The third FST IT Security Conference on 8 October at the IoD Hub in the City of London carried the theme of 'security in a downturn', looking at everything from the insider threat from disgruntled employees to the likelihood of higher levels of phishing, ID theft and malware. Neil Ainger reports on the discussions, case studies and possible solutions on offer

The well established one-day IT Security Conference, organised by Financial Sector Technology magazine, is intended to help boardroom executives, chief information security officers (CISOs) and other interested professionals fight the threats of an increasingly hostile cyber-world, where fraud levels are rising as the recession deepens. The audience consisted of key decision makers from retail and wholesale banks, building societies, insurers and other financial institutions, plus consultants, academics, and legislators. All attendees got an opportunity to discuss ideas, trends, the pros and cons of various technologies like encryption, two-factor authentication, and biometrics, with colleagues and peers, while comparing strategies to cope with online fraud or the insider threat. The head of IT security at HSBC, Malcolm Kelly, was there, as was Jayesh Panchal, head of information security, EMEA, Barclays Capital, and Andrew Yeomans, vice president, global information security, Commerzbank. The respective IT security managers from Aegon and Lloyds Banking Group, Adam Kaminski and Setrag Chilingirian were there, alongside Jadvji Kanji, information security officer, BoA Merrill Lynch, and Mike Deane, senior security analyst, Axa UK. Other representatives from the Financial Services Authority (FSA), Credit Suisse, UBS, Visa Europe, Deloitte and the BCS chartered institute for IT were also in attendance.

It's rare to quote the unpopular prime minister, Gordon Brown, at the moment but as he recently commented: "We have to secure our position in cyber space in order to give people and businesses the confidence they need to operate safely." A better description of the rationale behind the FST Conference would be hard to find. As he added: "Just as in the nineteenth century we had to secure the seas for our national safety and prosperity, and in the twentieth century we had to secure the air, in the twenty first century we have to secure our position in cyber space."

The industry delegates gathered at the IoD Hub would no doubt agree and with that aim, as they listened to presentations from the Earl of Erroll of the parliamentary all party internet group on future legislation; Lockton on cyber liability and the market for data loss insurance; Molex's view that physical security is a vital grounding for every other security layer; and FaceTime's opinion that security challenges are growing as communications converge and applications multiply in a web 2.0 world. Case studies and talks from Aviva, Lloyd's and Barclays also followed (see boxout at bootom for a full schedule). Selected highlights follow:

Security in a recession
Delegates listened to a welcome speech from Professor Fred Piper, of the Information Security Group, Royal Holloway, University of London, as proceedings got underway on 8 October, who pointed out that two things happen in a recession - crime goes up and budgets go down. Andy Jones, principal research consultant, at the Information Security Forum (ISF) trade body also re-emphasised the theme of the day with his presentation entitled IT Security in the Downturn, which looked at what affect the recession is having on information security in terms of increased threats, numbers of fraudsters, reduced budgets, and so on. As he admitted: "It's a good time to try some social engineering [if you're a criminal], targeting disgruntled employees or temporary staff." The recession will be a single dip U-shaped curve, says the ISF, but even as those famous 'green shoots' begin to appear ITsec investment will lag behind the recovery. According to Andy, it might be another year before you get the money you need to fight rising fraud levels, as firms will only then start to ramp up for growth.

Up next was Stephen Bonner, head of information risk management, Barclays, who discussed the on-going relationship between security v privacy; the role of the Data Protection Act (DPA) in this debate, outsourcing, efficiency v protection, the information commissioners office, and so on. How privacy and security can sometimes be competing - for instance, whether consolidating information helps or hinders - and sometimes complimentary was also discussed. In a fun presentation he allocated 'wins' to security or privacy in various scenarios, such as how cloud computing affects each, and threw sweets out into the crowd for anyone asking a question, or indeed answering one.

The highlight of the morning sessions was perhaps Paul Wood, Aviva's chief security officer, and formerly UBS', who explained how there is no patch for human stupidity, making staff training and good internal procedures a key element in any effective security strategy. Paul highlighted bad practice, such as Nationwide's £1 million FSA fine for losing an unencrypted laptop, and Aviva Norwich Union's own £1.26 million fine from a few years ago for not having effective controls in place to prevent publicly available information from being used to defraud customers via the call centre, which prompted the newly appointed Wood to launch a board-supported education programme fully explained here, including a video message from group chief executive Andrew Moss, seen by all staff to emphasise how important security is. The more recent £3 million FSA penalty for three HSBC units, handed out in September this year - to its Life, Actuaries and Insurance brokers businesses - for various security failings was also discussed, alongside other high profile failures at financial institutions. The point was to learn from past mistakes and outline how to get better in future, as Aviva itself has done with its internal staff education programme highlighted here. "It helps get buy-in when you have a very clear message of support from the board," concluded Wood.

Hosting the afternoon sessions was Marcus Alldrick, CISO, Lloyd's of London, ex-Abbey and Barclaycard, who talked about how risk appetites are changing; being reigned in during the recession, while simultaneously more attention is paid to the subject. He referenced how Lloyd's latest survey showed reputational damage, information security breaches and cyber attacks rated 9th, 16th and 20th on the list of risks firms were most worried about, behind credit and insolvency risks. Encouragingly, in all three cases firms felt they were more prepared to meet the risk than the priority they'd assigned it, suggesting a good level of preparedness. Marcus also discussed how risks are diversifying with the rise of cloud computing, social networking, and mobile devices - "they're not just smartphones anymore, they're mobile computers," he said. Attacks are also getting more sophisticated as criminals get more organised. The threat is growing as the underground economy grows; as evidenced by the fact 10,000 hotmail accounts and 30,000 gmail, yahoo and other accounts were stolen just prior to the conference in October via fake websites, causing millions to change their passwords.

'Belial', an ethical hacker from The Hackers Voice collective, was up next, illustrating the threat from forgotten technologies such as pagers, with a case study that showed how information gained from this medium can be used as a back door into other channels. A real-life recording from a financial institution, where data obtained from a pager was used at a call centre to extract personal information, was played to the rapt audience. He also showed how lots of pager secret service messages, from the spring G20 meeting in London, could be accessed and how vulnerable bank mobiles can be, as these devices typically broadcast unencrypted or can be hacked. "I'm here to show how hacking skills can be used to do good, not just as a destructive force," said Belial, when explaining the rationale of his speech and the potential benefits of regularly 'security road-testing' your systems. A lively Q&A followed, touching on the GSM threat as mobile banking stands ready for rapid growth and a wide range of other topics.

Paul Hopkins, head of network vulnerability, University of Warwick, ended the day with a presentation on the vulnerabilities of cloud computing, especially the potentially devastating affect of a denial of service attack when everything is in the cloud, alongside the problems of identification, verification, continuity, trojans and other malware. The work of the non-profit Cloud Security Alliance group was also touched on. The latest threats, changing economic and regulatory landscape, possible future challenges, and best new solutions, were all discussed over a few drinks as the event wound down.


IT Security Conference - Agenda
9.10-9.20 Conference Chairman in morning, opening address:
Professor Fred Piper, Information Security Group, Royal Holloway. An advisor to the UK government, organiser of the MSc in Information Security and Secure Electronic Commerce, and regular academic and commercial lecturer, Fred has also acted as a consultant for a number of financial institutions. He introduced the day by pointing out two
things that happen in a recession - crime goes
up and budgets go down, presenting CISOs with a challenge.

9.20-9.50 IT Security in the Downturn:
Andy Jones, principal research consultant, Information Security Forum, presented the latest research from more than 200 global firms, including many banks and insurers, looking at what affect the recession is having on information security in terms of increased threats, numbers of fraudsters, reduced budgets, etc.

9.50-10.20 Security v Privacy:
Stephen Bonner, head of information risk management, Barclays, discussed the on-going relationship between security and privacy; the role of the Data Protection Act in this debate, outsourcing, efficiency, etc.

10.20-10.50 Future legislation:
The Earl of Erroll, the All Party Internet Group, House of Lords, gave an overview of coming laws, such as data breach notification, government thinking on the doomed ID card scheme, and what a change of government next year might mean.

11-11.30 Human error - No patch for stupidity:
Paul Wood, group chief security officer, for Aviva, and formerly UBS, emphasised the importance of good staff training to prevent mistakes and reduce the insider threat.

11.30-12 noon Data security breaches - Transferring risks via contracts and insurance:
Emily Freeman, director, Lockton International, talked about what you should and shouldn't have in contracts with staff and outsourcers, and gave an overview of the developing market for insurance to protect against data loss, class action suits, etc.

12-12.30 It's 12pm - Do you know where your assets are?:
Chip Baines, global R&D director, Molex, advanced the view that improving physical layer management of buildings, cabling and infrastructures is vital, and provides a good grounding for all else that follows.

12.30-1 The new internet - Real-time communication, collaboration & social networking:
Nick Sears, VP, EMEA, Face Time, talked about the challenges of convergence as communications unify and applications multiply in a web 2.0 world. How the net has changed, altering the challenge facing financial institutions, was the focus of his speech.

2-2.30 Conference chairman in afternoon; The emerging risk landscape:
Marcus Alldrick, CISO, Lloyd's of London, talked about how risk appetites are changing; being reigned in during the recession, while simultaneously more attention is paid to the subject.

2.30-3 The forgotten threat of 1990s security in the modern age:
'Belial', ethical hacker from The Hackers Voice, illustrated the threat from old technologies, such as pagers, showing how information gained here can be used as a back door into other channels.

3-3.30 Global challenges in cloud security:
Paul Hopkins, head of network vulnerability, University of Warwick, presented on the vulnerabilities of cloud computing.

• To see presentations in full go to the ITsec website at: http://www.fstech.co.uk/ conferences/IT-sec/ITsec.htm.

Share Story: