Barclays’ Head of Information Risk Management Mark Logsdon is on the frontline in the bank’s fight against internal and external threats to its all-important data. It’s a war Barclays is winning, but Logsdon says he won’t allow complacency to catch the bank off guard – “not even for a millisecond”.
“It's about good technologies, good processes and good people management. I don't think there's anything new in that. I think that the danger is that there's just a focus on one of those things.”
Any information loss at a bank can escalate into a serious incident and a loss of customer confidence. Does the myriad of threats to data make you slightly paranoid or keep you awake at night?
Mark Logsdon. I'm always a reasonable sleeper so the threats don't keep me awake. However, we need to be on our toes collectively and understand the risks that are out there and ensure we've got sufficient controls to manage the risks accordingly. We've got a great team that helps us do that and this helps me sleep a little easier, although one is never complacent, not for even a millisecond. We continue to monitor the threats so that we hopefully don't get caught out. There is a whole [response] team here who are able to instantly respond to an incident. They are constantly monitoring systems and events as we speak and use some sophisticated programs around fraud detection and prevention.
As the bank's Head of Information Risk Management, what are the main challenges you face at Barclays when tackling the issue of information security?
ML. Dear old John Dillinger (American bank robber and gangster during the Great Depression) was once asked why he robbed all the banks that he did and his response was 'Because that's where all the money is, stupid'. I think that's still the case today. We are naturally a target because we've got money that people are going to seek to steal. That said, we've still got a lot of people's personal data and it's important to us that having been entrusted with that data by our clients, that we protect it in a manner entirely appropriate to make sure that it's not lost. The traditional electronic scams like phishing and now social engineering have been around for a while just the same as con men, fraudsters and tricksters have been. What I call old fashioned crime is still committed today but people are more tempted to do it electronically. And there is still the problem of disgruntled insiders although instances of that are rare.
One important thing is to ensure that we do have secure technologies and that we have great processes around them, because if there's a weakness in the process it can circumvent all that great technology and the controls. We also spend an awful lot of time making sure that people are aware of the risks that we potentially face, and that they know how to respond and deal with them, should they either suspect or spot something. So we have a huge awareness campaign in place that helps them to understand the risks and what they should do accordingly.
When you mention threats to people's personal bank information, people may think of external attacks from 'hackers' but data loss is more likely to come from within. How do you protect against these risks?
ML. The particular risk of data loss has always been with us; it's not a new risk. If one thinks about it, letters have always gone missing in the post. The files in your filing cabinet - we've always lost them. And there has always been the risk of the fax machine where someone inadvertently punches in a wrong digit and the document gets sent to the wrong number. So there has always been that case for a genuine mistake or a momentary lapse of concentration and I don't think it is any different today. The difference now is that there is more chance to lose data more quickly; one can keep an awful lot of information on a memory stick as opposed to in a file.
How do you combat it?
ML. We have some good technologies that help us to control things and make sure that in cases where colleagues have got access to some sensitive data they can't just simply plug a USB stick in and download it all from their laptop or desktop. It comes back to awareness of the issues. Mistakes will always happen and there always will be that momentary lapse of concentration. We all have them. We didn't mean to send an email, but, unfortunately, we did. With those colleagues around particularly sensitive areas of the bank, those with privileged access, there are further controls to ensure what they're doing is appropriate, that monitoring tools are there and that they're backed up with good HR-type policies. It's about good technologies, good processes and good people management. I don't think there's anything new in that. I think that the danger is that there's just a focus on one of those things, be it technology.
And the other risk is that people don't join the three things up, and they happen a little bit in isolation and are not joined up to manage the risk appropriately. Our job here is to ensure that with information risk management we look at all kinds of information in whatever form it resides, be it in people, hard copy or electronic and that we try and join all these things up.
And there is no patch for stupidity, as the saying goes within IT security circles.
ML. That is an old quote from [ex-hacker] Kevin Mitnick. I think there is merit in it but I prefer to call it a momentary lapse in concentration. At Barclays we employ bright, committed people who, given the right information at the right time, will make the right decisions. Our job is to give them that information so when they do happen to have that momentary lapse of concentration, which hopefully is very rare, at least they know what to do next to try and minimise what happens next.
The public sector has seen its fair share of spectacular data losses. How do you get staff to appreciate the value of data and educate them on correct procedures?
ML. Let's be clear, I'm not saying this has happened in Barclays, but people with good intentions send documents from A to B with no thought about what happens if they go missing in the post. They are not aware that they might need to encrypt the documents. The reason they did not follow the correct process might be because it was so cumbersome and so inhibitive that it prohibited the business from doing what it was seeking to do. In my view, there has got to be a balance of pragmatism against the need for control. In some cases, the need for control wins, but users will find a way around it if they can. As I said, a lot of the time it comes down to genuine mistakes. For instance, how many times do we see the phone left outside somebody's household address? It contains people's names and addresses, right?
It comes down to user education; they often don't know they are supposed to put these things on an encrypted disk, use a double envelope or whatever it might be. They don't understand what is expected of them in this day and age and make an honest mistake. While the technology and processes might be right, do the people understand what is expected of them?
How do you deal with staff mobility and work being carried out on laptops, smartphones and now tablets, 24/7 globally?
ML. Staff mobility presents us with magnificent opportunities for ways of working. Sure, sometimes there are challenges around the way we do things, but we have to manage those challenges in a pragmatic way which enables a business to meet and realise some of the opportunities mobility allows. It is about a risk-based approach because for some people in some jobs it may not be appropriate for them to have remote access in an internet café. For other people in other parts of the business, it may be because the information they've got access to isn't particularly sensitive at all. So we need to manage it appropriately but not in a way that stops the business from realising the opportunities.
We have a big push at the moment exploring the use of iPads but we need to manage it in an appropriate way because it may be right for some staff to use them and others to stick with a desktop. It needs to be managed accordingly without saying to people, 'You can't have that or you can't have that'. It's about risk managing the process.
Data losses can also occur when operations are outsourced. How do you approach this to ensure information doesn't fall into the wrong hands?
ML. This is a third-party risk and we share this concern. More recently, we have offered some awareness material, free of charge, to third parties looking after our data so they are aware of what we expect of them. This isn't aimed at the large companies but more towards the SMEs who haven't necessarily got the resources to spend on that sort of stuff. It's also targeted at the people on the ground handling our data. We mandate that high- and medium-risk suppliers are properly trained and it has proved to be hugely successful.
The myriad of consultants and contractors that are constantly working with us and provide an invaluable service have an account on the network just like I do. So you need to understand what sorts of third parties you are talking about, because the risk profile might be different and the controls you put around them as a consequence might change as well. With regard to what information they have access to, we have a segregation tool that allows us to make that call. We put the suppliers into high, medium and low risk categories and the controls we put into place around this reflect the risk potential they pose to us. Of course, we back this up with a performance review to ensure they are doing the right things. We'll go back at a later stage and say, 'You said you're doing X, but can you prove it to us?'
What key trends do you foresee in information risk management over the next few years? Where will the threats come from?
ML. The traditional threats will stay the same - fraudsters, organised criminals and insiders - and these threats will remain constant. Another is around consumerisation and the plethora of devices people are wanting to bring into the organisation and use, which creates some interesting challenges. The one that interests me, going forward, is around identity and people accessing networks. If you think about it, we all have multiple identities. I just wonder how this can be sustained, so we might have to look at that.
Barclays is a major global financial services provider engaged in retail banking, credit cards, corporate banking, investment banking, wealth management and investment management services with an international presence in Europe, the Americas, Africa and Asia.
With over 300 years of history and expertise in banking, Barclays operates in over 50 countries and employs nearly 147,000 people. Barclays moves, lends, invests and protects money for more than 48 million customers and clients worldwide.
Barclays is made up of two 'Clusters': Global Retail Banking, and Corporate and Investment Banking and Wealth Management, each of which has a number of Business Units. The third major area of the business is Group Centre, which comprises the support functions.
Barclays Group headquarters is at 1 Churchill Place in London, UK, but they have operations all over the world, with products and services to meet the needs of customers and clients in local markets.