Meet our new Information Security Manager
- 4 November 2019
We’re delighted to announce that David Phillips has recently been promoted to the role of Information Security Manager for ORX. David has been with ORX for 6 years and has been an important part of the IT and systems team in this time.
He’s taken a lead role in the development and maintenance of our Insight system, which is our purpose-built platform for the highly secure and anonymous exchange of loss data. We caught up with him to learn a bit more about his important role.
So, David, can you explain why information security is so important to ORX?
Keeping our community’s data safe and secure is our top priority at ORX and something we invest heavily in. We understand that we are in a unique position in working with financial institutions around the world. It is vital for us to demonstrate that we can be trusted to safely handle any data we receive from them.
As an operational risk association, ORX sees stories of cyber and information security losses all the time. Our ORX News service regularly reports on these types of operational risk loss events from within and outside the financial sector. This is a constant reminder for us of the importance of information security, and what can happen if it goes wrong!
The information security landscape is constantly changing, with new challenges appearing all the time. What do you think are the biggest information security threats facing organisations in general today?
One of the biggest threats today is social engineering – criminals are becoming increasingly sophisticated at creating emails which can be very effective at tricking individuals into clicking on a link. Improvements in infrastructure technology and the management of IT have reduced the risk of an attacker being able to access internal systems simply by exploiting a vulnerability.
But these controls can be easily sidestepped if an internal user is tricked into providing a set of credentials, or if they allow a malicious tool to be installed on their computer. The rise in state-sponsored hacking of critical infrastructure – such as power plants – is also a major threat to society as a whole.
Understandably, all firms who share sensitive information through ORX need to be sure that it is secure and anonymous. Can you tell me how we make sure that the loss data and other confidential information is safe and protected?
We have a variety of different mechanisms which we use to secure data. We created a purpose-built system called Insight, which is hosted securely in Switzerland, to handle the operational risk loss data. Data in Insight is encrypted in transit and at rest, using SSL and AES 256-bit encryption. We also have separation of duties, combined with system-enforced anonymisation, which prevents even ORX knowing who submitted a piece of data.
And what about data not submitted through Insight?
All loss data and other highly confidential information is always submitted through Insight. We also run many surveys for our research projects which do not involve highly confidential data. Despite this, we use similar controls to ensure any information you submit is handled safely.
What do you think is the key to effective information security?
Information security should be baked into everything we do as part of our in-person and digital communications. From educating users on security awareness, to the development of secure systems and operations, information security should never be an afterthought. Instead, it should form an essential part of modern-day business and systems.
What do you think will be the biggest challenge in your new role?
Our unique position of working with over 100 firms in the financial community can be a challenge – we have to meet the varying information security requirements of our whole community. As well as this, we need to find safe but effective methods to communicate with all of them.
One challenge, for example, is finding collaboration tools which all of our members can use, and we often have to use a number of different solutions to ensure we can safely exchange information across the internet.
Finally, what are you looking forward to most in your new role?
As I enjoy solving problems, I’m looking forward to ensuring that our controls are helping to improve security but are easy to use. Information security is something that should complement existing systems and processes – if controls are too difficult to use or understand, then they won’t be accepted by the user community.