
Pensions Age has been designed to provide pensions professionals with a single and authoritative source
of information.

In safe hands
With more employee data being collected and stored by employers, and an increasing number of transactions occurring over the internet, security is a growing concern. Catriona Dean examines what is being done to secure pensions data

An academic giving a paper at a conference in Las Vegas is normally a straightforward event, unless of course you’re clever enough to break code. Consider the cautionary tale of Dmitri Sklyarov, a 26-year-old Ph.D. cryptography student who has become the first person to be criminally indicted under the Digital Millennium Copyright Act (DMCA), which outlaws the use of technology able to circumvent copyright protection. His crime was to write a software program which enabled eBook readers (including the blind) to convert secure Adobe software into PDF format, an offence not recognised in his native Russia, but taken very seriously when he attended a hackers’ conference in Las Vegas in July.

Sklyarov has become quite a celebrity, with internet freedom activists vociferously championing his cause, but the case has even wider-reaching implications for the business world. As new legislation vies for precedence (The DMCA, Human Rights Act, Freedom of Information and Data Protection Act can all be invoked to justify opposing points of view) and technology becomes ever more sophisticated, the potential for good and harm has also increased exponentially. A pension provider can communicate via email with clients, who are now able to purchase pensions directly over the internet, cutting costs and increasing efficiency, but such technologies also leave companies vulnerable to viruses, hackers, and fraudsters who seek to access the kind of personal and financial data which are part and parcel of pension schemes.

A recent survey by the CBI highlights the growing concern for security as companies rely increasingly on the internet for communication with customers. The report showed that two-thirds of the respondents had experienced a ‘serious incident’ in the past year, such as hacking, virus attack or credit card fraud. Larger firms, as one would expect, have greater facilities to sell over the net than those with fewer than 10,000 employees, but are less willing to adopt business-to-consumer initiatives as opposed to business-to-business; their smaller counterparts were keen, but inhibited by lack of resources.


The financial services industry is particularly at risk from hackers, according to the report, although culprits are often to be found closer to home: over all sectors, current or former employees represent 24% of security breaches. The CBI’s Clive Edrupt says a combination of technical sophistication and employee awareness is necessary to reduce risk: “One of the principal messages was for companies to be alert to risk and exposure to cybercrime, which they should address when setting their risk management policies, make maximum use of affordable technical measures accompanied by staff training in awareness, detection and preventative measures.”

Significantly, 72 per cent of companies with a director responsible for risk management reported cases of serious attacks in the last year, compared to 55 per cent without, showing that even where awareness is greater, it is still not effective in preventing breaches in the first place. Norwich Union provides the facility for consumers (and IFAs) to purchase various products, including stakeholder pensions, online. Nigel Hopwood, Norwich Union’s head of eIFA development considers stakeholder to be “a bit of a catalyst” pushing the issue of security to the forefront with the increase of business transacted over the internet. But he concludes “stakeholder is just another transaction driven by a lot of market activity, but it followed the same sort of processes and used the same sort of services as we already had in place.”

It is important to keep up to date with security developments, says Hopwood, but he is confident that the existing system is quite secure: “The data is encrypted to a high standard and when we started to look at transactional capability, i.e. making policy information for intermediaries available online, we kicked off a piece of work which resulted in us spending many hundreds of thousands of pounds on new firewall equipment and testing.” Norwich Union even has what Hopwood describes as a “men in black arrangement”, where an agency of “professional hackers” is employed to crack the code. So far, they have not succeeded. The security issue is a double-edged sword for the pensions industry.


Providers and trustees have to be alert to security breaches not only to avoid financial loss, but also because they risk breaching the 1998 Data Protection Act, which fully comes into force on 24 October, if certain procedures regarding personal data are not fully complied with. Although the onus is on the trustee, as the ‘data controller’, to ensure that employees have access to their records and are aware that their personal data is being used, providers are nonetheless responsible as ‘data processors’ for complying with principle seven of the Act, which states that data must be “protected by appropriate security measures”. “The whole issue is going to become more and more important,” says Jon Fell, partner in the Information and Technology department at Masons. He adds that, for pension companies, “you’ve got two different strands coming together. One is the commercial pressure and the fact that people won’t want to use it unless it’s secure, and, secondly, you’ll have the regulatory side, the Data Protection side, and they’ll have to deal with that”.

Complying with the international information security standard ISO 17799 (a respected industry quality standard) is a good way of ensuring your company is taking all the technical and organisational steps necessary to protect against security breaches, says Fell. He is reassured, however, that for most financial services companies, “security tends to be an issue which has already been addressed in depth, so it’s not necessarily something that’s going to come as a big shock – at least it certainly shouldn’t!” Neil McEachran, IT consultant at Dunnet Shaw & Partners, attributes many security incidents to employees: “As with most systems, the greatest risk of fraud and hacking comes from disgruntled current and former employees”, he says, citing misuse of passwords (for example, writing them down next to the PC, or not changing them when people leave) as a major contributing factor to security loss. He makes the following recommendations for companies to reduce their risk of fraud and hacking:
• Keep your software up to date
• Keep hardware up to date (including firmware)
• Enforce good password policies regularly
• Make sure file access security is enforced
• Make sure database access security is enforced
• Implement an acceptable use policy for e-mail and internet access from within the network
• Hire security consultants to do penetration testing of internet facing services regularly
• Keep your anti-virus software up to date at least weekly
• Read up
• Know your enemy

Computer science professor William Arbaugh at the University of Maryland has conducted research indicating that “well over 90 per cent of [IT] security incidents are due to poor management”, a claim which appears to be borne out by experience. As technology develops, so does the potential for misuse. Jon Fell concludes: “on the technical side, you can never have 100 per cent security, it’s absolutely impossible – the way the hackers work changes daily. What you have to do is have a combination of technical and organisational measures.” It may seem like a lot of work to keep tabs on employees, and training up people can be time consuming and costly, especially to smaller organisations. But the “prevention is better than cure” adage is more than just a truism when it comes to keeping systems secure, especially while Dmitri Sklyarov is still around.
