Cyber security – lock it down

Estimated reading time: 5 minutes

Everything’s relative. Back in 2014, when a surprise budget gave us the ‘overnight transformation’ of the pension industry, we thought we’d seen the ultimate shock to the system. From the 2020 vantage point, 2014’s ‘biggest shake up in a century’ looks like a long, slow and well-planned walk in an entirely predictable park. Now, we’re looking at actual overnight transformation - necessity has driven the world online on a massively accelerated timetable and cyber-attacks are running a close second to Covid-19 in the global headlines. 

These are tough times – we’re all lucky that financial services was already moving in a remote-working and online direction, but there is a huge variation in the level of readiness. Organisations with a robust BCP, rigorous internal controls and a track-record of investment in information security are best-placed to face the cyber-security challenges, but this is a joined up world with multiple interdependencies. The pension payment system depends on payroll, BACs, banking, and HMRC systems. Death benefit administration depends on insurance and banking systems. Everything depends on member communications and an effective replacement for the postal system. When the world needs to move quickly, there’s a strong temptation to take just that little bit more risk to get things done, but predators old and new are still stalking our pension schemes, so the control environment matters now more than ever. 

Effective internal controls around information technology, cyber-risk and data management are about more than passwords and firewalls. There are a whole range of behavioural and technological activities that threaten data security and the controls need to be as effective at 1000 makeshift kitchen table workstations as they are under the organisation’s roof. A few of these are worth thinking about in detail to look at if/how they translate to the home environment.

When Police Scotland presented at a Scottish PMI Regional Group seminar on cybercrime, everyone in the room was struck by how successfully criminals could access an office environment to target organisations and identities. The office is always on the lookout for tailgaters, but a friendly contract cleaner with a camera phone could surreptitiously photograph documents on desks as he made his way through the room, gathering up member and banking details in his wake. 

Living under lockdown, most offices will now be both people and paper free, but that doesn’t mean the physical access risk goes away – it just shifts to those 1000 kitchens, 1000 recycling bins and whatever a motivated data miner is able to find there. If staff can print member data at home, they can also leak it. Maybe people have shredders, maybe they don’t, maybe people with shredders will routinely shred every document, maybe they won’t. Either way, the organisational control has been taken out of the equation.

Faced with so much potential risk in such uncertain times, the absolute best control is to lock the system down, with no at home printing, no memory sticks, disks or other removable media. Only those staff with a legitimate and pressing business need should be granted controlled access rights to plug-in devices such as home printers and then only in very limited circumstances. There’s a convenience cost, but it’s one worth paying.

A recent estimate quoted social engineering, ‘the act of manipulating or tricking people into certain actions including divulging personal or financial information’ as being behind 98% of cyber threats under Corona. Basically, these are boom times for cybercrime. IT may be manning the firewalls but the vigilant cyber-hygiene and collective good sense of the office quickly crumble in a crisis situation. People are at home, keeping calm and carrying on, but all the time hungry for news and comfort. Bugs, malware and ransomware are lurking in official looking Covid-19  updates and websites. Social media is rife with links appearing to offer distraction and reassurance. People are much more prone to taking online risks as their offline world shrinks. It’s a perfect data security storm.

Again, the best control is a system lockdown that breaks the link between the remote workstation and the wider world – social media and open browsing are incompatible with data security. An effective lockdown approach on systems leaves your IT security systems free to focus on your business and your clients rather than the non-stop assaults of the dark web.

This is what it all comes down to. Data, large and small, still needs to move between organisations, IDs need to be verified, payments authorised, and communications issued. In current circumstances, the months and years of planning that go into data interface policies are necessarily condensed into weeks, and policy is converting to practice in real time. 

At the practical level, where large-scale data is exchanged with employers, insurers, payroll, etc, secure exchange mechanisms are already in place across the pension and wider financial industries and these translate fairly seamlessly to the home working environment. That level of interface security is just the day job. The more challenging aspect is likely to be around exchanging data with individuals so that benefit administration keeps moving, and this is going to call for immediate online solutions.   

Most TPAs will already have member online options in place but take-up can be challenging, especially for DB schemes where data is more static and there’s often a trustee attachment to ‘how things have always been done’. Part-paternalistic and part-protective instincts towards members, the ‘little old lady factor’ and a worry that the all-important ‘personal touch’ will somehow be lost, have all traditionally played a role in the relatively slow adoption of online services. 

With members stuck at home, paper-based communications are disappearing, so even a ‘no bells, no whistles’ secure online platform will keep the communication channels open until the present storm passes. Trustees are no longer asking themselves whether they want to offer member online access, they’re asking the industry exactly how fast we can deliver it. 

Stay up to date

Get the latest independent commentary and exclusive insights from a range of experts at the forefront of risk, pensions, investment and insurance – tailored to your preference.

Subscribe today