In the latest edition of Technical View, Spence & Partners' Monica Cope gives a step-by-step guide to protecting data security in the digital age. 

According to the Information Security Breaches Survey 2013, commissioned by the Department for Business and Skills, companies are now “struggling to keep up” with security threats.

Key points

  • Schemes should regularly review the risks posed by information security breaches.

  • They should conduct due diligence on all service providers.

  • They could put business continuity plans in place to protect data in the event of a disaster.

There are resources available to assist trustees in putting safeguards in place to preserve information security.

The survey revealed that the number of security breaches affecting UK businesses is rising – in the past year 93 per cent of large organisations and 87 per cent of small businesses had a security breach.

The average cost of a security breach is also increasing. During the past year, 78 per cent of large organisations and 63 per cent of small businesses were attacked by an unauthorised outsider.

Trustees should be aware of the consequences of an information security breach, as they could face a potential fine of up to £500,000, with the risk of significant reputational damage to the parties involved. The Information Commissioner’s Office may also instigate criminal prosecutions under legislation.

As far as possible, trustees should make best endeavours to mitigate the risks of an information security incident. Forward-thinking professionals can see the bigger picture of information security and are acting now to minimise harm.

First steps

Schemes need to continually review the security of the information they control and how their chosen service providers handle pension scheme information. Digital security is an ever-moving target, but the first step trustees need to take is to identify who has authorised access to their electronic pension scheme information.

Aside from the scheme administrators and actuaries, consider any outsourced IT firms with network access and contracted media disposal firms. Ensure that non-disclosure agreements are in place, or that service level agreements with the relevant parties have a built-in confidentiality clause.

Internal issues arising from failures in processes and people can also be considerable. The survey highlighted that of the worst security breaches, 36 per cent were caused by inadvertent human error and a further 10 per cent by deliberate misuse of systems by staff.

Both trustees and contractors should understand their information security responsibilities. Procedures and baseline controls, such as password security, teleworking, data sharing and file transfer guidelines, should be established. Training and awareness should also be advocated.

Many of us now rely on portable devices to carry out our day jobs, but have trustees considered the information security risks these devices might present?

Schemes should consider what information could be held locally on these devices, how the devices are physically protected against theft or loss, how they are backed up and the method of disposal.

Cloud security

The benefits of cloud computing for pension schemes are clear; schemes managing their data securely in the cloud are less likely to hold data on notebook computers or data sticks, yet can access their pension scheme data from anywhere with an internet connection.

Trustees should consider how cloud computing might apply to their scheme currently, and whether adequate security measures are in place to protect scheme assets and members’ personal information.

In order to stay protected, many organisations are now engaging professional firms to conduct an audit of their IT infrastructure. Penetration testing is a valuable method of evaluating computer and network security.

The process involves an active analysis of systems for potential vulnerabilities by simulating an attack from external and internal threats. Effective penetration testing will highlight any security issues found and outline countermeasures to reduce the risks.

Trustees should also consider their risk appetite for business continuity in adverse situations. Digital copies of correspondence should be retained and core production systems should be backed up. Back-ups should be encrypted and held securely off site.

The digital age brings us improved flexibility, efficiency and reliability, but undoubtedly presents schemes with a whole new set of risks. Schemes should be stepping up to address these risks and should not feel intimidated.

Monica Cope is information manager at consultancy Spence & Partners