It’s the crime that dare not speak its name – cyber-theft. Estimated to cost Australia $2 billion a year, cyber-fraud and identity theft could be an even larger problem than the investment and superannuation industry acknowledges, because no-one wants to admit that members’ accounts can be infiltrated. PHILIPPA YELLAND reports.

Detective Inspector Bruce van der Graaf, of the NSW Police, is only half-joking when he says that the best protection against cyber-crime is the ultra-secure Linux operating system. Vastly superior to the ubiquitous Microsoft OS, apparently. Speaking at last month’s ASFA lunch, van der Graaf said “a Linux boot disk is the most secure way to work”, followed by the Macintosh environment in which “it’s relatively safe” to work in Australia, where it was estimated that a mere 8 per cent of security events were reported. At the same time as he calmly and laconically reels off some truly frightening statistics, van der Graaf demonstrates how easy it is to breach cyber-security – or find someone who will. And it’s not just police who are concerned. That cyber-crime is of concern to APRA is shown in its letter to all trustees and APRA-regulated superannuation funds last November in which the prudential authority flagged its concern about lax procedures.

APRA’s general manager in the supervisory support division, Puay Sim, says that “to date, assessments of cloud-computing proposals typically lack sufficient consideration” of business processes, the technology’s architecture, and the sensitive information (member or other) “impacted by the outsourcing arrangement”. Ethical hacker Ty Miller is already alarmed that SuperStream’s mooted use of the Tax File Number “will increase the risk of ID theft. SuperStream will introduce risk and it’s a question of managing that risk”. Miller, who is chief technology officer at Pure Hacking, says the best defence is a dedicated server on its own network. “Plus, the hosting company must comply with the standards to which you are compelled to be compliant,” he says, “for example, PCI DSS compliant (Payment Card Industry Data Security Standard).”

Intrusion tests

Some super funds already retain Pure Hacking to do intrusion tests, but Miller says many cases of cyber-fraud are internal. “We’ll find the internal rogue employee – usually within a day – and we’ll be in the system and controlling it. The much bigger risk is internal fraud.” Investment behemoth State Street has acted on cloud concerns already. State Street’s chairman, president and chief executive, Jay Hooley, says State Street has built its own private “cloud” rather than use a public one such as Google’s. “It’s a scale business which requires continuous investment in IT and systems,” Hooley says. “We’ve never stopped spending 20-25 per cent (of revenue) each year throughout the cycle.” That equates to more than US$1 billion a year. Recent spending has had a focus on “cloud” computing, which offers not only security and cost savings, but also much greater speed to market and innovation around data.