In a bid to protect members’ data and money from hackers, First Super is considering the practicality of completely isolating its member database from the internet. Under its plan, no terminal that can access the master database will be connected or connectible to the internet.
This might seem far-fetched and some in the industry question whether it is practicable, but it is understandable given that information technology experts say that no fund can ever have a 100-per-cent guarantee of not being attacked.
Those who neglect defences will increase the chance of being attacked, as an arms race is currently taking place online between hackers and corporate security experts. As companies upgrade security systems, international groups of hackers invest to find more ingenious means of illegally entering databases. Furthermore, hackers are little different to other criminals in that they will choose the path of least resistance.
The consensus of security experts is that the attacks are becoming more common and more dangerous. Hackers are sharing information, with some even selling basic hacking toolkits online. The ill-gotten gains are increasing along with the demand for more user-friendly and dynamic online services for members.
Paul Kastner, a partner at EY, says that by comparison, five years ago it was harder to extract money from super funds. “Then, you had to file your papers and be of a certain age. It took weeks, if not months, to get your retirement money out.”
Profiting from hacking
A superannuation fund can lose out in a number of ways. A straightforward theft of funds could occur from a bogus request for a transfer of an individual’s account into a self-managed super fund from which, in theory, it would be easier to withdraw the savings as cash. One of the fears is that people do not check their accounts regularly and so the crime can go undetected for longer. Part of the reliance around detection of bank fraud comes from customers quickly spotting their account balance has changed.
There is also blackmail.
Kastner says: “Hackers can hold a company to ransom by threatening to bring down its website with a denial-of-service attack. The other way is to crack through their defences and encrypt certain data in the company and then offer to sell the encryption key back to the company. If they do not buy it, then they cannot get access to their own records.”
This last point is certainly worth considering as it is estimated that 45 per cent of an organisation’s value lies in the information it owns.
The world of online criminality and prevention has its own phraseology, and one such saying is the “knock on the door”, a term used to describe the opportunistic search a hacker will take of a company’s online defences before committing a theft.
David Muscat, chief operation officer at Pure Hacking, an internet-security firm that describes its activities as saving companies from “devastating attacks”, describes how this works.
“A lot of attackers will see if an issue with the site may exist. More often than not, the organisations who see this will notice it in a log or on their web server. Those attacks are not necessarily successful, but a fairly vigilant customer would be able to notice this activity going on.”
Muscat’s message is that super funds should be constantly on the look-out for unusual activity. His company works by finding holes in companies’ defences before hackers can compromise them, and by looking online to see if attacks are being prepared against a company.
“We recently assisted one financial services organisation by informing them of a malware kit that was targeted against its website and also the disclosure of certain credit-card details,” he says. “The client had not identified any form of attack against them, although they were conscious that there had been activity against its website.”
Chillingly, another way this firm works is to see if a hacker has stolen data and posted it online for sale.
Kastner agrees that detecting “anomalous activity” on your system is key. Funds should seek to “analyse it quickly, contain it by quarantining the server and taking it offline and then bringing in the police. The police and ASIO have very strong capability in this space,” he says.
Another expert in this space, Stan Gallo, director of forensic technology at KPMG, says prevention starts with working out who within an organisation owns the information, how valuable it is and where it is stored.
“If they can understand all that and then have a robust procedure for reacting to incidents coupled with a proactive strategy around their systems, then they are far better off.”
He emphasises that the problem should not only be owned by the IT department, but the chief executive too should consider it a strategic business risk.
It is in this environment that First Super is considering putting its member data out of reach of the internet. The conversation has arisen after the fund considered its responsibilities under the new raised standards of prudence for data risk.
David Galloway, manager of operations and risk management at First Super, explains: “We’re working systematically through this with IT consultants and documenting our approach to each paragraph. Our two main points of vulnerability are the member database and the custodian investment-administration database.
“We’re quite comfortable about the security of investment data because it sits behind the custodian’s firewall (National Australia Bank), and the testing information we’ve received has been comprehensive. Also, we’ve put in place upgraded encryption and confirmation protocols between the custodian and ourselves which would be very difficult, even for an insider, to circumvent.”
National Australia Bank itself has a cybercrime team that provides web updates to customers on recent attacks, holds customer events and employs defences such as dual authorisation for its customers.
David Powell, chief security officer for technology, enterprise services and transformation at National Australia Bank, says these defences need to be continually updated as traditional virus signature-based systems are becoming ineffective against targeted attacks.
Whether First Super can put its member database out of reach of the internet is a moot point.
Kastner is sceptical: “I’m not sure how they are planning on doing this. If isolating the database were accomplished, I’d be interested in hearing how their members get access to their information and whether they have an online web presence.” Gallo says it is possible, but that it would all depend on how the fund interacts with its stakeholders and clients.
Getting online security experts to talk about the funds they are working with is a sensitive area.
Gallo knows super funds that have been attacked in 2013, but is at pains to divulge much more. “I would not say that no attacks have been successful,” he says, before hinting that while these attacks did not gain access to money, they did get hold of information that could be monetised.
Such reticence might soon have to change. In the United States, financial services companies are obliged to disclose if they have had any hacking attacks and give details on how many accounts were breached and how many credit cards were stolen. There are those within Australia who believe the same rules should apply here.
“This country is moving in the direction of a mandatory notification of breaches,” Kastner says. “It has been mooted for several years. Companies have a duty of care to their customers to notify them and we all need to raise awareness of attacks.”
There is a balance to be struck in how much information is revealed to the public.
Gallo believes forced public disclosure may increase the risk of a business being a target itself. He prefers the disclosure being made to a government body, rather than to be publicly known.
There are three Australian Prudential Regulation Authority standards that have implications for data security, according to David Ephraums, a partner at law firm Clayton Utz. These are 220, 231 and 232, which deal with risk management, outsourcing and continuity management.
Ephraums says that data security is central to the duties of trustees and that they must have an ongoing awareness of the risks that are being confronted and be able to modify processes accordingly.
He adds that recent guidance from APRA has not raised standards of compliance. The duties have always been there in one shape or form, he argues; the standards have merely articulated the requirements more clearly.
In September, APRA issued final guidance on data security. This emphasises ongoing checks, supported by reporting mechanisms and management reviews.
The guidance states: “A regulated entity would be likely to benefit from developing an initial and ongoing training and awareness program. For staff who do not have specific data-risk-management responsibilities, this would typically be incorporated as part of ongoing business process-specific or broader risk management training, as applicable.”