Pension Funds Insider

Who is looking after your information securi-tea?

Thursday, May 28, 2015

Monica Cope discusses the importance of protecting pension member data from cybercrime.

Betty's tearooms find themselves in hot water as one of the latest victims of cybercrime. The website of the infamous Yorkshire bakery was recently affected by a data breach and the personal information of its customers was compromised. On the 8th of May, the organisation discovered their database had been breached as a result of an industry-wide software vulnerabili-tea. A statement from Director Paul Cogan advised "Personal details (which could include names, email addresses, postal addresses, encrypted passwords and telephone numbers) were copied. We would like to stress that your credit or debit card details have not been copied as this information is stored on a completely separate system managed by a certified third party".

The 2015 Data Breach Investigations Report, released in April by Verizon, estimated that there were 79,790 information security incidents in 2014, with 2,122 confirmed data breaches (disclosures to unauthorised parties). The unfortunate fact is that you don't have time on your side when it comes to detecting and reacting to information security events.

Data controllers and processors have a shared responsibility to protect the sensitive information they store and administer, and in the pensions industry, that information can be extremely valuable. So how can we preserve the confidentiali-tea, integri-tea and availabili-tea of member information?

ISO/IEC 27001:2013 is the international standard that describes best practice for an information security management system. Accredited certification to ISO27001 demonstrates that an organisation is following international information security best practices.

Also, ISO27002:2013 is a collection of information security guidelines that are intended to help organisations implement, maintain and improve information security management.

Furthermore, Cyber Essentials is a government-backed, industry-supported scheme to help organisations stay out of steep trouble by protecting themselves against common cyber-attacks. Cyber Essentials concentrates on five key controls. These are:
1. Effective boundary firewalls and internet gateways.
2. Secure network configuration.
3. Access control – ensuring that only those who should have access to systems have access, and at the appropriate level.
4. Virus and malware protection – ensuring that virus and malware protection is installed and up to date.
5. Patch management – ensuring that the latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied.

While it's important to implement rigorous security controls to avoid incidents brewing, it's equally important to put in place an incident response plan and team, and to rehearse them. The incident response process should include root cause analysis, containment, notification (to whom and when), assessment of ongoing risk, and identification of preventative and corrective actions. Security risks are inevitable, but establishing effective incident management policies and processes will help improve resilience and reduce financial and reputational risk.

Are you guil-tea of not doing enough to defend your information assets?

Monica Cope
COO, Veratta