So much has been said about the global pandemic and the massive impact of the COVID-19 virus on our physical and financial wellbeing, that I don’t want to add to the weight of collective worry. It is timely, though, to remind ourselves of other present dangers.
As those working in the frontline of the health sector are battling to save lives, so too are professionals in the financial advice and financial services sector battling to protect and preserve the future monetary wellbeing of our citizens.
I want to make a plea that, while the whole world is fighting a health crisis, we as individuals should also take steps to avoid a pandemic of data fraud also taking root.
Anyone now working from home will understand that data protection and security is ever more vital.
As the world is focused on keeping the wheels of commerce and the wellbeing of our families, work colleagues and communities going, it is also important to be vigilant of growing cybersecurity risks, identity fraud and the importance of a few simple and effective process improvements.
As we navigate this terrible COVID-19 pandemic, a few minor changes are all that may be required to be better custodians of working Australians’ sensitive data and their money.
Many financial advisers have small business clients that are an important part of the future recovery effort of the Australian economy. The measures described here will also assist those Australians, and the last thing they need is a data theft or fraud incident at this time.
In the superannuation space, recent experience has shown us how intimate the relationship is between a members’ identity data and their superannuation savings and contributions. That intimacy has to be a focus for protection.
Australia’s cyber spy agency has already warned of scams and phishing attempts. Scamwatch has received 94 reports of scams related to the coronavirus since January, with numbers climbing. It should also be noted that identity fraud is one of the most common crimes in Australia today.
This is well-illustrated with the recent reporting of theft from members’ superannuation savings. For example, during February this year a South Australian man was charged over an $11 million cyber hit on super funds. This is the second recently reported incident where $10 million or more has been stolen from super savings, in this case via payroll identity fraud.
The increase in cybercrime is compounded by employees working from home and accessing company data remotely. Devices like laptops and personal handheld devices significantly increase risks for data breaches from both cyberattack and diminished user vigilance. It is also important to note that at this time the general focus and awareness on cybersecurity issues and threats is reduced.
For example, home-based workers may slip up or avoid their internal systems and processes as many Australians at home are juggling workloads, caring for children and possibly looking after isolated family members.
In the area of superannuation and payroll fraud, we recommend a series of steps to reduce the risks. These extend largely to superannuation funds and payroll service providers offering alternatives to the antiquated export and upload process used to pay employee super contributions.
This literally means avoiding unnecessary contact with the real world. In other words, keeping data and the money in a secure ‘pipe’ that is immune from external attack or of being corrupted by an outside attack.
Most commonly, we see outdated processes that compel employers to unnecessarily expose members’ identity and financial data outside of secure payroll systems. This means unnecessarily by-passing access control, password-protection and audit-log functionality to appropriately protect employees’ information.
To further explain the process (and potential gaps) for a typical payroll manager or small business employer today when paying employee contributions, a SuperStream file is most often exported outside of their secure payroll system – the file contains employees’ name, date of birth, address, contact information, tax file number and income details – essentially a rich laundry list of identity information. The same data targeted for identity fraud and subsequently theft from members’ superannuation savings.
Once a payroll manager or business owner exports a SuperStream or single touch payroll (STP) file outside of their payroll system, they are exposing employees’ and members’ identity and financial data to unnecessary risks. To complete a SuperStream disbursement, the payroll manager subsequently navigates to a fund portal to upload the file or files to finalise the transaction.
In addition to unnecessarily exposing employee data, this process can lead to issues for employers with the notifiable data breach (NDB) scheme. By removing the additional security inherent in payroll systems, employers introduce easily avoidable risks. If they are breached with their employees’ personal and private information exposed on a desktop or shared drive, they have added complexity in their reporting of the breach to the Office of the Australian Information Commissioner (OAIC) and also need to inform their employees that their identity and financial data is likely to have been compromised.
It is therefore evident that an integrated payroll network is even more essential now and should become the ‘new normal’ to help combat the increased risks of cyber threats.
Having such a system in place removes the need to export and expose employees’ or members’ identity and financial data outside of secure payroll systems.
The integration with payrolls via an Application Programming Interface (API) facilitates highly secure transfers for employees’ data by keeping all their information behind the additional security provided by the payroll software. API transfers effectively enable more secure computer to computer transfer for data and removes the requirement to export personal and private information to a desktop or shared drive.
When cyberbreaches occur, personal and private information on a desktop or shared drive is readily accessed by cybercriminals. Even the identity and financial data that sits on desktop or shared drive can be unintentionally exposed by simple human error, simply via an erroneous email or erroneous email recipient. Indeed, human error currently accounts for close to a third of all notifiable data breaches.
With the announced COVID-19 stimulus measures to include early access to superannuation savings, there is likely to be a significant increase in the movement of money being redeemed out of the superannuation system.
This further raises the importance of protecting identity data and superannuation money. The good news is this can be done simply and quickly. Removing the weakest link in the end-to-end security chain from employers to funds, namely desktops and shared drives, significantly improves the contributions payment process for all working
Australians who depend on a secure superannuation system.
During the challenging times ahead, people’s health and financial wellbeing is of course paramount.
Simple changes to common processes can have a lasting and meaningful impact. To help increasingly challenged employers and employees, advisers, superannuation funds and payroll professionals can make some minor changes to ensure their contributions process protects members’ data end to end.
The whole world is massively challenged right now, demanding us to solve the medium-and longer-term implications of significant disruptions from COVID-19.
If there is a so-called ‘silver lining’ from this situation it might be that increased requirements for remote working will accelerate automation, end-to-end security thinking, and process re-engineering.
A disbursed online workforce presents a clear necessity and opportunity for a permanent move away from paper, e-mail or manual based data transfer, and approval processes which circumvent the security and control procedures built into business management systems like payroll.
The most progressive of Australia’s super funds and payroll service providers are already making these types of changes to be good custodians of working Australian’s identity, financial data and money.
Organisations who don’t effectively implement these changes will face increasing challenges from their customers, government and regulators as the cost of complacency will ultimately undermine them.
Is it not better to boost our collective ability to inoculate the money and data on behalf of our clients and hardworking Australians?
One consequence of the COVID-19 crisis is the opportunity to look beyond the immediate challenges and focus on innovation to bring the right contribution and tools to market to not only be prepared to face new challenges, but encourage Australians to be better off for the experience of battling this dreadful virus together.
Dean Martin is chief executive of InPayTech.