The Pensions Administration Standards Association (Pasa) and Crowe have proposed plans for a cybercrime and fraud information sharing network, stressing the need for the industry to share insights around system vulnerabilities.
Speaking at the Pasa Annual Conference, Crowe partner and head of the national forensic services team, Jim Gee, argued that whilst there are things that organisations should be doing to remove their own vulnerabilities, collective efforts are also needed.
“There are things we must and should be doing together,” he stated, continuing: “Cybercrime and fraud affects all of us. We can be properly protected against them, but we all need to learn from the incidents that may only affect a few of us.
“So, if something bad happens to an organisation, all Pasa members and the broader administration community should be able to learn from it.”
Gee also clarified that it’s not just about the identities of the individual fraudsters or cyber criminals, suggesting that this information is “pretty meaningless, to be honest, given identity fraud”.
“What we need to actually share is information about what vulnerabilities are being exploited in what systems, so we can all look at our own systems and make sure that those vulnerabilities are removed,” he continued.
“That’s why we’re talking at the moment about a Pasa cybercrime and fraud Information Sharing network, which would aim to facilitate the sharing of information about the nature of fraud and cybercrime attacks, so the smallest number of attacks leads to the greatest possible level of protection.”
According to Gee, membership would be open to any member of Pasa, with organisations to nominate a senior individual and deputy with suitable experience in the cybercrime and fraud space to be their designated representative.
However, a condition of membership would be that members share this type of anonymised information about all cybercrime and fraud attacks, unless there are exceptional reasons not to.
Gee explained that focusing data sharing on the means, methods and resources used, rather than the identity of particular individuals or scammers, would also avoid any issues associated with identifying individuals.
He suggested that the information could be shared electronically and collated in a secure data sharing hub, with Pasa responsible for the administration of the network, with suitable technical and professional support.
The next steps for the proposed framework, according to Gee, are creating an online digital hub on a web-based secure microsite, developing legally acceptable member T&Cs, and resourcing the administration of the hub and information sharing mechanisms.