Under lock and key: How secure is your employee benefits system?

Mention benefits fraud, and most of us think of those newspaper campaigns highlighting people who are falsely claiming unemployment or disabled benefit while working – or running marathons.

But in today’s information-enabled age those managing employee benefits also need to think carefully about the risks to their programmes. As fraud and hacking becomes more sophisticated, it is important to recognise the responsibilities placed on you as an HR professional to look after your employees’ data. You are in a position of trust, after all. It’s probably at the front of your mind when thinking about payroll but what about during the implementation of a voluntary benefits programme?

“Your choice of benefits provider is key to ensure that you do not put your employees’ personal data at risk”

When you set up a benefits programme for your employees, you are entrusting any third party you use with your employee data, which can include payroll or employee ID numbers as part of the running of it. Those employees may then store address, telephone and other key data on their flexible benefit site.

In fact, we should be as wary of the security credentials of benefits providers as we would be with a payroll software provider. After all, in an employee discounts programme your provider will be handling millions of pounds’ worth of your collective employees’ money, holding address details in their systems and processing credit card payments. If you are offering childcare vouchers, they will also hold details of your children and their childcare providers. You do not want the wrong people accessing this data.

The intention of this article is not to scare employers off voluntary benefits. They offer a great proposition that drives engagement across the breadth and range of your employees. Employee discounts can appeal to everyone in a way that other benefits – medical cover, death in service or gym discounts – might not. And they are a great way to help your employees make money go further in straightened times, especially when you include salary sacrifice programmes like childcare vouchers and cycle to work.

But there’s a lot of personal information there about your employees. Your choice of benefits provider is key to ensure that you do not put that at risk. So, how do you make sure your choice of benefits provider is taking your employees’ security seriously?

Well, first and foremost you need to check their credentials. There are some key questions: are they ISO 27001 accredited? The ISO 27001 information security management system (ISMS) brings information security under specific management control. A provider such as Asperity, which has been ISO 27001 accredited continuously since 2009, will have to implement a coherent and comprehensive suite of information security controls that ensure that your data is always handled appropriately and securely.

This can encompass everything from a clear desk policy so that physical data about your employees is not left lying around, to the use of specific terminals that ensure Helpdesk staff can access the appropriate data to help your employees but that are ‘locked-down’ so no one can download or transfer that data elsewhere.

By managing the development of its Reward Gateway site in-house, Asperity can ensure that it responds quickly to keep the platform ahead of the curve in offering anti-fraud measures. And an in-house recruitment team ensures that all staff have been vetted to high standards and can be trusted to protect your data.

You also need to know that your data is backed up and secure offsite. This means ensuring that your provider’s data centre, and any other key third parties used to fulfill your service, is also secure. Asperity’s external hosting company is ISO 27001 accredited meaning any data that Asperity backs up offsite is as secure as the information held in its own offices.

Any company handling cardholder information for major debit, credit and other cards must also hold Payment Card Industry (PCI) certification. Asperity’s PCI accreditation proves that it has built controls around card holder data to minimise the risk of it being stolen for fraudulent use.
You should also look at the company’s background. How long have they been trading? Are they financially secure? Asperity is proud to hold a four out of five star Dun & Bradstreet rating. It’s also FSA authorised and regulated to ensure that its InsureCompareTM feature in Reward Gateway is appropriately managed.

And if your site offers Cashback, does the provider ensure that money is ring-fenced and protected for your employees? These funds should be held independently and not used to fund day-to-day business. Be sure that your employees can withdraw their cash at any time, and in any amount that they want. Asperity’s in-house Cashback team can provide a level of support unmatched elsewhere in the industry, checking and managing Cashback withdrawals to give your users the quickest and most secure response.

Hijacking of users accounts is another concern. It could give a fraudster access to address details, and potential to profit particularly if a user has built up a reserve of Cashback in their account. Asperity’s product is limited to a closed user group (your employees) and our technology enforces user access controls.

We are constantly looking to safeguard registration and access mechanisms. It can be a delicate balance: making it easy as possible for you to use Reward Gateway, and as hard as possible for a fraudster to access it. At the end of the day, our success is in making a site that benefits nearly 1.8m users on a daily basis. And that success is preserved in keeping those users safe as they shop.

By Alison Crosland