Tradelink-eBiz : e-Post

Login ID

Password

TexWeb

CIECC

e-Law

Tariffs & Regulations

Trade Info Circular

TradeStat

Labour Legislation

Steve Beason Making the Jockey Club a Safe Bet

Steve Beason, Executive Director of Information Technology for the Hong Kong Jockey Club, makes sure our bets are safe with information technology.

For much of the year, on Wednesday nights and Saturday afternoons, Steve Beason has the most important information technology (IT) job in Hong Kong, and in dollar terms, probably in the entire world. As Executive Director of Information Technology for the Hong Kong Jockey Club, on race days Beason's computers process roughly 7 million transactions worth around HK$1.2 billion.

Visitors from overseas who spend an afternoon or evening at one of the Jockey Club's racecourses, taking an occasional $20 flyer on a horse wearing a lucky number, rarely gain an understanding of the importance of horse racing and race days to many Hong Kong residents.

Newly arrived foreign jockeys quickly learn, and the story goes that one rider asked a Chinese friend for the translation of what he thought was a nickname that had been given to him by homestretch railbirds. The rider, who had not started his season with a bang, learned from the embarrassed friend that disgruntled punters had been offering him advice on improving his social life.

The logistics of Steve Beason's job are fairly straightforward. The number of transactions, while large, are easily manageable by the infrastructure he has put into place, and the computers don't care if bets are for $20 or $2 million. Where Beason earns his pay is in assuring the Jockey Club's customers of system uptime and system security.

Some 46 per cent of the Jockey Club's monetary transaction volume is cashless, attributable to customers who have established accounts with the Club and who place bets through Club-provided customer input terminals (CITs), mobile phone-based message services or via one of three call centres.

This coming season, says Beason, the Club will roll out an Internet-based service that it has been beta-testing with several hundred customers over the past year. Also soon to be launched is a software module for handheld devices that use the Palm operating system.

Asked how many users he expects will use the Internet betting service, Beason says, "We're planning to be able to handle a large number, but in truth I have no idea how popular the Internet will be as a way for our customers to bet on races. At homes where people have PCs on which they might place bets, they also have televisions. Is it easier to pick up the phone and make a bet while watching television? Probably. I have a feeling that our handheld service will be much more popular." Fundamental to the success of any IT-based services offered by the Jockey Club is the assurance to customers of secure transactions. Though people willingly give their credit cards to waiters and shop assistants who disappear into back rooms to process transactions (and might be running off dozens of blank charge slips for later use), many are still dubious about the security of e-commerce transactions.

The reputation of organisations offering customers an e-commerce option is predicated on the assurance of a completely secure environment, and although no environment (e-commerce-based or not) can be 100 per cent secure, Beason says the Jockey Club has never had a security breach.

He says, "We've spent a lot on making our systems safe, but given the volume of our transactions it's been easy to make the business case for investing in a high level of security." The network carrying transactions from the Club's betting centres and racetracks to its headquarters is a private one, completely inaccessible from outside, and all the data on it is encrypted using standards-based encryption that the Jockey Club has built internally.

In addition, the security of Beason's systems is overseen by a data security specialist who operates outside of Beason's IT department. "The security team's job is to make sure my systems are secure," Beason says. "These guys try to hack into our systems on a regular basis and they produce assessment reports that tell me where we need to improve. They haven't been able to break us yet, but we're ready for it if it happens.

Security is simply about deciding how much risk you're prepared to accept," he continues. "There is always some risk if you are going to interact with the outside world. But most security breaches are not the result of failed system security; they are because someone went through your rubbish or took a key employee to dinner."

Although the Jockey Club hasn't had a security problem, Beason says an important part of implementing a security system is being prepared for a problem. The Jockey Club has press releases and customer letters in place and ready to go at a second's notice if a problem occurs. Everyone in the organisation knows what he or she needs to do in the event of a problem he says. "You've got to assume that something will happen," Beason says, "Prepare for that, and then do everything you can to make sure it doesn't."

One way the Jockey Club reduces its vulnerability and maintains customer confidence is by requiring customers to set up accounts with the Club. This is a strategy that Beason recommends for businesses that conduct e-commerce transactions with regular customers. "If your customer has an account with you, secure credit card information doesn't have to travel over the Internet every time a transaction occurs," he says. "The account can be set up over the telephone or via fax or in person, and then you've got the customer's data on file." The Jockey Club also bars overseas access to its network, meaning that hackers wanting to pit their wits against those of the Jockey Club's security team must be physically resident in Hong Kong. This measure eliminates the possibility that a 16-year-old Russian or American whiz kid might be able to hack into the system on a dare or with more criminal intentions.

All of the Jockey Club's security measures come at a price, but Beason says obtaining a level of comfort with your security systems is a matter of deciding how much security and inconvenience or cost you want to put up with, and balancing those factors.

He draws a parallel to international air travel. "When you take an international flight you pass through at least one metal detector, and your baggage is subject to at least one x-ray," he says. "This takes time and sometimes is a frustrating process, especially when you're late for the plane and there's a queue at the x-ray machine and the inspection office asks you to open your bag. But most of us look at those security measures in context and accept them as very worthwhile. IT systems security is about achieving the same level of customer confidence."

Steve Beason's Tips for More Secure Systems

To avoid credit card problems, set up customer accounts. Obviously this works better for B2B (business-to-business) than for B2C (business-to-consumer) transactions.
Make sure the physical and social aspects of your operation are secure; chances are a problem will occur in these areas before a hacker breaks into your systems from afar.
Assign someone responsibility for overall operational security, and make this someone other than your IT manager.
If you're investing in security systems, keep it simple. Using a single vendor or a small number of vendors increases the chance that your security systems will provide seamless coverage.
Decide how much risk you're willing to accept, prepare for the worst, and hope it doesn't happen. Remember, if you're an SME you're not likely to be a prime target for hackers. The payoff for them is not worth the time and effort.

Sep 2001