Think informative. Latest news and updates on issues affecting business
August 2014
• Take steps to tackle internal fraud.
• Recent cyber prosecutions.
• New figures show all-time low in fatal injuries to workers.
• Recent HSE news and prosecutions.
• Data theft by departing employees.
• Protect your email from prying eyes.
Take steps to tackle internal fraud
Most organisations accept the risk of external fraud as an unavoidable part of doing business - and take appropriate steps to limit that risk. But recent figures from CIFAS, the United Kingdom’s fraud prevention service, show that business owners would be wise to treat internal fraud with the same seriousness. CIFAS’ standard definition of internal fraud is ‘when a member of staff dishonestly makes false representation, or wrongfully fails to disclose information, or abuses a position of trust for personal gain, or causes loss to others’. An April 2014 CIFAS report found that there were 638 cases of reported internal fraud in 2013, an increase of 18 per cent from 2012. Internal fraud is on the rise, and it is a force to be reckoned with. The harmful effects of internal fraud linger long after the initial act - the cost of each internal fraud incident can be four times the sum initially lost, according to CIFAS. To tackle internal fraud in your business, follow these five top tips:
1. Start a fraud hotline. Employees are more likely to report fraud if they can remain anonymous. Start a hotline your employees can call anonymously.
2. Watch for red-flag behaviour. Living beyond one’s means, having financial difficulties and maintaining an unusually close association with vendors or customers are all warning signs.
3. Do not rely solely on external audits. External audits, together with rigid internal controls, are what stop fraud.
4. Stay alert, especially if you are a small business. Small businesses tend to suffer more as a result of internal fraud.
5. Focus on prevention. Losses from fraud can linger for years. Instead of trying to recoup losses, try to prevent them in the first place.
Flower and vegetable pots removed from garden
A West Midlands pre-school that uses a garden managed by the local parish council to teach children about growing flowers and vegetables was told by the council it must remove the children’s potted plants from the garden, citing health and safety hazards. The pots were placed near posts holding up a small patio area, and the council was worried someone might trip and sue. The HSE Myth Busters Panel ruled that banning pots from a garden is ridiculous - the council should discuss tripping hazards with staff rather than banning standard garden items and depriving children of a learning opportunity.
Builder ordered to remove World Cup flags
A London builder quit his job after his manager, motivated by health and safety fears, ordered him to remove two flags he had put up to support England in the World Cup. However, health and safety law does not stop anyone from supporting his or her team. The manager may have wanted to avoid setting a precedent that allows all workers to display support for their teams, but it is hard to see why this would be a health and safety problem.
Council and tree surgeon fined for botched felling
Gateshead Council and a tree surgeon were fined a total of more than £50,000 after their botched tree felling injured the surgeon’s 52-year-old employee. An employee and tree surgeon were carrying out tree work after being contracted by Gateshead Metropolitan Borough Council to remove two trees that were close to falling onto a Network Rail railway line. During the felling, one of the trees fell onto the track. The surgeon and employee tried to cut the tree away, but were unable to do so before an oncoming train slammed into it, injuring the employee. Neither the council nor the tree surgeon had notified Network Rail of the work.
Northern Ireland company fined after worker loses hand
The Health and Safety Executive Northern Ireland (HSENI) reported on a case in County Derry in which a timber pallet manufacturer was fined £8,000 plus £1,500 in costs after its safety failings led to a 22-year-old worker losing his hand while operating a machine. The HSENI found that the worker had only started work at the company seven weeks before the incident and did not receive proper training to maintain and operate the machine.
New figures show all-time low in fatal injuries to workers
New figures released by the Health and Safety Executive (HSE) in July reveal that the number of workers killed in Great Britain last year has dipped to the lowest annual rate on record. Provisional data reports that 133 workers were fatally injured between April 2013 and March 2014, compared with 150 in the previous year. The new figures show that the overall rate of fatal injury dropped to 0.44 per 100,000 workers, down from 0.51 in 2012-13. Any death at work is one death too many, but these statistics confirm that UK workplaces are at least getting safer due to the HSE’s efforts to curb workplace fatalities. The new figures also show the rate of fatal injuries in several key industrial sectors:
• Agriculture – Twenty-seven workers were fatally injured last year in the agriculture sector, lower than the average of 33 in the previous five years. Agriculture’s rate of fatal injury in 2013-14 is 8.77, down from the five-year average rate of 9.89.
• Construction – Forty-two workers were fatally injured last year in the construction sector, lower than the average figure of 46. The latest rate of fatal injury is 1.98 per 100,000 workers, compared with the five-year average of 2.07.
• Waste and Recycling – Four workers were fatally injured last year in the waste and recycling sector, lower than the average count of seven over the last five years. The latest rate of 3.3 deaths per 100,000 workers is well below the average rate of 5.48.
Across Great Britain, workers’ fatal injury rates continue to fall:
• England – 106 workers were fatally injured in England last year, resulting in a rate of 0.41 deaths per 100,000 workers, compared to the average of 134 deaths in the past five years and a decrease from the 119 deaths (and rate of 0.47) recorded in 2012-13.
• Scotland – Twenty workers were fatally injured in Scotland last year, resulting in a rate of 0.78 deaths per 100,000 workers, compared to the average of 21 deaths in the past five years and a decrease from the 23 deaths (and rate of 0.90) recorded in 2012-13.
• Wales – Seven workers were fatally injured in Wales last year, resulting in a rate of 0.52 deaths per 100,000 workers, compared to the average of 10 deaths in the past five years and a decrease from the eight deaths (and rate of 0.61) recorded in 2012-13.
But not everything is so rosy—other figures released the same day by the HSE show a rise in deaths from mesothelioma, a cancer caused by exposure to asbestos. In 2012, 2,535 people died from mesothelioma, an increase from 2,291 in 2011. The HSE believes that the high number of mesothelioma deaths is a reminder of historically poor standards of workplace health and safety which continue to cause thousands of deaths each year.
Northern Ireland prison service warned
The Information Commissioner’s Office (ICO), the United Kingdom’s data protection regulator, has warned the prison service in Northern Ireland to bolster security after a filing cabinet containing Maze Prison records was unwittingly sold at auction. The incident occurred in 2004 when a cabinet that officials thought was empty was sold at a public auction. In fact, the cabinet contained files about the prison’s closure, including details on staff and a high-profile prisoner. The Northern Ireland Office, which was responsible for prisons at that time, retrieved the sensitive information but failed to report the matter to the ICO. The ICO became aware of the breach when a similar incident occurred in 2012.
Scottish businesses prime targets of cyber crime gangs
Russian cyber crime gangs are increasingly targeting Scottish businesses, according to a BBC investigation. Figures from Police Scotland show a surge in cyber crimes at the end of 2013, with businesses as the prime target. Businesses of varying sizes across a wide range of sectors have been targeted, but most targets are financial and agricultural businesses with up to 200 employees. Police are stressing the long-term financial and reputational damage of cyber crime and recommending that businesses invest in additional cyber security measures. The police urge any businesses that were victims of cyber attacks to come forward - although few commercial attacks are reported due to fears of reputational damage, only by contacting the authorities can the criminals be caught.
Manager who sold customer details to claims company fined
A 29-year-old former manager at a hire car company in Merseyside was fined £500 and ordered to pay a £50 victim surcharge in addition to £264 in prosecution costs after stealing the records of almost 2,000 customers and selling them to a claims management company. The rental company alerted the ICO after its cyber security system showed an irregularity. The ICO then raided the Liverpool-based claims management company, finding a stockpile of records all related to customers who had been involved in recent accidents. The claims management company currently remains under investigation by the ICO.
Data theft by departing employees
Data theft by departing employees is costing UK businesses millions of pounds, according to research by London-based law firm EMW Law LLP. The number of High Court cases related to the theft of confidential company information spiked more than 250 per cent from 2010 to 2012, with the average legal bill for settling such cases costing about £30,000, not including the actual cost of data loss. What is motivating these sticky-fingered employees? For one thing, data theft has become extremely easy as more and more information can be compressed into smaller and smaller quantities. Disgruntled employees, after being sacked, are making copies of company databases and other critical information to give to new employers, to set up their own businesses or to sell to marketing firms. It only takes seconds to copy a damaging amount of data to a cloud-based storage service, which employees can later access from outside the company. Unfettered remote access to company systems also enables employees’ data theft, allowing them to access sensitive information and easily copy it to their home computers. Although the door is wide open for employees to steal data, businesses lack the basic controls to prevent such thefts. Three-quarters of employers surveyed by OnePoll in April 2013 admitted to not having any enforceable systems to prevent employees from gaining unauthorised access. Smaller companies are more likely to be vulnerable due to their lack of resources. The most commonly affected small companies are financial services firms, estate agents and recruitment firms. To prevent an embarrassing internal data breach and whopping legal bills, proactively monitor all activity across your business’ entire IT network. Rather than relying on reactive security defences, use a dedicated monitoring system to identify data breaches before they escalate.
Protect your email from prying eyes
Email has a number of benefits that far outweigh the costs - it’s cheap, instantaneous and easy to use. But email can be a huge liability for businesses: It is not inherently secure, meaning anything you or your employees send via email could be intercepted. For normal, everyday email communication, this is no problem. But for emails containing sensitive information such as passwords and customer data, lax email security is a persistent problem, which can generate steep fines and tarnish a business’ hard-fought reputation. To protect your business’ email from prying eyes on the Internet, follow these top tips:
• Set up a spam email filter. Email is the primary method for spreading viruses and malware. Everyone gets those messages promising £1,000,000 or a new gadget under the condition that you disclose your National Insurance number or bank information. To avoid receiving these dubious messages in the first place, use email-filtering services provided by your email service, hosting provider or cloud provider. Regularly review and update filters to ensure you always have the most up-to-date protection.
• Protect sensitive information sent via email. Business email often includes sensitive information. Whether it is company information that could harm your business or something personal, it is imperative that you protect that information and ensure that only authorised recipients can see it. Consider encrypting your emails, which is the process of converting data into an unreadable format so that only those with the encryption key can read it. Cloud services also offer secure Web-enabled drop boxes that allow secure data transfer.
• Implement a sensible email retention policy. Keeping old, unnecessary emails clutters your inbox and increases your security risk. You should implement basic controls to limit email retention - if an email contains sensitive information, the longer you keep it, the more your risk grows. Consider mandatory archiving at a chosen retention cycle end date and automatic permanent email removal after another set point, such as after 180-360 days in archives.
• Develop an email usage policy. Your email policy is important for setting employee expectations and developing company-wide standards. Key areas to address in your policy include what the company email system should and should not be used for, and what data is allowed to be transmitted. Other policy areas should address retention, privacy and acceptable use.
• Train your employees in responsible email usage. Technology alone cannot make a business secure - train your employees to identify risks associated with email use, how and when to use email appropriate to their work and when to seek professional assistance. Offer security awareness training for all new employees and refresher courses every year.
The content of this newsletter is of general interest and is not intended to apply to specific circumstances. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly. © 2014 Zywave, Inc. All rights reserved.
bluefingroup.co.uk Bluefin Insurance Services Limited is authorised and regulated by the Financial Conduct Authority.