Remaining temporary insolvency restrictions lifted

Restrictions on winding up petitions, which raised the debt threshold to £10,000 or more and required creditors to give debtor businesses 21 days to respond to alternative proposals before seeking a winding up order, have now been lifted.

The measures were introduced in October 2021, replacing previous temporary changes that had been in place since early in the pandemic.

When announcing the measures, the Insolvency Service stated they would “be in force until 31st March 2022”, but many temporary arrangements put in place to respond to the impact of Covid were extended beyond their original end dates. In this case, it seems the government has decided circumstances are close enough to ‘normality’ again to end the restrictions as planned.

It is difficult to tell what effect the changes will have on insolvencies. While the debt threshold was raised significantly from £750 to £10,000, it only applied to single debts, meaning the threshold could still be reached through the sum of multiple debts owed to one creditor or of debts owed to a group of creditors. The restriction still offered added protection to many businesses, of course, especially smaller companies which were more likely to have been impacted by Covid.

Whatever the impact on the insolvency market, the changes are the latest indication from the government that it is returning to ‘business as usual’.

In a related announcement, Business Minister Paul Scully confirmed that the general moratorium on commercial evictions has ended and “a new law is now in place to help resolve certain remaining commercial rent debts accrued because of the pandemic”.

The Commercial Rent (Coronavirus) Act 2022 makes available a legally binding arbitration process to commercial landlords and tenants who have not reached an agreement. The law applies to businesses forced to close, or whose activities were heavily restricted, as part of the government’s Covid restrictions. It protects eligible firms from eviction for a further six months.

Instruct ESA Risk today

If you’re looking for an experienced company to reliably serve documents, including winding up petitions, look no further than ESA Risk. Our extensive network of process servers covers the whole of the UK (as well as overseas locations).

Need to confirm an address before sending documents? We also provide tracing services, ensuring you serve the right people in the right place at the right time.

Email us at process.serving@esarisk.com, or call us on +44 (0)343 515 8686.

Boost cyber standards now, urges government

The UK government is encouraging businesses and charities to strengthen their cyber security, in the light of the Cyber Security Breaches Survey 2022 report commissioned by the Department for Digital, Culture, Media and Sport (DCMS).

Based on a survey conducted by Ipsos MORI between October 2021 and January this year, the report shows that 39% of businesses and 30% of charities experienced cyber attacks or cyber security breaches in the last 12 months.

While these numbers are in line with 2021 levels, the frequency of attacks is increasing. Of those suffering attacks, 31% of businesses and a quarter of charities “said they now experience breaches or attacks at least once a week.”

“It is vital that every organisation take cyber security seriously as more and more business is done online and we live in a time of increasing cyber risk.

No matter how big or small your organisation is, you need to take steps to improve digital resilience now…”

Cyber Minister Julia Lopez

The report was ordered as part of the government’s National Cyber Strategy, which aims to protect the UK from cyber threats “by investing in cyber skills, expanding the country’s offensive and defensive cyber capabilities, and prioritising cyber security in the workplace, boardrooms and digital supply chains.”

Other figures from the survey are more positive, with 82% of senior managers in UK businesses listing the priority level of cyber security as ‘very high’ or ‘fairly high’, compared to 77% in the 2021 survey. This represents “the highest figure seen in any year of the cyber security breaches survey.”

DCMS point out that this increase may be due to the recent “wave of high-profile attacks” and the “increased attention on the cyber security of supply chains and digital services.”

The department is directing organisations to various resources for help, including:

One area that deserves particular attention is supply chain threat management. According to the report, just “13% of businesses reviewed the risks posed by immediate suppliers.”

Get help from ESA Risk

For further cyber security advice and support implementing recommendations in the government’s resources, please contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

We work to the pillars of training, education and awareness, and provide a range of services including consulting, cyber security courses and practical exercises such as cyber war games.

 

ESA Risk consultant raises £4.5k for Cancer Research UK

Mario Ovsenjak, Hotel & Leisure Management Consultant, has raised £4,432 for Cancer Research UK, so far, after completing a second amateur boxing match at Manchester’s Bowlers Exhibition Centre.

A lively crowd was in place at the Ultra White Collar Boxing event to see scores of matches across two boxing rings and an MMA ‘cage’. Competitors undertake a gruelling eight-week training programme before being matched up for fight night, all in the name of charity.

After three exciting rounds, Mario unfortunately lost his fight on points, but he was in good spirits afterwards and hasn’t ruled out making a return to the ring in the future.

Here’s a snippet of the fight (Mario’s in red):

All of this is in aid of Cancer Research UK. Cancer research is an ever-important cause – statistically, one in two people will have cancer in their lifetime. Cancer Research UK works tirelessly on improving our chances of surviving all sorts of cancers.

There’s still time to make a donation on Mario’s Just Giving page.

ESG criteria: Social metrics, the data deficit and the pursuit of a universal framework

Environmental, social and governance (ESG) policies allow customers, investors and other stakeholders to evaluate a company’s impact on its employees, local communities and the natural world.

Some studies show that high performance on ESG criteria correlates with greater profitability, customer satisfaction, investment and ability to attract and retain talent.

Unlike its now less fashionable predecessor, corporate social responsibility (CSR), ESG provides reporting frameworks for tracking compliance.

However, the ability to share best practices and benchmark ESG performance has so far been stymied by the absence of a gold-standard framework that enables like-for-like comparisons.

The issue is particularly acute for ‘social’ metrics, which one expert has argued are “10 years behind” the ‘environmental’ pillar in terms of sophistication and data gathering.

Mutually reinforcing ESG metrics

The growing urgency of climate change and biodiversity loss has seen sustainability – with metrics around carbon footprint, water consumption and air pollution – dominate the ESG conversation.

And the corporate exodus from Russia in the wake of the war in Ukraine, as well as evidence of corporate malfeasance emanating from leaks like the Pandora Papers, have given greater impetus to the ‘governance’ dimension, as measured by the rectitude of directors, regulatory compliance and so on.

But the conflict in Ukraine also demands attention to ‘social’ metrics, which refer to how a business manages relationships with its employees, customers, suppliers and partners.

And Covid-19 too, which raises additional governance questions over supply chain resilience, has highlighted the value of ESG social metrics around keeping employees safe and treating them ethically.

More generally, having a motivated, skilled workforce – a key goal of ESG social criteria – is pivotal to any business goal worth pursuing.

Further, environmental, social and governance metrics are often mutually reinforcing. Consider how, for instance, making industrial processes less air-polluting addresses social criteria around health and wellbeing as well as being an environmental benefit.

‘Objective standard’ for ESG social metrics

Writing in the Stanford Social Innovation Review in February 2022, Jason Saul, executive director for the Center for Impact Sciences at the University of Chicago, said “the ESG field needs an objective standard for reporting social outcomes”.

Promisingly, the World Economic Forum (WEF) has developed ESG metrics, consolidated from the profusion of hundreds of existing frameworks and standards, that it claims have shown signs of yielding positive social outcomes.

Developed in collaboration with corporate giants including IBM, Nestlé, and Sony, the ‘Stakeholder Capitalism’ criteria comprise four pillars – people, planet, prosperity and governance – and include 21 “well-established, universal, industry-agnostic” metrics and 34 expanded metrics and disclosures.

A white paper (PDF) published in September 2020 sets out the metrics, declaring “near-term objectives of accelerating convergence among the leading private standard-setters and bringing greater comparability and consistency to the reporting of ESG disclosures”.

The WEF reported in September 2021 that more than 50 companies had begun including the Stakeholder Capitalism Metrics in their mainstream reporting materials, and the first 45 reports showed “how companies are building skills for the future, with over $1.5 billion invested in training”, and “contributing to their communities and social vitality with nearly $140 billion in taxes”.

Early reporting has also apparently informed the IFRS Foundation’s International Sustainability Standards Board (ISSB), established in November 2021 to “deliver a comprehensive global baseline of sustainability-related disclosure standards”.

Dignity and equality

The WEF’s ‘people’ metrics comprise three subsections: dignity and equality, health and wellbeing, and skills for the future.

By ensuring “equitable opportunities” and “fair treatment” to employees regardless of “gender, race, age, ethnicity, ability and sexual orientation”, dignity and equality compliance on Stakeholder Capitalism Metrics means companies “become a better reflection of society and also deepen the pool of talent that a more diverse workforce can bring”, argues the white paper.

Health and wellbeing

Health and wellbeing compliance, meanwhile, is said to boost employee productivity and “is increasingly required by law”.

ESG criteria in this area cover the number and rate of fatalities resulting from work-related injuries; high-consequence work-related injuries (excluding fatalities); recordable work-related injuries; the main types of work-related injury; and number of hours worked.

The organisation must also score progress in facilitating workers’ access to non-occupational medical and healthcare services.

Skills for the future

Finally, the white paper says upskilling the workforce is given greater urgency by 2020 WEF findings that we need to reskill more than one billion people by 2030.

The ‘skills for the future’ metrics include average hours of training undertaken per employee over the reporting period by gender and employee categories, and average training and development expenditure per full-time employee.

Expanded ESG social metrics

The expanded metrics, which are suggested as a longer-term reporting goal, purportedly move beyond “reporting outputs alone to capturing the impacts of their operations on nature and society across the full value chain, in more tangible, sophisticated ways, including the monetary value of impacts”.

They will also apparently help “address urgent emerging issues – such as nature loss, resource circularity, and gender and ethnicity pay gaps – that are not yet well-represented in formal reporting standards”.

One expanded skills-for-the-future metric gauges investment in training as a percentage of payroll and the effectiveness of training and development through increased revenue, productivity gains, employee engagement and/or internal hire rates.

Addressing the data deficit

Jason Saul wrote that most of the few attempts made to create frameworks for reporting social impacts “have fallen short”.

He cited a 2021 ESG survey by BNP Paribas that revealed 51% of global institutions found social to be the most difficult ESG element to incorporate into investment strategies because “data is more difficult to come by and there is an acute lack of standardization around social metrics”.

He prescribes “three practical steps” to remedying the situation. “Most importantly, companies should start reporting S impact data consistently” and immediately, which will give them “a lot more influence over what standards are set”, he said.

“Second, ESG investors should start asking for S impact data and making it a requirement,” he added. “Finally, ESG rating agencies, standard-setting bodies, and data providers should align with a specialized S data provider to up-level the value of their data.”

It’s clear that, despite becoming the dominant model for measuring organisations’ impact on society and the environment, ESG – and the ‘S’ part in particular – still has some maturing to do.

Thankfully, evidence is growing that academics and ESG strategists are grappling with the need for universal, effective ESG standards and to elevate social metrics to the sophistication of their sustainability counterparts.

Advice and support from ESA Risk

For further advice and support on all areas of ESG, particularly compliance and making ESG part of your risk management strategy, contact Mike Wright, Risk Management and Investigations Consultant at mike.wright@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Superyachts: Tracing a moving target

CNBC suggested data it had reviewed showed “at least four massive yachts owned by Russian business leaders have been moving toward Montenegro and the Maldives in recent days.” While that’s not categorical proof that the owners are attempting to hide their assets or remove them from the reach of sanctioning countries (the Maldives is a popular destination for wealthy Russians), the report raises interesting questions about how asset freezing and confiscation orders are implemented.

While property – a common asset looked for in such situations – is relatively easy to identify and locate, superyachts pose a unique challenge, not least because they are a moving target.

Sanctions against Russian individuals have been brought by the UK, the US and the EU, among others, with a view to freezing their assets and, in some cases, seizing them. American President Joe Biden announced on Twitter that the US was “joining with our European allies to find and seize their [Russian oligarchs’] yachts, their luxury apartments, their private jets.” France has already announced the seizure of a yacht worth around £90m moored near Marseille.

It’s all well and good seizing assets that are in plain sight in your own boatyard, and the job is made easier when an international task force is working towards the same goal. But what happens when the whereabouts of an asset is unknown and in lower-profile cases with fewer resources?

How does asset tracing work?

In these cases, the first step is to determine the asset profile of the subject of the order – identifying assets owned by the subject and by their close associates. In many cases, when an individual is trying to hide their wealth, they will distribute assets among their network, but these may still be seized if a link between the subject and the assets can be proven.

The process of identifying assets and estimating the value of those assets is known as asset tracing. Investigators – such as those at ESA Risk – use databases, deep web tools, open-source intelligence (OSINT) and human intelligence (HUMINT) to build a picture of an individual’s lifestyle and behaviours, and the assets they own or potentially own.

Superyacht tracing is no different, but it requires specialist knowledge and can rely heavily on industry connections. It’s an area where we have deep expertise and experience, with access to superyacht-specific tools and databases along with connections in the world of superyachts. Our industry knowledge enables us to identify yachts from intelligence sources such as social media posts and to provide a valuation for a yacht at the current market rate. We also have access to tools that can track the location of a registered vessel anywhere in the world and give information about the status of the yacht (anchored, berthed or under way).

Linking an asset to a subject is not always that simple, though, as is being shown in the case of one of the world’s largest superyachts (at 156m long, the fifth longest), the Dilbar, valued at nearly £450m. Widely ‘known’ to be owned by Russian businessman Alisher Usmanov, the yacht is actually owned through a holding company and it is registered in the Cayman Islands, “making it difficult to tie directly to Usmanov for the purpose of sanctions.” Forbes reported that the Dilbar superyacht had been seized by German authorities, but the outlet quickly published a correction clarifying that this was not the case. Instead, the German federal customs agency states that “no yacht leaves port that is not allowed to do so.”

It is in these cases that industry connections can be particularly useful in helping to ascertain who the ultimate beneficial owner of a vessel is.

Asset tracing services including superyacht tracing from ESA Risk

When it comes to tracing assets, we are the experts. ESA Risk’s team will deliver concise but comprehensive results which will enable you to make the decision on which way to proceed. With a network of trusted partners covering every part of the world, our investigation capability – and therefore yours – is truly international.

We have specialist knowledge of superyacht tracing, too. This can be particularly useful when investigating high-net-worth individuals.

To instruct us on an investigation or for more information on our asset tracing services, contact Mike Wright, Risk Management & Investigations Consultant at mike.wright@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

The Pandora Papers and the challenges of multijurisdictional investigations

Based on almost 12 million documents leaked by whistleblowers in 2021, the journalist-led investigation resulting in the Pandora Papers exposed the opaque financial practices deployed by the rich and powerful to avoid tax and, in some instances, mask criminal wrongdoing.

Painstaking process

However, the Pandora Papers is a misleading case study when it comes to the myriad challenges around conducting multijurisdictional investigations.

The legal, consulting or investigatory firms that typically conduct cross-border investigations don’t usually have millions of documents, images, emails and spreadsheets serendipitously land in their lap, as was the case with the International Consortium of Investigative Journalists (ICIJ) and the Pandora Papers.

Rather, ordinarily they must surmount regulatory, cultural and geopolitical barriers that vary between jurisdictions to painstakingly unearth relevant data themselves.

As investigators we are first and foremost finders of fact.

Some investigators place great emphasis on the interviews conducted with relevant parties to ascertain these facts; others say the data will tell you everything you need to know. But most of us recognise we need a dual approach in order to establish the facts of a case as fully and accurately as possible.

Cross-border expertise

Finance and big business operate transnationally, meaning investigations can involve dealing with multiple corporate units in various countries as well as navigating the treacherous terrain of cooperating with law enforcement in those jurisdictions.

As such, we need a deep understanding of the laws and cultural environment of the countries our investigation encompasses, assisted by local legal and other experts.

Moreover, we must keep track of regulatory, geopolitical and other changes that make information easier or harder to obtain.

This helps us distinguish between outright illegality and practices that might be legal in some jurisdictions (albeit sometimes ethically dubious). Setting up shell companies in tax havens usually falls into the latter category, but could, in rare cases, be a means to cloak criminal activity.

Whitewash hazard

We must also be mindful that our role can be undermined at the very outset. There have been multiple instances where investigators have been brought in to effectively create cover for illegal activities and stonewalled or given misleadingly partial data or outright disinformation. This gives the company the credibility to say to the world: “Look! We had investigators in and there’s nothing to see here.”

Therefore, it is important that investigators have the requisite independence to obtain the information required and establish the facts of the case at hand.

Have we been instructed as an investigator in good faith? Do our engagement instructions allow us to do the job we were ostensibly brought on to do?

Data access policies and regulations

Some multinational corporations make our job easier by having a shared server and consistent systems and policies across their global operations.

Conversely, there are subsidiaries that are only loosely integrated with their parent organisation and effectively function as independent companies. This means you need a strategy for accessing information they hold and corralling on-the-ground resources to support data access.

Divergent data protection regimes, and even differences between how the General Data Protection Regulation (GDPR) is enforced across the EU, also create obstacles to obtaining, sharing and using information.

‘Low trust’ jurisdictions

When you enter a jurisdiction with low levels of ‘trust’ and high levels of economic crime there are several questions to address.

How do you manage people you recruited in this jurisdiction? Are they aligned with the values and culture of your wider organisation? Do you have training, controls and processes in place to ensure people stay on the straight and narrow? Do you conduct regular audits and visit their premises (Covid-19-permitting)?

People can be wary of speaking to investigators for a variety of understandable reasons.

For instance, they might live in low-trust countries with dysfunctional institutions, be female in a patriarchal culture, or be a member of a marginalised socioeconomic group (such as a low caste in India).

Therefore, investigators must have an eye on cultural context and sensitivities and have a plan for navigating those challenges.

How, for instance, can you empower people to speak up mid-investigation if their boss has told them not to speak to anyone?

We can assuage their misgivings by guaranteeing anonymity and a safe location to conduct an interview, such as by arranging to meet in a nearby hotel rather than their office.

Covert and Covid-19 challenges

Gathering data becomes tougher still if your investigation is operating covertly.

Covid-19 has complicated matters too, forcing investigators to do their work remotely when in normal times they might board a plane to retrieve material themselves.

With travel restrictions still onerous in many jurisdictions, we must in many cases still rely on employees and contacts based in the countries in question. But are those individuals trustworthy and reliable? Can you count on them to observe confidentiality and not tip off potential subjects of the investigation?

Data as disinfectant

Bribery and corruption are not isolated to one jurisdiction or region, or the global north or south, but are pervasive in every part of the world.

While they fall into a different category of investigation, journalist-led investigations like the Pandora, Panama, and Paradise Papers leaks demonstrate how the disclosure of incriminating data can spark meaningful action by lawmakers, regulators and courts.

Consider how, for instance, the 2016 Panama Papers revelations have precipitated ongoing money laundering investigations involving a Peruvian presidential candidate and a former Maltese chief of staff, while US lawmakers have cited the coverage in advocating for the Stop Tax Haven Abuse Act (PDF).

Sunlight really can be an effective disinfectant in these scenarios.

ESA Risk investigations

If you have the need for experienced investigators (including for multijurisdictional / cross-border investigations), please contact us. We can support you with an internal investigation or provide a full external investigation to meet your needs.

Contact Lloydette Bai-Marrow, Serious Fraud and Economic Crime Consultant, at lloydette.bai-marrow@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

ESA Risk consultant boxing for charity: Round 2

Mario Ovsenjak, Hotel & Leisure Management Consultant, raised more than £2,000 for Cancer Research UK when he made his debut appearance in the boxing ring just before Christmas last year. After 3 rounds, he lost on points, unfortunately. However, Mario has taken the opportunity to add a win next to his name and to raise more money for charity – he’ll be returning to the ring on Sunday 20th March in aid of Cancer Research UK, once again.

Ahead of his first fight, Mario remarked that he was “far more likely to be seen with a glass of sherry than fighting”. Clearly, that’s starting to change. As before, Mario has entered a gruelling 8-week training and nutrition regime to ensure he’s fighting fit by the time of the event at Bowlers Exhibition Centre in Manchester.

Here’s a taste of what that entails:

All of this is in aid of Cancer Research UK (a charity supported by ESA Risk’s Mike Wright earlier in 2021). Cancer research is an ever-important cause – statistically, 1 in 2 people will have cancer in their lifetime. Cancer Research UK works tirelessly on improving our chances of surviving all sorts of cancers.

Find out more, including how to make a donation, on Mario’s Just Giving page.

Market conditions creating a perfect storm for businesses

This unprecedented set of market conditions looked to have claimed its first high-profile victim when Studio Retail Group plc called in administrators, after failing to secure a £25m short-term loan. The company has been bought out of administration quickly, with Frasers Group paying £26.8m for the ailing business at the end of last week.

Perhaps the most concerning aspect of Studio’s story is that the company posted excellent trading results throughout the most challenging periods of the Covid-19 pandemic and was optimistic about its future position in updates made as recently as 5 weeks ago. On 31st January 2022, the Group CEO commented: “The trading performance over Christmas, with sales up 18% over two years, shows our offer is resonating with a customer base of 2.3m. We will continue to drive the long-term profitability and success of the group.”

A set of long-term problems bubbling under the surface appear to have come to the boil all at once to create a short-term cash flow issue that required a formal insolvency process to achieve a positive resolution.

The challenges faced by Studio Retail Group are being faced by a huge number of businesses in the UK, especially those in the retail sector.

Supply chain disruption

Supply chain disruption is probably the most widespread and most damaging of those issues. The current reasons for supply chain disruption are varied, with higher container costs, longer times on the water, delays at UK ports due to extra paperwork and HGV driver shortages all contributing to time delays and increased costs. Alongside facing increased transport and logistics costs (mentioned in every Studio trading update for the past 8 months – in hindsight, a red flag being waved repeatedly), many companies are holding excess stock to avoid future disruptions and therefore increasing costs without a guarantee of increasing sales.

Other challenges that may lead to cash flow problems

Overstocking is not necessarily a problem, but the current squeeze on consumers’ disposable income – caused by high inflation, interest rates and fuel prices, and soon to be worsened by energy price rises – is starting to affect sales of non-essential goods. That leads to stock going unsold and costs not being recovered.

Many industries are also seeing high wage inflation, with growth in average total pay at 4.3% in the latest figures from the Office for National Statistics (ONS). While this is much lower than the recent high of 8.3% in June 2021, growth is still higher than it has been for more than 14 years. In some sectors, the rate is much higher – finance and business services saw a growth rate of 8.1% in the period from October to December 2021 – and all sectors are experiencing growth.

Wage inflation can be driven by the need to retain staff by offering more competitive salaries and by staff churn leading to the need to recalibrate starting salaries. In the age of the ‘great resignation’, it’s easy to see why wage inflation is so high.

Add to that the monthly repayments of Covid recovery loans, most notably under the Bounce Back Loan Scheme, which are now well underway for those companies that took a loan, and the outlook for UK businesses is a perfect storm which threatens their short-term cash flow. For some (as in the case of Studio), it also threatens their existence.

While the £25m requested by Studio to manage its cash flow problems may seem high, the company had an existing revolving credit facility of £50m, and the decision by HSBC not to extend this funding line was a surprise to investors and the City. Considering Studio’s strong position in the last 2 years, this will rightly give other businesses cause for concern.

What is the outlook for UK corporates?

Studio predicted that “the disruption to supply chains will continue throughout calendar 2022”. The Bank of England expects the rate of inflation to rise even further from 5.5%, currently, to “over 7%” in the coming months – way above its 2% target, which the Bank “expect[s]…to be much closer to…in 2 years’ time.” In short, the challenges being faced by the UK market aren’t going away any time soon.

While it might sound like it’s all doom and gloom, it doesn’t have to be. There are many ways for a company to take control of its cash flow management and overall financial situation before it worsens and to pre-empt any formal insolvency process.

How can ESA Risk help with cash flow issues in business?

At times like these, seeking advice from professionals who are experienced in these financial and supply chain issues can make the difference needed to move your business from facing financial problems to financial security and profitability.

At ESA Risk, our expert consultants have a wealth of experience advising and supporting businesses. We can help with cash flow forecasting, financial risk management, debt recovery strategies and more.

Contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form to find out more about how we can support your business.

The fallout of a major data breach

A few weeks on from the suspected ransomware cyber attack on Optionis Group – Parasol’s parent company – contractors have found their personal data for sale on the dark web.

The discovery is the latest in a series of misfortunes to affect contractors employed through Parasol following the cyber attack in the second week of January.

As an umbrella company, Parasol employs temporary workers, often on behalf of employment agencies. Umbrella companies provide convenience for contractors and agency workers, and the companies who use the services of those workers, by managing contracts, timesheets and payroll, etc.

The role of an umbrella company also means it’s necessary for them to hold a large amount of personal and sensitive data. The introduction of the IR35 regulation in the UK, which relates to contractor / client relationships, has led to an increased use of umbrella companies by contractors and, consequently, an increased number of financial (payroll) transactions being made through those companies. As a result, companies such as Parasol now process and store a vast amount of sensitive financial data, making them attractive targets for cyber criminals.

The Optionis Group incident is the second major attack (that we know of) on an umbrella company in less than four months. Giant Group was the victim of a “sophisticated cyber attack” at the end of September 2021, which took the company’s communications and server network out of operation, and left some contractors without pay.

Timeline of the Optionis Group cyber attack and consequences

14th January 2022

Parasol initially advised its contractors that there was no access to the company’s operational and communication portals used to submit timesheets, view payslips, process contract extensions and so on.

Rumours began to circulate on social media that Parasol was experiencing a cyber attack, which was later confirmed by Optionis Group.

15th January 2022

Some of Parasol’s contractors started to report missing payroll payments or payments that were significantly lower than expected. When this was questioned, the company confirmed that payments were having to be made manually, implying that their bank accounts had been compromised.

21st January 2022

Parasol’s portals were restored. However, other companies within the Optionis Group had to move to rebuilt platforms. For example, an accountancy firm within the group reopened its portal with data migrated from its last backup, taken in November 2021, meaning 2 months’ worth of data was missing and needed to be manually re-entered.

4th February 2022

Social media reports confirmed that personal data from Optionis Group had been found on the dark web.

7th February 2022

An email from Optionis Group confirmed that their data had been found on the dark web and individuals would be advised if they had been directly impacted.

28th February 2022

At the time of writing, the contractor we spoke to had heard nothing further from Parasol / Optionis Group, despite finding their own personal data on the dark web.

Taking action

As someone who works in the cyber security and fraud industry, the contractor quickly took matters into their own hands and put controls in place to mitigate the personal impact of this data breach.

They’ve paid to set up monitoring alerts with Experian and CIFAS to try to protect themselves from identity fraud. The platforms will alert them if their personal details are used to apply for financial products.

As the director of a limited company, they’ve also had to register with the Companies House protection scheme to protect their company and receive alerts if anyone tries to change, or conduct business using, their details.

There’s still no guarantee that the individual’s leaked details won’t be sold or used maliciously in the future.

And the issues at Optionis Group are ongoing, with some systems still not restored in full since the cyber attack.

The contractor we spoke to is, unsurprisingly, frustrated and angry about the situation:

“I know how devastating an information security breach can be, so when I heard that my accountants and umbrella company that I work through for payroll had been breached, I was immediately very concerned. When it was confirmed that the personal data had been located on the dark web, I was extremely angry as you just assume that your accountants have the necessary protection in place for your data and information. Obviously not. It’s vital that other such firms review their systems and ensure they have the utmost protection as these attacks are becoming more and more commonplace.”

This viewpoint is clearly held by other affected parties. ComputerWeekly.com reported that some contractors had “tak[en] it upon themselves to investigate whether their personal data [was] compromised…after growing frustrated at the time…[taken by Parasol] to provide updates on the situation.”

The same article reports that “a group action is being prepared…to seek compensation for contractors caught up in the breach”.

Clearly, the main fault here lies with malicious actors who carried out a targeted cyber attack in order to breach a company’s systems and steal personal data. However, every company that holds personal data has a legal duty to keep data secure and to respond to potential data breaches in a specific way. In this case, there appear to be failings on both the security and the response side by Optionis Group.

Cyber security support from ESA Risk

At ESA Risk, we offer a broad range of cyber security services that can help you secure systems and data, become more cyber-aware, identify breaches, and prepare for and respond to attacks.

Our consultants have proven experience of working in some of the UK’s top financial institutions where they have implemented secure cyber controls and continue to provide remediation and preventative cyber security and data breach support.

For advice and support on making your business cyber-secure, or if you’ve been the victim of a cyber attack or data breach / leak, please contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

 

10 smartphone security tips

As a result, should your smartphone fall into the wrong hands, it is a potential treasure trove of information and, therefore, a potential cyber security risk.

If you download a rogue app, click on a malicious link in an email or visit a dubious website, it’s even possible for hackers to hijack your phone without it leaving your side.

Here are 10 smartphone security tips to help keep you and your device safe and secure.

1. Guard your smartphone and make use of security settings

Treat your phone as carefully as you would your bank cards. Take care when using your phone in public, and don’t let it out of your possession. Thieves can quickly rack up huge bills on stolen phones, and you may be liable for all charges run up on your phone before you have reported it lost or stolen to your provider. To help prevent this happening, protect your phone against unauthorised use by setting up a PIN, password or biometrics-based security for your lock screen via your device’s settings.

2. Take precautions in case your phone is lost or stolen

Make a record of your phone’s IMEI number, as well as the make and model number. The IMEI is a unique 15-digit serial number which you will need to give to your mobile operator to have your phone blocked. You can check your IMEI number by ‘dialling’ *#06# in your calls app (device information is displayed on-screen, rather than making an actual call). These details are also noted on a phone’s original packaging.
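One way to confirm that the IMEI you wrote down was copied correctly, shown here as an added example rather than anything from the original article: the 15th digit of an IMEI is a Luhn check digit, so a single mistyped digit is detectable. The function names are this example’s own, and the IMEI used is a sample value for illustration, not a real device.

```python
import re


def luhn_valid(digits):
    """Return True if a string of ASCII digits passes the Luhn checksum."""
    total = 0
    # Walk right to left, doubling every second digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_imei(raw):
    """Normalise a written-down IMEI and report whether it is plausible."""
    # Handsets and packaging often print the IMEI with spaces, dashes or slashes.
    imei = re.sub(r"[\s\-/]", "", raw)
    if not re.fullmatch(r"[0-9]+", imei):
        return {"ok": False, "reason": "contains non-digit characters"}
    if len(imei) != 15:
        return {"ok": False, "reason": f"expected 15 digits, got {len(imei)}"}
    if not luhn_valid(imei):
        return {"ok": False, "reason": "check digit mismatch (likely a typo)"}
    return {
        "ok": True,
        "imei": imei,
        "tac": imei[:8],         # Type Allocation Code: identifies make and model
        "serial": imei[8:14],    # serial number of the individual unit
        "check_digit": imei[14],
    }


if __name__ == "__main__":
    # Sample IMEI for illustration only, first correct, then with one digit wrong.
    for written in ["49-015420-323751-8", "490154203237519", "4901542032375"]:
        print(written, "->", check_imei(written))
```

A record that fails the check should be re-read from the *#06# screen before you rely on it for a loss report.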

Consider making your phone less useful to potential thieves by barring calls to international numbers and premium rate lines, if you never use them. Some mobile insurance policies, or any other policies that may cover the phone, could provide limited cover for unauthorised use. It’s worth checking the terms and conditions of your existing policy, and when considering a new policy.

The national Mobile Phone Crime Unit’s Immobilise database is a free registration service that assists the police in reuniting owners with their stolen smartphones. For further details and contacts for different operators, see Ofcom’s Lost or Stolen Phone Guide.

3. Don’t override your smartphone’s security settings

It is not advisable to attempt to ‘crack’, ‘jailbreak’ or ‘root’ your smartphone or tablet. This is a process people use to remove restrictions placed on their device’s operating system by the phone manufacturer. Doing so carries considerable risks: it compromises the security of your device and may leave you more vulnerable to malicious software. It is also likely to invalidate your manufacturer’s warranty.

4. Back up and secure your data

Smartphones offer the option to back up your data to the cloud and/or a personal computer, so that you don’t lose data if your phone goes astray. Check for information on how to do this in the phone’s manual.

5. Install apps from trusted sources only

Apps are the easiest way for someone to hack into your phone. Sometimes hackers will take a popular paid-for app, add their own illegitimate elements and then offer it for free on ‘bulletin boards’, ‘peer-to-peer’ networks or through fake online stores. Once the rogue app has been downloaded to your phone, the hacker can potentially take control of the handset, incur charges via premium SMS without your permission, make calls, send and intercept SMS and voicemail messages, or browse and download online content. You may not be aware anything is wrong until it’s too late. Only download apps from official stores (e.g. App Store, Google Play), and exercise care – research the app and check reviews.

6. Use antivirus software

It’s not just rogue apps which pose a threat to your smartphone’s security. Viruses and spyware can also be downloaded from websites, or by connecting your device to an infected computer. Some phones may be more vulnerable than others, but you can check for antivirus software in a reputable app store. Also, before connecting your device to a computer, ensure it has the latest antivirus/antispyware and firewall installed and running.

7. Use software to find your phone or erase its data if it goes missing

This software is typically installed by default on most smartphones, allowing you to log in to a website or an app on another device to track your phone and take action. Examples include Apple’s Find My app and Google’s Find My Device for Android.

8. Clear your phone before you dispense with it

If you decide to donate, resell or recycle your smartphone, remember to erase any data on it first. Remove and erase any media cards and perform a full or ‘factory’ reset by going into the Settings menu.

9. Accept updates and patches

From time to time, you’ll be prompted on screen to update your operating system. App developers may also propose updates to their app. It is advisable to accept these updates as they become available. As well as typically offering new features and improving your phone’s performance, they can also fix security vulnerabilities.

10. Check if your smartphone security has been breached

Additionally, there are some lesser-known tricks to check whether your smartphone is being tracked or if your security has been breached:

  • Dial *#21# to see whether your data, including SMS, are being forwarded to a third party.
  • Dial *#62# to see if your calls are being automatically forwarded. If so, where are your calls forwarded to? Don’t be too alarmed initially if you see that your calls are forwarded to a number you don’t recognise. This number might be a separate voicemail box run by your network service provider. The digest message might say that your calls are forwarded to this number after 20 seconds or so. Mobile service providers often provide separate voicemail gateways, including for those overseas on roaming charges. But you should certainly double-check with your service provider. Some suspicious numbers of known scammers and criminals are published online at unknownphone.com.
  • Dial ##002# to stop your calls being automatically forwarded.
  • Dial *#*#4636#*#* to find detailed configuration about your phone including call redirects, current network, usage and location. Check ‘Usage Statistics’ and ‘App Count Usage Time’ to double-check app usage and remove any apps that are suspicious (for example, you might not use them, but they show high usage).
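As an added illustration (not part of the original article), this Python sketch decodes the dial codes listed above using the operation prefixes and call-forwarding service codes defined in 3GPP TS 22.030, showing which codes only query a setting and which change it. The function and table names are this example’s own, and the forwarding number in the last sample is made up.

```python
import re

# Operation prefixes defined for supplementary-service codes in 3GPP TS 22.030.
OPERATIONS = {"**": "register", "*#": "interrogate", "##": "erase",
              "*": "activate", "#": "deactivate"}

# Call-forwarding service codes from the same specification.
SERVICES = {
    "21": "call forwarding, unconditional",
    "67": "call forwarding when busy",
    "61": "call forwarding on no reply",
    "62": "call forwarding when not reachable",
    "002": "all call forwarding",
    "004": "all conditional call forwarding",
}

# Prefix, 2-3 digit service code, optional *-separated parameters, closing '#'.
MMI_RE = re.compile(r"^(\*\*|\*#|##|\*|#)(\d{2,3})((?:\*[^*#]*)*)#$")
# Android dialer codes (*#*#digits#*#*) are handled on the handset itself.
ANDROID_RE = re.compile(r"^\*#\*#(\d+)#\*#\*$")


def decode_dial_code(code):
    """Classify a dial code and say whether dialling it changes settings."""
    code = code.replace(" ", "")
    if ANDROID_RE.match(code):
        # What the handset does with the code depends on the device.
        return {"kind": "android-dialer-code", "operation": None,
                "service": None, "params": [], "changes_settings": None}
    m = MMI_RE.match(code)
    if not m:
        return {"kind": "unrecognised", "operation": None,
                "service": None, "params": [], "changes_settings": None}
    prefix, service, params = m.groups()
    operation = OPERATIONS[prefix]
    return {
        "kind": "mmi",
        "operation": operation,
        "service": SERVICES.get(service, f"unknown service code {service}"),
        "params": params.split("*")[1:] if params else [],
        # Only interrogation is read-only; every other operation modifies state.
        "changes_settings": operation != "interrogate",
    }


if __name__ == "__main__":
    # The four codes from the list above, plus a constructed registration code.
    for c in ["*#21#", "*#62#", "##002#", "*#*#4636#*#*", "**21*+440000000000#"]:
        print(c, "->", decode_dial_code(c))
```

Running it shows that the two `*#` codes are read-only queries, while `##002#` erases every call-forwarding rule on the line, including a legitimate voicemail divert.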

Further smartphone security advice and support

For further advice on securing your smartphone and other digital devices, or if you think your device has been compromised, contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form. We’re here to support you.


 

Deep dive for the answers you need
Or contact us on +44 (0)343 515 8686 or at advice@esarisk.com.
