The role of cyber attack war games in building cyber resilience

The reality is that penetration testing provides no guarantees of security. It does not address weaknesses in an organisation’s ability to detect and respond to a sophisticated attack, nor its ability to manage a cyber crisis and take the timely decisions needed to enact cyber defence or system continuity plans. Consequently, there is a need for more sophisticated, technically grounded crisis exercises that identify causes of failure and provide training, education and awareness.

To most firms, a real-world attack simulation is as much a ‘game changer’ as actually being targeted. In both cases, firms can expect to learn hard lessons, but the war game process ensures that the organisation is ready to absorb the lessons and identify the benefits without the pain or damage of an actual breach. This point cannot be overstated. In a real event there is invariably a catalogue of human and management failures consistent with the inability to think clearly under pressure.

In reality, most lessons are learnt only after a real event, and often in a climate that is negative or not orientated towards learning. A cyber attack war game, which simulates a prolonged attack, aims to provide those lessons before a real event, and enables learning during an attack. In short, it can develop a firm’s ability to interpret experience and apply it as real-time learning.

Cyber security war games derive significant learning across multiple levels of decision-makers, and can be structured specifically to bring together the C-suite, security leadership team, security operations centre and incident response, as well as the forensics, risk and crisis management teams. War gaming is an excellent and effective way for large organisations to identify the weaknesses in communications and coordination between these groups. In times of crisis, the cascading effects of an attack and the impacts are often exacerbated by the decisions taken, and the process of decision-making by these groups. Learning how these groups take certain decisions when faced with uncertainties, or adapt and enact response plans when tackling ‘unknowns’, is vital to a successful response and the successful building of cyber resilience within an organisation.

How do cyber attack war games work?

A well-crafted cyber security war game incorporates both a ‘fundamental surprise’ that the organisation had not anticipated and a number of ‘situational surprises’ – known cyber risks for which the organisation has little or no advance warning. Much of the pre-exercise planning should aim at developing appropriate knowledge and intelligence in order to define the exercise in a manner that can be controlled and developed over time and that tests the different capabilities.

The ‘storyline’ can commence with a technical event to kick off the assessment of initial implications, and the event is then developed through situational feeds from the directorate. The initial objectives should be to test detection: by the systems; by the incident response team; and through the analysis of the forensic team. The directorate can then provide more, including intelligence such as analysis of the threat community, IP information, and pieces of malware. The exercise can then examine the fundamentals of communication and decision-making, specifically:

  • who is taking decisions, and on what basis?
  • what is the process for taking alerts/indications and deriving useful information from them?
  • how is information then transformed into knowledge throughout this first technical phase?

At this point, a major new technical event may be introduced, or the original event may be taken in a new direction to trigger a new cycle of detection and decision-making. Evaluation may focus more on how the new event affects the decisions previously taken, the need for additional resources, and whether a new risk assessment should take place. With a second-phase escalation of the attack, the evaluation can examine who is assessing the risk throughout the event, who is involved in the process, what indicators are in place, and how they conduct a timely assessment of the possible implications from the new event.

Using this approach will allow escalation towards the involvement of the crisis management team, and an examination of that team: at what stage it became involved and how it received the relevant information. The exercise can also test the team’s communication effectiveness, who precisely was involved and how they supported the whole process.

Building cyber resilience

The more significant element in the learning process is the incorporation of observation, decision-logging, and mentoring as part of the war game process, while a full debrief and post-exercise workshop should establish lessons learnt, capability gaps and the modifications required in technology and processes.

The ‘learning by doing’ opportunity that war games provide identifies failures in breach incident response as well as failures in security. This should ensure a balance between security and implementing the appropriate response, but also offer a list of immediate tactical priorities for remediation, as well as short-term changes. It can also surface previously peripheral issues that had not been addressed or prioritised, because they prove to be more critical to the overall security apparatus than previously recognised. Often these are ‘human’ aspects known to be weaknesses, though not recognised and addressed at an organisational level.

By establishing the right cyber attack war game framework, the learning objectives are set at the top of the agenda if the organisation is astute enough to accept that a breach will occur, and the success is measured by how it deals with this.

The iterative process of this type of workshop can offer a forum for planning that integrates investment and priorities across prevention and defence, and builds a shared understanding of the converged nature of cyber risk. This pre-emptive approach to developing effective cyber defence and identifying causes of future failure identifies priorities for response training, and supports the development of a response doctrine that can provide an organisation with agility and options.

Conduct a cyber war game

At ESA Risk, we can design and run a cyber war game specific to your business. If you would like to learn more about cyber security, war games and/or building cyber resilience within your organisation, please contact us.

The biggest threat

Graeme McGowan, Cyber Risk & Security Consultant at ESA Risk, reveals the biggest cyber security threat posed to businesses in the UK.

It’s the leading cause of reported data security breaches, according to the Information Commissioner’s Office (ICO), and arguably the largest enabler of malware infections and cyber attacks.

He also outlines ways the risks posed by this threat can be minimised.

What is the biggest cyber security threat?

While many people might expect the answer to be the latest malware in circulation or an organised group of hackers, the actual answer is simpler and closer to home…

Human error is arguably the largest enabler of cyber attacks and malware infections. Many people are not aware of the tell-tale signs or preventative measures to take when it comes to cyber security.

The ICO has reported human error as the leading cause of reported data breaches, highlighting a need to address this. In turn, it is now handing out fines to organisations following data breaches, as a reverse incentive to push companies to educate their staff and thereby avoid potential breaches in future.

Businesses are not fined if they have a sufficient protocol in place guarding against human error, but small companies are being hit particularly hard because of gross negligence and a lack of staff training leading to employee mistakes.

A simple example:

Firm X sent out personal data relating to an individual and their family via email and post. A lack of security meant that unconnected third parties, who had no way of knowing the sensitivity of the content of the post and emails, unintentionally gained access to the sensitive personal data. The unconnected third parties were accidentally included on the email and therefore received the data, most likely through the fault of the sender, who seemingly did not check the recipient/s before sending.

A complaint was made by the individual concerned following the unauthorised disclosures and an investigation into the incident revealed that repeated human error was to blame for the breach, resulting in a £10,000 fine being handed to the firm.

Why was the fine so large?

The ICO has noted that the fine is reflective of the firm’s disappointing response to the complaint and its failure to engage appropriately or show an understanding of the impact of the breach on the individual. The lesson here is that, in itself, a breach of data protection rules will not automatically incur a penalty. However, inadequate safeguarding measures followed by a delayed or obstructive (or even just negligent) response to a breach may lead to investigation and subsequent fines from the ICO.

Human error will always be a risk, but the response to that error is what is important both in terms of limiting any sanctions and maintaining a positive relationship between a business and the individuals with whom it deals.

Where does the risk lie?

Lack of understanding or awareness may mean:

  • A subject access request goes unanswered or is delayed.
  • Misuse of personal data, e.g. it is used to contact individuals without consent.
  • Personal data is used for purposes outside of the purpose for collection of that data.
  • Personal data is inadvertently provided to unconnected parties.
  • Delayed or no action following a security breach.
  • Failure to update records or delete records.

All of the above would be breaches of the General Data Protection Regulation (GDPR) and may require immediate action or even reporting, depending on the circumstances.

How do we prevent or minimise the ‘human error factor’?

In three words: training, education and awareness.

Compliance with GDPR cannot rely just on software systems and one data protection manager.

All individuals within organisations from the cleaner to the CEO need to be aware of how data protection compliance impacts on their role and what their responsibilities might be. In a few cases, there may legitimately be none, but it is important for the knowledge to be there and for staff to be alert and aware of cyber security protocol.

In order to combat this risk and employee lack of awareness, training should be provided to staff at induction and at regular intervals, especially if their role and responsibilities change. It is also crucial that staff know what to do if an error occurs and a cyber security threat appears. Communication at the earliest point is key in handling a breach, so creating a culture of trust is critical.

Once the training and understanding is in place, investment in the technology to support good data protection procedures will enhance those procedures and allow easy management of the various tasks and obligations.

Cyber security services from ESA Risk

We’re here when you need us. We provide both passive and reactive support services, which are scalable and quick to deploy in crisis situations, giving you precious additional time at critical moments. Contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form to find out more.

Develop your cyber security knowledge with one of our cyber security courses, provided by the Global Cyber Academy.

Ransomware: What you need to know

In this article: ransomware meaning; types of ransomware; ransomware examples; protection against ransomware.

Ransomware meaning: What is ransomware?

Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. While some people might think ‘a virus locked my computer’, ransomware would typically be classified as a different form of malware than a virus. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. Today, ransomware authors order that payment be sent via cryptocurrency or credit card, and attackers target individuals, businesses and organisations of all kinds. Some ransomware authors sell the service to other cyber criminals, which is known as Ransomware as a Service.

How do I get ransomware?

How exactly does a criminal carry out a ransomware attack? First, they must gain access to a device or network. Having access enables them to utilise the malware needed to encrypt (or lock up) your device and data. There are several different ways that ransomware can infect your computer.

Malspam

To gain access, some threat actors use spam, where they send an email with a malicious attachment to as many people as possible, seeing who opens the attachment and ‘takes the bait’, so to speak. Malicious spam is unsolicited email that is used to deliver malware. The email might include booby-trapped attachments, such as PDFs or Word documents. It might also contain links to malicious websites.

Malvertising

Another popular infection method is malvertising, or malicious advertising, which is the use of online advertising to distribute malware with little to no user interaction required. While browsing the web – even legitimate sites – users can be directed to criminal servers without ever clicking on an ad. These servers catalogue details about victims’ computers and their locations, and then select the malware.

Spear phishing

A more targeted means to a ransomware attack is through spear phishing. An example of spear phishing would be sending emails to employees of a certain company, claiming that the CEO is asking them to take an important employee survey, or the HR department is requiring them to download and read a new policy.

The term ‘whaling’ is used to describe such methods targeted toward high-level decision makers in an organisation, such as the CEO or other executives.

Social engineering

Malspam, malvertising and spear phishing can, and often do, contain elements of social engineering.

Threat actors may use social engineering in order to trick people into opening attachments or clicking on links by appearing as legitimate – whether that’s by seeming to be from a trusted institution or a friend.

Cyber criminals use social engineering in other types of ransomware attacks, such as posing as a government agency in order to scare users into paying them a sum of money to unlock their files.

Another example of social engineering would be if a threat actor gathers information from your public social media profiles about your interests, places you visit often, your job, etc., and uses some of that information to send you a message that looks familiar to you, hoping you’ll click before you realise it’s not legitimate.

Encrypting files and demanding a ransom

Whichever method the threat actor uses, once they gain access, the ransomware (typically activated by the victim clicking a link or opening an attachment) encrypts your files or data so you can’t access them, and you’ll then see a message demanding a ransom payment to restore what they took. Often the attacker will demand payment via cryptocurrency.

Types of ransomware: Examples

Scareware

Scareware, as it turns out, is not that scary. It includes rogue security software and tech support scams.

You might receive a pop-up message claiming that malware was discovered and the only way to get rid of it is to pay up. If you do nothing, you’ll likely continue to be bombarded with pop-ups, but your files are essentially safe. A legitimate cyber security software programme would not solicit customers in this way. If you don’t already have this company’s software on your computer, then they would not be monitoring you for ransomware infection. If you do have security software, you wouldn’t need to pay to have the infection removed – you’ve already paid for the software to do that very job.

Screen lockers

Screen lockers – upgrade to terror alert orange for these guys. When lock-screen ransomware enters your computer, it means you’re frozen out entirely.

Upon starting your computer, a full-size window will appear, often accompanied by an official-looking FBI or US Department of Justice seal saying illegal activity has been detected on your computer and you must pay a fine. However, the FBI would not freeze you out of your computer or demand payment for illegal activity. If they suspected you of cyber crimes, they would go through the appropriate legal channels.

Encrypting ransomware

Encrypting ransomware – this is the truly nasty stuff. These are the guys who snatch up your files and encrypt them, demanding payment in order to decrypt and redeliver. The reason why this type of ransomware is so dangerous is because once cyber criminals get hold of your files, no security software or system restore can return them to you. Unless you pay the ransom, for the most part, they’re gone. And even if you do pay up, there’s no guarantee the cyber criminals will give you those files back.

Mobile ransomware

Mobile ransomware – it wasn’t until the height of the infamous CryptoLocker and other similar families in 2014 that ransomware was seen on a large scale on mobile devices. Mobile ransomware typically displays a message that the device has been locked due to some type of illegal activity. The message states that the phone will be unlocked after a fee is paid. Mobile ransomware is often delivered via malicious apps and requires that you boot the phone up in safe mode and delete the infected app in order to retrieve access to your mobile device.

Who do ransomware authors target?

When ransomware hit the scene, its initial victims were individual systems (aka regular people). However, cyber criminals began to realise its full potential when they rolled out ransomware to businesses. Ransomware was so successful against businesses – halting productivity and resulting in lost data and revenue – that its authors turned most of their attacks toward them.

By the end of 2016, 12.3% of threats were ransomware, while only 1.8% of consumer detections were ransomware worldwide. And by 2017, 35% of SMEs had experienced an attack.

Ransomware attacks are still focused on western markets, with the UK, US and Canada ranking as the top 3 countries targeted. As with other threat actors, ransomware authors will follow the money, so they look for areas that have both wide PC adoption and relative wealth. As emerging markets in Asia and South America ramp up on economic growth, expect to see an increase in ransomware (and other forms of malware) there as well.

How can I remove ransomware?

If an attacker encrypts your device and demands a ransom, there’s no guarantee they will unencrypt it whether or not you pay up. That is why it’s critical to be prepared before you get hit with ransomware. 2 key steps to take are:

  • Install security software before you get hit with ransomware.
  • Back up your important data (files, documents, photos, videos, etc.).

If you do find yourself with a ransomware infection, the number 1 rule is to never pay the ransom and make sure you have backed up all of your data on a remote drive. Other ways to deal with a ransomware infection include downloading a security product known for remediation and running a scan to remove the threat. You may not get your files back, but you can rest assured the infection will be cleaned up. For screen locking ransomware, a full system restore might be in order. If that doesn’t work, you can try running a scan from a bootable CD or USB drive.

How do I protect myself from ransomware?

My advice is to prevent it happening in the first place. There are methods to deal with a ransomware infection, but they are imperfect solutions at best, and often require much more technical skill than the average computer user possesses.

How to prevent ransomware

The first step in ransomware prevention is to invest in security tools – software and programmes with real-time protection that are designed to thwart advanced malware attacks such as ransomware.

In addition to using the right tools, it all comes down to training, education and awareness… don’t click on it if it doesn’t feel right!

How ESA Risk can help

If you’ve been the victim of an attack or you’d like further advice and support on ransomware protection, please contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Increase your knowledge of cyber security – we offer cyber security courses, provided by the Global Cyber Academy, from levels 2 to 5.

Government consultation on insolvency industry regulation

Update: the UK government published the outcome of the consultation on 12th September 2023. Read The future of insolvency regulation – government publishes consultation outcome.

The proposals include creating a single regulator for insolvency practitioners and extending regulation to companies that offer insolvency services.

Currently, the country’s 1,500 or so insolvency practitioners are regulated as individuals – an arrangement that the government believes “has not kept pace with changes in the way the insolvency market operates”. Many firms that employ insolvency practitioners and offer insolvency services are run by qualified insolvency practitioners, but the firms themselves are not, at present, covered by regulation.

The proposed new regulator would be part of the Insolvency Service and would replace the role of the four recognised professional bodies that currently cover insolvency practitioners: (largest to smallest by number of members)

  • Institute of Chartered Accountants in England and Wales (ICAEW)
  • Insolvency Practitioners Association (IPA)
  • Institute of Chartered Accountants of Scotland (ICAS)
  • Chartered Accountants Ireland (CAI).

The government views the current regime of regulation as “disproportionately complex” considering the relatively small number of qualified insolvency practitioners.

Under the changes, individuals and companies offering insolvency services would be subject to an annual assessment to demonstrate they meet the minimum requirements for registration.

Other key changes included in the consultation are the creation of a public register of all firms and individuals that offer insolvency services and the creation of a system of compensation and redress in the event of insolvency cases being mishandled.

Opening the consultation, Business Minister Lord Callanan said: “Those most impacted by insolvency need confidence in the professionals involved, and the UK regime has a strong reputation for delivering the best outcomes possible when an insolvency occurs. In order to maintain that confidence, the regulatory regime must keep pace with the times and these proposals to introduce an independent regulator will strengthen the regime and deliver greater transparency, accountability and protection for creditors, investors and consumers.”

The consultation – which runs until 25th March 2022 – invites views from within the insolvency industry (from insolvency practitioners, professional and trade bodies, and related professionals such as lawyers), but also from any other interested parties (including debt charities, business representative organisations and members of the public).

The proposals are based on the results of a 2019 Call for Evidence and would apply to England, Scotland and Wales.

The suggestion from the Insolvency Service’s 5-year strategy, published in September 2021, is that implementation wouldn’t start until 2024.

Get support from ESA Risk

Insolvency investigations

When you suspect fraud or believe that a company director or third party is not being honest, we understand how difficult and time-consuming the investigations process can be. Our investigative services are designed to provide you with the whole picture allowing you to concentrate on the more technical insolvency issues. From intelligence gathering and tracing, to on-site support including digital data capture and forensics, ESA Risk has the investigations side of your insolvency case covered.

Support for company owners and directors

If you have a limited company that you wish to close, we can introduce you to an insolvency practitioner, who will ensure the correct legal process is followed.

If you suspect that a fraud has occurred within your business and need advice or support on the next steps, we’re here to help.

Contact us

Contact Mike Wright, Risk Management & Investigations Consultant, at mike.wright@esarisk.com, on +44 (0)343 515 8686 or via our contact form, to find out more.


New powers for the Insolvency Service

The UK government has announced the addition of “new powers to tackle unfit directors who dissolve companies to avoid paying their liabilities.”

The change allows the Insolvency Service to investigate the potential misuse of the company dissolution process and to disqualify directors who are found to have abused the system.

The legislation – introduced under the Ratings (Coronavirus) and Directors Disqualification (Dissolved Companies) Act – appears to be a direct response to the forecasted issues around the repayment of government-backed loans made available during the Covid-19 pandemic. The Act will “help tackle directors dissolving companies to avoid repaying” those loans.

Whereas previously, the Insolvency Service had the power to investigate company directors in cases of insolvency and (on the evidence of wrongdoing) active companies, these new powers will now “extend those investigatory powers to directors of dissolved companies”.

If misconduct is found, directors can face a range of sanctions, including:

Announcing the changes, Business Secretary Kwasi Kwarteng said: “These new powers will curb those rogue directors who seek to avoid paying back their debts, including government loans provided to support businesses and save jobs. Government is committed to tackle those who seek to leave the British taxpayer out of pocket by abusing the covid financial support that has been so vital to businesses.”

The Act received Royal Assent on 15th December 2021 and will apply to England, Scotland, Wales and Northern Ireland.

Get support from ESA Risk

If you have a limited company that you wish to close, we can introduce you to an insolvency practitioner, who will ensure the correct legal process is followed.

If you suspect that a fraud has occurred within your business and need advice or support on the next steps, we’re here to help.

Contact Mike Wright, Risk Management & Investigations Consultant, at mike.wright@esarisk.com, on +44 (0)343 515 8686 or via our contact form, to find out more.

Internet of things (IoT) devices – cyber threats

Threats and risks continue to evolve as hackers come up with new ways to breach unsecured systems, posing a threat to the ecosystem itself. Let’s take a look at the leading threats and risks to the IoT and the associated vulnerabilities that must be secured.

What is the internet of things (IoT)?

The internet of things (IoT) is a network of interconnected devices, software, sensors and other ‘things’ that connect the world throughout physical space. This can include business software, smart home devices, care monitoring systems, mobile phones or driverless trucks, and ranges in scale from a thumb drive to a train. All of these things communicate with each other without the need for human interaction. This web of connectivity is fascinating but poses serious danger to information security.

Exploring the IoT attack surface

A business’s attack surface is the sum of the vulnerabilities currently present on its network, both physical and digital. These can be vulnerabilities within its endpoint devices (computers, tablets) or in the software and hardware used to conduct business. While each device is typically protected by security software, devices are still exposed to a series of additional threats and vulnerabilities through their connection to the IoT. The Open Web Application Security Project (OWASP) provides a broad consensus on the current threats and vulnerabilities within these attack surfaces, condensed below.

IoT devices

Devices inevitably have vulnerabilities embedded within their memory systems, physical and web interfaces, network services, and firmware. Outdated components, insecure default settings and weak update mechanisms make these systems easy for attackers to exploit. When managing vulnerabilities across your network’s devices, continuous monitoring is essential.

Communication channels

Attacks can originate from the channels that connect IoT devices. This presents serious threats to the security of the entire system and creates a potential for spoofing and denial of service attacks. These threats and attacks lay the foundation for an unstable network surface.

Applications and software

Each application and software presents risk, and many web applications and APIs do not protect sensitive data adequately. These data can be anything from financial intelligence to healthcare information. A breach of these types of information can result in identity theft, credit card fraud and exposure of confidential information, all because a web application isn’t properly secured or patched on a consistent basis.

7 IoT threats and vulnerabilities to be aware of

As long as the internet of things continues to expand, the number of threats will continue to increase. Being able to identify and understand the different types of threats and vulnerabilities associated with the IoT can significantly reduce the risk of a data breach at your organisation. Let’s explore the top IoT concerns:

1. Lack of physical hardening

The lack of physical hardening has always been a concern for devices within the internet of things. Since most IoT devices are remotely deployed, there is no way to properly secure devices that are constantly exposed to the broader physical attack surface. Devices that lack a secure location and cannot be kept under continual surveillance allow potential attackers to gain valuable information about the network’s capabilities, which can assist in future remote attacks or in gaining control over the device. For example, an attacker can remove a memory card to read its contents and access private data and information that may allow them to access other systems.

2. Insecure data storage and transfer

As more people utilise cloud-based communications and data storage, the cross-communication between smart devices and the IoT network increases. Any time data is transferred, received or stored through these networks, the potential for a breach or compromised data also increases. This is due to the lack of encryption and access controls before data is entered into the IoT ecosystem. For this reason, it is important to ensure the secure transfer and storage of data through robust network security management tools like firewalls and network access controls.

3. Lack of visibility and IoT device management

Many IoT devices remain unmonitored, untracked and improperly managed. As devices connect and disconnect from the IoT network, trying to monitor them can grow to be very difficult. Lack of device status visibility can prevent organisations from responding to, or even detecting, potential threats. These risks can become life-threatening when we look into the healthcare sector. IoT pacemakers and defibrillators have the potential to be tampered with, if not secured properly, and hackers can purposefully deplete batteries or administer incorrect pacing and shocks. Organisations need to implement device management systems to properly monitor internet of things (IoT) devices so all avenues for potential breaches are accounted for.

4. Botnets

A botnet is a collection of internet-connected devices that have been infected with malware and are controlled remotely to steal data, compromise networks or send spam. The malware gives the attacker access to the IoT device and, through its network connection, a foothold from which to infiltrate an organisation's network, which makes botnets one of the top threats for businesses. They are most common in appliances that were not manufactured with security in mind (smart fridges, for example) and that ship with default credentials or services that are never patched. Botnet malware is continuously evolving, so monitoring changes in its behaviour and in attackers' practices is necessary to avoid compromise.

5. Weak passcodes

Although a strong passcode protects most IoT devices well, one weak or default passcode is all it takes to open a gateway into your organisation's network. Many devices ship with a factory-default password and, if it is never changed, anyone who knows the default can log in. Inconsistent management of passcodes throughout the workplace gives hackers a way to compromise your entire business network: if just one employee, or one device, does not adhere to the password policy, the likelihood of a password-based attack rises. Practising good password hygiene (changing default credentials on installation, using a unique password per device and disabling remote logins that are not needed) is essential to ensure your business is covering all bases within standard security practices.

6. Insecure ecosystem interfaces

Application programming interfaces (APIs) are software intermediaries that allow 2 applications to talk to each other. Every connection between 2 systems is also a potential entry point: an insecure API can let an attacker reach a business's IoT devices and, from there, the network's router, web interface, servers and so on. It is crucial to understand how each device's interfaces are secured (authentication, authorisation, input validation and encryption) before connecting it to the ecosystem, in order to keep the network as a whole secure.

7. AI-based attacks

While automated attacks are nothing new, the threats that AI presents within IoT are becoming increasingly prominent. Hackers can now build AI-powered tools that are faster, easier to scale and more efficient than humans at carrying out their attacks, which poses a serious threat within the IoT ecosystem. While the tactics and elements of traditional IoT threats will look the same, the magnitude, automation and customisation of AI-powered attacks will make them increasingly hard to combat.

ESA Risk and IoT cyber security

For more advice on cyber security – including internet of things (IoT) cyber security – contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Sustainable investment is here to stay

The vast majority of investors believe that interest in ESG will continue to remain a high priority even when the pandemic has passed.

PwC forecast that ESG assets will make up between 27% and 42% of Europe’s asset base by 2025; a significant increase from 15% in 2020.

The move is being driven by changes in the regulatory landscape within the EU and UK, alongside the creation of the International Sustainability Standards Board (ISSB), set up to deliver a comprehensive baseline of standards that will provide investors (and others) with information about companies’ sustainability-related risks and opportunities to help them make informed decisions.

Interest in ESG will remain high primarily because clients are demanding it. Research suggests that meeting clients’ needs outweighs the need to meet increasing regulatory requirements. Of the 3 elements of ESG, the main focus for consumers is concern for the environment. Investors not only want to see a return on their investment, but they also expect their money to do some good by being invested in a way that protects the environment and does no harm.

New rules are being introduced by the EU, which the UK is set to follow with its own regulatory strategy. The EU has already set its own Sustainable Finance Disclosure Regulations in motion, for the first time requiring investors and asset management companies to provide information about their investments, the ESG risks and their impact on the planet and society. The EU action plan reflects a major shift in the way ESG factors are considered in the investment process.

In October 2021, the UK government published Greening Finance: A Roadmap to sustainable investing, in which it sets out an ambition to make the UK the best place in the world for green and sustainable investment. The document outlines a vision for a comprehensive approach to ‘greening’ financial systems, mobilising finance for clean, resilient growth and capturing the resulting opportunities for UK companies.

The roadmap will come in 3 phases:

  1. Informing – ensuring decision-useful information on sustainability is made available to decision makers.
  2. Acting – mainstreaming that information into business and financial decisions.
  3. Shifting – moving financial flows across the economy to align with net-zero and nature-positive policies.

Sustainability Disclosure Requirements (SDR)

The roadmap describes the new regime as bringing together existing sustainability-related disclosure requirements under 1 framework – building on existing and future global standards and best practice. Disclosures will be consumer-focused, with companies selling investment products having to provide consumer-friendly disclosures explaining the impact, risks and opportunities of the businesses they finance on sustainability.

The roadmap flags up that any form of ‘greenwashing’ will not be tolerated. In an effort to minimise the practice within marketing activities, financial organisations will have to substantiate any ESG claims made by their products.

Other proposals include an intention to bring ratings agencies under FCA control to reflect the increase in importance of ESG ratings to investors. The FCA have just published a discussion paper, seeking views on SDR disclosure requirements for asset managers and certain FCA-regulated asset owners as well as the sustainable labelling system. The aim is to build trust in the market and enhance transparency in the interest of consumers and meet the information needs of institutional investors. The input they receive will inform policy proposals to be issued for consultation next year.

The changes announced by the government represent an ambitious and comprehensive package of measures designed to help improve the flow of investment towards financing the transition to a sustainable economy. By encouraging investors to redirect investment towards sustainable technologies and businesses the measures will be instrumental in aligning the financial system with the UK target for a net zero economy by 2050.

International action: COP26 and sustainable investing

Of course, these shifts in mindset and policy aren’t isolated to the UK and EU.

Investing in sustainable industries and commodities was 1 of the main topics of discussion at the World Leaders Summit Action on Forests and Land Use at COP26.

At the summit, more than 30 financial institutions signed a commitment to move away from portfolios that invest in high deforestation-risk supply chains. These institutions include companies with $8.7tn under management, meaning the stakes are high for non-sustainable industries once private finance pours into companies that are aligned with sustainability goals and regulations.

Tuntiak Katan, Coordinator of the Global Alliance of Territorial Communities, representing communities from the rainforests of Africa, Latin America and Indonesia, said:

“We welcome the announcement at COP of the Joint Statement on Advancing Support for Indigenous Peoples and local communities that has raised to an unprecedented level their visibility as a climate solution.

“At the same time, we will be looking for concrete evidence of a transformation in the way funds are invested. If 80% of what is proposed is directed to supporting land rights and the proposals of Indigenous and local communities, we will see a dramatic reversal in the current trend that is destroying our natural resources.”

Sustainable investment due diligence

Katan makes a key point about evidence. When it comes to investing, it is important to see the full picture. Some private companies claim to work sustainably and support ESG goals but are greenwashing. Investors must always screen potential opportunities before committing. Due diligence is a must to ensure you’re investing in a responsible, sustainable business.

Investment managers often use ESG portfolios to inspect the status of a company before they invest. However, definitions of ESG can be subjective, and it’s important to undertake independent research, rather than to always rely on the opinion of an investment manager.

How ESA Risk can help

Due diligence is an area where we possess the expertise and experience to help you and your business.

For advice on private investing or conducting due diligence, please contact Mike Wright, Risk Management and Investigations Consultant at mike.wright@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Benefits and limitations of regulatory and standards-based compliance

First, there’s compliance with standards, certifications and codes of practice that offer assurance that best practices have been followed.

Whether around products or procedures, complying with non-binding guidance can secure better deals with insurers and reassure stakeholders, as well as bolster security.

Alternatively, compliance can be about following the law, with regulations invariably relating to areas other than security, such as data protection and health and safety.

However, security professionals must convince boardrooms that bare-minimum compliance alone is not necessarily ‘job done’ when it comes to executing their obligations to protect personnel and assets.

And regulations, such as around fire safety or data privacy, must be adhered to in a way that doesn’t inadvertently undermine security measures.

Consolidated wisdom

Physical security standards and codes of practice provide a framework, developed by governments and independent bodies, for judging whether products or practices robustly protect people and property against theft, vandalism, terrorism, natural disasters and so on.

They consolidate wisdom drawn from rigorous testing, academic research and the input of experts from government, law enforcement, and the insurance, architecture and risk consultancy industries, among other sources.

These frameworks, which are refreshed periodically, effectively liberate security professionals from having to conduct due diligence and establish best practices from the ground up.

Secured by Design

For instance, Secured by Design, a police initiative, works with fire and security test houses like the Building Research Establishment (BRE) and its subsidiary, the Loss Prevention Certification Board (LPCB), in fulfilling its mission to ‘design out crime’ for homes, commercial premises and public spaces.

Secured by Design’s product accreditation scheme, the Police Preferred Specification, makes certification contingent on demonstrating that a product has been designed with security as a priority.

Products are independently tested and certified by certification bodies accredited by the UK Accreditation Service (UKAS).

Necessary – but not sufficient

But might compliance with minimum standards potentially risk fostering complacency among security professionals and a false sense of security among stakeholders?

Having a product that is ‘secure by design’ is necessary – but not sufficient – to ensure that people and property are adequately protected.

A product’s suitability to the environment, and how it is installed and used, are vital too – and there are standards and guidance for these areas as well.

Security teams should therefore find out which guidance and standards are relevant for their use case.

And they should be willing to go above and beyond minimum standards where relevant. For instance, if they’re protecting a busy public space at high risk of terror attacks and other criminality, then there’s a strong case to procure the highest calibre systems – not just the cheapest solutions that comply with baseline security standards.

Tiered security ratings

While binary standards – i.e. you either comply or you don’t – are easy to administer and understand, graded or tiered security ratings offer a more nuanced framework for choosing a system that meets your risk profile.

As such, compliance provides assurance that your system is appropriately secure for the environment in which it is installed, without being needlessly feature-rich (and thus expensive).

For example, EN 50131, a European standard outlining performance requirements for intruder alarm systems, sets out four security grades that scale up feature sets, resilience to tampering, and availability of police response, according to the likelihood of attacks and sophistication of likely attackers.

Set according to a risk assessment conducted by installers, they range from grade 1 – the lowest risk category used for domestic properties – to grade 4, assigned to high-risk premises like banks, museums or energy facilities that may be targeted by organised criminals.

Insurers will generally make conformity with the appropriate grade a prerequisite of providing cover.

LPS 1175

LPS 1175, which relates to ‘intruder resistant building components, strongpoints, security enclosures and free-standing barriers’, is also ratings-based.

Overseen by the LPCB, it assigns a security rating based on how long and how effectively a product – for example, fencing or a security door – can withstand attack with tools such as drills, hammers or wire cutters.

Naturally, an airport will typically need perimeter fencing with a much more stringent security rating than an office carpark, for instance.

Access control regulatory compliance

According to the UK government, your access control system should be compliant with The Equality Act, Human Rights Act, Health and Safety at Work Act and General Data Protection Regulation (GDPR).

Vendors and their customers must accommodate these regulatory requirements when designing, installing and using security systems and policies, and ensure that, say, fulfilling a health and safety requirement does not undermine a security need.

For instance, to comply with UK fire safety laws your access control system should automatically unlock when a fire alarm sounds. Similarly, health and safety legislation necessitates that control rooms and other critical areas have fail-safe systems. Security teams should think about how to mitigate the security risks created by the activation of these functions.

CCTV regulatory compliance

The GDPR and – especially for local authorities and the police – the UK Surveillance Camera Code of Practice are pivotal to the appropriate specification, installation and usage of CCTV systems.

A data controller’s obligations under GDPR are broadly similar in regard to CCTV images – which count as personal data if the individual can be identified – as they are to text-based personal data like names, dates of birth or national insurance numbers.

This includes having a legitimate reason for processing personal data, protecting data during storage, transmission and processing, and keeping footage no longer than is strictly necessary.

The Surveillance Camera Code of Practice is also – rightly – focused on protecting data subjects’ privacy, and is useful in terms of bolstering both data security and physical security.

The newly revised code (pending parliamentary approval) has 12 guiding principles, including asking end users to establish:

  • the purpose of their system;
  • clear policies and procedures;
  • adherence to approved and relevant operational, technical and competency standards;
  • clearly defined rules on who has access to systems and when;
  • and that images will have evidential value if used by the criminal justice system.

Advice and support from ESA Risk

For Security advice and support, contact Liam Doherty, Security Consultant at liam.doherty@staging.esarisk.com, on +44 (0)343 515 8686 or via our contact form.

For support with regulatory compliance, contact Mike Wright, Risk Management & Investigations Consultant at mike.wright@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Managing risk when choosing to invest overseas

When investing in overseas markets, it’s important to understand the context of any potential investment opportunity in order to manage risk. Overseas investments bring with them potential differences in customs, currency, language and accounting practices. For the best chance of success – i.e. protected, profitable investments – prior research and due diligence are key, especially into the regulations of any foreign country you wish to trade in.

There are 3 main risk areas that investors should take heed of when investing internationally:

  1. Higher transaction costs
  2. Currency volatility
  3. Liquidity risks.

There tend to be higher expenses on foreign transactions, alongside differing exchange rates or additional charges specific to the market, such as clearing fees, taxes or stamp duties. Added transaction costs vary depending on which international market you are investing in.

Exchanging your money could also affect your return, depending on when you exchange and which currency you exchange into. Using an exchange-traded fund (ETF) can be one way to reduce this exposure, due to better liquidity and accessibility.

Liquidity risk is the risk of losses if an investment cannot be sold at the time you need to sell it. This risk is higher in foreign markets, especially as it is harder for investors to protect their capital against losses that occur in a different country with different rules. Arguably, foreign investments are still worth the risk, as they contribute to a well-balanced portfolio that draws on the global economy.

Avoiding risk in overseas investments

There are products and techniques that can be used to ensure your international investments are better protected. These include:

  • Global depositary receipts (GDRs) can be traded, cleared and settled like domestic stocks, by institutional or private investors. They can be found on the London Stock Exchange.
  • Foreign direct investing via a domestic broker, or a broker based in the target country, that can buy foreign stocks directly on your behalf.
  • Global mutual funds – mutual funds that hold international equities and can be regional or country-specific. They are available as passive index funds or as managed funds, the latter carrying higher fees.
  • Exchange-traded funds (ETFs) give investors access to foreign markets without having to compile a portfolio themselves, and can provide exposure to multiple international markets in a single holding.
  • Multinational corporations (MNCs) – investing in MNCs gives investors international exposure without having to invest directly in foreign stocks.

How do I manage the risk of investing overseas?

It is vitally important for anyone considering overseas investments either to do extensive research on the country and the type of investment before committing or, as an extra safety net, to invest through reputable investment vehicles such as global mutual funds, exchange-traded funds or global depositary receipts.

As the global economy is still navigating its way through its most volatile period, it’s important to take the time to do your investment homework.

The first step for an investor is to conduct a country analysis, deciding where exactly to invest. Investing in a broad international portfolio, or within a specific region or set of countries, is preferable to investing in a single foreign country. Diversification is important when investing internationally, as it reduces exposure to the fortunes of any one country or market.

Once the country or countries of investment are decided, the investor must decide which investment vehicles to invest in, for instance in stocks or bonds of companies within the country, mutual funds, internationally focused ETFs, etc. Ongoing monitoring of the investment portfolio needs to be done, as the economic conditions overseas will be continuously changing.

The political and economic landscape of the investment country must also be observed, as any abrupt changes can result in unexpected losses to investments. This is part of the country risk analysis, as countries with stable finances and a strong economy offer safer investments than those without. Countries that are unfriendly towards foreign investors or that are in political unrest also offer a less stable investment opportunity.

The Economist Intelligence Unit (EIU) offers comprehensive and objective information on different countries, including an overview of the political, social, economic and demographic climate. Other country risk analysis resources which can help investors include the CIA World Factbook and the UK government’s Overseas Business Risk service.

At ESA Risk, we offer enhanced due diligence services, which can help you see the whole picture before committing to an investment. Contact us for an initial chat with our experienced consultants. You can contact Ali Twidale, Banking & Financial Fraud Consultant at ali.twidale@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Employment fraud: be diligent

Online job scams and employment fraud occur when jobseekers believe they are in a genuine application process but are instead being tricked into giving up their personal data, including bank account or credit card details.

In this way, criminals can conduct identity theft – gathering people’s personal information and then applying for loans or credit cards in their victims’ names. The Federal Trade Commission says employment fraud also occurs via phishing, whereby scammers use malicious links or websites to obtain the personal information of their victims.

The Disclosure and Barring Service (DBS) has revealed that “85% of identity fraud is committed via online channels, and Cifas members recorded almost 158,000 cases of identity fraud in the first nine months of 2021. Not only is this an increase of 17% compared to 2020, but this is equivalent to one person every 2.5 minutes.”

As well as using online methods, perpetrators might conduct ‘interviews’ by phone and ask upfront for payment for certification or training materials before considering the applicant for a ‘job’, which often does not exist.

In a widescale study of 12,000 jobseekers by JobsAware (previously SAFERjobs), 71.3% of workers said they assumed that any job found online was a legitimate posting from a real business. A staggering 98% admitted they would still apply for a job even if they thought it was suspicious.

It is important that jobseekers remain vigilant when applying for jobs online.

Signs of potential employment fraud

  • Companies asking for any sort of payment during the application process.
  • Interviews taking place over messaging services such as Facebook Messenger or Google Hangouts.
  • Unclear job descriptions or being offered a job that isn’t the one you applied for.
  • Unprofessional-looking emails with misspellings or grammatical errors.
  • Emails coming from personal accounts such as Yahoo or Gmail, rather than a business email address. (However, email spoofing may be used, so be wary even if the email address appears genuine, and conduct further research on the company).
  • Fake job boards and recruiter websites that ask for card details for ‘pre-screening’, or for a personal bank account number so that ‘wages’ can be paid in.

Until you are sure of the credibility of a company that has contacted you about a potential job, do not give out personal information or financial information. Research the company – for example, look at their website, social media accounts, Companies House listing, any online reviews, etc. – to make sure that the job posting is real. Call the company’s phone number (if you find a number for them through your own research, rather than a number in the email or job posting) to verify that they sent an email or posted the job online.

Use caution when deciding on the information you include in your CV, as these details could be used in identity fraud. As a rule, do not include any of the following:

  • Date of birth
  • Full address
  • Passport number
  • National Insurance number
  • Driving licence number.

Protect yourself against employment fraud

  • Conduct an online search for the name of the employer alongside the word ‘scam’ to check for reports of job scams.
  • Be wary of vague job descriptions.
  • Don’t believe anything that sounds too good to be true; for example, if the pay on offer is very high but for little work.
  • Be cautious about online forms that are part of the interview process and never include personal or financial information on these.
  • Be wary of mystery shopper or secret shopper positions.
  • Jobs that involve receiving and reshipping packages are likely scams.
  • Do not respond to calls, text messages or emails from unknown numbers or suspicious addresses.
  • Do not click any links in a text message from a number you do not recognise. If a friend sends you a message containing a suspicious link, and it seems out of character, call them to make sure they weren’t hacked.

If you think you’re a victim of employment fraud, the first step is to cut all communication with the fraudulent party. Take note of their details and file a report with Action Fraud. If you have given any bank details, get in touch with your bank immediately.

For further help and advice on preventing and avoiding fraud or dealing with an ongoing fraud, please contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.
