Black Friday 2021: Stay cyber-safe

For many, Black Friday 2021 marks the official start of the Christmas shopping season and, excitingly, many retailers announce time-limited sales that promise huge savings to consumers. But it is also prime time for cyber criminals to cash in.

Some digital threats to watch out for on Black Friday 2021

Phishing attacks

While consumers rush to grab themselves a bargain, they may get caught out by a phishing scam. Phishing links commonly lead to fake login pages that prompt victims to sign in to their web account. For instance, victims may think they are logging into their favourite retailer’s account when, really, they are handing their username and password to an attacker, who can use them later. Although this affects users directly, it also damages the retailer’s reputation, which can be difficult to recover.

Malware

Malware (as the portmanteau suggests) refers to any malicious software designed to harm a computer system by tracking user activity, hijacking functionality or stealing, deleting or encrypting data. Most malware enters your systems via email (96% of it in 2020, say CSO). According to research by Deep Instinct, malware saw a year-on-year increase of 358% in 2020. There’s no indication of that proliferation slowing, so this should be seen as a high-risk Black Friday cyber threat.

Formjacking

Formjacking, the technique behind ‘Magecart’ attacks, involves malicious code being injected into the checkout forms of a website, where it can go undetected for a long time. Cyber criminals use the hijacked forms to steal personal and payment information from shoppers.

Ransomware

Ransomware encrypts files so that they become inaccessible to their owner. The cyber criminal then demands a ransom payment in return for releasing the locked files. Ransomware is delivered through compromised legitimate ads (‘malvertising’), phishing emails and exploit kits. It has serious consequences for consumers and retailers/businesses alike.

Not being prepared enough for cyber threats is a threat

A staggering 3 in 4 IT leaders expressed a lack of confidence in their company’s IT security posture and saw room for improvement. Despite this, just 57% of companies conducted a data security risk assessment in 2020. Businesses need to step up their cyber security efforts to reduce these risks and minimise the impact of an attack.

How can you reduce the risk of cyber threats on Black Friday 2021? 

The above attacks take place daily and are not specific to the holiday season or large events like Black Friday, but the volume and frequency of these attacks significantly increase during these times, as more consumers make purchases online.

Being aware of these threats is a step closer to preventing cyber attacks on Black Friday 2021 and during the holiday season to come. Businesses should balance investment in security awareness training for employees with robust security measures that scan their systems for suspicious activity. Similarly, consumers need to be better educated and made aware of potential threats.

If you find yourself the victim of a cyber incident, ESA Risk can help you with your response to the attack and to make you cyber-secure in the future, through the design and execution of a strong cyber security plan. Reach out to us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form to find out more.


New cyber laws are welcome, but long overdue

The Product Security and Telecommunications Infrastructure (PSTI) Bill, introduced to parliament today by Julia Lopez MP and the Department for Digital, Culture, Media & Sport (DCMS), will provide consumers with better protection from attacks by hackers on their phones, tablets, smart TVs, fitness trackers and other internet-connectable devices.

As Julia Lopez, Minister for Media, Data and Digital Infrastructure, notes: “every day hackers attempt to break into people’s smart devices.” Cyber criminals are targeting these products more and more often. Which? recently found that a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week (yes, 12,000 a week!). With that in mind, a move to mitigate the risk posed to consumers through legislation has been a long time coming.

In the DCMS announcement, the Minister goes on to say: “Most of us assume that if a product is for sale, it’s safe and secure. Yet, many are not [80% of connectable product manufacturers “do not implement appropriate security measures”], putting too many of us at risk of fraud and theft. [The PSTI] Bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”

Described by the government as “a new world-leading law”, the Bill will “prevent the sale of consumer connectable products in the UK that do not meet baseline security requirements”. Included in these new cyber laws are the following:

  • A ban on universal default passwords, with new devices required to come with unique passwords that can’t be reset to a universal factory setting.
  • A demand for greater transparency from manufacturers on their efforts to fix security flaws, with companies required to publish the minimum support time for products (i.e. for how long they’ll receive updates and patches).
  • A better vulnerability reporting system, including a public point of contact at each manufacturer.

The new cyber laws will apply to imported goods, as well as those manufactured in the UK. Retailers (both on the high street and online) will be subject to the same laws as the manufacturers, ensuring consumers are protected no matter where a product is produced or purchased.

And the laws will apply to all ‘connectable’ devices. From January to June this year, Internet of Things (IoT) devices were targeted by 1.5 billion attempted compromises – double the number in the whole of last year.

Technical Director of the National Cyber Security Centre (NCSC) (part of GCHQ), Dr Ian Levy is “delighted by the introduction of this bill which will ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cyber security.” The Bill was developed jointly by the NCSC and DCMS.

Dr Levy admits that this change “mark[s] the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice.” With so many connectable devices that don’t meet these standards already for sale and in our homes, we’re facing an uphill battle against cyber criminals. And, as the DCMS announcement points out, “just 1 vulnerable device can put a user’s network at risk.”

For advice on securing your network against cyber threats, contact Graeme McGowan, Cyber Risk & Security Consultant at graeme.mcgowan@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Manchester networking event

Last week, we were back in Manchester for the latest instalment in The 500 Club networking event series. Mark Dickson (Risk Management) hosted at The Alchemist Spinningfields alongside Roger Dugan from our co-hosts Asertis.

Mark and Roger were joined by guests including lawyers and insolvency practitioners for our first Manchester event since the end of the summer.

The 500 Club is an event series jointly hosted by ESA Risk and Asertis. The invitation-only networking events are usually held twice a month at locations across the UK, including London, Manchester, Birmingham, Leeds, Liverpool and others.

Our aim at these events is to connect like-minded professionals. No sales presentations, only good conversation over a few drinks.

We’re in Birmingham on Thursday this week for a private guided wine tasting at Loki Wine Merchant & Tasting House in the historic Great Western Arcade, followed by Baranis in central London next week.

Please contact us if you’d like to join us at a future event.

New supply chain plans to bolster cyber resilience

The Department for Digital, Culture, Media and Sport (DCMS) has unveiled new proposals aimed at “protect[ing] the country’s digital supply chains”. Under the proposals, IT service providers could have to follow new rules, including the National Cyber Security Centre’s Cyber Assessment Framework, to bolster their cyber resilience.

Although developed before the results of the latest Cyber resilience captains of industry survey 2021 were published on 15th November, the move directly addresses the key issue highlighted by the research. The survey, conducted with “chairs, CEOs and directors of Britain’s top companies”, demonstrates a gap between perceived cyber security risk and “action on supply chain cyber security”. 91% of respondents now “see cyber threats as a high or very high risk to their business”, whereas just 69% say they’re “actively manag[ing] supply chain cyber risks.”

The proposals are the result of a government consultation that began in May 2021, driven by “an increasing number of organisations…suffering cyber attacks via their supply chains or via their providers of IT services.” During the government’s ‘call for views’ on this issue, 82% of respondents agreed that an effective (or somewhat effective) solution could be legislation.

Minister for Media, Data and Digital Infrastructure, Julia Lopez, said:

“As more and more organisations do business online and use a range of IT services to power their services, we must make sure their networks and technology are secure.

“Today we are taking the next steps in our mission to help firms strengthen their cyber security and encouraging firms across the UK to follow the advice and guidance from the National Cyber Security Centre to secure their businesses’ digital footprint and protect their sensitive data.”

As the DCMS admits, this is only the beginning of an idea to strengthen the UK’s digital supply chains. A “new national cyber strategy” is promised “later this year”. Policy proposals need to be developed further and the government is reviewing “the laws and measures which encourage firms to improve their cyber security”.

More generally, the Cyber resilience captains of industry survey 2021 results show that the country’s largest firms – the Top 500 industrials by turnover and the Top 100 financial companies by capital employed – are taking cyber risks seriously.

77% of respondents said cyber security is discussed at board level on at least a quarterly basis. 92% reported that their “board integrates cyber risk considerations into wider business areas”.

However, only 16% said that their company’s board members needed no support “to be able to make better decisions about cyber resilience”. The most commonly chosen type of support needed was “awareness raising / education / training for board members” (34%), which is almost identical to our cyber security motto at ESA Risk: training, education and awareness.

Cyber Assessment Framework

The National Cyber Security Centre’s Cyber Assessment Framework covers 4 objectives:

  1. Managing security risk
  2. Protecting against cyber attack
  3. Detecting cyber security events
  4. Minimising the impact of cyber security incidents.

It “provides a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organisation responsible” through 14 principles of cyber security and resilience.

ESA Risk and cyber resilience

For cyber security advice and support, including supply chain cyber resilience and meeting the Cyber Assessment Framework, contact Graeme McGowan, Cyber Risk & Security Consultant at graeme.mcgowan@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

The most common security threats to mobile devices in 2021

Increases in organisational mobility typically result in a higher number of mobile devices accessing your systems from remote locations. For your cyber security teams, this means a growing variety of endpoints and threats they need to secure to protect your organisation from a data breach.

Mobile malware has long been a common problem. As a result, businesses and individuals are usually aware of the potential threat and how to deal with it. However, as Verizon’s Mobile Security Index Report shows, new threats are constantly appearing and organisations need to consider these, as well, in order to ensure they’re protected.

Below are the most common and critical mobile security threats that organisations currently face.

4 different types of mobile phone security threats

Mobile phone security threats are commonly thought of as a single, all-encompassing threat. But, the truth is, there are 4 different types of threat that organisations need to take steps to protect themselves from:

Mobile application security threats

Application-based threats are present when people download apps that look legitimate but skim data from their device. Examples are spyware and malware that steal personal and business information without people realising it’s happening.

Web-based mobile security threats

Web-based threats are subtle and tend to go unnoticed. They happen when people visit affected sites that appear to be fine on the face of it, but automatically download malicious content onto devices.

Mobile network security threats

Network-based threats are especially common and risky because cyber criminals can steal unencrypted data while people use public Wi-Fi networks in places such as transport hubs and cafes.

Mobile device security threats

Physical threats to mobile phone security and other mobile devices most commonly refer to the loss or theft of a device. Because whoever holds the device has direct access to the hardware where private data is stored, this threat is especially dangerous to enterprises.

Mobile cyber security threat examples

Below are the most common examples of these threats, as well as steps organisations can take to protect themselves from them.

Social engineering

Social engineering attacks are when bad actors send fake emails (phishing attacks) or text messages (smishing attacks) to your employees in an effort to trick them into handing over private information like their passwords or downloading malware onto their devices. The best defence for phishing and other social engineering attacks is to teach employees how to spot phishing emails and SMS messages that look suspicious and avoid falling prey to them altogether.

Reducing the number of people who have access to sensitive data or systems can also help protect your organisation against social engineering attacks, because it reduces the number of accounts an attacker could abuse to reach critical systems or information.

Data leakage via malicious apps

Enterprises face a far greater threat from the millions of generally available apps on their employees’ devices than from mobile malware, because 85% of mobile apps today are largely unsecured.

Hackers can easily find an unprotected mobile app and use that to design larger attacks or steal data, digital wallets, backend details and other information directly from the app.

For example, when your employees visit Google Play or the App Store to download apps that look innocent enough, the apps ask for a list of permissions before people are allowed to download them. These permissions generally require access to files or folders on the mobile device, and most people just glance at the list of permissions and agree without reviewing them in detail.

However, this lack of scrutiny can leave devices and enterprises vulnerable. Even if the app works the way it’s supposed to, it still has the potential to mine corporate data and send it to a third party, such as a competitor, and expose sensitive product or business information.

The best way to protect your organisation against data leakage through malicious or unsecured applications is by using mobile application management (MAM) tools. These tools allow IT admins to manage corporate apps (wipe or control access permissions) on their employees’ devices without disrupting employees’ personal apps or data.

Unsecured public Wi-Fi

Public Wi-Fi networks are generally less secure than private networks because there’s no way to know who set the network up, how (or if) it’s secured with encryption, or who is currently accessing the network or monitoring it.

As more companies offer remote work options, the increasing number of public Wi-Fi networks your employees use to access your servers (e.g. from coffee shops or cafes) could present a risk to your organisation. Cyber criminals often set up Wi-Fi networks that look authentic (by ‘cloning’ them), but are actually a front to capture data that passes through their system (a ‘man in the middle’ attack).

The best way for you to protect your organisation against threats over public Wi-Fi networks is by requiring employees to use a VPN to access company systems or files. This will ensure that their session stays private and secure, even if they use a public network to access your systems.

End-to-end encryption gaps

An encryption gap is like a water pipe with a hole in it. While the point where the water enters the pipe (your users’ mobile devices) and the point where the water exits the pipe (your systems) might be secure, the hole in the middle lets bad actors access the water flow in between. Unencrypted public Wi-Fi networks are one of the most common examples of an encryption gap (and it’s why they’re a huge risk to organisations). Since the network isn’t secured, it leaves an opening in the connection for cyber criminals to access the information your employees are sharing between their devices and your systems.

However, Wi-Fi networks aren’t the only thing that pose a threat – any application or service that’s unencrypted could potentially provide cyber criminals with access to sensitive company information. For example, any unencrypted mobile messaging apps your employees use to discuss work information could present an access point for a bad actor.

For any sensitive work information, end-to-end encryption is a must. This includes ensuring that any service providers you work with encrypt their services to prevent unauthorised access, and that your users’ devices and your own systems are encrypted too.

Internet of Things (IoT) devices

The types of digital device that access your organisation’s systems are branching out from laptops, mobile phones and tablets to include wearable tech (like the Apple Watch) and physical devices (like Google Home or Amazon’s Alexa). Since many of the latest IoT mobile devices have IP addresses, bad actors can use them to gain access to your organisation’s network over the internet if those devices are connected to your systems.

Spyware

Spyware is used to surveil users or collect data, and is most commonly installed on a mobile device when users click on a malicious advertisement or through scams that trick users into downloading it unintentionally. Whether your employees have an iOS or Android device, their devices are targets ripe for data mining with spyware, which could include your private corporate data if that device is connected to your systems.

Dedicated mobile security apps can help your employees detect and eliminate spyware that might be installed on their devices and be used to access company data. Ensuring your employees keep their device operating systems (and applications) up to date also helps ensure that their devices and your data are protected against the latest spyware threats.

Poor password habits

The 20 most common passwords in 2020, according to NordPass.

Position  Password     Time to crack       Times exposed  Note
 1        123456       Less than a second     23,597,311
 2        123456789    Less than a second      7,870,694
 3        picture1     3 hours                    11,190  new entry on 2020’s list
 4        password     Less than a second      3,759,315
 5        12345678     Less than a second      2,944,615
 6        111111       Less than a second      3,124,368
 7        123123       Less than a second      2,238,694
 8        12345        Less than a second      2,389,787
 9        1234567890   Less than a second      2,264,884
10        senha        10 seconds                  8,213  new entry
11        1234567      Less than a second      2,516,606
12        qwerty       Less than a second      3,946,737
13        abc123       Less than a second      2,877,689
14        Million 2    3 hours                   162,609  new entry
15        000000       Less than a second      1,959,780
16        1234         Less than a second      1,296,186
17        iloveyou     Less than a second      1,645,337
18        aaron431     3 hours                    30,576  new entry
19        password1    Less than a second      2,418,984
20        qqww1122     52 minutes                122,481  new entry

There’s not much more to say on this topic. These bad password habits present a threat to organisations whose employees use their personal devices to access company systems. Since both personal and work accounts are often accessible from the same device with the same password, it simplifies the work a bad actor has to do in order to breach your systems.

If you use any of the passwords in this list, I strongly suggest you change them now.
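One practical defence against the habits above is to reject these passwords (and trivial variants of them) at the point where a user chooses one. The following is an added example, not code from ESA Risk or NordPass: it checks a candidate password against the page’s list of 20, after normalising case, stripping appended digits or symbols (so “Password2021!” is caught as “password”) and undoing simple letter-for-symbol swaps, and it enforces a minimum length. The 12-character minimum and the substitution table are assumptions chosen for illustration, not values from the article.

```python
"""Password blocklist check (added example; not ESA Risk's or NordPass's code)."""
import re

# The 20 most common passwords of 2020 as listed in the article (NordPass),
# typed in by hand from the table above.
COMMON_PASSWORDS = {
    "123456", "123456789", "picture1", "password", "12345678", "111111",
    "123123", "12345", "1234567890", "senha", "1234567", "qwerty", "abc123",
    "Million 2", "000000", "1234", "iloveyou", "aaron431", "password1",
    "qqww1122",
}
COMMON_LOWER = {p.lower() for p in COMMON_PASSWORDS}

# Assumed policy value for this example: favour length over forced complexity.
MIN_LENGTH = 12

# Assumed substitution table: undo common symbol-for-letter swaps so that
# "p@ssw0rd" is compared against the blocklist as "password".
LEET_TABLE = str.maketrans({
    "@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i",
})

# Trailing run of digits and/or symbols, e.g. the "2021!" in "Password2021!".
_TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def normalise(password: str) -> set[str]:
    """Return the base forms of a password that are compared against the blocklist."""
    lower = password.lower()
    stripped = _TRAILING_JUNK.sub("", lower)
    return {
        lower,
        stripped,
        lower.translate(LEET_TABLE),
        stripped.translate(LEET_TABLE),
    }


def check_password(password: str) -> list[str]:
    """Return the list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalise(password) & COMMON_LOWER:
        problems.append("matches a common password (or a trivial variant of one)")
    if password.strip().isdigit():
        problems.append("consists only of digits")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ["123456", "Password2021!", "P@ssw0rd1", "correct horse battery staple"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

In a real deployment the blocklist would be a much larger breached-password corpus rather than twenty entries, but the normalisation step is what matters: without it, users who are told “password” is banned simply submit “Password1!” and the check is defeated.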

Lost or stolen mobile devices

Lost and stolen devices aren’t a new threat for organisations. But with more people working from home or in public places like cafes or coffee shops and accessing your systems with a wider range of devices, lost and stolen devices pose a growing risk. First and foremost, you’ll want to ensure employees know what steps to take if they lose their device. Since most devices come with remote access to delete or transfer information, that should include asking employees to make sure those services are activated.

Out-of-date operating systems

Like desktop operating systems, mobile operating systems require continuous work to find and patch the vulnerabilities that bad actors use to gain unauthorised access to your systems and data. Companies like Apple and Google address many of these vulnerabilities with operating system updates, so updating/patching is critical.

Cyber security support from ESA Risk

For advice and support to secure your business against cyber threats – including mobile phone security – look no further than ESA Risk. From staff training to software and process recommendations, we’ll work with you to meet your cyber security needs.

Contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Investment fraud: An unregulated scheme

The company in question – Dow and Jones Limited – was selling fine wine to members of the public as an investment opportunity, yet most orders were not delivered and even for those that were, customers would be unlikely to get their original capital back due to the inflated buying price of almost double the retail cost.

Alongside overcharging their customers and investors, the company told clients they had to buy more to bulk up their wine portfolios. The company accounts were reflective of their dishonesty; orders from as far back as 2016 weren’t completed and inaccurate accounts had been filed at Companies House.

Investment fraud is not uncommon. In this case, the methods used to convince customers to buy into the fraudulent scheme were outlined by Irshard Mohammed, Senior Investigator at the Insolvency Service, as “Similar to boiler room operations, Dow and Jones used sales scripts from previously failed companies, which assisted salesmen to convince people, including the vulnerable, to invest their money in unregulated investments.

“The courts recognised the unscrupulous nature of Dow and Jones when it wound-up the company and our advice is always to reject unsolicited investment offers that sound too good to be true.”

The Official Receiver appointed to this case revealed that third parties (claiming to work for The Insolvency Service) were contacting investors promising investment returns if money was sent to them during the phone call.

Scams in which criminals impersonate the Insolvency Service are known as ‘recovery room scams’. These are defined as “fraudsters approaching investors who have been scammed or had failed investments, offering to help them get their money back for an upfront fee”. They usually adopt the role of an Official Receiver and use methods such as sending fake letters with the Insolvency Service logo, or referring investors to social media accounts of actual Insolvency Service employees.

The Insolvency Service’s Official Receivers do not ask investors to pay upfront fees to recover lost investments. Being asked to pay such fees to ‘get paid faster’ or ‘increase the likelihood of profits’ is one of the surest signs of investment fraud.

Advice from The Insolvency Service

  1. The Insolvency Service will always look to cooperate with other government agencies and prosecuting authorities when we’re made aware of recovery room scammers and investment fraud. You should report all fraudulent contact from individuals stating they can get your lost investments back for a fee. You can also report these approaches to Action Fraud.
  2. The Financial Conduct Authority publishes a list of known fraudulent claims management companies, you can check online if a warning has been posted about the company that approaches you. Just because the company that has contacted you is not on this list does not mean that they are not attempting to scam you.
  3. You can avoid many unsolicited telephone calls by registering your phone number with the Telephone Preference Service (TPS). The TPS is the official central opt-out register for people who do not want to receive unsolicited sales and marketing calls and is a free service.

Protection against investment fraud

Banks have become progressively better in recent years in trying to prevent their customers falling for investment fraud scams by implementing monitoring systems that can detect when payments have been made to scam companies, but continual education and awareness will always be key to achieving higher prevention.

For advice and support on recognising and avoiding investment fraud, contact Ali Twidale, Banking & Financial Fraud Consultant at ali.twidale@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Cyber insurance: The risks of a safety net

With increased cyber crime come higher demands and stakes, meaning there is more need for cyber insurance. Not only have ransom demands skyrocketed, but the average ransomware payment has also increased by over 40% and reached over £150,000.

A ransom of this size could easily push some small and medium-sized businesses to the brink of insolvency or lead to a halt of operations that they simply cannot afford. Therefore, many businesses are turning to cyber insurance for protection against cyber risk.

Cyber insurance is typically meant for businesses that depend heavily on their IT systems to be functional 24/7. Today, that covers almost all businesses, especially healthcare, critical infrastructure, municipalities, manufacturing, and transport and logistics industries. However, some companies that purchase a full-coverage plan start to let down their guard and may simply pay out a ransom because they know the insurance company will later cover it.

The original purpose of cyber insurance was to cover the extortion losses of a business in the event of a successful ransomware attack, if the business had no other option but to pay the ransom demand for business continuity or to mitigate future losses. But a growing lack of vigilance and responsibility from some insured companies is tilting the balance of the cyber insurance market, forcing insurance companies to raise the premium price and adjust the underwriting standards to lower their own risks of loss.

The average global cyber insurance premium rate has increased by 32% year-on-year. Additionally, the insurers now require third-party IT companies to conduct a field examination on the insured company’s cyber security protocols to see if they reach a set standard. The checking process used to be mainly conducted via a self-assessment sheet; now, if the company doesn’t meet the standards, the vendor the insurers hire will tell the applicant company what they need to add, and the insurer won’t sign the contract until everything is in place.

Smaller enterprises are now faced with a dilemma: on one side there is the risk of rapidly growing malicious attacks; on the other side are expensive premium packages with complex prerequisites and clauses that might not necessarily cover all their losses. If this vicious cycle continues, the only beneficiaries will be the criminals.

What companies should know about cyber insurance

Every company owner should be aware of what they are looking for when it comes to cyber insurance. They should always read the fine print and understand the specifics of coverage, deductibles and exclusions. This safety net can be highly effective if the policy is correctly written, and the business is fully aware of its coverage and its likelihood of facing cyber risk.

Cyber insurance typically doesn’t cover 3 types of losses: potential future lost profits, loss of value due to the theft of intellectual property, and betterment (i.e., the cost to improve internal technology systems after the attack, such as IT upgrades after a cyber event). In short, losses other than the initial ransom are not likely to be covered by insurance.

Today, most ransomware attacks do not stop at the initial breach. Take the SolarWinds incident as an example. Instead of locking SolarWinds’ IT systems, attackers planted malicious code in the company’s Orion technology platform, which is used by more than 30,000 customers, including the U.S. Department of Energy, the Department of Homeland Security and other national agencies. In this case, the hackers didn’t even ask for a high ransom, but the damage and the potential vulnerabilities this attack created are immeasurable and cannot possibly be covered by insurance.

Ransomware insurance alone is not enough. A well-written policy should also cover data breach liability, regulatory compliance, and other cyber risk-related threats. There are also firms that specialise in cyber insurance and understand the risks related to specific organisations. The simplest way for business owners to find an insurance plan that best fits their company is to start with the current business liability insurance provider and ask if they have experts who deal with cyber insurance.

Lastly, business owners should never let their guard down. Putting an employee cyber security training programme in place and implementing robust cyber security tools and processes should always be the priority, as this helps to mitigate the risks from the root. Conduct regular IT checks and system updates to ensure all patches are implemented, eliminating backdoors for attackers. Training, education and awareness are absolutely vital.

Conclusion

With the ever-changing cyber attack landscape, businesses should be extra cautious. While cyber insurance can be a smart move, businesses should also learn to utilise other tools to protect themselves, including a robust training regime and a fit-for-purpose policy that meets the company’s situation.

If you require advice on cyber risk or would like to know more about cyber insurance, contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Joint Fraud Taskforce: Accountants to play key role in tackling fraud

The Home Secretary Priti Patel has announced the relaunch of the Joint Fraud Taskforce against the backdrop of a 24% rise in fraud during the Covid-19 pandemic.

The relaunch recognises the key role accountants can play in identifying fraud and educating themselves and their clients on how to do the same. It also highlights accountants as being potential targets for fraudsters, while admitting that the number of fraud cases that involve an accountant is currently low.

For the same reasons that accountants have been recognised as potentially important in the fight against fraud (i.e. their control of, and closeness to, companies’ finances and their role as trusted advisors), the taskforce also highlights accountants as potential fraudsters, with opportunities to commit fraud that few others have.

New fraud charter for the accountancy profession

As a result, the taskforce’s ‘Accountancy Sector Fraud Charter’ includes actions to “drive greater transparency…across the accountancy sector”, as well as to better equip accountants to spot, deal with and educate others on fraud risks. The charter has, so far, been supported by 12 accountancy sector professional bodies, including the ICAEW.

Developed by the Home Office and the profession in partnership, the charter has 4 main actions intended to be delivered in collaboration with the profession, government, and law enforcement agencies.

  1. The first is to identify areas of vulnerability within the accountancy sector with a view to providing the sector with a clearer understanding of the risk of fraud in the UK.
  2. The second action centres on the training and education to be led by the ICAEW, beginning with reminders to the profession on how to spot red flags for fraud within their clients and to avoid them becoming victims themselves.
  3. The third forms part of the government’s commitment to reform Companies House by improving the accuracy of the information it holds and preventing the misuse of corporate entities by fraudsters. The sector will work to address the misuse of accountancy firms’ details, whereby fraudsters falsely use an accountant’s address as their registered office to gain legitimacy, or claim to have had accounts prepared or audited by a firm.
  4. The fourth is to increase fraud awareness among businesses and the public through the National Economic Crime Centre, which the accountancy sector will support.

Other areas covered by the Joint Fraud Taskforce

The other sectors in the relaunch are telecommunications and retail banking, with signatories of the respective charters including all major high street banks and the leading telecommunications companies, such as BT EE, Vodafone and Virgin Media O2.

The taskforce will be chaired by Minister for Security Damian Hinds, who described fraud as “a devastating crime that impacts around 1 in 13 of us each year”.

It was also claimed that “fraud now represents over a third of all UK crime.”

October’s relaunch of the taskforce was part of the Fraud Action Plan Framework agreed at the government’s Economic Crime Strategic Board earlier in 2021. First established in 2016, the Joint Fraud Taskforce spent more than a year in the wilderness after a 2019 restructure before being brought back under Home Office control at the end of 2020.

It remains to be seen how effective the latest iteration of the taskforce will be, although the Home Secretary has conceded that “government alone cannot fix this which is why the Joint Fraud Taskforce will bring together key business leaders to work in partnership to protect the public”.

The Home Office’s press release on the relaunch includes a note “encouraging the public to forward suspicious text messages to 7726 (which is free of charge) and…report fraud to the police through Action Fraud”.

How ESA Risk can help

Fraud prevention and fraud investigations are areas where we possess the expertise and experience to help you and your business. These are topics we’ve written extensively on, with guides including ‘Fraud prevention in 5 steps’ and ‘Charities: What to do if you suspect fraud’ (equally useful for non-charity sector organisations).

For advice on fraud prevention, or for support investigating a suspected fraud, please contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Hospitality council guiding sector to recovery

As part of the UK government’s ‘Hospitality Strategy’, the Department for Business, Energy and Industrial Strategy took the initiative to establish a Hospitality Council.

The newly formed council includes representatives from Nando’s (Chief Executive Colin Hill), Starbucks (UK General Manager Alex Rayner) and Mowgli’s (Nisha Katona). Small Business Minister Paul Scully has commented:

“The hospitality industry has shown incredible creativity and resourcefulness through the pandemic, pivoting to new ways of doing business like al fresco dining and takeaway pints to stay safe, meet changing consumer demands and protect livelihoods.

With the launch of this council, we’re taking the next step in the journey to build back better from the pandemic by unveiling the experts who’ll be driving the reopening, recovery and resilience of the sector.”

Hospitality is the UK’s third largest private sector employer. It accounts for £130bn in economic activity and directly employs 2.9m people, with an estimated further 2.8m people employed indirectly. According to UKHospitality, the sector contributes in the region of £38bn in taxation to the exchequer.

As the above figures suggest, closer government attention to the sector’s recent problems is well overdue. In order to reverse the effects of Covid-19 and the labour shortages, and to boost the hospitality sector, the industry champions assembled by the Hospitality Council have a tough ask ahead of them.

While the effects of Covid-related lockdowns are gradually being reversed, continued government support will be vital in providing new opportunities, funding expenses and rolling out schemes to combat labour shortages and encourage people to apply for jobs in the sector. Brexit has also introduced side-effects for the industry, presenting further challenges that the Hospitality Council will have to answer.

For instance, there are no longer enough EU workers available to make up the workforce needed for food and drink manufacturing and for transport and supply chains. The service sectors’ current provision is not sufficient to meet demand, so the Council has the task of replenishing the sector’s workforce to an appropriate level.

One of the key words here is ‘appropriate’. A common misapprehension about the hospitality industry in some quarters is that anyone could work in hospitality, and that the workforce should therefore not be a problem; this is not the case. Many hospitality vacancies can be filled by low-skilled labour, but there are many others that require a great deal of training and development.

The role of the Hospitality Council

Short-term labour shortages are being addressed alongside medium to long-term culture change, with improved training and development within hospitality. The Hospitality Strategy has encouraged al fresco dining, for instance, by making pavement licences permanent and extending takeaway pints until September 2022 to increase sales.

It has also added hospitality and catering qualifications to Free Courses for Jobs, meaning adults can achieve qualifications in professional cookery, food and beverage supervision and more. There is also a Kickstart and Sector-based Work Academy Programme (SWAP) designed to fill hospitality vacancies and a ‘Help to Grow: Management’ course that is 90% subsidised by the government.

Beyond this, there is continued Covid recovery and growth support, along with fairer business rates, taxation, the duty system and other issues that the Hospitality Council will have to address. The government wants the UK’s hospitality industry to land back on its feet and is certainly putting in the work behind the scenes to ensure that this is possible.

Advice from ESA Risk

If you require advice on the process of recovery for your hospitality business or would like to know more about ways that you can make improvements, contact Hotel and Leisure Management Consultants Mario Ovsenjak (mario.ovsenjak@esarisk.com) or Nicola Trew (nicola.trew@esarisk.com) on +44 (0)343 515 8686 or via our contact form.

Beyond security: How access control and CCTV video analytics can generate business intelligence

Fortunately, modern, network-connected security systems can deliver operational benefits that give security chiefs a powerful argument when it comes to pitching to the boardroom for greater funding.

Security systems are, of course, fundamentally – and historically, solely – about deterring and thwarting criminal acts in order to protect people and property.

However, today’s AI-powered video surveillance and access control software can transcend this core purpose to provide other benefits, often in concert with building management systems (BMS).

Deployed wisely, cutting-edge security systems can play a role in reducing energy use, boosting productivity and sales, enhancing work environments and delivering services more effectively.

New technologies can therefore be justified on the grounds of cutting costs and boosting the bottom line, as well as reducing insurance premiums and improving safety, security and loss prevention.

Consider how, for instance, automatic number plate recognition (ANPR) systems can eliminate the need for ticket inspectors in car parks.

Access control efficiencies

In mediating the entry and exit of authorised individuals, meanwhile, physical access control systems build a picture of which and how many individuals occupy any given room or floor at any particular moment.

If access control reports show an office building is consistently quiet at the same time each month – say, Friday afternoons – facilities managers could decide to close certain floors to lower cleaning, maintenance, staffing and energy demands.

And integration with building management systems means lights, heating and air conditioning can be automatically switched on or off as buildings become occupied or unoccupied, thus reducing energy use.
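The occupancy picture described above can be built directly from the access control system’s own event log. The following is an added worked example, not ESA Risk’s code or any vendor’s product: it replays a small constructed badge log (the timestamps, credential IDs and floor numbers are made up), computes per-floor occupancy, samples it on the hour to find the consistently quiet weekday/hour slots a facilities manager would act on, and flags anti-passback anomalies (an exit with no recorded entry, or a second entry with no exit in between), which in practice usually mean tailgating or a faulty reader and should be reviewed before the occupancy figures are trusted.

```python
"""Occupancy and quiet-period analysis from a physical access control log.

Added example with a constructed log; not the page's or any product's code.
Log format assumed: ISO timestamp, credential id, floor number, IN|OUT.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed badge events for two Fridays (2021-11-05 and 2021-11-12).
BADGE_LOG = """\
2021-11-05T08:02:11 C1001 3 IN
2021-11-05T08:05:40 C1002 3 IN
2021-11-05T08:07:03 C1003 2 IN
2021-11-05T12:30:00 C1003 2 OUT
2021-11-05T13:15:22 C1002 3 OUT
2021-11-05T13:40:00 C1004 3 OUT
2021-11-05T14:00:00 C1001 3 IN
2021-11-05T17:10:00 C1001 3 OUT
2021-11-12T08:10:00 C1001 3 IN
2021-11-12T12:45:00 C1001 3 OUT
"""


def parse_log(text):
    """Parse log lines into (timestamp, credential, floor, direction), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, cred, floor, direction = line.split()
        events.append((datetime.fromisoformat(ts), cred, int(floor), direction))
    return sorted(events)


def replay(events):
    """Replay events in order.

    Returns (present, anomalies): present maps floor -> set of credentials
    currently inside; anomalies lists (timestamp, credential, reason) for
    anti-passback violations that should be investigated.
    """
    present = defaultdict(set)
    inside = {}  # credential -> floor it was last recorded entering
    anomalies = []
    for ts, cred, floor, direction in events:
        prev = inside.pop(cred, None)
        if prev is not None:
            present[prev].discard(cred)
        if direction == "IN":
            if prev is not None:
                anomalies.append((ts, cred, f"IN on floor {floor} without OUT from floor {prev}"))
            inside[cred] = floor
            present[floor].add(cred)
        elif direction == "OUT":
            if prev != floor:
                anomalies.append((ts, cred, f"OUT from floor {floor} without matching IN"))
        else:
            raise ValueError(f"unknown direction {direction!r}")
    return present, anomalies


def occupancy_at(events, when):
    """Headcount per floor at a given instant, from events up to that time."""
    present, _ = replay([e for e in events if e[0] <= when])
    return {floor: len(creds) for floor, creds in present.items()}


def hourly_profile(events):
    """Average occupancy keyed by (floor, weekday, hour), sampled on the hour."""
    days = sorted({e[0].date() for e in events})
    floors = sorted({e[2] for e in events})
    totals, samples = defaultdict(float), defaultdict(int)
    for day in days:
        for hour in range(24):
            counts = occupancy_at(events, datetime.combine(day, time(hour)))
            for floor in floors:
                key = (floor, day.weekday(), hour)
                totals[key] += counts.get(floor, 0)
                samples[key] += 1
    return {k: totals[k] / samples[k] for k in totals}


def quiet_hours(profile, floor, threshold=1.0):
    """(weekday, hour) slots on `floor` whose average headcount is below threshold."""
    return sorted((wd, h) for (f, wd, h), avg in profile.items()
                  if f == floor and avg < threshold)


if __name__ == "__main__":
    evs = parse_log(BADGE_LOG)
    _, problems = replay(evs)
    prof = hourly_profile(evs)
    print("anomalies:", problems)
    print("quiet slots on floor 3 (weekday, hour):", quiet_hours(prof, 3))
```

In the constructed log, floor 3 averages 1.5 people at 09:00 on Fridays but only 0.5 at 16:00, which is the kind of pattern that would justify closing a floor on Friday afternoons; the two anomalies (a badge leaving with no entry, and a re-entry with no exit) are exactly the records that need checking before anyone relies on the counts for heating or cleaning schedules.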

Further efficiencies can be realised by consolidating physical and logical access control and integrating them with other services. As a result, employees could use the credential they access the office with – whether it’s a card, key or biometric authenticator – to pay for food in the canteen or enter the adjoining car park, too.

Integration with other business functions, such as HR, can streamline back-end administration, while cross-site standardisation is useful for large organisations with multiple offices.

Increasingly, access control can also be integrated with visitor management systems, making the check-in process more seamless and restricting visitors to the areas they need to access and the times they need to access them.

CCTV video analytics for retail business intelligence

Video analytics software, which uses deep learning algorithms to make sense of CCTV footage, has powerful security functions that vendors have repurposed to generate business intelligence.

It can, for instance, automatically identify and track persons of interest, highlight people or objects that fit a certain description, send alerts when pre-defined behaviours are detected, and detect suspicious packages.

In retail, similar capabilities can realise operational insights that inform decisions – on staffing, procurement and store design – that optimise the customer experience and boost sales.

Video content analysis can, for instance, measure footfall and where it is concentrated, something usefully presented in heatmaps.

The routes customers typically take around the store and where they tend to linger – measured by ‘dwell time’ – can help retailers optimise store layout, product lines and even pricing (imagine the conclusion you might draw, for instance, from a long dwell time around particular products but comparatively unremarkable sales figures).

Supported by proximity and people-counting thresholds, staffing levels can be tweaked to reflect peak periods and reduce crowding and queuing at checkout counters, fitting rooms and bathrooms.

Consider the resource efficiencies yielded by determining bathroom cleaning schedules by through-traffic rather than arbitrary intervals.

The ability to monitor shopper numbers and density also has a powerful application in relation to Covid-19 guidelines on limiting headcounts or enforcing social distancing.

Stores can learn how their customer demographics break down by age and gender, too, which can inform marketing and procurement decisions.

However, functionality that analyses individuals’ characteristics will raise understandable privacy concerns – something vendors have, thankfully, taken into consideration.

Data privacy mechanisms

Mindful of GDPR and equivalent data protection regulations in force around the world, reputable technology providers have ensured that retail-focused applications only ever convey information about shoppers as a group, not as individuals.

CCTV systems more generally should be privacy-protecting by design at every stage – capturing, storing, sharing and deleting data.

Among the most important privacy features is dynamic anonymisation, which ensures anonymity by default, with operators only unmasking individuals suspected of criminal wrongdoing.

Even more reassuring from a privacy perspective – and most relevant for non-security applications like monitoring footfall or for hazards – is permanent masking, where data subjects are anonymised with no possibility of reversing the process.

Redaction, meanwhile, is applied after the fact: individuals who appear in footage relevant to a criminal investigation, but who are not themselves under suspicion, are anonymised.
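The difference between dynamic anonymisation and permanent masking comes down to what the system retains. The following is an added illustration, not ESA Risk’s code and not any CCTV vendor’s implementation: a frame is modelled as a small constructed grid of grayscale values, a detected person is a bounding box, and both modes pixelate the box in the delivered frame. Permanent masking keeps nothing else. Dynamic anonymisation seals the original crop under a key held by authorised operators, so that unmasking is possible only with the key, only with a recorded justification, and only with an audit entry. The sealing routine is a deliberately simple keyed-keystream-plus-MAC construction built from the standard library so the example runs anywhere; a real system would use a reviewed AEAD cipher and an HSM- or KMS-held key, and all names here are assumptions.

```python
"""Reversible (dynamic) vs irreversible (permanent) masking of CCTV regions.

Added example on a constructed frame; not the page's or any vendor's code.
The seal/open routines are a stand-in for a proper AEAD (illustrative only).
"""
import hashlib
import hmac
import os
from copy import deepcopy

# Constructed 6x6 grayscale frame; a detection is a box (x0, y0, x1, y1), exclusive.
FRAME = [[(r * 16 + c * 8) % 256 for c in range(6)] for r in range(6)]


def pixelate(frame, box, block=2):
    """Return a copy of `frame` with the box replaced by block averages."""
    x0, y0, x1, y1 = box
    out = deepcopy(frame)
    for by in range(y0, y1, block):
        for bx in range(x0, x1, block):
            cells = [(r, c) for r in range(by, min(by + block, y1))
                     for c in range(bx, min(bx + block, x1))]
            avg = sum(frame[r][c] for r, c in cells) // len(cells)
            for r, c in cells:
                out[r][c] = avg
    return out


def permanent_mask(frame, box):
    """Irreversible: the masked frame is all that survives; the crop is discarded."""
    return pixelate(frame, box)


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC with separate derived keys (illustrative stand-in for AEAD)."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("sealed crop failed integrity check (wrong key or tampered)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


def dynamic_anonymise(frame, box, key):
    """Reversible: deliver a pixelated frame, retain the original crop sealed under `key`."""
    x0, y0, x1, y1 = box
    crop = bytes(frame[r][c] for r in range(y0, y1) for c in range(x0, x1))
    sealed = {"box": box, "blob": seal(key, crop)}
    return pixelate(frame, box), sealed


def unmask(sealed, key, operator, justification, audit):
    """Recover the original crop; refuses without a justification and records the access."""
    if not justification:
        raise PermissionError("unmasking requires a recorded justification")
    x0, y0, x1, y1 = sealed["box"]
    data = open_sealed(key, sealed["blob"])  # raises before any audit entry if key is wrong
    audit.append({"operator": operator, "justification": justification, "box": sealed["box"]})
    width = x1 - x0
    return [list(data[i:i + width]) for i in range(0, len(data), width)]


if __name__ == "__main__":
    key = os.urandom(32)
    masked, sealed = dynamic_anonymise(FRAME, (1, 1, 5, 5), key)
    log = []
    print(unmask(sealed, key, "operator7", "incident ref (constructed)", log), log)
```

The two modes deliver byte-identical masked frames, which is the point: the viewer cannot tell them apart, and the only difference is whether a sealed original and an unmask path exist. For non-security uses such as footfall counting, the permanent path is the one to deploy.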

Upgrade your security systems with ESA Risk

For advice on physical security or to enquire about a free security risk assessment, please contact Liam Doherty, Security Consultant at liam.doherty@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

Deep dive for the answers you need
Or contact us on +44 (0)343 515 8686 or at advice@esarisk.com.