Page 19 – ESA Risk

Travel agents and staff/client cyber safety

Posted on September 15, 2021July 13, 2022 by Admin Admin

With a number of high-profile data breaches in the headlines towards the end of 2020 – including Heathrow airport paying £120,000 in fines after an employee lost a memory stick containing personal data, and hackers making off with the personal information of more than nine million Cathay Pacific passengers – it feels as if there is still a gap in data protection education, particularly in cyber security for travel agents.

Enter Graeme McGowan, Cyber Risk & Security Consultant at ESA Risk and Senior Tutor and Advisory Council Member at the Global Cyber Academy – an online training institute offering data security courses to individuals and businesses. Here, he gives tips to help travel agencies improve their cyber security and minimise the risk of data breaches.

Staying secure

First and foremost, McGowan recommends encrypting office hardware and software – computers, social networks and chat functions. Encryption is simply the process of encoding a message or information in a way that only authorised users can access it.

“Using a PIN, passcode or fingerprint to unlock your smartphone is sufficient, as most phones have built-in end-to-end encryption,” he says.

“It’s the same for a Windows PC or laptop, and encryption is turned on by default. But it can be undermined if you have no passcode when you boot up. Apple products are all fully encrypted, as are Android phones.”

Ensuring passwords are regularly updated is just as important, he says.

“Agents should change passwords regularly and never recycle any for a PIN, safe or security box.”

Adequate antivirus software is critical too, McGowan warns, adding: “Make sure whatever software package you choose is patched and up to date. Personally – and there are many other good options out there, I use Avast Pro on my PC and other devices. It has everything you need, including a virtual private network (VPN) and some very useful tools to monitor your footprint.”

He advises agents to avoid using shared computers if they can, which may prove difficult in an agency with a limited number of machines.

“If you must use a communal computer, avoid sharing any information – do not save passwords, and employ two-factor authentication when logging into accounts.”

Two-factor authentication is an extra layer of security that requires not only a password and username but also a security token, like a code.

“For example, in online banking, you often need a PIN that’s sent by text message to complete the transaction,” he adds.

Internet threat

“Always use a secure connection,” says McGowan. “Simply having ‘https’ at the beginning of the browser’s URL bar can protect you from a large variety of potential threats.”

These include “drive-by attacks”: cyber criminals looking for insecure websites to plant malicious code on one of the pages. When agents visit the site, malware is installed on their device. Such instances are called drive-by attacks because they require no action on the part of the victim. Locking the windows and doors of your agency doesn’t mean it’s safe from attacks either, says McGowan.

“At the end of the day, shut down, or at the very least, switch off wireless and Bluetooth on all devices. This prevents hackers from accessing devices if they are connected to an open network or any other connection.”

A good example is Feherty Travel in Bangor, Northern Ireland. They have recognised the importance of keeping data secure. Company director and part owner Scott Parker has ensured his business is protected through education and implementing practical measures.

“I attended a course on general data protection regulation (GDPR), which I then wrote up and trained our staff on. We have also installed new filing cabinets with locks to keep data secure, purchased shredders and replaced door locks on our archive room,” he explains.

Protection on the go

McGowan says travel agents should warn clients about using public Wi-Fi in airports, hotels and cafes.

“Because information that’s transmitted is generally unencrypted. It’s not just the hotspot that’s public – it’s your data too. You might as well shout out your details. A compromised router can vacuum up a lot of personal material relatively simply.

“Just getting into your emails, for instance, gives hackers access to your usernames, passwords, and private messages. It’s fairly easy to set up a fake access point (AP), and it’s well worth the effort for cyber criminals.”

Using a VPN in this instance will provide a level of encryption between the user and a website, says McGowan. It makes intercepted data unreadable by a hacker without the correct decryption key.

“‘Packet sniffing’ is another method used by hackers to acquire airborne information then analyse it at their leisure. A device transmits a data packet across an unencrypted network, which can then be read by free software like Wireshark. The bottom line is, never turn your Wi-Fi or Bluetooth on in public places unless you are in a trusted area.”

Finally, for agents embarking on familiarisation trips, McGowan recommends taking a loaner device to deter cyber criminals.

“This is when the IT department would lend an agent a clean laptop or smartphone for their trip. This ‘loaner’ would be better protected if it were misplaced or stolen, as they would be able to guard the data more effectively. For a small business, buying one laptop for travel and making someone responsible for keeping its security systems updated and patched would also work.”

Temporary insolvency measures to end announces The Insolvency Service

Posted on September 14, 2021June 6, 2022 by Admin Admin

The Insolvency Service has signalled the end of temporary insolvency restrictions in England, Scotland and Wales from Friday 1^st October 2021. (Northern Ireland will follow with “similar legislation”). However, some protections for businesses facing insolvency will remain until at least 31^st March 2022, with new “targeted measures to support small business and commercial tenants” due to be introduced from next month.

Business Minister Lord Callanan believes “the time is right to lift the insolvency restrictions that were needed during the pandemic”, as “we are seeing life and the economy returning to normal with a strong rebound”.

What are the new insolvency restrictions?

Under the new legislation, winding up petitions will only be issued for debts of £10,000 or more – a significant increase on the £750 debt threshold pre-pandemic. However, this higher figure may be deceiving, as the £10,000 threshold doesn’t need to apply to a single debt, but can be the sum of multiple debts owed to 1 creditor or of debts owed to a group of creditors.

The second measure to be introduced will give debtor businesses 21 days to submit a payment proposal to creditors before the creditors can take winding up action.

In addition, the 16^th June announcement that commercial tenants will be protected from eviction until the end of March next year is being upheld. The Insolvency Service notes that “businesses should pay contractual rents where they are able to do so.” The extended protection is designed to stop commercial landlords from liquidation of limited companies to repay “arrears built up during the pandemic”.

The Insolvency Service expects these new measures “will particularly benefit high streets, and the hospitality and leisure sectors”.

Which insolvency restrictions are ending?

The measures which are ending include the suspension of serving statutory demands and wider-ranging restrictions on winding up petitions. The suspension of the wrongful trading rules, which temporarily removed the threat of personal liability from directors for wrongful trading, was lifted at the start of July 2021. All 3 of these temporary measures were put in place in June 2020, with the restrictions on statutory demands and winding up petitions applying to the period 1^st March 2020 to 30^th September 2021, as part of the Corporate Insolvency and Governance Act 2020.

The Act introduced some permanent measures, too, which will remain in place beyond the end of the month. These permanent measures centred on rescue and restructuring plans, and were in development before the Covid-19 pandemic.

What will be the impact of the changes?

On balance, October’s changes appear to benefit creditors, while affording some level of continued protection to the most vulnerable debtors – SMEs, high street business and those in the hospitality sector. How strong those protections are in practice remains to be seen, however, as the new £10,000 debt threshold for winding up petitions may not be high enough if creditors decide to group together to take action.

Instruct ESA Risk today

If you’re looking for an experienced company to reliably serve documents, look no further than ESA Risk. Our extensive network of process servers covers the whole of the UK (as well as overseas locations).

Whether you require us to serve relatively straightforward, standard documents or to organise complex time-synchronised, multi-location services, either in the UK or overseas, we’ll work with you to understand your specific requirements and tailor our services and fees accordingly.

Need to confirm an address before sending documents? We also provide tracing services, ensuring you serve the right people in the right place at the right time.

Email us at process.serving@esarisk.com, or call us on +44 (0)343 515 8686.

Forensic accounting: An overview

Posted on September 14, 2021March 9, 2022 by Admin Admin

Forensic accounting entails a process of auditing, accounting and investigation into a company’s finances. The information obtained can then be used in court, with forensic accountants often being required to give a statement as an expert witness on a case.

A forensic accountant typically begins their career as an accountant or auditor, before specialising and training for further credentials, for instance, the Certified Fraud Examiner (CFE) designation. To qualify, accountants require deep knowledge of tax legislation and financial reporting. The role involves a scrutinisation of accounts, finding hidden or concealed money, in an efficient and concise manner. Forensic accountants are versatile, working with data and numbers, and articulating their findings in a way that is presentable to a court.

A forensic accountant will be familiar with legal concepts and procedures and must be able to communicate financial information clearly and concisely in the courtroom. Likewise, their knowledge on regulatory compliance mandates and financial markets must be solid, in order for procedures to be correctly followed. Forensic accountants will also often need to review contracts, bank statements, accounting records or other data relevant to the investigation, all bearing on knowledge in financial crime and internal investigations. The information is reviewed to identify discrepancies or areas of inconsistency that support the case further.

Charlie Batho, a professional forensic accountant at ESA Risk, has shed some light on the ad-hoc nature of the job. “It is a unique form of accounting; each case is different and you can never be sure what you might come up against. There is no textbook guidance to it, each investigation is a one-off experience and every single case is different. When a company requires forensic investigation, it is usually for the first and last time. My job is to follow where the money has gone, usually in cash trails, scoping out how and why it has gone missing and providing answers for my clients.”

Forensic accounting involves working in a variety of areas, for instance in pre-litigation, accounting, complex finance and tax disputing.

Tax disputes

HMRC might start to litigate against an individual who is partaking in tax evasion, so when hired by that individual, the role of the forensic accountant would be to defend them, finding mitigating circumstances and evidence to demonstrate their innocence.

Marital disputes

In the case of a divorce, couples may dispute over the holding of shares. A forensic accountant would handle the financial disagreement and, if the case is taken to court, act as an expert witness. Depending on which side of the dispute they are hired to represent, the forensic accountant would explain the value of the shares and present a case for why their client is owed a certain amount.

Medical cases

In cases where children are born with disabilities or brain injuries, it is the job of a forensic accountant to establish what the ongoing capital award might be for the parents to look after the child for the rest of their life. Additions, such as ramps, shower-railings, disabled access around the house, a 24-hour carer and the annual RPI, must be taken into consideration. Forensic accountants project figures into the future to estimate finances, as well as looking retrospectively.

Fraud cases

In companies there are times accounts might be mishandled, cash goes missing or problems arise in internal accounting. Payroll fraud is an example of this, where employees add fictitious workers to the payroll and direct the money into their own accounts. It is the role of a forensic accountant to uncover and expose this kind of fraud to their clients.

Shareholder disputes

In business valuation, forensic accountants assist with valuing companies in various ways. For instance, two shareholders might each hold 50% of a company and one wants to exit and sell their shares, but there is a disagreement over the price to sell those shares for. Here, the forensic accountant will put together a financial report to support a case stating why the shares are worth more or less than the disputed amount.

Insurance claims

In cases that involve insurers not paying out, for example after a car crash, a forensic accountant would provide information to negotiate the claim. This would involve the worth of the car, comparing dealers’ prices and car policies on mileage.

Audit complaints

If an audit has been incorrectly taken and auditors have been negligent and misstated accounts or missed a fundamental accounting policy, a forensic accountant would have to prove how the auditors made an error, filing an insolvency case against them. This might be relevant if a company goes bust but the audit was previously signed stating that budgets and cash flows were all in order.

At ESA Risk, we offer expert litigation support and forensic accounting services, available for the consideration of any company or individual that requires assistance with a financial error or dispute.

What can we learn from Emotet?

Posted on September 13, 2021March 9, 2022 by Admin Admin

Although originally intended to be a banking ‘Trojan horse’, Emotet has evolved multifariously by modular Dynamic Link Libraries (DLLs) and constantly updates itself into various versions to evade detection. Emotet was designed to steal sensitive information and personal details by infecting devices with malware that then spreads to other local and linked devices.

“In the current climate it is so fantastic to see a major triumph against such a destructive and parasitic malware such as Emotet which has wreaked havoc and has cost millions in damages over a prolonged period in the international banking sector as it infected numerous devices and stole data and money. It has taken a monumental effort from a number of different countries to achieve this and it’s definitely a step in the right cyber security direction.”

– Ali Twidale, Banking & Financial Fraud Consultant at ESA Risk

The malware effectively grows by multiplying itself through a network of devices. Once it gains access to one computer, it has the means to affect many others, acting as a worm. This works via email attachments, malicious links and macro-enabled document files, usually hidden as compressed files that can spread the malware in the form of .doc, .docx and .exe files. The emails are often in regard to updates to financial information or are imitations of emails from popular shipment companies.

The malspam then spreads by ransacking your contacts list and forwarding itself into the inboxes of your friends, family, co-workers and clients. Since these emails are coming from your hijacked email account, the emails look less like spam and the recipients, feeling safe, are more inclined to click bad URLs and download infected files. If a connected network is present, Emotet can also spread using lists of common passwords, finding its way onto other connected systems in a brute force attack.

Emotet is also known to arrive embedded in Word documents attached to emails, that run and install malware once the victim enables macros. These are often flagged as important, so that hackers can gain quick access into the intended device. Microsoft Outlook is also used to generate phishing emails from the infected device, continuing the cycle of malware right under the nose of the unsuspecting victim.

The rapid pace of spread is one of the most dangerous assets to Emotet, aiding the success of the malware in data theft and extortion. It is very difficult to erase from an infected computer, as attackers can update malware codes and enable the trojan to replicate itself across systems. It is undetectable by firewalls due to the nature of its encrypted channels, as well as its ability to lay dormant in a device. Emotet can evade detection from security scanners by remaining idle for extended periods of time and adapting into different versions.

The impact of Emotet

The evolving nature of the malware means it serves various functions for hackers. Notoriously, it has been used to steal banking information from individuals and companies but can also attain sensitive corporate information that is often used for ransom in exchange for a financial reward. Emotet is also often sold to other cyber criminals, extending the varieties of malware it can infect systems with.

Lotem Finkelstein of Check Point Software has revealed that Emotet has ‘sent phishing emails with more than 150,000 different subject lines and 100,000 file names for the attachments.’ Emotet campaigns have impacted global industries, including the malware TrickBot and Obot.

The impact has been enormous, with targets of Emotet including the City of Allentown in Pennsylvania which cost over $1 million to fix. The malware was initially detected in 2014 and has since enabled cyber attacks on Germany, China and Canada in particular. It tends to hide and then reappear in violent bursts, attacking in thousands of malspam messages at once.

Notable cases of Emotet attacks include that on the city of Frankfurt whereby its whole IT network had to be shut down. A similar instance was the attack on Heise Online in May 2019. The German publishing house received the typical email containing an infected Word document requesting access to edit. In turn, the domain controls were compromised so the company had to shut down IT systems in order to attempt to cleanse from infections.

Ways to avoid similar malware attacks

Although malware and trojans can often be difficult to detect and remove, there are measures you can take to avoid infection of your devices. First, ensure your device has cyber security systems installed, such as antivirus software and secure VPN. This software should block dangerous emails, but in cases that it does not, be diligent when checking your inbox. Avoid opening suspicious or unlikely messages or clicking on links that have come from an unrecognised source. Ensure your passwords are secure, you are making use of multifactor authentication and that you do not share devices that have confidential information on them with others.

According to ESA Risk’s Graeme McGowan, Cyber Risk & Security Consultant, the best ways to protect yourself from similar malware are:

Keep your computer/endpoints up to date with the latest patches for Microsoft Windows. TrickBot is often delivered as a secondary Emotet payload, and TrickBot relies on the Windows Eternal Blue vulnerability to do its dirty work, so patch the vulnerability before the cybercriminals can take advantage of it.
DO NOT download suspicious attachments or click a shady-looking link. Emotet can’t get that initial foothold on your system or network if you avoid those suspect emails.
You can protect yourself by using multi-layered protection. If you suspect your device is infected, isolate it from any connected networks, then proceed to patch and clean the system.

Staying safe on social media

Posted on September 10, 2021July 13, 2022 by Admin Admin

Most social media sites are free to use, and unrestricted access gives way to corrupt users or false accounts. As there is rarely a process of verification of identity, it can feel difficult to stay safe on social media sites. However, with security settings and privacy controls, users are able to monitor who and what they interact with.

Oftentimes people are too personable on social media and overshare details of their private lives. This creates the threat of online criminal activity, as situations like stalking, identity theft or hacking can occur if you do not make use of the safety precautions on social media.

There is also an increased risk of phishing, as criminals can tailor phishing emails just by looking at your social media profiles. For instance, once they know your job and some of your connections on LinkedIn, they can craft phishing emails that include company details or manager’s names to make them sound more believable. By having access to your connections on social media, hackers have information to build up an idea of a company’s employees, to either target certain individuals or identify entry points into company databases.

In cases where attackers cannot directly access company data, nor manipulate employees via phishing emails or contaminated links, they may use social media to decipher suppliers and related companies to find a different entryway. This can be done via fake profiles which give hackers access to people’s information, enabling them to spread malware or malicious links. Hackers might also use fake business pages, or fabricated job offers, to lure people in and take their personal data or set up transactions which result in financial information being exchanged, or money being sent.

How to stay safe on social media

Staying safe on social media works differently for each platform: on Facebook, users can alter their privacy settings, making their posts viewable by ‘friends and family only’. You have control over who can see your page and even search for you, as well as the amount of access they have to your friend list, which can be changed to ‘only me’.

Similarly, Instagram allows you to monitor who follows you by setting your account to ‘private’ in your settings. There is also a block feature and ‘remove follower’ feature that means you can revoke users’ access to your page. Location services can also be turned on or off when necessary, so that it is difficult from criminals to locate you or gather information about where you live and work.

On Twitter, there is also the option to remove your location from your tweets. Twitter offers various privacy and security options that protect your account and allow you to be discreet with your personal information. You can manage your contact lists, remove pre-filled contacts and put your account on private so third-party users cannot access your tweets.

LinkedIn is a platform where users can obtain a lot of information about each other, but people are often less cautious, as the site is primarily used for professional networking. Updating where you work, your current projects and places like your education history can be a goldmine for hackers and scammers. As with the other social media platforms, your safety could always be compromised, so it is important to implement security measures to avoid that.

10 tips for staying safe

Never give financial information to anyone over social media.
Research job offers received via LinkedIn, especially if it seems too good to be true or is made up of generic messages or unaffiliated links.
Keep personal information private, such as your phone number and place of residence.
Limit details about your work history online.
Be cautious with who you are connecting with. A lot of people ‘over-friend’ on social media for the sake of networking, but adding strangers is not very safe.
Protect your passwords. In 2012, LinkedIn lost over 100 million users’ passwords and email addresses to the dark web. Many people use the same password for every site, so vary your passwords, make them a mix of both letters and numbers and try to vary them between different social media accounts.
Have a Master Key (a password storage application) to keep all your passwords secure and use ‘Last Pass’, an app that helps you keep track of your various passwords.
Set up security answers (this option is available on most social media sites).
Use two-factor authentication (a second barrier of security that verifies your password, for example, by sending a code to your phone number or email).
Use a single sign-on, such as OpenID, which enables you to manage all your social media accounts from one place.

7 ways to avoid data breaches

Posted on September 9, 2021July 13, 2022 by Admin Admin

According to the Ponemon Institute, the accumulated cost to a company from a data breach is $3.86 million on average. Hackers may blackmail companies with threats to leak private data by holding information hostage and demanding a ransom. Data breaches are thereby invasive and extremely costly, both financially and in terms of the damage they can have on a company’s reputation.

Stolen data could include:

Financial information – including bank details and investment details.
Personal Health Information (PHI) – medical data, details on health conditions, prescriptions and treatments.
Personal Identifiable Information (PII) – contact information, education, workplace, birth dates and other personal details.
Corporate information – details of contracts, trade secrets, business plans and marketing information.
IT data – system structure, encryption keys, passwords and usernames.
Legal information – information on court cases, acquisition details and regulatory rulings.

This data can then be sold or used for fraud and identity theft. Hackers tend to sell stolen information on the dark web, like in April 2020 when Facebook was breached, leaking the identities of 267 million users. Although passwords were not included, the hacker stole names, email addresses, dates of birth and phone numbers, all information that could be used to target the users by phishing.

Similarly, in May 2014, eBay experienced a data breach that impacted 145 million users. The attacker used three employees’ details to break in and for 229 days accessed names, addresses, dates of birth and encrypted passwords. Although credit card information remained safe, customers were required to renew their passwords and in turn, eBay’s client confidentiality was affected.

An instance of a medical breach was the NHS Highland data breach, where almost 300 patients’ details were sent to members of the public. This included contact details, dates of birth and the name of their clinic.

Breaches often occur by cyber attacks, weak passwords, malware attacks from infected emails, drive-by downloads from compromised webpages, payment card fraud and theft of office computers. It can also occur by human error through accidental insider leaks, as well as intentional disclosure by employees with access to confidential data and systems.

Attackers can use employees as their way into an organisation’s information. They usually exploit weak systems by researching the company’s infrastructure to find loopholes, or target employees by analysing their social media and constructing emails that can trick that employee into clicking on infected links or to follow phishing messages. Fraudsters also make use of phone numbers by making phone calls asking for card details pretending to be a bank employee or a service provider. So, how do you avoid a data breach and protect your sensitive information?

How to avoid a data breach

Remember that banks and regular corporations never ask for personal information over the phone or on email. Look out for correspondence that asks you to reset your password, receive compensation or tells you to act immediately to recover funds.

Ensure that:

Employees secure all personal and work devices.
Employees remain mindful of their personal social media accounts.
Staff are wary of suspicious emails and educated on cyber security.
Bank accounts and credit reports are regularly monitored.
Files are backed up and protected by firewalls and antivirus software.
IT systems are updated to avoid hackers finding vulnerabilities in the system.
Audits are regularly undertaken to make sure everything is running in order.

There are now laws for companies to inform customers if they have had a data breach, in case personal information has been compromised. To avoid this happening in the first place, get good defences in place and be alert.

Risk management: 5 areas you should be focusing on

Posted on September 8, 2021July 13, 2022 by Admin Admin

As risk cannot be eliminated in its entirety, the question is how to deal with the issue effectively without putting the business and its managers in a straitjacket. Risks must be identified, evaluated and controlled to allow the business to function and grow.

The purpose of effective risk management is to enable the company to prepare for foreseen risks that may materialise and take steps to prepare for such events by putting in place the best systems to reduce or minimise the risk to manageable levels.

A sound strategy should not compromise the company’s appetite to take risks or engage in a risky venture. On the contrary, it will enable better decision making within a company that is alive to the risks involved in its operation and armed with a strategy of mitigation.

There are 5 principal areas to consider:

1. Avoidable risk

These include risks that can be controlled from within the organisation, such as employee unauthorised acts or failures to abide by company procedures. Such risk ought to be avoided by a compliance-based approach, such as background checks during the recruitment process and double-signature requirements when dealing with invoices or cheques.

Also, injury in the workplace can cause losses to productivity, so health and safety procedures and training must be in place.

2. Strategic risk

Any company must assume certain risks to be able to generate returns from its business strategy. Such risk is not inherently undesirable but cannot be managed through a rules-based process. Instead, you need a risk management programme to reduce the likelihood of risk materialising and mitigate its effects should it occur.

In order to maintain financial processes within a company, consistent accounting procedures should be put into place to monitor accounts and track cash flow.

3. External risk

There are many risks outside the company’s control or sphere of influence, such as natural disasters or a pandemic. These require another approach to identify them and devise a mitigation strategy.

For instance, environmental risks such as fires, floods or power outages can be prepared for by carrying out maintenance check-ups and safety inspections, putting fire escape procedures into place, and training staff.

As the world evolves, the workplace must adapt along with it, so regularly monitoring risk management strategies is imperative in keeping systems relevant and ready to face external risks.

4. Technological risks

Areas to focus on must now include the company’s IT systems, as all companies rely heavily on digitised systems to enable them to do business. Threats include data breaches, cyber risks and outages that threaten the very existence of the company. Any risk management plan must therefore include the IT systems to spot and control the risks to digital assets, including digital and non-digital backups and keeping company computers up-to-date.

With a well thought-out programme of analysing the threats and risks to the business IT infrastructure, the company will be able to prevent IT disasters before they happen. Although an insurance policy can act to transfer risk, it treats the symptom not the cause; money cannot recover lost data or repair the damage to a company’s reputation.

No company – however small – should operate without a disaster recovery plan and cost-effective means of protecting data from potentially catastrophic loss as part of its overall risk strategy.

5. Third-party risks

When outsourcing IT to third-party providers, there is the risk of those providers not being compliant or having appropriate security standards. Giving outsiders access to your systems introduces the risk of intellectual property theft, network intrusion and more.

Third-party risks can be combatted by conducting risk assessments and audits to screen third-party distributors and suppliers. Monitoring is an important part of due diligence, alongside in-depth inspections into the companies you are working with.

The benefits of a robust risk management programme

The creation of a safe and secure working environment has multiple benefits. A dependable health and safety policy followed in practice creates an engaged workforce that is less likely to be absent and with lower turnover of staff. Fewer avoidable accidents also mean reductions in costs of claims, legal action and insurance premiums. Healthier and happier employees are better motivated which in turn improves productivity.

The advantages of having a solid risk management strategy serve to improve the stability of the business and protect its operations from events detrimental to its interests. Guarding against the risks identified by the implementation of the policy will provide the company with a competitive edge. A company with a robust risk policy is a more resilient, better-run company.

A solid risk management framework forms an essential part of meeting a company’s wider environmental, social and governance responsibilities, thereby enhancing the business’ reputation for corporate responsibility among investors, customers and the community in which it operates.

The 500 Club in Soho

Posted on September 7, 2021June 6, 2022 by Admin Admin

Hidden away behind a discreet door on Shaftsbury Avenue, Soho’s exclusive Century Club was the venue for last week’s installment in The 500 Club networking event series. Ali Twidale (Banking & Financial Fraud) hosted alongside Roger Dugan and J-P Pitt from our co-hosts Asertis.

Joined by guests including lawyers and insolvency professionals, we took over Century’s Club Room to talk insolvency, working practices in the post-Covid world, skiing, and much more.

The 500 Club is an event series jointly hosted by ESA Risk and Asertis. The invitation-only networking events are usually held twice a month at locations across the UK, including London, Manchester, Birmingham, Leeds, Liverpool and others.

Our aim at these events is to connect like-minded professionals. No sales presentations, only good conversation over a few drinks.

We’re back in London at the end of September. Before that, we’ll be in Birmingham for a private wine tasting at Loki Wine next week.

If you’d like to be added to our invite list, please contact us.

Fraud prevention in 5 steps

Posted on September 7, 2021July 13, 2022 by Admin Admin

With financial criminals working in a fast-paced, digital environment, the number of commercial fraud cases soared in 2020, totalling to over £220 million in London and South East England alone, as shown in KPMG reports. The Crime Survey for England and Wales estimated a 15% increase to £3,863,000 lost by offences in the same year.

Alongside the financial dent of fraud on businesses, is the risk it poses to the reputation and confidentiality of your organisation. But this can be avoided by following these 5 straightforward steps that will help you take control of the risk of fraud.

Fraud prevention steps

1. Know your staff

Be vigilant when hiring employees – conduct background checks, consider social media accounts, run credit reports and enforce employee policies. Employees may abuse their access to sensitive information or bank details, but safeguards as simple as a DBS check and review of prior job references can help you avoid potentially damaging hires. Other preventative techniques include mandatory holiday time off, job rotation and creating a hotline for whistleblowers. Furthermore, hold fraud training sessions for both online and offline security threats, as well as training for the proper use of handling confidential data.

2. Keep records

Keep a record of transactions, financial details and arrangements with external suppliers. Ensure there is data stored on the company finances, and that payment amounts match invoices. Make sure you are aware of all paper documents to avoid information getting into the wrong hands. Mail, credit card information and cheques need to be securely stored and printed financial statements or sensitive papers should either be shredded or safely recorded. Ensure you have a record of all transactions; in case you have paid for fraudulent services or have received incorrect details.

3. Monitor analytics

Conduct random audits to ensure your balances, income statements and cash flow are all in order. Monitor accounts using advanced analytics for a full view of any vulnerabilities within your organisation- these ensure detection of preliminary signs of fraud. By making use of the right technology and IT systems, you are more likely to pick up fraudulent activity in its early stages, rather than waiting for human detection which allows the rate of fraud to exponentially increase over time. Monitoring systems enable your organisation to stop the multiplication effect of fraud before it grows into a larger financial loss. They detect and flag up the anomalies and inconsistencies that point towards fraudulent activity early enough to save you from losing more money.

4. IT Protection

Your digital information is most at risk from hackers and online fraudsters, so ensure company computers are secured with firewalls, anti-virus and malware detection software. Internet controls are also vital, and you should avoid entering personal passwords or payment methods into public computers.

Documents are at a high risk of being accessed through data breaches, or by malware and ransomware. To avoid this, install cyber security services or sign up to Anti-Money Laundering schemes. SARS (Suspicious Activity Reports) are also highly efficient in recognising fraud. Make sure you are updated on regulatory developments in places you operate, whether that be the UK or globally, so that your SARS remain relevant to the current jurisdictions.

5. Get help from partners

Risk management organisations can help you assess and mitigate fraud risks, and work towards fraud prevention. ESA Risk’s consultants include specialist fraud examiners, such as Lloydette Bai-Marrow, a former principal investigative lawyer with the UK Government’s Serious Fraud Office (SFO). Lloydette recommends companies remain diligent and aware of the risks of fraud, especially in light of the Covid-19 pandemic: “Business owners must be militant in evaluating risk assessment and profiling their employees; those that are vulnerable and may feel justified to commit fraud, and those that are working from home without any enforced security.”

While investing in technology is important, so is making best use of your workforce. ESA Risk can work alongside your compliance and intelligence teams and help strengthen the resilience and experience of your employees through training and consultancy. Mitigation works by combining and investing in IT and human resources to maximise security and awareness of fraud.

The 500 Club heads to Leeds

Posted on August 21, 2021June 6, 2022 by Admin Admin

Guests including insolvency professionals and lawyers enjoyed drinks and great conversation with a backdrop of panoramic views of the city. ESA Risk’s Mike Wright (Risk Management & Investigations) hosted alongside Roger Dugan of our co-hosts Asertis.

And those conversations have continued (on the golf course, for some), which is always our aim with these events: making introductions to create lasting professional relationships.

We’ll be at Century Club in London for our next event in September, followed by a private wine tasting at Loki Wine in Birmingham later in the month.

If you’d like to be considered for a future event, please contact us.

Photo credit