Time is ticking on the Modern Slavery Act. Organisations with a financial year ending 31 March 2016 have a looming compliance deadline in September.

Under the Act, organisations with over £36m in revenue must publish a slavery and human trafficking statement within six months of their financial year. This statement should detail the steps taken to identify and eradicate slavery from the supply chain, including:

  • Slavery and human trafficking policies
  • Due diligence procedures
  • Risk assessments and KPIs
  • Staff training

Forming a proper statement takes months of preparation. Policies need to be drafted, staff must be trained. Now is the time for all companies affected by the Act to start laying the groundwork for compliance.

VinciWorks has released a complimentary guide to compliance with the Modern Slavery Act. Written by experts on the new law, the guide details the steps you must take to prepare a slavery and human trafficking statement. It includes sample statements, practical examples and checklists.


Imagine a compliance training scenario: you’re hearing a lot about a new phishing (a type of cyber crime involving fraudulent email) threat recently, so you decide to deliver training to protect your organisation; especially since your network was hacked last year, and you can’t risk suffering another data breach.

So, you create or obtain some eLearning, enrol all of your employees, and a few weeks later, they’ve all completed the course. Legal tell you that’s adequate for compliance with data protection regulations, but does it mean you’re safe from the threat? Maybe yes. Maybe no.

The problem? Learning and performance are too far apart. It’s easy to measure what learning has been completed, with what score, when and by whom, but making the connection to the outcome on performance isn’t so straightforward.

In our scenario, while it’s nice knowing that everyone has completed your cyber security eLearning course with a score of at least 80%, the actual desired outcome is increased vigilance around emails.

In other words, we need to connect data about our learning to data about performance, in a far more specific and scientific way than relying on an end of module test, self-reporting and manager observations.

Enter xAPI, a.k.a. Tin Can or the Experience API.

Created in response to limitations with SCORM, the current standard for collecting course completion data (but not much else), xAPI makes it possible to gather performance data from multiple sources and link it to learning data.

As well as software, xAPI talks with smart devices connected to the Internet of Things, so sensors in the real world become sources of performance data, just as we see with fitbit-style activity trackers.

Once this data is collected, it can be used to fine tune each individual’s training for optimised performance. Want a real life example? Take a look at football’s unlikeliest title challengers (and our neighbours) Leicester City, who use player training data gathered using wearable technology to inform strategy – resulting in them topping the English Premier League against all odds.

Back to our example: how could xAPI help us measure whether our eLearning course has reduced the risk of phishing?

Well, rather than solely analysing course completions, with xAPI we could measure how learners interact with emails, click links or open attachments, both before and after taking our course. If they’re more careful around email links after taking training, then clearly it’s been a success; if not, then perhaps it’s back to the drawing board.

The possibilities are almost endless – and they don’t stop at software-related performance outcomes. Any data gathered by Internet-enabled devices can conceivably be linked to learning data using xAPI, so whether it’s the quality of customer service or installation of equipment by engineers, there’s not much that you won’t be able to measure and improve.
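To make the phishing scenario concrete, here is an added example (not code from the original post or from VinciWorks) of what linking learning data to performance data with xAPI looks like. Each event is an xAPI-style statement with an actor, a verb and an object; the course-completion verb is the standard ADL one, while the "clicked" and "reported" verb IRIs, the course identifier, the learner addresses and the event timeline are all constructed for this illustration. The analysis counts simulated phishing-link clicks for each learner before and after their course completion, which is the before-and-after comparison the text describes.

```python
"""Linking phishing-simulation events to course completion with xAPI-style
statements.  Added illustration: the statement layout follows the xAPI
actor/verb/object pattern, but the learner data, the custom verb IRIs and the
course IRI are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timezone

# Real ADL verb IRI for course completion; the other two are constructed IRIs
# for phishing-simulation events (xAPI allows you to define your own verbs).
VERB_COMPLETED = "http://adlnet.gov/expapi/verbs/completed"
VERB_CLICKED = "https://example.org/xapi/verbs/clicked-phishing-link"   # constructed
VERB_REPORTED = "https://example.org/xapi/verbs/reported-phishing"      # constructed
COURSE_ID = "https://example.org/courses/phishing-awareness"             # constructed


def statement(actor_email, verb, object_id, when):
    """Build a minimal xAPI statement (actor / verb / object / timestamp)."""
    return {
        "actor": {"objectType": "Agent", "mbox": f"mailto:{actor_email}"},
        "verb": {"id": verb},
        "object": {"objectType": "Activity", "id": object_id},
        "timestamp": when.isoformat(),
    }


def _ts(day):
    return datetime(2016, 4, day, tzinfo=timezone.utc)


# Constructed sample: two simulated phishing waves (days 1-3 and 20-22) around a
# course completion on day 10, for two learners with different outcomes.
SAMPLE = [
    statement("ann@example.org", VERB_CLICKED, "https://example.org/sim/1", _ts(1)),
    statement("ann@example.org", VERB_CLICKED, "https://example.org/sim/2", _ts(3)),
    statement("ann@example.org", VERB_COMPLETED, COURSE_ID, _ts(10)),
    statement("ann@example.org", VERB_REPORTED, "https://example.org/sim/3", _ts(20)),
    statement("ann@example.org", VERB_REPORTED, "https://example.org/sim/4", _ts(22)),
    statement("bob@example.org", VERB_CLICKED, "https://example.org/sim/1", _ts(1)),
    statement("bob@example.org", VERB_COMPLETED, COURSE_ID, _ts(10)),
    statement("bob@example.org", VERB_CLICKED, "https://example.org/sim/3", _ts(20)),
    statement("bob@example.org", VERB_CLICKED, "https://example.org/sim/4", _ts(22)),
]


def click_rates_around_training(statements, course_id):
    """For each learner, return (clicks_before, clicks_after) relative to that
    learner's course completion.  Learners with no completion are skipped: there
    is no 'after' to compare against.  ISO-8601 timestamps in one timezone
    compare correctly as strings."""
    completed_at = {}
    for s in statements:
        if s["verb"]["id"] == VERB_COMPLETED and s["object"]["id"] == course_id:
            completed_at[s["actor"]["mbox"]] = s["timestamp"]
    before, after = defaultdict(int), defaultdict(int)
    for s in statements:
        who = s["actor"]["mbox"]
        if who not in completed_at or s["verb"]["id"] != VERB_CLICKED:
            continue
        if s["timestamp"] < completed_at[who]:
            before[who] += 1
        else:
            after[who] += 1
    return {who: (before[who], after[who]) for who in completed_at}


def still_at_risk(statements, course_id):
    """Learners who clicked at least as often after training as before: the
    'back to the drawing board' case from the text."""
    rates = click_rates_around_training(statements, course_id)
    return sorted(who for who, (b, a) in rates.items() if a > 0 and a >= b)


if __name__ == "__main__":
    for who, (b, a) in click_rates_around_training(SAMPLE, COURSE_ID).items():
        print(f"{who}: {b} clicks before training, {a} after")
    print("needs follow-up:", still_at_risk(SAMPLE, COURSE_ID))
```

In a real deployment the statements would be read back from a Learning Record Store rather than a list, and the "clicked" events would come from the phishing-simulation tool; the per-learner before/after comparison is the part that turns completion data into a performance measure.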

Cyber criminals were able to hack a water treatment plant and gain access to not only the personal and financial records of up to 2.5 million customers, but the system that controls the levels of chemicals used to treat drinking water.

Cyber security firm Verizon Security Solutions reported that the hackers may have changed the chemical levels of the tap water provided by the unnamed water plant (nicknamed Kemuri Water Company (KWC) in the report) up to four times during the attack. The report suggested that the hackers may not have realised the extent to which they had infiltrated the plant’s system, or that they had never intended to commit any harm, as there is no evidence that the personal and financial records accessed were exposed or otherwise monetised. Fortunately, the water company was able to identify and reverse the alterations made to the chemical levels before the drinking water was affected, but the cyber-attack could easily have posed real danger to the community.

“KWC’s breach was serious and could have easily been more critical. If the threat actors had a little more time, and with a little more knowledge of the ICS/SCADA (industrial control system / supervisory control and data acquisition) KWC and the local community could have suffered serious consequences,” Verizon’s report found.

Commenting on the report, Monzy Merza, Splunk’s director of cyber research and chief security evangelist, said that: “Dedicated and opportunistic attackers will continue to exploit low-hanging fruit present in outdated or unpatched systems. We continue to see infrastructure systems being targeted because they are generally under-resourced or believed to be out of band or not connected to the internet.”

Outdated operating systems vulnerable to attack

The breach happened because the water company had been using an operating system that was a decade old (some speculated it was Windows XP) and relied on a single IBM Application System server that was released in 1988. The hackers took advantage of vulnerabilities in the company’s web-accessible payments system, and because the payment system was on the same server as the water treatment facility’s operational technology, they were then able to access the water supply and metering water usage systems. The company’s vulnerability was further compounded by the fact that just one employee was able to deal with the archaic system.

“Having internet facing servers, especially web servers, directly connected to SCADA management systems is far from a best practice,” continued Merza. “Many issues like outdated systems and missing patches contributed to the data breach — the lack of isolation of critical assets, weak authentication mechanisms and unsafe practices of protecting passwords also enabled the threat actors to gain far more access than should have been possible.”

It is vital that companies maintain up-to-date technology and follow robust cyber security best practices in order to avoid a potentially catastrophic cyber-attack.

About VinciWorks

Cyber-security starts with organisational culture. VinciWorks can raise cyber awareness in your organisation with eLearning courses including Information Security and Data Protection. Get in touch today and protect your business from cyber-crime.

To celebrate the release of two new cybersecurity Take 5 modules, Understanding Social Engineering and Phishing Awareness, we help you determine your company’s social engineering risk level.

Cybercrime is big business. Hacked or leaked datasets go for £1000s on the dark web’s black markets, and that’s just those containing names and email addresses. A recent McAfee report shows that more sensitive records – with addresses, passwords, national insurance numbers, bank or credit card details – are sold for upwards of £25 each.

This makes your business data a potentially lucrative target for cybercriminals – and with fines for data breaches soaring lately, you simply can’t ignore cybercrime risks.

When you think of cybersecurity, the first things that come to mind are probably hardware and software, and while it’s true that hackers would be quick to exploit any vulnerability found there, they have a far higher hit rate when focusing on exploiting people through social engineering.

Wondering if your organisation is at risk? Ask yourself the following questions to determine how well versed on social engineering your employees are…

Q: Would your employees download software, plug in USB sticks or insert DVDs without confirming they’re from a trustworthy source?

If yes, they’re at risk of baiting, a technique hackers use to trick people into downloading malware, which can then capture confidential information.

Q: Would employees verify their identities by providing sensitive information such as password, date of birth or national insurance number over email, text or telephone in order to fix an urgent issue?

If yes, they’re at risk of phishing, which involves hackers using official-seeming communications to attempt to gain confidential information.

Q: Would employees question a communication that was personally directed to them and included details like their address, phone number or date of birth to back up its authenticity?

If yes, they’re at risk of spear phishing, a technique which targets individuals or organisations with tailored communications including personal information, often obtained via other social engineering techniques, in order to seem more trustworthy.

Q: Would employees challenge someone phoning them up from the bank, payroll, HR or the government and asking them to update their records?

If not, they’re at risk of pretexting, which is what it’s called when hackers pretend to be someone else in order to obtain information they can use to steal people’s identities.

Q: Would they try and fix their computer themselves if they received an error message telling them of issues with it?

If yes, they’re at risk of scareware, which displays an alert telling users they need to download software to fix issues. While there aren’t any issues to begin with, there certainly are once the ‘fix’ is downloaded.

Social engineering poses multiple risks, and hackers are always coming up with new techniques. To prevent your employees becoming victims, you need to increase awareness and create an alert, vigilant culture. Follow these steps to protect your business from social engineering:

    1. Install and regularly update antivirus software
    2. Install, configure and regularly update a firewall
    3. Make sure employees read all emails carefully before responding; especially those containing links or attachments
    4. Train employees to identify when a link is pointing to a different website to the one it should do
    5. Ensure employees don’t click links or open attachments until they have confirmed they are safe
    6. Encourage employees to use search engines to access web links, rather than clicking them directly in emails
    7. Train employees to recognise falsified email addresses and verify emails by contacting the sender via their switchboard
    8. Make sure employees never give out financial or sensitive information over the phone
    9. Encourage them to ignore all requests for financial help or requests claiming they can help them financially
    10. Discourage them from sending sensitive information electronically unless it goes over a secure connection, to a known person, using encryption where possible.

Following these steps will reduce the risk that social engineering poses to your organisation, as well as your employees.
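Step 4 above, spotting a link whose visible text points at one website while the actual target is another, can also be checked automatically before a message reaches an inbox. The following is an added example, not VinciWorks code, that parses the HTML body of an e-mail, collects every link, and reports those whose visible text names a host that differs from the host in the href. The sample message body is constructed for the demonstration.

```python
"""Flag HTML e-mail links whose visible text names one host while the href
points at another.  Added example, not part of the original article; the
message body below is constructed for the demonstration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: a plain-label link, a deceptive link whose visible
# text is the genuine site but whose target is a look-alike host, and an honest
# link whose text and target agree.
SAMPLE_BODY = """
<p>Your mailbox is full. <a href="https://mail.example-corp.com/quota">Manage quota</a></p>
<p>Or sign in at <a href="http://login.example-corp.com.evil-host.test/">https://login.example-corp.com</a></p>
<p>Help: <a href="https://help.example-corp.com">help.example-corp.com</a></p>
"""

# Visible text that a reader would take to be a web address (URL or bare domain).
DOMAINISH = re.compile(r"^(https?://|www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.I)


def _host(value):
    """Lower-cased host of a URL or bare domain; '' if none can be found."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return [(visible_text, href)] for links whose visible text claims a host
    that differs from the href's host.  A href on a subdomain of the claimed
    host (text 'example.com', href 'https://www.example.com') is accepted; the
    reverse ('example.com.attacker.test') is not.  Plain labels such as
    'Manage quota' claim no host and are never reported."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not DOMAINISH.match(text):
            continue
        claimed, actual = _host(text), _host(href)
        if actual == claimed or actual.endswith("." + claimed):
            continue
        flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_BODY):
        print(f"visible text says {text!r} but link goes to {href!r}")
```

The same comparison is what a user does by hovering over a link; running it at the mail gateway or in a mail-client plug-in lets the organisation warn the reader, or quarantine the message, before the decision in step 5 has to be made.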

DeltaNet

We now offer two new Take 5 micro-learning modules to protect your business from social engineering. Understanding Social Engineering provides awareness of the various techniques which put your organisation’s information at risk. Phishing Awareness goes into more detail about the various tactics hackers use to attempt to access confidential information that could be used to steal employees’ identities and compromise your data. Both modules feature an end-of-module assessment to test learners’ knowledge, and can be completed in just five minutes.

How well do you know the people you hire? In today’s competitive job market, it’s perhaps unsurprising that candidates are embellishing their CVs with ‘little white lies’ in order to stand out to recruiters.

A recent analysis by The Risk Advisory Group of over 5000 CVs found that 70% contained inaccuracies, ranging from minor exaggerations to outright lies.

“A growing number of people are applying for jobs with inaccurate CVs. Some discrepancies may be genuine slip-ups, but others are deliberate attempts by job seekers to deceive employers in order to get ahead,” said Michael Whittington, Head of Employee Screening at The Risk Advisory Group.

63% of the CVs analysed contained falsehoods pertaining to academic qualifications, with one claiming to have obtained an MBA from a university that doesn’t exist, while another cited attendance at a prestigious English university but failed to mention having been expelled long before graduation. Other inaccuracies related to employment history, skills and responsibilities, and criminal records – one even omitting fraud committed against a previous employer.

“Trust is very important in professional relationships, and by lying on your CV, you breach that trust from the very outset,” said Rosemary Haefner, vice-president of human resources at CareerBuilder. However, damaging a professional relationship could be the least of the employee’s problems. Candidates who lie during the recruitment process could be found to be in breach of contract resulting in immediate termination, and some CV falsehoods could even constitute “fraud by false representation,” which carries a maximum 10-year jail sentence.

From the employer’s point of view, hiring an employee based on false information could also have unpleasant consequences.

“The repercussions of making the wrong hire can be huge. It can cost a company time, money and, potentially, its reputation if things go awry. And with organised crime and insider fraud on the rise, it can also leave a business exposed to infiltration by rogue candidates, leading to data hacking and security breaches,” warns Michael Whittington.

Steve Girdler, managing director at HireRight, adds: “Organisations are disproportionately focused on external threats, such as cyber security, while paying scant attention to the greatest risk to their safety and reputation – properly qualified, professional employees. They should stop taking applicants at face value and give the same due diligence to employees as they do to other risks.” Research by CareerBuilder backs him up. It found that 51% of employers said they spent more than two minutes reviewing a CV, and one in four spent less than a minute. 12% admitted to spending only 30 seconds reading a candidate’s CV, so it’s hardly surprising that so many inaccuracies are going undetected.

“We urge companies to validate the credentials of all potential hires in advance, thereby avoiding costly mistakes further down the line,” concluded Michael Whittington.

Led by Director of Best Practice, Gary Yantin, this course covers everything a solicitor needs to know about the SRA’s new approach to continuing competence.

If you license the Continuing Competence Module, this new course is free and has been added to your Learning Management System.

Alternatively, firms can license firm-wide access to this course for a one-time fee of £495 +VAT.

This will enable you to deploy the course to every employee and track who has completed the training. You will be able to customise the introduction and conclusion of the course to suit your firm’s policy and link to further information.

Course outcomes

Users of this course will learn how to identify learning needs, build a learning and development plan and consider methods for recording and demonstrating that they have fulfilled the SRA’s requirements.

  • Know how to reflect on your practice in relation to the SRA competence statement
  • Know how to create and maintain a learning and development plan
  • Understand how to use new approaches to learning to enhance your competence
  • Learn the regulations and find out what has changed

Indian Wells’ CEO Raymond Moore has stepped down from his post after his comments about women’s tennis provoked widespread outrage – and a flawless back-hand from Serena Williams. It was during a press conference before the BNP Paribas Open that Moore sparked the furore, musing that in his next life he would like to come back as someone in the Women’s Tennis Association, “because they ride on the coattails of the men.”

“If I was a lady player,” he continued, “I’d go down every night on my knees and thank God that Roger Federer and Rafa Nadal were born because they have carried this sport. They really have.”

And he wasn’t yet finished, going on to note that the WTA has “a handful of very attractive prospects,” before clarifying that he meant “physically attractive and competitively attractive… they really have quite a few very, very attractive players.”

Though the 69-year-old tournament chief hastily backtracked, calling the remarks “in poor taste,” and “erroneous,” the damage was done, proving yet again that the only way to emerge unscathed from a sexism row is to think before you speak in the first place.

Serena Williams, who was named Sports Illustrated’s 2015 Sportsperson of the Year, didn’t hold back when asked what she thought of the remarks: “… if I could tell you every day how many people say they don’t watch tennis unless they’re watching myself or my sister, I couldn’t even bring up that number…. So I don’t think that is a very accurate statement. I think there is a lot of women out there who are more – are very exciting to watch. I think there are a lot of men out there who are exciting to watch. I think it definitely goes both ways. I think those remarks are very much mistaken and very, very, very inaccurate.”

She dismissed any suggestion that he misspoke or that his words were taken out of context. “If you read the transcript you can only interpret it one way. I speak very good English; I’m sure he does, too,” she said. “You know, there’s only one way to interpret that. Get on your knees, which is offensive enough, and thank a man, which is not—we, as women, have come a long way. We shouldn’t have to drop to our knees at any point.” The No 1 women’s player then delivered a final blow by pointing out that the women’s final of the US Open in 2015 sold out before the men’s.

The United States Tennis Association was equally unequivocal in their response, stating that player equality is a “bedrock” principle in the sport, and that there was no place for Moore’s “antiquated, sexist or uninformed ideologies”. It would clearly be impossible to equate Moore’s comments with their organisation’s stated principles.

Despite his swift reaction and apology, within days it was announced that Raymond Moore had resigned his position. In a statement, Indian Wells Tournament owner Larry Ellison said that he “fully understood” Moore’s decision to step down.

However swift the resignation, Moore’s comments will have damaged the reputation of tennis, and soured relationships between tennis players, their legions of fans, the wider public, and the sport of tennis. The incident highlights the need for all employees, no matter how senior, to understand the importance of equality in every aspect of an organisation’s conduct.

About VinciWorks

Achieving equality is a matter of education, behavioural and cultural change. Employees must be aware of what’s expected of them and why, and managers need to not only lead by example, but also reinforce the message and ensure their teams’ behaviour is acceptable.

VinciWorks helps hundreds of organisations to achieve equality with online Equality and Diversity training for employees and managers. Contact us today to improve equality in your organisation.

When annual refresher training time rolls around, you probably take it for granted that you’ll be hearing some of these common complaints:

  • “We’re too busy to complete mandatory training”
  • “The courses are too long and boring”
  • “We already know this information”
  • “It’s just a box ticking exercise to cover the company legally”

If any of these sound familiar, VinciWorks has the solution: Take 5 microlearning modules.

Our Take 5 modules are highly focused 5 minute bursts of learning built around behaviours that meet mandatory training requirements without taking up learners’ time, or re-treading material they’re familiar with.

Take 5s pack a lot of punch despite their small size. Each course features explanatory videos, audio narration throughout, and high levels of interaction.

Want to find out more? We have seven new Take 5 modules available now:

Money Laundering Challenge – do your employees know the lengths people will go to make laundered money look legitimate? In this challenge, learners discover how Frank the Fraudster laundered his cash, and must confiscate the laundered money by answering questions correctly.

Gifts and Hospitality Challenge – do your employees know what gifts are acceptable and what could be seen as bribery? Learners follow the story as a potential supplier offers an employee corporate seats at a football match – but can they make the right choices and keep hold of their integrity handshakes?

Setting a Secure Password – do your employees know how to set a secure password? This module shows learners how to set a strong password, keep it secure, and keep hackers at bay.

Is Your Information Secure? – your workplace contains more information security risks than your employees might realise. In this challenge, learners must collect all 8 information security shields by successfully tracking down the risks in a virtual workplace.

Don’t Get Burnt – would your employees know how to get to safety in the event of a fire? In this challenge, learners evacuate a building that’s on fire, but must make the right decisions along the way to make it out with all of their safety tokens.

Working with Dual Screens – there are numerous benefits to using more than one monitor, but failing to set them up correctly increases risk of injury. Once completed, learners will know how to set screens to the same resolution and set up differently sized screens for safe dual screen working.

Fire – Can You Handle It? – would your employees know which type of extinguisher to use if they had to fight a fire? In this challenge, learners need to choose the right extinguisher to put out all four different types of fire.

The above Take 5 modules are available now as part of Compliance Essentials and Health and Safety Essentials. Get in touch today to arrange a demo.

Methods used by the rich, powerful and corrupt to hide wealth have been exposed after over 11 million documents were leaked from Panama law firm Mossack Fonseca.

The documents reveal more than 200,000 offshore entities set up to conceal clients’ money. Although not technically illegal, the lack of transparency required for these shell companies makes it easy for their beneficial owners to remain hidden – ideal for criminals seeking to launder money, as well as those looking to cheat the public out of tax.

Someone could, for example, loan public money to an offshore company, have it transferred through numerous others until its origins are untraceable, and eventually enjoy the benefits of the money without having to account for its origins. Meanwhile, the initial loan is defaulted on, and the public loses out.

That’s the essence of the $2bn money laundering ring that’s been linked to Vladimir Putin’s inner circle in the wake of this scandal. But it’s evidence closer to home that has people calling on the government to take action against widespread money laundering and tax evasion going on in the UK.

In fact, the NCA estimates that hundreds of billions of pounds in criminal proceeds are laundered through the UK each year. So, how do businesses in the UK currently combat money laundering?

Combating money laundering

Due diligence is at the heart of anti-money laundering. It requires businesses to find out everything they can about individuals involved, including company directors and beneficial owners, before transacting with anyone.

In high risk countries, such as Panama or the British Virgin Islands, identities should also be verified through certified copies of photographic identification. Once these identities are known, there are a number of risk factors that can indicate potential money laundering activity:

  • Individuals with criminal convictions
  • Individuals you never meet in person
  • Individuals who are Politically Exposed Persons, or connected to PEPs
  • Individuals in high risk areas according to the Transparency International Corruption Perceptions Index
  • Individuals using intermediaries based in high risk jurisdictions
  • Client companies with complex ownership structures
  • Corporate clients whose capital is in the form of bearer shares
  • Clients with a high level of cash income

Failure to carry out due diligence and establish exactly who stands to benefit from transactions is not only irresponsible; it can lead to money laundering charges, as well as being accused of turning a blind eye to criminal activity.

The Panama Papers scandal shows there is a lot of work to be done, but with pressure on governments to address tax havens now at an all-time high, perhaps it will turn out to be a small step in the right direction.

About VinciWorks

VinciWorks helps businesses operating in regulated sectors train employees in anti-money laundering by offering our Combating Money Laundering and Terrorist Financing eLearning course. The course licence includes access through our Astute eLearning Platform, providing powerful tools for enhancing engagement and proving compliance.