What are the biggest threats to your digital security? The tenth annual Data Breach Investigations Report from Verizon offers an overview of the current IT security landscape, including emerging threats and the most common causes of data breaches. While the report covers some new ground, one of the most startling aspects of the research is how many known threats continue to cause problems for organisations of all sizes.

And that brings us neatly to one of the report’s key findings: you don’t have to be a global conglomerate to attract the interest of cybercriminals. Many small organisations are attractive to hackers because they are less likely to have strong defences and up-to-date systems. Small companies might be more vulnerable to phishing – especially if the people in customer-facing roles have not been trained to recognise and avoid phishing efforts. Being aware of phishing is not always sufficient to resist these probes; cybercriminals are constantly evolving and are incredibly creative when it comes to producing emails that look and feel legitimate.

Many of the old threats are still causing problems. Weak passwords are a common point of entry. Organisations are still guilty of using the default passwords that come with new products and applications, and which are widely circulated online.

Initial security breaches, whether caused by phishing, weak passwords or unpatched software, are often followed up with an installation of malware. This creates a persistent backdoor that cybercriminals can then exploit in a number of ways, such as installing other malware, taking over the machine, or using the computer’s processing power to support activities like distributed denial of service (DDoS) attacks or mining crypto-currencies. Having established a backdoor, hackers may seek to extend their reach to other machines in your network. This is often an effective strategy that allows criminals to take control of large numbers of computers after making a single breach.

The type of malware known as ransomware, which involves encrypting your files until a ransom is paid, has shot up the malware charts, and is now the fifth most popular type. An example of ransomware is the WannaCry virus that crippled hundreds of NHS computers recently.

The Verizon report seeks to correct a few misconceptions about cybercriminals. In particular, they remind us that cybercriminals are rarely as sophisticated as we imagine. They may not target specific businesses; they’re more likely to use a scattergun approach to look for weak spots and try to find a backdoor, either by phishing or looking for unpatched software. Most hackers are just trying to make money. They are opportunistic and will happily take data, corporate secrets, marketing lists, contact information, payment details or cash.

One danger for companies with seemingly strong defences is complacency. Your security may have prevented data breaches to date, but is your security evolving as quickly as the hackers?

Verizon point out the importance of training. “Throw your weight behind security awareness training and encourage your teams to report phishy emails.” People will always be the front line when it comes to resisting attacks. Being aware of the risks – and the lengths that cybercriminals will go to – is a first step towards digital security.

Other warning signs to look for are large data transfers. Does your system provide alerts when large transfers occur? Internal threats are still significant. Your organisation must also protect against disgruntled employees armed with a USB drive.
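The question above about alerting on large transfers is the kind of check a security team can implement from flow or proxy logs. The script below is an added example, not code from the Verizon report or from this post: it sums outbound bytes per host per hour over a handful of constructed flow records (the hostnames, addresses, byte counts and the assumption that 10.0.0.0/8 is the internal network are all made up for the illustration) and raises an alert for any host that pushes more than a chosen threshold to external destinations within one hour.

```python
"""Alert on unusually large outbound data transfers per host and hour.

Added example: the flow records below are constructed sample data,
not real traffic, and the internal-network prefix is an assumption.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: (timestamp, source host, destination IP, bytes sent).
SAMPLE_FLOWS = [
    ("2017-07-03T09:00:00", "ws-012", "10.0.0.5", 120_000),        # internal file server
    ("2017-07-03T09:05:00", "ws-012", "10.0.0.5", 95_000),
    ("2017-07-03T09:10:00", "ws-044", "203.0.113.9", 850_000_000), # large upload, external
    ("2017-07-03T09:20:00", "ws-044", "203.0.113.9", 900_000_000), # second large upload
    ("2017-07-03T09:30:00", "ws-017", "10.0.0.8", 40_000),
    ("2017-07-03T11:00:00", "ws-044", "203.0.113.9", 10_000),      # small, later hour
]

# Assumption for this example: anything in 10.0.0.0/8 is internal and not egress.
INTERNAL_PREFIX = "10."

# Default threshold: 500 MB to external destinations within one hour.
DEFAULT_THRESHOLD_BYTES = 500_000_000


def parse_flow(record):
    """Turn one raw record into (datetime, host, destination, bytes)."""
    ts, src, dst, nbytes = record
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, int(nbytes)


def egress_by_host_hour(records):
    """Sum bytes sent to external destinations, keyed by (host, hour bucket)."""
    totals = defaultdict(int)
    for rec in records:
        ts, src, dst, nbytes = parse_flow(rec)
        if dst.startswith(INTERNAL_PREFIX):
            continue  # internal-to-internal traffic is not egress
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        totals[(src, bucket)] += nbytes
    return totals


def large_transfer_alerts(records, threshold_bytes=DEFAULT_THRESHOLD_BYTES):
    """Return one alert dict per (host, hour) whose egress meets the threshold."""
    alerts = []
    for (host, bucket), total in sorted(egress_by_host_hour(records).items()):
        if total >= threshold_bytes:
            alerts.append({
                "host": host,
                "window_start": bucket.isoformat(),
                "bytes": total,
            })
    return alerts


if __name__ == "__main__":
    for alert in large_transfer_alerts(SAMPLE_FLOWS):
        print(f"ALERT {alert['host']} sent {alert['bytes']:,} bytes "
              f"externally in the hour from {alert['window_start']}")
```

In practice the threshold would be set per host role from an observed baseline rather than as a single global number, and the alert would be enriched with the destination so an analyst can tell a sanctioned cloud backup from an unexpected upload.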

How does your organisation keep up with changing threats from cybercriminals?

Compliance Week Europe

This conference is designed to help compliance, audit, legal and risk executives understand how they can build and manage their ethics and compliance programmes more effectively.

Topics to be discussed include:

  • GDPR
  • Cyber Fraud
  • AML programmes
  • Whistleblowing
  • Anti-Bribery
  • Collusion
  • Ethics & Compliance
  • Sanctions
  • Supply Chain risk
  • Fraud indicators and red flags

Deemed important enough for Her Majesty the Queen to focus her attention on it in the 2017 Queen’s Speech, the GDPR legislation continues to attract interest that shows no signs of slowing down.

The Queen’s speech confirmed that the General Data Protection Regulation (GDPR) will still come into force in the UK on 25th May 2018 and will replace the Data Protection Act, which has governed data handling directives in the UK since 1998. The new GDPR legislation is designed to streamline data handling across the European Union, making it easier for members of the EU to share data safely and also introducing more stringent data protection regulations to suit an increasingly digital age.

So, why would the UK implement EU-wide legislation following the beginning of Brexit negotiations? Firstly, it’s important to understand that the UK was (and still is) a major influence behind the new European legislation, so it’s natural that it would still adopt the GDPR even with Brexit going ahead. Secondly, with UK and EU legislation lining up following May 2018, the UK will maintain its ability to share data with other members of the EU – for example, police forces and other international authorities. Conserving this ability is imperative in the fight against terrorism and other cross-border crimes.

The GDPR will affect organisations across all industry sectors, and all must ensure they’re up to speed by its implementation next year. Whilst the new legislation will bring with it some welcome consistency for multi-national organisations and employees working across Europe, the legislative burden of new rights for individuals and fines of 2–4% of global annual revenue for breaches are likely to take a toll.

For this reason, it is important that organisations avoid accidental breaches by ensuring that all employees are prepared and understand what they need to do to remain compliant with the GDPR. Human error (undoubtedly in the form of a lack of understanding and knowledge) has proven to be the main cause of data breaches in years past, and supposedly ‘harmless’ mistakes still make up a large percentage of security law violations and consequent fines.

Organisations need to act quickly to ensure they’re not caught out next May and can take advantage of VinciWorks GDPR eLearning courses to ensure they’re up to speed. We offer three GDPR training courses which together form a comprehensive package covering your preparation for the GDPR, what your organisation’s accountability under new GDPR legislation will be, and a microlearning course created to clarify the new legislation’s ‘right to be forgotten’ regulation.

The courses outline the UK’s Key Priorities for the GDPR, which are:

  1. Ensuring data protection rules are suitable for the digital age.
  2. Empowering individuals to have more control over their personal data.
  3. Giving people the right to be forgotten when they no longer want a company to process their data.
  4. Modernising data processing procedures for law enforcement agencies.
  5. Allowing police and the authorities to “continue to exchange information quickly and easily with international partners”.

Failing to prepare for the GDPR could have disastrous consequences for organisations, with punishments for non-compliance including fines of up to €20m or 4% of annual turnover, whichever is greater. It is not just the fine, however, that could be potentially damaging to organisations, but the reputational damage suffered and adverse publicity.

Our GDPR training will help you to prepare for the GDPR in the correct manner and we will be adding to our portfolio of courses as more details come to light about exactly how the GDPR will affect organisations.


At least £57 billion is laundered through the UK each and every year. It’s not just criminals turning their illicit money from crime clean. Terrorist financing is often overlooked when it comes to anti-money laundering efforts, but acts of terror in the UK and around the world are being bankrolled in the same way as money is laundered.

Law firms, as well as other professional services such as accountants, estate agents and financial services, are at high risk of being patsies for criminals and terrorists. Because their accounts are seen as “clean,” sending dirty money into a law firm’s client account and having it sent back out again is a sure-fire way to launder dirty cash.

What is Manual Handling?

The Manual Handling Operations Regulations (MHOR) 1992 define manual handling as:

“… any transporting or supporting of a load (including the lifting, putting down, pushing, pulling, carrying or moving thereof) by hand or bodily force.”

In effect, any activity that requires an individual to lift, move or support a load will be classified as a manual handling task.

What are the risks associated with Manual Handling?

Any individual handling or moving goods or people is at risk of manual handling injuries. Any type of work can cause injury and physical suffering if it involves handling a load. Even light loads can pose a risk if the handling is repetitive or the lifting technique is poor. Additionally, poor workplace design, layout and ergonomics can be hazardous factors in manual handling.

According to the UK Labour Force Survey 2014, musculoskeletal disorders (MSDs) account for more than 40% of all work-related illnesses. This means an estimated 9.5 million lost working days per year. More than one third of all workplace injuries that require more than 3 days off work were related to musculoskeletal issues. Problems can be related to upper limb disorders – which include back and neck pain, as well as repetitive strain injury – and lower limb disorders, from the hips to the feet. Risk factors can be found in virtually every workplace.

Risks can be found in all work sectors, but healthcare, agriculture and construction are recognised as high-risk industries due to the number and nature of the manual handling activities.

Are you taking the necessary steps to mitigate manual handling risks?

The Manual Handling Operations Regulations require employers to adopt a hierarchy of control measures:

  • To avoid hazardous manual handling operations so far as is reasonably practicable.
  • To assess any hazardous manual handling operation that cannot be avoided.
  • To reduce the risk of injury so far as is reasonably practicable.

Any employee who is engaged in manual handling should be aware of the following 5 key principles of manual handling before they perform any task:

TILEO – What does this stand for?

The manual handling TILEO acronym can be used to assess each manual handling activity within your own organisation. It stands for:

  • TASK
  • INDIVIDUAL
  • LOAD
  • ENVIRONMENT
  • OTHER FACTORS

Employing TILEO can help your organisation conduct dynamic risk assessments or on the spot assessments, by considering the individual’s capabilities, the nature of the load and the working environment in order to minimise risks.

Instructing your employees to use TILEO before they begin the manual handling process can help them to take into consideration key factors that can affect their ability to lift loads. As a result, making sure they employ the acronym can help them protect themselves from significant harm and ensure safe manual handling procedures are being used at all times.

Training your staff will ensure you protect your employees and reduce the number of injuries and lost working days within your organisation.

The Manual Handling eLearning course has been designed to explain the basics of health and safety manual handling to employees in low-risk working environments. The online course outlines what manual handling covers, how lifting, carrying and setting down can be done safely, and common injuries and musculoskeletal problems caused by bad technique.

The course also examines key duties related to manual handling in the workplace, focusing on the different roles and responsibilities of the employer and their employees. It emphasises that each worker should: cooperate with their employer; not engage in behaviour that is likely to put colleagues in danger; understand and use mechanical aids correctly; report work activities that might be dangerous; and bring any defects in the workplace, systems or equipment to notice. Each individual is also obliged to share with their employer any physical limitations that might impact their ability to carry out manual handling tasks.

All courses can be tailored to meet the needs of your organisation, so that they reflect your specific policies and procedures and not just generic ones. A designated course administrator can edit the text and images within the course using the integrated authoring tool and link to organisation-specific documentation, all at no extra cost.


The Modern Slavery Act 2015 has now been in force for over 18 months. The Act means large organisations must pay closer attention to the practices of their suppliers. This includes carrying out audits of their suppliers, investigating the physical conditions of the workforce and being on the lookout for instances of child labour. Further, the Act dictates that organisations with a turnover of over £36 million are required to produce a slavery and human trafficking statement.

Poor mental health at work is one of the biggest threats to businesses and organisations today. It costs UK employers billions every year in sickness absence, reduced productivity and staff recruitment and takes a terrible toll on individuals’ well-being – yet a huge number of employers are unsure of how to approach the problem and for many it remains a taboo subject.

Emergency Evacuation Procedures – Preparing your organisation for an emergency

An emergency is a serious, unexpected, often dangerous situation that requires immediate action. An emergency evacuation procedure is a plan of actions to be conducted in a certain order or manner in response to an emergency situation. A prepared and educated workforce, who know how to evacuate a building quickly and safely in the case of a fire or on hearing an emergency alarm, could mean the difference between life and death.

Data submitted by the Home Office reveals that the Fire and Rescue Services (FRSs) attended 288,000 fire-related incidents between April and September 2016. During this period, there were 88 fire-related fatalities and 1,570 non-fatal casualties reported.

Employers, owners and landlords of business buildings or other non-domestic premises are responsible for emergency evacuation procedures and general fire safety. These responsibilities include regular risk assessments, implementation and maintenance of fire safety measures, the creation and communication of an emergency evacuation plan and the provision of staff training.

An evacuation plan should:

  1. Identify clearly marked, short, direct and well-lit escape routes.
  2. Ensure all emergency doors can be opened easily by all employees.
  3. Include special arrangements for individuals with mobility issues.
  4. Clearly mark a safe meeting point.

Communication is crucial and regular drills should be performed alongside safety awareness training.

Are you, as employers, aware of your responsibilities, and do your staff know what to do in an emergency situation?

The VinciWorks Evacuation Procedures eLearning course outlines the key steps your employees need to take should an emergency strike. The course explains the importance of being aware of evacuation plans, the location of maps on doors and stairwells, and which staff hold roles of safety responsibility.

The online course explains what to do if a fire is discovered, how to raise the alarm and who to contact. It also provides clear instructions on evacuating the building by the quickest and safest route and proceeding directly to the assembly point. Additionally, information is given on what to do if you are unable to leave the building, how to help others and what to do if you are trapped in a smoke-filled room.

The VinciWorks Evacuation Procedures eLearning course emphasises that all emergency evacuation alarms should be treated seriously and acted upon, even if the alarm is thought to be false. After evacuation, employees are told not to return to the building unless instructed to do so by an authorised person.

Like all VinciWorks courses, this Emergency Evacuation Procedures eLearning course is SCORM compliant and can be customised to meet your needs, enabling your workforce to understand the specific policies and procedures you have developed for your organisation and any particular types of emergency your organisation might face. A designated course administrator can use our integrated authoring tool to edit the text and images within the course, and link to organisation-specific documentation, all at no extra cost.

The Fourth Anti-Money Laundering Directive, which came into force on 26th June 2017, brings some key changes to the anti-money laundering policies in law firms and organisations. Recent high profile money laundering scandals demonstrate the importance of having the right procedures in place to prevent money laundering. This blog gives some examples of the money laundering convictions that have damaged the reputations of firms and organisations.

Deutsche Bank learns anti-money laundering lessons the hard way


In January, Deutsche Bank, Europe’s largest investment bank, was hit with fines totalling an incredible £500 million from multiple regulators. The bank ran a $10bn money laundering scheme involving the Moscow, New York and London branches shifting roubles between Cyprus, Estonia and Latvia in a manner that was “highly suggestive of financial crime.” The regulators said “the bank missed numerous opportunities to detect, investigate and stop the [money laundering] scheme due to extensive compliance failures, allowing the scheme to continue for years.”

On Monday 26th June, the Fourth Money Laundering Directive was transposed into law to create the Money Laundering Regulations 2017. While the majority of the content in the final law is the same as the draft, there are a few important additions included in the final version.

What are the changes under the Money Laundering Regulations 2017?

Some of the key changes that the Fourth Money Laundering Directive presents are:

  • The ultimate beneficial owner of a corporate client will need to be determined and due diligence checks performed.
  • There will no longer be automatic exemptions from conducting client due diligence.
  • The rules for politically-exposed persons (“PEPs”) are no longer limited to those outside the UK.
  • Third party equivalence – the Fourth Directive has rescinded the “white list” and country-specific risk determinations must be made for any jurisdiction outside of the EU.
