What is your IP worth?
Let’s start from a more basic and more critical point – the real value in your business. What is your information worth? Yes, we are talking about the business critical information of your company. So, we include here the client list, your charging rates for services or goods, your borrowings, your strategic plan, your financial data, the nature of the contracts of your key people and your perceived competitive advantage relative to your business rivals in the market-place. So, what is that sort of information worth? We will approach the issue from a risk management point of view.

Why you must place a dollar value on it
When you start to put together your emergency management plan or your business continuity management plan, one of the really critical steps is the business impact analysis (BIA). The BIA determines, as a result of extensive questioning of different parts of the business and sometimes actual testing, how the identified risks will affect various business operations. This process establishes business priorities. It also establishes the clear linkages and contingencies between different operations of the business. The consequence analysis looks at the cost to the business if these risks are not mitigated, but become full-blown. One of the elements of that consequence analysis is placing a dollar value on the loss of functions, assets, inventory, etc.

Placing a dollar value on company assets enables us to understand their true value and relative importance to the operation of the whole business.

Ways to categorise information
It may be very difficult to assign a dollar value to a particular set of data or piece of information. A better approach is to create some categories and then apply a band of value to that category. For instance, the base category would be information that is developed, handled and stored by the company. This information may have value for the company but it equally may already be in the public domain. There is little sense placing any restriction on it and it would not damage the company if it passed into the public domain. For most companies, this band probably constitutes upwards of 60% of their information holdings.

Moving to the IP component
The next category might be information which has been provided to the company in confidence or generated internally; the disclosure to unauthorised persons or the market-place is likely to impact adversely public confidence in the business or the brand, or the company’s capacity to meet its regulatory, privacy and professional obligations. This may amount to some 30-35% of the company’s information and its loss would hurt.

The most sensitive or critical category applies to information, which if disclosed to unauthorised persons or the market-place is likely to cause harm to the company’s strategic plans, its share price, public confidence in the business or the brand, or the company’s capacity to meet its regulatory and professional obligations. Examples might be information dealing with mergers and acquisitions, profit forecasts, restructuring proposals, customer lists, new product proposals and similar. This category may amount to 5% of all company information, but it is the essence of the company’s value. 

Putting a dollar value on your customer list, the impact on your share price if business critical information is leaked, or what you hope to achieve in sales with a new product: these are not difficult. A possible approach is to pick broad bands for the two categories of information, the disclosure of which will hurt the company. Decide whether it is thousands of dollars, tens of thousands, millions, tens of millions or more.

Offer guidance – employees cannot guess this stuff
Of great importance is that you put in place guidelines to help employees assign values and ensure consistency across the company. Next, make sure that all your critical processes, proprietary information and componentry sourcing is documented. The last thing you want is to be held hostage by a long-term employee, consultant or supplier.

Who gets to see what?
With the information documented and graded, the next step to address is who should have access to it, what are the conditions under which they have access, who determines it and what are their obligations? The whole point of marking some information as sensitive or business critical is that only some need to know it or have access to it. So how do you restrict it, allow access to it? The obvious answer is that the information is located in a particular electronic file or on a particular server to which password access is required.

Criteria and a checking capacity
What are the criteria to determine access? Normally they are that the person will require regular or routine access to that information to perform his or her normal duties. If it is a case that only occasional access may be required, then it is more appropriate for the manager to make a special arrangement and provide the material as an excerpt or summary. It has nothing to do with perceived status or the name-plate that people may have on their desk or their door. Obviously, sensitive information should not be disclosed to another employee without assurance that the recipient is an authorised person. So, those authorised to project information or to categories or sensitive information must be able to interrogate a password-protected database and establish or confirm that the intended recipient is an authorised person.

Management of the process
Other questions to be addressed are who is responsible? Who oversights the process? What are the reporting lines? Who conducts periodic audits and to whom is reporting on this directed? These are all vital questions and if they are not attended to, then all the information becomes business critical or everything is dumbed down for the sake of convenience. In either event, as a company and as a manager, you lose. Information does not remain sensitive forever, so there need to be processes set up with a sunset date, which will prompt a review and either downgrade of sensitivity or maintenance for a period of the classification.

Centrality of Culture
Culture must support this approach to preserving the company’s intellectual property. It is the sort of culture that comes about through leadership of the senior managers, documented corporate values, training and procedures. The expectation the company has for employee behaviour needs to be stated clearly in the terms and conditions of employment. This should be by way of a signed declaration on commencement of employment, which requires candidate employees previously to have read the terms and conditions of employment and the Code of Conduct. This allows management to terminate the services of an employee who fails to abide by the commitment enshrined in that declaration.

The same expectations must be levied on contractors and consultants (lawyers, accountants, bankers, etc.) engaged by the company and be enshrined in their contracts.

And at the end of the day…
When employees, contractors or consultants terminate from the company, there needs to be a thorough exit process and any final payment should not be made until all items on the check-list have been satisfactorily addressed. Those items will include the return of any equipment and PDAs issued by the company to the person; a reminder of the obligations of confidentiality, which should be enshrined in another signed, dated and witnessed declaration; and an exit interview that allows any concerns, grievances or suggestions to be recorded.

Gerard Walsh

Gerard Walsh is a business risk and resilience management consultant with over 25 years security experience, including Corporate Security with global responsibility for AMP and former Deputy Director-General of ASIO.

Disclaimer
All reasonable care has been taken in the research and preparation of this assessment. However, G P Walsh & Associates (GPW) is not responsible for any non-disclosure by the client, its agents or contractors or by government websites, regulatory authorities or other persons GPW has interviewed or consulted in the preparation of this assessment. By commissioning a report, the client acknowledges all such reports require accurate information to inform the detailed assessments and GPW is neither responsible nor liable for any omission or error in its reporting, unless professional negligence is proven. Furthermore, no such inquiry is definitive and GPW can only make an assessment for further consideration of its clients.

What should you look for at home?
There are several tools at the disposal of cyber operators. Among the most insidious are targeted spear-phishing campaigns, which move laterally within a network to acquire specific data and often manage to maintain an undetected presence on the target network for months or years. Malware is used to enable control of target networks and is normally launched via such a targeted spear-phishing email campaign. Tools will sometimes be downloaded to target systems during an actual system attack in order to evade local security measures and to achieve the compromise of additional computers on the target network. Second-level domains may be registered to facilitate cyber operators compromising and controlling target systems.

And when abroad?
The game always changes when we are away from our secure operating environments and having to deal remotely. The nature of the risk and also the form of attack are different. So, let us look at what is best corporate practice. This approach should help us develop some sound strategies.

Is your IP at risk in some countries?
The answer is ‘yes’, without any qualification. What does this mean? It means that if you lose control of your laptop, smart phone, tablet or other device for any length of time, you should assume its contents have been copied and undertake consequence analysis. No ifs, no buts, game over. We cannot be any clearer than that.

What mitigation strategies are available?
Best practice internationally is to take in a clean laptop for work purposes. As far as smart phones are concerned, there appears to be a divide between taking in a clean temporary one or using one’s own. Employees should be advised not to take any personal consumer devices into high risk countries and use only company-supplied devices with encryption installed and practical guidance provided. The most critical thing is to maintain 24/7 physical control of laptops and mobiles. Clearly, that is a greater problem with a laptop (going to dinner, engagements, etc.) as hotel safes are not secure locations. At minimum, they should be encased in secure pouches with tamper-evident seals. On balance, it is best to leave them at home.

Should you limit the data that may be carried into high risk countries?
Increasingly, best practice is not to take in hard copy sensitive data or unencrypted USB memory sticks, CDs or DVDs. If you do, the problem remains one of maintaining 24/7 physical control of this material. Fail in that requirement for the briefest of opportunities and you must regard the material as compromised. Again, secure pouches with tamper-evident seals are a minimum.

What security advice should you give travellers?
• Brief travellers thoroughly on the security risks they will face and how this must influence their behaviour;
• Assume any conversation can (not may) be overheard, so any discussion involving sensitive issues needs to involve precautions;
• If a traveller loses control of a portable device for any length of time, assume it is compromised, don’t connect it to the network and notify corporate security;
• Alert travellers to ‘red flag’ issues:
What are red flag issues from a company viewpoint?
• gifts offered to government officials in breach of local or international law;
• gifts to or from a party involved in a tendering process;
• any gift that appears excessive;
• any gift of cash;
• travel expenses for a government official where there is no legitimate business purpose;
• travel or entertainment expenses for the spouse of a government official;
• payment made to a government entity in cash rather than by company cheque or EFT;
• donation to a charitable cause affiliated with a government official or a customer;
• improper expenses;
• vague description on invoice of services provided; and
• refusal to sign a confidentiality agreement.

The list is not exhaustive (leaving drinks unattended so they risk being spiked, accepting offers to go to dubious premises for a knock-out deal on electronics or jewellery, offers of ‘company’, etc. are surely too obvious?), but it gives a flavour of the things for which those travelling on the company’s behalf should be alert and the things that should concern you. Do you have guidance for your travellers? Do you brief them? Do they know the company’s code?

Should the company test devices on return for electronic compromise?
Yes, this should be done, at least on a sampling basis. For any hardware that was out of the traveller’s immediate control for any length of time, testing should be automatic. Most companies will not have the in-house capacity to undertake this, but it may readily be outsourced. Good practice would be to sample 100% of laptops belonging to executives and a lesser percentage for the frequent travellers. Some use EnCase software to create an MD-5 Hash of the baseline and when the laptop is returned to the company’s IT department, they run an MD-5 Hash and compare the results. Others use Anubis, which analyses malware or md5 deep and hashdeep.

Finally…
A company’s intellectual property is likely more valuable than all its physical assets. For much of the IP, you can lock it up, encrypt it, handle it securely and dispose of it safely. Firewalls and patents are a first wall of protection and are essential, but it is people who are handling the IP. A company’s culture and security awareness training is critical to prevent IP leaks. That training needs to be targeted to meet the particular risks faced by different categories within the company and tailored to the needs of different employees: executives, travellers, sales people. One size does not fit all, but your IP is worth it.

Gerard Walsh

Gerard Walsh is a business risk and resilience management consultant with over 25 years security experience, including Corporate Security with global responsibility for AMP and former Deputy Director-General of ASIO.

Disclaimer
All reasonable care has been taken in the research and preparation of this assessment. However, G P Walsh & Associates (GPW) is not responsible for any non-disclosure by the client, its agents or contractors or by government websites, regulatory authorities or other persons GPW has interviewed or consulted in the preparation of this assessment. By commissioning a report, the client acknowledges all such reports require accurate information to inform the detailed assessments and GPW is neither responsible nor liable for any omission or error in its reporting, unless professional negligence is proven. Furthermore, no such inquiry is definitive and GPW can only make an assessment for further consideration of its clients.

With a nice sense of timing, the KPMG report of its biennial survey of fraud, bribery and corruption in Australia and New Zealand covering the period 2010-2012 . This is always a must read and this edition is, again, a rich source of learning for all managers. We will mine and then highlight some of the key facts that emerged :

The bald facts
• The total value of fraud experienced was $372.7m
• The average loss to fraud per company experiencing fraud was $3.08m
• 43% of the responding firms experienced fraud
• 47% of these frauds were due to deficient internal controls
• The larger the company, the greater were the number of frauds committed

Who is doing it?
• 75% if the perpetrators were insiders
• This is an increase by 10% over the 2010 figure
• Management perpetrators principally committed fraud by false invoicing
• Staff perpetrators principally committed fraud through the theft of cash
• Contractors and suppliers principally defrauded by fraudulent tendering

Drilling down a little further…
• Men are three times more likely to commit fraud than women – 75% versus 25%
• This is a change from 68% versus 32% in 2010
• Those acting alone constituted 71% in 2012 compared to 77% in 2010
• On the other hand, those who colluded in fraud grew from 23% to 29%

They are not driven by desperation
• Most don’t have a history of dishonesty
• Nearly 70% earn close to $100,000
• And are motived by greed/lifestyle or personal financial pressure
• Where did they appear in the organisations? 7% were executives; 19% were managers; 49% or nearly half were non-management and 25% were third parties
• Salary levels provide a real shocker: there was a 17% decrease in fraudsters earning less than $100k; a 92% increase in fraudsters

What does this all mean for you?
It means that the people who are likely to defraud your company or business are the people you work with. That’s not a very nice thought, is it? Corporate management committed only 1% of all fraud by incident, but this represented 18% of the $372m.

Culture and Internal Controls
It is absolutely clear that all companies and institutions need to put in place a fraud control strategy and then conduct fraud awareness training sessions on a continuous basis. These are the bedrock measures. Off this base, you can then start progressively to implement prevention strategies:

• Make sure all staff undergo pre-employment screening or make their appointment provisional on satisfactory completion of this if you need to move quickly;
• For positions of trust (handling money, contracts, accounts payable and receivable, etc.) there should be no exceptions;
• Develop and live by a clear code of ethics that is publicised, prominently displayed and rigorously observed;
• Review your internal controls – make sure there really is ‘four eyes’ sign-off on all financial authorisations;
• Nail your colours to the mast – advise all that there will be a zero tolerance to fraud; that those engaging in it will be subject to instant dismissal; and all incidents of fraud are reported to the police;
• Move people around – don’t allow someone to occupy the same position of trust for an excessive period of time. Rotate people through positions and compel all these people to take their annual leave – a reluctance to go on leave is often an indicator of improper activity that may be discovered in the perpetrator’s absence;
• Undertake screening of your suppliers, contractors and business partners. Speak with others who also deal with them and compare notes;
• Provide a whistle-blower channel for people to voice their concerns. Most frauds are discovered in this way or through enhanced internal controls .

Understand your staff and your future
It is inevitable that people will suffer crises at various times through illness, failed relationships, substance abuse or accident. Such events may impose significant financial burdens and cause some to think of resorting to fraud to cover their immediate need. An essential defence is to ensure a supportive culture exists and is fostered in the workplace. That when people are stressed and inform another person of their predicament, those who need to know and who can support them are informed. That sort of culture will not happen by accident and, sometimes, it may cost you as an employer, but it is infinitely preferable to fraud being wreaked on the company and you will be repaid with great loyalty.

Gerard Walsh

Gerard Walsh is a business risk and resilience management consultant with over 25 years security experience, including Corporate Security with global responsibility for AMP and former Deputy Director-General of ASIO.

Disclaimer
All reasonable care has been taken in the research and preparation of this assessment. However, G P Walsh & Associates (GPW) is not responsible for any non-disclosure by the client, its agents or contractors or by government websites, regulatory authorities or other persons GPW has interviewed or consulted in the preparation of this assessment. By commissioning a report, the client acknowledges all such reports require accurate information to inform the detailed assessments and GPW is neither responsible nor liable for any omission or error in its reporting, unless professional negligence is proven. Furthermore, no such inquiry is definitive and GPW can only make an assessment for further consideration of its clients.

SNP Security guard, Peter Hodge, has been awarded an Australia Day Achievement Award for his service to the National Library of Australia. Hodge was presented with the award by the Director-General of the National Library of Australia, Ms Anne-Marie Schwirtlich.

Ms Schwirtlich says Peter has been in the role for more than seven years and “consistently goes the extra mile to provide assistance and support for staff.”

“Peter is well known to National Library staff for the high levels of customer service he provides in his role manning the Security Control Centre,” says Ms Schwirtlich.

“As we enter the library each morning, he somehow manages to do his busy job, greet us all by name, say good morning and hand out passes, open doors, answer the phone and handle enquiries always in his calm and unflappable manner. Peter has also ensured that a range of serious incidents have been managed professionally, minimising the potential for damage or harm to the Library and its staff

“Peter has been an outstanding contributor to the Library and his good nature, support, knowledge and professionalism are highly valued,” says Ms Schwirtlich.

Sean Giddings, SNP Security ACT Branch Manager, says it’s extremely rare for a contractor to be recognised by the National Library of Australia in this way.

“This award is an outstanding recognition of Peter’s many years of service, his can-do attitude and his approach to providing the best customer service, day in and day out.

“It also demonstrates that long-term strategic partnerships can be formed between contractors and clients to achieve mutually beneficial results,” says Giddings.

IMAGE: Director-General of the National Library of
Australia, Ms Anne-Marie Schwirtlich, presents SNP Security guard, Peter Hodge,
with his Australia Day Achievement Award.

The first issue of the Weekend Financial Review for 2013 carried front page headlines and four pages of reporting of the Director-General and others on the same subject . Even though many were away on holidays, some would have read it with a cold one in the other hand. Certainly the article carried sufficiently sobering news to negate the effect of one or two beers.

Then, just before Australia Day 2013, the Prime Minister made a significant policy statement. She then issued a press release summarising the key elements. It was reported on every television news bulletin, radio news bulletin, the internet and in the newspapers . Did it affect you or your business? Can you tease it out of the corner of your brain were it is subconsciously stored?

All of these events were linked. A few days, a few weeks on, what do you remember? What were they all talking about? President Obama, the US Defence Secretary, Leon Panetta, and Jonathan Evans, the Director-General of MI5 have been talking about the same thing.

The dependence and vulnerability of a wired society
It is a truism to say information infrastructures underpin and enable today’s information society. It is unthinkable to imagine how we would survive without them – it has totally changed how we work and play. Business would grind to a halt, as would air traffic control, traffic management systems in our cities, water supply and emergency services.

Since the 1980s, there have been references to information warfare. It was a discussion that occurred within defence department complexes and at academic seminars. Roll on one decade, and there was a slew of conferences and seminars on the subject. We started to hear terms like cyberwarfare, information warfare, iWar and others. We read of cyber terrorists or criminals remotely interfering with aircraft controls, crashing bank’s time clocks in vaults and threatening all manner of real and futuristic harm. We remember the television pictures of the first Gulf War, when the Iraqi telephone and public lighting systems were ‘taken out’ and precision-guided bombs destroyed Kuwait’s key infrastructure and Saddam Hussein’s command and control was totally obliterated. We even remember the name ‘Operation Desert Storm’.

The really important message is…
But what about today: how are the messages from the Prime Minister and the Director-General of Security affecting your business and your role as manager? Take it as read that foreign governments are launching cyber attacks against this country and others. There is overwhelming evidence for that. Grave as that is, we are not going to concern ourselves here with the defence, intelligence and strategic implications. Rather, what does it mean for us in business? What is happening at our own portals?

The first message is that we are being robbed blind. A bunch of people who have not worked for it and don’t contribute to it are trying to strip our economic wealth from us. Highwaymen used to be recognisable: they rode horses, carried pistols, ambushed you and demanded your valuables. The modern-day version sits with a mouse in another country. DSD cites a Symantec estimate that puts the Australian cost of cybercrime at $4.5 billion and arguably more . In many cases, nation states are launching these attacks, while hactivist groups like ‘Anonymous’ have claimed significant dislocation and hackers will always seek your information. The ASIO Director-General quoted CERT Australia as saying there has been more than 5,000 cyber incidents in Australia in the first eight months of last year . The purpose of these cyber attacks is to steal the value of years of research and development; to get across big deals so that the market can be affected; to insert malware and knock out capability; and to strip away privacy and confidentiality. 

What is to be done?
Value your information – it is truly your most critical asset. Value security of your information over speed and convenience of applications. Understand the consequences to you and your staff if you lose your information. The only way to do this is to undertake some consequence analysis and put dollar values on it, as you do in your business continuity plan. As DSD says in its catchy video, you need to ‘Catch, Patch and Match’ :

• Only allow your approved software to run on your systems. 
• Catch all malicious software and block it from running.
• Patch all applications with updates, so there are no security exposures.
• Match the right people with appropriate access to your systems. Administrator access should be severely limited – in the wrong hands it is a death-wish.

Who’s to do it?
You. If you the manager, you the director, you the supervisor, you the worker don’t understand the risks and put in place strategies, controls and policies to mitigate them, you may as well pack up and head to the beach. It takes leadership and discipline. Management must show leadership, resource the requirement and ensure compliance. Everyone else must show discipline and understanding: the discipline not to open emails from unknown sources and understanding of the consequences to their job, the business and their future if information security is not observed.

And if it is left to others…
The Head of NSA described cyber-theft as “the greatest transfer of wealth in history”. He estimated the cost of theft of intellectual property from US companies was worth $250 billion each year and a further $1 trillion was spent on remediation work. The stakes could scarcely be higher.

Have a look at the DSD website. Ask your IT security manager to report on how your business stands against the 35 mitigation strategies listed there and give you a score out of 35. Are you in good shape? If you are not scrupulously careful and leave no chinks in your defences, someone will find their way in.

Most of all, talk with your colleagues and your staff about the risks and their consequences. If you don’t start and regularly pick up that conversation with your people, it may be too late.

Gerard Walsh

Gerard Walsh is a business risk and resilience management consultant with over 25 years security experience, including Corporate Security with global responsibility for AMP and former Deputy Director-General of ASIO.

Disclaimer
All reasonable care has been taken in the research and preparation of this assessment. However, G P Walsh & Associates (GPW) is not responsible for any non-disclosure by the client, its agents or contractors or by government websites, regulatory authorities or other persons GPW has interviewed or consulted in the preparation of this assessment. By commissioning a report, the client acknowledges all such reports require accurate information to inform the detailed assessments and GPW is neither responsible nor liable for any omission or error in its reporting, unless professional negligence is proven. Furthermore, no such inquiry is definitive and GPW can only make an assessment for further consideration of its clients.

The new tools/toys
Smartphones and tablets are now pervasive in the business world. Part of the reason is that people use these devices to manage every aspect of their personal lives, as GPS devices to navigate in their motor vehicles or on walks, to download video and music and so on. The logical extension has been that today’s generation want these indispensible tools in their working lives and companies must find ways to fit them in their IT security framework.

Why? Smartphones and tablets can pose security issues for any business: and not just to the business but also to any customer or business included in the data stored on those devices.

Threats such as Trojans, which attack and exploit software vulnerabilities that have not been ‘patched’ on system endpoints such as these devices, rogue security applications, viruses, spyware, worms and phishing attempts are all threats that apply just as much to these nifty and convenient devices as they do to the standard computers located in your offices.

A short time ago, it was pretty much unthinkable that commercial information, let alone sensitive commercial information, would makes its way onto an employee’s personal device, as they are often not covered by endpoint security. To achieve this would require each computing device on a corporate network to comply with certain standards before network access is granted. Logon would be via a gateway that hosts the network security program and at logon the device would be scanned to ensure that it complied with the security standard before entry was permitted. If the use of smartphones and similar is allowed but not managed in a security sense, quite simply the business has lost control of its own information.

Passwords
We are all ready to concede that data theft and identity theft is a real risk today. So, the first place to look and see if all is well in our world is the area of passwords. SplashData has produced a list of the most common passwords used on the internet . The list is compiled from files containing millions of stolen passwords posted online by hackers. It records 24 of the ‘worst passwords of 2012’, but we will just list the first five here – they illustrate the point graphically!

1. Password (it was in first position in 2011 and will probably be in 2013)
2. 123456 (held second place also in 2011)
3. 12345678 (a more sophisticated attempt than #2 but also third in 2011)
4. abc123 (a genuine alphanumeric attempt!!! Up one place from 2011)
5. qwerty (inspired! Down one place from 2011)

We all know the rules. Passwords should be of eight mixed characters or more – that includes letters, numbers, upper and lower case and symbols or punctuation marks. Why is sloppy practice allowed to continue indefinitely? Ultimately, that is a question for all managers. If you don’t value the commercially sensitive information of your business, why are you working there? If you do value it, why would you condone its leakage under your very nose? The answer is compliance with your IT security standards and the person who ultimately enforces those is – you.

Investigative issues
It is quite critical that you decide, as a manager, whether the company issues and owns the piece of equipment or whether employees are allowed to bring their own on the understanding that apps will be provided that enable access to business critical data without that being stored on the device. The unaffordable situation is where there is no direction and people make their own arrangements. The thought that this might save the business a few dollars in equipment outlays is swamped by the risk that is being needlessly embraced. So, information security policies need constantly to be revised to ensure they are as current as the technology being employed. We have not even addressed the risk of large screen smartphones or tablets being viewed by others, when employees decide to do some work on the bus, train or plane.

From a forensic accounting viewpoint, the technology in some smartphones is changing so rapidly that a real challenge is presented to those tasked with investigation of a major leak. Previously, mobile phones had a telephone address book and a bank of SMS messages that had not been deleted. Smartphones may contain gigabytes of data – much of it potentially yours! They will play an ever increasing role in your business, but the risk exposure, as always, needs to be recognised and addressed.

Everyone’s a reporter
Smartphones and social media allow people instantly to share any ‘oops’ moment in their own or another’s life. With the approaching end of year festivities, there will be plenty of people who will engage in behaviour that may be regretted the morning after or when sober. The temptation will always present itself to snap friends or yourself in moments of high celebration. The risk starts entering this world when you post them on Facebook or send them 150 ‘best friends’ or someone posts images of you. Somewhere a copy of the image and your identity will be preserved, no matter how much deleting takes place.

A year or two later, these same people will be applying for different employment, submitting themselves for a security clearance to join some part of Government service or seeking a promotion in the public sector. One of the obvious pieces of data-mining that anyone conducting a background search on such a candidate will undertake is to trawl through the various social media. Indeed, some firms maintain a watching brief on social media in case any of their employees surface in undesirable circumstances.

If you don’t want the whole world to share your moment of embarrassment or stupidity, don’t take the picture. If you cannot resist the temptation to make the moment indelible, do resist the temptation to demonstrate to the world that you are a goose by sharing it. And remember that whatever you SMS, email, post or tweet is forever part of your personal profile and employment portfolio – because nothing is ever completely deleted. Now, that’s a sobering thought!

Gerard Walsh

Gerard Walsh is a business risk and resilience management consultant with over 25 years security experience, including Corporate Security with global responsibility for AMP and former Deputy Director-General of ASIO.

 All reasonable care has been taken in the research and preparation of this assessment. However, G P Walsh & Associates (GPW) is not responsible for any non-disclosure by the client, its agents or contractors or by government websites, regulatory authorities or other persons GPW has interviewed or consulted in the preparation of this assessment. By commissioning a report, the client acknowledges all such reports require accurate information to inform the detailed assessments and GPW is neither responsible nor liable for any omission or error in its reporting, unless professional negligence is proven. Furthermore, no such inquiry is definitive and GPW can only make an assessment for further consideration of its clients.

The end of year is a time to reflect. Sometimes, under the influence of Christmas dinner or a little time on our hands, we make resolutions. These will often be about personal or professional development: stop smoking; reduce drinking; get more exercise; spend more time with the family. On the professional side it might be: join a professional association; delegate more; give away those services and product lines that are not working.

These goals are great. Achieve one or more and you are probably in line for a gold star. Now friends and mentors could undoubtedly suggest a number that you might consider. But if you are running a business, it might be smarter to have a look at what the Fair Work Ombudsman has been doing. The Tax Commissioner is not the only person undertaking audits, you know! On the Fair Work Australia website are set out the audits under way; those intended; and the findings from some of the recent works completed. These are the industries listed on the Fair Work Ombudsman’s site under “Audits and Campaigns” :

• Hospitality 
• Structural metal product manufacturing
• Vehicle repair & maintenance
• Clerical workers
• Security industry
• Retail industry
• Fuel retailing
• Residential building industry

Let’s look briefly at just four of them.

Security Industry 
Fair Work Australia had conducted a campaign in 2009, so this was a re-visitation. The pleasing aspect was that the contravention rate had halved from 53% of those surveyed to 27%. These were the areas of contravention revealed in this year’s analysis: Wages (36%), Penalties (18%), Payslips/Record Keeping (24%), Public Holidays (9%), Overtime (5%) and Other (3%). In some cases, the managers were unaware of award provisions, in others they relied on accountants who were equally ignorant. Neither, of course, is a defence.

Vehicle Repair & Maintenance
This audit concentrated on pay slips and time and wage records. The analysis of was completed in August 2012. This showed 445 (59%) employers were compliant and 314 (41%) were found to have contraventions – 39.5% of these were underpayments, 54.1% were contraventions relating to time and wage records or pay slip requirements and 6.4% involved both.

Retail Industry 
This audit resulted in more than 750 workers at retail stores throughout the country receiving a bonus – more than half a million dollars in back-pay. This followed $4.7 million in underpaid entitlements being returned to employees in the previous year. Underpayment was not the only issue. Retailers were found to be employing adults only; requiring staff to make purchases in-store and then deducting the amount from wages (an unlawful action); incorrectly classifying employees and then underpaying their entitlements; and requiring them to set up or close outside trading hours for no payment.

Clerical workers 
In this audit, a third of the businesses were in the recruitment sector and the balance in the accounting sector. The result was that 1232 (76%) of employers were compliant and 389 (24%) were in contravention – these related to underpayment in a third of cases and the larger balance related to failures in the rime and wage records or pay slip requirements.

The dog ate my homework and similar reasons
The reasons provide by employers as explanation for their contraventions don’t bear very close scrutiny in the cold light of day :
• My employees agreed to that rate;
• Isn’t that what everyone pays?
• We are a small firm, we can hardly pay every entitlement;
• We pay what they are worth;
• We don’t have time to provide pay slips;
• Sub-contractors are not my responsibility;
• I can’t be bothered learning about it;
• I just applied my common sense; and
• I thought I only had to pay wages

There is no doubt that the majority of businesses try and do the right thing by their employees. However, the obligation is unambiguously on the employer to be informed and be compliant. Just as it is critical to ensure that risk managers, fraud investigators, IT security and business continuity advisers are current in their knowledge and approach, so managers must satisfy themselves that their accountants and payroll staff practise continuing education and maintain their currency. Membership of professional associations is often a useful way of ensuring managers are informed and in the position to ask the right questions – and there is always the Fair Work Australia information line.

Resolution
To keep informed about your obligations; to have a network likely to alert you to changes; to use the freely available sites to check; and to require your key advisers to certify to you that your business is meeting all its legal obligations. That would be a fairly useful resolution to save on your first day back at work in 2013, wouldn’t it?

All reasonable care has been taken in the research and preparation of this assessment. However, G P Walsh & Associates (GPW) is not responsible for any non-disclosure by the client, its agents or contractors or by government websites, regulatory authorities or other persons GPW has interviewed or consulted in the preparation of this assessment. By commissioning a report, the client acknowledges all such reports require accurate information to inform the detailed assessments and GPW is neither responsible nor liable for any omission or error in its reporting, unless professional negligence is proven. Furthermore, no such inquiry is definitive and GPW can only make an assessment for further consideration of its clients.

“SNP Security is proud to be featured as a finalist in this year’s Awards. We have always had a high commitment to delivering quality. Our ISO 9001 certification is integral to our unique selling proposition. As a company we have invested heavily in having a modern approach to business which involves education and training,” says Roche.

Certified 15 years ago, SNP Security was one of the first security companies in Australia to use certified systems and it still continues to lead the way in maintaining high standards today. With an expansionary vision, the security company realised that one of the most important aspects of service delivery is consistency. By implementing a standardised process, this could be achieved and would also aid the pre-tendering process with large organisations.

“SNP Security has maintained long-term relationships with blue chip international companies, who require ISO 9001 as a pre-requisite for business association. As such, this has become central in our way of conducting processes and procedures,” says Roche.

SNP Security is an Australian, family-owned company that was founded in 1923 in Sydney. It offers fully integrated security solutions covering all elements of security from security offices and mobile patrols to live redundancy monitoring and electronic security, including security alarms, CCTV systems, access control and security intercom systems.

For further information on security solutions, please visit – www.snpsecurity.com.au

ENDS

PHOTO SHOOT OPPORTUNITY:

Venue: Boronia Junction Shopping Complex, outside the front of the main shopping strip.
Event: Launch of CCTV surveillance by Laura Smyth, MP, Federal Member for La Trobe.
Date/time: 10 December 2012, 2pm – 2.30pm followed by a light afternoon tea.

Stuart Pitcher, National Operations Manager for Electronics at SNP, said that his team are experts at placing cameras in well-positioned areas.

“Our CCTV surveillance is designed to increase public safety within the municipality. It’s our goal to provide added protection in public areas and reduce crime rates. The effectiveness of CCTV is not always the number of cameras that are placed in any given area, but knowing where the hot spots are in order to position them effectively and make a difference to the local community,” says Pitcher.

In addition to City of Knox, SNP Security already provides CCTV surveillance to a range of Safe City initiatives including: City of Melbourne, Footscray and Frankston City Council.

SNP Security offers fully integrated security solutions covering all elements of security from security offices and mobile patrols to live redundancy monitoring and electronic security, including security alarms, CCTV systems, access control and security intercom systems.

 ENDS

SNP Canberra has successfully secured a number of new contracts during the past four months. A good example of the new business wins is SNP Canberra’s new contract to provide all security needs to The Royal Australian Mint, one of the largest tourist attractions in the ACT. The Royal Australian Mint is a specialised, high priority site, where SNP Security will be responsible for ensuring the safety and security of the site and its assets.

Another recent goal for the team was the expansion of the services SNP Security provides the National Gallery of Australia. A direct result of looking to increase efficiency in the current economic climate, SNP Security, as of Monday, 5 November, provide a new range of protective services, including security guards to the National Gallery of Australia.

“The Gallery was searching for cost-effective risk mitigation strategies. We demonstrated we could provide a mutually beneficial provision of service at a reasonable expense to the Commonwealth, and are pleased to announce that our pitch was successful,” says Sean.

Sean’s goal is for SNP Security to continue to be market leader for the provision of security services in the ACT. The team in Canberra is also pleased to quietly announce that they have further business wins to announce over the next month. The team has worked to retain existing business and also acquire further new contracts. Watch this space!