Loading...

Author: Inesh Perera

AML CTF Regulations in the UAE

Financial sectors are the most susceptible to money laundering and terrorism financing. Hence, the United Arab Emirates (“UAE”) has made efforts to enhance its legislative framework to better adhere to the international framework set by the Financial Action Task Force (“FATF”).

The UAE has worked tirelessly to remove itself from the “Grey List”, which the FATF categorises “as a country with a higher risk of money laundering”, and/or a “jurisdiction under increased monitoring”. 

Its recent exit from the FATF’s Grey List represents a significant milestone for the country’s business and investment landscape. Being removed from the Grey List is a testament to the UAE’s commitment to enhancing its anti-money laundering and counter-terrorist financing frameworks. This development is expected to have several positive impacts: 

 

  • Increased Market Confidence: Exiting the Grey List signals to the international community that the UAE has strengthened its regulatory and enforcement mechanisms related to financial crimes. This can boost investor confidence in the country’s financial system and overall business environment. 
  • Attraction of Domestic and Foreign Investment: With improved compliance standards, the UAE becomes a more attractive destination for both domestic and foreign investors. Investors are more likely to feel secure knowing that the country’s financial sector operates within globally recognized anti-money laundering and counter-terrorist financing standards. 
  • Reduced Compliance Costs: Stricter compliance measures often come with increased costs for businesses. By aligning with FATF standards and exiting the Grey List, UAE businesses are likely to experience reduced compliance burdens. This can free up resources that can be redirected towards business growth and development initiatives. 
  • Enhanced Reputation: Being removed from the Grey List enhances the UAE’s reputation as a responsible and compliant jurisdiction in the global financial community. This can lead to further integration into the international financial system and potentially open up new avenues for collaboration and partnerships with other countries and financial institutions. 

Overall, the UAE’s exit from the FATF’s Grey List is indeed a positive development that is expected to contribute to the country’s economic growth and attractiveness as an investment destination. 

 

Navigating the UAE’s AML CTF framework 

The penal legislation of AML/CTF in the UAE saw several developments over the last decade. In 1998, the Central Bank of UAE instituted one of its first unit against to monitor and investigate transactions deemed fraudulent or suspicious, the “Anti Money Laundering and Suspicious Cases Unit”. However, it was only n 2002 that the Federal Law No. 4 was issued in the UAE criminalising money laundering.  

In 2018, the nation  issued the Federal Decree No. 20 on AML/CTF to develop the nation’s legislative and legal structure of AML/CTF. The Cabinet Decision No. 10 of 2019 was then issued. It provides a legal framework for a unified approach to AML/CFT across all Emirates, including the Financial Free Zones (“FFZ”) and Commercial Free Zones (“CFZ”), and adheres to the FATF’s recommendations and methodology.

In accordance, the Central Bank of UAE was established in 2020. It is an independent financial intelligence unit. The Anti Money Laundering and Combating the Financing of Terrorism Supervision Department (“AMLD”) works alongside Licensed Financial institutions (“LFI”) and Designated Non-Financial Businesses and Professions (“DNFBP”). The organizations joined forces to ensure compliance to the AML/CTF regulations, upon request or spontaneously. Other regulatory bodies present in the UAE also act as supervisory bodies. It includes the Ministry of Justice for lawyers and legal consultants, as well as the Ministry of Economy. These in turn concern itself with DNFBPs. FFZs, while still following the Federal AML Laws, adhere to separate supervising authorities. The Dubai Financial Services Authority (DFSA) regulates the Dubai International Financial Centre (DIFC), while the Financial Services Regulatory Authority (FSRA) regulates the Abu Dhabi Global Market.

UAE’s quest is to better combat AML/CTF. The nation has also carried out inspections and examinations of LFIs and DNFBPs’ compliance. In the process, it shut down 50 companies in the second half of 2023 for their non-compliance and fining several others.

 

What are the potential risks faced?

Considering UAE’s strategic position between the East and the West, the scope of growth in  the financial sector is exponential. However, the potential risks increase as well. In addition to Terrorist Funding, the the country is victim to money laundering risks. It includes drug trafficking, the abuse of legal persons, cash-based and trade-based transactions, as well as professional third parties’ money laundering. The most vulnerable sectors are banks, precious metal dealers as well as real estate.

The risks are not limited to the mainland. They are also present in the CFZs and FFZs. Given their initial laissez-faire attitude and a tax-free regime, these free zones are most susceptible to money laundering and terrorism funding risks. While they comply with Federal Laws, their requirements are less stringent during initial low-risk assessments.

 

How to ensure protection and compliance?

Here are some key points to be aware of:

  • Register with the goAML app . FIU uses it to collect and process suspicious transactions that may involve money laundering, and terrorism financing.
  • Appoint an AML/CTF compliance officer
  • Keep and regularly update internal policies, procedures, and risk assessments
  • Appoint an independent auditor
  • Regularly maintain and update records
  • Effective KYC protocols, risk profiling, screening and enhanced due diligence
  • Report any risk that presents itself!

 

TenIntelligence Thoughts on AML CTF

The UAE’s strategic position and growing influence in the financial industry present an attractive destination for new business ventures. It is crucial to ensure regulations are followed and diligent processes for combating money laundering are in place.

If you are based in the UAE or are looking to start or relocate your business there, contact us at info@tenintel.com for further information.

 

Written by

Riwa Haidar

Navigating the Recruitment Landscape: A Data Protection Imperative 

In the dynamic world of recruitment, data protection has emerged as a cornerstone of ethical and legal considerations. As organizations strive to attract top talent, ensuring compliance with data protection laws has become a strategic imperative. This comprehensive guide is designed to offer invaluable advice and support on key aspects of the recruitment process, from shortlisting to retention. 

Shortlisting and Testing Candidates: Transparent communication of selection criteria is crucial in ensuring fairness and consistency in shortlisting. The General Data Protection Regulation (GDPR) emphasizes the lawful and transparent processing of personal data. By clearly communicating the selection criteria, organizations align with GDPR principles, promoting fair and ethical practices. 

Data Protection in Interviews: Implementing secure interview processes is imperative, whether conducted in-person or remotely. Emphasize a candidate’s right to privacy throughout the interview process, aligning with GDPR Article 5, which requires that personal data be processed in a manner that ensures appropriate security. 

Candidate Opportunity to Comment: Provide candidates with an opportunity to comment on information obtained from external sources. GDPR Article 15 grants individuals the right to be informed about the existence of automated decision-making and the logic behind it. Allowing candidates to comment ensures transparency and upholds their rights. 

Remote Interviews and Testing: In the age of remote work, organizations should implement robust security measures for remote processes. Additionally, guiding candidates on securing sensitive information during virtual interactions ensures data protection, aligning with GDPR principles of confidentiality, integrity, and availability. 

Verification of Information: Establishing lawful bases and transparent processes for verifying candidate information is foundational. GDPR Article 6 outlines the lawful bases for processing personal data, including the necessity of processing for the performance of a contract. Verification processes are thus aligned with the legal requirements. 

Pre-employment Vetting: Conduct risk assessments to justify pre-employment vetting activities. Keep candidates informed about the purpose, sources, and duration of vetting processes, adhering to GDPR principles of fairness and transparency (Article 5) and ensuring that personal data is processed lawfully (Article 6). 

Checks and Balances: Transparent policies for handling discrepancies between candidate-provided information and verification results are essential. Training recruitment staff on correct procedures ensures consistency and compliance with GDPR’s accountability principle (Article 5) and lawful processing requirements (Article 6). 

Social Media Vetting: Document justifications for social media checks based on identified risks. Separate social media checks from recruitment decision-makers and communicate the process to candidates, aligning with GDPR’s principles of necessity, fairness, and transparency in data processing. 

Credit Checks: Define clear justifications for credit checks, ensuring relevance to the role. Communicate the need for credit checks to candidates early in the recruitment process, adhering to GDPR principles of purpose limitation (Article 5) and lawful processing (Article 6). 

Retention of Vetting Information: Establish policies for the limited retention of vetting information. Emphasize the sensitive nature of vetting information and the importance of secure destruction, in line with GDPR’s principles of data minimization (Article 5) and storage limitation (Article 5). 

Retention of Recruitment Records: Determine clear retention periods for recruitment records, considering legal obligations. Practice selective retention, ensuring relevance to the employment relationship and compliance with GDPR’s storage limitation principle (Article 5). 

Handling for New Purposes: Regularly review and establish lawful bases for new purposes. Promptly dispose of unnecessary information if retained for a different purpose, aligning with GDPR’s requirement for purpose limitation (Article 5) and lawful processing (Article 6). 

Educate Staff on Data Protection: Provide comprehensive training for recruitment staff on data protection procedures. Fostering a culture of awareness and compliance is crucial for GDPR adherence, as highlighted in the accountability principle (Article 5) and the need for staff education on data protection matters. 

Regularly Audit Compliance: Conduct periodic audits to assess compliance with data protection laws. Address any identified gaps or issues promptly to maintain a robust data protection framework. Regular audits are crucial for ensuring ongoing compliance with GDPR and other relevant data protection laws. 

By diligently following this comprehensive guide and the accompanying to-do list, organizations can navigate the recruitment landscape while safeguarding candidate privacy and complying with data protection laws. Regularly revisiting and updating these practices will ensure that companies stay ahead of the curve in the ever-evolving realm of recruitment and data protection.  

Recruitment Data Protection To-Do List: Ensuring Compliance Every Step of the Way 

Define Transparent Selection Criteria: 

  • Clearly communicate selection criteria to candidates. 
  • Ensure fairness and consistency in shortlisting processes. 

Implement Secure Interview Processes: 

  • Emphasize a candidate’s right to privacy in all interview formats. 
  • Apply secure methods for in-person and remote interviews. 

Facilitate Candidate Feedback: 

  • Provide candidates with an opportunity to comment on information obtained from external sources. 
  • Establish a clear process for addressing discrepancies and incorporating candidate feedback 

Secure Remote Interactions: 

  • Implement robust security measures for remote interviews and testing. 
  • Guide candidates on securing sensitive information during virtual interactions. 

Establish Lawful Verification Processes: 

  • Define lawful bases and transparent processes for verifying candidate information. 
  • Clearly communicate with candidates about the verification process and its necessity. 

Conduct Risk Assessments for Vetting: 

  • Justify pre-employment vetting through comprehensive risk assessments. 
  • Inform candidates about the purpose, sources, and duration of vetting activities. 

Maintain Transparent Policies: 

  • Develop transparent policies for handling discrepancies between candidate-provided information and verification results. 
  • Train recruitment staff on correct procedures for verification and vetting. 

Justify and Separate Social Media Checks: 

  • Document justifications for social media checks based on identified risks. 
  • Ensure social media checks are conducted separately from recruitment decision-makers. 

Establish Clear Justification for Credit Checks: 

  • Define clear justifications for credit checks, ensuring relevance to the role. 
  • Communicate the need for credit checks to candidates early in the recruitment process. 

Limited Retention of Vetting Information: 

  • Collaborate on establishing policies for the limited retention of vetting information. 
  • Emphasize the sensitive nature of vetting information and the importance of secure destruction. 

Determine Clear Retention Periods for Records: 

  • Set clear retention periods for recruitment records, considering legal obligations. 
  • Practice selective retention, ensuring relevance to the employment relationship. 

Review and Establish Lawful Bases for New Purposes: 

  • Regularly review recruitment practices to align with data protection principles. 
  • Establish lawful bases for new purposes. Emphasize the importance of destroying unnecessary information if retained for a different purpose.

Legal Claims and Limitation Periods:  

  • Be aware of the statutory limitation periods for legal claims. Aim to strike a balance between retention for potential claims and the obligation to promptly dispose of unnecessary information. 

Retaining for Statistical Purposes:  

  • Encourage anonymization for statistical purposes, ensuring compliance with data protection laws. Collaborate on secure methods for storing and using anonymized information. 

Conclusion

This guide offers invaluable advice and support on key aspects of the recruitment process, from shortlisting to retention. By focusing on data security, transparency, following rules, and being prepared, organizations can confidently handle changing data protection and privacy demands within the recruitment process.

If you ever need further guidance, feel free to reach out on lynsey.hanson@tenintel.com.

 

Lynsey Hanson

Written by

Lynsey Hanson, DPO

Essential Insights for Data Protection Awareness Day 

As we approach Data Protection Awareness Day on January 28th, it’s crucial to revisit the General Data Protection Regulations (GDPR), which has been in force for nearly six years!  

Time flies when you’re a DPO 😀  

As we gear up to celebrate Data Protection Awareness Day,  it’s time to acknowledge that data protection is not a one-day affair—it’s a daily commitment.  

Enter, the unsung hero, our Data Protection Officer (DPO) Lynsey Hanson with the compiled answers to the top 10 questions on the General Data Protection Regulation (GDPR) that everyone should know; especially those aiming to avoid the hefty fines we have seen since the introduction of GDPR back in 2018. 

1. What is GDPR? 

GDPR represents the most significant change to UK data privacy laws in two decades. Enacted on May 25th, 2018, it replaced the outdated Data Protection Act 1998, offering a unified set of rules designed to better protect personal data.   

Regulated by the Information Commissioner’s Office (ICO), GDPR aims to address the challenges posed by technology and the evolving use of data. 

2. Why was GDPR introduced? 

The original Data Protection Act became outdated with the rapid growth of the internet, leading to unforeseen uses of personal data, such as online behavioural advertising and social media. GDPR was introduced to address these changes, ensuring that individuals’ data is processed lawfully, fairly, and transparently.

3. Who does GDPR apply to? 

GDPR applies to any organization processing and holding the personal data of UK or EU citizens. This broad scope encompasses virtually every organization, emphasizing the importance of compliance for all entities.

4. What is a data breach? 

Organizations must safeguard personal data from misuse and exploitation. In the event of a data breach, GDPR enforces reporting specific breaches to relevant authorities such as the Information Commissioner’s Office (ICO) within 72 hours. 

5. What are the penalties for GDPR breaches? 

GDPR introduced a tiered approach to fines, where the severity of the breach determines the penalty imposed. The maximum fines for serious breaches can reach 4% of annual global turnover or £17.5 million.

Notable cases, such as Meta’s €1.2 billion fine in May 2023, highlight the significant financial consequences for non-compliance. 

6. What responsibilities do organisations have under GDPR? 

Organisations must adhere to six data protection principles outlined in GDPR Article 5. These principles include lawfulness, fairness, transparency, limitation, data minimization, accuracy, storage limitation, and integrity. By following these principles, companies can ensure the ethical and secure processing of personal data. 

7. What are GDPR ‘fundamental rights’? 

GDPR grants individuals several fundamental rights, including access, rectification, erasure, restriction of processing, data portability, object to processing, and the right to claim compensation for damages caused by infringements. 

8. Do I always need consent to process personal data? 

Consent is one of six legal bases for processing personal data under GDPR. Other bases include contractual necessity, legal obligation, protection of vital interests, public interest, and legitimate interests. Consent must be explicit, and sensitive data requires specific protection. 

9. How do I store personal data? 

Personal data should be stored on managed services whenever possible, utilizing encryption if stored on third-party devices. This ensures the security and integrity of personal data.  

10. Does everyone need a Data Protection Officer (DPO)? 

While not compulsory for all organizations, a DPO is required for public authorities or those engaging in large-scale systematic monitoring or processing of special categories of data. Companies may appoint a DPO voluntarily, but compliance with GDPR obligations remains paramount.  

Having a DPO is like having a security sidekick. After all, complying with Data Protection Regulation’s is a 24/7 job; it’s not just Data Protection Awareness Day—it’s Data Protection Every Day!

Conclusion: 

As we observe Data Protection Awareness Day on January 28th, understanding and prioritizing GDPR compliance is essential.

Organizations can enhance their compliance efforts through seeking professional advice from our DPO lynsey.hanson@tenintel.com, who can advise on available training, compliance gap analysis assessments, best practice guides and checklists.  

As technology continues to advance, staying informed and proactive, rather than reactive in data protection is the key in compliance.  

 

 

Mother of all Data Breaches!

Cyber security researchers have uncovered what is now considered the largest-ever data leak, exposing over 26 billion personal records. Sensitive information from major platforms like X (Twitter), Dropbox, and LinkedIn has been compromised on an unsecured web instance. 

Risk?

The leaked dataset poses an extreme risk, serving as a potential catalyst for a range of cyber-crimes. Individuals are urged to be cautious and take immediate action to protect their personal information. 

The Team at TenIntelligence are analysing this exposure and will be contacting our Clients to ensure work and personal emails are checked.  We will also be digging deeper into the data leak and bringing readers further insights on how to limit your exposure.

What happened?  

  • Discovered by Bob Dyachenko and Cybernews researchers on an unsecured web instance. 
  • 26 billion personal records exposed, making it the largest data breach on record. 
  • Affected sites include X (formally known as Twitter), Dropbox, LinkedIn, Tencent’s QQ, Weibo, MySpace, and government organizations. 
  • Cyber security experts warn of potential identity theft, phishing, cyberattacks, and unauthorized access. 

What next?  

  • Change passwords promptly, especially if concerned about personal data exposure. 
  • Avoid using identical passwords across multiple accounts. 
  • Enable two-factor authentication for enhanced security. 

This data breach demands swift action to secure personal information. Individuals should stay vigilant, update passwords, and leverage available tools to bolster online security.  

Should you have any questions or concerns about how to protect yourself and your business from Data Breaches, please reach out to our Data Protection Officer (DPO) Lynsey Hanson lynsey.hanson@tenintel.com or email dpo@tenintel.com  

New Email Marketing Guidelines for Improved Business Communication 

 

In February 2024, Google and Yahoo will implement updated email marketing guidelines, reshaping how businesses manage electronic communication. These changes centre on three key aspects: 

 

 

1. Confirming Email Legitimacy 

Email authentication is vital to ensure emails are genuine and not flagged as spam. Tools like DKIM, SPF, and DMARC authenticate emails, guaranteeing safe delivery to recipient’s inboxes. 

Example: A company can use DKIM and SPF to verify newsletters and promotional emails, boosting chances of avoiding spam filters. 

2. Simplifying Unsubscribing 

Providing a straightforward ‘unsubscribe’ link is crucial for recipients to manage their subscriptions easily and comply with regulations. 

Example: An e-commerce platform includes an ‘unsubscribe’ link in all marketing emails, following guidelines in personalised emails, giving recipients control over preferences.  

3. Sending Targeted and Consented Emails 

Ensuring emails are sent only to those who explicitly agreed to receive them keeps spam rates low, reaching an engaged audience genuinely interested in the content. 

Example: A software company monitors email metrics, adjusting content and strategy if there’s an increase in spam complaints, aligning emails with audience interests. 

 

Adapting Business Operations 

Businesses revamp email marketing creation processes by incorporating authentication methods across departments. Additionally, electronic communications such as promotional campaigns include ‘unsubscribe’ links. Regular analysis of email metrics becomes standard, guiding adjustments for compliance and audience engagement. 

 

Why These Changes Matter 

Beyond meeting regulations, these changes aim to enhance email security, improve recipient experiences, and maintain trust between senders and receivers. 

 

Next Steps for Businesses 

Businesses are encouraged to proactively adopt email authentication methods, update communication protocols with ‘unsubscribe’ links, and consistently monitor email metrics. Collaboration with platforms can ease this transition. 

These changes promise a safer and more effective landscape for email communications, strengthening connections between businesses and their audiences.  In this context, the role of a Data Protection Officer (DPO) is crucial. With the guidance of a DPO, organisations can proactively update business operations in line with these email marketing guidelines to succeed in the digital age, gaining trust from audiences and partners. 

Feel free to contact our DPO officers for a consultation on handling your company data.

 

Lynsey Hanson

Written by

Lynsey Hanson | Data Protection Officer

lynsey.hanson@tenintel.com

Digital Forensic Intelligence

In our last article, Keeping Cyber Simplified, we outlined how your organisation can implement a Cyber Security Framework. As part of the Framework, using forensic intelligence in response to an incident (cyber-attack, hack or data breach) is vital, not only in identifying the perpetrators but also to learn from the event and incorporate new measures to mitigate the risk from occurring again. 

 

What is Digital Forensic Intelligence? 

Digital forensic intelligence and investigations is a discipline that provides evidence to support an internal investigation, data breach or cyber-attack. The importance of preserving, identifying and gathering digital evidence is key to successful litigation, dispute resolution and the recovery of electronic data. 

Digital forensic intelligence investigators are trained to safely preserve and examine data found on digital devices and networks often identifying the root cause of incident and evidence. They have a working understanding of the legalities, best practice and methodologies used in the current corporate digital forensic environment. 

 

Preservation of Evidence in a Cyber-Crime Investigation

During or after a cyber-crime, related attack or unauthorised event, it is essential to identify and secure any known network devices that may contain digital evidence and/or unauthorised access activity.   

Investigators must follow evidence continuity protocols, demonstrating appropriate exhibit handling, data collection and preservation, through to forensic examination and investigation. 

It should be noted that the preservation of large data sources from networks and devices will take time to preserve, process and filter.  Stakeholders should be made aware of this at the start of any forensic intelligence process, so that they can implement operational measures and manage expectations of any relevant external parties.  It is not uncommon for large digital data sets to take several days to preserve and process. 

Therefore, whilst the device preservation is being processed, the forensic intelligence investigator can turn to the preservation of Windows Event Logs and other audit logs acquired from within online platforms such as Office365, SharePoint etc, as these logs will be paramount to supporting the investigation.   

Note that most organisations using Office365 will have their event logs set at a default of 7 days, therefore it is imperative that this forensic intelligence is gathered as soon as possible. 

 

Forensic Examination

Once the evidence has been seized and preserved, the forensic analysis and examination can begin, including the imaging (producing a working copy) of all digital data from the devices collected using specialised forensic software and hardware. The imaging allows the original devices to be preserved as an evidential exhibit, leaving the imaged version (copy) to be forensically tested and analysed. 

During this phase it is important to keep continuous communications with key stakeholders, including senior management, incident response teams, regulatory authorities and if necessary, your cyber-insurance company.  

Although, communications should be clear and regular, forensic investigators must also be allowed where possible, to conduct their examination without distraction.  The forensic intelligence process can be quite a complex process and many hypotheses will need to be tested to provide factual opinion on what happened during the event.  

 

Testing Cyber-Crime investigation hypotheses 

Forensic intelligence investigators will commonly look at the following hypotheses as part of the examination process: 

  • examine all compromised accounts and systems accessed by the perpetrator/attacker 
  • identify, secure and analyse relevant support information and data from servers, cloud platforms, routers and other network devices 
  • identify the root cause of the incident, data breach or cyber attack 
  • examine event logs for evidence of unauthorised access 
  • look for any patterns of unauthorised access 
  • assist in providing evidence around the perpetrator’s profile and how technical defence mechanisms were breached 
  • undertake traditional analysis of deleted files, browser history, access logs and file sharing 
  • examine chronological System Services, Windows Event Logs, Log Files, Jump Lists, Shellbags and other digital logs. 

Once all reasonable forensic intelligence hypotheses tests have been completed, it is best practice for investigators to provide factual updates to stakeholders outlining the details of each examination that has been conducted, and clearly communicate the key results from each examination in a forensic report.  If necessary, these reports can then be shared with the relevant authorities or counsel to enforce any regulatory or legal actions against the perpetrators. 

 

Prevention 

Once all the forensic examinations have bene completed, stakeholders and the forensic intelligence investigators can evaluate how to prevent future incidents, data breaches and cyber-attacks. If necessary, organisations can then work with Protective Technologies partners to implement patch management and remove vulnerabilities and immediate threats to the organisation.  

 

How we can help 

Our understanding of cyber-crime threats, data protection, data security procedures and assessing vulnerabilities, allows our Team to provide Clients with measures to mitigate the risk of a cyber-crime, attack and/or data breach.  

If you need assistance or have suffered a data breach or cyber-attack, our Forensic Intelligence Team works with a variety of clients, including law firms and Insolvency Practitioners, helping them preserve digital devices and secure data found during a cyber event, investigation or company liquidation. 

We assist clients recover and investigate material found in digital devices, including hard-drives, servers, laptops, smart-phones, networks and storage media. 

If you need help implementing a cyber-security strategy, contact us at cyber@tenintel.com for a free 30 minute consultation.  

If you need assistance with a forensics intelligence investigation, contact us at forensics@tenintel.com. 

 

Written by

Neil Miller, CFE | Founder and CEO 

Watch out for Business Payment Fraud this Christmas 

The festive period is undeniably a hectic time of year. According to the FCA, many people are concerned about being able to afford Christmas and resort to borrowing money to cover the costs. This also leads to a rise in fraudsters looking to take advantage of people’s desperation.   

However, it’s not just parents with young children who are concerned with fraud this Christmas.   

According to a study conducted by Trustmi, 75% of business leaders admitted to feeling more concerned about business payment fraud this season compared to other times of the year. In addition to this, 63% admitted that their businesses have experienced some form of business payment fraud during the Christmas period.   

A combination of increased transactions and workload, business initiatives and activities, distracted consumers, and sophisticated cybercriminals creates a perfect storm for fraudulent activities this time of year.   

 

What is Business Payment Fraud?

Business payment fraud – also known as invoice fraud or corporate payment fraud – is committed when fraudsters exploit vulnerabilities in a company’s financial systems and processes with the goal of illicitly obtaining funds or manipulating financial transactions for personal gain. Businesses and companies of all sizes can be targeted, however certain sectors can be more at risk, such as real estate, retail and financial services. Any business that deals with large amounts of money and has access to public records are at risk.   

Fraudsters employ various techniques and tactics to commit business payment fraud. One common tactic is phishing – sending payment requests from unauthorised or malicious email addresses. Fraudsters also utilise social engineering to manipulate their victims, such as pretending to be a person of authority in the organisation to trick employees into sending money quickly. Fraudsters will also resort to creating counterfeit invoices and payment requests. However, business payment fraud can also be caused by simple human error, such as the wrong payment amount gets sent to a false account due to internal mistakes.   

 

Fraud Prevention Strategies to implement this Christmas

In order to avoid falling victim to fraud, it is essential to understand the latest fraud schemes, how they are implemented, and how they can affect your company. If you think your business may be a potential target for fraudsters, then the next step is to implement cybersecurity strategies to prevent fraud attacks. This can mean using anti-fraud tools that can detect fraud and protect business accounts from unauthorised transactions. It is also recommended to implement basic fraud prevention techniques, such as dual controls, and segregation of duties so no single person has unrestricted access to business accounts.  

Finally, you can also conduct refresher training on company policies and procedures on security and reporting fraud, so all members of staff know what to look out for.   

 

TenIntelligence Thoughts

As businesses prepare for the festive season, it is important to stay vigilant and take the essential steps to safeguarding themselves against business payment fraud. Be sure to implement a comprehensive cybersecurity strategy and educate your employees and customers on the associated risks to ensure a safe experience.   

If you think you or your business has experienced business payment fraud, do not hesitate to contact us at info@tenintel.com.   

 

Written by

Rachael Legg | Senior Analyst

Workplace Monitoring: Balancing Productivity and Privacy 

The landscape of remote work presents a challenge for employers: how to monitor workers while respecting their rights and maintaining a balance between productivity and privacy. The Information Commissioner’s Office (ICO) has stepped in with crucial guidance, aiming to help employers navigate through what could become an area of complexity.  

workplace monitoring

Survey Findings 

A survey conducted by Survation of 1,012 UK adults found that: 

  • 19% believe they’ve been monitored by a current or former employer. This belief varied across age groups: 23% of 18-24s, 25% of 25-34s, and 11% of those aged 55+. 
  • Common monitoring practices among those who felt monitored included timekeeping and access (40%), followed by monitoring emails, files, calls, or messages (25%). The least common practice was taking screenshots or webcam footage (10%). 
  • 70% find employer monitoring intrusive, while 21% do not. 
  • Younger individuals (18-24s) are less likely (60%) to find monitoring intrusive compared to older individuals (55-64s) at 76%. 
  • Those earning less than £19,999 (63%) find monitoring intrusive compared to 72% of those earning £40,000+. 
  • The most intrusive practices include monitoring personal devices (83%), recording audio and video (78%), and taking screenshots or webcam footage (77%). Monitoring timekeeping and access is seen as least intrusive (47% find it intrusive). 
  • 57% would feel uncomfortable taking a job where monitoring is known, while 19% would feel comfortable. 
  • Men (22%) are more likely than women (16%) to feel comfortable, and younger individuals (26%) are more comfortable compared to older individuals (14%). 

Understanding Workplace Monitoring 

Workplace monitoring can include various checks on work quality, health, safety, and regulatory compliance. It extends to security measures and data analytics for inferring worker performance and well-being. Compliance with data protection law requires monitoring to be conducted lawfully and fairly, both on and off work premises and hours. 

Monitoring technologies and purposes may include: 

  • camera surveillance including wearable cameras for the purpose of health and safety; 
  • webcams and screenshots; 
  • technologies for monitoring timekeeping or access control; 
  • keystroke monitoring to track, capture and log keyboard activity; 
  • productivity tools which log how workers spend their time;
  • tracking internet activity and keystrokes; 
  • body worn devices to track the locations of workers; and 
  • hidden audio recording. 

Impact of Excessive Monitoring

Excessive monitoring jeopardizes privacy, mental well-being, and data protection rights. Distinguishing between work-related and private information becomes challenging, especially with the prevalence of homeworking and the use of personal devices for work. 

Ensuring Lawful Workplace Monitoring 

While data protection law doesn’t bar monitoring, compliance is essential. The Human Rights Act and General Data Protection Regulation, emphasizes respecting workers’ private and family lives, particularly in homeworking contexts. Balancing business interests with workers’ rights, monitoring should be fair, transparent, and minimally intrusive to serve its purpose. 

Identifying a Lawful Basis 

Employers must identify a lawful basis for collecting and processing monitoring information. The ICO outlines six options: Consent, Contract, Legal obligation, Vital interests, Public task, and Legitimate interests. Assessing the best fit among these bases involves considering the purpose and context of monitoring. 

Legitimate Interests and a Three-Part Test 

Legitimate interests, the most flexible basis, entail a three-part test: Purpose, Necessity, and Balancing. Employers must establish a legitimate interest, its necessity for that purpose, and ensure it doesn’t override workers’ interests, rights, or freedoms. 

 

In Conclusion 

As workplace monitoring evolves alongside technology and remote work becomes standard, the ICO’s guidance remains a crucial compass for employers. It not only defines the legal framework but emphasizes the need for a thoughtful and balanced approach. Although there’s guidance available, it can still have some ambiguity. Which is why consulting a Data Protection Officer (DPO) is so valuable. This ensures a workplace culture that respects privacy in our ever-changing work world. 

For advice on how to lawfully monitor workers, please reach out to me lynsey.hanson@tenintel.com

Happy navigating!

 

Lynsey HansonWritten by

Lynsey Hanson | Data Protection Officer

Keeping Cyber Simplified.

The exponential rise in cyber-attacks, ransomware reports and data breaches has given organisations of all sizes an increased focus on securing personal and company data. 

Cyber-crime and attacks are becoming increasingly more sophisticated and stealthier, targeting people, organisations, supply chains, data networks and company devices.  Threat actors (criminals) are continuously looking for vulnerable targets that do not have up-to-date security and technical processes in place. 

“Cyber-Security” is a phrase that we all know, yet do we actually know how to incorporate cyber-security into our working and personal lives?  Does applying anti-malware software to your operating systems give you enough protection?  Do employees and family members know how to spot a potential threat? Are your cyber-security measures fit for purpose, or a one size fits all approach? 

If you are reading this article, then you will likely be looking for assistance, or at least a starting point in strengthening your cyber-security protection measures. 

There are many forms of cyber-attack, but the most common is ransomware.  Once an organisation’s systems have been penetrated, the criminals will deny access to the systems by adding a level of sophisticated encryption that can’t be restored.  The criminals will then apply pressure on the organisation to pay the ransom to release the encryption, and on payment give access back to your systems. 

This kind of attack will directly affect an organisation’s workflow, reputation, operations, supply chains and depending what industry sector, it can in some cases, affect life or death situations. 

Did you know? 

  • 91% of successful data breaches start with a spear email-phishing attack. 
  • 10-15% of email-phishing attacks are making it through your filters. 
  • Ransomware has increased by 229% since 2017 with approximately 600 attacks every minute. 
  • In 2022/2023, 72% of organisations were affected by a ransomware attack. 
  • “Ransomware-as-a-Service” is freely available to buy on the web, enabling anyone to create a cyber-attack.
  • 80% of organisations who pay the ransom were subject to another attack (as the criminals know you will pay!). 
  • The average ransom fee is £200,000, however, the largest reported ransom paid was $40million. 

More than ever, employees are often the link in the vulnerability of an organisation’s network security. They are frequently exposed to sophisticated phishing and ransomware attacks. Our paramount advice is to train your employees, help them be the first line of defence and remain vigilant. 

Consequently, understanding cyber-crime threats, identifying vulnerabilities and implementing security procedures will help mitigate the risk of a cyber-crime, attack and/or data breach. 

Benefits of implementing a cyber-security framework

Implementing a cyber-security framework provides several benefits for organisations. It helps: 

  • Identify and prioritise cyber-security risks 
  • Enable a proactive approach to cyber-security 
  • Provides a common language for communication among stakeholders 
  • Sets standards for establishing and maintaining a robust cyber-security posture 
  • Reduce operational risk and potential reputational and financial impact of cyber-attacks and data breaches 
  • Facilitate compliance with regulatory requirements 
  • Demonstrate a commitment to cyber-security to customers and stakeholders 

 

How to implement cyber-security measures 

The proposed place to start is to follow and implement a cyber-security framework; as outlined in the checklists below. 

IDENTIFY | PROTECT | DETECT | RESPOND |RECOVER 

 

Identify

The best place to start is to understand and record where your information is stored, who has access to the information, and then grade which data sets are critical to your operations.   

If for example, every employee has access to all areas of your data infrastructure, consider applying access control measures to limit who has access to the data. 

Next, assess what, if any, security measures you have in place already. Are they active, if so, do they need updating? 

These assessments will help form your governance framework and help determine where your vulnerabilities are. 

IDENTIFY 

  • Conduct assessments across your organisation to identify physical assets, connectivity, third-party infrastructure and current security provisions. 
  • Review your currentgovernance framework and risk mitigation strategies. 
  • Provide you with a “Gap Analysis” that identifies immediate control weaknesses, threats, vulnerabilities, strengths and areas for development. 
  • Create a “Risk Register” and identify your critical list of control weaknesses versus actions required by best practice cyber-security guidelines and/or privacy legislation. 
  • Review your current cyber insurance policy and cross reference with your cyber-security posture. 
  • Develop and provide you with a clear “Framework Road Map” needed for regular review of security controls. 

 

Protect

This phase is all about improving and implementing measures to combat your cyber-security threats.; and will include developing better processes and procedures, and communicating these to the whole organisation. 

Introducing written policies, staff training and awareness sessions will help change your organisation’s culture and approach to preventing cyber-attacks from happening in the first place.  

Depending on the size and sector of your organisation, you may need to invest and incorporate additional protective technologies to enhance your cyber-security posture. 

PROTECT 

  • Review your “Framework Road Map” and introduce specialist cyber-security software and hardware Protective Technologies to add value to your cyber-security posture. 
  • Review your policies & procedures  and provide you with a plan for “Cyber-Security Protection by Design”, needed to ensure compliance. 
  • Improve your cloud/server/network access controls and privileged user accounts. 
  • Review the information security provisions and vulnerabilities of external cloud platforms, third-party applications and supply chain. 
  • Implement Cyber Essentials, Cyber Essentials Plus accreditation, or support an ISO27001 (or equivalent NIST) certified Information Security Management System. 
  • Assess your organisation’s firewalls, encryption, anti-virus and malware security provisions. 
  • Implement a “Response Team”, and define security roles and responsibilities. 
  • Implement an accountability, communications and reporting line structure. 
  • Design and coordinate a business and disaster recovery plan during a cyber-security event or crisis. 
  • Design and implement consistent security audits into regular working practices. 
  • Coordinate an educational awareness plan and implement training activities for all employees and stakeholders. 
  • If required, provide your organisation with an outsourced and independent Chief Information Security Officer (CISO) and participate as an independent member of your “Risk Supervisory Board”. 

 

Detect

Once your cyber-security posture and the culture is in a good position, the next phase is to consider identifying technical gaps in your security. This will include bringing in penetration testing measures and working with your protective technologies to highlight technical threats to your organisation. 

It is good practice to keep monitoring the work you have already completed and ensure that regular testing has been incorporated into your working practices. 

It is also worth performing cyber-security due diligence with all your key vendors and supply chain, to ensure they are also following your protocols, or at least a high standard of cyber-security. 

DETECT 

  • Conduct specific internal & external penetration testing to identify operational and control weaknesses, highlighting areas for development. 
  • Coordinate and work with Protective Technologies partners, reporting on vulnerabilities and immediate threats to the organisation. 
  • Identify connection gateways to the internet and other communication systems. 
  • Conduct information and connectivity audits across the organisation to review, identify and assess where sensitive data is held and/or shared. 
  • Perform security due diligence into supply chains, clients and key employees. 
  • Examine mis-configurations and internal/external unauthorised access. 
  • Continuously review and update your “Framework Road Map” and policies & procedures to ensure continued compliance and protection. 

 

Response

Now is a good time to test your incident response and reporting procedures. This can be in the form of desktop exercises incorporating different scenarios.  Take any learnings from this phase, and add these to your cyber-security framework. 

Hopefully this will not happen, but in the event of a cyber-attack or data breach event, you will now be well equipped with a response plan that will assist you with your reporting obligations and communications with relevant parties. 

RESPONSE 

  • In the event of a cyber-security event and/or data breach, implement a 24hrs a day incident response support Response Team. 
  • Coordinate and implement business continuity planning measures to mitigate threats. 
  • Work with Protective Technologies partners and assist the Response Team react to vulnerabilities and immediate threats to the organisation. 
  • Test and review the Response Team’s communication and reporting line structure. 
  • Where necessary, improve communication methods and response to cyber threats. 
  • Identify cyber threat trends and implement necessary protection strategies. 
  • Continuously review and update your “Framework Road Map”, roles & responsibilities, policies & procedures to ensure continued compliance and protection. 

 

Recover

Lastly, after a cyber-attack or data breach, it is vital to learn from such an event, not only to determine how the event happened, but also how you responded during and after the event. 

RECOVER 

  • Continuous communication with key stakeholders and supervisory authorities. 
  • Liaise with the cyber-insurance company and implement recovery measures. 
  • Work with Protective Technologies partners and to implement patch management and remove vulnerabilities and immediate threats to the organisation. 
  • Review and update the Response Team’s communication and reporting line structure. 
  • Review the Response Team’s reaction to vulnerabilities and threats to the organisation. 
  • Improve business continuity training activities. 
  • Implement forensic analysis to identify root cause of security threats. 
  • Continuously review and update your “Framework Road Map”, roles & responsibilities, policies & procedures to ensure continued compliance and protection.

How we can help 

Our understanding of cyber-crime threats, data protection, data security procedures and assessing vulnerabilities, allows our Team to provide Clients with measures to mitigate the risk of a cyber-crime, attack and/or data breach. 

Working alongside the client’s team of technical, IT, risk and compliance leaders, TenIntelligence acts as a CISO, an extension of in-house resources.  We help assess an organisation’s cyber risks by designing and implementing a cyber-security strategy and culture through policies, procedures and controls needed to strengthen defences and achieve compliance standards. 

If you need help implementing a cyber-security strategy, contact us at info@tenintel.com for a free 30 minute consultation. 

 

Written by

Neil Miller, CFE | Founder and CEO

Industry Insights – Added Protection for Our Clients

Industry Insights, character and regulatory references complement and add value to quantitative data and information with respect to individuals, entities and markets. Industry Insights are a crucial part of Due Diligence research and provides clients with deepened understanding and valuable context in respect of people’s characters, entity workings and events/circumstances. It is especially valuable when trying to capture sensitive or adverse information. 

What are Industry Insights? 

Industry Insights involve interviewing previous co-workers and business associates of the individual/entity in question to obtain qualitative data with regards to their operational capabilities and any possible red flags regarding their professional and sometimes personal history. 

As well as supplementing the information we have already obtained, these interviews are invaluable for discovering new points of interest, especially with regards to sensitive subjects such as litigation, insolvency, bad press or character flaws. 

The interviews are conducted by our team in multiple languages who are highly skilled in this field. It is not sufficient to simply ask questions from a set list. Our team can adapt lines of questioning to obtain detailed information or explanations of points of interest we have identified.  

Our team achieve this by preparing extensively for these interviews, including thorough background research on the subject’s professional history.  

We assess the relevance and credibility of each source before contacting them. This is to ensure that we can garner the maximum amount of information possible from each interview. 

Our interviews are usually conducted virtually, allowing us to contact sources worldwide. 

In most cases, we will receive authorisation from the individual in question to contact sources for interviews. However, if there is legitimate interest regarding the prevention of financial crime, we can conduct discreet interviews.  

What Red Flags are identified through Insights? 

Industry Insight not only allows us to further explore an individual’s professional history, but also investigate how the Insight subject behaves in a professional setting. For example, although a Subject may look to have no issues on paper, we have encountered instances where a source had provided serious criticism of a director’s management style or boardroom etiquette.  We have also had cases where interviews with Insights have exposed possible regulatory violations by a director. 

A Source can provide further insight into any possible accusations of fraud or other potential crimes that have been identified for the Subject. This allows us to clarify whether these represent a serious red flag or not. Read more on how Due Diligence reveals potential red flags

Why are Industry Insights vital for Enhanced Due Diligence? 

Industry Insights allow our team to obtain new, qualitative data that can be synthesised with the information we have obtained through our standard searches to produce a high-quality overview of an individual’s background. This allows our clients to make informed decisions with a plethora of thoroughly researched data supporting their conclusions. 

For further information on our due diligence, intelligence and investigation services please contact us on info@tenintel.com. 

 

Written by

James Weeds | Senior Analyst