DEFENCE MECHANISMS
If you’re in business, you’re at risk – a target to all sorts of continuity exposures…
If you’re in business, you’re at risk – a target to all sorts of continuity exposures, and not just natural disasters. Risk management is a vast subject that narrows down to one indisputable fact: the best defence strategy is to be prepared.
The definition of risk management, according to the International Risk Management Institute website, is: “The practice of identifying and analysing loss exposure and taking steps to minimise the financial impact of the risks they impose.”
Perhaps a layman’s definition could simply be – staying on top of the challenges that keep business owners awake at night!
There is so much that can be lumped under the heading of risk management – from those increasingly frequent natural disasters to technology risks such as cyber-threats, risks associated around worker safety, late payments, volatile markets, new regulations, the economy – we could go on.
Instead, we’ve selected some key risk exposures and gone to the experts for some strategies and advice. It’s far from comprehensive, and the risks are in no particular order – but tuck yourself in, and let’s see if we can get you sleeping more soundly!
1. Cyber-security
Let’s kick off with the risk that arguably causes the most grief – cyber-security.
In a global survey conducted by Marsh and Microsoft, 60 percent of New Zealand respondents listed cyber incidents in their top five risks, and only 22 percent said they were highly confident in managing, responding and recovering from one. What’s more, 43 percent of respondents did not assess the cyber risks of their vendors or suppliers.
The 2017 Norton SMB Cyber Security Survey found that almost one quarter of Kiwi SMBs (24 percent) had experienced a cyber-attack or hacking attempt compared to 18 percent in 2016. And cybercrime cost New Zealand SMBs an average of $15,592 in the past 12 months.
Large scale global ransomware attacks and the rise of cryptocurrencies have dominated headlines – the latter contributing to an increase in cryptocurrency scams, with its associated crypto-mining (programs that steal computer and mobile phone resources, slowing down and even damaging devices).
Phishing campaigns that steal data on people are becoming increasingly sophisticated; spear phishing is a targeted version where the attacker emails specific people asking for information. CERT NZ, the government-backed agency charged with improving the country’s cyber-security, has seen a report involving a chief executive posting comments on social media while away at a conference. A seemingly legitimate email is then received by his company’s accounts payable ‘from the CE’, requesting to urgently pay an invoice. By the time CE returned, the money had gone.
Another disturbing example was the Office 365 phishing and ‘credential harvesting’ campaign that circulated in 2017.
Rob Pope, director of CERT NZ, says no business is too small to be targeted. “With the increase in opportunistic cyber-attacks, anyone can be affected. It’s not about living life in fear, or not doing new things because there could be risks, instead it’s about having a solid foundation of cyber-security actions that are easy to implement.”
Pope says small businesses should also think about how mobile devices are used as part of business work, to prevent attackers gaining access to data.
“Your mobile devices need the same level of management and control as any other device.”
(For information about what different cybersecurity issues are and how they can affect you, visit: https://www.cert.govt.nz/businesses-and-individuals/guides/)
Norton is a rich source of security tips as well – a standout involves default passwords.
Make it a habit to change default passwords on all network-connected devices, like smart thermostats or Wi-Fi routers, during set-up. And if you decide not to use Internet features on various devices, disable remote access as an extra precaution.
Multifactor authentication is another simple measure for protecting yourself, and your business, from the cyber-attacks mentioned here.
But we’ll leave the final word on cyber-security to Ashley Wearne, GM Australia and New Zealand for Sophos (the company behind Intercept X, an endpoint protection product).
“Cyber-attacks are real and happening every day, to businesses of all sizes – and it’s not just an IT issue. It’s vital that all levels of the business understand the exposures, risks and business implications posed by the technologies keeping us connected.”
2. Health and safety
Worker health and safety (H&S) is another important consideration under the umbrella of risk management. Nowadays technology plays a major role in ensuring that businesses meet their obligations under New Zealand’s H&S regulations.
An example of this is safety monitoring technology being marketed by Get Home Safe (GHS) – a Kiwi-developed service combo of cloud-based software and GPS-enabled mobile app.
If you have staff who travel or work alone, there is an element of risk that if something goes wrong they may not be able to call for help. GHS doesn’t just share your location, it proactively checks you are OK and is backed by a robust overdue alerting process.
“It’s this risk of not being able to call for help yourself that greatly compounds all other risks associated with any employees traveling or working alone,” explains GHS director and founder Boyd Peacock.
“GHS fits into travel or working alone policy and procedure as being the fail-safe way for all staff to record their work intentions and check in to confirm they are OK, either during or at the safe completion of what they are doing.”
It’s the safety net that sits below every other measure you have in place to cover all obscure, highly unlikely and unforeseen situations, he adds. “To ensure no employee’s left in a situation where they need assistance, [and there’s nobody around].”
Peacock anticipates more companies phasing out manual ways of doing things and automating across every aspect of their admin and safety systems.
“It is fine and well to make it policy you must phone into the office at the start and end of every high-risk task, but the practicalities of actually doing that and keeping a record soon becomes onerous,” he explains. “Which is where GHS makes things quick and easy.”
Peacock is amazed at the variety of applications for his technology. These range from ferry operators logging trips and passenger numbers, lab workers ‘pressing a button’ hourly, aged-care workers checking in after a home visit, and truckers checking in after 14 hours on the road.
“One of the more unique situations we know about is a regional council using Get Home Safe while flying staff between mountainsides planting for erosion control. Staff on the ground, in the air and on the road had full situational awareness on the same screen.”
Peacock says companies are looking for a technology that does much more, and is less error-prone, than simply texting or phoning.
“GHS has a 12-month retention rate of more than 90 percent, so we must be doing something right.”
3. Payment protection
With online shopping growing exponentially, Card Not Present (CNP) and tap-and-go style payments have become hugely popular. While these changes are welcomed in the market, they’ve led to a dramatic increase in fraud for merchants.
“Failing to update to technologies that deal with new payment types only mean greater cost implications for businesses, whether in the form of increased fraud, chargebacks or customer dissatisfaction,” explains Andrew Reszka, Verifi’s regional lead-Australia and New Zealand.
“For merchants and banks alike, this can have enormous cost implications – in the hundreds of millions of dollars.”
For every non-fraud dispute that results in a chargeback the bank charges a fee, he says.
“Often, this fee falls to the merchant who may experience recurring disputes, whereby they struggle to distinguish between legitimate and fraudulent claims – putting themselves at risk of being out of pocket for goods or services provided.”
Reszka believes it’s up to merchants and banks to tackle the issue in a more collaborative manner. To address the issue, Verifi’s primary offering is a chargeback prevention tool. The Cardholder Dispute Resolution Network (CDRN) is a “closed loop” platform that connects global card issuing banks with merchants, to resolve cardholder disputes, often within 24 hours, rather than the current industry average of 30 days.
Also, Verifi’s Order Insight (OI) solution manages dispute deflection before it even reaches the point of becoming a chargeback.
4. Contingency planning
Contingency planning is a key element of risk management, particularly in New Zealand given the number of natural disasters the country experiences. It’s for this very reason that more Kiwi businesses are embracing offshore data centres, Australia in particular, explains Joshua Bartlett, southern region manager-enterprise for information management specialist OpenText.
He says businesses are running a disaster recovery strategy where data is replicated in two data centres located hundreds of kilometres apart, to help reduce potential downtime and disruption. “As technologies advance, however, contingency planning also needs to incorporate potential impacts of security incidents, both internal and external, not just the effects of climate change and natural disasters.”
In terms of developing a contingency plan, Bartlett says it’s essential to understand the information that is critical to keeping a business running at optimal level, and how this could be impacted in the event of an emergency.
“Start with the key information – what can’t go offline, what information needs to always be available and who has access to it – and then form an overall strategy.
“This is not a linear process by any means, and requires engagement across the entire business to ensure all key information is incorporated in the contingency plan and overall risk management process.
“Following this structure will ensure that when an emergency occurs, information either never goes offline or is available as soon as possible,” he says. “This entire process should engage IT partners and risk management firms where relevant, to help and develop comprehensive business contingency plans.”