Security in your business – Getting your processes right
Although this is not entirely an employment law matter, I wanted to warn you about ‘cyber fraud’ and to emphasise why it is necessary to ensure that you and your staff have the correct training and information about your processes, particularly the steps to take to secure your business against fraud and cyber crime.
I have been contacted by several clients and heard from a few business contacts recently about incidents that have taken place and businesses who have been the victims of this fraud or who have had a near miss.
The fraud involves someone in the business receiving an email which purports to be from a colleague or senior manager, and which on the face of it looks like a legitimate email. The content of the email then requires the urgent transfer of money to a bank account, the details of which are included in the email.
The outcome on at least two occasions was that the person receiving the email sent money to the bank details in the email. Of course it then turns out that the account does not belong to a legitimate business or customer and the money cannot be traced. The business is then left in the position of having to try to recover the money, which can be extremely difficult and often impossible.
The problem is that the emails look very much like the everyday emails the employee receives, and you can see how it works: someone is really busy, they get an email from their boss asking for an urgent payment or transfer, and they just get on and do it.
This is why you need to educate your employees and ensure that you have a robust system in place that covers your protocols for making money transfers or payments.
As a minimum I recommend:
- Only authorise specific people to be able to make bank transfers or payments;
- Have a protocol or process in place that must be followed before payment or transfers are made in all circumstances;
- Educate all employees on how to spot fraudulent emails.
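As an added illustration (not part of the original post), the following Python script shows how the warning signs described above can be checked mechanically before a payment request is acted on: a sender display name that matches a known manager but comes from an unfamiliar address, replies diverted to an external address, urgency language, and bank details in the message body. The internal domain, the staff directory and both sample emails are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed staff directory: display names of senior staff and their real internal addresses.
INTERNAL_DOMAIN = "example.co.uk"
STAFF = {"Jane Smith": "jane.smith@example.co.uk"}

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|today|asap|before (close|end) of)\b", re.I)
# UK-style bank details: a 6-digit sort code and an 8-digit account number.
SORT_CODE = re.compile(r"\b\d{2}-?\d{2}-?\d{2}\b")
ACCOUNT_NO = re.compile(r"\b\d{8}\b")

def impersonation_indicators(raw: bytes) -> list[str]:
    """Return the warning signs found in one raw email message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"] or "")
    _, reply_to = parseaddr(msg["Reply-To"] or "")
    text = (msg["Subject"] or "") + "\n" + msg.get_body(preferencelist=("plain",)).get_content()
    findings = []
    known = STAFF.get(name)
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' used with unknown address {addr}")
    if reply_to and reply_to.split("@")[-1].lower() != INTERNAL_DOMAIN:
        findings.append(f"replies diverted to external address {reply_to}")
    if URGENCY.search(text):
        findings.append("urgency language")
    if SORT_CODE.search(text) and ACCOUNT_NO.search(text):
        findings.append("bank account details in message body")
    return findings

def requires_out_of_band_check(findings: list[str]) -> bool:
    """Payment protocol: any header anomaly, or urgency combined with bank details,
    means the request must be confirmed by phone or in person before paying."""
    header_anomaly = any(f.startswith(("display name", "replies diverted")) for f in findings)
    payment_lure = "urgency language" in findings and "bank account details in message body" in findings
    return header_anomaly or payment_lure

# Constructed sample: a look-alike domain impersonating the managing director.
SAMPLE = b"""From: Jane Smith <jane.smith@exarnple-mail.com>
Reply-To: Jane Smith <jsmith.ceo@exarnple-mail.com>
To: accounts@example.co.uk
Subject: Urgent payment

Please transfer 24,850.00 GBP today to the supplier below, I am in meetings all day.
Sort code 40-12-34, account number 12345678.
Jane
"""
```

Running `impersonation_indicators(SAMPLE)` reports all four warning signs, so `requires_out_of_band_check` returns True and the payment must be verified with the real Jane Smith before anything is sent.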
I recommend that you ensure all employees receive regular training or updates on cyber crime and fraud, as the different types of fraud evolve fairly quickly.
In addition, you also need to consider how you would address this issue with an employee who inadvertently makes a payment or transfer following a fraudulent email or communication. If you have clear procedures and protocols in place then it would be reasonable and fairly straightforward to deal with it as a disciplinary offence; however, it becomes harder if you don’t have any processes or procedures. You can still investigate in accordance with your disciplinary procedure, but you would need to carefully consider the reasonableness of your decision. In the absence of clear guidance for employees you would need to look at the way you have operated in the past and what is considered to be normal practice.
You may also wish to consider whether you would want to have the option of recovering the money lost from the employee responsible. It is necessary to think about this in advance as you will need to add a clause in your employment contracts and/or details in your staff handbook which enable you to recover money from the employee in the event that they are negligent.
I would be very happy to provide you with some resources to help you set up a policy to prevent this happening, and also to assist you in getting those clauses into your contracts and procedures to protect your business should you need to.