Tony Skinner 00:02
Hi, and welcome to the podcast channel www.podcastmybusiness.com.au. And today we have Darren Murphy from www.coreintegrity.com.au. Hi, Darren, how you doing?
Tony, I’m doing pretty good. And in the current times, to be honest, that can be a challenge for many.
Tony Skinner 00:19
Yeah, whereabouts are you located?
So we’re located in Sydney, in a nice little suburb of Crows Nest on the north side, and we operate across the whole country.
Tony Skinner 00:31
I’m in Sydney as well, I’m just down the road from you. So there you go. So we can get out and about. We feel sorry for our Melbournian brothers and sisters, but hey, you know, what can you do? Alright, cool. So, what I wanted to cover: we’ve had a couple of interviews in relation to cybersecurity. We’ve had one covering the core cyber security issues, another one we just had related to training for cyber security. But we also need to cover off on the more physical side of security and cyber security, especially as so many people are obviously working from home at the moment. And there’s huge risks with doing that.
Yeah, absolutely. I mean, a lot of focus goes on to cybersecurity in terms of the technology itself. But the stuff that we get involved in and what we see is, you know, you are only as strong as your weakest link. And often that is your people in terms of what they do, whether they follow the policies and the procedures and whether they’re up to speed on what they shouldn’t be doing. And importantly, you know, how the organization actually then investigates and responds to a cybersecurity issue.
Tony Skinner 01:42
That’s what I guess they asked you to come in and is that the area of workplace investigation services and like,
Yeah, that is. So we do a range of workplace investigations. So all the common stuff that you see around, you know, fraud and corruption and bullying and harassment, but increasingly, we’re getting called upon to use a network of experts to do cyber response in terms of investigation. So that’s examining material and looking through laptops and different things to try and understand what’s taking place. And the reason we get brought in quite often, it’s because of our strong food record background. So looking at small to medium enterprises that have had an email compromise, which is known as a BEC, business email compromise, and having a look at how that’s taken place, and whether the bad actors are still sitting in their network on their computers.
And what you often say, Tony, is that they sit in the environment or on the laptop for a period of months, they mimic the employees’ behavior, and at the right time they strike by writing a fake email and changing an invoice and then asking for payment details to go to a new account. And that’s how most small medium enterprises are losing money these days with business email compromises.
Tony Skinner 02:51
Yeah, absolutely. And I would just touch on your background with frauds and scams with the New South Wales Police and also the Commonwealth Bank. So two pretty good organizations that would have large teams to help to manage all of that.
Yeah, they do you’re spot on they’re particularly come, oh, thank you no massive investigation teams as well as fraud teams. But unfortunately, you know, for most businesses today, they’re quite stretched thin, particularly with COVID. And they’re losing employees and kind of protect their revenues. But they’re also more susceptible than ever, as you mentioned, with the remote working, people working from home. And it’s much easier to target those businesses and they just don’t have the resources in terms of financial capacity or the capability to respond to these things properly.
Tony Skinner 03:38
Yeah, and it’s interesting too, cybersecurity can mean a whole range of things, and sure, hacking and bad actors and what have you is one way, but also another way is employees working from home, copying and taking information from your business database, such as customer data and so on. And her learning a copy of that, leaving and going somewhere else.
Yeah, that’s a really, that’s a really good point, actually. We see a lot of what we’re calling, you know, confidentiality breaches. So employees that are breaching the terms of their employment agreement by stealing confidential information. And you make a really good point, if you’re working at home and you don’t have the right security settings, it’s very easy to be able to work on a bring your own device or like an iPad, and save that material to your local machine. And then you’ve now got custody of it forever. You get to leave the organization, hand back the laptop, no one’s any the wiser.
But next thing you know, you’ve got a list of customers or you’ve got the strategic plan of the business and you can then use that to your advantage. We’re seeing a bit of that.
Tony Skinner 04:41
Right. So they so that that is I guess, fraud as well. So I guess you can’t get into any techniques too much. But if that’s something that’s fairly straightforward to investigate, or it takes a lot of time and effort to get to the bottom of that,
Well, no two cases are the same and every one is different on its own merits. And, you know, I’m not a deep sort of cyber security expert in terms of the techie stuff. But what we bring to bear is the investigation methodology, you know, so that methodical approach. And it sort of comes in two parts, incident response for the business. So we provide a lot of initial incident response and advise the executives of the business or the owner about this is what you’ve been exposed to, this is what you need to do. This is what you need to consider.
That’s a bit of project management and advice.
And then the next part of your question is digging into the detail about what’s actually happened. And we use a team of people who are far smarter than me, they come in, and they aggregate that data, they sift through it and they look at things like the, you know, Microsoft online environment, looking at credentials, looking at what other machines have been compromised, but also importantly, sifting through the data and being able to look for things that might sit in that data to indicate
Tony Skinner 05:51
that have been compromised. Yeah, absolutely. And what I like is this integrity advisory services is both being proactive. Again, people working from home. So I can see that could mean that spot checks and so on and so forth check people are being compliant as well, is that something that you would look at?
Well, probably not spot checks. But you know, we focus a lot on the integrity lifecycle which you touched on, which is, you know, prevent, detect and respond, and importantly, out of all that optimize, right, so, unfortunately, what we’re seeing with a lot of organizations is they don’t want to find the money to respond to be preventative or proactive up front, and particularly in COVID, right, like, they just worry about surviving, and we totally get that.
But what invariably happens is when you have to respond to an issue, you’ve now got to find three or four times more money than you otherwise would have to find. So let’s say it was gonna cost you 10 grand to do some education and training or some proactive initiatives. When you go to have a fraud event, it’s often 40 grand, 200 grand, plus the time and effort to respond to that. So it’s really hard to drill that message into smaller and medium enterprises that you’ve got to find some budget and some time to build your capability in a preventative way, rather than just waiting for the issue to arise, and then just find the money to respond. Okay?
Tony Skinner 07:08
Absolutely, it is. So what are some tips that would help businesses to protect themselves?
So with people that are working from home, you know, we’re hearing about people feeling less connected to the workplace. And look, I’m all for working from home, I think it’s great that you can save time on your commute, spend more time with your family. But I think there’s got to be that balance that keeps people connected. So we’re starting to see some of our bigger clients recognize that people are feeling disconnected. And they’re now starting to resume some of the online or video conferencing training.
So we’ve got a lot of stuff booked in for the rest of the year where now a big organization is going to go, let’s do some training with some people. Let’s get them on Zoom calls or Teams calls and keep them connected. And so I think for a smaller business that doesn’t have that kind of infrastructure, you’ve got to look for ways to keep those people connected. I mean, that’s the first thing. Second of all, you’ve got to obviously have the right systems and procedures in place to protect your business. So even with our business, you know, we spent a bit of money earlier this year when COVID started to really strengthen their own IT security, we got two different firms in to come in, look at all the endpoint protection and encryption and different things on the laptops, build a VPN, increase our firewall, so the range of those sort of technical solutions that you can use experts for. And then the next part is, you know, respond when something happens. It’s very, very easy these days to want to look at other things, protecting your revenue.
But ultimately, if you let a little thing go, like a little fraud, or a little bit of misconduct, it grows and other people notice that and it erodes your culture, and ultimately, it’s going to cost you more money to respond longer term.
Tony Skinner 08:44
So what do you mean by a little bit of fraud, let’s say a curious term.
Well, we see people that, you know, take little bits of money, you know, whether it’s through corporate credit card expenses, so they might buy things of a personal nature on a corporate credit card and they think they can get away with it. And the organization’s faced with a choice of do they look into it? Do they clamp down? Or do they let it slide? And we see things around conflicts of interest with external suppliers where they’re taking gift and entertainment or giving favorable treatment to suppliers. In exchange, they might be getting some gift cards or some other things back. So there’s little bits of fraud and corruption that happens. And I call the corporate credit card stuff and those little things, in fact, the gateway drug. It’s just a little bit that they start off with. And the next thing you know, they become hooked, and it becomes a bigger event.
Tony Skinner 09:36
Yeah, that’s interesting, because I know we’ve all like a lot of us when we’ve been working for other businesses have put in little expenses claims that little bit extra for lunch or dinner or what have you or the extra person that’s come along and surely Well, no, I haven’t watched it, I don’t care. There’s no, there’s no consequence. It’s my own business. So that’s fine. But, you know, it’s not uncommon to add in little bits like that. And it’s curious how you regard that as a gateway drug or a gateway fraud on to other things, because I guess that could be a little test on the systems themselves.
Yeah, totally. And looking at the thing, that’s fraud that’s really, really interesting is that most people that commit fraud, they’re not what you call the average, you know, criminal that you can easily identify. So if you and I walk down the street, and we see some people hanging around doing the wrong thing, it’s really easy to sort of spot people that look a bit shady or might be affiliated with a biker gang or whatever the case may be. But when it comes to fraud, they’re everyday people like you and I and the reason that is because of the thing called the fraud triangle. Have you ever heard of the fraud triangle?
Tony Skinner 10:51
I have not, but please let me know.
Alright. So the fraud triangle is an old theory, invented by a gentleman called Donald Cressey back to the 60s and 70s. And it talks on the premise of a triangle where the first leg of the triangle, the first point is that you’ve got to have some kind of pressure in your life, right? So you’ve got, you’ve got financial pressure, you’re keeping up with the Joneses, you want to buy a new bike, you’ve over committed on your mortgage, you’ve got some kind of underlying pressure in your life, you’ve lost your job, your partner’s lost a job.
So with COVID, there’s an increase in pressure in people’s lives. The next point is you’ve got the opportunity to commit fraud. So by virtue of your role at work, you’ve got access to using a corporate credit card, or you’ve got access to appointing a supplier and getting a kickback. You’re working in a bank, you’ve got the ability to take some money out of someone’s account, whatever the case may be. So you’ve now got two of the three legs, which is the pressure in your life and the opportunity to commit fraud. But unlike most people, we all don’t commit fraud except for a very small few. And that’s where they come to the third piece, which is they now rationalize their behavior. So what that means is they look at all the factors and they go, right, I got screwed over for promotion, or I’m getting neglected at work or I’ll pay it back.
There’s a range effect as it goes through their mind when they think, okay, I can rationalize and justify my behavior. When those three things come together. That’s when you see good people doing bad things in businesses.
Tony Skinner 12:11
I’ve just written down what you just said. So I can come back to that. So I can utilize that in the podcast and it’s fantastic. I like the idea of the pyramid of the fraud pyramid. Because it’s a triangle. What is a pyramid? Look, it’s a sign come off the
Tony Skinner 12:30
Yeah, come with those things in a desert in Egypt. Two triangles, aren’t they?
Yes. That’s right. A pyramid is three-dimensional, a triangle’s two-dimensional.
Tony Skinner 12:39
So how would a business go about preventing that from occurring?
So a number of ways. You’re going to take a holistic approach, right? So rather than just putting your head in the sand and thinking that everything’s gonna be okay, you’ve got to accept sometimes people are gonna do the wrong thing. Organizations start out and they set out policies and procedures that govern or the expectations around behavior and conduct. So that’s the first part, then you’re going to invest in education and training. And when we go in to do an investigation, we often see a bit of a disconnect between what the leadership’s saying and what the cultures and the values say about the organization, and what the boots on the ground are doing. And that’s because people don’t understand what the policies and procedures and expected behaviors are, because it either hasn’t been distributed or disseminated to them recently.
They haven’t invested in education and training. So I’ve got some clients that are really productive in this space, big companies. One of them is a global manufacturer of motor vehicles, every two years, they call us and say, We want you to come and retrain our top 200 leaders on fraud and corruption awareness training. So they put their money where their mouth is and they invest in that. So that’s a really big thing.
Taking the time to educate your people on what fraud is, what corruption is and what we expect of you behavior-wise. And then the responding: you see something that you don’t expect, you see something’s out of alignment with your values or the expected behaviors, you’ve got to take action. The standard that you walk past is the standard that you set for everybody else. So if you turn a blind eye to the small group corporate credit card fraud or a couple of lazy lunches and some kickback dollars from the supplier, then you’re setting the course for what other people are going to do.
Tony Skinner 14:23
Okay, yeah, so you’ve got to stay straight and narrow and even the ATO, as well looks at various things along those lines.
The data, a lot of data these days, everything’s connected.
Tony Skinner 14:40
You got to get your accountant to do your taxes got all this, how much interest you earned. This is what you did last year. This is and you’re going you bosses, they know more than what I do.
They’ve really improved their data collection and monitoring over the last, you know, five or 10 years and they moved I don’t know where that word improved. I mean, I know some good people that work in government, and they’re doing their best to try and really improve the way that they collect data and monitor. I mean, JobKeeper is a great example. When we started applying for JobKeeper, they’re asking not only what is your revenue, but what are you expected to be next month. So when you see Scott Morrison and Frydenberg talking about why this guy leant back, it’s because they’ve got the data, they’ve seen what we’ve posted as a revenue, what we’ve expected our revenue to be, and what reality is, and now they’re able to go, you know what, this group of organizations don’t need JobKeeper anymore, but these ones do.
Tony Skinner 15:30
Yeah, and look, I’m certainly in full agreement with that base and hospitality and travel related definitely need more support. Those who are builders and landscapers and the like, don’t need the support solely.
And we and we can do that. Like, I’m happy to say, right, we had a slight dip at the start of the lockdown back in March, whenever it was, and businesses rebounded because people are having more fraud, more corruption, more integrity issues, and I legitimately don’t fit into the future of JobKeeper and nor should I. That’s the way it goes.
Tony Skinner 16:03
Absolutely. Yeah, I’m the same. So that’s good. All right, no worries. Darren, is there anything else you’d like to add?
I think the big takeaway that I’d like to leave people with is, you know, don’t eat small, don’t ignore little problems because they do fester and become big problems. And, you know, if you’re a leader of a small and medium business or a larger organization, you’ve got to appreciate that the little things that you do to invest in being a bit more proactive and preventative, can actually pay off in the long term. Your people that come to work every day in your organization, most of us come to work to do a good job. And we want to contribute and be our best and when we see other people misbehaving or doing the wrong thing, and then getting away with it. What that does is it basically it erodes our culture, but it makes us all think, why am I doing this? So as a leader, you know, you’ve got to see those things and go, right, I’ve got an obligation to take action on that. And particularly 98% of us are coming to work and doing a good job.
Tony Skinner 16:54
Yeah, absolutely. That’s true though. What is that superannuation thing from Little things big grow and sustain
Yes, that’s right.
Tony Skinner 17:05
All right. Thanks for your time, Darren.
All right. Thanks, Tony.