Your Latest Security Threat is Internal, not External - and you Need the Whole Business to Solve it

Team Workiro
September 3, 2024
2 min read

There’s a new risk to your business, and it’s not hackers or malware or even any kind of deliberate attack. It's almost exclusively internal and there’s no limit on what it could cost you - by law. It’s not something that can be prevented by making password policies even more annoying or blocking USB sticks: you need better business processes and proof that you monitor them, which is a job that goes way beyond the IT security team. 

It lies within the new Economic Crime and Corporate Transparency Act (ECCT), which received Royal Assent in 2023 and includes a forthcoming “Failure To Prevent Fraud” offence that applies to all large organisations. The key word here is “prevent” - even if nobody in management knew about or directed the fraud, the organisation can be held liable because it failed to prevent it. You won’t be able to claim ignorance, you will be held liable for people across the entire business, and there is no upper limit on the fine a court can impose for the offence.

Under the terms of the ECCT any “associate” of the company can commit fraud, even if they’re only employed by a subsidiary or not based in the UK, and the company will be held liable for not preventing it. It doesn’t matter if the associate wasn’t directed by management, either - if the business benefits from the fraudulent activity, directly or indirectly, then the business can be held liable under the Act. 

The range of possible activities is significant too, including fraud by false representation, false accounting, fraudulent trading and fraud by failing to disclose information. The government’s detailed guidance has yet to be published, but the scope of the law makes it entirely plausible that staff members deep within an organisation, in an overseas office, can commit fraudulent activity for which the business as a whole will be held responsible. 

It’s a major new responsibility for business owners, and while the Failure to Prevent Fraud offence hasn’t come into force yet, you should start preparing now. The only defence is to show that you had “reasonable fraud prevention procedures” in place - which means you need a clear and reliable view of data and activity across the business, and evidence that you actually monitor it. 

Having to share business-critical documents in a secure and easily monitorable way is the problem that Workiro was created to solve. It creates a centralised hub which automatically stores vital emails and documents, handles secure document signing, and maintains a chronological history of each version, so you can tame your internal processes and have complete visibility on the data flow through the organisation.

That’s just the first step, though - you need to pair those organisational skills with a robust compliance policy, and a holistic view of potential issues across the entire organisation. Get a head start on this preparation by signing up for our upcoming webinar “Trading in the UK? You need to comply with the ECCT Act”, hosted by Workiro’s CISO Luke Keily in conversation with Payhawk’s Director of Solutions Engineering, Robbie Hadfield. Both Workiro and Payhawk have robust software solutions for delivering and monitoring business operational processes, and Luke and Robbie have extensive experience and insights in how different organisations can ensure compliance with this type of legislation. 

Register for the webinar here.


Author:
Team Workiro
Follow team Workiro for actionable work tips, how they apply to real-life scenarios, and take a deeper dive into our supercharged enterprise content management system, which seamlessly integrates with NetSuite.