Protecting your security business from cybersecurity risk
By Tony Vizza, Director of Cyber Security Advocacy, Asia-Pacific, (ISC)²
Operational risks associated with cyber security have now taken centre stage for organisations across the globe. Magnified by the frenetic pace of digitisation as organisations large and small shifted their operations to predominantly work-from-home arrangements due to COVID-19, organisations have had to rapidly activate, implement and extend IT-based services simply to survive.
This immediate change has resulted in organisations forgoing the standard levels of due diligence and risk assessment they would ordinarily employ – resulting in a huge increase in the number of cyber breaches, which have wreaked additional havoc at a time when organisations are desperately trying to stay afloat in grim social and economic circumstances. The United States Federal Bureau of Investigation (FBI) has recorded a 400% increase in cybercrime since the beginning of the COVID-19 pandemic. Here in Australia, the Federal Government’s Australian Cyber Security Centre (ACSC) is releasing regular updates regarding the elevated cyber security threat environment being caused by COVID-19. This new landscape has amplified an already heightened threat environment, with the (ISC)² Cyberthreat Defence Report for 2020 indicating that 81% of organisations globally suffered some sort of cyber breach in the previous year, a record high.
Whilst these are challenging times for all organisations, there are ways to help protect organisations from cyber security breaches. For Australian organisations, the definitive resource to achieve this is the Australian Signals Directorate (ASD) Essential Eight. The Essential Eight comprises the mitigation strategies deemed as critical to provide a minimum baseline of cyber security readiness appropriate to organisations large and small. The Essential Eight includes a subset of the comprehensive Strategies to Mitigate Cyber Security Incidents, which the Australian Government is aiming to achieve. The strategies seek to prevent malware delivery and execution, limit the extent of cyber security incidents and recover data and systems availability. In this article, we consider the Essential Eight strategies and how to apply them to a security business context.
The old saying “prevention is better than cure” is very applicable to cybersecurity issues, and the Essential Eight includes four strategies that aim to ensure that cyber incidents don’t occur in the first instance. These strategies include:
1. Application Control. This seeks to prevent the running of unauthorised or unapproved applications which may be malicious in nature. This includes application installers, files such as DLLs and scripts. A good starting point is to restrict any installation of applications unless approved by a qualified system. Another prudent approach is to ensure that your organisation uninstalls any applications it doesn’t need or use.
2. Patch Applications. Patches are released by application developers to address any new vulnerabilities discovered in those applications. Applications that should be patched regularly include but are not limited to web browsers, productivity applications such as those in the Microsoft Office suite (Word, Excel and PowerPoint), Java, Flash and programs such as Adobe Acrobat. While many applications include automated patching, these systems can fail, so patching should be verified.
3. Configure Microsoft Office Macro Settings. Microsoft Office macros can be useful but can also be used to deliver and execute malicious code on workstations. The best approach is to block all macros from the internet and only allow digitally signed macros that have been tested and reside in a trusted location.
4. User Application Hardening. This refers to the practice of disabling options within programs that could be exploited to deliver and execute malicious code on a system. In practice, this means configuring web browsers to block Flash, ads or Java from executing, and disabling unneeded features in applications such as Microsoft Office, browsers, PDF viewers and other applications that your organisation uses. In doing so, your organisation reduces the attack surface a miscreant can use to gain access.
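The macro strategy above can be verified on a workstation by reading the Office policy registry values that Group Policy sets. The following PowerShell audit is an added example, not code from the article or from the ASD; it assumes Office 2016/2019/Microsoft 365 (registry version 16.0) and that the macro settings are delivered as policy under HKCU\Software\Policies.

```powershell
# Added example (not from the article or the ASD): audit the Office macro policy
# behind the Essential Eight "Configure Microsoft Office Macro Settings" strategy.
# Assumes Office registry version 16.0 and Group Policy-managed settings.
function Get-OfficeMacroPolicy {
    param([string[]]$Applications = @('Word', 'Excel', 'PowerPoint'))

    foreach ($app in $Applications) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $p   = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue

        # VBAWarnings: 1 = enable all, 2 = disable with notification,
        # 3 = disable all except digitally signed, 4 = disable all without notification.
        $vba      = if ($p) { $p.VBAWarnings } else { $null }
        # blockcontentexecutionfrominternet = 1 blocks macros in files marked as
        # downloaded from the internet (Mark of the Web).
        $blockNet = if ($p) { $p.blockcontentexecutionfrominternet } else { $null }

        # Trusted Locations: AllLocationsDisabled = 1 turns the feature off;
        # otherwise each LocationN subkey names a folder whose macros run unchecked,
        # so the list should be short and every path should be write-protected.
        $tl    = Get-ItemProperty -Path "$sec\Trusted Locations" -ErrorAction SilentlyContinue
        $paths = Get-ChildItem -Path "$sec\Trusted Locations" -ErrorAction SilentlyContinue |
                 ForEach-Object { (Get-ItemProperty -Path $_.PSPath).Path }

        [pscustomobject]@{
            Application           = $app
            SignedMacrosOnly      = ($vba -eq 3)
            InternetMacrosBlocked = ($blockNet -eq 1)
            TrustedLocationsOff   = ($tl.AllLocationsDisabled -eq 1)
            TrustedLocationPaths  = (@($paths) -join '; ')
        }
    }
}

# Print the report and exit non-zero when any application misses the baseline,
# so the script can run from a scheduled task or an endpoint management tool.
$report = Get-OfficeMacroPolicy
$report | Format-Table -AutoSize
$gaps = $report | Where-Object { -not ($_.SignedMacrosOnly -and $_.InternetMacrosBlocked) }
if ($gaps) {
    Write-Warning ("Macro baseline not met for: " + ($gaps.Application -join ', '))
    exit 1
}
```

A machine where the policy keys are absent reports every check as false, which is the correct finding: settings left to the user's Trust Center are not an enforced control.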
[Figure: ASD Essential Eight. To prevent malware running: Application Whitelisting, Patch Applications, Disable Untrusted Macros, User Application Hardening. To limit the extent of incidents: Restrict Admin Privileges, Patch Operating Systems, Multi Factor Authentication. To recover data: Daily Backup of Data.]
The extent to which cybersecurity incidents affect an organisation can be managed. The Essential Eight includes three strategies that seek to ensure that should a breach occur, limits to the harm done can be established. These strategies include:
1. Restrict Administrative Privileges. Administrator or “superuser” accounts allow full access to an organisation’s IT environment. Access to Administrator accounts is prized by cyber criminals given the access these accounts offer. Administrator accounts should only be assigned to skilled, trusted and experienced personnel and only for specific purposes. Regular auditing of Administrator privileges should be undertaken, and Administrator accounts should never be used to perform everyday tasks that can be done with a User account without privileged access.
2. Multi-factor Authentication. Stronger user authentication is a must to ensure that only authorised individuals have access to information and systems. Multi-factor authentication (often referred to as Two-Factor Authentication or 2FA) involves the use of a password or passphrase (something you know) coupled with use of a token or PIN number (something you have). Multi-factor authentication is especially critical when users are seeking to access a privileged system or to access sensitive data, which is why banks, superannuation companies and other financial institutions rely on 2FA to ensure authorised access.
3. Patch Operating Systems. Operating systems are the foundation of IT systems. Operating systems are not just confined to desktops, laptops and servers. Network switches, routers, access points, network storage and mobile devices also use an operating system. Security vulnerabilities in operating systems can be used to further compromise systems already affected, so patching operating systems is essential to limit the spread of a breach. Operating systems should be patched as soon as practicable, preferably within 48 hours of the release of a patch that addresses an ‘extreme’ or ‘high’ risk vulnerability. Patches should only be downloaded from officially supported vendor sources.
Assuming an organisation has suffered an adverse cyber incident, the focus shifts to ensuring data is recovered and systems are restored as quickly as possible so that the organisation can carry on with operations. The Essential Eight includes one strategy to address this phase, based on the time-honoured concept of backing up your data on a daily basis and maintaining those backups for at least three months. Backups should include new and changed data and software configurations, and should be regularly tested to ensure that should the backed-up data be needed on short notice, it’s complete and accessible. In addition, a copy of the backed-up data should be kept disconnected from the rest of the network.
Ransomware is one of the most prevalent forms of cyber incidents taking place today. By ensuring that your IT environment is backed up regularly, any ransomware incident can be managed by the affected organisation through restoration of its IT systems from a recent backup. This minimises downtime and harm and helps the organisation avoid the choice of negotiating with cyber criminals.
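The daily-backup strategy can be checked mechanically: is there an archive for every day of the retention window, and does each archive still match the hash recorded when it was written? The following PowerShell check is an added example, not code from the article; the backup folder, the backup-YYYY-MM-DD.zip naming scheme and the .sha256 sidecar file are all assumptions.

```powershell
# Added example (not from the article): check a backup repository against the
# Essential Eight "Daily Backups" strategy (one backup per day, kept for at least
# three months, integrity verified). Assumes one archive per day named
# backup-YYYY-MM-DD.zip with a sidecar backup-YYYY-MM-DD.zip.sha256 written at
# backup time (first token of the first line is the hex digest). Assumed layout.
function Test-DailyBackups {
    param(
        [string]$Path,
        [int]$RetentionDays = 90,           # three months, per the Essential Eight
        [datetime]$Now = (Get-Date)
    )
    $archives = @{}
    Get-ChildItem -Path $Path -Filter 'backup-*.zip' -File | ForEach-Object {
        if ($_.BaseName -match '^backup-(\d{4}-\d{2}-\d{2})$') {
            $archives[$Matches[1]] = $_
        }
    }

    $missing = @()
    $corrupt = @()
    for ($i = 0; $i -lt $RetentionDays; $i++) {
        $day = $Now.AddDays(-$i).ToString('yyyy-MM-dd')
        if (-not $archives.ContainsKey($day)) { $missing += $day; continue }

        # Compare the archive's current SHA-256 with the digest recorded when it was
        # written: a mismatch means silent corruption or tampering since backup time.
        $file    = $archives[$day]
        $sidecar = "$($file.FullName).sha256"
        if (-not (Test-Path $sidecar)) { $corrupt += $day; continue }
        $expected = (Get-Content -Path $sidecar -TotalCount 1).Trim().Split(' ')[0]
        $actual   = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        if ($actual -ne $expected) { $corrupt += $day }   # -ne is case-insensitive
    }

    [pscustomobject]@{
        NewestBackup    = ($archives.Keys | Sort-Object -Descending | Select-Object -First 1)
        DaysChecked     = $RetentionDays
        MissingDays     = $missing
        FailedIntegrity = $corrupt
        Compliant       = ($missing.Count -eq 0 -and $corrupt.Count -eq 0)
    }
}

$result = Test-DailyBackups -Path 'D:\Backups'   # folder path is an assumption
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

Run it against the offline copy as well as the live repository: a hash check proves the archive is intact, but only a periodic test restore proves it is complete and usable.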
IN CONCLUSION
Adopting the ASD Essential Eight for your business will help to address the increasingly critical issue of cyber risk using a fundamental set of strategies that are effective, achievable and will offer real protection from cyber security issues. As always, if your organisation is unsure of how to proceed to protect itself, always seek the assistance of a qualified and certified cyber security professional.
WHEN IS A CASUAL NOT A CASUAL?
By Chris Delaney
A Full Federal Court recently handed down a decision that has prompted employers to rethink how they organise the work carried out by “casual” workers. In this article Chris Delaney explains the decision in WorkPac v Rossato and other cases and the implications for employers in the Security industry.
So, what is the definition of a casual? There is no legislative definition of a casual. Many awards define a casual as ‘an employee who is engaged and paid as such’ which leaves it to Courts to decide what criteria should be considered to achieve a more accurate definition.
Casual workers get no annual leave, personal leave, notice of termination or redundancy pay. Instead they are entitled to a 25% pay loading.
Casuals have no guaranteed hours, are employed on an “ad hoc” or “as needs basis”, often to meet irregular operational demands i.e. to cover leave, and unexpected peaks in demand etc. Casuals have no real expectation of continuing employment.
As we will see in Rossato, his rosters were received up to seven months in advance, giving him a real expectation of continuing employment.
Modern Awards often include provisions for Casual Conversion which allow a casual who has worked regularly for 12 months to seek full or part time status depending on the hours worked over the period.
This may be a good indicator of how the courts are thinking in order to reach their decisions.
BACKGROUND IN WORKPAC V ROSSATO
Mr. Rossato was a dump truck operator for WorkPac, a labour hire company. His work was covered by an Enterprise Agreement. He had several separate consecutive contracts over a period of about three and a half years, each for fly in fly out. He could easily be considered a “long term casual”.
• The contracts stated that he was engaged as a casual;
• He was paid $55.00 per hour including a 25% casual loading that was identified in 3 of the contracts; and
• Only one contract included a clause indicating that the casual loading was paid in lieu of leave, notice and redundancy entitlements.
Mr Rossato made a claim against WorkPac for untaken annual, personal and compassionate leave entitlements. WorkPac took the dispute to the Federal Court and was unsuccessful. It appealed and was also unsuccessful.
The result was not unexpected. Two years earlier the Federal Court came to a similar decision in WorkPac v Skene which ASIAL reported in Security Insider at the time. The Federal Court made its decision based on:
• The similarities in Skene;
• Rossato was employed for an indefinite duration; and
• His employment was ‘stable, regular and predictable’.
The Court ruled that Mr Rossato should have accrued, and had access to:
• Annual leave;
• Paid personal/carer’s leave;
• Paid compassionate leave; and
• Payment for public holidays.
WorkPac argued that if Mr Rossato is to be a permanent employee, it should be able to use the 25% casual loading that was paid to him to ‘set off’ the outstanding leave entitlements. The Federal Court said that because the casual loading could not be separately identified from his ordinary rate of pay and there was no clause in the contract permitting WorkPac to ask for the money back, they could not seek reimbursement.
THE ISSUE OF DOUBLE DIPPING
The decision that Rossato was a permanent employee was not remarkable. What is of major concern to employers is the court’s finding that he could keep all casual loading payments and be entitled to all of his accrued and untaken annual, personal and compassionate leave entitlements. The court found that:
• a casual loading payment made “in lieu” of an entitlement is not the same as satisfying that very entitlement. Therefore, a payment made “in lieu” of the entitlement could not be said to have satisfied the entitlement to paid absence;
• an employee’s entitlement to paid annual leave accrues progressively over the course of a year’s service and from year to year, according to the employee’s ordinary hours of work. The liability to make the payment, however, arises only when the employee takes a period of annual leave or when, on the termination of the employee’s employment, the employee has a period of untaken annual leave. Thus, WorkPac had made the casual loading payments before they were even liable for the leave payments;
• the casual loading payments could not, at the time they were made, have been regarded as lawfully discharging Mr Rossato’s entitlements to annual leave. Section 92 of the FW Act prohibited the cashing out of paid annual leave, including cashing out by pre-payment of the annual leave entitlements. Had Mr Rossato’s employment continued and his entitlement to take periods of paid leave been recognised, WorkPac would not have been entitled in that circumstance to bring into account its earlier cash out or pre-payment of amounts in respect of annual leave.
After the decision in Skene in 2018 the Federal Government introduced a regulation into the Fair Work Regulations (Section 2.03A) to overcome the possibility of double dipping by employees claiming NES entitlements “in lieu” of the casual loading.
The court found, that Mr Rossato was not seeking any amounts “in lieu” but making a claim of statutory leave entitlements. So, the arguments for setting off were irrelevant.
CONCERNS FOR EMPLOYERS
Clearly the courts see long term casual employees who work regular and systematic hours as permanent employees rather than casual employees.
The main issues of concern for employers are the double dipping, the need for a clear and unambiguous definition of a casual, and what to do right now to mitigate the risks arising from the Federal Court decision.
Employers may be exposed to claims for unpaid legal entitlements from existing and former long-term casual employees.
WHAT EMPLOYERS SHOULD DO
Employers should assess the risks:
1. Review casual employment to assess the level of risk associated with them being considered to be permanent employees. Are they true casuals working irregular hours, on an as needs basis, or are they working regularly and systematically, perhaps on a roster, and could reasonably expect that to continue?
2. Review the roster cycles. Are your casuals given regularly rostered work? Do they have the right to accept or reject all or part of a roster? Do they provide written notice to you of their availability or unavailability for the work you have on offer?
3. Review casual contracts. Do you have written employment contracts with your casual employees? Do the contracts:
   A. Clearly state that there is no offer and should be no expectation of continuing employment?
   B. Identify a 25% casual loading and that the loading is paid to compensate for not getting paid annual leave, personal leave and redundancy?
   C. Have a set off clause and a clause permitting the employer to reclaim casual loading payments in circumstances where the employee is considered permanent?
   D. Allow casual employees the right to reject work?
4. Review payslips. Do they clearly show the classification as “casual”? Do they show the 25% casual loading and explain what it is for?
5. Review opportunities for Casual Conversion. Do you have a process/letter for offering long term casuals conversion to permanent full time or permanent part time so that the employee can make an informed decision whether they do or do not want to convert?
6. Review your payroll system. Do you have a facility to track the hours and rosters for casual employees to ensure such employees are properly classified at all times?
The Australian Government is flagging the possibility of making further legislative changes in light of this decision from the Federal Court, which some are saying allows for ‘double dipping’ by casual employees.
Until there is a change in legislation to resolve this issue employers need to be aware of the risks associated with using long term casuals on a regular and systematic basis.
ASIAL in conjunction with other industry associations and the University of Wollongong is conducting research into the use of casuals across a range of industries.
The data collected will be vital in helping to build a body of evidence that demonstrates the important role flexible work arrangements play in the modern workplace and the need to facilitate such flexibilities in the Award system.
Members requiring assistance or further information should email ir@asial.com.au.
About the Author:
Chris Delaney
Chris Delaney is a highly regarded employee relations professional with over 40 years’ experience in industrial relations and human resources. He has held senior executive industrial relations positions with Nestle and BHP.
Note: The information provided above is for convenient reference only. ASIAL and Chris Delaney & Associates Pty Ltd provide this information on the basis that it is not intended to be relied upon in any cases, as the circumstances in each matter are specific. Accordingly, we provide this information for general reference only, but we advise you to take no action without prior reference to a workplace relations specialist.