31 October 2019

Indigenous voices send vital message on intergenerational trauma


A collaboration of Indigenous voices gathered in Perth to discuss solutions on the impacts of intergenerational trauma stemming from forced removal policies.

There are currently 20,421 Indigenous children in out-of-home care, representing 37.3 per cent of the out-of-home care population. Since Kevin Rudd’s apology to Stolen Generations survivors, the rate of forcible child removals has increased massively.

Whilst there are concerns that children being placed in out of home care may experience the same loss of identity and connection to family, country and culture, this should not be cited as a second Stolen Generation.

“Healing is part of life and continues through death and into life again. It occurs throughout a person’s life journey as well as across generations,” said Helen Milroy, Professor at the University of Western Australia and Commissioner for the National Mental Health Commission, when speaking at the National Indigenous Social and Emotional Wellbeing Forum in Perth.

“Healing is not just about recovering what has been lost or repairing what has been broken. It is about embracing our life force to create a new and vibrant fabric that keeps us grounded and connected, wraps us in warmth and love and gives us the joy of seeing what we have created,” said Helen.

The four-day conference, run by Akolade in partnership with Yokai and Two Point Co, focuses on the wider issues relating to social and emotional wellbeing and mental health in Indigenous communities. Tuesday 29 October kicked off with a pre-conference focused on supporting Stolen Generations survivors.

Indigenous Elders and community leaders from different walks of life and different parts of Australia shared the message that something needs to be done. The impact of previous forced removal policies is affecting today’s younger generations, and Australia is seeing higher child removal rates than ever as a result.

The impact of intergenerational trauma is profound and growing, and if nothing is done it will continue to tear families and communities apart.

Maisie Austin, Chief Executive Officer of the Northern Territory Stolen Generations Aboriginal Corporation, highlighted the ongoing impacts of forcible removals on Stolen Generations survivors. In order to help survivors of Stolen Generations and their families heal, and stop ongoing cycles of negativity, intergenerational trauma needs to be effectively addressed. It is important that the impacts of forcible removal on families and communities are fully understood in order to find ways forward.

“It’s important to address the impacts that past forcible removal policies are having on today’s younger generations, and to ensure history isn’t forgotten or repeated,” Austin said. Governments, communities and organisations need to collaborate and share knowledge and resources to address these issues. Intergenerational trauma is a growing problem, which can sometimes lead to different issues, such as family breakdowns, resulting in children being placed in out-of-home care.

The remaining days of the conference will see further discussions on breaking down the stigma and shame attached to mental illness in Aboriginal and Torres Strait Islander communities, vital to opening the conversation and enabling better access to services. With cases of Indigenous suicide increasing at an alarming rate, Australia urgently needs to rethink the services currently being offered and implement strategies to increase Social and Emotional Wellbeing.

If individuals and communities can work together and better understand the different constructs of mental health, then a holistic approach to social and emotional wellbeing with culturally inclusive services may be better accessed. It’s important that everyone works together to build trust in services and start the conversation on mental health, because mental health is everyone’s business.


Written by: Mimmie Wilhelmson

Mimmie grew up in Sweden and first came to Australia as a backpacker after high school. After travelling around the country for two years she returned to Europe and pursued a Bachelor’s degree in Journalism in London. But the longing for Australia and the sun became too strong. After having worked for some time in the media industry, Mimmie decided to make a change and swap the news for conferences. She now gets to do what she loves the most: meeting new people and learning about cultures and issues while producing conferences on current topics.

21 February 2019

Business Process Compromise - Insider and Outsider Threat


Last year I was at a security symposium in Sydney where I bumped into a friend working for a large security vendor. We discussed the latest industry rumours and trends, and shared a few interesting stories on breaches. This is when I asked if his firm performs risk assessments for Business Process Compromise (BPC), to which he replied "No". I was now thinking: how on earth do they perform security assessments when they only look at one half of the big picture? Surely the other big half is equally as important? Don't believe me? What about the big cyber-heist of Bangladesh's Central Bank, which I will use as a case study a little later?

Interestingly, I was told by my friend that business process compromise often results in fraud, which is the responsibility of Human Resources, Finance, and Risk Officers. For those of you who have not heard of business process compromise, simply explained it means that someone with deep knowledge (a subject matter expert) of how a process works, typically in finance, sales, procurement or payroll, can bypass security controls, checks and balances to commit financial theft, sabotage or intellectual property theft.

What makes business process compromise difficult to detect and counter is that it's usually performed by employees in sensitive or senior roles. These people are trusted to do the right thing, which makes it extremely difficult to identify which of them is inclined to this type of behaviour. Worse still, these employees know processes extremely well, including how security is configured on their specific systems such as finance, payroll and accounts payable, so monitoring for and detecting malicious actions is that much more difficult.

For those of you new to the concept of business process compromise, it is important to note that there are two classes of malicious actor: the insider, typically an employee or contractor employed by your firm, and the outsider, typically someone outside the organisation such as a terminated or ex-employee, consultant, technology vendor, supplier, etc. Both classes of malicious actor have intimate knowledge of how your sensitive corporate functions work. For example, the financial platform consultant knows how your accounts payable process works front-to-back because they configured and installed the system based on your processes, which they helped you capture and articulate.

Now, should the financial platform consultant switch to the dark side (criminal intentions) and decide to commit fraud by issuing you a fake invoice using clever means such as Business Email Compromise (BEC) and social engineering - more than likely they will succeed, and more than likely detection will take many months if not longer.

The cyberheist at the Bangladesh Central Bank (BCB) was a combination of insider and outsider threat actors staging a sophisticated attack which involved hacking, social engineering, corruption of employees, intimate knowledge of the central bank's operations, and deep knowledge of the international financial banking platform SWIFT.

In a nutshell, malicious actors hacked into the SWIFT platform owned by the Bangladesh Central Bank and sent fraudulent instructions to its major bank account held at the Federal Reserve Bank of New York. The instructions were to transfer $1 Billion US dollars to offshore bank accounts in low compliance jurisdictions such as the Philippines, Sri Lanka, Macau, etc. The majority of the payments were stopped, but $81 Million dollars made it through and ended up in fake bank accounts in a Philippine bank, which were then transferred to a local casino and never to be found - the trail ended at the bank! Very sophisticated operation.

The following key points were identified as weaknesses which led to the cyber heist; I have summarised a few:

  • Insider threats were involved in some capacity - somehow malware got onto a "supposedly" secure machine, and the only mechanisms available were email or a USB memory stick. There are suggestions that someone most probably inserted an infected USB memory stick into the SWIFT server, which allowed cybercriminals to create an undetected backdoor. The cybercriminals were probably accessing the infected server for anywhere from a few weeks to a year.
  • Insider threats most probably disabled the CCTV camera which was not working on the weekend the criminal activity took place. There are tell-tale signs of sabotage which investigators believed strongly pointed to the central bank employees or building maintenance contractors.
  • Outsider threats had intimate knowledge of global banking and settlement processes, as they specifically targeted the central bank on a Friday, which in Bangladesh is a bank holiday. This meant nobody was available to detect and stop the fraudulent funds transfer.
  • Outsider threats built and deployed malware which specifically targeted the SWIFT payment platform - suggestions were that nation-states might have been involved, as the malware was extremely sophisticated in that it covered the criminals' trail.
  • Outsider threats knew that the Federal Reserve of New York has limited manpower to manually check for fraudulent payments, and also had knowledge that there was no 24 x 7 hotline to alert their employees to halt fraudulent payments.
  • Outsider threats created fake bank accounts at the Philippine bank 1 year before the heist - they corrupted the branch manager to create the fake accounts, immediately settle the transfer and convert it to cash. (She was arrested - but was probably a minor player in the grand heist.)

Now the interesting bit - how do you assess your vulnerability to business process compromise? The approach I advise is to identify your key business processes, whatever they are - payroll, HR, accounts payable, finance, etc. Bring together diverse groups from within your firm, and even your trusty security consultants, and ask them to let their minds run free. Ask the question: if they were to commit the ultimate white-collar crime within your firm, what would it be? How would they do it? Take note, as the scenarios might sound far-fetched and impossible, but with time and resources they are more than likely achievable.

Some methods to reduce exposure to business process compromise include:
  • Listening to employee concerns in regard to insecure processes and systems.
  • Performing criminal and employment history background checks on new employment candidates, this includes contractors.
  • Monitoring employee movements - in some industries employees are asked to detail their travel plans. 
  • Monitoring of employee wealth - financial theft is sometimes identified by employees living beyond their means.
  • Regular physical and cyber security assessments. (Yes, physical security too!)
  • Auditing of employee access to facilities - both CCTV footage and electronic keycard access logs.
  • Using simple Machine Learning (ML) in a wider context, such as incorporating physical security and IT system logs. (Out-of-hours access to sensitive platforms might give away signs of possible fraud.)
  • Cyber security awareness - teach employees tell-tale signs of phishing and social engineering. Build a culture where employees are encouraged to challenge suspect instructions.
  • Human resources should be vigilant with employee behaviour, in particular with repeat offenders who don't respect company policies.
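
The cross-log check suggested in the list above (keycard logs reviewed together with IT system logs, with out-of-hours access as the signal), as an added example that is not part of the original article. It uses fixed rules as a stand-in for the ML the author mentions; the log layouts, names, business hours and 12-hour badge window are all assumptions, as is the premise that the sensitive platforms are only reachable on-site.

```python
from datetime import datetime, timedelta

# Constructed sample data, not taken from any real system.
BADGE_LOG = [  # (timestamp, employee, door) from the keycard system
    ("2019-02-15 08:55", "alice", "finance-floor"),
    ("2019-02-16 23:40", "bob", "finance-floor"),
]
LOGIN_LOG = [  # (timestamp, employee, platform) from the sensitive systems
    ("2019-02-15 09:10", "alice", "accounts-payable"),
    ("2019-02-16 23:52", "bob", "accounts-payable"),
    ("2019-02-17 02:15", "carol", "payroll"),
]

# Assumed policy values; tune to the organisation being assessed.
WORK_DAYS = range(0, 5)             # Monday to Friday
BUSINESS_HOURS = range(7, 19)       # 07:00 to 18:59
BADGE_WINDOW = timedelta(hours=12)  # a login should follow a badge-in within this


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def out_of_hours(when):
    return when.weekday() not in WORK_DAYS or when.hour not in BUSINESS_HOURS


def has_recent_badge(employee, when, badge_log):
    """True if the employee badged in at most BADGE_WINDOW before the login."""
    for ts, who, _door in badge_log:
        if who == employee and timedelta(0) <= when - parse(ts) <= BADGE_WINDOW:
            return True
    return False


def review_logins(login_log, badge_log):
    """Return logins worth a human look, each with the reasons it was flagged."""
    findings = []
    for ts, employee, platform in login_log:
        when = parse(ts)
        reasons = []
        if out_of_hours(when):
            reasons.append("out-of-hours")
        if not has_recent_badge(employee, when, badge_log):
            # Assumes on-site-only access; remote users would need a VPN log here.
            reasons.append("no-badge-entry")
        if reasons:
            findings.append((ts, employee, platform, reasons))
    return findings


if __name__ == "__main__":
    for finding in review_logins(LOGIN_LOG, BADGE_LOG):
        print(finding)
```

A finding is a prompt for review alongside CCTV footage and the other controls in the list, not proof of fraud.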

I hope you found this article of interest. Feel free to contact me if you would like to discuss further - I look forward to a good old chat!

Written by:
John Kouroutzoglou

19 February 2019

Number 1 Strategy Guaranteed to Help Your Organisation to Survive Disruption


There are many disciplines that contribute to organisational resilience, including governance, risk, compliance, business continuity, security, emergency and crisis management. But whatever the nature of the business disruption that tests an organisation’s resilience, there will always be the common factor of people being affected, whether it is staff who are expected to respond and restore the business to business as usual, stakeholders who do not receive the service they are paying for, or the general public in the building who may be impacted by the flow-on effects of the disruption.

In order for an organisation to survive disruption, it must ensure that its people can survive the disruption first and foremost, because without the people there is no organisation. The organisation must then ensure that it has a culture of resilience that permeates through all its policies, processes and procedures to support its people.

Resilience is often mistaken simply as the ability to bounce back, but it is actually so much more. There are two key themes that are not immediately evident from the usual resilience definitions. The first is that resilience is not just reactive, but crucially is also proactive, meaning managing risk in advance, learning from the experience of others, and actively preventing disruptions both at personal and organisational levels.

Second, resilience is not just about coming back to where you were before, but instead using each setback as an opportunity to advance towards a larger goal and purpose. 

Resilience is an increasingly important skill to have in today's climate of change. First, it was IQ (Intelligence Quotient), then it became EQ (Emotional Quotient). Now there is increased importance on RQ (The Resilience Quotient). 

These skills are increasingly needed by people of all ages and all life stages. As change accelerates, people need the mental skills to thrive despite adversity. It is worth remembering that someone's resilience capacity is not constant throughout life. We can improve our resilience, and our resilience can be worn down.

Whether it gets worn down due to the environment and external events or through internal negativity, the fact is, no one is invincible. As resilience improves, we gain a natural resistance against being worn down, although a toxic environment will eventually get to us. This is worth keeping in mind as the work environment is where many people spend most of their time, meaning it has a key influence on their resilience. 

The benefit is not just to the organisation, but to individuals themselves. Resilience increases their own sense of safety at a subconscious level, improving relationships, goal achievement, sense of purpose and overall sense of wellness. This translates into greater compassion and empathy at a societal level, highlighting how an organisation's drive for resilience can have a profound global impact. Cultivating resilience, therefore, represents a major long-term opportunity.

By developing your organisation's resilience culture, there should be: 

  • A reduction in absenteeism and presenteeism; 
  • An increase in staff retention; 
  • Improved productivity and flexibility; 
  • Increased engagement and work satisfaction; 
  • Improved communication, collaboration and innovation;  
  • The development of a shared mindset.

The question now is, how do you start to develop this resilience culture in your people? 

It starts with an assessment of the current level of resilience at the individual and team level which can then be aggregated to the organisational level. This baselining assessment can then be used to inform the development of a tailored program that will develop various aspects of resilience.  

One such assessment tool is the Predictive 6 Factor Resilience scale which is a psychometric assessment across six domains including Vision, Composure, Reasoning, Health, Tenacity and Collaboration. The differentiating component of this assessment tool to others is its forward-looking Momentum score which can predict future movement (declining or improving) of resilience levels. 

There are many ways that an organisation can then go about improving the resilience levels of their staff whether it is through targeted information campaigns, provision of online tools, the introduction of mental health first aid officers, therapeutic drumming workshops, running of regular simulations/exercises, or conducting formal resilience training classes. 

The important thing to remember is that developing resilience is not a once-off process and doesn’t happen overnight. It takes time but it is worth it for when (not if) a big disruption occurs. 

Blog written by:

TAMMIE HORTON, Chief Executive Officer, Phynix Initiative and Former Business Continuity Manager, Department of Education and Training