Are you up to date on unfair contracts legislation for small business?

New Australian Consumer Law came into effect from 12th November 2016 that makes unfair contract terms forced upon small businesses by larger organisations void. What it means is that if a small business is handed a standard form contract from a large organisation with clauses that are unfair to them and they are given no opportunity to negotiate them, then these clauses may be unenforceable. This legislation is aimed at providing small businesses protection against standard “take it or leave it” contracts when the size and negotiating power of the two companies is out of balance.

The criteria as detailed by the ACCC for the types of contracts that the legislation is applicable to are:

  1. The contract must meet the following conditions to be considered:
  • it is for the supply of goods or services or the sale or grant of an interest in land
  • at least one of the parties is a small business (employs fewer than 20 people, including casual employees employed on a regular and systematic basis)
  • the upfront price payable under the contract is no more than $300 000, or $1 million if the contract is for more than 12 months.
  2. The contract is entered into or varied on or after 12 November 2016.
  3. The contract is offered to the small business as a “take it or leave it” contract with no negotiation of contract terms.

Unfair clauses may include:

  • terms that enable one party (but not another) to avoid or limit their obligations under the contract.
  • terms that enable one party (but not another) to terminate the contract.
  • terms that penalise one party (but not another) for breaching or terminating the contract.
  • terms that enable one party (but not another) to vary the terms of the contract.

If a contract meets the above criteria, then any unfair clauses within it, as determined by a court or tribunal, will be void.

Unfortunately, many “take it or leave it” contracts with unfair clauses are still being commonly offered.

For further information:

https://www.accc.gov.au/system/files/Unfair%20contract%20terms%20-%20A%20guide%20for%20businesses%20and%20legal%20practitioners.pdf

Are your security systems ready for power blackouts this summer?

There have been many warnings about the possibility of power blackouts in Australia this coming summer so now is a good time to check that your security systems won’t fail if blackouts occur.

These are a few things to consider:

  1. When is the last time that the batteries were changed in field control equipment? If the security systems are being maintained in accordance with Australian Standard AS/NZS 2201.1:2007 Intruder alarm systems, then each battery will be legibly and durably marked with the month and year of installation.
  2. When is the last time that access control and security alarm systems were tested on battery power alone for an extended period? If the batteries are to maintain power to their associated equipment for eight hours, then the test should be for this period. When batteries fail, access control doors unlock.
  3. When is the last time the UPS was tested? The only true test is to shut off power to the building in a controlled manner and see that everything still operates. Switching off the input power to the UPS alone will not identify if any equipment has been incorrectly connected to non-UPS power.
  4. When is the last time that generator power was tested and refueled? Generators often fail when they have insufficient fuel.
  5. If a power outage extends for a longer period than batteries, UPS and/or generators have been designed for, what are the contingency plans for events such as electrically locked doors unlocking, camera surveillance turning off, alarm systems failing etc.? How are the assets and information within the facility to be protected? Providing security guards may be a response, but if an extended power blackout is widespread, then the demand for guards may be higher than the available supply.

Choosing a Security Consultant

On August 20, the Australian Government released the publication Australia’s Strategy for Protecting Crowded Places from Terrorism 2017. This document has, among other things, provided much needed guidance on the selection of security consultants.

It states:

Professional and qualified security consultants play an important role in undertaking full security risk assessments of crowded places and recommending appropriate protective security measures (Box 3).

Looking at these considerations:

Security Licence

The licensing requirements for security consultants vary considerably between the states and territories, and a licence in one state or territory is not valid in another.

The following table shows some of the differences. These are just for the individual licences – companies have more variances.

The most rigid licensing requirements are in the ACT, NSW and WA. In the other states and territories either no licence is required or no qualifications are required to obtain a licence. However, the inconsistency in the qualification requirements to obtain a licence opens up a loophole when mutual recognition laws between the states are applied. For example, a Registered Security Adviser in Victoria (who is not required to be qualified and can apply for a licence without ever having been physically seen by the licensing authority) can simply apply for mutual recognition and obtain a full licence in any other state without having any qualifications.

Having a licence in any state or territory is therefore no guarantee that the consultant holds qualifications in security.

Education, qualifications, skills, and experience

So, what education, qualifications, skills, and experience should a security consultant hold?

The absolute minimum qualification is generally considered to be a Certificate IV in Security and Risk Management (although a Diploma is more common). This provides a very basic understanding of the security risk assessment processes but does not touch on any technical subjects. It’s enough to get a licence in some states but it doesn’t let the consultant speak with authority on any technical matters.

The Australian Government Security Construction and Equipment Committee Security Zone Consultant Scheme Policy (2013) includes the following minimum education and experience requirements for any security consultant wishing to apply for SCEC endorsement which will permit them to advise on and certify high security government security systems. It could be reasonably inferred therefore that this is what they expect security consultants to have as a minimum.

Once accepted into the SCEC Endorsed Security Zone Consultant program, candidates are given several days training and an examination at the conclusion.

ASIS International has a different qualification and experience requirement for the granting of their CPP (Certified Protection Professional) accreditation. The eligibility requirements to apply are:

  • Nine years of security work experience, with at least three of those years in responsible charge of a security function; or
  • A bachelor’s degree or higher and seven years of security work experience, with at least three of those years in responsible charge of a security function.

Applicants are then required to sit an examination.

Referee reports

Referee reports need to be relevant to the project that a security consultant is being considered for. How well a consultant carried out a security risk assessment for one client is no indication of how well they can design a CCTV system for another.

Security clearance (where required)

Security clearances are given at the following levels in Australia:

Most security consultants will hold at least a Baseline security clearance. If they don’t have this then it isn’t necessarily a problem, but you would want to establish why they haven’t obtained one. A security clearance picks up a lot more than a simple police check.

Professional association and affiliations

Some of the associations and affiliations that are relevant to individual consultants in Australia include:

  • ASIAL
  • ASIS (American but common in Australia)
  • Association of Investigators and Security Professionals
  • Australian Institute of Professional Investigators
  • Australian Standards
  • Engineers Australia (Membership enables exemption from some SA security agent licence requirements)
  • Security Providers Association of Australia Limited
  • Victorian Security Institute (VSI)

Previous experience conducting security reviews

When assessing this, look at how they previously assessed the risks and how the recommended risk mitigation measures realistically addressed those risks.

The following is from an earlier blog of ours:

If you ask two security consultants to provide a security risk assessment of your premises, then most likely you will receive two different results. A main cause of this is that it is common for security risk assessors to take the approach of identifying risks as being simply extreme, high, medium or low. This is done by assessing the likelihood of a risk as rare through to certain and rating the consequences as insignificant through to catastrophic. This approach provides a quick result but the results will vary between individuals.

A significant problem with this approach is that any risk with a catastrophic potential consequence is invariably rated as being an extreme or high risk no matter how unlikely the risk is. An example of this is the risk of terrorism. This risk is often rated as the highest risk to a site, even if it is inconceivable that this risk would occur. The other obvious problem is that different risk assessors will view the likelihood of risks occurring differently, so the level of risk the assessment says that you are exposed to will depend on who carried out the assessment. This is a particular problem if the client has a number of properties that they need assessed.

Another approach, and one that we use in our consultancy practice, is to quantify the risks as far as possible. Instead of rating the risk of burglary, for example, as being medium or high, this approach looks at the local crime statistics and identifies the number of times per annum that the client can expect a burglary attempt. The method then looks at the security measures, either that are in place or proposed, and through a standard spreadsheet, identifies the likelihood of an attempted burglary succeeding. This then provides the number of expected successful burglaries per annum. All the potential consequences of burglary are then applied to this risk, e.g. value of losses, property damage, interruption to operations etc. to determine a consequence value. From all this data, a relative risk score is provided through a spreadsheet. As consequences will vary between clients and the attractiveness to a burglar vary also, spreadsheets need to be developed for each type of client. In this approach, using standardised spreadsheets, different risk assessors will provide identical results.

Ability to effectively undertake the security review (subject matter knowledge)

Satisfying this requirement is linked to the consultant’s qualifications and experience. For example, if a consultant is recommending the implementation of vehicle bollards, are they suggesting a particular brand, or are they citing which elements of local and international standards need to be met?

Impartiality of advice (consider any commercial affiliations)

An independent security and risk consultant will not provide any insurance, guards, equipment, installation services, training, employment services or any other item that may be a recommendation in their reports.

Integrity and impartiality in their recommendations are critical, and they must have a policy in place that refuses acceptance of any benefit from any supplier.

Published professional work

As the phrase goes “Publish or Perish”. The government has listed this as a consideration in assessing a security consultant, so consultants should be able to provide a list of their professional publications.

Other considerations

There are a number of other considerations that the Australian Government hasn’t mentioned:

  • Professional indemnity insurance ($10 million is the accepted norm).
  • Public liability insurance ($20 million).
  • Quality Assurance (Do they have a system compliant to ISO 9001?).
  • Safety Management (Do they have a system compliant to AS4801?).
  • Are they Australian Government Security Construction and Equipment Committee (SCEC) Endorsed?


Are Australian airports secure?

Recent events in Australia have brought our airport security into the spotlight. When we compare our airport security with other countries, it becomes evident that there is much room for improvement at home.

The most striking difference between security at Australian airports and those in many overseas countries, is that in Australia we only have one weapons screening barrier and that this is well inside the airport. This is a serious deficiency for a number of reasons.

Firstly, when there is no screening at the entry to the airport, only travellers are screened, visitors are not. Anyone can enter the airport with a weapon or explosive device and mix with the crowds of people in arrivals, departures or in the busy retail areas. The area of biggest risk in an Australian airport is a terrorist attack in an area where large numbers of people gather and this is most likely in the departures hall. The recent advice of the Australian Government to arrive early at the airport has significantly increased the attractiveness of this area to terrorists as the number of people present at any time has greatly increased. In 2011 suicide bombers attacked Domodedovo International Airport near Moscow that resulted in 37 deaths and 173 injuries. At the time, they were not screening visitors to the airport, now they are.

Secondly, the weapons screening is a single point of failure. A number of factors could combine to allow a weapon to pass through the screening point, such as staff distraction, corruption, failure to follow procedures or equipment underperforming. This year, a man in Texas was sentenced to three years’ prison for bribing a security guard on five occasions in order to smuggle drugs through passenger security screening at SFO. This single point of screening is very rare in many countries. Most overseas airports have screening at the entry to the building (some where all luggage is opened at the entry and inspected) and again at the passenger departures entry. Some go further and have screening at the departure gate lounges. It is also usual for screening to occur at international flight transfer points. In doing so, the single point of failure is removed.

Full body scanners are deployed at the screening points at major airports in Australia. These however are usually only used to screen a sample of passengers. Where these are deployed at overseas airports, all passengers are screened.

The security of baggage handling for departing flights in Australia is also of concern. I personally have had four suitcases forced open, damaged and have had items stolen from them at one particular airport. In one instance, this was reported to the Federal Police but no response was received. This is understandable as their website states that “The AFP carefully considers all reports of Commonwealth crimes, however we do not have the resources to investigate every reported crime.” It’s reasonable to assume therefore that people engaged in petty crime on Commonwealth property such as interfering with baggage at airports know this and have no fear of being caught.

Of course, there are many places in the world where airport security is far worse than Australia, but we can do much better.

Biometrics – You can’t change them if they’re stolen

There has been a lot of discussion about “improving” the security of financial and other transactions by moving to a biometric solution. The logic is that if you authenticate a transaction with a fingerprint, a stored camera image of your face, a voice print or other means, then you will have a higher level of security than having a card, which can be stolen or copied, and a PIN, which can be compromised if discovered.

This sounds OK on the surface but it has a major flaw. If a card is stolen or a PIN is discovered then the card can be replaced and the PIN changed. This can result in a short-term inconvenience but the security breach can be recovered from. However, currently some biometric authentication methods can be compromised, and if so, the fingerprint, voice print or facial image cannot be changed to remedy the situation. Once your biometric signature is stolen, the thief has it forever.

An alternative simple solution for improved security, that is common in some parts of Europe, is for the bank to send an SMS for all transactions. For this to be compromised, a person would need to have the card, PIN, mobile phone and mobile phone access code to carry out a fraudulent transaction in a face to face situation. For internet transactions, they would need to know the card details and CVV. This SMS solution offers a very high level of security, and in the unlikely situation where it is compromised, the security breach can be quickly remedied.

As an added precaution, I recommend removing the CVV from all cards. The banks don’t like you doing this but the CVV is effectively a PIN for internet transactions. The CVV is needed for internet transactions, so if your card including the CVV is copied, it can be used for online purchases. It’s no different from having your PIN written on your card. Removing the CVV will not affect any legitimate face to face transaction as it is not needed in this instance.

Another measure to increase card security is not to sign the card but to write “Ask for ID” in the signature space on the card. Although signatures are being phased out, it is still useful.

Biometrics have their place, in electronic access control systems for example, but they are a bad idea for use in financial transactions. You can’t cancel your fingerprints and order new ones.

Our first web page – 1998!!!

The site archive.org is a great resource. You can change and delete web pages, but they remain on the web forever. Have a look at our first beta attempt at a web page from 1998:

https://web.archive.org/web/19981206000050/alphalink.com.au/~core


Consistency in security risk assessments

If you ask two security consultants to provide a security risk assessment of your premises, then most likely you will receive two different results. A main cause of this is that it is common for security risk assessors to take the approach of identifying risks as being simply extreme, high, medium or low. This is done by assessing the likelihood of a risk as rare through to certain and rating the consequences as insignificant through to catastrophic. This approach provides a quick result but the results will vary between individuals.

A significant problem with this approach is that any risk with a catastrophic potential consequence is invariably rated as being an extreme or high risk no matter how unlikely the risk is. An example of this is the risk of terrorism. This risk is often rated as the highest risk to a site, even if it is inconceivable that this risk would occur. The other obvious problem is that different risk assessors will view the likelihood of risks occurring differently, so the level of risk the assessment says that you are exposed to will depend on who carried out the assessment. This is a particular problem if the client has a number of properties that they need assessed.

Another approach, and one that we use in our consultancy practice, is to quantify the risks as far as possible. Instead of rating the risk of burglary, for example, as being medium or high, this approach looks at the local crime statistics and identifies the number of times per annum that the client can expect a burglary attempt. The method then looks at the security measures, either that are in place or proposed, and through a standard spreadsheet, identifies the likelihood of an attempted burglary succeeding. This then provides the number of expected successful burglaries per annum. All the potential consequences of burglary are then applied to this risk, e.g. value of losses, property damage, interruption to operations etc. to determine a consequence value. From all this data, a relative risk score is provided through a spreadsheet. As consequences will vary between clients and the attractiveness to a burglar vary also, spreadsheets need to be developed for each type of client. In this approach, using standardised spreadsheets, different risk assessors will provide identical results.
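A worked contrast of the two approaches described here (and in the same passage quoted under “Previous experience conducting security reviews” above), as an added example that is not Connley Walker’s spreadsheet or code: the matrix grid, the crime rate, each layer’s defeat probability and the dollar figures are all constructed, and the security layers are assumed to be independent of one another.

```python
from dataclasses import dataclass

# --- Approach 1: the qualitative likelihood x consequence matrix ---
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
# A typical 5x5 grid (constructed here; rows = likelihood, columns = consequence).
# Note the last column: any catastrophic consequence is at least "high", even when rare.
MATRIX = [
    ["low",    "low",    "medium",  "high",    "high"],
    ["low",    "low",    "medium",  "high",    "extreme"],
    ["low",    "medium", "high",    "extreme", "extreme"],
    ["medium", "high",   "high",    "extreme", "extreme"],
    ["high",   "high",   "extreme", "extreme", "extreme"],
]

def matrix_rating(likelihood: str, consequence: str) -> str:
    """Rate a risk by looking it up in the qualitative matrix."""
    return MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]

# --- Approach 2: quantify the risk, as the post describes ---
@dataclass(frozen=True)
class Measure:
    name: str
    p_defeated: float  # chance that one attempt gets past this layer (assumed value)

def success_probability(measures: tuple) -> float:
    """Chance an attempt defeats every layer; layers assumed independent."""
    p = 1.0
    for m in measures:
        p *= m.p_defeated
    return p

def quantified_risk(attempts_per_annum: float, measures: tuple, consequences: dict) -> dict:
    """Expected successful events per annum times the summed consequence value."""
    p_success = success_probability(measures)
    expected = attempts_per_annum * p_success
    consequence_value = sum(consequences.values())
    return {
        "p_success": round(p_success, 4),
        "expected_successes": round(expected, 6),
        "consequence_value": consequence_value,
        "risk_score": round(expected * consequence_value, 2),
    }

# Constructed inputs: 3 attempts a year from local crime statistics, three layers
# in place, and the client's own consequence figures in dollars.
BURGLARY_ATTEMPTS = 3.0
MEASURES = (Measure("perimeter fence", 0.8), Measure("monitored alarm", 0.3), Measure("safe", 0.5))
CONSEQUENCES = {"value of losses": 20_000, "property damage": 5_000, "interruption": 15_000}

def burglary_example() -> dict:
    return quantified_risk(BURGLARY_ATTEMPTS, MEASURES, CONSEQUENCES)

def terrorism_example() -> dict:
    # A catastrophic consequence with a constructed rate of one attempt per
    # 100,000 years: the matrix calls this "high", the quantified score stays small.
    return quantified_risk(0.00001, (), {"loss of life and premises": 50_000_000})

if __name__ == "__main__":
    print("matrix: rare/catastrophic ->", matrix_rating("rare", "catastrophic"))
    print("quantified burglary:", burglary_example())
    print("quantified terrorism:", terrorism_example())
```

Because every step is arithmetic on the same standardised inputs, two assessors running the quantified sheet get identical scores; the matrix result depends on which likelihood word each assessor picks.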

New blog site and free giveaway

We are happy to announce the first installment of Connley Walker’s security industry blog at www.connleywalker.com.au/blog

To celebrate this, Connley Walker is providing Simon Walker’s book “Operational risk management: Controlling opportunities and threats. ISBN 0957907400, 2001” as a free download.

This book was first published by Connley Walker in 2001 and has been used for many years as a university text book. The book is now out of date as some standards that it refers to have now changed, but it offers a solid structure for applying risk management. We are considering a complete re-write to bring it up to date.

The book is now freely available for download from the link www.connleywalker.com.au/ORM2001.pdf

All we ask in return is that you like us on our social media links.

EXTRACT OF A REVIEW FROM (US) RISK MANAGEMENT MAGAZINE:

“Risk managers receive countless newsletters, press releases and e-mails heralding new and exciting ideas for the profession. Unfortunately, the products rarely live up to the scores of sensational words that marketers use to promote them. Walker’s book on operational risk management, however, delivers what it promises: a truly thought-provoking approach to risk and risk management.”