EP86: Practical Ways to Assess and Mitigate Cyber, Privacy and Contractor Risks in Your Business

How are you managing key risks in your growing business? Burying your head in the sand works... until it doesn't.

This week I interview Dianne Gilbert, an expert in risk management for small to medium businesses. She helps Founders identify and mitigate risks to ensure they can continue to enjoy the business growth they're experiencing, and avoid ending up in court, bankrupt or dealing with unnecessary pain.
 

This week, we explore 3 critical risk areas in small to medium businesses and how to evaluate and mitigate them.

If you want to know where to start to address cybersecurity, privacy and sham contracting risks in your business, then this is the episode for you.

 

A BIT MORE ABOUT DIANNE GILBERT:

Dianne Gilbert is the founder of Certex International, which is licensed with JAS-ANZ to issue certifications in quality, safety, and environmental management.

Certex was established over 15 years ago and is one of the few fully Australian owned certification bodies.

As a boutique business, Certex specialises in small-medium businesses, supporting them to realise the power of management system controls so their businesses can grow and prosper.

Dianne has a background in banking and finance, then after achieving an MBA with Melbourne Business School, was a management consultant for 10 years.

She specialises in compliance, not only against certification standards, but also in the key statutory areas of employment screening and engagement, safety and privacy.

She has presented at a number of Australian and international conferences on these topics.

WATCH SOME OF THE HIGHLIGHTS FROM THIS WEEK'S EPISODE ON YOUTUBE:

 

Here are some of the best bits: 

07:23 - 14:45 - Practical steps and examples to help you mitigate cybersecurity risk.

22:31 - 35:40 - Practical steps and examples to help you mitigate privacy & data breach risks.

39:25 - 47:00 - Practical steps and examples to help you mitigate sham contracting risks.

47:01 - 49:12 - Dianne’s 4 key priorities to help you self-assess and reduce your business risks.

 

Podcast Transcript

[00:02:50] Sean Steele: Welcome back to our regular listeners and to anybody joining us for the first time. We are thrilled to have you. My guest this week is Dianne Gilbert, Founder of Certex. We met a few months ago, I guess, Dianne, which was lovely to meet you and it's probably not every day that you have people get introduced and find out that you specialise in risk management and go, wow, I really want to talk to somebody about risk management.

[00:03:14] Dianne Gilbert: This is true. Most people run in the other direction.

[00:03:19] Sean Steele: But I have a reason. So, just as a bit of background for the listeners, you founded your business in 2004, almost 20 years ago now. That's amazing. And you do certifications and you do audits of certification standards. I know a number of my clients that have things like ISO 9001 or, you know, they audit OHS standards or food safety or many things. And lots of Founders will have heard of these sort of certification systems. But what was most interesting to me in our conversation was that, I believe since 2018 you developed a suite of business risk assessment tools called the iSuite, and it helps Founders assess risks in their business, like safety, cybersecurity, privacy, contractors, recruitment, quality, ethics, stuff like that. And I think that's absolutely fantastic. When I was the group CEO at EdventureCo, one of the things that we did was actually build a whole bunch of internal best practice auditing tools, so we could go into any business that we are about to buy, or have just bought and essentially audit their entire sales function and go; okay, what does best practice look like? Where are their gaps as a sort of best practice auditing tool? And so, I'm a big believer in having something that's quality that helps you ask the right questions and answer them so you know where your gaps are. And from that you can move forward and do something sensible. So, thank you for joining me today. I'm thrilled to get to have this conversation.

[00:04:40] Dianne Gilbert: Thank you. Well, thank you very much for inviting me on and yes, I am very passionate about this area. I think it can make or break businesses and. You know, there is definitely things that businesses can do to minimise that risk, so.

[00:04:55] Sean Steele: Well, you know, and I guess the context with which I wanted to approach today was, one of the traps of entrepreneurship is growth, fundamentally. And as Founders, you know, we're very, many Founders are very opportunity focused, growth focused. They're thinking out, you know, six months to three years, and they're thinking about revenue and customers and products and services, and they're not…. Many of them are not wired, don't think, it's not sort of part of their DNA to have a black hat on or necessarily look for more evidence. They're often just trusting their gut and that is great. And that's part of how the business gets built and that is completely normal. However, we work with a lot of Founders at ScaleHQ (www.ScaleHQ.com.au), who particularly, once they pass mid seven figures, like, you know, maybe they're passing $4-5-6 million, something like that, and they've got clear sight set on breaking through 10 and then building up to 20. You are not going to get to 20 if you don't pay attention to risks, full stop. From 10 to 20, your world will come unstuck if you haven't been paying attention already. And so, my view is between like 2 and 10 is the time to sensibly and at the right speed build in some risk orientation, some risk assessments in key areas that your business is exposing. You're not going to be exposed to all of them in exactly the same way, but so that you don't, accidentally, lose your business or end up with a gigantic bill that you can't afford or have to sack half of your team or like just the pain that comes with a big risk blowing up in your face is just soul destroying when you spent all this time building the thing.
And so, I wanted to chat today because I can see, you know, there's lots of risks we could talk about, but cybersecurity, privacy and data protection and contracting are three areas I hear about regularly, and particularly in that 1 to 10 mil range quite often the level of, I guess, like maturity in your understanding of the risk itself is not there because it has, you know, it's kind of like that's something that happens to big companies and like, I don't really need to think about that yet. But that's where the problem starts. And at some point, if you don't either have yourself accountable or somebody else accountable for helping you think about these risks in a more serious way, you can lose your business, and that just makes me, there's nothing that makes me more sad than seeing a Founder who's put their whole life and soul into their business, lose it or have a major back step because they weren't paying attention. So, that's what today is all about. How does that sound to you?

[00:07:23] Dianne Gilbert: Look, I absolutely agree with everything you've said. The only thing I would say is that I think monitoring risks starts even earlier, actually. It is absolutely true. The bigger you get, the more you have to lose. And it is even more important as you grow. And it's also absolutely true that when you're growing, you want to focus on the growth because until you've got a business, you've got nothing to protect anyway. So, get the business there first. But even as a smaller business, keep an eye on those risks because they help you dedicate the right amount of management time and effort to the most important areas. Absolutely, as you grow the level of your risk control will become more sophisticated and more significant. But even the smaller businesses do need to be aware of it because when the legislation was written, it did not make allowance for your size. It does in some areas, but mostly it doesn't. So yeah, start early is the only thing I would say.

[00:08:23] Sean Steele: Yeah. Well, that sucks. And that's awful to know.

[00:08:28] Dianne Gilbert: But I am here to tell you some of the things that you can do to help with that.

[00:08:32] Sean Steele: Yes, exactly. And so just before anybody goes; oh my God, I'm not going to listen to a whole podcast on risk, and how boring, I just want to talk about money. I'm asking Dianne today to give you really practical things that you can personally do yourself in those three risk areas. So, share a bit of a story about how this is playing out, maybe things that have changed. What can you personally do as a Founder to address these risks on your own or with your team so that you can understand where your risks are and you know what to do about them. So, can we just jump straight into, I mean, you've had an illustrious career, but I don't want to get practical with you. So, maybe rather than the career story, let's actually just start with cybersecurity. Like, can you give me a story, especially, this is such a difficult, gigantic area for a seven-figure Founder is like, I don't even know where to start with cybersecurity. Talk to me about someone who you've seen impacted either business-wise or personally by not paying attention to this risk area.

[00:09:26] Dianne Gilbert: Yeah. And look, there are so many examples. You would have to be sleeping under a rock if you hadn't heard of the Medibank, the Optus and the Latitude. And, you know, they're very painful. Optus, I think…

[00:09:37] Sean Steele: Medibank, Optus, and Latitude customer, just so that we know and yep, all three have data breaches with my details. That's why I'm personally right on top of cybersecurity in my family.

[00:09:48] Dianne Gilbert: The only good thing about that is that they all have to pay to rectify it. So, it shouldn't be at financial cost to them, but you can imagine what it's going to be for those businesses. But it's not just them, it seems to be a number of people say to me, they're really too small to be caught up in something like that. Well, that's not actually true. Generally speaking, the bigger businesses will be targeted because although they're harder to break, they've got more to lose. The smaller businesses are really easy to dive into. They may not have massive amounts of data, but they're in there all the time. So, my accountant who operates from a little suburb used to, I don't work with him any longer, but he used to operate from a little suburban place up north in Melbourne. He was hacked and all of his financial records for all of us, all of his clients were frozen, and until he paid a ransom. That goes back five or six years ago, he could not operate. And then once he paid the ransom, he almost didn't have enough funds left over to repair the problem and to address the situation.

[00:10:51] Sean Steele: Can you share how much the ransom was? I'd love to know what the size of these.

[00:10:55] Dianne Gilbert: It was expressed in Bitcoin, so I don't know what it was. So, it was his challenge, not only, I mean, he had to understand what that was too, which he didn't. So, whatever it was, was significant, I would say. And it can hit everybody. So, there was a local school here in Melbourne that was hacked and the credit card information was taken for quite a number of the parents. We see so many different businesses that are being hacked. I keep a, we do a lot of work in recruitment and I keep an eye on the number of data breaches that are being recorded. Recruitment is really being targeted. Defence is so concerned, like this is a real thing and your business really needs to be aware of it. So, if you want to provide into some of those critical infrastructure asset industries such as health, banking, defence, education, you really need to have controls over your systems. Now, what that means is that you need to be aware of the risk, and for each of these three areas, I think that's the best place to start. Look at what you have, look at where there are potential vulnerabilities, and the potential for people to access the systems that you have. Generally, they could fall into three areas. The first is that it's about, what type of systems do you have? So, do you have a whole variety of systems? Are they in-house in your offices? Are you working through the cloud? Through the cloud doesn't necessarily mean that you've got greater security. It just means it's another set. It's just being held elsewhere. One would hope that that system has better controls than what you might be able to implement locally, but it doesn't protect from everything. So, what are the systems? Where are they? Who's looking after them? And I think in fact, one of the problems with Optus was that they had a lot of systems and a lot of data, they'd stopped using them even, but they hadn't taken any steps to close them down and protect them. 
So, it's not just your current, it's also your legacy systems that you've got. Find out about that. The second thing is to look at the access controls that may exist. So, often when you start a business in particular, everybody has access to everything. You've only got three people, and everyone has to do everybody else's job. So, everybody gets access to everything as they must, and then all of a sudden, you've got 150 people, they've still got access to everything

[00:13:29] Sean Steele: Or you're sharing, you're trying to save money, so you've bought one license and you're all sharing the username and password, so you've all got super admin access.

[00:13:37] Dianne Gilbert: Yeah, exactly. I know all about that one too. So yeah, we've all been through it. But that is a massive risk and in fact that was the background to the Medibank and quite possibly the Latitude one as well, that once, firstly it was human error that possibly opened up the initial access, but then the fact that the sensitive data wasn't zoned off into different areas meant they could just grab the whole lot, which is what they did. And the only thing that restricted it was that, at least in the case of Medibank, they observed that there was this suspicious activity and they shut it down. But not after a vast amount of data had already been released, but it was widely accessible. They got into the system, could go wherever they please. So, keep it locked into the areas that are important. And that might mean, for example, that information about your individuals' personal sensitive data, any credit card, or it's another whole field if you're holding credit card and financial information. But keep that locked away and separate.

[00:14:45] Sean Steele: And I think there's two things there. Like, you know, in education you end up dealing with quite, because there's two … one is, you know, we're talking about cybersecurity. And so essentially someone getting into your system. And then the second part is all, what are they actually going to get access to based on the severity of this data. And you've always just got to imagine what's going to happen to my business if this information gets published on the internet and what happens to the protection? What's the risk for the person whose data I've just shared? Because that's probably the, you know, so yes, it could be your financial data, in which case you're like, all right, well it's my stuff, maybe I don't think that's such a big deal, you know, but for your client's data or your employee's data, you know, their full name, date of birth, address, like everything that you've got in your HR system, like everything that you've taken as induction, their superfund, their tax file number, their BSB, the account number, like all the stuff that you have, just imagine that that's hit the front page of the newspaper. You've got to think through that. So, for example, in education we had, we had to lock down a lot of data with using, to your point, the user controls, the permission levels because we had students, unique student identifiers, we had students' tax file numbers, we had like really sensitive data. And some of these students, quite a few, were under the age of 18. So, the risk level just went through the roof in terms of protecting the data of someone who's under 18. And so, we had to really scrutinise, we had to obfuscate data and we were using Salesforce, so that was great. Had a good capability to go. No one should be able to see this. There's only like three people in this organisation who can actually even see this field. It's just all sort of blurred out or X's or whatever.
And one of the big risks, and I see, I had a client with about, I think they got maybe 50 to 80 people. They had somebody download a spreadsheet. Luckily their system could kind of audit, but somebody had left the organisation. Last thing they did was to download a spreadsheet of like 40,000 customer records and stick it on the Excel sheet, put it on a USB key and leave. And so whilst the business was able to identify that it happened, it had already happened. So, they weren't prevented from downloading it. That feature was quite available to them, which I know all sounds scary, but it’s a level of consciousness about how do we close up some of these holes.

[00:17:03] Dianne Gilbert: Yeah. As you're talking, Sean, the word comes into mind, Amateurs. You do not want to be seen in the market when you're putting all your effort into building this business and this new product and service, you don't want to be seen as an amateur. And that is, if you make a rookie mistake like this, it might not actually be your fault, but it won't matter, the market will see it the way they want to see it. So, often it's way more than the financial costs and they are significant, it's the reputational damage.

[00:17:35] Sean Steele: Yeah. So, sorry because I interrupted you. You were on step three, I think.

[00:17:40] Dianne Gilbert: Yeah. Okay. Thank you. And the final thing is to have it managed so it's not set and forget. In fact, even in the office in my business yesterday, we were saying; okay, in the same way that we have a bookkeeper who's in every week who keeps an eye on stuff, we might make our own internal transactions, but we have someone oversight on a regular basis. Do the same for technology. We are so dependent and we are so ignorant of how it works. We really need to have people who keep a close eye on it, who report regularly, who monitor what's going on. So, had there been monitoring of what are the security protocols, who's left the business, who has access to this now, who is even been promoted, what extra level of access they get. All of that stuff needs to be very carefully kept an eye on and any attempts to hack. So, managing it, monitoring it, and watching it, it's very, very important. So, they're the three things there.

[00:18:39] Sean Steele: Okay, and one of the things from cybersecurity that I learned, because, you know, one of the businesses we bought in my last gig was the largest IT training company and had probably the most extensive cybersecurity training suite. One of the things I learned through that process was that, 97% of your vulnerabilities are in the front line.

[00:19:01] Dianne Gilbert: Yep.

[00:19:01] Sean Steele: So, if you've got a team of, even of 5 people, 10 people, 20 people, doesn't matter. Those people at the front line are usually the ones who have the least training in cybersecurity. And so, they're the ones clicking on links. They're the ones that don't spy the phishing email properly. They're the ones who see the email that you may have already normalised in your own head what a slightly dodgy email looks like, but you can't assume that everybody else actually knows that. And basic cybersecurity training for your frontline is cheap and it's easy and there's platforms all over the place that provide it. So, as a really like firebreak stage one before anything else, like train the people who are actually receiving the emails from customers with the email, the common inboxes, all those sorts of things. Like they're the ones who are likely to click on something and all of a sudden you've got some malware, and all of a sudden, somebody is inside your network before you've done anything else. That's the leakiest part of your ship.

[00:19:59] Dianne Gilbert: It is, a hundred percent. And you asked me earlier, Sean, to think about if there was one thing I would recommend in relation to cybersecurity. It's, don't use emails. Pretty much don't use them. They are so dangerous. They are the source of phishing. They are the source of so many problems. They're also a really bad communication tool. They're excellent for backing up. Excellent for confirming. They're really bad for everything else. So, my one single tip, there are more, of course, there's the Essential Eight. There's a whole lot of security controls that you can put in place. There's even if you want to go…

Sean Steele: What’s the Essential Eight?

Dianne Gilbert: Oh, the Essential Eight is made available through the Australian Signals Directorate, which is the government body setting security standards for all industry. There are a wide range of tools that they provide with that. There's actually 37, I think, different measures that they recommend, but these Essential Eight will give a 93% level of protection. And they're things like password controls and staff training and having the necessary protocols in the business, that sort of thing.

Sean Steele: Great.

Dianne Gilbert: It's still not simplest.

[00:21:09] Sean Steele: Can you maybe after this interview, can you send me the link to that and we'll make sure that we include it in the show notes for people. And one of the things I like that you said there is, I'm already feeling if I've got my Founder hat on, I'm already going, I don't have time for this. I don't have the skills for it. I don't know where to start. How am I going to keep it up? I'm not very good at maintaining things, blah, blah, blah. It's like, okay, great. Set aside a bit of money. Get a contractor or a company who can help you do those things, give them that list and have them work through the list. Like at least you can take away. You are never going to absolve yourself of all cyber security risk. You know, that's not going to happen. They're going to move fast and you can’t, but you absolutely can get rid of the 80% with 20% of the effort, like close up the things that are actually obvious and that somebody else can just help you systematically build in over, even if it's over 12 months. But starting and having somebody accountable for thinking about it with some kind of framework is going to take you a long way there.

[00:22:07] Dianne Gilbert: Yeah. Oh, look, absolutely. I think that's the way, I mean, the word in the industry is that there are two types of people in this world, those that have been hacked, and those that will be it. It is absolutely a real issue, and the bigger you are, the harder it is to manage. But yes, you've got to start. It's very important.

[00:22:28] Sean Steele: Okay. Cybersecurity. Should we talk about privacy?

[00:22:31] Dianne Gilbert: Let's talk about privacy because that's very closely related to security because one of the very valuable assets that can get stolen if your security isn't up to scratch, is personal data. Could be financial, could be other things, but it's also personal. Now, oftentimes there's a confusion between what's private-personal information and what's confidential. And whilst there's no hard and fast definition, privacy is all around the information of the individual, what could be used to identify them. And with the new reforms that are coming through in the next 12 to 18 months, that definition will be expanded to include identifying them not by person, address, name, image, but by the device that they use, because, yeah, online, that's who we are. We are the devices that we use, but that's personal. Confidential is information about the business. What's your customer list, your business plans, all that kind of stuff. Now, both are very important, but privacy legislation refers to the personal information. And there are, well, the three that we mentioned with the cybersecurity, they’re all included. Personal data, but there's been others. One business I'm working with right now is a very successful recruitment business up in Brisbane, and they've done incredibly well. They've got now, I think, nearly a hundred staff, so they've grown well that sizeable for this industry. And they've recently been attacked, I guess is the word to describe it by one of the candidates. The candidate didn't get the job and was pretty unhappy and has been pursuing them now for bad practice in relation to a police record check. So, I won't go into the details, but it's enough to say that this is highly sensitive information, and in the absence of a very strong privacy framework, that business is leaving itself open to this kind of attack. 
Because, as you said earlier, you can't close off every loop, but what you can do is you can have a really strong framework to say, this is how we see it. This is how we manage things, and if an accident happens, that's what it is. Otherwise, it's negligence.

[00:24:52] Sean Steele: So, can you maybe give a couple of common examples? So, for example, I mean, that's a good example. So, sounds like candidate has had a police check done as part of the process and somehow that police check has been provided as information to a client without their permission or something like that. Okay. What would be a couple of other common examples?

[00:25:08] Dianne Gilbert: Correct. It pretty much is but it was complicated by the fact that the police check had technically expired, so it had hit the, I can't think of the term, but whatever it is that describes that it was no longer relevant and shouldn't have been mentioned. So, that's what they're going through. And apart from the time and trouble it's taking and distraction to the business, they've paid in excess of a hundred thousand dollars in legal fees already in that the…

[00:25:36] Sean Steele: To protect themselves.

[00:25:38] Dianne Gilbert: Well, just to see if they can argue this case and they may or may not win it. For many other recruitment agencies, there are some ridiculous cases where candidate files have just been left outside, where businesses have been sharing the information, there's been no closure once people have left there. So, Privacy Information being picked up by others is a very big issue, and it's only going to get bigger, and the reason for that is that we've got the reforms coming through. So, any business that has any links to Europe at the moment needs to comply with the GDPR requirements, which are extremely onerous, highly prescriptive. We in Australia don't have the same level of controls, but we're seen as a country which has a few gaps. So, the reform is seeking to close them. A couple of those changes are likely to be that that 3 million turnover threshold will be eliminated. Meaning every business in Australia will need to comply with the Privacy Act. So, you may have started as a young business thinking, you don't have to worry, but you will soon.

[00:26:52] Sean Steele: Can you just give us a little insight to what are some of the things that, as a result of the Privacy Act that you really need to pay attention to protecting? Like what are the most sensitive areas or the most common problems?

[00:27:05] Dianne Gilbert: The most challenging, well, there are a couple of areas, but one is collecting information you don't really need. So, recently I booked online to park my car and was asked my postcode and my name. What relevance is that? So, many businesses collect way more information than they need, many businesses, again, like Optus, they collect it for way too long. Some businesses, if they trade, even have the mistaken belief that part of the value of the business relates to the volume of data that they hold. In actual fact, it's a liability, not an asset. So, if you no longer need it, you shouldn't hold it. Some businesses make the mistake of collecting data because it's convenient to do so, not because they need it at that point. So, you may be collecting a credit card information or information that you think you may need in the future, but you don't need right now. Well, that's not acceptable either. But again, it gets…

[00:28:05] Sean Steele: I can think of an easy example of that. You know, are a business who wants to send, I don't know, potential clients and clients, something on their birthday, but rather than asking for the day and the month, you ask for the day, the month, and the year. Well, why do you need the year? You doing anything with that? Now all of a sudden, you've got something that's extra sensitive, even though you've already covered, captured something that's sort of partly sensitive, you've now got something you don't need. And you just created a problem for you, like a maintenance problem for yourself. Because now you've got to do something with that.

[00:28:34] Dianne Gilbert: Yeah. Exactly right. Look, that's quite true. Another example is if you are recruiting staff to ask their nationality, well, that's not information that you need, and it could cause a diversity or equal opportunity problem as well. All you need is to know that they've got the right to work in Australia. Similar question, but slightly different. So, it can be how you ask the information that can be relevant too.

[00:29:00] Sean Steele: So, what steps would you have somebody go through to sort of self-assess? Actually, what are the sort of consequences for a privacy breach? Can you give us an example of, you know, you obviously talked about, well, number one, you're going to have a whole bunch of legal fees if you end up in some dispute with someone over privacy problem. But what about actual penalties?

[00:29:19] Dianne Gilbert: Well, with the reform come new penalties, it's up to an outstandingly painful figure, like 50 million or a certain percentage of the profit that you make over a period of time. Those penalties are almost unimaginable, so don't focus on those. It's more to do with the rectification and again, the reputational damage. They're the most likely issues that you're going to be facing. I mean, why would people share information with you if you can't be trusted to look after it? So, again, I'll take you through a couple of steps that you could do, but the one single piece of advice is put yourself in their shoes. What would you like to have done to protect your data? How would you prefer to have it used? I have another example of stuff to remember. Again, it's a recruitment example. Medical locums who get placed in hospitals will be asked to collect information on their vaccination status. And that's not unreasonable because hospitals are pretty high-risk spaces and you can catch diseases. And it used to be, and I've seen many examples of this, where once the vaccination records were collected, they were broadcast to all of the hospitals. So, all of the hospitals would have information on the locum, the STD status. And in two cases, the HIV status, which was positive and the poor, an individual didn't even know that. But now everybody in the hospitals do. So that's absolutely appalling. Would you like that to happen to your data? And that's the question that you need to ask yourself in your business. What are you collecting and how would you like your data to be managed? And I think we've got a better understanding of that now. Like the privacy has been in place since 1988, it's been around for yonks and we've previously had the view that; well, it's okay, no one can really cause any damage. We rather the service, it's more important than what is being done with the data. But that mindset is now shifting. So, to keep in mind that, so steps to…

[00:31:27] Sean Steele: So, just before you get to steps, one of the things I really like about us thinking about the sort of psychology, if you think about where often this happens, it's very innocuous, right? You know; hey, we're going to need to, like let's say in an education business, we need to enrol students in a course, somebody builds a form, but how much thinking goes into what fields you need in the form? And some people are form happy and field happy, and they're like, oh, this would be interesting to know. This would be interesting to know. And so, it's almost like you need to start with completely the opposite, don't you? You need to start with what is the bare ass minimum we must have and anything else, I really like that context of like; I don't want any data in my business that I do not need because I have now got a much bigger problem in protecting it, obfuscating it, deleting it, clearing it out. Like I don't want to have that exposure. So, you should almost be scared of every form that you've got and ask, do I have any data that I don't need? How do I get rid of that data so I can actually protect myself? Yeah. It's quite a big flip, rather than going; oh, I just get as much as possible because I'm sure at some point in the future it'll be valuable to me. Well, yeah, it can easily be the opposite.

[00:32:33] Dianne Gilbert: Yeah, I think you've explained it really, really well there. You've summarised it beautifully.

[00:32:38] Sean Steele: So, the steps are?

Dianne Gilbert: So, the steps are not dissimilar from the cybersecurity. The first is do an investigation to find what data you are collecting, what are you holding, and at what point in the process are you collecting it. So, you do a major mapping exercise of what have you got. Then you look at the risks. Are you collecting the right data, holding it in the right places? Is it sufficiently secure? Is it available to everybody when it should really only be available to a few? And then have a… the other thing to think about is an external assessment because oftentimes you don't know what you don't know. And I think particularly… well, no, all three topics, really having somebody else to come in and have a look at it and ask the question. Why do you really need this? How long are you holding it for? Where is it, how is it being destroyed? And destruction is not the same as archive, for example. Yeah. But some people don't understand that and they find it very hard to lose. And then again, too, there are differences in understanding: some data that you collect might be in relation to an individual, but it represents your business activities. So, well, if you've had an interview with a person for a job and you make an assessment on their skills and their capacities, that's your information. You need to have that because that's evidence that you followed the proper process internally. If you employ them once and then they leave, subsequently, the information that you hold on them when they're an employee, that's your business data. You must hold that. It is about an individual, but it still is your activities and you need to hold onto it. So, there's a lot of quirks and complexities. I was asked yesterday, now that the legislation has gone through for Victoria regarding deletion of COVID-19 vaccination data, how do we handle it? Yeah. It's not easy, so having somebody to come in and overview what you are doing can be very helpful.

[00:34:39] Sean Steele: Is there a, if you were just dealing with, if we kind of just roll back up to privacy principles, I'm assuming there's probably some really easy to follow, almost like cheat sheets without having to read like 400 pages of legislation. There's probably some nice summary-based stuff to kind of go, okay, as you said before, if you follow these 16 steps, you'll actually take care of 93% of the risks and you probably won't deal with the 7%. But actually, you know, they're probably going to require the next level up. Like how do we get rid of the basic ones? Any resources you can point us to for Founders to follow?

[00:35:09] Dianne Gilbert: The OAIC website has a lot of information, but as you would expect, it is expansive, comprehensive, covers everything, and it may not apply to you. There are various places, businesses that specialise in providing privacy information, but I'd have to say, look, I honestly don't know anyone else that provides the same service that we do for one hour we give you the assessment. Maybe there are, I don't know.

[00:35:40] Sean Steele: Yeah, I think one of the things that I would encourage Founders to do is in circumstances where, I think back to some of the risks that we had to address in education. One of the issues when you don't have any policies developed, so let's just say for example, in a large education institution, someone needs to be accountable for the enrolment process, which includes what data is captured, what things are asked for, are they compliant, blah, blah, blah. One of the challenges of many organisations is that nobody is actually accountable for the policy that drives what data is captured in that area. Now, you may not have a policy today, but in the absence of making somebody accountable, actually what you do is you try to make everybody accountable. And then when something goes wrong, you're trying to blame everyone. And the moment you actually say; Sean Steele, you are accountable for the enrolment process and every bit of data that gets collected in that process and the protection of the data that's come from that process, all of a sudden Sean Steele cares a hell of a lot about the risk to Sean Steele, because now he's got his name on a document that everybody can see that he is the accountable person for that data, and all of a sudden, Sean Steele will skill himself up on privacy principles, on the Electronic Communications Act, on anything he needs to know about. And this is obviously a real-life scenario that happened to me as I was growing up as an executive. Because I realised all of a sudden, I was enrolling 12,000 students a year across many different entities, all who had different processes. And I actually had to get my head around our obligations because we could be very easily exposed if we didn't manage it well. And so it's an interesting, one of the things that I think can be almost a tip for Founders is, again, Founders who are like glazing over already.
Because they're just going; oh, like my brain is just not wired to think about risk. There's probably somebody in your business who already is wired to think about risk or somebody that you trust who is in your, like your accountant or someone like that. Like somebody who already is wired to think, to look for mismatches, who looks for problems, who looks for data that doesn't make sense together. Like there's usually somebody around. Now again, it might be a finance person, it might be a legal person, it might be an administrator or who knows, but you set up a bit of a rhythm of like looking at though… It's a great professional development opportunity for the individual. It gives you an extra set of eyes and ears on the problem. They may still need support from Certex or whoever, but they're going to actually learn a hell of a lot and be able to help you just systematically tackle those things one at a time over a period of time. You're not going to do it all at once. Start with the biggest risk, where you think you've got the most exposure, and then work your way through the other ones, but build it into a systematic meeting. You know, we teach our Founders to build, we have risk committee structures, we've got risk frameworks. We help them identify all the kind of big areas and make sure there's some quality of collaboration, talking about it, right questions being answered. Then there's a bunch of activity that follows it. That's a nice thing to do, subject to the size of the business. But the reality is, if you don't allocate anyone to it and you don't make anybody accountable for managing it, it's just not going to happen. So, even if it's complex, that's part of the self-managing process without having to rely on external parties is to internalise some accountability.

[00:38:56] Dianne Gilbert: Yeah, look, you're absolutely right. And in the same way that safety now puts the responsibility right up there with the most senior managers of the organisation. So does privacy. It requires a management system where the ultimate responsibility is at the top. The implementation has to be across the business. So yeah, I think that's really important to recognise that, the business has this responsibility, and in fact, people in the business have this responsibility.

[00:39:25] Sean Steele: Can we talk about … I'm conscious of our time. Let's talk about contracting. Like, you know, contracting has, feels like it's one of those risks. And let's be forthrightly a big fan of variable cost models. You know, teaching in programs have seen it's incredibly valuable in businesses to help you have your costs rise and fall with your revenues so that you're not carrying lots of fixed costs. Because that can be as big a risk as anything else. You know, you build up all your fixed costs to meet some temporary revenue, the revenue disappears, you're carrying too much cost, and all of a sudden, you've got huge problems in the business. That's actually a risk. So, contracting can be a great way to build a more flexible variable cost workforce. But of course, you then have to go to the next level of detail and go, are these people actually contractors? Are they actually employees? What all of a sudden if that line is blurry, what's my exposure? So, can you please talk to us about what does contracting risk look like these days?

[00:40:19] Dianne Gilbert: Look, it is no less risk than the other two areas that we've talked about. But it's probably harder to understand. The legislation has been changing, but more to that, it's the courts that have been varying their interpretation on that. So, it's actually not fully clear what we've got right now. Some contractors are clearly that and others should be employees. You made the point earlier when you might be buying a business, sometimes you need to do your due diligence because otherwise you could be slammed with something that's hidden. And this is a classic area because if the business has previously been using contractors, now they're claimed as employees, penalties, $93,000 per individual where there's a breach plus all of the penalties. So, superannuation, long service leave, holiday leave, all that kind of stuff. It can be an incredibly expensive exercise to get it right. But as you say, there's a real need to use contractors, and how do you get to have that flexible workforce? Or insecure workforce. We're seeing other pressures there too.

[00:41:30] Sean Steele: Even though there may be a few discrepancies and a bit of subjectivity depending on the case, what are some of the things that are the most important things to consider as to whether this person is going to be a contractor or is going to be perceived as an employee?

[00:41:42] Dianne Gilbert: Okay. Out of more recent court cases, we find that now the agreement that you strike is the place where they will start, but it could be overturned because you cannot make an agreement and then go and manage the relationship a totally different way, but do be very clear in the agreement. One thing that, so in the agreement for contractors, it needs to be things like, that the contractor has the right to perform the work the way they choose at the time they choose using their own equipment and they have the right to decline that work as well. Unlike an employee who will pretty much, you would expect them to do as they're told in a way or as instructed, really. But contractors are different. They do it their own way. So that's one thing. Another is that if you have them working for you and nobody else over a very extended period of time to the point where they've pretty much become part of your system, it's hard to disengage them from the employee status. There are various others…

[00:42:45] Sean Steele: There used to be a sort of 80%, from recollection, a sort of 80% rule, like if they're making more than 80% of their income from you, then you are likely to be considered to be their employer. Is that still something that is sort of considered as a factor?

[00:43:01] Dianne Gilbert: It's a useful rule of thumb, but it's not being contemplated by the judges in any of the recent cases. So, it's not, it's the alienation of personal income, I believe, and I don't believe that it's still a real factor. It might be for the tax office, but not when it comes to fair work or decisions around contractors.

[00:43:20] Sean Steele: If those people are not providing, are not contractors, like, you know, just sole traders with an ABN, with an Australian Business Number, but they actually operate under a company structure, so they may be a sole director, but they're providing, they're using a company structure, not an ABN structure, do you think it makes a difference to the likelihood?

[00:43:39] Dianne Gilbert: It can, it still may not be adequate because you still need to look at the other factors, how they're working, how long under instruction and whatever. And one of the traps that many businesses fall into when they use a company is that they pay them as if they were an employee. So, they use this, and this is a whole problem with sham contracting. They use it as a mechanism to underpay. In actual fact, when you're paying a contractor, it's the contractor then that's responsible for tax and superannuation. You need to pay them enough, insurances as well, to cover all of those expenses. Now, very often, contractors are professionals, IT, project managers, engineers, and they expect that, well paid and that will be well covered. So, having a cover company can be very helpful, but it's like the other measures, any one of them is not sufficient on their own. So, you need to think for.

[00:44:33] Sean Steele: Very interesting. So, you know, I think this is really an area where if you are using contractors, it doesn't cost a lot to get somebody who's got external expertise to look at what you're doing, look at the agreement, look at how it's set up, look at all the contracting arrangements, like inside a day, I'm sure you would get some exceptional feedback from somebody who knows what they're doing, from an industrial relations perspective to go; are these actually sham contracting arrangements? Or are some of these people high risk and others fine? But it is big exposure, right? Like, you know, you get this one wrong, and as you said, it's not only the penalties, it's the back pay, all of a sudden, you'd have this person for five years and now you're going back and adding on top super, you're adding PAYG, all sorts of tax payments and things, bit ugly.

[00:45:22] Dianne Gilbert: Yeah, that's true. And the trigger for any of these problems can come from many sources. I've seen when somebody was terminated from a role, they went straight to fair work to say, well, we're not really a contractor. We're not really a contractor, we're an employee. It's an unfair dismissal case. And that was supported. We see it when there's a… any time an individual can become upset, this is one of the, if they go to a lawyer in particular, this is one of the approaches that they'll explore. So, it's a real issue.

[00:45:56] Sean Steele: And you know, certainly, our audience is not full of people using kind of gig economy style workers where it's really small packages. But of course, there's lots of big cases around the world with the Ubers and so on around are these people employees, are they contractors? And I mean, fundamentally a lot of them are, I don't want to get into it, but it's a hot topic. It remains a hot topic. There's been some pretty big cases of relatively small businesses that have been super exposed. And so, it's just one thing that you want to have, you know, I always think about this stuff as like sleep at night factor stuff. Like, you know, I don't want to be lying awake at night wondering if tomorrow all of my customers' data has just been exploded across the internet, or I'm being held to ransom because of it. And when I pay that ransom, I may or may not actually have alleviated that risk whatsoever. So, great. I've paid some money, maybe I've got access to my computer again. But it doesn't mean that I'm unexposed. I'm still exposed. I've just paid a lot of money. You know, difficult situations to be in.

[00:46:58] Dianne Gilbert: Yes, exactly.

[00:47:01] Sean Steele: Dianne, we are kind of heading towards probably a sensible place to wrap up. What haven't we talked about that you would really like to get across to help people get out of overwhelm? Because you can listen to a podcast like this and go; oh my God, my business is going to fall apart. I don't know what I'm doing, it's too hard and maybe I don't want to use an external party, and so forth. Like what advice would you give to a Founder who's maybe feeling a little overwhelmed by some of the potential risks in this area?

[00:47:28] Dianne Gilbert: Yeah, look, I would always suggest you just start with that word, risks, just to sit down and ask what could be likely to hit the business. So, go through each of the categories that we've talked about this morning, and there would definitely be others as well that you'd want to look at. Not all risks are ones that you have to worry about, if you evaluate them in terms of consequence, but also in terms of likelihood. It's only the high highs that you have to be worried about, really, at least initially anyway. So, get your head around what those very high-level ones are and work through. As you do, I have a little four-step mantra that I always mention that I think can be helpful to put it into some kind of a context. The first is that you do need to understand your legal obligations as a business, because ignorance never was an excuse. The second is that you should be putting your policies and procedures in place that not only reflect the legislation, but that reflect your business because your business is different. It has a different set of expectations, different stakeholders, so you can adapt it as you need. The third is to implement, and the final is to keep records. If you have all of those things in place, then if anything goes wrong, you can point to a framework. You can point to the fact that, I think, as I said at the beginning, if something has gone wrong, it is an accident. If however, you don't have that in place and it's considered negligence, then you're in a whole different world of pain. So, start with the risks and consider those four elements, and you don't have to do everything at once. It's just the high highs you begin with.

[00:49:12] Sean Steele: Very well said. And as I mentioned before, Founders who are listening, if this is just so far out of your skillset, which by the way, it's out of my skillset, it's like, my DNA just lights up in all the wrong ways to go; I don't want to spend any time thinking about this. And yes, I will because I have to, but actually, find somebody who's actually wired to think about this, enjoys it, and sees the patterns and sees the mismatches because they're probably going to be better at thinking through this process. So, get somebody to support you in the process, whether they're internal or external. Have somebody just help you build the capability over time, starting with the biggest risks working through to the lowest. Like it's an ongoing, it's not a one-off thing, it's an ongoing piece of work that you've constantly got to be evaluating, but it has to form part of your business. If you want to break through eight figures, you're putting yourself and all of your people and all their families at big risk if you don't start to pay attention at some point. So hopefully, whilst this may have felt like a bit of a harsh wake-up call for some, and someone might be feeling a little overwhelmed, it doesn't have to be overwhelming. Dianne has given you some great practical steps to get started. We'll have some resources for you in the show notes. And I really appreciate you sharing your perspective on how our Founders can protect the businesses that they put so much heart and soul into. Dianne, thank you very much for today.

[00:50:23] Dianne Gilbert: It's been my absolute pleasure. Thank you very much, and I hope it's…

[00:50:26] Sean Steele: If our audience wanted to get in touch with you or learn more about the iSuite of tools that you've got, where would they go?

[00:50:32] Dianne Gilbert: They can go to our website on www.certex.com.au. And our contact details are there, or they can email to [email protected]. And we'd love to hear from them. We can help with the initial assessment. The other thing we're developing right now is an external internal support, so we can act as an external advisor for you. You may still have the responsibility. We can't shift that, that's legal, but we can provide all the support as an external party. So, we know there's a problem area and we're here to help with it.

[00:51:13] Sean Steele: Lovely. Well, thank you so much, Dianne. Really appreciate your wisdom today. Thanks so much.

[00:51:18] Dianne Gilbert: Thank you very much, Sean.


About Sean Steele

Sean has led several education businesses through various growth stages including 0-3m, 1-6m, 3-50m and 80m-120m. He's evaluated over 200 M&A deals and integrated or started 7 brands within larger structures since 2012. Sean's experience in building the foundations of organisations to enable scale uniquely positions him to host the ScaleUps podcast.
