Top 4 Strategies to Handle High Risk Employee Terminations

For most employers, employee terminations are stressful and difficult. Beyond the risk of a terminated employee seeking recourse for unfair dismissal under the relevant provisions of the Fair Work Act, businesses may suffer damage to their reputation and have to divert resources to defend claims made against them. Terminations can also affect morale and culture, and in the worst case a disgruntled employee may pose a safety threat.

Regardless of the reason, employee terminations should be handled in the most professional and ethical manner with precautionary measures being taken to minimize risk. However, there are many cases in which an employee poses a risk to the company based on past behaviors and/or actions.

While it can be difficult to eliminate the risks of firing an employee entirely, undertaking an appropriate process in advance of the termination of employment can significantly reduce risks. This blog is designed to help you terminate employees effectively while protecting employees, yourself and the company.

We will help you understand

  • Who is a High-Risk Employee?
  • When is it acceptable to terminate an employee?
  • 4 Strategies to handle high risk employee terminations

Who is a High-Risk Employee?

Termination reasons range from matters within the employee's control, such as subpar performance, to matters beyond their control such as downsizing, mergers and organisational restructuring. Many factors feed into the decision to let an employee go. People have different coping mechanisms and will react differently to such news; some will react badly, even violently. These terminations are regarded as high-risk.

Six warning signs that an employee may turn violent include:

  • Alcohol and drug abuse
  • Constant conflicts with colleagues, friends, family
  • Financial distress
  • Mental health issues
  • Job-related complications
  • Marital problems

In particular, if an employee is being terminated due to serious misconduct related to harassment or previous incidents of violence, employers are placed in a difficult position. On the one hand, they need to terminate the employee as soon as possible to prevent further incidents. On the other hand, they may trigger another incident due to the termination.

Employers should not be deterred from doing the right thing by their other staff, and should proceed with the termination – however, there are ways to minimise the risk of another incident.

When is it acceptable to terminate an employee?

Your first step should, of course, be to ensure that the termination is reasonable. While it is no justification for violence, it is understandable if an employee is upset or angry about a termination that is unfair or unreasonable. And even if the employee does not react badly in the moment, an unfair or unreasonable termination exposes you to legal action. Below are guidelines on fair versus unfair dismissal from several jurisdictions.

Australia

According to the Fair Work Commission, an unfair dismissal is one that is harsh, unjust or unreasonable. The Fair Work Commission may find that an employee has been unfairly dismissed if all of the following apply:

  • the person was dismissed
  • the dismissal was harsh, unjust or unreasonable
  • the dismissal was not a case of genuine redundancy
  • where the employee worked for a small business, the dismissal was not consistent with the Small Business Fair Dismissal Code

When determining whether a dismissal is harsh, unjust or unreasonable, the Commission considers all of the following:

  • whether there was a valid reason for the dismissal related to the employee's capacity or conduct
  • whether the employee was notified of that reason and given an opportunity to respond
  • if the employer did not allow the employee to have a support person present at any discussions about the dismissal, whether that refusal was unreasonable
  • whether the employee had previously been warned that their performance was unsatisfactory
  • whether the size of the business, or its lack of dedicated human resource management specialists or expertise, affected the procedures the employer followed when dismissing the employee
  • any other matters the Fair Work Commission considers relevant

According to the Fair Work Commission, the more serious claim of unlawful termination arises when an employee is dismissed for one or more of the following reasons:

  • a person’s race, color, sex, sexual orientation, age, mental or physical disability, marital status, family or carer’s responsibilities, pregnancy, religion, political opinion, national extraction or social origin (some exceptions apply, such as where it’s based on the inherent requirements of the job)
  • temporary absence from work because of illness or injury
  • trade union membership or non-membership or participation in industrial activities
  • being absent from work during maternity leave or other parental leave
  • temporary absence from work to engage in a voluntary emergency management activity
  • exercising or planning to exercise a workplace right by making a complaint or inquiry in relation to your employment, or participating in proceedings against an employer.

Not every employee is eligible to bring an unfair dismissal claim under the Fair Work Act 2009, but all employees are protected from unlawful termination.

Acceptable reasons for termination may involve:

  • Inability to fulfill requirements of the role
  • Poor performance
  • Misconduct or inappropriate behavior
  • When a role is no longer required

Nonetheless, whether dismissal was fair in the above circumstances depends on the handling of the termination and whether a fair process was followed. 

United States

In the U.S., the Equal Employment Opportunity Commission (EEOC) enforces federal laws that protect employees from termination on the basis of race, religion, age and other protected characteristics.

Age Discrimination

The Age Discrimination in Employment Act of 1967 (ADEA) protects certain applicants and employees 40 years of age and older from discrimination on the basis of age in hiring, promotion, discharge, compensation, or terms, conditions or privileges of employment.

Disability

Section 503 of the Rehabilitation Act of 1973 prohibits federal contractors and subcontractors from discriminating against qualified individuals with disabilities, and requires affirmative action for them, in all aspects of employment.

Race/National Origin

Title VII of the Civil Rights Act of 1964 prohibits discrimination in hiring, promotion, discharge, pay, fringe benefits, job training, classification, referral, and other aspects of employment, on the basis of race, color, religion, sex or national origin. 


The Immigration and Nationality Act prohibits employers (when hiring, discharging, or recruiting or referring for a fee) from discriminating because of national origin against U.S. citizens, U.S. nationals, and authorized aliens, or discriminating because of citizenship status against U.S. citizens, U.S. nationals, and the following classes of aliens with work authorization: permanent residents, temporary residents (that is, individuals who have gone through the legalization program), refugees, and asylees.

Read more on the U.S. Department of Labor website about the different rights and protections.

Reasonable reasons for termination of employment may include:

  • Incompetence, including lack of productivity or poor quality of work
  • Insubordination and related issues such as dishonesty or breaking company rules
  • Attendance issues, such as frequent absences or chronic tardiness
  • Theft or other criminal behavior including revealing trade secrets
  • Sexual harassment and other discriminatory behavior in the workplace
  • Physical violence or threats against other employees

All of these behaviors are impediments to the proper functioning of your business. The first three can directly impact your business effectiveness, reduce profits, and hurt morale in the workplace. The second set of three pose risks to the health, safety, and reputation of your employees, customers, and the business in general.

United Kingdom

According to the U.K. Government, valid reasons for termination of employment include:

  • their capability or conduct
  • redundancy
  • something that prevents them from legally being able to do their job, for example a driver losing their driving licence

Even if you have a fair reason, the dismissal is only fair if you also act reasonably during the dismissal and disciplinary process.

There’s no legal definition of ‘reasonableness’, but if you’re taken to an employment or industrial tribunal they would consider whether you:

  • genuinely believed that the reason was fair
  • carried out proper investigations where appropriate
  • followed the relevant procedures
  • told the employee why they were being considered for dismissal and listened to their views (in Northern Ireland, the employer must do this in writing)
  • allowed the employee to be accompanied at disciplinary/dismissal hearings
  • gave the employee the chance to appeal

4 Strategies to Handle High Risk Employee Terminations

Host the meeting in a neutral location

When dealing with a potentially high-risk termination, hold the meeting in a neutral location; the employee will feel less cornered and is less likely to be provoked. Where the employee has a history of violence and may pose a risk to you, colleagues or the company, ensure a third party is present during the meeting, and have security in the vicinity or in the room where the termination is taking place.

Draft the termination in advance

Do not terminate on a Friday or before a holiday: the free time gives the employee room to dwell on the news and consider revenge. According to FBI statistics, 77% of violent attackers spent a week or more planning their attacks. To soften the blow, offer the employee immediate outplacement services.

Think of security as an on-going process

Visible, on-going and well-planned security is critical to preventing violence or upheaval. Performing continuous reviews of security measures, testing new ideas and keeping security flexible, are all part of a living, breathing security strategy.  In the workplace, situations and circumstances change all the time— new employees are brought onto the team, office spaces are renovated and revamped, employees are promoted or fired, etc.— which is why your security needs to be adapted and updated as necessary. For example, as part of a commitment to building a more comprehensive security strategy, you may consider hiring a third-party security company to perform in-depth background checks on new staff members. Understanding employee histories plays a pivotal role in preventing workplace violence.

Change passwords and deactivate the employee's badge or keycard; if necessary, change building locks as well. Security guards manning the building should be notified so that any attempt to re-enter is reported. Ensure no system access remains whatsoever: a changed password does nothing if the employee still holds SSH keys, API tokens, VPN certificates, active sessions or the password to a shared account, so revoke or rotate each of those too. Closing every door also guards against data theft or fraud after the employee has left.

Practice Open Communication

When terminating an employee, many challenges can be attributed to a lack of clear communication. Establishing open lines of communication, particularly when dismissals or terminations are expected, is crucial. When the reasons for an employment action are communicated, and an opportunity or platform to engage employees about the situation is created, the chances of a backlash are reduced. Engaging in open, consistent and honest dialogues with employees—not just via emails, text messages or notices pinned to office doors—reduces the risks associated with employee terminations. Ultimately, making time for face to face conversations with employees will lead to eased tensions, and potentially even more amicable dismissals.

During the conversation, explain why the employee is being let go and stress it is not personal. Have ready their final paycheck, information on benefits, and a number to call if they have questions. Inform the employee that they may use the company’s grievance procedure for any final work-related complaints.

Things to Consider

When terminating an employee, a company should always consider the potential security risks involved and plan accordingly. It may be necessary to involve key personnel from various departments including, human resources, legal, security and/or direct supervisor(s). Planning should include, but is not limited to, asking and reviewing the following questions:

  • What is the basis for termination?
  • Does the employee have a history of disciplinary issues?
  • Has the employee ever made verbal threats towards management and/or co-workers?
  • Does the employee have a known criminal history?
  • Has the employee ever displayed violent or aggressive behavior towards anyone in the workplace?

In addition to evaluating possible risk factors, how the termination is handled is vital in minimizing risk. Preparing for the separation should include the four “W’s” – Who, When, Where and What.

  • Who – Company policy may dictate who handles the termination. It may be the responsibility of human resources or the employee’s immediate supervisor. It is important to establish who should be involved and only those individuals should be present for the termination.


  • When – Schedule the termination early in the week. This can help prevent the employee from dwelling on it over the weekend and considering some form of revenge. Offer the employee immediate outplacement services to focus his/her attention on the future and discourage retaliation. If it is believed there may be the potential for a hostile situation, be prepared by having security present at the separation or on standby and ready to respond if needed.


  • Where – For security reasons, high risk employee terminations should be held on the ground floor with easy access to a building exit. Ideally, the room should contain a desk, which serves as a barrier between management and the employee. The employee should always be seated furthest from the door, so that management can leave quickly should the situation turn hostile. Following the separation, the employee should be escorted from the building immediately. Where the termination is conducted offsite, choose a neutral location where the employee will not feel cornered or attacked. Personal items left in an office or workstation can be gathered by management and mailed to the employee.


  • What – An employer needs to ask what access the employee has to company resources. This includes physical access to corporate and/or field offices, as well as company property such as vehicles, desktop and laptop computers, mobile phones and identification badges. On the day of termination, procedures should be in place for how that property will be collected, and terminated employees must return all company property immediately upon request. An employer should also be mindful that personal items sometimes take on the characteristics of company property: if the employee accesses company systems from a personal device, that access needs to be removed immediately. Employers should have a section in the employee handbook devoted to personal property and how it is treated during employment and after separation. Post-termination steps should also include notifying building security, if applicable, and changing company passwords and locks.
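The access question above, together with the earlier instruction that no system access remain whatsoever, is easiest to get right with a check run against evidence exported from each system rather than from memory. The Python below is an added example and is not Polonious code or any real inventory format: it takes a constructed separation record and a constructed snapshot of access records from each system, and reports every grant that would still work after the meeting. The system names, record fields and sample data are all assumptions made for illustration.

```python
"""Post-termination residual-access audit (added example, not Polonious code).

Given a separation record for the departing employee and a snapshot of
access records exported from each system, report every grant that would
still let that person in after the termination meeting.  System names,
record fields and all sample data below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Finding:
    system: str
    identifier: str
    reason: str


@dataclass
class Departure:
    username: str
    emails: Set[str]                      # every alias the person used
    badge_id: str
    device_ids: Set[str] = field(default_factory=set)
    terminated_at: Optional[datetime] = None


# Terminal states: a record in one of these no longer grants access.
CLOSED = {"disabled", "revoked", "rotated", "returned"}


def _belongs_to(rec: dict, person: Departure) -> bool:
    """Match on username, any email alias, badge number or enrolled device."""
    owner = str(rec.get("owner", "")).lower()
    return (
        owner == person.username.lower()
        or owner in {e.lower() for e in person.emails}
        or rec.get("badge_id") == person.badge_id
        or rec.get("device_id") in person.device_ids
    )


def residual_access(person: Departure, snapshot: Dict[str, List[dict]],
                    now: datetime) -> List[Finding]:
    """Return a Finding for every grant in `snapshot` that still works.

    A grant counts if it is owned by the person (directly or via a badge or
    device) or is a shared secret they know, unless it has been closed or has
    already expired on its own.
    """
    findings = []
    for system, records in snapshot.items():
        for rec in records:
            shared = person.username in rec.get("known_to", ())
            if not (shared or _belongs_to(rec, person)):
                continue
            if rec.get("status") in CLOSED:
                continue
            expires = rec.get("expires_at")
            if expires is not None and expires <= now:
                continue
            if shared:
                reason = f"shared {rec['kind']} still known to departing user; rotate it"
            elif expires is not None:
                reason = f"{rec['kind']} still valid until {expires.isoformat()}"
            else:
                reason = f"{rec['kind']} still active"
            findings.append(Finding(system, rec["id"], reason))
    return findings


def is_clean(person: Departure, snapshot, now: datetime) -> bool:
    """True only when nothing remains; the sign-off condition for HR/security."""
    return not residual_access(person, snapshot, now)


# ---- constructed sample: a Monday-morning termination ----------------------
NOW = datetime(2021, 9, 6, 10, 0, tzinfo=timezone.utc)

JANE = Departure(
    username="jdoe",
    emails={"jdoe@example.com", "jane.doe@example.com"},
    badge_id="B-1042",
    device_ids={"iphone-jd-01"},          # personal phone enrolled in MDM
    terminated_at=NOW,
)

SNAPSHOT = {
    "idp": [
        {"id": "jdoe", "kind": "account", "owner": "jdoe", "status": "disabled"},
    ],
    "vpn": [  # password reset done, but the issued client certificate still works
        {"id": "cert-7781", "kind": "certificate", "owner": "jane.doe@example.com",
         "status": "active", "expires_at": datetime(2022, 3, 1, tzinfo=timezone.utc)},
    ],
    "git": [
        {"id": "key-jdoe-laptop", "kind": "ssh_key", "owner": "jdoe", "status": "active"},
        {"id": "pat-93c1", "kind": "token", "owner": "jdoe", "status": "active",
         "expires_at": datetime(2021, 9, 1, tzinfo=timezone.utc)},  # lapsed already
    ],
    "building": [  # badge record owned by facilities, matched on badge_id
        {"id": "B-1042", "kind": "badge", "owner": "facilities", "badge_id": "B-1042",
         "status": "active"},
    ],
    "mdm": [
        {"id": "iphone-jd-01", "kind": "device", "owner": "jdoe",
         "device_id": "iphone-jd-01", "status": "enrolled"},
    ],
    "payroll": [  # service account whose password the departing user knows
        {"id": "svc-payroll-admin", "kind": "shared_secret", "owner": "svc-payroll",
         "status": "active", "known_to": {"jdoe", "mlee"}},
    ],
}

if __name__ == "__main__":
    for f in residual_access(JANE, SNAPSHOT, NOW):
        print(f"{f.system:9} {f.identifier:20} {f.reason}")
    print("clean" if is_clean(JANE, SNAPSHOT, NOW) else "NOT clean: fix the above, then re-run")
```

Note what the sample catches: the identity-provider account is disabled, yet a VPN certificate, an SSH key, the building badge, a personal-device enrolment and a shared service password the person knows are all still live, and the expired personal access token is correctly ignored. Run the check again a day later, because a grant issued just before the meeting only shows up once each system's export has caught up.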

How Polonious can Help

Being prepared for a high risk employee termination is not only essential for the safety of those involved but necessary to protect the overall business operation. Furthermore, as with every personnel decision, careful documentation of the events and actions leading up to and following the termination is strongly recommended.

We have prepared a guide to help you understand key documents to record for each type of investigation as well as relevant laws to keep in mind across Australia, US, and the UK.

The Polonious Case Management System can also help with the investigative process from start to finish. The Polonious Case Management Software provides a consistent process that is procedurally fair for all parties, while recording all actions and decisions to ensure all evidence of the process is documented and auditable alongside any evidence gathered regarding the incident or investigation. Everything recorded in Polonious is then available in detailed reporting for identifying trends and problem areas. This is key to making workplace improvements from problem areas which may have caused the termination.

The documents arising from these workplace investigations often contain very sensitive materials. Investigators and HR teams have a duty to preserve documents and/or electronically stored information (ESI) while also protecting security and anonymity.

Polonious’ ISO27001 certified security ensures your evidence and case files are stored securely, while our detailed security configuration ensures you can keep employees fully anonymous, or known only to specific individuals, depending on the level of anonymity requested.

There are many risks associated with high-risk employee terminations. This guide will help you terminate employees effectively while protecting employees, yourself and the company.

There are many strategies that can help protect against risks such as drafting the termination in advance, hosting the meeting in a neutral location and practicing open communication.

Book a Demo Now

Learn more about how Polonious can help you conduct fair workplace investigations today.

6 Alarming Fraud Schemes to Look out for During the Pandemic

The COVID-19 pandemic has forever changed the way that we live our lives. Social distancing, mask wearing, and hand sanitising have all become common activities these days. However, a more sinister by-product of the pandemic is the overall increase in the level of fraud as people spend more and more time online. Fraudsters have been able to exploit the loss of jobs, financial vulnerability and shortage of supplies experienced by most businesses.

According to PwC, 35% of Australian entities experienced fraud in the 24 months to 2020, a figure that is expected to rise over the next two years.

While the pandemic has triggered this growth in the rate of fraud, the overall response to the fraud has been limited. With physical restrictions placed on staff, difficulties in conducting remote interviews, and a lack of access to evidence, investigation efforts have hit many roadblocks in the current environment. 

This blog will explore the latest trends in fraud and how your business can effectively investigate and prevent these frauds from occurring. 

Payment Fraud

Consumers are now doing more of their shopping online rather than in person as a result of the lengthy lockdowns. This has led to a boom in the e-commerce industry, with total online sales in Australia increasing 67.1% from March to October 2020. 

Fraudsters hope to slip by unnoticed within this flood of consumers, using stolen or fraudulent information and digital wallets to make bogus transactions that businesses will be left paying for. In 2020, 68% of anti-fraud professionals noticed an increase in payment fraud.

Not only does this inundation of online transactions create the perfect veil for payment fraudsters, it also introduces inexperienced consumers and businesses to the market. These newer parties are less aware of and thus more susceptible to these types of frauds. 

To protect against payment fraud, businesses should:

  • Pay close attention to the size of transactions, since the average fraudulent transaction is three times the size of a normal one.
  • Use a check such as the Address Verification Service (AVS) to confirm that the billing address supplied matches the one held by the card issuer.
  • Be wary of orders using payment types other than credit cards and contact the buyer for information if something looks suspicious. 

Identity Theft

In response to the decline in economic activity, governments around the world have issued grants aimed at supporting small businesses. In NSW, small businesses, sole traders and not-for-profit organisations whose revenue fell by 30% or more during the lockdown qualified for a $1,500 fortnightly payment.

However, due to the large number of applicants and minimal due diligence involved with these applicants, fraudsters are able to exploit this system and receive payments they are not entitled to. One method they use to do so involves stealing the identity of a legitimate business. These businesses are often operating with reduced or overworked staff, with limited resources to keep these fraudsters at bay and are thus easy targets. 

Another scheme fraudsters will engage in is using publicly available information about these businesses and posing as a lender. Fraudsters will request further information about a business’s claim application, scamming them out of sensitive information. You may get emails, SMS texts, instant messages and social media posts:

  • With links claiming to have important updates about the latest COVID-19 safety measures, or claiming to have information on the location of possible cases in your area.
  • Pretending that you or your employees have been in a COVID affected area and asking for personal information.
  • Offering to help you access a government “benefit” or “subsidy”
  • Claiming to assess you or your employees’ eligibility for the vaccine, or placing you on a fake waitlist. 

To avoid being scammed by these fraudsters, consider undertaking the following actions:

  • Only search for financial assistance via the official government website.
  • Do not click any links or open any attachments if you are unsure of an email, call or SMS, and contact the organisation using contact details that you have found yourself (e.g., through a Google search)
  • Ignore emails that claim to be about online government or business services which include links to sign in pages, or ask for your personal information, account details, PIN or passwords.

Cyber Fraud

More businesses are now encouraging their employees to work from home, even when there are no lockdowns in place. Studies have shown that 67% of workers are either partially or wholly working from home, compared to 42% pre-COVID. The pivot towards online work has also brought with it relaxed information security protocols and workers who are unfamiliar with new technologies, which leaves businesses more vulnerable to attacks from fraudsters. 

Phishing and malicious software are the most common forms of cyber fraud. Phishing involves sending fraudulent communications that appear to come from a reputable source, with the goal of stealing sensitive information such as credit card and login details. Ransomware is the other common pattern: the attacker encrypts the victim's data and offers the key to recover it in return for a cryptocurrency payment.

There are many ways that you can protect yourself against cyber fraud, which include:

  • Train employees to spot and avoid cyber attacks, reminding them that a single wrong click can give fraudsters access
  • Ensure strong passwords are being used
  • Check that any software you use is up to date with the latest fixes
  • Turn on multi-factor authentication as an additional layer of security
  • Identify key personnel who are critical to the effective running of your business, and have a plan of action for when they are not available
  • Formulate an incident response plan so that your response to an event is swift

Fake Charities

Another common example of pandemic-era fraud involves scammers impersonating a charity collecting money for people affected by COVID-19. They will either pretend to be a well-known charity or create one with a name similar to a real charity, and may set up a fake website to lure unsuspecting victims.

Falling for this scam can be avoided with the following actions:

  • Check the supposed charity's credentials on the official charity register, since all genuine charities must be registered.
  • Be wary of communications that use highly emotive language or stress urgency. Fraudsters use high-pressure tactics to manipulate people into acting.
  • Ignore emails that ask you to send funds to a foreign bank account, as these are highly unlikely to be legitimate.

Business Email Compromise

A fraudster may pose as a supplier or employee to request payment or to change their bank details. They do so either by compromising an existing employee's mailbox or by imitating your company's logo and branding. For example, the fraudster will pretend to be a supplier and ask that you send your usual payments to a different account, using COVID-19 as the excuse.

To avoid this situation, protect staff mailboxes with strong, unique passwords and multi-factor authentication, and keep an independently verified record of each supplier's contact and bank details, so that any request to change them can be confirmed by phoning the number you already hold rather than one given in the email.
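The phishing and business email compromise patterns described above (a lookalike or compromised supplier mailbox asking to redirect payment, usually with an urgent or COVID-related pretext) can be screened mechanically before anyone acts on them. The Python below is an added example, not Polonious code: it checks a constructed supplier payment email against a constructed vendor master file for a lookalike sender domain, a Reply-To that points elsewhere, a known contact's display name on an unknown address, a request to change bank details, an account number that differs from the one on file, and pressure language, and says whether the payment should be held for out-of-band verification. The vendor record, the messages and the account-number format are all constructed for illustration.

```python
"""Business-email-compromise screen for supplier payment emails
(added example, not Polonious code).

Checks one inbound message against a vendor master file for the signs
described in the article: a lookalike sender domain, a Reply-To that goes
elsewhere, a known contact's name on an unknown address, a request to
change bank details, an account that differs from the one on file, and
pressure language.  Vendor record, messages and account format are constructed.
"""
import re
from email.utils import parseaddr
from typing import Optional

# Constructed vendor master file, keyed by the supplier's real domain.  This,
# not the email, is the only trusted source of bank details.
VENDORS = {
    "acme-supplies.com": {
        "name": "Acme Supplies",
        "account": "123-456 98765432",
        "contacts": {"pat.lee@acme-supplies.com"},
    },
}

CHANGE_WORDS = ("new bank", "bank has changed", "updated account", "new account", "remit to")
PRESSURE_WORDS = ("urgent", "immediately", "today", "covid")
ACCOUNT_RE = re.compile(r"\b\d{3}-\d{3}\s?\d{6,10}\b")   # constructed BSB+account format


def _fold(domain: str) -> str:
    """Collapse common confusable substitutions before comparing domains."""
    return (domain.lower().replace("rn", "m").replace("vv", "w")
            .replace("0", "o").replace("1", "l").replace("|", "l"))


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domains are short so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if `domain`
    is itself trusted or is not close to any trusted domain."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if _fold(domain) == _fold(t) or _edit_distance(domain, t) <= 2:
            return t
    return None


def assess(msg: dict, vendors=VENDORS) -> dict:
    """Flag BEC indicators in `msg` and decide whether to hold the payment."""
    flags = []
    from_name, from_addr = parseaddr(msg["from"])
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("reply_to") or msg["from"])[1].rpartition("@")[2].lower()
    body = msg["body"].lower()

    imitated = lookalike_of(from_dom, vendors)
    if imitated:
        flags.append(f"sender domain {from_dom} resembles trusted {imitated}")
    if reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from sender {from_dom}")
    for v in vendors.values():
        for contact in v["contacts"]:
            known_name = contact.split("@")[0].replace(".", " ")
            if from_name.lower() == known_name and from_addr.lower() != contact:
                flags.append(f"display name '{from_name}' used from unknown address {from_addr}")
    if any(w in body for w in CHANGE_WORDS):
        flags.append("requests a change of bank details")
    vendor = vendors.get(imitated or from_dom)
    for acct in ACCOUNT_RE.findall(msg["body"]):
        if vendor and acct != vendor["account"]:
            flags.append(f"account {acct} does not match vendor master {vendor['account']}")
    if any(w in body for w in PRESSURE_WORDS):
        flags.append("pressure language (urgency or COVID pretext)")

    # Pressure language alone is not grounds to hold; any structural indicator is.
    hold = any(not f.startswith("pressure") for f in flags)
    return {"hold_payment": hold, "flags": flags}


# Constructed messages: one genuine, one lookalike domain, one compromised mailbox.
MESSAGES = {
    "legit": {
        "from": "Pat Lee <pat.lee@acme-supplies.com>",
        "reply_to": "pat.lee@acme-supplies.com",
        "body": "Hi, invoice 4471 attached. Please pay to our usual account 123-456 98765432 by the 30th.",
    },
    "lookalike": {
        "from": "Pat Lee <pat.lee@acme-suppiles.com>",
        "reply_to": "accounts@acme-suppiles.com",
        "body": "Due to COVID-19 our bank has changed. Please remit to account 222-333 11112222 urgently.",
    },
    "compromised": {
        "from": "Pat Lee <pat.lee@acme-supplies.com>",
        "reply_to": "pat.lee.accounts@gmail.com",
        "body": "Please use our new account 222-333 11112222 for all future payments.",
    },
}

if __name__ == "__main__":
    for label, msg in MESSAGES.items():
        result = assess(msg)
        print(f"{label:12} hold={result['hold_payment']}")
        for flag in result["flags"]:
            print("   -", flag)
```

The edit-distance threshold of two is deliberately loose and will flag some legitimate short domains; tune it against your own vendor list. The "compromised" sample shows why domain checks alone are not enough: the sender address is genuine, and only the Reply-To and the changed account give it away, which is exactly the case where a phone call to the number already on file, never the one in the email, is the control that works.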

Supply Scams

This type of fraud involves fraudsters using fake websites and social media to sell you COVID-related products you will never receive, such as hand sanitiser, gloves or surgical masks. They may also ask you to pay for the vaccine or for early access to it for you or your employees.

Again, training your employees to look out for and avoid these scams is vital. You should also be aware that COVID-19 vaccines are voluntary, free, and available to all people in Australia.

Protecting Your Customers

Your customers are also vulnerable to fraudsters who pose as your business and steal revenue from you. To reduce the risk of this occurring, you can:

  • Advise your customers that you will never contact them to ask for their login or payment details.
  • Monitor who is mentioning your business name online through services like Google Alerts.
  • Create strong passwords for your business accounts and update them when staff change.

Due to the major disruptions caused by the pandemic, businesses must be on high alert for the new frauds that scammers have devised in this environment. Not only will these frauds affect your business's revenue, they will also hurt your reputation, customer trust and employee morale. Overall, businesses need to be more wary of communications from unknown sources, and implement strategies that improve the overall security of the business.



Book a Demo Now

Learn more about how Polonious can help you investigate and respond to fraud.

Standards of Proof in Workplace Investigations

An investigation of a complaint of discrimination or harassment should be as comprehensive and conclusive as reasonably possible: it must consider all relevant facts. If legal action ensues, it is important to be able to demonstrate that the internal investigation was thorough and afforded natural justice. Understanding the rules of evidence in workplace investigations lays a critical foundation for any successful investigation.

Any workplace investigation should be conducted with regard to the possibility that the matter could end up before a tribunal, such as the Fair Work Commission in Australia or the U.S. Department of Labor, or in the courts. A failure to observe procedural fairness can put investigators at risk under regimes such as the Equality Act 2010 in the UK and the workplace laws administered by the Department of Labor (DOL).

In that event, an investigation which has failed to observe basic rules of evidence may put companies, employees and investigators at risk.

Generally, compliance with procedural fairness requires that:

  • a thorough, confidential investigation is carried out and all relevant evidence (from witnesses and documents) is obtained
  • the subject of the complaint is given an opportunity to respond to the allegation and any evidence found
  • findings are substantiated by concrete evidence

The importance of following the rules of evidence in workplace investigations cannot be overstated given the risks involved. Further considerations regarding procedural fairness are covered here: Better Workplace Investigations: 10 Steps to Ensure Procedural Fairness.

This guide will help you understand the rules of evidence and how they apply to workplace investigations.

This guide covers:

  • Rules of evidence in workplace investigations
  • Obtaining relevant evidence
  • Running robust interviews
  • Balance of probabilities

Rules of Evidence in Workplace Investigations

The laws of evidence prescribe the standard to which a fact must be proved:

  • in civil proceedings, facts must be proved on the balance of probabilities; and
  • in criminal proceedings, facts must be proved beyond reasonable doubt.

The rules of evidence govern what information may be placed before a decision maker for the determination of an issue. These rules shape how a party goes about proving its case: parties seek to persuade the decision maker of a fact by producing evidence, and in doing so should consider three issues:

  • how to present evidence of the fact;
  • whether the evidence is admissible and relevant (that is, whether the decision maker will permit it to be given); and
  • the weight of the evidence (that is, how much importance the decision maker will give it in reaching a decision).

      Obtaining Evidence

      It is important that the investigator obtains as much relevant evidence as possible to help prove the case.

      Evidence may include:

      • physical evidence such as documents, stolen items, etc.
      • photographs and fingerprints at a crime scene
      • medical evidence

      In a workplace investigation, evidence may involve documents of the following kinds:

      • wage slips regarding underpaying wages or entitlements of employees
      • receipts or ledgers regarding deductions, cashbacks or requirements to spend money of employees
      • email communisations regarding unfair dismissal or bullying of a worker
      • witness statements regarding workplace harassment

      When obtaining and evaluating evidence, the investigator must be able to recognise what constitutes relevant evidence versus irrelevant evidence.  For example, evidence of someone’s character is irrelevant during a fact-finding investigation, though similar type behaviour or a tendency to behave in a certain way may be – provided it is sufficiently similar to the matters currently under investigation and can be assessed as relevant.

      It is important to review all of the evidence collected and to keep an open mind about what the evidence is telling you. Set aside any preconceived ideas, ‘gut feels’ or biases when assessing the evidence you have collected, and make sure you have been thorough and open to all avenues of inquiry. This will ensure you have collected sufficiently reliable and relevant evidence on which to make a finding.

      Balance of Probabilities versus Reasonable Doubt

      When a decision maker decides whether a matter has been proven, it does so according to a benchmark which must be reached. This is generally known as the standard of proof. Decision makers must apply the appropriate standard of proof when deciding whether a matter has been proven. The decision maker must decide whether it is satisfied to the requisite degree that the matter alleged has been proven.

      In civil matters, the decision-maker must be satisfied that the allegation has been proven on the balance of probabilities, while criminal matters require that the court be satisfied beyond a reasonable doubt.

      The required standard of proof depends more on the type of case than on where or how it is raised. For example, cases heard in civil courts adhere to the balance of probabilities rather than the higher ‘beyond reasonable doubt’ standard found in criminal matters. A decision maker may nonetheless determine that a serious or sensitive matter should be held to a higher standard of proof than a simple balance of probabilities. However, the balance of probabilities is the accepted standard for all non-criminal matters.

      It is important to note, though, how the respondent to a complaint may react to a determination made on the balance of probabilities. Most people are familiar with the ‘beyond reasonable doubt’ standard, particularly when facing serious allegations. You may conclude on the balance of probabilities that an event did occur, or was more likely to have occurred, despite the respondent having an explanation or some other kind of ‘doubt’ they can place on the case.

      You may even have a strong case in this regard but, especially with more serious cases, the respondent may believe that they have generated doubt and thus feel upset if the allegations are confirmed. Thus, it is important to clearly explain the standard of proof and the reasons for your decision, when communicating it to the respondent and the complainant.

      How Polonious can Help

      Evidence collection and management is a critical element of any successful investigation. Using the Polonious Case Management Software ensures a consistent process that is procedurally fair for all parties, while recording all actions and decisions to ensure all evidence is documented and auditable. Everything recorded in Polonious is then available in detailed reporting for identifying trends and problem areas. 

      Polonious’ ISO27001 certified security ensures your evidence and case files are stored securely, while our detailed security configuration ensures you can keep employees fully anonymous, or known only to specific individuals, depending on the level of anonymity requested.

      Understanding the Rules of Evidence in Workplace Investigations lays a critical foundation for any successful investigation.

      A robust investigation must comply with relevant laws and company policies.

      Health Insurance Code of Practice vs General Insurance Code of Practice – What are the differences?

      According to Safe Work Australia, a code of practice provides detailed information on how you can achieve the standards required under relevant health and safety laws. Codes of practice set standards of good industry practice in areas relating to:

      • Service provision
      • Standards of professional conduct
      • Practice standards
      • Ethical behaviour

      These codes promote higher standards of business and personal ethics. Many companies subscribe to codes applicable to their practices for reasons such as:

      • Strengthening relationships with their customers
      • Improving complaints handling
      • Reducing the number of disputes through improved service delivery

      Entities such as the Insurance Council of Australia (ICA) in Australia, the Financial Conduct Authority in the U.K., and the National Association of Insurance Commissioners in the United States set and maintain insurance standards across the globe.

      The general insurance industry in Australia, an industry covering roughly $40 billion in premiums, is going through large-scale regulatory and compliance changes with the introduction of the new General Insurance Code of Practice 2021. However, the health insurance industry, covering roughly $26 billion in premiums, is currently not subject to the same level of regulation.

      While we have written extensively on the impacts of the GICOP changes to general insurance investigations, it is important to understand how these compare to other industry codes, and how these codes might be updated in the near future to replicate some of the changes from GICOP. This blog will compare the general insurance code and health insurance code in order to understand the overlaps as well as the differences.

      This blog will cover:

      • What is the General Insurance Code of Practice
      • What is the Private Health Insurance Code of Conduct
      • Comparison of the General Insurance Code and Health Insurance Code

      What is the General Insurance Code of Practice

      The General Insurance Code of Practice is a voluntary Code of Practice maintained by the Insurance Council of Australia under which ICA members agree to follow certain principles and standards in providing general insurance services.

      The Insurance Council of Australia (ICA) has released a new General Insurance Code of Practice, and all insurers were required to implement the changes by July 1, 2021. The industry is going through one of the largest regulatory and compliance changes in its history. Our article ‘New General Insurance Code of Practice: What changes for investigation teams?’ can help you understand how it applies to your practice.

      Purpose of the General Insurance Code of Practice

      According to the ICA, the Code is intended to be a positive influence across all aspects of the general insurance industry, including product disclosure, claims handling and investigations, relationships with people who are experiencing vulnerability, and reporting obligations. The Code sets out standards such as openness, fairness and honesty when providing services to customers. It also sets out timeframes for insurers to respond to claims, complaints and requests for information from customers.

      A full copy of the Code is available at Insurance Council of Australia.

      What is the Private Health Insurance Code of Conduct

      The Private Health Insurance Code of Conduct is a self-regulatory and voluntary code to promote informed relationships between Private Health Insurers, consumers, agents, brokers and corporate brokers. 

      Purpose of the Private Health Insurance Code of Conduct

      The Code’s objective is to maintain and enhance regulatory compliance and service standards across the private health insurance industry. According to Private Healthcare Australia, the code is designed to help you by providing clear information and transparency in your relationships with health funds. 

      Private Health Funds who are signatories to the Code agree to:

      • work towards improving the standards of practice and service in the private health insurance industry;
      • provide information to consumers in plain language;
      • promote better informed decisions about their private health insurance products and services by:
          • ensuring that policy documentation is full and complete;
          • providing clear explanations of the contents of their policy documentation when asked by a consumer; and
          • ensuring that persons providing information on health insurance are appropriately trained;
      • ensure information between consumers and the fund is protected in accordance with privacy principles;
      • provide information to consumers on their rights and obligations under their relationship with the consumer, including information on this Code of Conduct; and
      • provide consumers with easy access to the fund’s internal dispute resolution procedures, which will be undertaken in a fair and reasonable manner, and advise them of their rights to take an issue to an external body such as PHIO.

      A full copy of the Code is available at Private Healthcare Australia.

      Comparison of the General Insurance Code and Health Insurance Code

      Although both the General Insurance Code and the Health Insurance Code aim to set higher standards of service and transparency in your relations with customers, there are a few notable differences.

      Who Monitors the Code

      The General Insurance Code Governance Committee (CGC) independently monitors the Code to ensure companies are meeting their obligations, and achieving service standards consumers can trust.

      The Code of Conduct Compliance Committee established by Private Healthcare Australia ensures the Health Insurance Code is being adhered to.  

      What the Code Covers

      The General Insurance Code of Practice covers many aspects of a customer’s relationship with their insurer, from buying insurance to making a claim, to providing assistance to those experiencing financial difficulty including uninsured third parties. General insurance products covered by the Code include:

      Personal Classes

      • Accident and sickness
      • Consumer credit
      • Home
      • Motor
      • Personal and domestic property
      • Residential strata
      • Travel

      Commercial Classes

      • Business
      • Contractors all risks
      • Primary industries
      • Industrial special risks
      • Liability
      • Motor
      • Other commercial products 

      However, the General Insurance Code of Practice does not cover life and health insurance products issued by life insurers or registered health insurers. In addition, the General Insurance Code of Practice is not applicable for things such as:

      • Workers compensation
      • Marine insurance
      • Medical indemnity insurance
      • Compulsory third-party insurance
      • Reinsurance

      Meanwhile, the Private Health Insurance Code of Practice covers only Private Health Insurance, as well as some provisions covering intermediaries by extension – though they also have their own code, the Private Health Insurance Intermediaries Code of Conduct.

      Requirements for Investigations under the General Insurance Code of Practice

      One of the key differences between the codes is the requirements around investigations. The General Insurance Code of Practice outlines many requirements pertaining to investigations.

      Under the Code, insurers must have a quality assurance program to regularly monitor and review investigations. This may include reviews of:

      • recordings, statements, affidavits or transcripts of interviews;
      • investigators’ records of investigation activities; and
      • complaints about investigations, including disputes referred to the Australian Financial Complaints Authority.

      The quality assurance program will include reviews of non-genuine claims indicators to make sure they remain relevant, appropriate and do not discriminate. These are reviewed at least once a year.

      If an investigation has gone on for 4 months, the claim will be independently reviewed by an Employee with appropriate authority, knowledge or experience, according to the Code. Complainants will be informed when this happens.

      Some additional constraints are summarised below:

      • Investigators are required to remain objective, honest, efficient, transparent and fair at all times.
      • A single interview sitting may only last for up to 90 minutes. 
      • If the total interview time required is over 4 hours, the Investigator must obtain written consent from the ICA.
      • The Investigator must record all offers of breaks, and the interviewee’s responses.
      • If another interview time is needed, it will not be organised without at least a 24 hour break, unless otherwise agreed.
      • If during the interview it becomes apparent that an interpreter is needed (even though one had not previously been requested or arranged), then the Investigator or Employee will (a) pause the interview, and (b) restart it at a later time or date, once an independent interpreter has been arranged.
      • If during the interview the employee requires additional support (for example, a lawyer, consumer representative or a friend), the Investigator will (a) pause the interview, (b) advise you of the support person’s role in the interview process, and (c) restart the interview at a later time or date, once the support person has been arranged.
      • There will be a 5-minute break in the interview every 30 minutes. However, if an employee claims to be experiencing vulnerability, then there will be a 5-minute break every 30 minutes.
      • Employees can request additional breaks and stop the interview early and reschedule if needed.

      Requirements for Investigations under the Private Health Insurance Code of Practice

      There are currently no requirements around investigations under the Private Health Insurance Code of Practice. The recent changes to the GICOP requirements may add pressure on the private health insurance industry to adopt similar measures. However, these changes are unlikely to affect investigations in this industry for several reasons. Firstly, fraud in this industry is more likely to be related to providers than claimants. Secondly, and relatedly, the majority of ombudsman complaints are about other aspects of policy or service – though benefit payment delays were a significant proportion of complaints, and this could be affected by a poorly managed investigation. If similar measures are adopted by Private Healthcare Australia, they are more likely to apply to policy conditions, communication, sales, and service.

      Breaches to the Code

      The Code Governance Committee prepares an annual compliance report. Significant Breaches of the Code must be reported to the Code Governance Committee within 10 Business Days. The Code Governance Committee may impose additional sanctions for Significant Breaches of the Code, including requiring the insurer to do any one or more of the following:

      • compensate an individual for any direct financial loss, or damage, we caused them arising from a Significant Breach;
      • publish the fact that we have committed a Significant Breach of the Code;
      • pay a community benefit payment for a Significant Breach up to a maximum of $100,000. The size of the community benefit payment must be in proportion to our gross written premium and number of customers.

      The Code of Conduct Compliance Committee established by Private Healthcare Australia also publishes an annual report on the operation of the Code, including a summary of compliance. This report will be published on the websites of Private Healthcare Australia and the Members Health Fund Alliance.

      If a health fund fails to comply with a sanction, the Committee may do one or more of the following:

      • Take action to enforce compliance with the code or sanction.
      • Disqualify and immediately ban the health fund from using the Code of Conduct tick logo.
      • Name the health fund in the annual report as having not complied with the Code and/or having not complied with a sanction.
      • Report the breach on the PHA and Members Health Fund Alliance website.
      • Request that the Health fund report the breach on their own website.
      • Request that any issued sanctions be published on the non-compliant Health Fund’s website.
      • In cases where the Committee considers the breach of the Code may constitute a breach of any regulatory or legislative obligation, report the health fund to the appropriate government agency.
      • Request the health fund publish corrective advertising within one month of the request.

      How Polonious Can Help

      In the ever-changing regulatory and compliance environment, organizations need to continue to stay up-to-date in their knowledge and conduct to avoid costly risks such as reputational and financial damage.

      Polonious is constantly adding new features with further configurability and can also deploy new code as required. Our experts can utilize our legal and technical expertise to help you adhere to industry codes, company policies and relevant laws, while enabling you to improve productivity and workflow. 

      A comparison of the General Insurance Code and Health Insurance Code will help you understand the large-scale changes to the General Insurance Code as well as the health insurance code and how it applies to your practice.

      7 Steps for Investigating Data Breaches

      According to the NSW Information and Privacy Commission, a data breach occurs when there is a failure that has caused or has the potential to cause unauthorised access to your organisation’s data. The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

      Investigation is an integral part of a data breach response. The goal is to clarify the circumstances of the breach, assess the damage caused by it, and develop a further plan of action depending on the results of the investigation. Most often the breach is caused by hacking, but sometimes it involves a negligent employee. It’s important to understand the necessary procedures for privacy and security breaches in order to minimize potential risks and limit access to leaked information before it’s too late.

      A well-executed incident response can help minimize breach impact, reduce fines, decrease negative press, and ultimately help your company get back on track. There are a number of important considerations to make when investigating privacy and security breaches.

      This blog will cover:

      • Data Breach Detection
      • Potential Impacts of Data, Privacy and Security Breaches
      • 7 Steps for Investigating Data Breaches
      • Best Prevention and Response Plan 

      Data Breach Detection

      A company typically learns they’ve been breached in one of four ways:

      1. The breach is discovered through detection systems (via review of intrusion detection system logs, event logs, alerting systems, system anomalies, or antivirus scan malware alerts).
      2. The breach is discovered by your own employees.
      3. External parties discover the breach while investigating another matter.
      4. A customer complaint.

      Potential Impacts of Data Breach

      The impact of a data breach depends on the nature and extent of the breach and the type of information that has been compromised.

      Serious impacts of a data breach could include:

      • Risk to individuals’ safety
      • Financial loss to an individual or organisation
      • Damage to personal reputation or position
      • Loss of customer or public trust in an organisation or the services it provides
      • Commercial risk through disclosure of commercially sensitive information to third parties
      • Threat to an organisation’s systems, impacting the capacity to provide services
      • Impact on organisation reputation, finances, interests or operation.

      Breaches of personal data can result in significant harm, including people having their identities stolen or the private home addresses of protected or vulnerable people being disclosed. In some circumstances, this can expose an individual to a significant risk of harm. 

      Organisations should also consider the risks that could result from data breaches that:

      • result in a loss of data integrity, i.e. where information is maliciously altered;
      • result in a loss of availability, where important systems may no longer be usable; or
      • do not disclose data but render it inaccessible, with potentially harmful consequences for individuals.

      7 Steps for Investigating Data Breaches

      Here is a general guide to the steps you need to take when responding to and investigating a cybersecurity incident. Steps may vary depending on each investigation, requirement, industry, etc.

      1. Detect the privacy and/or security breach

      Each investigation begins with incident detection. This step aims to establish whether a data breach has occurred, which you can confirm by inspecting the signs of a data breach.

      According to the United States National Institute of Standards and Technology (NIST), there are two types of data breach signs: precursors and indicators.

      A precursor is a sign that an incident may occur in the future. It can be:

      • Web server logs indicating a search for vulnerabilities in an organization’s network
      • Discovery of a vulnerability that affects the organization’s network
      • An announcement by a hacker group that they intend to attack the organization

      In general, precursors are rare and mostly help organizations to stay vigilant.

      An indicator is a direct sign that an incident may have occurred or is occurring right now. Common examples of data breach indicators include:

      • Buffer overflow attempts against a database server
      • Multiple failed login attempts from an unfamiliar remote system
      • Bounced emails with suspicious content

      Here are some important questions to ask yourself:

      • Who is affected by the breach? The assessment may include reviewing whether individuals and organisations have been affected by the breach, the level of sensitivity of the data that is affected, how many individuals and organisations have been affected, and whether any of the individuals have personal circumstances which may put them at particular risk of harm.
      • What was the cause of the breach? The assessment may include reviewing whether the breach occurred as part of a targeted attack or through inadvertent oversight. Was it a one-off incident or does it expose a more systemic vulnerability? What steps have been taken to contain the breach? Has the data been recovered? Is the data encrypted or otherwise not readily accessible?
      • What is the foreseeable harm to the affected individuals/organisations? The assessment may include reviewing what possible use there is for the data. For example, could it be used for identity theft, threats to physical safety, financial loss, or damage to reputation? Who is in receipt of the data? What is the risk of further access, use or disclosure, including via media or online?
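      The indicators listed above are what a detection system surfaces. As an added example, not code from the original post, here is a small Python detector for the ‘multiple failed login attempts from an unfamiliar remote system’ indicator, run over constructed sshd-style log lines; the hostnames, addresses and the KNOWN_NETWORKS ranges are assumptions, and the detection timestamp it records is the first item on the post’s first-24-hours checklist.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample lines in OpenSSH's sshd auth-log format. Hostnames and
# addresses are hypothetical (203.0.113.0/24 is a documentation range).
SAMPLE_AUTH_LOG = """\
Mar 14 02:11:05 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51522 ssh2
Mar 14 02:11:07 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51524 ssh2
Mar 14 02:11:09 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 51530 ssh2
Mar 14 02:11:12 web01 sshd[2215]: Failed password for root from 203.0.113.45 port 51533 ssh2
Mar 14 02:11:20 web01 sshd[2218]: Accepted password for root from 203.0.113.45 port 51540 ssh2
Mar 14 02:15:41 web01 sshd[2230]: Failed password for alice from 10.0.5.12 port 40012 ssh2
Mar 14 02:15:49 web01 sshd[2230]: Accepted publickey for alice from 10.0.5.12 port 40012 ssh2
Mar 14 02:20:03 web01 sshd[2240]: Failed password for bob from 10.0.5.13 port 40100 ssh2
Mar 14 02:20:05 web01 sshd[2240]: Failed password for bob from 10.0.5.13 port 40101 ssh2
Mar 14 02:20:08 web01 sshd[2240]: Failed password for bob from 10.0.5.13 port 40102 ssh2
"""

# Assumed: the organisation's own address ranges. A source outside them is
# the "unfamiliar remote system" the indicator refers to.
KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


@dataclass
class Indicator:
    """One flagged (source, host) pair plus the detection record step 2 asks for."""
    source: str
    target_host: str
    failed_attempts: int
    usernames: list[str]
    success_after_failures: bool  # an Accepted login followed the failures
    first_seen: str               # log timestamp of the first failure
    detected_at: str              # UTC time this detector raised the indicator


def is_unfamiliar(src: str) -> bool:
    """True when the address lies outside every known network."""
    addr = ip_address(src)
    return not any(addr in net for net in KNOWN_NETWORKS)


def find_indicators(log_text: str, threshold: int = 3,
                    now: datetime | None = None) -> list[Indicator]:
    """Flag unfamiliar sources with at least `threshold` failed logins to a host.

    A success from the same source after its failures is recorded separately,
    because that is the case where the breach may already have occurred.
    """
    failures: dict[tuple[str, str], int] = defaultdict(int)
    users: dict[tuple[str, str], list[str]] = defaultdict(list)
    first_seen: dict[tuple[str, str], str] = {}
    success_after: set[tuple[str, str]] = set()

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or unparsable line
        key = (m["src"], m["host"])
        if m["result"] == "Failed":
            failures[key] += 1
            first_seen.setdefault(key, m["ts"])
            if m["user"] not in users[key]:
                users[key].append(m["user"])
        elif failures.get(key, 0) > 0:
            success_after.add(key)

    # Record when the indicator was raised (first-24-hours checklist item).
    detected_at = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    return [
        Indicator(src, host, count, users[(src, host)], (src, host) in success_after,
                  first_seen[(src, host)], detected_at)
        for (src, host), count in failures.items()
        if count >= threshold and is_unfamiliar(src)
    ]


if __name__ == "__main__":
    for ind in find_indicators(SAMPLE_AUTH_LOG):
        print(ind)
```

      On the sample log only the external source is flagged: the internal host with three failures for ‘bob’ stays below the unfamiliar-source rule, while the external address shows four failures across two usernames followed by a successful login, which is the case to escalate first.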

      2. Take Urgent Incident Response Actions

      There are a number of urgent steps you should take when a data breach is detected. The first thing you should do after detection is to record the date and time of detection as well as all information known about the incident at the moment.

      Then, the person who discovered a breach must immediately report to those responsible within the organization. Access to breached information should also be restricted to stop the further spread of leaked data.

      Overall, you may stick to this general checklist:

      First 24 Hours Response Checklist:

      • Document the time and date the data breach was discovered
      • Notify the response team
      • Isolate the location of data breach
      • Stop additional data loss
      • Gather all possible data about data breach
      • Interview the people who discovered the data breach
      • Document the investigation
      • Perform a risk assessment
      • Notify law enforcement and regulators

      3. Gather Evidence

      Collecting and checking all evidence related to the data breach is the next step per data breach response best practices. Make sure to gather data from all your cybersecurity tools, servers, and network devices and to collect information from your employees during interviews.

      First and foremost, act quickly and gather as much information about the data breach as you can. The better your understanding of the situation, the better your chances of minimizing the consequences.

      The list of data you should collect includes:

      • The date and time the data breach was detected
      • The date and time a response to the data breach began
      • Who discovered the breach, who reported it, and who else knows about it
      • What was viewed, changed, or stolen and how
      • A description of all events related to the incident 
      • Information about all contacts involved in the breach
      • Identification of the systems affected by the incident
      • Information on the extent and type of damage caused by the incident

      When an organization becomes aware of a possible breach, it’s understandable to want to fix it immediately. However, without taking the proper steps and involving the right people, you could inadvertently destroy valuable forensic data used by investigators to determine how and when the breach occurred, and to make recommendations in order to properly secure the network against the current attack or similar future attacks. 

      When you discover a breach, remember:

      • Don’t panic
      • Don’t let panic lead you to hasty actions
      • Don’t wipe and re-install your systems (yet)
      • Do follow your incident response plan

      4. Analyze the Data Breach

      Once you’ve gathered as much information about the incident as you can, you need to analyze it. This step is aimed at determining the circumstances of the incident, as well as the scope of the breach and who are the affected parties you need to notify. In addition, you may have to answer a series of questions that will further assist in the investigation:

      • Was any suspicious traffic detected?
      • Did the attacker have privileged access to data?
      • How long has the data been compromised?
      • Were people or special software involved in the data breach?
      • Was the data breach intentional and were outside attackers involved?

      Having carefully analyzed information on the data breach, you can draw some conclusions about the source of the breach to effectively stop it. You can also gather a list of affected, or potentially affected parties in preparation for step 5.

      5. Notify related parties

      Next, you should notify all affected organizations and individuals, as well as law enforcement if the breach was significant enough. Timely notification is a very important data breach investigation procedure as it will enable individuals to take measures to protect lost data, such as changing passwords, or at least to be careful in case scammers take advantage of the data breach. Additionally, in many jurisdictions there are mandated notification timeframes, which we will discuss below.

      The list of those to be notified will vary depending on the type of compromised data and may include:

      • Employees 
      • Customers 
      • Investors 
      • Business partners
      • Regulators
      • And others

      Pay particular attention to notice periods. They depend on the regulations and standards you need to comply with and the type of data affected (personal data, financial data, etc.). Failure to notify regulators in a timely manner could result in liability and extensive fines.

      Australia

      In Australia, entities with existing personal information security obligations under the Australian Privacy Act are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of all “eligible data breaches”.

      United States

      As yet, no federal legislation has been enacted covering data breach investigation or notification processes, and the laws are a patchwork of state or industry specific laws. For example, organizations that need to comply with the Health Insurance Portability and Accountability Act (HIPAA) must notify each affected individual within 60 days after discovering a breach. Fines for a HIPAA violation may be up to $25,000. The minimum fine is $100. Most states have their own specific laws that deal with security breaches. For example, in California, a business must notify each resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.

      United Kingdom

      The GDPR requires data controllers to notify the appropriate supervisory authority no later than 72 hours after discovering a data breach. The GDPR sets a maximum fine of €20 million or 4 percent of annual worldwide turnover (whichever is greater) for a data breach.

      Similar guidelines apply to organizations in Canada under the Breach of Security Safeguards Regulations.

      Many other countries also have laws and regulations regarding the use and unauthorized disclosure of personal data. If your organization operates in more than one country, you should consider local data breach legislation and include its requirements into your incident response plan.

      6. Take containment, eradication and recovery measures

      The next step is to mitigate and remediate the effects of the breach. Let’s see how each of these measures can help you effectively mitigate the consequences of a data breach. 

      Containment measures

      The goal of these measures is not only to isolate compromised computers and servers but to prevent the destruction of evidence that can help investigate the incident.

      Conduct a comprehensive data breach containment operation and preserve all evidence, being careful you don’t destroy it. For example, if a data breach is caused by malware, it may not create files on disk but may place itself entirely in RAM because it’s harder to detect this way. Therefore, it’s unacceptable to power off the computer, as all the information contained in RAM will be lost.

      Also, monitor the attacker’s activities and determine whether any data is leaking during the investigation.

      Here are possible measures you can take for containment:

1. Disconnect from the Internet by pulling the network cable from the firewall/router to stop further loss of data.
2. Document the entire incident. Document how you learned of the suspected breach, the date and time you were notified, how you were notified, what you were told in the notification, all actions you take between now and the end of the incident, the date and time you disconnected systems in the card data environment from the Internet, disabled remote access, changed credentials/passwords, and all other system hardening or remediation steps taken.
3. Disable (do not delete) remote access capability and wireless access points. Change all account passwords and disable (do not delete) non-critical accounts. Document old passwords for later analysis.
4. Change access control credentials (usernames and passwords) and implement highly complex passwords: 10+ characters that include upper and lower case, numbers, and special characters. (Avoid passwords that can be found in any dictionary, even if you are substituting special characters in place of letters.)
5. If you process payments, segregate all hardware devices in the payment process from other business-critical devices. Relocate these devices to a separate network subnet and keep them powered on to preserve volatile data.
6. Quarantine instead of deleting (removing) identified malware found by your antivirus scanner, for later analysis and evidence.
7. Preserve firewall settings, firewall logs, system logs, and security logs (take screenshots if necessary).
8. Restrict Internet traffic to only business-critical servers and ports outside of any payment-processing environment(s). If you must reconnect to the Internet before an investigator arrives, remove your credit card processing environment(s) from any devices that must have Internet connectivity and process credit cards via dial-up, stand-alone terminals obtained from your merchant bank until you consult with your forensic investigator.
9. If relevant, contact your merchant processing bank (if you haven’t already) and let them know what happened.
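Two of the steps above, documenting every action (step 2) and preserving logs without destroying evidence (step 7), can be made reproducible with a small journal that hashes each preserved file and timestamps each action. The following is an added example, not code from the original page; the file names, case id and log contents are constructed.

```python
"""Evidence-preservation helper for the containment steps above (added
example, not the page's code): a timestamped action journal (step 2) and
log preservation with integrity hashes (step 7). All names are constructed.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class IncidentJournal:
    """Append-only record of containment actions and preserved evidence."""

    def __init__(self, evidence_dir: Path, case_id: str):
        self.evidence_dir = evidence_dir
        self.evidence_dir.mkdir(parents=True, exist_ok=True)
        self.case_id = case_id
        self.entries = []

    @staticmethod
    def _stamp() -> str:
        return datetime.now(timezone.utc).isoformat()

    def log_action(self, actor: str, action: str) -> dict:
        """Record who did what and when (step 2: document everything)."""
        entry = {"time": self._stamp(), "actor": actor, "action": action}
        self.entries.append(entry)
        return entry

    def preserve(self, src: Path, actor: str) -> dict:
        """Copy a log into the evidence store and prove the copy is identical."""
        dst = self.evidence_dir / src.name
        original_hash = sha256_of(src)
        shutil.copy2(src, dst)  # copy2 also keeps the original mtime
        if sha256_of(dst) != original_hash:
            raise RuntimeError(f"copy of {src} does not match original")
        entry = {"time": self._stamp(), "actor": actor,
                 "action": f"preserved {src}", "evidence": str(dst),
                 "sha256": original_hash}
        self.entries.append(entry)
        return entry

    def verify(self) -> list:
        """Re-hash every preserved file; return the paths that changed."""
        return [e["evidence"] for e in self.entries
                if "sha256" in e and sha256_of(Path(e["evidence"])) != e["sha256"]]


def build_sample_case() -> IncidentJournal:
    """Run the procedure on a constructed sample: a made-up firewall log
    preserved into a fresh temporary evidence directory."""
    base = Path(tempfile.mkdtemp(prefix="inc-"))
    src = base / "firewall.log"
    src.write_text("2024-01-01T00:00:00Z DROP src=192.0.2.10 dst=198.51.100.5\n")
    journal = IncidentJournal(base / "evidence", "INC-0001")
    journal.log_action("analyst", "pulled uplink cable at firewall (step 1)")
    journal.preserve(src, "analyst")
    journal.log_action("analyst", "disabled (not deleted) remote access (step 3)")
    return journal
```

Running `verify()` again before handing the evidence to an investigator shows whether any preserved file changed after collection.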

      Eradication measures

      Next, it’s important to eliminate all causes that led to the data breach. For example, if the breach occurred as a result of an insider threat, security specialists should disable all accounts that leaked information. If the threat was external, such as malware, it may be necessary to clean up the affected system and patch exploited vulnerabilities.

      Recovery measures

      After a successful eradication step, it’s necessary for the organization to return to normal operations. This includes putting the affected systems back into a fully operational state, installing patches, changing passwords, etc.

      Security specialists should carefully monitor the network, recovered computers, and servers to ensure that the threat has been fully removed.

      7. Conduct a root cause analysis

      Once you’ve taken basic actions to counter the data breach, it’s time to analyze the incident and its consequences and take steps to prevent similar issues in the future. Every data breach should be thoroughly audited afterwards. The specifics of each audit depend on the data breach itself and its causes.

      In general, an audit may include:

• Reviewing the organization’s cybersecurity systems
• Analyzing the causes of the data breach
• Creating a plan to prevent similar incidents in the future
• Reviewing policies and procedures to reflect lessons learned from the data breach
• Improving cybersecurity awareness among employees

The 5 Whys and 5 Hows technique may help you achieve continuous improvement at any organization. The 5 Whys method is simply asking the question “Why” enough times until you get past all the symptoms of a problem and down to the root cause. The 5 Hows are then used to determine a root or permanent solution to the root cause(s) of the problem.

      How to Perform 5 Why & 5 How

      1. Form the Team

      The 5 Why & 5 How exercise should be performed by a team, not an individual. The team should include diverse members. Each team member will bring their own unique viewpoint of the problem and ask important questions that may not otherwise have been asked.

      2. Define the Problem

Develop a clear and concise problem statement. The team should keep their focus on the process and not on the personnel. The team should also determine the scope of the problem to be addressed. If the scope is too narrow, the problem-solving exercise could result in small improvements when larger, broader improvements are needed. Conversely, defining the problem with too broad a scope could extend the time required to resolve it and generate solutions that might not fit the corporate culture or align with corporate strategy, and so never be carried out. Taking the time to clearly define the problem up front often saves time and makes solving the problem easier.

      3. Ask Why

      Next the team leader or facilitator should ask “Why” the problem or failure occurred. The responses should be backed by facts or data and not based on an emotional response. The responses should also focus on process or system errors.

      The facilitator should then ask the team “if the identified causes were corrected, could the failure or problem still occur?” If the answer is yes, then move on to the second “Why” and then the third, fourth, fifth and so on until the answer is no.

      Note: It is not always necessary to ask “Why” five times. The root cause could be identified during the third or fourth “Why”. It may also take more than five times to get through the symptoms of the problem and down to the root cause. In addition, by the 3rd, 4th, or 5th “Why”, you may likely discover a systemic or management practice as the cause.

      4. Determine and Implement Corrective Actions

      Upon determination of the root cause(s), a list of appropriate corrective actions should be developed to address each root cause. 5 How is a useful method of brainstorming resolutions to the root causes and developing action items to resolve the problem. The facilitator should ask the 5 Hows related to the issue at hand. How can this cause be prevented or detected? Keep asking “How” until you get to the root solution that resolves the root cause. The actions should have an owner and a due date. Regular meetings should be held to update the team on the status of the actions until all are completed. Upon completion of the recommended actions, the effectiveness of the actions should be determined. 

      Basic 5 Why Example

      There are various formats used to document the 5 Why exercise, some more detailed than others. The following is an example of the basic 5 why process.

      Problem statement – the file ‘evilcode.php’ was injected into our web service, allowing an attacker to gain configuration information, though they were stopped without further attacks.

      1. Why? There was a remote code execution vulnerability in our web application
      2. Why? No-one updated the web framework.
      3. Why? Web applications and frameworks aren’t part of our patching process.
      4. Why? It’s too hard and takes too much time to apply updates to web applications.
      5. Why? We haven’t built processes, procedures, and pipelines to allow for easy updating of web applications.

      Caution must be observed to assure that the “Whys” follow a logical path. One method to check if the progression follows a logical path is to read the causes in reverse order. When you read the causes or “Whys” in reverse order, they should follow a logical progression to the problem statement or failure mode. Referencing the example above, the progression would be like this:

      • There is no documented, easily understandable, efficient process for updating web applications
      • Therefore – employees need to figure it out for themselves each time, which is hard and time consuming
      • Therefore – web applications were not included in our regular patching process
      • Therefore – no-one updated the web framework
      • Therefore – there was a remote code execution vulnerability in our web application
      • Therefore – someone was able to inject malicious code into our web service and gain configuration information 

By thoroughly implementing these steps, you can get a better understanding of the data breach that occurred, discover its true causes, and determine the best pathway for mitigating its consequences.

Best Prevention and Response Plan

After the cause of the breach has been identified and eradicated, you need to ensure all systems have been hardened, patched, replaced, and tested before you consider re-introducing the previously compromised systems back into your production environment. During this process, ask yourself these questions:

• Have you properly implemented all of the recommended changes?
• Have all systems been patched, hardened, and tested?
      • What tools/reparations will ensure you’re secure from a similar attack?
      • How will you prevent this from happening again? (Who will respond to security notifications and be responsible to monitor security, Intrusion Detection System, and firewall logs?)

There are many elements of a good prevention plan. According to the Data Breach Guideline created by the Information and Privacy Commission, here are some suggestions:

• Make sure you’re aware of your organisation’s privacy principles as well as the types of breaches that might affect your organisation.
• Identify the individuals in your organisation responsible for privacy and data protection. These are the staff members who will provide support for understanding and implementing data breach prevention practices, as well as being the contact points in the event that you identify a suspected breach.
• Establish honest and consistent privacy and data breach communication channels with employees.

• Ensure that you are aware of proper processes and that they are followed.
• If you identify where privacy and data protection improvements to processes can be made, communicate this to management.
• Minimise the transporting and copying of data in common processes, especially if this is done using portable devices, email, or syncing files to local devices.

• Be aware of privacy and data protection policies and abide by them. Provide feedback on policy that is difficult to implement so that it may be improved.
• Relevant policies include those that cover computer and email use, BYOD, information access restrictions and conditions, and personal information collection and use.

• Abide by the data protection policies and practices of your Agency with regard to the use of computers, emails and other electronic devices.
• Ensure that security protections, such as passwords and two-factor authentication, are compliant with your organisation’s rules.
• Avoid transferring data through insecure methods, such as USB sticks, paper copies, or unencrypted email attachments.
• Keep applications on your devices updated to the latest version, as vulnerabilities are frequently patched.
• Be aware of the data you hold on your computer and your devices. Avoid replicating data across multiple devices, especially if they are portable and may be lost, stolen or misplaced.

      How Polonious can Help

      Data breaches carry significant risks and can incur significant losses, so the sooner you deal with them, the better. Proper investigation will help you identify the extent of an incident and take measures to mitigate it in order to minimize the risks.

      It’s best to have a set of measures prepared to respond to data breaches, such as an incident response plan and a pre-assembled response team. Coordinated actions and a consistent approach can significantly speed up the process of recovering after a breach. Polonious Systems offers a rich set of features for data breach investigation and mitigation.

      Additionally, Polonious maintains ISO27001 certification to ensure its own processes and software are kept to the highest international standards for security. This includes regular penetration testing, code reviews, disaster recovery and business continuity drills, as well as frequent internal audits and twice yearly external audits of our processes.

      Data, Privacy and Security Breach are one of the top risks facing companies today. There are 7 steps for Investigating Data Breaches.

      A robust root cause analysis is an integral part of a data breach investigation.


Benefits of Moving to AWS

      Polonious offers a number of hosting options, primarily focused on AWS but including self-hosting by clients as well as hosting on Polonious’ own co-located servers. However, over the last few years most new clients have signed up for our AWS hosting option, and Polonious has successfully migrated many companies into the AWS cloud.

This is often requested in order to meet ever-increasing security and compliance requirements. These include technical requirements such as stronger network security, encryption in transit and at rest, and secure log retention, as well as operational requirements such as Business Continuity and Disaster Recovery, where AWS offers multiple levels of redundancy versus co-located servers, and especially versus self/on-premises hosting. Polonious’ Knox Grade infrastructure is easy to implement on AWS and, together with AWS’ own security setup, provides ISO27001 certified levels of confidentiality, integrity and availability.

For these reasons, many organisations are moving computing services to the cloud, not just case management. With deep AWS product knowledge and close working relationships with clients, Polonious can help you implement a secure, robust, cost-effective cloud solution.

      This blog will help you understand the benefits AWS brings to our clients, to help you determine which solution works best for your organization.

      This blog will address:

      • What is AWS (Amazon Web Services)
      • Benefits of AWS
      • How we can help

      What is AWS

      AWS stands for Amazon Web Services, the world’s “most comprehensive and broadly adopted cloud platform”. AWS helps millions to:

      • Lower their business costs, by only paying for cloud services and storage they need
      • Become more agile, offering systems you can access from anywhere in the world
      • Innovate faster, removing time spent worrying about in-house servers and software

      Amazon Web Services (AWS) provides a reliable, scalable and low-cost infrastructure platform powering businesses in 190 countries around the world. It can help streamline fragmented processes, speed up project delivery, and reduce company costs. 

      AWS encompasses many services, including everything from databases to machine learning. Popular services include AWS RDS (reliable database services), AWS S3 (simple, secure storage) and AWS EC2 (scalable compute capacity). Polonious uses all those services for our AWS hosting option.

      According to Yahoo Finance, Amazon Web Services are trusted by some of the world’s largest companies, including Unilever, Intel and Dropbox. However, Amazon’s cloud service is a good choice for virtually every type of company, no matter how big or small. From a start up to a Fortune 500 company, every business has the option to customize a spot for themselves on the cloud.

      Benefits of AWS

      Data Protection and Encryption

      All data on the AWS network is automatically encrypted including data in transit and at rest. With AWS, you can control where your data is stored, who can access it, and what resources your organization is consuming at any given moment. Fine-grain identity and access controls combined with continuous monitoring for near real-time security information ensures that the right resources have the right access at all times. 

      Point-in-time recovery and continuous backup

Polonious on AWS offers detailed backup and recovery options, with daily snapshots of the database and backups of the transaction logs for 35 days (created at 5 minute intervals). This transaction log can be used to roll back data to any day and time within the last 35 days and allows an RPO of only 5 minutes. Additionally, nightly snapshots of the database are created and stored for 10 days.
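Whether an RDS instance actually delivers the encryption at rest described under Data Protection and Encryption and the 35-day, 5-minute-RPO point-in-time recovery described here can be checked from its instance description. The script below is an added example, not Polonious’ or AWS’ code; the instance identifiers and descriptions are constructed, and the live `main()` assumes boto3 is installed with credentials configured.

```python
"""Backup and encryption audit for an RDS instance (added example, not
Polonious' or AWS' code). Checks what the two sections above rely on:
encryption at rest, the 35-day backup retention window and a point-in-time
recovery window within a 5 minute RPO. It runs offline on constructed
descriptions shaped like boto3's describe_db_instances() output; main()
audits a real account if boto3 and credentials are available (assumption).
"""
from datetime import datetime, timedelta, timezone

REQUIRED_RETENTION_DAYS = 35    # retention period the page describes
MAX_RPO = timedelta(minutes=5)  # transaction-log interval the page describes


def audit_rds_instance(desc: dict, now: datetime) -> list:
    """Return findings for one DBInstance dict; an empty list means it passes."""
    findings = []
    name = desc.get("DBInstanceIdentifier", "<unknown>")
    if not desc.get("StorageEncrypted", False):
        findings.append(f"{name}: storage is not encrypted at rest")
    retention = desc.get("BackupRetentionPeriod", 0)
    if retention == 0:
        findings.append(f"{name}: automated backups are off, no PITR")
    elif retention < REQUIRED_RETENTION_DAYS:
        findings.append(f"{name}: backup retention is {retention} days, "
                        f"need {REQUIRED_RETENTION_DAYS}")
    latest = desc.get("LatestRestorableTime")  # most recent PITR point
    if latest is not None and now - latest > MAX_RPO:
        findings.append(f"{name}: PITR lags {now - latest}, exceeds {MAX_RPO}")
    return findings


# Constructed sample descriptions; the identifiers are not real instances.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_GOOD = {
    "DBInstanceIdentifier": "cases-prod",
    "StorageEncrypted": True,
    "BackupRetentionPeriod": 35,
    "LatestRestorableTime": NOW - timedelta(minutes=4),
}
SAMPLE_WEAK = {
    "DBInstanceIdentifier": "cases-legacy",
    "StorageEncrypted": False,
    "BackupRetentionPeriod": 7,
    "LatestRestorableTime": NOW - timedelta(minutes=20),
}


def main():
    """Audit every RDS instance the current credentials can see."""
    import boto3  # assumption: boto3 installed and AWS credentials configured
    rds = boto3.client("rds")
    now = datetime.now(timezone.utc)
    for page in rds.get_paginator("describe_db_instances").paginate():
        for desc in page["DBInstances"]:
            for finding in audit_rds_instance(desc, now):
                print(finding)


if __name__ == "__main__":
    main()
```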

      Governance, Risk and Compliance

      Given the gravity, complexity, and growing number of risks that organizations face, the regulatory/compliance landscape is rapidly evolving. AWS supports more security standards and compliance certifications than any other offering, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171, helping satisfy compliance requirements for virtually every regulatory agency around the globe. Enhanced data security ensures compliance with relevant regulatory requirements. Take a look at the AWS compliance programs.


One of the key benefits of AWS migration is enhanced performance. Using the AWS cloud platform you can easily deploy, manage, and monitor your applications, bringing better alignment between application utilization and business performance.

      Enhanced Security

Data theft and cyber attacks are an increasing risk to many companies; learn more about the nature of these crimes in: Workplace Fraud: 3 Common Data Theft Schemes. AWS offers far more security than a company’s own hosted website or storage. AWS has redundant data centers in all major jurisdictions around the globe. This allows for sophisticated failover solutions that are hard to implement on-premise or via co-located server centers.

      How Polonious can Help

Polonious has led multiple migration projects, allowing our clients to enjoy the benefits of enhanced security, compliance and performance. Using our technical and legal expertise, we help organizations through all the phases of migration projects from discovery to execution. Polonious offers a multi-stage approach to transformation: diagnosing the state of your current hosting solution, creating the best AWS migration strategy for you, then transitioning your instance. We take the time to ensure that your cloud migration goes smoothly and is in line with your company goals.

      Polonious’ Knox Grade infrastructure is ISO27001 compliant, meaning it meets internationally recognised security standards. This infrastructure comes with intrusion and threat detection, secure web application firewalls, and detailed backup and point-in-time recovery. Additionally, it is regularly penetration tested and drilled against various disaster recovery scenarios. The Polonious Case Management Software offers an opportunity to take advantage of better methodologies, technology and workflows to integrate compliance and customer service into everyday processes.

      Our team is experienced in large-scale AWS migrations, having led many successful migration projects.

AWS is ‘Amazon Web Services’, one of the leading cloud hosting providers.

Benefits of migrating to AWS include improved backup, recovery, and availability options, as well as easier installation of our Knox Grade security options.

      Migrate to AWS Now

      Are you an existing co-located or on-premise hosted customer? Or a new customer who would like to explore secure case management hosted on AWS? Contact us today.
