Cybercrime is on the rise in UK businesses, but companies are doing little to protect themselves against it and other forms of fraud.
According to the latest Global Economic Crime Survey by management consultants PricewaterhouseCoopers (PwC), organisations could do much to limit the effects of fraud, but they fail to carry out proper risk assessments and only react when a fraud is discovered.
The 2011 Global Economic Crime Survey was completed by 3,877 respondents from 78 countries, 178 of them from the UK. The responses from the UK organisations form the basis of a separate report entitled “Combating Cybercrime to Protect UK Organisations.”
UK and global cybercrime statistics
According to the cybercrime statistics contained in the PwC report, cybercrime now ranks as the third most important form of economic crime in the UK, after asset misappropriation and accounting fraud. In the global survey, cybercrime rated fourth (bribery and corruption were third in the global survey).
PwC said in the report that since the last survey in 2009, economic crime in the UK has risen by 8%, with more than half of respondents reporting at least one incident of economic crime in the last year, and 24% reporting more than 10 incidents in the same period.
While asset misappropriation and accounting fraud have come down by 8% and 5% respectively since 2009, cybercrime is becoming more widespread. Twenty-six percent of UK respondents, mostly in the financial services industry, said they have suffered a cybercrime in the last year.
Most likely to commit cybercrime
Most respondents (58%) said the biggest risk of cybercrime was from external sources, while another 29% said it was a mixture of internal and external sources, and 8% pointed the finger at insiders. (In the global survey this last figure was higher, at 13%).
Globally, most internal fraud was carried out by senior management, but in the UK, 65% of internal fraud was carried out by middle managers, an increase of 38% since 2009. PwC said in the report that the typical internal fraudster is a non-graduate male, aged between 31 and 40, employed in the organisation between three and five years.
IT department employees were seen by most respondents as the most likely to commit cybercrime, whereas few saw any risk coming from HR (14%) or legal (8%), even though those departments handle sensitive and confidential information. “Organisations shouldn’t ignore these departments, as cybercrime can happen anywhere,” the report said.
Most UK companies appeared to take internal fraud seriously, with 84% saying they had dismissed culprits (the global figure was 77%). Three-quarters reported the crime to the police, and nearly a third told their regulators.
Departments responding to cybercrime
Confusion over what constitutes cybercrime, and who should tackle it, prevents companies from mounting an effective defence, PwC said in the report. “If an organisation doesn’t really know what cybercrime is, how can they expect to know who should be responsible for tackling it? There are several indications in our survey that UK organisations need greater clarity,” it said.
While the majority of respondents said tackling cybercrime should be the responsibility of the head of IT or IT security (48%), 33% said it should be a senior executive; 8% said it should be someone in the business unit affected; and 4% said the operational risk department should take control.
In reality, however, PwC indicated that a response to a cybercrime requires collaboration from different parts of the business. To illustrate that point, it posed a hypothetical case where an employee commits an accounting fraud by gaining illicit access to a corporate finance system. The report concluded the incident should be tackled by an accounting expert supported by a technology specialist.
Steps for reducing cybercrime
While most agreed that cybercrime awareness was important in beating cybercrime, 45% of respondents said they had no cybersecurity-related training in the last year. Only 24% of UK respondents received face-to-face training, which most people agreed was the most effective. “Given the current economic environment, it’s not really a surprise that organisations went for lower cost methods such as emails, posters, banners and computer-based packages,” PwC said in the report.
William Beer, a director in PwC’s risk assurance services group, said companies can reduce the effect of cybercrime by conducting regular formal fraud risk assessments. “Most organisations are in firefighting mode when it comes to this issue,” Beer said. “They need to have more regular assessments and become more proactive.”
Assessments, he said, can help companies plan for the far-reaching implications of a breach, such as damage to brand and reputation.
Beer added that technology can play an important role in detecting and preventing fraud, but it needs to be deployed properly. “Automated systems are a step in the right direction, but they tend to be used in silos and not across the business,” he said. “For instance, the banks have good automated fraud detection systems in their credit card business, but then don’t use it for the online banking side of the business. That is quite counterproductive.”