Published on 06/11/2018 | Written by Pat Pilcher
Focus less on tech and more on people, says PwC...
Cybercrime and its impact on businesses have been a recurring headline throughout 2018. According to PwC’s Global Economic Crime and Fraud Survey, almost half (49 percent) of its respondents said their companies had been victims of fraud. PwC says this is up from the 36 percent recorded in the previous year’s survey.
Mention cyber crime or fraud and most people picture a shadowy figure hunched over a laptop, but PwC’s report shows 52 percent of all reported fraud over a 24-month period was internal – up from 46 percent in 2016. This is supported by the Association of Certified Fraud Examiners’ 2018 Report to the Nations, which was based on 2,690 occupational – or internal – fraud cases worldwide. The 220 cases in the Asia/Pacific region (38 AU and 8 NZ) averaged US$236,000 in losses to the business concerned. The report notes that 41 percent of fraudsters were managers, 26 percent were owners/executives, and employees accounted for 30 percent of cases.
“Forty-one percent of fraudsters were managers, while employees accounted for 30 percent of cases.”
Seventy-three percent of convicted fraudsters were also male. And the older they are and the longer they have been with the organisation, the higher both the risk and the losses.
The survey data is presented in a useful ‘Illegal Insiders’ infographic produced by Raconteur, which shows the three most significant industries targeted by fraudsters were manufacturing, professional services and the energy sector. The three most frequent types of fraud in the PwC study were extortion (21 percent), asset misappropriation (24 percent) and disruption of business processes (30 percent).
The one factor reported as most effective in detection was a hotline for staff to tip off management to suspected fraudulent activity.
In New Zealand, the Government Communications Security Bureau (GCSB) has called on larger organisations to up their game when developing internal cybersecurity strategies. The GCSB’s findings were the result of a survey of 250 ‘nationally significant’ organisations by the National Cyber Security Centre. While 73 percent of organisations surveyed had bolstered their spending on cybersecurity, the GCSB says their investments are not translating into increased confidence in cybersecurity resilience levels.
The GCSB’s findings are echoed in a report by the Institute of Directors in partnership with Aura Information Security aimed at helping organisations better understand and decrease cyber risks.
While many organisations have invested in cybersecurity, many directors believe it to be an organisational blind spot, says Institute of Directors CEO Kirsten Patterson. “Directors are telling us that they are not getting sufficient information about cyber risks and incidents, or the actions they have and should be taking to address these.”
The report found that cybersecurity reporting needs to improve, and that directors want detailed reports on cybersecurity risks and prevention to have confidence that key business assets – with data now recognised as being included in that – are being protected.
The report details principles on reporting to boards and provides questions to help boards identify and develop metrics. The Institute of Directors says it hopes the report will help inform and inspire organisations to improve cybersecurity reporting to boards.
Aura Information Security general manager Peter Bailey notes that cyber attacks are growing in number and becoming increasingly sophisticated. “The number of online attacks impacting New Zealand businesses is growing – both in number and complexity. In order to provide effective oversight, boards need to have access to regular high-level holistic reporting on cyber risks and the state of their organisation’s cybersecurity programme.”
Yet even as attacks grow more sophisticated, the most common forms remain scams and phishing, where a human element is involved.
While PwC found that 44 percent of its respondents were planning to increase cybersecurity spending over the next two years, it also found that many companies were treating compliance, ethics and enterprise risk management as separate functions that operated in separate silos within an organisation. The net result of this, says PwC, is that “these functions rarely add up to a strategic whole. The parts of an organisation that investigate fraud, the parts that manage the risk of fraud, and the parts that report fraud to the board or regulators become disjointed.”
The PwC report goes on to note that while technology has a role to play, it isn’t always the most effective means of combating fraud.
“Organisations decide to pour even more resources into technology. Yet these investments invariably reach a point of diminishing returns, particularly in combating internal fraud. So, while technology is clearly a vital tool in the fight against fraud, it can only ever be part of the solution.”
PwC says this is because fraud is often the result of many conditions and human motivations. It says the most critical factor in a decision to commit fraud comes down to human behaviour. The methodology PwC recommends to combat this is what it calls the ‘fraud triangle’. It starts with an incentive (which PwC says is often pressure to perform from within the organisation), followed by an opportunity and internal rationalisation. PwC says that all three of these must be present for an act of fraud to occur, but that each needs to be addressed individually.