Senior managers need to take cybercrime more seriously. According to PricewaterhouseCoopers' (PwC) economic crime report, Cybercrime: Protecting Against the Growing Threat, businesses face serious threats from cybercriminals, from both within and outside their organizations.
The PwC report calls cybercrime one of the top four economic crimes – just after asset misappropriation, accounting fraud, and bribery/corruption – and it warns that cybercrime doesn’t get the attention it deserves. Instead of looking at cybersecurity from all angles, organizations have pigeonholed it as an IT problem.
These crimes aren't limited to big companies. While no industry is immune, communications and insurance companies top the list. The PwC survey says that "54 percent of the respondents who experienced economic crime were from organizations with more than 1,000 employees. But crimes committed against small and medium-sized organizations are on the rise as well, suggesting that fraudsters are now targeting these organizations more often."
CEOs should clearly define responsibilities for cybercrime, keep up-to-date on the latest developments in the field, and make sure their companies are constantly tracking risks and quickly handling problems as they arise. These and other conclusions were reported after nearly 4,000 people from seventy-eight countries were surveyed.
Highlights of the survey include:
Sixty percent of respondents said their organization doesn’t monitor the use of social media sites.
Two in five respondents had no cybersecurity training.
Thirty-four percent of respondents experienced economic crime in the last twelve months, up from 30 percent reported in 2009. Half of those respondents perceive the risk of cybercrime to be on the rise.
Almost one in ten who reported fraud suffered losses of more than $5 million.
Fifty-six percent of respondents said the most serious fraud was an "inside job."
Suspicious transaction monitoring has emerged as the most effective fraud detection method (up from 5 percent in 2009 to 18 percent in 2011).
"Although they are aware of the risks, companies are doing little about it and continue to be reactive rather than proactive in fighting cybercrime," the survey said. It also stated that more than half of respondents don't have, or aren't aware of having, access to forensic technology investigators, in-house capability to investigate cybercrime, and a media and public relations plan. Forty percent said they don’t have the in-house capability to prevent and detect cybercrime.
The survey found that the typical profile of an internal cybercrime fraudster is a junior employee or middle manager (cited by 84 percent), under the age of forty (65 percent), and employed by the organization for less than five years (51 percent).
So what actions should an organization take to defend against cybercrime? Here’s what the experts said in the report:
Get the CEO involved – the CEO and the board of directors need to be aware of the risks and opportunities of the cyberworld.
Look at how prepared an organization is for cybercrime – unlike traditional economic crime, cybercrime is fast-paced and new risks emerge all the time, which means an organization needs to adapt its procedures continually to reflect them.
Be aware of the current and emerging cyberenvironment (situational awareness) – only then can an organization make well-informed decisions and do the right things at the right times.
Set up a cyberincident response team that can act and adapt quickly – an organization can then track, assess risk, and deal with an incident as soon as it's spotted.
Recruit people with the relevant skills and experience – they can pass this knowledge on to everyone else, helping to create a "cyberaware" organization that can protect itself better.
Take a tougher and clearer stance on cybercrime – an organization should demonstrate it means business by taking legal action against cybercriminals and announcing what it's doing about threats and incidents.