2014 Global Fraud Survey
New challenges – Cybercrime
Reinforcing the commitment to ethical growth
New risks emerge from what the organization does, from changes in the markets in which it operates and from developments in external threats. One of the most significant examples of these developing threats is cybercrime.
Cyber attacks are now a fact of life for business, posing a dynamic, relentless menace for leading companies. The threat is growing, and our survey suggests organizations may not be keeping pace.
“We are witnessing a fast evolution of criminal behavior and patterns, exploiting technology developments and existing legal loopholes.” — Cecilia Malmström, EU Commissioner for Home Affairs
Are some executives underestimating the severity of threat caused by cybercrime?
Nearly 50% of the respondents in our survey see cybercrime as a very or fairly low risk to their business — 17% see it as a “very low risk,” and only 19% see it as a “very high risk.”
A real and growing risk
A real and growing risk
Q: How much of a risk would you say cybercrime poses to organizations like yours?
Base: All respondents (2,719); financial services (264); technology, communications and entertainment (184); government and public sector (51); life sciences (108); consumer products/retail/wholesale (604); oil, gas and mining (152); manufacturing/chemicals (468) The “don’t know” and “refused” percentages have been omitted to allow better comparison between the responses given.
Regulators and governments are painting a different picture. Mary Jo White, the Chair of the U.S. SEC, described cyber security threats as of “extraordinary and long-term seriousness.” According to research by the Economist Intelligence Unit, nearly a third of all businesses sampled have seen an increase in the number of attacks over the past year.
Our survey results suggest that some executives may be naïve regarding the scale and severity of the threat posed to their business. Our survey results also suggest that businesses may be slow in adapting to the source of these threats. Respondents continue to see hackers as the biggest concern — and are underestimating the risk from organized crime syndicates as well as “advanced persistent threats.” Developing an effective response is more difficult without a proper understanding of the potential sources of attacks.
Who owns the risk?
Cyber risks manifest themselves in areas beyond the scope of the chief information security officer. They affect employees, business systems and interactions between an organization and its stakeholders — including regulators.
Governance of the risks, therefore, needs to be built around several executives, including the CEO, chief financial officer (CFO), chief information officer (CIO), chief technology officer (CTO) and the general counsel. In the event of a breach, the general counsel’s role quickly increases in significance as managing the messaging for authorities and the content and timing of any disclosures are critical. Our results also show executives wanting their boards to discuss the risks regularly.
Detecting and diagnosing the threat
Cyber attacks probe defenses, searching for weaknesses. An effective defense requires scrutiny of a company’s entire IT platform using diagnostic testing. Diagnostic testing should encompass all networks, systems, logs and events and search for evidence of the four elements of a cyber attack:
- Entry — to identify evidence of malware that provides the attacker with a digital “beachhead”
- Lateral movement — identifying evidence of the extent to which an attack has spread across different parts of the network
- Harvesting — identifying unusual activity or tools across accounts and data sources that indicate the unauthorized capture of information
- Exfiltration — identifying efforts by the attacker to remove data