Fraud and security risks, including cyber-crimes, hit an all-time high in 2017, according to a new report from risk advisory firm Kroll.
The survey finds that experiences of fraud have become more pervasive. The proportion of executives who said their companies fell victim to at least one instance of fraud over the past 12 months increased to 84 percent from 82 percent in the previous survey. Levels of reported fraud have steadily risen every year since 2012, when the reported occurrence was just 61 percent.
Kroll’s annual Global Fraud & Risk Report also found a small increase in the level of cybersecurity incidents. A full 86 percent of executives surveyed said their companies had experienced an online security incident or information theft, loss, or attack over the past 12 months, up a click from 85 percent in 2016. Seven in 10 respondents reported the occurrence of at least one security incident during the past year, compared to 68 percent in the previous survey.
“Respondents are experiencing a heightened sense of vulnerability to fraud, cyber, and security risks, with information-related risks now being the area of greatest concern,” the report stated. “As criminals continue to find new ways to monetize confidential data, including personal data, data assets are becoming increasingly valuable and attractive targets.”
Info Under Attack
Indeed, the most common types of corporate fraud usually involve data theft. For the first time in the Kroll report’s 10-year history, information theft, loss, or attack was the most prevalent type of fraud experienced, cited by 29 percent of respondents, up 5 percentage points from the previous year. Theft of physical assets or stock, long the most common type of organizational loss, was the second most frequently cited incident in 2017 at 27 percent.
Cyber attacks represent one of the most persistent threats to confidential information, says Kroll. In fact, the reported level of occurrence for every type of cyber-incident included in the survey increased in the last 12 months.
Those incidents also appear to be increasing in severity. In the year when major viruses such as WannaCry and Petya hit across the world, 36 percent of executives surveyed said their companies had been impacted by a virus or worm attack, an increase of 3 percentage points. One in three said they had suffered an email-based phishing attack, up 7 percentage points from the last report, and 27 percent had suffered a data breach.
Still, physical theft or loss of intellectual property was by far the most common type of security incident. Of those executives whose company experienced a security incident this past year, 41 percent said their organizations fell victim to IP theft or loss.
“People instinctively think about data being targeted by cyber-attacks, but not all threats to information are confined to the digital realm,” says Jason Smolanoff, global cybersecurity practice leader for Kroll. “There is a convergence between physical and digital threats, with issues arising from equipment with sensitive data being stolen or lost, for example, or employees with access to highly sensitive information accidentally or intentionally causing a breach.”
Fraud Incidents More Costly
In addition to reporting extremely high incidence levels, respondents indicated that the repercussions of fraud, cyber, and security events were costly and wide-ranging, affecting employees and customers as well as the organization’s reputation and bottom line.
Businesses suffered significant economic damage from fraud, with nearly one-in-four respondents reporting losses of 7 percent or more of company revenues, an extremely worrisome increase from the prior year when only 3 percent of respondents reported this magnitude of financial impact.
Approximately three quarters of respondents said customers had been negatively impacted by all three risk factors: 76 percent by a fraud incident, 74 percent by a cyber incident, and 74 percent by a security incident. Almost two-thirds said that a fraud, cyber, or security incident had impacted the company’s reputation.
Beware the Inside Job
Insiders and ex-employees continue to pose the greatest threat to companies around the world. Respondents revealed that fraud, cyber, and security incidents are often inside jobs perpetrated by members of management or current, former, or temporary and freelance employees.
Of those reporting a fraud incident, 81 percent cited one or more insiders as perpetrators. Similarly, 58 percent of respondents who reported a cyber incident and 71 percent of those who experienced a security incident primarily identified insiders as the perpetrators.
“Senior executives are becoming acutely aware that threats to their organizations can arise at any time and originate from any place,” says David Fontaine, CEO of Kroll. “Insiders and ex-employees continue to pose a significant threat and have, together with external criminals and threat actors, more tools at their disposal than ever before with which to target and exploit companies.”
Managing the Risks
Nearly all anti-fraud measures mentioned in the survey were widely adopted by over 70 percent of respondents, with information controls the most widely implemented anti-fraud measure at 78 percent.
Reflecting the high levels of vulnerability reported by respondents to cyber intrusions, the top three cyber-risk mitigation measures that executives expect their companies to implement in the next 12 months all address the problem of intrusions. Executives say their companies have adopted intrusion detection systems that are device-based (57 percent), endpoint threat monitoring tools (55 percent), and intrusion detection systems that are network-based (54 percent).
Cybersecurity is also rapidly becoming a board governance mandate as the anticipated likelihood of an incident grows, compounded by increasing regulatory pressures and the costly reputational risks associated with data privacy and data loss events. Nearly half (46 percent) of respondents currently involve the board of directors in the formulation of cybersecurity policies and procedures. Another 40 percent say they plan to do so in the next 12 months.
Fontaine says companies need to take a more comprehensive approach to fighting fraud and cyber-theft. “In the face of these mounting threats,” he says, “organizations seeking to manage and mitigate the possibility of loss must take a holistic approach to enterprise risk management and implement diverse and layered measures that can enhance their ability to anticipate, detect, and respond to threats.”
Joseph McCafferty is editor and publisher of Internal Audit 360°.