Economic crime survey

by Mark Rowe

The UK has seen a double-digit rise in economic crime against corporates in the last two years. More than half (55 per cent) of organisations were affected, an increase of 11 percentage points since 2014, significantly outstripping the level in countries such as the US (38 per cent) and China (28 per cent). Globally, the economic crime rate has remained largely static at 36 per cent.

This is according to the biennial PwC Global Economic Crime Survey 2016. The audit firm polled more than 6,000 participants in 115 countries, including the United Kingdom.

The survey found that 60 per cent of economic crime in the UK was by outsiders, up from 56 per cent in 2014. While there was a decline in the number of organisations reporting economic crime perpetrated by employees (31 per cent), there was a large increase in frauds committed by senior management, which more than doubled from 7 per cent to 18 per cent.

Andrew Gordon, PwC’s Global & UK Forensics leader, said: “While the prevalence of traditional fraud, such as asset misappropriation, has fallen since 2014, there has been a huge rise in organisations reporting cybercrime. Technology is driving almost every other area of economic crime as well. Business needs to minimise the opportunities for economic crime through rigorous fraud risk assessment, supported by a culture based on shared corporate values and robust policies and compliance programmes.”

Cybercrime has experienced the fastest growth of all economic crime. Some 44 per cent of UK organisations that had experienced economic crime in the last 24 months were affected by cyber incidents, a jump of 20 percentage points from 2014 – and substantially higher than the global response of 32 per cent. The rise of cybercrime is in contrast with some of the traditional forms of economic crime, including bribery, asset misappropriation and procurement fraud, which have declined.

Just over half (51 per cent) of UK organisations say they expect to be the victim of cybercrime in the next two years, suggesting it will become the UK’s largest economic crime. However, only 12 per cent of respondents believe that law enforcement authorities have the necessary skills and resources to investigate it. Almost a third of UK entities have no cyber response plan in place. The fast take-up of cloud-based storage and the growing prevalence of the ‘internet of things’ are some of the reasons for this year’s steep increases in cybercrime in the UK, leaving anything connected to the office network now vulnerable to hackers.

Global corporate intelligence leader at PwC, Mark Anderson, said: “Hackers are now more ambitious than ever. Their aim goes beyond targeting financial information to include a company’s ‘crown jewels’ – customer data and intellectual property information, the loss of which can bring down an entire business. The threat of cybercrime is now a board level risk issue, but not enough UK companies treat it that way.”

UK respondents say the greatest concern about a cyber-attack is the potential disruption to services – 31 per cent say it would have a medium-to-high impact. Surprisingly, almost half say that cybercrime would have no impact on their reputation and almost 60 per cent are not concerned about the potential for theft of intellectual property.

This year’s survey points to the rise of the so-called ‘silver fraudster’ in the UK with a strong shift towards more senior and experienced employees carrying out corporate fraud. Senior management fraud is often more difficult to detect and prevent, and usually has a much greater impact on an organisation. This change is therefore a particular concern for UK entities. While those in middle management remained the most responsible for economic crime (36 per cent), half the instances committed by staff involved employees over the age of 40, and the number carried out by staff over the age of 50 tripled from 6 per cent to 18 per cent.

The survey found that 45 per cent of internal fraudsters had worked for more than five years within the organisation they defrauded and 21 per cent had more than a decade of service. In contrast, the number of junior staff carrying out economic crime has fallen since 2014 from 45 per cent to 28 per cent.

While the vast majority (86 per cent) of UK organisations have formal business ethics and compliance programmes in place, far fewer (63 per cent) back up these rules with regular training and communication. Moreover, frauds that staff typically commit, such as accounting and HR fraud, have risen in number in the last two years. Financial services companies are set to be the biggest spenders on compliance in the UK in the next two years while compliance budgets for other industries are under pressure as they face demands to do more with less, according to survey responses.

Tracey Groves, the head of ethics and compliance in PwC’s UK Forensics practice, said: “Economic crime is a question of culture, not just compliance. Even the best compliance programmes will fail if a company’s culture accepts wrong-doing as a norm.

“While it is encouraging that so many UK organisations understand the value of having a code of conduct, it’s crucial to back it up through regular training and engagement with employees. Unfortunately our survey shows this just isn’t happening enough.”

Other findings include:

· 20 per cent of UK organisations say they have never performed a fraud risk assessment while 44 per cent do so annually.

· 5 per cent of respondents say they have been asked to pay a bribe in the past 24 months while 7 per cent feel they lost a business opportunity to a competitor who was willing to pay it.

· 22 per cent of frauds were detected through suspicious transaction monitoring; others through fraud risk management (14 per cent), data analytics (8 per cent), internal audit (8 per cent) and accidental discovery (8 per cent).

The survey is available at: www.pwc.co.uk/gecs.

Comments

Yaroslav Rosomakho, Channel Solutions Manager, Advanced Threats at Arbor Networks, said the news was no surprise. “In fact, we believe this figure is far too low. Threats are evolving at an alarming rate with the average attack 60 times more powerful than a decade ago as highlighted in our recent Worldwide Infrastructure Security Report. We are more connected and reliant on technology than ever before, and as a result, the number of routes for an attack is increasing exponentially. In this new landscape, it’s clear that companies must do more as attackers continue to evolve.”

“Organisations need to be vigilant and ensure they have the right security in place to deal with hackers. What’s becoming essential, especially for larger organisations and high-value targets, is having the ability to detect and contain threats quickly – even when they make it past the perimeter defences. This isn’t all about technology – although having the right tools helps – people and process are key in this.”

Ross Brewer, VP and MD of international markets at LogRhythm says: “It’s not surprising that more than half of UK businesses expect to fall victim to cybercrime over the next two years – cyber-attacks are now an inevitable part of business life. What’s worrying is the apparent lack of planning companies have in place. At a time when businesses should be fully aware of the repercussions, failing to implement a cyber security strategy makes no business sense.

“Just as traditional fraud has long been a priority for businesses, so must cybercrime. Online crime is evolving and, as this report indicates, is fast becoming the number one threat to business continuity. Whether it’s combating the internal or external threat, businesses need a well thought out response plan in place.

“Firstly, businesses must put greater importance on education within the workplace. Employees will always pose a threat – whether intentionally or unintentionally – so stricter access control and overseeing of employee activity is also needed. Secondly, businesses must have tools in place that give them insight into network activity that the human eye cannot provide. By using intelligent security that monitors the network, businesses will be able to identify threats as soon as they appear. Organisations need to minimise risk and planning is key. If companies don’t start realising this soon, they will likely suffer long-term economic and reputational damage.”

John Lord, Managing Director at GBG, said: “It is incredibly important that data is utilised correctly to minimise the risk of the booming business that is fraud, or indeed the implications once that company has been targeted by a fraudster. Businesses need a safety net in place so that when they are a victim of a cyberattack, the use of any customer data compromised is prohibited so that its value to those with malicious intent is worthless. In the battle against fraud, data needs to be seen as a good thing. Data transparency can be used incredibly effectively as a way of battling fraud. When data is shared freely between the public and private sectors, across geographical and political boundaries and amongst international bodies, a more accurate picture of global fraud patterns can be established. The more transparent we can be with data, the more it can be used to gather insights and intelligence that will stop the bad guys in their tracks.”

And David Kennerley, senior manager for threat research at Webroot, said: “All the signs over the past year have pointed to cybercrime increasing, but it is surprising that PwC found the number of companies hit to be as low as one in four. This is likely because so many attacks go unrecognised for a long period of time.

“What is worrying is that only half of the respondents expect some form of cyberattack in the next two years, because every organisation is at risk – regardless of size, location and product offering. Essentially, if a business makes money or holds data – of which all do – then it is a potential target.

“Hackers are becoming more inventive with their targeting, from small businesses to large corporations. Organisations need to bear this in mind and take a proactive approach to security.

“There’s no magic wand. In simple terms, it’s about completing comprehensive risk assessments, creating policies and understanding industry best practices, evaluating possible technologies then implementing a solution. Security training should always be at the heart of an organisation’s security program as technology alone will not stand up against a motivated attacker. Everyone within the organisation – from IT to the marketing department – should be made responsible for the security of its assets. With the recent success cyber criminals have seen, we can only expect more companies to be affected in two years’ time when the next PwC survey is released.”

Rob Lay, Customer Solutions Architect in UK and Ireland at Fujitsu said that the study highlights just how crucially important it is for businesses to remember that a cyber-attack is not always a faceless hacker trolling the internet to find an open-door to a business’s data – but that the malicious attacks often come from within: “To reduce the impact of malicious insider attacks, businesses can implement access-based controls to regulate what data can be seen by whom. This way, they can monitor who is trying to access data that isn’t relevant to them, highlighting their potentially malicious intentions. Organisations should also look to encrypt their data where possible and perform regular vulnerability scans of their internal network to understand what vulnerabilities exist and could therefore be exploited by a malicious insider.

“Another important defence is monitoring staff behaviour. Insiders do not ‘go bad’ without warning but typically start to display out-of-character behaviour at least 30 days before the first theft or compromise. They may access parts of the network to which they either lack authorisation, or which are simply not required for their work; they may start keeping unusual hours; they may even make explicit threats, or worrying comments to colleagues. By monitoring activity to spot anomalies, an organisation can identify when an employee may pose a higher risk.

“It’s also clear that businesses are still struggling to deal with the volume and type of threats they face. Companies should focus some effort on ensuring that they have suitable response processes in place, along with better visibility of what is going on within their environments. With the effective lack of any perimeter due to mobility, cloud and other developments such as IoT, understanding what is happening, being able to interpret that in the context of the business and then being able to take appropriate action based on informed business decisions means that companies will be much better equipped to respond to these attacks as and when they happen.”


© 2024 Professional Security Magazine. All rights reserved.
