Attacks/Breaches

7/16/2018
10:30 AM
Marc Wilczek
Marc Wilczek
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

Time to Yank Cybercrime into the Light

Too many organizations are still operating blindfolded, research finds.

At a time when the public and governments are watching their every move, today's organizations are up against an unprecedented wave of crime and fraud-related risks that affect their internal and external relationships, regulatory status, and reputation. Unfortunately, not enough companies are truly aware of the fraud threats they face.

According to PricewaterhouseCooper's 2018 Global Economic Crime and Fraud (GECF) Survey, a poll of some 7,200 respondents across 123 different countries, 49% say their companies had been victimized by fraud or economic crime, up from 36% in 2016. This uptick can be attributed to a greater global awareness of fraud, more survey responses, and better understanding of what constitutes "fraud." But every company — no matter how vigilant — can have blind spots.

Some 44% of poll respondents indicate that they intend to increase spending in the next two years. Great — but where? These days, organizations are harnessing some seriously powerful technology and data analytics tools to battle the fraudsters. On top of these tech-based controls, many firms are also expanding whistleblower programs and taking care to keep leadership informed about real and potential breaches.

Despite the increased spending, many organizations are still trying to prevent fraud through a reactive, defensive approach. Only 54% of global organizations indicate that they have completed a general fraud or economic crime risk assessment in the past two years. Less than half had conducted a risk assessment to assess their vulnerability to cybercrime. Even worse, one in 10 performed zero risk assessments in the past two years.

According to PwC's CEO Survey 2018, a majority (59%) of CEOs agree or strongly agree that organizations are feeling more pressure to hold leaders accountable for any misconduct perpetrated on their watch. That may be why some 71% of CEOs measure the levels of trust between their workers and their organization's senior leadership.

The Perpetrators
As highlighted in PwC's GECF report, some 68% of external fraudsters are agents, vendors, shared service providers, and customers. Troublingly, 52% of all frauds are committed by people inside the organization, and, astonishingly, in almost a quarter (24%) of reported internal frauds, senior management are the bad guys

Cybercrime has grown up. Cybercriminals are estimated to rake in $1.5 trillion in annual cybercrime-related revenues, which means that detecting and warding off threats has necessarily become a core business issue.

No doubt much to their chagrin, 41% of executives surveyed say they spent at least twice as much on investigations and attack prevention as they lost to cybercrime itself. Because today's bad-guy geeks are as smart — and sometimes smarter — as the companies they attack, the business world is crying out for a new perspective on the diverse reality of cyber threats and related frauds.

Often, the first indication an organization gets that something major is happening is when they detect a cyber-enabled attack, such as phishing, malware, a distributed denial-of-service attack or a traditional brute-force attack. The increasing frequency, sophistication, and lethality of such assaults are prompting firms to seek ways to beat the bad guys at their own game, before they can do any damage. This is smart, but it also leads inevitably to a deeper look at fraud prevention.

Consequences Can Be Devastating
Over a third of all respondents have been targeted by cyberattacks. These attacks can severely disrupt business processes and lead to substantive losses: 24% of respondents who were attacked suffered asset misappropriation, and 21% were digitally extorted. It can be hard for companies to accurately gauge the bottom-line impact of cyberattacks, but 14% of survey respondents who said cybercrime was the most disruptive fraud said they lost over $1 million as a result. One percent lost over $100 million.

Overall, cybercrime was over twice as likely than any other fraud to be named as the most disruptive and serious economic crime expected to impact organizations in the next two years. Twenty-six percent of respondents said a cyberattack in the next two years would be the most disruptive to their business; 12% said they expected bribery and corruption to be most disruptive; while 11% said the same about asset misappropriation. In reality, cyberattacks have become so widespread that measuring their occurrences and effects is becoming less strategically productive than figuring out how the fraudsters did it.

Invest in People, Not Just Machines
To battle cyber threats in a meaningful way, organizations can harness a universe of sophisticated technologies they can use to protect themselves against fraud. These tools — including machine learning, predictive analytics, and other artificial intelligence (AI) techniques — aim to monitor, analyze, learn, and predict human behavior.

Only 14% of organizations are using AI to protect against threats. The majority continue to depend on manual, old-school processes and tools. In turn, 34% of respondents say they thought their organization's use of technology to fight fraud and/or economic crime is creating too many false positives. To minimize the rate, it's critically important to rely on much stronger on analytics and AI.

Besides tech, the human mind is far harder to influence. Research has found that few organizations have fully wrapped all the relevant risks and threats into their digital strategy. The first way to prevent rationalization is to zero in on the climate that rules employee behavior — the organizational culture. Companies should make full use of surveys, focus groups, and in-depth interviews to assess the strengths and weaknesses of that culture. Consistent training is also key. That way, potential weak cultural spots — ones that may lead a disgruntled employee to exact expensive revenge — can be identified.

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6485
PUBLISHED: 2019-02-22
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5...
CVE-2019-9020
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc...
CVE-2019-9021
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file...
CVE-2019-9022
PUBLISHED: 2019-02-22
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parser...
CVE-2019-9023
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcom...