Attacks/Breaches

7/16/2018 10:30 AM
Marc Wilczek
Commentary

Time to Yank Cybercrime into the Light

Too many organizations are still operating blindfolded, research finds.

At a time when the public and governments are watching their every move, today's organizations are up against an unprecedented wave of crime and fraud-related risks that affect their internal and external relationships, regulatory status, and reputation. Unfortunately, not enough companies are truly aware of the fraud threats they face.

According to PricewaterhouseCoopers' 2018 Global Economic Crime and Fraud (GECF) Survey, a poll of some 7,200 respondents across 123 countries, 49% say their companies had been victimized by fraud or economic crime, up from 36% in 2016. This uptick can be attributed to greater global awareness of fraud, more survey responses, and a better understanding of what constitutes "fraud." But every company — no matter how vigilant — can have blind spots.

Some 44% of poll respondents indicate that they intend to increase spending in the next two years. Great — but where? These days, organizations are harnessing some seriously powerful technology and data analytics tools to battle the fraudsters. On top of these tech-based controls, many firms are also expanding whistleblower programs and taking care to keep leadership informed about real and potential breaches.

Despite the increased spending, many organizations are still trying to prevent fraud through a reactive, defensive approach. Only 54% of global organizations indicate that they have completed a general fraud or economic crime risk assessment in the past two years. Fewer than half had conducted a risk assessment of their vulnerability to cybercrime. Even worse, one in 10 performed zero risk assessments in the past two years.

According to PwC's CEO Survey 2018, a majority (59%) of CEOs agree or strongly agree that organizations are feeling more pressure to hold leaders accountable for any misconduct perpetrated on their watch. That may be why some 71% of CEOs measure the levels of trust between their workers and their organization's senior leadership.

The Perpetrators
As highlighted in PwC's GECF report, some 68% of external fraudsters are agents, vendors, shared service providers, and customers. Troublingly, 52% of all frauds are committed by people inside the organization, and, astonishingly, in almost a quarter (24%) of reported internal frauds, senior management are the bad guys.

Cybercrime has grown up. Cybercriminals are estimated to rake in $1.5 trillion in annual cybercrime-related revenues, which means that detecting and warding off threats has necessarily become a core business issue.

No doubt much to their chagrin, 41% of executives surveyed say they spent at least twice as much on investigations and attack prevention as they lost to cybercrime itself. Because today's bad-guy geeks are as smart as — and sometimes smarter than — the companies they attack, the business world is crying out for a new perspective on the diverse reality of cyber threats and related frauds.

Often, the first indication an organization gets that something major is happening is when it detects a cyber-enabled attack, such as phishing, malware, a distributed denial-of-service attack, or a traditional brute-force attack. The increasing frequency, sophistication, and lethality of such assaults are prompting firms to seek ways to beat the bad guys at their own game, before they can do any damage. This is smart, but it also leads inevitably to a deeper look at fraud prevention.

Consequences Can Be Devastating
Over a third of all respondents have been targeted by cyberattacks. These attacks can severely disrupt business processes and lead to substantial losses: 24% of respondents who were attacked suffered asset misappropriation, and 21% were digitally extorted. It can be hard for companies to accurately gauge the bottom-line impact of cyberattacks, but 14% of survey respondents who said cybercrime was the most disruptive fraud said they lost over $1 million as a result. One percent lost over $100 million.

Overall, cybercrime was over twice as likely as any other fraud to be named the most disruptive and serious economic crime expected to impact organizations in the next two years. Twenty-six percent of respondents said a cyberattack in the next two years would be the most disruptive to their business; 12% said they expected bribery and corruption to be most disruptive; while 11% said the same about asset misappropriation. In reality, cyberattacks have become so widespread that measuring their occurrences and effects is becoming less strategically productive than figuring out how the fraudsters did it.

Invest in People, Not Just Machines
To battle cyber threats in a meaningful way, organizations can harness a universe of sophisticated technologies they can use to protect themselves against fraud. These tools — including machine learning, predictive analytics, and other artificial intelligence (AI) techniques — aim to monitor, analyze, learn, and predict human behavior.

Only 14% of organizations are using AI to protect against threats. The majority continue to depend on manual, old-school processes and tools. In turn, 34% of respondents say they think their organization's use of technology to fight fraud and/or economic crime is creating too many false positives. To minimize that rate, it's critically important to rely much more heavily on analytics and AI.

Beyond technology, there is the human mind, which is far harder to influence. Research has found that few organizations have fully wrapped all the relevant risks and threats into their digital strategy. The first way to prevent employees from rationalizing fraud is to zero in on the climate that rules employee behavior — the organizational culture. Companies should make full use of surveys, focus groups, and in-depth interviews to assess the strengths and weaknesses of that culture. Consistent training is also key. That way, potential weak cultural spots — ones that may lead a disgruntled employee to exact expensive revenge — can be identified.


Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...