Dark Reading | Attacks/Breaches | Commentary
7/16/2018 10:30 AM
Marc Wilczek

Time to Yank Cybercrime into the Light

Too many organizations are still operating blindfolded, research finds.

At a time when the public and governments are watching their every move, today's organizations are up against an unprecedented wave of crime and fraud-related risks that affect their internal and external relationships, regulatory status, and reputation. Unfortunately, not enough companies are truly aware of the fraud threats they face.

According to PricewaterhouseCoopers' 2018 Global Economic Crime and Fraud (GECF) Survey, a poll of some 7,200 respondents across 123 countries, 49% say their companies had been victimized by fraud or economic crime, up from 36% in 2016. This uptick can be attributed to greater global awareness of fraud, more survey responses, and a better understanding of what constitutes "fraud." But every company — no matter how vigilant — can have blind spots.

Some 44% of poll respondents indicate that they intend to increase spending in the next two years. Great — but where? These days, organizations are harnessing some seriously powerful technology and data analytics tools to battle the fraudsters. On top of these tech-based controls, many firms are also expanding whistleblower programs and taking care to keep leadership informed about real and potential breaches.

Despite the increased spending, many organizations are still trying to prevent fraud through a reactive, defensive approach. Only 54% of global organizations indicate that they have completed a general fraud or economic crime risk assessment in the past two years. Fewer than half had conducted a risk assessment of their vulnerability to cybercrime. Even worse, one in 10 performed zero risk assessments in the past two years.

According to PwC's CEO Survey 2018, a majority (59%) of CEOs agree or strongly agree that organizations are feeling more pressure to hold leaders accountable for any misconduct perpetrated on their watch. That may be why some 71% of CEOs measure the levels of trust between their workers and their organization's senior leadership.

The Perpetrators
As highlighted in PwC's GECF report, some 68% of external fraudsters are agents, vendors, shared service providers, and customers. Troublingly, 52% of all frauds are committed by people inside the organization, and, astonishingly, in almost a quarter (24%) of reported internal frauds, senior management are the bad guys.

Cybercrime has grown up. Cybercriminals are estimated to rake in $1.5 trillion in annual cybercrime-related revenues, which means that detecting and warding off threats has necessarily become a core business issue.

No doubt much to their chagrin, 41% of executives surveyed say they spent at least twice as much on investigations and attack prevention as they lost to cybercrime itself. Because today's bad-guy geeks are as smart as — and sometimes smarter than — the companies they attack, the business world is crying out for a new perspective on the diverse reality of cyber threats and related frauds.

Often, the first indication an organization gets that something major is happening is when it detects a cyber-enabled attack, such as phishing, malware, a distributed denial-of-service attack, or a traditional brute-force attack. The increasing frequency, sophistication, and lethality of such assaults are prompting firms to seek ways to beat the bad guys at their own game, before they can do any damage. This is smart, but it also leads inevitably to a deeper look at fraud prevention.

Consequences Can Be Devastating
Over a third of all respondents have been targeted by cyberattacks. These attacks can severely disrupt business processes and lead to substantive losses: 24% of respondents who were attacked suffered asset misappropriation, and 21% were digitally extorted. It can be hard for companies to accurately gauge the bottom-line impact of cyberattacks, but 14% of survey respondents who said cybercrime was the most disruptive fraud said they lost over $1 million as a result. One percent lost over $100 million.

Overall, cybercrime was more than twice as likely as any other fraud to be named the most disruptive and serious economic crime expected to impact organizations in the next two years. Twenty-six percent of respondents said a cyberattack in the next two years would be the most disruptive to their business; 12% said they expected bribery and corruption to be most disruptive; and 11% said the same about asset misappropriation. In reality, cyberattacks have become so widespread that measuring their occurrences and effects is becoming less strategically productive than figuring out how the fraudsters did it.

Invest in People, Not Just Machines
To battle cyber threats in a meaningful way, organizations can harness a universe of sophisticated technologies to protect themselves against fraud. These tools — including machine learning, predictive analytics, and other artificial intelligence (AI) techniques — aim to monitor, analyze, learn, and predict human behavior.

Only 14% of organizations are using AI to protect against threats. The majority continue to depend on manual, old-school processes and tools. In turn, 34% of respondents say they think their organization's use of technology to fight fraud and/or economic crime is creating too many false positives. To reduce that rate, it is critically important to rely much more heavily on analytics and AI.

Technology aside, the human mind is far harder to influence. Research has found that few organizations have fully wrapped all the relevant risks and threats into their digital strategy. The first way to prevent rationalization is to zero in on the climate that rules employee behavior — the organizational culture. Companies should make full use of surveys, focus groups, and in-depth interviews to assess the strengths and weaknesses of that culture. Consistent training is also key. That way, potential weak cultural spots — ones that may lead a disgruntled employee to exact expensive revenge — can be identified.


Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...