Is law enforcement capable of dealing with fraud and cybercrime?
In a word, no! It appears that trust in law enforcement to actually do anything is appallingly low, and in the UK it is far below the global average. This cannot have been helped by recent failures of the Serious Fraud Office to win long and costly trials such as the recent Libor cases. Nor will it have been helped by public sentiment that wanted to see bankers tried for their part in the recent global financial crash.
So what are those numbers?
- Just 20% had confidence in UK authorities to deal with economic crime, while 49% said no. Globally those numbers were 28% and 44% respectively.
- Only 12% felt UK authorities were capable of dealing with cybercrime, with 57% saying no. Globally those numbers were 23% and 45% respectively.
Both of these will come as a serious reputational blow to UK authorities such as the Serious Fraud Office and the National Cyber Crime Unit, which is part of the National Crime Agency. They have all had significant budget increases, yet have failed to pursue and successfully bring winnable cases to trial.
So what are companies doing if they don’t trust the relevant authorities? According to PwC, 83% begin with an internal investigation but are also willing to use external auditors, legal advisors and specialist forensic investigators. The problem here is what happens at the end of the investigation. Rather than expose the company to reputational damage, it is likely that many cases just go away as part of a confidential settlement between employer and employee. This means that the employee is free to move from job to job, continuing to commit crimes.
Where does cybercrime fit into all of this?
According to the press release: “The rise of cybercrime is in stark contrast with some of the traditional forms of economic crime, including bribery, asset misappropriation and procurement fraud, which have declined.” As with all cybercrime, the anonymity it affords the attacker and the ease with which cybercriminals are able to attack systems has a lot to do with this shift.
When it comes to placing the blame on what is the cause, PwC states: “The fast take up of cloud-based storage and growing prevalence of the ‘internet of things’ are some of the reasons for this year’s steep increases in cybercrime in the UK, leaving anything connected to the office network now vulnerable to hackers.”
This is a statement that will cause concern among many cloud providers and the wider technology industry. There has been a concerted effort to improve cloud security over the last two years, with increasing amounts of data being encrypted when stored. The problem here is that too few cloud services are purchased through corporate IT. Instead they are purchased by users, and that is where the disconnect between security and enterprise data arises.
Sadly this was not brought out by the report at all. If PwC had looked around it would have discovered that a lot of the underlying security disconnect has been highlighted by companies such as Skyhigh Networks. Earlier this year it reported that of the 16,000 cloud services it had assessed, only 8.1% were enterprise ready when it came to security. With users uploading sensitive data into these services, this is a major concern that breaches compliance rules and is likely to result in large fines when the EU GDPR comes into force.
While the majority of cybersecurity attacks come from outside the organisation, PwC notes that the internal threat has risen 58% in the last year. The biggest threat is phishing, where employees are persuaded to accept malware, and this means there is a need for better education of users: persuading employees not to open files that they don’t recognise. Curiosity killed the cat, and curious users unwittingly enable cybercrime.
Global corporate intelligence leader at PwC, Mark Anderson, commented: “Hackers are now more ambitious than ever. Their aim goes beyond targeting financial information to include a company’s ‘crown jewels’ – customer data and intellectual property information, the loss of which, can bring down an entire business. The threat of cybercrime is now a board level risk issue, but not enough UK companies treat it that way.”
The biggest issue for many organisations continues to be the lack of a cyber attack response plan. This is something that has been highlighted by many companies over the last few years. With the EU GDPR bringing in the need for breach notification, companies need to start building their plans quickly. Plans have to be more than just technical steps and need to take into account the reputational damage of a breach and the need to handle press and public relations.
In the report PwC says that 30% of respondents admitted to having no response plan. While two thirds say this is likely to change, the figure still shows a shocking lack of awareness. It only takes a look at what happened very publicly to TalkTalk to demonstrate just how damaging a poor response plan can be. Failure to inform customers, constantly changing the story and not acting quickly enough are still causing ongoing reputational and fiscal damage to the company months after the attack took place.
This report will be uncomfortable reading for many. While it is littered with sales messages from PwC, there is still a wealth of other information that is interesting. There are also a number of key action points that companies need to take away, not least around process, people and a need to sort out cultural issues.
The fact that fraud is declining everywhere but in the boardroom is not good news for UK businesses, nor is the rise in cybercrime. Perhaps the most surprising statistic is the lack of trust that UK law enforcement is able to deal with any issues arising from fraud or cybercrime. If employees do not think there is any realistic chance of getting caught or prosecuted, it will only embolden those who are tempted to commit crime to do so.