ACCA - The global body for professional accountants

Risk and reward


The rise of cybercrime has triggered well-founded fears about the damage it can do to a business, not least its brand, say PwC’s Tony Parton.

From the News International hacking scandal to Wikileaks, from Anonymous to Megaupload, cybercrime is rarely out of the headlines now. While the law struggles to keep pace with technological advances, businesses are finding themselves increasingly exposed to a wide range of different online threats. Furthermore, the cross-jurisdictional nature of cyberattacks often allows criminals to operate with little fear of being traced, caught or prosecuted. With cybercrime quickly developing a reputation as the crime of the 21st century, organisations are increasingly exposed to the risk of falling victim to it.

So what exactly is cybercrime? For the purposes of our 2011 Global Economic Crime Survey, which focused on this threat, we defined cybercrime as: ‘An economic crime committed using computers and the internet. It includes distributing viruses, illegally downloading files, phishing and pharming, and stealing personal information like bank account details. It’s only a cybercrime if a computer, or computers, and the internet play a central role in the crime, and not an incidental one.’

Lacking definition

Although this definition is a fairly standard classification, there is currently no global consensus on how the issue should be defined. This creates a challenge for organisations: if they are unable to determine what qualifies as a cybercrime threat, how can they hope to tackle cybercrime in practice? The term ‘cybercrime’ has been used publicly to refer to a very wide range of threats, ranging from economic crime and espionage, through to ‘hacktivism’, terrorism and even, on a national scale, cyber-warfare.

According to our survey, cybercrime now ranks as one of the top four most prevalent economic crimes in the world. With 23% of our respondents saying their organisation had experienced it in the previous 12 months, it comes in just behind accounting fraud (24%) and bribery/corruption (24%), if a long way short of asset misappropriation (72%). Just 1% of respondents reported experiencing IT/online-related fraud in our last survey in 2009. The surge is attributable to a combination of greater media attention, regulatory focus, the significant rise in the use of technology for business transactions, and advances in technology that have made cybercrime easier to undertake.

And it’s not just the volume of cybercrime incidents that is rising, but also the cost. Reputational damage was cited as the biggest fear for 40% of respondents in our 2011 survey. Risks include the theft of intellectual property, service disruption, the removal of personal information, significant destruction in brand value and loss of market share.

Inside and out

There has been a shift in recent years in where cybercrime threats are seen as coming from. Organisations are beginning to see cybercrime as an internal threat as much as an external one. It is critical that organisations recognise it’s not just the IT function that presents a major risk; HR and legal departments (until recently seen as low-risk areas) as well as finance also hold a great deal of confidential information of great value for cybercriminals.

So what can organisations do to defend themselves against cybercrime?

It is crucial that CEOs and board members become more cyber-savvy. A quarter of the organisations in our survey say there is no regular, formal review of cybercrime threats by the CEO and the board. Here, situational awareness is key – organisations are well placed to respond to the issue only when they understand both the current and emerging cyber environment they operate in.

Organisations should also ensure they have a formal cyber incident response plan in place, with a team trained to react swiftly to any cyber crisis that may arise. As with many types of crime, when a cybercrime occurs, the first few hours are very important. An effective defence strategy should ultimately be led by the CEO and the board, establishing a clear tone from the top and ensuring that cybercrime policies are implemented and enforced consistently across the whole business.

Organisations should look to review their existing IT security functions regularly to ensure they evolve in line with the cyber risk landscape. It is also vital that staff are provided with cybercrime-specific training to raise company-wide awareness of the issue, as well as informing staff of their individual responsibilities in the cybercrime fight.

Finally, by pursuing legal action against known cybercriminals and publicising this process, organisations can send a strong message to the international community that they will do whatever it takes to protect their brand.

The World Economic Forum’s Global Risks 2011 report noted that: ‘Cyber-security issues now top the list of risks to watch, ahead of weapons of mass destruction and resource security.’ What’s more, only 4% of the respondents to our survey reported that they perceived cybercrime risks to be falling.

Not walking the talk

What is worrying, however, is the apparent disconnect between many organisations’ projected intentions, and the reality in terms of their capabilities and controls. Despite high perceptions of the threat that cybercrime poses, three out of five organisations still do not pay attention to social media sites and 40% of respondents admitted that their organisation does not currently have the capability to prevent and detect cybercrime.

As the technological landscape in which we operate continues to change, organisations must remain vigilant in the face of the rising cybercrime threat. Smartphones and tablet devices, social media and cloud computing, all provide a wealth of attractive business solutions and opportunities, but also carry significant risks which organisations cannot afford to ignore. Those that successfully embrace new technologies, while at the same time dealing appropriately with the risks of cybercrime, will be the ones to secure a competitive advantage in today’s technology-driven environment.

Three out of five organisations still do not pay attention to social media sites and 40% do not currently have the capability to prevent and detect cybercrime.

Five ways to protect your organisation:

1          Nurture and share cyber skills internally
2          Reassess your security function’s fitness and readiness
3          Leadership by a cyber-savvy CEO, with a cyber risk-aware culture
4          Set up a cyber incident response team and a crisis response plan
5          Take a strong and transparent legal stance against cybercriminals.

PwC’s Global Economic Crime Survey 2011 was based on 3,877 responses from senior executives and managers in organisations in 78 countries.

Tony Parton is a corporate investigations partner with responsibility for PwC’s forensic services in the UK and emerging markets. He has specialised in civil and criminal financial fraud investigations and as an accounting expert in corporate disputes. He has extensive experience of investigating alleged breaches of anti-corruption laws and regulations.He was assisted in working on this article by Jack Gray, an associate in PwC’s forensic services practice, who has worked on a number of high-profile

Visit PwC’s site to view the global economic crime survey.

This article originally appeared in Accountancy Futures issue 5 2012.

Published: 11 Jan 2013