Global Economic Crime Survey — How cybercrime impacts business
Release date: July 5, 2012
Host: Alana Detenbeck
Guests: Sarah MacGregor, Krista Mooney
Running time: 16:27 minutes
In this episode of Strategy Talks, Sarah MacGregor and Krista Mooney discuss PwC’s Global Economic Crime Survey and what organizations can do to detect and prevent cybercrime.
Voiceover: Welcome to Strategy Talks, the business podcast series from PwC Canada. This interview series featuring new topics and guests every episode is designed to give you valuable insight into some of today’s hottest issues affecting your business.
Alana: Our world relies increasingly on the internet and connected technologies, yet according to PwC’s Global Economic Crime Survey, the threat of cybercrime is growing. Welcome to Strategy Talks I am Alana Detenbeck your host for today’s episode. With me today to discuss how cybercrime impacts businesses and other key findings of our survey are two senior practitioners from PwC’s Forensic Services group, Sarah MacGregor and Krista Mooney.
Thanks for joining me today Sarah and Krista. Sarah could you maybe give us a bit of background about the nature of the survey and what it contains?
Sarah: Sure thanks Alana. PwC publishes its Global Economic Crime Survey every two years and our 6th and most recent survey was released this past November. Our survey complied responses from nearly 4,000 people across 78 different countries in order to provide a global perspective on economic crime. Respondents to the survey were primarily senior executives from both public and private companies of varying sizes. This recent survey turns the spotlight on the growing threat of cybercrime. With an increasing reliance on technology, companies are potentially opening themselves to attacks from criminals anywhere in the world. Our survey looks at the significance and the impact of cybercrime and how it affects businesses worldwide.
Alana: So let’s first discuss cybercrime. Krista maybe you could run us through on what cybercrime is and how common it is.
Krista: Sure...cybercrime is really just another form of economic crime, the key differentiator being that it is a crime committed using the computers and the Internet. So cybercrime would include such things as distributing viruses, illegally downloading files and hacking into another computers to obtain user names, passwords and potentially other types of confidential information. So is cybercrime becoming more popular?... most definitely, the results of our survey have cybercrime ranked as one of the top four economic crimes and we think there are a number of reasons for this. The first being that there has been increased focus in the media and from regulators on cybercrime cases. This is likely led to heighten awareness of this type of economic crime and has resulted in organizations putting additional controls in place to detect cybercrime and of course advancements in technology have likely made it easier to commit cybercrime. Cybercrime is certainly an interesting area of focus that many companies should watch closely over the coming weeks and months.
Alana: So Sarah where does the threat of cybercrime come from? Are there any countries in particular that we should be on the lookout for?
Sarah: Well, the majority of Canadian survey respondents, felt that the greatest threat to their organization, was cybercrime committed by someone external to the organization and of these respondents, most felt that the threats came somewhat equally from both within and outside their own country. The top five countries (in no particular order) that were reported globally as being the most likely origins for perpetrating cybercrimes were Hong Kong and China, India, Nigeria, Russia and the USA. This really highlights for us the global nature of cybercrime and the fact that traditional geographic boarders won’t necessarily provide protection to Canadian companies. Some respondents felt that the threat of cybercrime came from within their organization and of those respondents, most felt that the information technology department posed the greatest risks, which isn’t surprising when we stand back and think about it because we would expect IT personnel to have the necessary skills and opportunity to commit cybercrime. Now clearly, cybercrime can come from internal or external, domestic or global sources. So companies need to be diligent in assessing their risks and being prepared.
Alana: Krista what can an organization do to reduce their risks of being a victim of this type of cybercrime?
Krista: In our experience there is considerable room for improvement in terms of responding to the risks of cybercrime. Forty-nine percent of our Canadian survey respondents indicated that they had not received cybercrime awareness training over the past 12 months, so that’s certainly concerning to us. As a starting point, it is important for organizations to implement a cyber crisis response plan, so they can appropriately and quickly respond in a crisis situation. It’s also important for CIOs and CEOs of organizations to really have a clear understanding of the cybercrime environment including the risks and opportunities it presents to employees and those external to the organization. Training employees regarding cybercrime and such things as appropriate internet usage is really important as well. In our experience, this training is much more effective if it takes place face to face through presentations, team meetings and workshops as opposed to e-mail announcements, e-learns and posters. In-person training where all employees come together really demonstrates an organizations’ commitment to inappropriate behaviour such as cybercrime. So, in summary, there are a variety of different mechanisms that organizations can employ to reduce the risk of cybercrime and it really does start with tone at the top.
Alana: Excellent. Now if we look at more general economic crimes — are Canadians experiencing more or less economic crimes today than they have in the past?
Krista: Interesting question Alana. The results this year showed that the 32% of our Canadian survey respondents reported being victims of economic crime in the past 12 months. While this does represent a decline from our 2009 survey, these results are fairly consistent with those globally. We found it interesting that although Canada has historically reported higher instances of economic crime than our global counterparts, our 2011 survey really showed that now we are reporting fewer. And we think that there are likely a few reasons for this: for one, Canadian organizations maybe more diligent in terms of implementing robust anti-fraud regimes causing an increased awareness of fraud and a decrease in the perceived opportunities to commit fraud. In addition, the Canadian economy has generally been stronger than that of our global counterparts resulting in an environment with less visibility to fraud which normally arises during periods of economic down turn and turmoil. And lastly, perhaps more sophisticated frauds, such as cybercrime are being committed which are inherently more difficult to detect and therefore report than other types of economic crime.
Alana: So which industries are more susceptible to fraud, which ones need to be on their guard?
Sarah: Well Alana, our survey shows that truly no industry is immune to fraud and economic crime; it’s prevalent across all industries and all sectors globally. Consistent with results in our prior year’s surveys, we found the reported incidents of fraud remained highest in the communications and insurance sectors. However, fraud in the government sector has also increased by 9% since 2009, which is a new trend immerging. Our survey has found typically the highly regulated industries such as financial services typically report more economic crime because their systems requires greater transparency, thereby increasing the likelihood of detecting fraud. It’s important to understand in the context of our survey, that these are just the reported instances of fraud, there may be a reluctance in certain industries to report fraud; certainly some industries over others.
Alana: What exactly is economic crime and what are the most common types experienced by companies?
Krista: For purposes of our survey, economic crime is defined as the intentional use of deceit to deprive another of money, property or a legal right, and the key word here is “intentional” of course, for there to be fraud there needs to be some element of intent. The most common type of fraud encountered by organizations surveyed was “asset misappropriation”, which is basically the theft of physical assets such as equipment or supplies or monetary assets such as cash. And one factor that makes asset misappropriation more common than other types of fraud is the fact that it’s relatively unsophisticated; meaning that it essentially can be perpetrated by any level of authority in an organization. In our experience a common fraud that we’ve seen in this area involves setting up fictitious vendors where the perpetrator ultimately diverts funds to himself or herself. And sometimes this type of fraud can involve collusion amongst various individuals within an organization, particularly when there are a number of controls in place that need to be circumvented in order for the fraud to be perpetrated. Accounting fraud was another common fraud type of economic crime cited by survey respondents, and this really involves accounting manipulations, fraudulent borrowing, fraudulent applications for credit, or processing unauthorized transactions or journal entries. So basically anything that has an impact on the financial statements or disclosures could be considered accounting fraud.
Bribery and corruption is another type of economic crime experienced by survey respondents, and this type of economic crime has received increased scrutiny of late, given the focus by regulators and law enforcement on companies doing business in emerging markets or foreign derestriction. And we found in our experience, that bribery and corruption often occurs in developing countries where there tends to be a weaker anti-fraud regime in place thereby allowing this type of fraud to be executed or perpetrated. So in summary, asset misappropriation, accounting fraud, bribery and corruption and of course cybercrime were the most common types of economic crime cited by survey respondents. These types of economic crimes being reported are fairly consistent with our prior survey results as well.
Alana: Sarah could you maybe take us through what the impact of a fraud on a company is?
Sarah: Sure…Fraud truly has a significant impact on companies, both with respect to direct financial losses and also with respect to related collateral damage that it may experience. Globally our survey found that almost one in 10 respondents reported losses of more than US$5 million.
Sarah: In addition to the direct financial loss associated with bribery and corruption in particular was much higher, with almost one in five respondents suffering losses of more than US$5 million. Interestingly about 13% of our global survey respondents indicated that in the last 12 months, their organization chose not to enter a new market or declined to pursue a new business opportunity due to the risk of corruption and bribery. This may speak to the greater awareness amongst organizations of foreign corruption and the impact that the corruption can have on the organization’s reputation and plans for expansion. In addition to these financial losses, respondents noted collateral damage including such things as a negative impact to their employee morale, business relations or their brand and reputation. Organizations should not under estimate the impact of fraud and the continuing effects it can have on their business.
Alana: Who are the types of people that we should be on the lookout for with respect to fraud?
Krista: The majority of our survey respondents who are victims of economic crime in the last 12 months indicated that the fraud was perpetrated by someone internal to the organization, so an employee. This certainly does represent a shift from our prior survey results which found that the typical fraudster was someone external to the organization. We think this drives home the increase need for organizations to improve internal controls to ensure that economic crime is detected and highlights the need for strong tone at the top and communication that this behaviour is simply not acceptable.
Always interesting, of course, is the typical profile of a fraudster, and no Alana, it wouldn’t be you. Our survey showed that the typical fraudster is someone who is male between the ages of 31and 40 and employed by their company between three and five years. The majority of fraudsters we found were junior staff or middle management. While the survey showed that less fraud is being committed by senior management, any fraud at this level really is concerning to us given the fact that it tends to be more sophisticated and of larger dollar amounts. I think Sarah and I would both say that in our experience while the typical profile of a fraudster certainly rings true, we’ve seen many instances of female fraudsters; especially those with gambling problems. And often the intention amongst these fraudsters is to pay back the money that they stole. However, one thing leads to another and until eventually the fraudulent scheme can no longer be covered and it ultimately gets detected. So while the typical fraudster profile may be that of a male, many females are also key players in the fraud world.
Alana: What happens to these men and women after the crime is detected?
Krista: The most common action, (as you would expect when fraud is detected) is for dismissal of the employee, followed by involving law enforcement and taking civil action against the fraudster to potentially recover funds that were misappropriated. Interestingly enough, 4% or our survey respondents did nothing. In our experience, while fraud is certainly devastating to an organization, at the same time it presents a real opportunity for the organization to react and demonstrate to its employees that this type of behaviour will not be tolerated. Employees are really watching when these types of events take place and often the company’s response will go a long way towards preventing future occurrences. The key is demonstrating strong tone at the top and zero tolerance for this type of behaviour at any level within the organization whether it be the CEO or a more junior employee.
Alana: Sarah may be you can let us know, how are frauds detected and what can companies do to prevent fraud?
Sarah: Our survey found that the most common detection method was the use of what is referred to as suspicious transaction reporting. What that includes is different electronic techniques such as data analytics which will detect irregularities or anomalies in data and transactions. In addition to suspicious transactions reporting, frauds were also detected commonly by internal audits, by tip offs whether internal or external to the organization, use of fraud risk management programs and even by accident.
We truly believe that a corporate culture showing the importance of integrity and where senior management is seen as walking the talk and a company having a well communicated comprehensive anti-fraud regime is less likely to be victimized by economic crime. Ways that an organization can protect itself against economic crime include: One, first know who you are dealing with , whether it’s your staff, your suppliers, your partners, your agents, It’s important to do appropriate diligence to ensure you are working with trusted individuals and companies. Secondly, we would recommend aligning your information technology, your internal audit and the board in the company’s fight against economic crime. Each of these, respective areas can bring their expertise and experience to the table to ensure that the company considers all relevant fraud risks and takes the necessary steps to mitigate any losses. Last but not least, we recommend conducting regular fraud risk assessments.
Our survey found a clear correlation between companies that conduct a fraud risk assessment and how many frauds are reported, in other words if you look for fraud you are more likely to find it. Clearly our survey shows that fraud remains a challenge for all organizations and new types of frauds such as cybercrime are continuing to immerge. To effectively fight economic crime, companies must be aware of these changes and adapt their detection methods and responses.
Alana: Thank you Krista and Sarah for your time. Once again this is Strategy Talks and I’m your host Alana Detenbeck. Also, if you’d like to get more information or to download a copy of the Global Economic Crime Survey for 2011, please visit the website at www.pwc.com/ca/crimesurvey.
Voiceover: This concludes this episode of Strategy Talks. Thank you for listening, we hope you’ll join us again soon for another episode. To download or subscribe to this podcast series or to find more information, please visit pwc.com/ca/strategytalks.
The information in this podcast is provided with the understanding that the authors and publishers are not herein engaged in rendering legal accounting, tax or other professional advice or services. The audience should discuss with their professional advisors how the information may apply to their specific situation.
Copyright 2012 PricewaterhouseCoopers LLP. All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, an Ontario Limited Liability Partnership or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity.