The reality in 2016 is that like every other aspect of commerce, economic crime has, to some extent, gone digital. In a hyper-connected business ecosystem that frequently straddles jurisdictions, a breach in any node of that system – including third parties such as service providers, business partners or government authorities – can compromise the organisation’s digital landscape in a variety of ways. What’s more, cyber risk now encompasses more than our traditional view of computers: we’ve observed a sharp increase in attack activity involving the so-called Internet of Things, including cars and household devices.
Here’s the digital paradox: organisations today are able to cover more ground, more quickly, than ever before – thanks to new digital connections, tools and platforms which can connect them in real time with customers, suppliers and partners. Yet at the same time cybercrime has become a powerful countervailing force that’s limiting that potential.
This year’s global economic crime survey points to the disquieting fact that too many organisations are leaving first response to their IT teams without adequate intervention or support from senior management and other key players. What’s more, the composition of these response teams is often fundamentally flawed, which ultimately affects the handling of breaches.
From our firm-wide work on digital strategy and execution with thousands of companies globally, we’ve identified practices that distinguish leaders in the digital age. Chief among these is a proactive stance when it comes to cybersecurity and privacy. This necessitates that everyone in the organisation – from the board and C-suite to middle management and hourly workers – sees it as their responsibility.
The incidence of reported cybercrime among our respondents is sharply higher this year, jumping from 4th to 2nd place among the most-reported types of economic crime. Notably, it was the only economic crime to have registered an increase in that category. Over a quarter of respondents told us they’d been affected by cybercrime. Ominously, another 18% said they didn’t know whether they had or not.
Losses can be heavy. A handful of respondents (approximately 50 organisations) said they had suffered losses over $5 million; of these, nearly a third reported cybercrime-related losses in excess of $100 million.
Among survey respondents, reputational damage was considered the most damaging impact of a cyber breach – followed closely by legal, investment and /or enforcement costs. The insidious nature of this threat is such that of the 56% who say they are not victims, many have likely been compromised without knowing it. A concerning trend we have observed is that of hackers managing to remain on organisations’ networks for extended periods of time without being detected.
Responsibility for redressing cyber vulnerabilities starts at the top. Yet our survey suggests that many boards are not sufficiently proactive regarding cyber threats, and generally do not understand their organisation’s digital footprint well enough to properly assess the risks, despite the fact that in several countries boards have a fiduciary responsibility to shareholders when it comes to cyber risk (for example, the U.S. Securities and Exchange Commission has issued a warning that future examinations will consider a company’s cyber response capabilities1). Astoundingly, less than half of board members actually request information about their organisation’s state of cyber-readiness.
Only 37% of respondents – most of them in the heavily regulated financial services industry – have a fully operational incident response plan. Three in ten have no plan at all, and of these, nearly half don’t think they need one.
Should a cyber crisis arrive, only four in ten companies have personnel that are “fully trained” to act as first responders, of which the overwhelming majority (73%) are IT security staff.