Cyber: the new face of fraud
As investigators we tend to be very good at keeping up with the latest trends; indeed, many of us remember when credit card fraud and internet scams were new. As with any new fraud scheme, it’s natural for us to adapt accordingly, responding with new controls, monitoring techniques, detection methods and so on.
But how many of us are truly aware of the fraud risks posed by the significant cyber threat? And for those who are, do they have the support of a cyber-savvy organisation and senior management?
The threat from cyber crime has increased dramatically for three important reasons. Firstly, the internet de-risks fraud for the perpetrators – they can be anywhere in the world and can easily mask their identity and location. Secondly, the internet has concentrated the targets. To do business today organisations have to be connected to the internet, thus all targets are conveniently concentrated in one place: cyber space. Thirdly, functional transferrable skills are concentrated and their development is encouraged. As if it wasn’t enough that cyber criminals became organised – hiring technical talent, implementing project management, performing quality reviews and so on – the virtual ethos has been augmented by physical concentrations, so-called “Silicon Valleys” of cyber crime (see “How a Remote Town in Romania Has Become Cybercrime Central”, Wired Magazine, February 2011).
Cyber criminals are operating in a perfect storm of opportunity, and we as fraud professionals need to up our game to meet and exceed their capabilities, skills and motivation.
To do this we need to convince our organisations that cyber crime is not just an IT or information security issue. We need to understand the nature of the threats. Is the greater threat from outside attack or from IT-literate employees stealing intellectual property? Are we more likely to suffer a network breach or be a victim of social engineering? We need to ask and answer these questions, and then achieve a balance of preventive, detective and responsive/investigative efforts.
It’s not easy; we can’t just unplug from the internet or ban the use of new technology. The business needs of the organisation will demand quick adoption of new technology, development of mobile applications, connection of unsecured devices and more. As fraud investigators we need to develop complete awareness of the situation and an unprecedented agility to respond.
The stakes are high. Press reports indicate that data breaches can cost companies hundreds of millions of dollars. The frauds against the European emissions trading registries were worth about €45 million, and that doesn’t include the impact of the spot trading market being shut down for a number of weeks.
Can you remember when it was rare to see headlines about events like these? How many have you seen this week?
To understand how cyber threats have increased in scale and sophistication – and the impact this can have on an organisation – the PwC Fraud Academy is hosting an event on 5 July 2011. Our information security team, cyber crime investigators and external guest speakers will discuss their views on cyber crime, the associated risks and methods for dealing with it.