While corporate fraud is reported to be rising globally, with asset misappropriation still the most common type, cybercrime is seen shooting up the charts, especially in the United States, according to the just-released 2011 Global Economic Crime Survey conducted by PwC.
Of the 3,877 executives at organizations in 78 countries responding to the survey, 34% said they had experienced economic crime in the last 12 months, up from 30% in 2009. In the U.S., 45% said their company had experienced fraud, compared to 35% in 2009, and 40% of those said that they had been affected by cybercrime. In 2009, cybercrime was hardly on the radar, said speakers at the PwC media lunch held on Tuesday to introduce the U.S. supplement to the global report.
Companies have become more sophisticated and savvy at internal controls, preventing fraud and conducting risk assessments, so they are more likely to recognize fraud and report it now, says Didier Lavion, principal of PwC’s forensic services practice.
“The cost of fraud is not just in dollars lost,” Lavion says. Launching an investigation and repairing customer loyalty, shareholder trust and brand damage means that a $5 million fraud can require $25 million in replacement revenue to fix, assuming a 20% profit margin, according to the the report.
Meanwhile, cybercrime has shifted from the high school solo hackers of the 1980s to attacks launched by groups of hacktivists, such as Anonymous, organized criminals and nation states, Lavion says. In the U.S., 42% of respondents said cybercrime is the fraud they're most likely to experience 2011, as compared to 26% of global executives who picked it.
Corporate leaders are just beginning to catch on, though, according to the survey: 15% of respondents said C-suite executives review cybercrime risks only once a year, while 33% said they never review the risk, or do so only sporadically.
Many companies have a long way to go in preventing cybercrime, says Kimberly Kiefer Peretti, a director in PwC’s forensic services practice based in Washington, D.C., and a former senior litigator for the Justice Department's Computer Crime and Intellectual Property Section.
“Advanced hackers often find it easy to get in and move around the systems,” she says.
Companies need to take a risk-based approach to cybercrime rather than a compliance-based one, Peretti adds. “No one is monitoring what goes out of a company,” she says. “You could have massive data files sent out on the CFO’s computer.”
For a look at what companies should do to prevent cybercrimes, see Unprepared for Hackers.