Companies are well aware of the threat of cybercrime from outside of their organisations. IT and counter fraud policies are designed to protect against this threat, for example by not allowing access to company emails on unencrypted devices and through procedures for opening external attachments. A simple phishing email can be a gateway for a coordinated campaign against a business’ IT systems.
However, although businesses are aware of and are tackling the threat of traditional forms of internal fraud, as the workforce becomes more computer literate the risk of internal cyber fraud increases. No one knows the systems better than the employees who use them every day. A recent study conducted by PwC indicated that 50% of people seeking to defraud a company are within its own workforce. This figure has been on the rise for the past few years.
McAfee estimate that cybercrime is worth a staggering $445 billion a year worldwide. The increase in the use of external applications and devices on company networks just further heightens the risk.
Does your business have the proper policies and governance in place to deal with this risk?
Does your business have a policy about the connection of personal devices to work computers?
How will internal cybercrime manifest?
The cult film ‘Office Space’ showed cash diversion in action and cash diversion remains a risk today. It can be complex and premeditated or seemingly random; for example, an employee may find a glitch by accident and see an opportunity.
However, it may not just be cash which is being stolen. In the information age, data is hugely valuable which in turn creates the risk of information theft. If the proper protections are not in place, information theft may not only hurt the business commercially but could put them in the firing line of the Information Commissioner’s Office and the fines that come with it. Could employees be selling information on potential leads to rivals or even selling customer information? Valuable intellectual property is a prime target of information theft.
In addition to addressing the direct losses that stem from such internal security breaches, some forms of damage are more difficult to quantify. System down time can bring businesses to a standstill and management time dealing with a cybercrime attack can equally be costly. Businesses are now so reliant on computer systems that any disruption to them can be very costly. The reputational damage that can also stem from cybercrime can be huge and difficult to remedy.
It can be difficult to pinpoint and target internal cybercrime. It is often sophisticated because the perpetrators know the systems inside and out; they know the system’s vulnerabilities and how to exploit them. On many occasions, businesses spend significant sums on IT security, but failure to train employees to be part of the security process is often where perpetrators can expose weakness.
How you can protect your business
Educating staff about the importance of cyber security is crucial. As well as the how, it is important to talk to them about why it is important. Training on overall good security practice, as well as more targeted job-specific training can be useful.
Businesses should consider who actually requires access to what within their organisation. It will be important to risk assess certain roles in the organisation and tailor internal policies accordingly. Look at all functions of the business. Consider embedding security provision in the supply chain, possibly by making it part of the requirements in tenders. It will also be important to give consideration to less obvious entrances to cybercrime such as personal mobile devices and EPOS systems.
Risk can be mitigated by considering your internal reporting procedure. It is important for all businesses to consider having a procedure for whistleblowing in place, to give employees the confidence to speak up should they see any potential wrongdoing.
We provide expert advice to businesses in relation to fraudulent activity and cybercrime.
We have also just launched a new product, DWF Speak Out, which provides an effective and efficient whistleblowing hotline to help businesses supply their employees, contractors and suppliers with a confidential method of reporting concerns, including fraud and corruption issues and instances of cybercrime.
If you'd like to find out more about how Speak Out could benefit your business and your employees, request a call-back from a member of our team.
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.