PwC: Why you should incorporate cybercrime into your risk assessments
Worldwide, digital technology continues to transform and disrupt the world of business, exposing organisations to a multitude of opportunities and threats. Therefore, it is hardly surprising that cybercrime continues to rise rapidly, ranking as the second-most reported crime in this year’s PwC Global Economic Crime Survey and taking fourth place from a South African perspective.
Businesses' rapid adoption of cloud-based systems to store information, together with the growing use of the 'internet of things', where everyday objects are connected to the internet, leaves them particularly vulnerable to cyberattacks. The rise in cybercrime has caught many businesses off guard, with no plans in place to fend off online fraud.
Most organisations are still not adequately prepared for the risks they face, or do not even understand them: only 35 percent of South African organisations report having a fully operational cyber incident response plan in place.
The 2016 Global Economic Crime Survey interviewed 6,337 participants in 115 countries. In South Africa, 232 organisations from a broad spectrum of industries took part in the survey.
The incidence of reported cybercrime among our respondents is substantially higher this year, with a 23 percent increase reported from the previous survey conducted in 2014. So although cybercrime in the South African context has shifted two places from sixth to fourth position, it is the percentage increase that is more alarming. A third of respondents said they had been affected by cybercrime. Another 16 percent said they didn’t know whether they had or had not been victims of cybercrime.
In terms of financial losses, at least 27 percent of respondents who have experienced cybercrime had losses between $1 and $50,000 while 3 percent had experienced losses greater than $100 million. It is concerning to note that 14 percent of respondents don’t know or were unable to quantify financial losses even though they had been victims of cybercrime.
South African businesses considered financial losses to be the most damaging impact of a cyber breach, followed closely by legal implications and reputational damage. This differed from the global perspective, where reputational, legal and regulatory impacts were considered to be the most significant.
Over the last few years, cybercrime has evolved to a point where it can be classified into two categories: firstly, the kind that steals money or monetisable data and bruises reputations; and secondly, the kind that steals IP and lays waste to an entire business. The latter are usually classified as transfer-of-wealth attacks.
Although the long-term damage to organisations and the economy is far-reaching and far higher for transfer-of-wealth attacks, the damage arising from the theft of credit card details or personally identifiable information can also be severe. This comes in the wake of the promulgation of privacy legislation such as the Protection of Personal Information (PoPI) Act and the impending Cybercrimes and Cybersecurity Bill. South African organisations will increasingly find themselves having to deal with regulators and other authorities in the event of an incident.
According to the survey findings, almost three quarters of organisations (69 percent, a 15 percent increase on 2014) see an increased risk of cyber threats. A disparity was noted between the responses of CEOs and CFOs: 83 percent of Chief Executive Officers, but only 57 percent of Chief Financial Officers, see an increased risk of cyber threats.
Responsibility for redressing cyber vulnerabilities requires input from the board to ensure risks are properly identified and addressed. However, the survey suggests that many boards are still not sufficiently proactive regarding cyber threats, and many do not understand their organisation’s digital policies well enough to assess the risks. Only 48 percent of boards are requesting information around cyber-readiness locally; this is slightly higher than the global average of 43 percent. Only 35 percent of respondents have a fully operational incident response plan; 13 percent don’t know if they have one; and 12 percent do not have one, nor do they intend to implement one.
Should a cyber crisis arise, only 34 percent of organisations have personnel who are ‘fully trained’ to act as first responders, and 20 percent of organisations indicate that they will make use of outsourced personnel. Through the investigations we have conducted, we often find that organisations that make use of outsourced digital forensics providers only start procuring services once an incident occurs – and delays in the procurement process often result in a time lag during which critical evidence is lost or damaged.
On a closer study of incident response teams, we noted that teams are still weighted towards having more IT security personnel (73 percent) and IT staff (62 percent), while only 28 percent of organisations include digital forensic specialists.
Although organisations have made significant strides since 2014, particularly in their sophistication and preparation around cyber-attacks, most are still not adequately prepared to understand the risks they face or to manage incidents effectively. It is critical that companies incorporate cybercrime into their risk management assessments. Organisations need to understand and plan for cyber threats in the same way as any other potential business threat. This includes drafting a response plan, as well as monitoring and scenario planning.