The Epidemic of Cybercrime in Small Businesses
Incidents of fraud and cybercrime against businesses are growing at an alarming rate, seriously jeopardizing the ability of many companies to grow and increase profitability. The problem is particularly serious for small businesses that may lack the resources to deal with cyber-threats and absorb losses from cybercrimes.
According to the 2011 Global Economic Crime Survey released by PricewaterhouseCoopers, nearly half of all surveyed businesses reported suffering some form of fraud in the past year, up 10 percentage points since 2009.
Likewise, the incidence of fraud costing the business in excess of $100,000 has also increased considerably, from 44% in 2009 to 54% in 2011. Approximately 10% of businesses report that fraud has cost their company more than $5 million in the past year.
The survey results also show that after asset misappropriation, cybercrime is the most common form of fraud affecting the business community, with almost one in two (40%) respondents indicating that they believe their companies have been victimized by cybercriminal activity in the past year.
Although 61% of survey respondents indicated heightened awareness about the perceived risk of cyber-attacks in 2011, approximately half indicated that C-suite leadership either never or infrequently (once a year) reviews the organization's cyber fraud prevention strategy. Instead, cyber fraud prevention is conducted on an ad hoc basis, typically in response to an actual attack.
"Clearly, many executives have yet to seize upon the serious nature of the cybercrime threat," adds Didier Lavion, principal in PwC's forensic services practice.
"Cybercrime has emerged as a formidable threat, thanks to deeply determined, highly skilled, and well-organized cybercriminals, from nation states to hacktivists, from criminal gangs to lone-wolf perpetrators. Organizations need to be aware and adjust to this changing landscape."
Last October the Securities and Exchange Commission reacted to the increasing risk to all businesses of cyber-attack by requiring the disclosure of information about such attacks. This is an important step for the SEC. However, requiring the disclosure of hacking is one thing; estimating the potential loss is quite another. Perhaps more important from a financial reporting point of view is risk assessment. Companies should evaluate the risks of a possible attack and disclose them as well, so the public better understands where the vulnerabilities are.
The SEC identifies a variety of cyber-attacks, including gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption. Cyber-attacks may also be carried out in a manner that does not require gaining unauthorized access, such as by causing denial-of-service attacks on websites. Cyber-attacks may be carried out by third parties or insiders using techniques that range from highly sophisticated efforts to electronically circumvent network security or overwhelm websites to more traditional intelligence gathering and social engineering aimed at obtaining information necessary to gain access.
The SEC identifies possible costs of cyber-attacks and other negative consequences:
- Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused.
- Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack.
- Increased cyber-security protection costs may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third-party experts and consultants.
- Lost revenues may result from unauthorized use of proprietary information or the failure to retain or attract customers following an attack.
- Litigation may occur, and the reputation of the business may be damaged in the eyes of investors and customers.
One problem in identifying a cyber-attack on a timely basis is the sophistication of attack methods. It may take months to identify an attack after it happens. The tell-tale signs that many people look for, like advertising pop-ups and slower speeds, are no longer good indications of whether malware has made its way into your computer. According to cyber-security experts, these new methods quietly gather information and wait until an opening in your system occurs to send the information out to potential abusers.
One thing you can do to protect yourself is to turn on your computer’s anti-virus software and make a habit of checking for updates every month or every quarter. Also, make sure your operating system’s firewalls are activated.
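For a small business running Windows, the two steps above (anti-virus on and current, firewall on) can be verified with a short script rather than by clicking through settings. The following is an added example, not part of the original post; it assumes Windows 10/11 or Server 2012 and later with the built-in NetSecurity and Defender PowerShell modules, an elevated session, and a seven-day signature-age threshold chosen here purely for illustration.

```powershell
# Added check (not from the original post): confirm the Windows firewall is enabled on
# every profile and that Defender antivirus is on with recent signatures.
# Assumes Windows 10/11 (or Server 2012+) with the NetSecurity and Defender modules,
# run from an elevated PowerShell session. The 7-day threshold is an assumption.

$MaxSignatureAgeDays = 7
$findings = @()

# 1. Firewall: each profile (Domain, Private, Public) should report Enabled = True.
#    The Enabled property is a GpoBoolean (True / False / NotConfigured), so compare
#    against the string rather than treating it as a plain boolean.
foreach ($fwProfile in Get-NetFirewallProfile) {
    if ($fwProfile.Enabled -ne 'True') {
        $findings += "Firewall profile '$($fwProfile.Name)' is not enabled (state: $($fwProfile.Enabled))"
    }
}

# 2. Antivirus: engine and real-time protection on, signatures not stale.
$av = Get-MpComputerStatus
if (-not $av.AntivirusEnabled) {
    $findings += "Antivirus engine is not enabled"
}
if (-not $av.RealTimeProtectionEnabled) {
    $findings += "Real-time protection is off"
}
if ($av.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += ("Antivirus signatures are {0} days old (last updated {1})" -f
        $av.AntivirusSignatureAge, $av.AntivirusSignatureLastUpdated)
}

# 3. Report. A non-zero exit code lets a scheduled task flag the machine for attention.
if ($findings.Count -eq 0) {
    Write-Output "OK: firewall enabled on all profiles; antivirus on with signatures no older than $MaxSignatureAgeDays days"
    exit 0
}
$findings | ForEach-Object { Write-Output "ATTENTION: $_" }
exit 1
```

Run as a scheduled task, the script turns the "check every month or every quarter" habit into a continuous check: a disabled firewall profile or signatures that have stopped updating show up as an ATTENTION line and a failing exit code rather than going unnoticed until an incident.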
Over 10,000 cyber-attacks happen every single day, targeting both big and small businesses. But small businesses are much more likely to fall victim to an attack than to stop or prevent it. Hackers target small firms because they lack the protection, at least according to the results of Panda Security's fall 2010 survey of data security:
- 36% rely on free consumer antivirus applications.
- 31% have no anti-spam.
- 23% have no anti-spyware.
- 15% have no firewall.
- 13% have no security at all.
There can be no doubt that building adequate cyber-attack defenses is a cost worth incurring because of the potential for damage to one’s business. Small businesses should think of it as a cost of insurance to prevent a greater catastrophe from occurring.
Blog posted by Steven Mintz, aka Ethics Sage, on December 12, 2011