Information theft, loss, or attack was the most prevalent type of fraud experienced in 2017, according to a study by risk consulting firm Kroll.
It was cited by 29% of respondents to a survey of over 500 senior executives worldwide on fraud, cyber and physical security risks, and edged out theft of physical assets or stock, long the most common type of organisational loss, which dropped to second (27%) in terms of frequency this time round. Coming in third was management conflict of interest (26%).
Cyber attacks a key threat to confidential information
Cyber attacks represent one of the most persistent threats to confidential information. The reported level of occurrence for every type of cyber incident included in the survey increased in the last 12 months.
In 2017, a year when major viruses such as WannaCry and Petya hit across the world, nearly four in 10 (36%) executives surveyed said their companies had been impacted by a virus or worm attack, an increase of 3 percentage points year-over-year. One in three (33%) said they had suffered an email-based phishing attack (up 7 percentage points from the last report), 27% had suffered a data breach, and 25% were affected by data deletion. Beyond digital threats, information was highly susceptible to loss through other means: 29% of executives surveyed said equipment with sensitive data was stolen, while 27% said equipment was “lost.”
Physical theft or loss of intellectual property (IP) was by far the most prevalent type of security incident. Of those executives whose company experienced a security incident this past year, 41% said their organisations fell victim to IP theft or loss.
Mr Jason Smonaloff, Senior Managing Director and Global Cyber Security Practice Leader for Kroll, said: “In a digitised world with growing levels of data creation, collection, and reliance for businesses, information assets have become increasingly valuable and exposed to threats. Exacerbating the challenge of safeguarding data is that criminals and other threat actors are continually developing new ways to monetize confidential information, including personal data.
“People instinctively think about data being targeted by cyber attacks, but not all threats to information are confined to the digital realm. There is a convergence between physical and digital threats, with issues arising from equipment with sensitive data being stolen or lost, for example, or employees with access to highly sensitive information accidentally or intentionally causing a breach.”
Fraud, cyber and security risks at all-time high
The Kroll study, the 2017/18 Kroll Annual Global Fraud & Risk Report, generally found that fraud, cyber and security risks are at an all-time high. The proportion of executives reporting that their companies fell victim to at least one instance of fraud over the past 12 months increased to 84%, from 82% in the previous survey. Levels of reported fraud have steadily risen every year since 2012, when the reported occurrence was just 61%.
An even greater percentage of executives surveyed (86%) said their companies had experienced a cyber incident or information theft, loss, or attack over the past 12 months, slightly up from 85% in 2016. Seven in 10 respondents (70%) reported the occurrence of at least one security incident during the past year, compared to 68% in the previous survey.
Respondents were found to experience a heightened sense of vulnerability to fraud, cyber, and security risks, with information-related risks now being the area of greatest concern. As criminals and other threat actors continue to find new ways to monetize confidential data, including personal data, data assets are becoming increasingly valuable and attractive targets.
Nearly all anti-fraud measures mentioned in the survey were widely adopted by over 70% of respondents, with information controls the most widely implemented anti-fraud measure at 78%.
Reflecting the high levels of vulnerability to cyber intrusions reported by respondents, the top three cyber risk mitigation measures that executives expect their companies to implement in the next 12 months all address the problem of intrusions: device-based intrusion detection systems (57%), endpoint threat monitoring tools (55%), and network-based intrusion detection systems (54%).
The study also found that cyber security is rapidly becoming a board governance mandate as the anticipated likelihood of an incident grows, compounded by increasing regulatory pressures and the costly reputational risks associated with data privacy and data loss events.
A large proportion of respondents have adopted security risk mitigation measures. 66% of respondents have a plan for securing intellectual property, with almost a quarter (24%) planning to implement these measures over the next 12 months.
The Kroll survey was conducted online from June to August 2017 with 540 senior executives who hold positions across multiple industries and geographies.