As International Fraud Awareness Week approaches, it’s fair to ask, “Why aren’t business leaders making cyber risk management a higher priority?”
A recent Business Barometer survey found that “Fear of cybersecurity breaches seems to be eclipsing any efforts to address them,” and identified these concerns among financial decision-makers:
- External cyber fraud, cited by 56% in 2016, up from 37%;
- Internal payment fraud, cited by 31%; and
- Not knowing whether they had been affected by fraud at all, cited by 60%.
In the last 12-18 months, the character of cyber breaches has shifted heavily toward fraudulent activity such as phishing and ransomware. The statistics have changed: failures of technology have long since been eclipsed by failures of people, policies, and processes. The rate and severity of attacks on highly visible organizations like Equifax, Yahoo, the SEC, and Deloitte continue to increase with no end in sight. As International Fraud Awareness Week approaches, it seems fair to ask, “Why aren’t business leaders making cyber risk management a higher priority in their organization?”
Fraud professionals should have a handle on the greatest threats to their organizations. A worldwide survey by the Association of Certified Fraud Examiners (ACFE) revealed the top areas of concern for anti-fraud professionals.
“If fraud attacks are the flu, then the Equifax data breach was a raging fever: a symptom (albeit a dramatic one) of a larger illness that will almost inevitably infect any organization that hasn’t had its shots.”
As James Richardson recently wrote, “Boards have shown a marked disinterest in getting involved with issues surrounding cybersecurity and financial fraud threats, generally leaving it as an issue for IT, Finance or Audit departments to wrestle with. It’s an unfortunate case of misdirected priorities, especially when Gartner’s Report, which looks at fraud’s functional detection and protection architecture, stresses quite the opposite, stating that ‘one of the biggest assists an organization can unwittingly provide a fraudster gang is to fail to align and engage across all channels.’”
Breaches with ever-increasing impact are rapidly changing the attitudes of board members and the C-suite. Prime examples include disclosures that 3 billion Yahoo! accounts were hacked; that the SEC was breached; that Deloitte, a leading cybersecurity services vendor, had been hacked; and that Equifax exposed information from virtually every household in the U.S. If this heightened awareness fails to produce widespread cyber risk mitigation efforts, expect coercive measures to emerge in the form of government regulation.
“…despite headlines featuring Equifax, Sonic, Deloitte and Whole Foods – and cybersecurity companies consistently preaching that attacks are not a matter of ‘if’ but ‘when’ – many organizations are still not taking fraud prevention seriously. Instead, they’re simply crossing their fingers and hoping they won’t get hit, while at the same time surrendering to the notion that if it will happen eventually, why fight it?”
Each year, the ACFE runs a worldwide study of fraud, and the 2016 study uncovered these 10 interesting facts about business fraud:
- Year after year, organizations worldwide consistently lose 5% of their topline revenue to fraud.
- The 2016 total loss is estimated to be $6.3 billion, with an average case loss of $2.7 million, a median loss of $150,000, and 23% of cases involving losses of $1 million or more.
- The median duration of a loss was 18 months; schemes that lasted five years or more caused a median loss of $850,000.
- The most common fraud detection method is tips; companies with hotlines are almost twice as likely to detect fraud.
- Surprisingly, the median loss incurred by small organizations was the same as for the largest organizations, but the impact on small organizations was, of course, much greater.
- The types of fraud differ by organization size; large organizations have more corruption, while smaller ones suffer more larceny (e.g., skimming, payroll, check tampering).
- The most highly represented verticals were banking/financial services, government, and manufacturing.
- The most common anti-fraud measures were external financial audits.
- The most common weaknesses contributing to fraud were a lack of internal controls and an ability to override existing controls.
- Three-fourths of fraud incidents were perpetrated by people in seven departments: accounting, operations, sales, executive/upper management, customer service, purchasing, and finance.
“…security and potential payment fraud is often overshadowed by other concerns that more directly impact a company’s ability to achieve strategic objectives. When you add this lack of top-level support to a backdrop that includes a historic lack of funding for such initiatives, it’s not much of a surprise that companies haven’t made much headway in effectively battling cybersecurity and financial fraud threats.”
ITProPortal, Nov. 6, 2017
Top Three Ways to Prevent Fraud
Clearly, the majority of fraud incidents are spread across the entire organization. Where should someone concerned about fraud begin? We can suggest three broad areas that must be addressed.
- Institutionalize Policies from the Top Down
To make headway requires a strong commitment from the top down. Paying lip service without being willing to invest any resources is worthless. Gaps that represent weak areas must be identified and addressed with comprehensible policies. The key success factors in fighting fraud are security, resources, and convenience; effective policies must balance them.
- Create a Security-Conscious Culture
Once the board and C-suite communicate that the organization is taking action, responsibility must be allotted to a broad base of people. Fraud and cybersecurity are not just the purview of a few specific people. A “fraud-conscious culture” requires participation across the entire organization, including accounting, operations, sales, executive/upper management, customer service, purchasing, and finance, as well as IT and security. Training people to recognize unusual activity and report it immediately is critical to creating this culture and consciousness.
- Implement Effective Processes
Having the right backing and policies in place and creating a culture that takes fraud into account are prerequisites for success, but they are pointless unless effective processes are incorporated into the operational fabric of the organization. Based on knowledge of how the organization operates, design processes that allow adequate freedom to achieve the desired results, but lock down key resources and establish checkpoints that can clearly reveal anomalous behavior.
International Fraud Awareness Week needs all of us to elevate our game. Fraud detection is not just the job of professional fraud examiners. Just as with quality, it must be embedded within the culture of the organization, and supported with strong policies and processes.