UK businesses are at or near the top of the global table for reporting fraud, cyber and security incidents, according to executives surveyed for the 2016/17 Kroll Annual Global Fraud and Risk Report.
The vast majority (90%) of UK participants said they had been affected by fraud in the past 12 months, a significant increase on the 74% of UK businesses reporting incidents of fraud in the 2015 report and much higher than the current global average of 82%. The only country to report a higher incidence of fraud was Colombia (95%).
Executives in the UK also reported the second highest rate of cyber incidents (92%) after Colombia (95%), again much higher than the global average of 85%. Virus and worm infestations were the most common cyber incidents reported, in line with most other countries.
The second biggest type of cyber incident reported was insider theft of customer or employee data – and at 27% of companies this was much higher in the UK than in other regions. Similar to respondents in other countries, those in the UK said customer records were the most likely target and that ex-employees were the most likely perpetrators of cyber incidents.
Along with respondents in the Middle East, those in the UK experienced the highest rate of security incidents in the past year. The majority (82%) said their company had been affected by a security incident, 13% higher than the global average.
Tommy Helsby, Co-Chairman, Kroll Investigations & Disputes, commented: “This year’s Kroll Global Fraud and Risk Report shows that it’s becoming an increasingly risky world, with the largest ever proportion of companies across the board reporting fraud and similarly high levels of cyber and security breaches.
“One reason for the growth in reported incidents by UK organisations could be that companies are simply more aware of their responsibilities and vulnerabilities and have now accepted that managing and reporting fraud, cyber and security incidents is part of ‘‘business as usual’’. Indeed, executives from the UK were more likely to feel highly vulnerable to a wide range of incidents than respondents in other countries around the world.
“However, it’s clear that as well as recognising the risks, UK organisations need to have systemic processes in place to prevent, detect and respond to fraud, cyber and security risks if they are to avoid reputational and financial damage.”
Global results
Despite widespread concerns about external attacks, the findings reveal that across all regions, the most common perpetrators of fraud, cyber and security incidents over the past 12 months were current and former employees.
Six out of ten respondents (60%) at companies that suffered from fraud identified a combination of perpetrators that included current employees, former employees, and third parties, with almost half (49%) involving all three groups. Junior staff were cited as key perpetrators in two-fifths (39%) of fraud cases, followed by senior or middle management (30%) and freelance or temporary employees (27%). Former employees were also identified as responsible for 27% of incidents reported.
Overall, 44% of global respondents reported that insiders were the primary perpetrators of a cyber incident, with former employees the most frequent source of risk (20%), compared to 14% citing freelance or temporary employees and 10% citing permanent employees. Adding agents or intermediaries to this “insider” group as quasi-employees increases the proportion of executives indicating insiders as the primary perpetrators to a majority, 57%.
Over half of respondents (56%) said insiders were the key perpetrators of security incidents, with former employees again the most common of these (23%).
Fraud and security concerns impact overseas expansion
Over two-thirds (69%) of global executives say their companies have been dissuaded from operating in a particular country or region due to fraud concerns and just under two-thirds (63%) because of security threats.
The road to resilience
While insiders are cited as the main perpetrators of fraud, they are also the most likely to discover it. Almost half (44%) of respondents said that a recent fraud had been discovered through a whistleblowing program and 39% said it had been detected through an internal audit.
Indeed, three in four respondents indicated that their companies (76%) have adopted employee-focused anti-fraud measures such as staff training or whistleblowing hotlines. 82% of respondents have adopted anti-fraud measures focusing on information such as IT security or technical countermeasures, and 79% have implemented physical security measures.
The most commonly reported cyber risk mitigation action was conducting in-house security assessments of data and IT infrastructure, implemented by 76% of the survey respondents’ companies.
