Cybercrime increased during the COVID-19 pandemic globally. Some risk experts believe inadequate regulatory compliance before the pandemic is partly to blame and they are warning worse is to come. Many now recommend increasing cooperation between financial institutions, strengthening regulation as well as improving risk management systems.
“Most high-profile cyber incidents can be prevented by following actionable steps that dramatically improve an organisation’s cyber resilience,” says the head of the UK’s National Cyber Security Centre, Lindy Cameron.
There was an 85% increase in all types of cybercrime over the past year, according to figures from the Office for National Statistics (ONS) in the UK. These figures related to the year ending June 2021 compared with the pre-COVID year ending June 2019. These cybercrimes included ‘computer misuse incidents’ and were “driven entirely by an increase in unauthorised access to personal information, including hacking,” according to the ONS.
Some of this increase in cybercrime is attributed to more people being vulnerable to fraud during lockdowns from working from home. Underlying reasons for this include inadequate viral software at home, insufficient IT training of staff to identify online security threats (such as from phishing) and inadequate oversight by management of decision-making by employees.
Conversely, employees were also more liable during ‘lockdown’ to commit fraud.
In totality, the outlook for financial cybercrime is grim. Globally, financial crimes, including cybercrime, is predicted to increase in the next year. According to the Association of Certified Fraud Examiners (ACFE) in Austin, Texas, US: “Our members expect this trend to persist and 90% anticipate a further increase in the overall level of fraud.”
Cyberfraud continues to be the largest area of risk for companies. Over 85% of respondents to a recent ACFE member survey reported it increased. The types of cyberfraud include payment fraud, such as credit card fraud, fraudulent mobile payments and identity theft. Other types are business email compromises, hacking, ransomware, and malware issues.
ACFE predicts all these will increase in the coming 12 months.
But sometimes cybercrime originates from within a company.
The ACFE’s ‘Fraud in the Wake of COVID-19: Benchmarking Report’ suggests there will be an increase in occupational fraud, otherwise known as internal fraud, due to three main factors. These are: opportunity, pressure and rationalisation which affect all staff.
Mary Breslin, Founder and Managing Partner of US-based risk management firm, Verracy explains that the extensive changes many organisations needed to implement working from home measures “have provided new opportunities for this kind of fraud.”
Whilst the Coronavirus Job Retention Scheme has been considered a success, with the vast majority of people back in employment, Breslin believes many employees post lockdowns have financial pressures on them, such as family members losing employment, plus health care emergencies, which in the USA can result in costly medical bills as well as rising costs of living in many countries. This puts financial stress on many and she believes such cases can be reason for employees to ‘rationalise’ fraud. Lockdowns have a psychological and social impact on employees.
“Many people are feeling disconnected from their organisation due to remote working,” Breslin says. Others, she explains may feel wronged by their organisation due to how they have been treated while working remotely. “Just think of the stories and articles you have read about employers demanding employees leave their camera on all day or have keystroke software installed,” Breslin adds.
Return to work/managing ‘hybrid’ work
ICAEW has researched preventing misconduct within a hybrid working environment. The research explains there are four main drivers behind misconduct, which can ultimately lead to financial losses for a company.
ICAEW agrees with Breslin that one significant driver for misconduct or committing fraud by employees is the ‘rationalisation’ argument.
The other three drivers are:
- ‘Lack of supervision.’ This is because in an office it is easier to enforce the firm’s values, when staff sit together and spend most of the day in the office.
- Poor wellbeing.’ While some people have flourished working at home, others have struggled with family pressures and extra hours, especially people with caring responsibilities. This has sometimes led to exhaustion among employees, and it is recognised that people who are tired may make poor ethical decisions.
- ‘Absence of reminders about workplace values.’ It is understood that there are fewer ‘nudges’ or reminders to uphold a workplace’s ethics when people are at home.
These are all important and ongoing issues as firms will need to think about their control environments and the return to work for staff, especially as many workers will continue to work in a hybrid capacity, partly from home and partly in the office.
“Ultimately, the main way to prevent misconduct by employees is to promote and maintain an ethical culture, even where teams are operating remotely.” says Sophie Wales, ICAEW’s Director of Trust and Ethics. “There are some key steps firms can take including reinforcing ethical messages through a range of communication channels to reach those working in a hybrid way.” There is further discussion of maintaining an ethical culture in this article.
Cybercrime and Ransomware
Other significant risks to companies come from outside.
Ransomware, for example, represents a large threat to online security, according to the National Cyber Security Centre CEO, Lindy Cameron.
“It’s an urgent issue,” she says.
She believes ransomware attacks, where hackers encrypt data and demand payment for it to be restored, is rising. The crime is also becoming increasingly sophisticated and is a real threat to many businesses. Such cybercrimes not only shut down an organisation’s ability to function, but the criminals will often threaten to publish “exfiltrated data on the dark web”.
What can companies do?
Lindy Cameron believes that companies should not overly rely on their technology departments.
“It’s also about the business continuity element and how companies respond and recover,” she says.
Part of this preparedness for companies could include increasing anti-fraud budgets, rolling out anti-fraud training as well as professional development.
The Financial Conduct Authority
Recently there has also been increased pressure on companies regulated by the Financial Conduct Authority (FCA) in the UK to get tougher on financial crime.
The regulator believes the onus should be on companies.
‘White collar’ crime expert David Hamilton at law firm, Pinsent Masons in the UK says the FCA is currently focusing on individual accountability within firms. The regulator holds senior managers responsible when financial crimes are committed.
“The FCA will continue to monitor and assess senior managers’ competence and capability, considering whether they possess the required skills and knowledge,” he says.
Risk assessments and reporting suspicious activity are areas that the FCA insists businesses demonstrate are part of the day-to-day running of their company. All FCA-regulated UK companies are currently expected to introduce a suite of policies, procedures and controls to convince authorities that their business is well-prepared to manage financial fraud. This includes all financial crime but is primarily focused on preventing money laundering by financial institutions and professions associated with them.
“The FCA believes that private enterprises are the first line of defence against financial crime such as cybercrime and money laundering and that porous or inadequate controls present “a significant threat that financial systems will be abused by criminals,” Hamilton says.
So, what is the best defence for a company against cybercrime?
Lindy Cameron urges the boards of companies to take responsibility for financial crime from within the firm as well as for cybercrime that originates from outside it. Board members need to be up-to-date with systems within a company. She adds offline backups are needed in this online world. In particular, the board including the CEO, need to understand the nuts and bolts of how their company operates.
“I don’t think any chief executive would get away with saying they don’t need to understand legal risk because they have a general counsel. I think the same should be true of cyber risk,” she concludes.