Cybercrime is now the fourth largest economic crime in SA and worldwide, according to the findings of the latest PricewaterhouseCoopers (PwC) economic crime survey.
The report, released on Tuesday, polled almost 4 000 companies worldwide, 123 of them from SA.
Ahead of cybercrime are financial statement fraud, bribery and corruption, and asset misappropriation, which an enormous 73% of global respondents said they had experienced. Cybercrime has affected 26% of respondents.
Louis Strydom, director at PwC and head of the company’s forensic audit division, says there has also been a worrying shift in the internal perpetrator profile away from entry and mid-level staff to senior management. However, he says formal anti-fraud frameworks are becoming more effective in SA. He says SA survey participants reported higher levels of the non-financial impact of economic crime — that is, effects that could not necessarily be directly quantified.
Of SA respondents, 60% said they had experienced economic crime during the period of review. But that is down from 83% in 2005, 72% in 2007 and 62% in 2009. Worldwide, there was a decline until 2009, when the figure was 30%, but it has grown again, to 34%, in 2011. Strydom says he suspects this is due to the global economic downturn.
The hardest-hit sector worldwide is communications. “The mobile business is growing rapidly and has become a target,” Strydom says. Second is the insurance industry, then government and state-owned enterprises, hospitality and leisure, and financial services. According to Strydom, government features prominently in part because it is slower to respond to new threats.
Cybercrime hasn’t previously been addressed by the report, yet leapt to fourth position in both SA and globally. Worldwide, 23% of respondents said it had affected them, with 26% saying likewise in SA.
The World Economic Forum’s Global Risks 2011 report says cyber security issues now top the list of risks to watch, ahead of weapons of mass destruction and resource security.
PwC’s survey defines cybercrime as “an economic crime committed using computers and the Internet. It includes distributing viruses, illegally downloading files, ‘phishing’ and ‘pharming’, and stealing personal information like bank account details. It’s only a cybercrime if a computer, or computers, and the Internet play a central role in the crime, and not an incidental one.”
Compared to conventional crime, cybercrime often offers the same rewards for criminals, but with fewer risks to them. The criminal is seldom physically present and can be in a different jurisdiction, making them more difficult to identify, arrest and prosecute using traditional means, and Strydom says current laws are not mature enough to prosecute cybercriminals with sufficient impact.
The challenge of cybercrime is that, as with technology generally, it’s hard to keep abreast of the developments and companies are finding themselves constantly playing catch-up.
“Organisations and governments need to constantly update their responses. Preventative controls are much harder to implement for cybercrime than, say, asset misappropriation,” says Strydom.
Asked whether they thought cybercrime was an internal or external threat, 32% of SA respondents said both, 45% saw it as external and 14% saw it as an internal threat only. Strydom says that even though almost half see it as an external threat, they’re wrong. “Insiders such as employees, agents, contractors and customers with access to the company back-end or similar are all threats.”
Internally, areas perceived by SA to be most at risk are operations, IT departments, finance, physical/information security divisions, marketing and sales and human resources departments. Senior executive/board-level and legal divisions were deemed the least at risk. Worldwide, IT was seen as the biggest risk, followed by operations and marketing and sales.
SA organisations say they are most concerned about actual financial loss from cybercrime activity, rather than reputational damage, theft or loss of personally identifiable information and theft of data.
In terms of anticipating and warding off cybercrime, Strydom says few SA organisations have “all the elements of a holistic response framework in place”.
Only 53% of SA companies have in-house capabilities to prevent and detect cybercrime; 37% have internal capabilities to investigate; 58% have access to forensic technology investigators; 37% have a media and PR management plan; and 50% have a controlled emergency network shutdown procedure. This makes SA worse in each category, except in forensics, compared to global respondents.
Forty-six percent of SA respondents have never conducted a cybercrime risk assessment, while 59% respond only once something has happened, despite having engaged with cybercrime experts. Fully forty percent say they have not received any awareness communication or training despite cybercrime’s growing prevalence.
Worryingly, in terms of internal perpetrators of economic crime generally, in SA more senior management is involved than previously. Up to 36% of economic crime was committed by senior management in 2011, a large jump from the 17% recorded in 2009.
Strydom says respondents were specifically targeted, but aren’t all PwC clients. “We try to get the biggest companies globally to respond, those with employees with more than 10 000 staff. But we also look at mid-tier companies and the public sector.”
The report suggests that there is also valuable information for the would-be cybercriminal on social networks. Strydom says even something as simple as a job title can make someone a target, particularly if that role includes things like payroll and procurement. “We need to sensitise people and explain the value of being more sensitive about what we share,” says Strydom.
Organisations must create an environment where people aren’t scared to report internal fraud and will be protected. “The fraud line shouldn’t route to the CEO, but to the chairman of the fraud committee, or similar. You have to be able to guarantee anonymity.”
Strydom says there are cultural challenges to whistleblowing in SA, but that this is proving less problematic with the younger generation where cultural norms are less entrenched. — Craig Wilson, TechCentral