Protecting your business against the increasing risk of cybercrime

Cyber Security, Audit

17 November 2021

Cyber fraud risk is no longer a theoretical risk running through the brains of information technology masterminds. It has taken a rapid, dark and sinister turn in becoming a reality and is now one of the top key risks faced by organisations in the global business community.

Neither the public nor the private sector, including not-for-profits and private enterprises, is immune from cyber fraud risk intrusions. Cybercrime neither respects nor recognises geographical or sovereign boundaries when cyberattacks are launched.

These are technologically driven invasions of an organisation’s previously “secured” systems. The actual attacks and thefts can be activated from anywhere in the world. Such attacks are designed to steal an organisation’s proprietary information and confidential databases, which can cause immediate mayhem and crisis and, unluckily for some, long-lasting devastating effects.

There are many unsuspecting organisations out there with unfortified gaps in their systems that have been attacked or will be susceptible to future attack. Unfortunately, in New Zealand, we have seen recent cyber-attacks at a large district health board and at some of our large telecommunication companies. Even our central banker, the Reserve Bank of New Zealand, experienced an unwanted intrusion.

With the onset of the COVID-19 pandemic still not behind us globally, the opportunities for cybercrime have intensified as fraudsters continue to take advantage of organisations that, by necessity, have had to move to, and continue working in, a more remote and distributed work environment.

The spike in cybercrime is real, with fraudsters continually trying to exploit the current COVID-19 health and economic emergency. Many organisations have taken action of some kind to mitigate their cyber risks; however, their biggest challenge is knowing where to target their limited resources (and spend) to make a realistic improvement in their resilience to a rapidly evolving cybercrime threat.

The nature of the fraud risk

Organised crime groups have diverted resources from traditional drug manufacturing and distribution because of the profitable nature of cybercrime attacks. Cybercriminals think that an anxious population, vulnerable people at the highest risk, and masses of disinformation awash on social media represent a good ‘business’ opportunity.

All of the above equates to a massive opportunity to prey on organisations and attempt to defraud them while they are at their most susceptible.

Phishing and ransomware attacks have increased, and this has been compounded by organisations setting up new ways of remote working at a pace which does not always allow effective cyber security arrangements to be put in place.

It is also the case that some organisations do not have an adequate level of visibility of their third-party suppliers of technology-related services, or enough knowledge of the extent to which they are properly protected or not.

Three cyber fraud review steps

1. Understand your cyber risk vulnerability

Your cyber risk vulnerability can be measured on a Cybercrime Vulnerability Scorecard Tool. The vulnerability scorecard measures an organisation’s cybercrime vulnerability in terms of its:

a) attractiveness to cyber criminals

b) potential damage in the event of a cyber breach

c) strength/weakness of cyber security and resilience

2. Examine your external vulnerability

Examine your domains to see if your emails can be spoofed. An assessment should identify out-of-date, unsupported software, open ports which can be hacked, and known vulnerabilities which have not been resolved.

3. Scan the Dark Web

Scan the Dark Web (where much cybercrime is organised and planned) for indications that your organisation may be targeted.

A search of the Dark Web, that part of the Web which cannot be searched using normal search engines, should be conducted to identify compromised emails and passwords (normally for sale at $2 each). The search should also identify any emails and passwords being sold which relate to an organisation’s domain names.

All business organisations need to be in total control of their business systems, whether these are financial or non-financial systems. Cyberattacks will continue to seriously impact organisations financially and threaten their ongoing viability.
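For step 2, whether a domain's email can be spoofed is largely decided by the SPF and DMARC records it publishes in DNS. The sketch below is an added example, not part of the original article or of Crowe's scorecard tool; the article does not name SPF or DMARC, and every domain and record in it is a constructed sample.

```python
# Added example: grade SPF and DMARC TXT records for spoofing exposure.
WEAK_ALL = {"+all": "passes every sender", "all": "passes every sender",
            "?all": "gives a neutral result for unknown senders"}

def spf_findings(txt_records):
    """Findings for the TXT records published at the domain itself."""
    spf = [t for t in (r.lower().split() for r in txt_records)
           if t and t[0] == "v=spf1"]
    if not spf:
        return ["SPF: no record, so no sender is ever rejected on SPF"]
    if len(spf) > 1:
        return ["SPF: multiple records, which receivers treat as an error"]
    terms = spf[0][1:]
    if any(t.startswith("redirect=") for t in terms):
        return []  # policy lives in another domain's record; check that one
    for term in terms:
        if term in WEAK_ALL:
            return [f"SPF: '{term}' {WEAK_ALL[term]}"]
    if not any(t in ("-all", "~all") for t in terms):
        return ["SPF: no 'all' term, so unknown senders get a neutral result"]
    return []  # '-all', or '~all' which relies on DMARC for enforcement

def dmarc_findings(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records
            if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no record, so receivers have no policy for forged From: addresses"]
    tags = {k.strip(): v.strip() for k, v in
            (p.split("=", 1) for p in recs[0].lower().split(";") if "=" in p)}
    policy = tags.get("p", "missing")
    if policy not in ("quarantine", "reject"):
        return [f"DMARC: p={policy} does not ask receivers to act on failures"]
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return [f"DMARC: policy applies to only {pct}% of failing mail"]
    return []

def assess(domain_txt, dmarc_txt):
    return spf_findings(domain_txt) + dmarc_findings(dmarc_txt)

SAMPLES = {  # constructed: (TXT at the domain, TXT at _dmarc.<domain>)
    "hardened.example": (["v=spf1 include:_spf.mailhost.example -all"],
                         ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"]),
    "monitor.example": (["v=spf1 ip4:192.0.2.10 ~all"], ["v=DMARC1; p=none"]),
    "open.example": (["site-verification=constructed"], []),
}

if __name__ == "__main__":
    for domain, (txt, dmarc) in SAMPLES.items():
        print(domain, assess(txt, dmarc) or "no findings")
```

An empty list means both records ask receivers to reject forged mail; in practice the record strings would come from TXT lookups on the organisation's own domains.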

The biggest risk in the current business environment would be the failure to assess and have in place a robust cyber risk mitigation process. So, if cybercrime isn’t near the top of your Risk Register, it might be time to think again.

Crowe has developed the Cybercrime Vulnerability Scorecard Tool on the basis of joint research with Europe’s largest forensic research centre at the UK’s University of Portsmouth. Talk to your adviser or get in touch with us to discuss how we can assess your risk of cybercrime and provide you with a report that outlines your cybercrime vulnerability rating and a checklist of what you need to do.

Author: Les Foy

Before joining Findex Wellington in 2000, Les developed his own management consultancy practice. Prior to this, Les gained substantial financial management, external audit and internal audit experience as a partner in KPMG and Arthur Andersen. He has extensive audit and advisory experience both in New Zealand and overseas....