When online fraud was included for the first time this year, the official crime rate nearly doubled. More worryingly, official figures undoubtedly underestimate the scale of the problem as they do not take into account unreported crimes. In an era of reduced resources for policing, it is estimated that fewer than one in 100 cyber frauds is investigated and only one in every 650 frauds ends in a conviction.
For business, cyber crime poses reputational as well as other commercial risks and costs. These can range from direct financial loss, to the inability to access and operate systems, to longer-term reputational damage. It should also be remembered that cyber criminals may be looking for confidential commercial information such as customer lists, the loss of which can impact directly on turnover and profitability.
Accordingly, businesses are encouraged to address the threat they face by reviewing their current level of preparedness. This requires not only an assessment of the measures they have in place but also what steps they would take to respond to a breach of security.
Clearly there are technical protective measures that every business should consider. The Government’s Cyber Essentials Scheme recommends, amongst other things, the use of boundary firewalls and internet gateways, secure configuration of systems, user access control and malware protection.
However, the technical aspect of cyber security is only part of any effective cyber security policy. A recent survey by the accountants PwC found that 50% of the most serious security breaches were caused by human error. The challenge for business is therefore as much a human one as a technical one, even if investment in both human and technical firewalls carries a financial cost.
Ensuring employees are aware of the risks faced by an organisation and have the know-how to respond is essential for an effective cyber security policy. At the end of the day, the success or failure of a fraud may depend upon whether an individual recognises that something is ‘not quite right’.
Such fraud awareness training should complement other internal counter-fraud measures and policies. Unfortunately, there will always be those cases where employees connive with outside fraudsters.
One of the most telling statistics from the PwC survey was that 32% of businesses had not conducted a security risk assessment. This was notwithstanding that 74% of the small businesses surveyed had had a security breach.
Given the legal duties directors owe their companies, “hoping it will not happen to us” is clearly not a strategy. All businesses take precautions to protect themselves against physical thefts – taking steps to combat ‘digital burglary’ should be no different.
Please note this information is provided by way of example and may not be complete and is certainly not intended to constitute legal advice. You should take bespoke advice for your circumstances.