Organizational Complexity Poses Critical Cyberrisk

According to a recent survey on IT security infrastructure, 83% of businesses around the world believe they are most at risk because of organizational complexity.

“Employees are not following corporate security requirements because they are too difficult to be productive, plus policies hinder their ability to work in their preferred manner,” noted the Ponemon Institute’s “The Need for a New IT Security Architecture: Global Study,” sponsored by Citrix. “It is no surprise that shadow IT is on the rise because employees want easier ways to get their work done.”

Shadow IT, the information technology systems built and used by an organization without explicit approval, has largely cropped up because employees feel official tools are too complex or otherwise difficult and inefficient. As a result, company data is being put on personal devices and official business is conducted on platforms that enterprise security teams cannot monitor or secure.

Nearly three-quarters of respondents said their business needs a new IT security infrastructure to reduce risk. With increasing amounts of sensitive data stored, new technology like the internet of things adopted, and new cyberrisk threats constantly emerging, addressing individual security challenges may be impossible, Citrix Chief Security Officer Stan Black told eWEEK. Rather, companies should focus on larger issues like controlling complexity, developing and maintaining strong incident response plans, and rigorously vetting vendors with access to systems or responsibility for storing data.

Check out more of the report’s findings in the infographic below:

[Infographic: organizational complexity cyberrisk]

Fraud Incidents Rise in 2016, Kroll Finds

Reports of fraud have risen in the past year. In fact, incidences of every type of fraud have reached double-digit levels, according to the Kroll Global Fraud & Risk Report 2016/2017. Overall, 82% of executives reported falling victim to at least one instance of fraud in the past year, up from 75% in 2015.

Theft of physical assets remained the most prevalent type of fraud in the last year, reported by 29% of respondents, up 7 percentage points from 22% of respondents in the last survey. Kroll reported that vendor, supplier, or procurement fraud (26%) and information theft, loss, or attack (24%) were the next two most common types of fraud cited, each up 9 percentage points year-over-year.

Kroll found that most threats come from within an organization, with current and ex-employees being the most frequently cited perpetrators of fraud, cyber, and security incidents over the past 12 months. External parties were also identified as active perpetrators.

In the United States:

• On the complexity of fraud risks, the majority (60%) of executives who reported suffering fraud incidents identified some combination of perpetrators, including current employees, ex-employees, and third parties, with almost half (49%) involving all three groups.

• Almost four in 10 respondents (39%) who were victims experienced fraud perpetrated by a junior employee, 30% by senior or middle management, 27% by ex-employees, and 27% by freelance/temporary employees. Agents and/or intermediaries were also cited by 27% of respondents as involved in carrying out fraud.

• Insiders were cited as the main perpetrators of fraud, and also identified as the most likely to discover it. Almost half (44%) of respondents said that recent fraud had been discovered through a whistleblowing system and 39% said it had been detected through an internal audit.

Among anti-fraud measures, the widest adoption—reported by 82% of executives surveyed—focused on information, such as IT security and technical countermeasures. The converse of the finding is concerning: nearly one out of five respondents (18%) have not adopted such protections.

According to the report:

• 80% of respondents in the U.S. experienced fraud in the past 12 months, an increase of 5 percentage points on the previous year. This figure is 2 percentage points below the reported global average of 82%.

• Intellectual property (IP) theft, piracy, or counterfeiting is a clear threat to companies in the U.S., which was reported by just over a quarter (27%) of U.S. participants, almost twice the reported global average. The U.S. was the only country where IP theft was the most common type of fraud reported.

• Information theft, loss, or attack was the second most mentioned type of fraud impacting companies in the U.S., followed by conflicts of interest in the management team.

• The main perpetrators of fraud were reported to be insiders. Where fraud had been discovered, 36% of executives in the U.S. reported that junior employees were responsible, and 32% named senior or middle management.

• Respondents in the U.S. were most likely to have adopted IT security measures, followed by financial controls and asset security as their top three ways to mitigate fraud risk.

• In the U.S., the most common way fraud was detected was not through a whistle-blower, as it was for most of the other countries surveyed, but through an internal audit. Nearly half (49%) of U.S. participants said it was the most common detection mechanism.

Risk Management Profession Given an ‘A’ by CNN Money

Risk management is a career that has long flown under the radar. Because it is not a common job choice, a frequent question of risk managers is how they found their way into the profession. Risk managers say they wouldn’t do anything else. The reasons they list include interesting duties that differ from day to day, opportunities for creative thinking and problem-solving, and collaboration with other areas in their company.

Now CNN Money has made the job’s advantages official, listing risk management director as the “second best job in America” of the top 100 “careers with big growth, great pay and satisfying work.”

According to CNN Money:

The job has evolved in recent years to be about more than just natural disasters. Directors are now also tasked with identifying, preventing, and planning for all the risks a company might face, from cybersecurity breaches to a stock market collapse.

Asked why she thinks the job is great, Julie Pemberton, vice president at Diatom Ventures and RIMS 2016 president, told CNN Money:

As they uncover new risks, risk management directors must also advise the company on how to address them. That keeps me totally engaged and gives me the ability to be creative and find solutions for the business. I’m constantly contributing to the business in a meaningful way.

The job as risk management director was given a grade “A” for personal satisfaction, “A” for its benefit to society, “B” for telecommuting and “B” for low stress. Top pay for the job was listed as $200,000 with median pay of $131,000.

Business Interruption Seen as Top Risk Globally

A survey of more than 1,200 risk managers and corporate insurance experts in over 50 countries identified business interruption as the top concern for 2017. According to the sixth annual Allianz Risk Barometer of top business risks, this is the fifth successive year that business interruption has been seen as the biggest risk.

“Companies worldwide are bracing for a year of uncertainty,” Chris Fischer Hirs, CEO of AGCS, said in a statement. “They are concerned about rather unpredictable changes in the legal, geopolitical and market environment around the world. A range of new risks are emerging beyond the perennial perils of fire and natural catastrophes and require re-thinking of current monitoring and risk management tools.”

While natural disasters and fires are what businesses fear most, non-damage events such as a cyber incident, terrorism or political violence resulting in denial of access are moving higher up on the scale, according to the report. These types of incidents can cause large loss of income to companies, without actual physical loss.

The second concern, market developments, could result from stagnant markets or M&As, or from digitalization and use of new technologies.

Cyberrisk, third on the list of perils, has jumped up from 15th place in just four years. Cyber was identified as the second concern in the United States and Europe.

According to Allianz:

The results indicate that cyber risk occupies a significant portion of a company’s exposure map. The risk now goes far and beyond the issue of privacy and data breaches. A single incident, be it a technical glitch, human error or an attack, can lead to severe business interruption, loss of market share and cause reputational damage. Of the top 10 global risks in the 2017 Allianz Risk Barometer, a cyber incident could be a potential root cause or trigger for 50% of them. In addition, the toughening of data protection regulation regimes around the world is also contributing to this risk being at the forefront of risk managers’ minds, as penalties for non-compliance are increasingly severe.

Fourth on the list, natural catastrophes added up to $150 billion in total economic losses in 2016—with insured losses accounting for $42 billion of those losses—up from $28 billion in 2015, according to the report. Businesses also are more concerned about the impact of climate change and increasing weather volatility year-on-year.

Trump outlook for 2017

“Opportunities and challenges,” says Ludovic Subran, head of Euler Hermes Economic Research and deputy chief economist of Allianz research. “Companies which are domestic, either a regional multinational or national, will benefit. However, the business environment for large multi-national corporations who do have global, strongly regionally diversified business models will be more challenging. Stronger regional interests will make the lives of companies more complicated as there will be increasing protectionist regulation.”