How effective is your integrity risk program?
August 7, 2023
Major update to the Certificates Module
October 7, 2023
The pandemic has accelerated the digitisation of Australian businesses as organisations move their entire staff to remote working, have said goodbye to paper print outs and embraced video conference tools. With the increasing reliance on working remotely and utilising digital technologies comes a greater risk of businesses being exposed to cyber fraud.
Australians lost $77 million to scams in the first six months of 2020 alone as fraudsters took advantage of COVID-19, businesses lacking in proper IT security, social isolation and millions of employees working from home. This is up $19 million on the same period from 2019!
As the pandemic continues to change our day-to-day lives, we have seen organisations of all sizes, across a wide range of industries, experience increased rates of both internal and external fraud. In one instance, we even saw an Australian organisation experience at least one false billing scam attempt per week on a shared finance email account.
Small businesses are especially at risk as they often have inadequate cyber and information security protocols, low-to-no internal controls, no segregation of finance function duties, and a lack of employee training and awareness. According to CSO Australia, small businesses lost 42% more to business email compromise (BEC) scams in the first half of 2019 compared to that of 2018. This is just the tip of the iceberg as many scams and information security breaches go unnoticed or are not reported. We expect these figures to jump considerably when reporting is compiled in early 2021.
Current high-risk scams involve cyber criminals targeting businesses via sophisticated email compromise where they purport to be from a legitimate entity. The scammers then request the recipient to follow a link to reset a password, access an online file or track a postal shipment. These scams are easy entry points for cyber criminals with the objective of gaining access to the employee’s email account to watch their behaviour and strike at a moment of vulnerability.
Business email compromise scams rely heavily on human error achieved through social engineering and targeted phishing attacks. We often see fraudsters intercept legitimate invoices and change the payment details redirecting funds to their own accounts. Unsuspecting employees and businesses with unsophisticated internal controls are unaware their system has been compromised or that the cyber criminals are ‘living’ in their inbox.
Once a scammer has access to one account within an organisation, there is an increased risk the organisation’s network will be compromised further. In this scenario, the criminal can assume multiple identities within an organisation to perpetrate sophisticated fraud events.
We have seen a sharp increase in small to medium enterprises being targeted in this fashion. Whilst the first point of call for affected businesses is their internal or external IT provider, these providers can often lack the requisite skills to conduct a thorough forensic investigation to get to the bottom of the issue.
Regardless of your size or industry, no business is safe from cyber fraud. We have worked with clients with only two employees who have lost hundreds of thousands of dollars all the way through to government departments that have been exposed to sophisticated scams.
We have developed some key insights that business owners and executives should be aware of:
- Organisations with multiple offices or disparate locations are at higher risk, providing an opportunity for fraudsters to skilfully impersonate fellow employees. Emails received from a scammer purporting to be a fellow employee cannot be easily verified due to distance between offices or locations combined with poor internal processes. Risks have been heightened this year with most organisations moving a large percentage of their business to remote working and increased reliance on digital communication.
- Businesses in the construction industry are at especially high risk due to the volume of invoices distributed involving large sums of money. Combined with poor internal controls, the industry is placed at heighten risk. Sub-contractors are at even greater risk as they are often sole traders with no formal security protocols in place.
- The most common response when an organisation experiences a BEC attack is to contact their internal or external IT providers with a key focus on their security systems. This may involve forced password resets and updating or changing software. However, false billing and BEC scams rely on human error and a lack of internal processes to be successful and this one-dimensional response may leave the organisation vulnerable to further attacks. It is vital a thorough forensic investigation is conducted to determine how the fraud was perpetrated, which employees were impacted, and the processes involved that led to the compromise. Part of the solution is to make IT security enhancements however it needs to be supported with a more thorough fraud risk response.
- Once the compromise has been investigated, it is recommended the impacted organisation undertake a comprehensive fraud risk review. Assessing the businesses threat environment, the risks to that business (and industry), and examining the controls in place to prevent or mitigate further incidents is pivotal. This process is often eye opening for business leaders and highlights the vulnerabilities within the business.
- Whilst often considered an expensive initiative, employee education is key to reduce your organisation’s ongoing risk of cyber fraud or attacks. If every employee is educated to understand existing scams, how the scams are perpetrated and the controls in place to prevent or minimise the scams from occurring, then your team can go a lot further in protecting your business.
Business email compromise and other cyber fraud event can have serious consequences for businesses and employees and damage to your brand and reputation. To help protect against integrity risks, businesses need to have effective policies and procedures in place and ensure that employees understand and adhere to those policies and procedures. Often, policies are not up to date, difficult for their employees to access or have not been attested by their employees to confirm their understanding. This leaves businesses more vulnerable. Only after experiencing an integrity risk issue businesses realises the need to have an effective integrity risk program in place.
When it comes to the constantly evolving world of fraud and cyber risks to your business, the key is to be on the front foot.
At Corethix, we have developed an online and fully integrated software platform that allows businesses to quickly and easily create a centralised one-stop integrity risk program. The Corethix software platform includes up to date policy templates, pre-configured policy surveys and incident reporting tools. This enables businesses to quickly and easily create policies and configure surveys, registers and incident reporting functions, while providing a single, user friendly online source for employee access.
If your business experiences a cyber fraud event, take a moment to get the right advice about how your organisation will respond. Engage an experienced forensic investigation team who will coordinate your response and work closely with your internal or external IT team.
Thank you to Guest Author Dylan Bohnen