The Global Economic Crime Survey Cybercrime: are you at risk?

Transcription

1 The Global Economic Crime Survey Cybercrime: are you at risk? Hungarian country report December 2011

2 Table of contents 1) Introduction 3 2) Executive Summary Key findings 4 3) Fraud, the fraudster and the defrauded. What are we facing in Hungary? 6 4) Who is committing economic crime? The profile of the perpetrators 10 5) What actions do organisations take against the perpetrators? 13 6) How successful are Hungarian organisations in detecting and preventing economic crime? 14 7) Cybercrime in Hungary. Is your organisation ready to deal with it? 16

3 Introduction We are pleased to present the 2011 PwC Global Economic Crime Survey Hungarian results to you. We have prepared our 6th biannual global survey and the Hungarian country edition for the 5th time with the aim of assisting Hungarian business leaders and corporate executives by providing unparalleled insight into the impact of economic crime on organisations worldwide. With almost 4000 responses from senior executives in 78 countries, including 85 leading companies within Hungary, this is the most comprehensive global survey of economic crime available to businesses. Economic crime doesn t discriminate. It affects organisations all over the world. And no industry or organisation is immune. The fallout isn t just the direct costs; economic crime can seriously damage brands or tarnish a reputation, leading organisations to lose market share. As society becomes less tolerant of unethical behaviour, businesses need to make sure they re building and keeping public trust. Our aim with the survey was to assess: corporate attitudes to fraud in the current economic environment; which types of fraud are the most prevalent and who are the main perpetrators; what are the costs to businesses; what steps organisations are taking to detect and prevent fraud; Accordingly, our report is divided into two key sections: The current fraud environment in Hungary focusing on the type of frauds committed, and how they are detected, who is committing them and what steps organisations are taking to prevent them; Cybercrime in Hungary its impact on organisations, their awareness of the crime and what organizations are doing to combat the risks. what steps, if any, are Hungarian organisations taking to combat and prevent cybercrime and cyber threats. We sincerely thank all respondents and organizations who have participated in the survey, and without which we would not have been able to produce this report. We hope that this information will further assist the readers in their ongoing fight against economic crime. Miklós Fekete Partner, Advisory, PwC Global Economic Crime Survey 3

4 Executive Summary Key findings The Current Fraud Environment in Hungary 1 Our survey results show that 1 out of 4 Hungarian businesses (2) experienced one or more instances of economic crime in the past 12 months. In many cases, the incidents of economic crime were detected by accident or by means that were beyond the influence of management. The frequency of economic crime has increased compared to the previous survey. In 2009, 25% of those participants who suffered economic crime reported more than 10 cases. No one reported having experienced more than 100 instances. In 2011, however, 29% of those who suffered economic crime reported more than 10 cases, including who suffered more than 100 instances over the past 12 months. Asset misappropriation is the most prevalent type of fraud in Hungary (50% of cases reported). It is followed by bribery and corruption (3) which is the second most common economic crime experienced not only in Hungary, but in the CEE region as well. Accounting fraud (21%) is the third most prevalent type of fraud reported by survey participants in Hungary. The responses indicate that in the majority of Hungarian cases external parties to the organisation are the main perpetrators of economic crime (5). Fraud committed by vendors increased significantly from 2009 to While in 2009 there was no instance reported where the main external perpetrator was a vendor of the organisation, in 2011, 15% of external fraudsters were reported to be vendors. This figure is higher than in CEE (13%) and substantially higher than the global figure (9%). Results show that economic crime committed by agents and intermediaries is much higher in Hungary (31%) than in the CEE (16%) and globally (1). When asked about internal perpetrators, Hungarian respondents commented that, for those organisations who had suffered economic crime, the majority of internal perpetrators belonged to the management of their organisations. 4 of internal perpetrators were middle management, and even more concerning is that economic crime committed by senior management increased compared to 2009 (22 % in 2011 vs. 1 in 2009). The differences among Hungarian organisations are becoming more apparent in respect of how they react 1 Regional (CEE) and global comparison throughout the report is not exact and is for indicative purposes only, due to the differences in statistical sample sizes. 4 Global Economic Crime Survey

5 to economic crime being perpetrated against them. Some organisations have a zero tolerance approach. However, our survey results show that in 1 out of 5 cases reported (22%), organisations did not take any action against the internal perpetrator. Moreover, in one fifth of the cases the internal perpetrator was only transferred (22%) within the organisation, compared to CEE (5% transferred) and global results ( transferred). If you combine those responses, in Hungary, it tells us that almost 50%, who are identified as the internal perpetrator of an economic crime, was either allowed to get away with it or only moved internally within an organisation. The survey results also show that 17% of cases were discovered by accident in Hungary, which is higher than the CEE average (10%) and global () figures. Organisations cannot rely on chance to detect such incidents if they would like to avoid the costly damage of economic crime. 85% of the organisations who have already implemented a whistle blowing mechanism consider it as an effective tool in prevention and detection of economic crime. However, the results also show that nearly half of the Hungarian organisations (45%) have not yet established whistle-blower mechanism. Regular fraud risk assessment helps organisations to analyse their exposure to fraud and minimise chances for fraud and damages. However, 61% of respondents did not perform a fraud risk assessment at their organisations or had only performed it once over the past 12 months. Cybercrime in Hungary Our survey discovered that despite global and local media attention, respondents in Hungary potentially underestimate cybercrime threats. While 39% of respondents globally, indicated that their perception of cybercrime threats on their organisations has increased in the past 12 months, only 1 of Hungarian respondents commented that their perception of cybercrime risk increased. Our survey also concluded that Hungarian respondents are a lot less concerned about damages and financial losses from cybercrime activity than regional and global survey participants. While globally the figure was 40%, in Hungary only 27% of respondents said they were very concerned about reputational damage. On average across CEE 2 was the figure, in Hungary only 1 of respondents said they were very concerned about actual financial losses from cybercrime activity. The lack of concern may be due to a lack of awareness. It is worrying to learn that 42% of respondents did not receive any cyber security training in the past 12 months which would suggest that they are potentially unaware of the risks that cybercrime presents to their organisation. While globally 26%, and in CEE 22% of respondents believe that their organisation will likely face cybercrime in the following 12 months, in Hungary only of respondents believe so. Today, most people and businesses rely on the internet and other technologies. Organisations are potentially opening themselves up to cyber criminals and organisations need to be prepared for cyber threats. More than half of Hungarian respondents (5) feel that cybercrime threats are mainly external to the organisation and only 21% perceived them as both an internal and external threat. This is much lower than CEE (43%) and global (42%) figures. Experience has shown that to neglect internal threats can be very dangerous, particularly internal hacking by employees for their own purposes. 36% of respondents in Hungary said their organisation does not have an in-house capability to prevent and detect cybercrime, and 73% said their organisation does not keep an eye on social media sites, or they are not aware of them. There is no reason that Hungary should be at less risk of cybercrime than any other country, so the results in this area may indicate that organisations should consider where their risks are and where the threats come from. Global Economic Crime Survey 5

6 Fraud, the fraudster and the defrauded. What are we facing in Hungary? Economic crime continues to be a serious issue affecting organizations in Hungary. No industry is immune. Our survey indicates that more than 1 in 4 Hungarian organisations (2) reported having experienced one or more instances of economic crime in the past 12 months. 36% 3 32% 30% 2 26% 2 Has your organisation experienced any economic crime within the last 12 months? 2 30% 30% 3 3 Hungary CEE Global 30% % of respondents This figure may only be the tip of the iceberg and many instances may remain undetected. In our experience it would be extremely difficult for organisations to detect all instances of fraud, and even more difficult if the organization does not grant anonymous ways to report economic crime and/or does not perform fraud risk assessments regularly. In comparison to this: 61% of Hungarian respondents said that no fraud risk assessment was performed at their organizations or it was performed only once in the last 12 months. 45% of respondents indicated that their organisation does not have a whistle-blowing mechanism implemented. 6 Global Economic Crime Survey

7 Types of economic crime The frequency of economic crime has increased compared to our previous survey: In 2009, 25% of those participants who suffered economic crime reported more than 10 cases. No one reported having experienced more than 100 instances in the previous survey. In 2011 however, 29% of those who suffered economic crime reported more than 10 cases, including who suffered more than 100 instances over the last 12 months. This indicates repeated instances/ attempts of economic crime against organisations and signals that organisations are increasingly vulnerable to repeated fraud if they do not implement ways to prevent and detect economic crime or learn from and correct weaknesses which may have been exploited. Asset misappropriation is the most common economic crime (50% of cases reported) in Hungary, followed by bribery and corruption (3) and accounting fraud (21%). Respondents indicate that bribery and corruption is still more prevalent in Hungary (3) than in the CEE region (36%) and on a global level (2). In global and regional comparison, both asset misappropriation and accounting fraud is less frequent in Hungary than elsewhere. One potential reason for this could be due to the fact that these types of economic crimes are not being detected accurately. Asset misappropriation Bribery and corruption Accounting fraud Anti-competitive behaviour Tax fraud Money laundering Other Sustainability fraud Espionage Insider trading IP infringement Cybercrime What types of economic crime has your organisation experienced within the last 12 months? 1% 1% 2% 2% 6% 7% 7% 10% 7% 12% 13% 9% % 21% 23% 1 A future contributing factor may be due to the current unstable economic times. Potential reductions in headcount within organisations (which may occur in downturns and recessions) make fewer resources available to detect and prevent economic crime. For example, reduction of internal audit staff may lead to less fraud being detected and prevented in the future which puts organisations at greater risk. Also, redundancies can lead to issues where there is insufficient segregation of duties due to a lack of resources. 36% 3 50% 72% 69% Global CEE Hungary 0% 10% 20% 30% 40% 50% 60% 70% 80% % of cases reported Global Economic Crime Survey 7

8 Cost of fraud and collateral damage It is very difficult to accurately estimate the financial impact of economic crime. However, we asked our respondents to estimate, to the best extent possible, the cost of fraud and economic crime, they have suffered. The survey found that economic crime caused damages between USD 100k to USD 5 million for 42% of those respondents who suffered fraud over the last 12 months in Hungary. In addition to the direct losses, damage to employee morale is the most significant indirect cost of fraud (42%) and respondents indicated that there had been a significant impact on business relations (33%), as well as a negative impact on the company s reputation (13%). The study also found that damage to employee morale and business relations in Hungary are far greater than they are on regional or global level. 46% of Hungarian respondents who were victims of economic crime indicated that they suffered less than USD 100k damages. In the current economic environment, when all companies are seeking the most cost effective ways to operate, preventing and detecting economic crime could, rather than being an additional overall cost, actually result in savings for companies. 45% 40% 35% 30% 25% 20% 15% 10% 5% % How significant was the impact of the economic crime that you have experienced within your organisation in the last 12 months? 13% 19% 1 42% 29% 2 33% 20% 19% 15% 13% Reputation/brand Employee morale Business relations Relations with regulators % who indicated significant impact Hungary CEE Global 8 Global Economic Crime Survey

9 Global Economic Crime Survey 9

10 It is very important that organisations clearly communicate to their business partners and customers the expectations regarding business ethics, as well as consequences of unethical behaviour. If organisations are determined and stand firm against unethical business partners that will have a deterrent effect and will result in less damage caused by external perpetrators. Miklós Fekete, Partner, Advisory, PwC Who is committing economic crime? The profile of the perpetrators In 5 of cases reported Hungarian respondents indicated that fraud has been committed against the organization by external fraudsters. Thinking about the most serious economic crime your organisation experienced in the last 12 months, who was the main perpetrator of fraud? 5% In 3 of cases reported, economic crime was committed by internal fraudsters. It is interesting to note that both in regional and global comparison, the situation is the reverse of what the Hungarian respondents reported and more economic crime is reported to be committed by internal perpetrators (CEE 53% and 56% globally) than by externals % 56% 43% 40% Don't know Internal fraudsters External fraudsters Hungary CEE Global % of cases reported The fact that the percentage of cases committed by external perpetrators is high in Hungary both in regional and global comparison could be due to a number of reasons. For example: External perpetrators in most cases are customers (3), followed by the organisation s agents/ intermediaries (31%) and vendors (15%). While in 2009 no instance was reported where the main external perpetrator was a vendor of the organisation, in 2011, 15% of external fraudsters were reported to be vendors. This figure is higher than in CEE (13%) and globally (9%). 10 Global Economic Crime Survey

11 Thinking about the most serious economic crime your organisation experienced in the last 12 months, who was the main perpetrator of external fraud against your organisation? 15% Vendor Customer Agents/Intermediaries Don't know 31% 3 Other % of cases reported in Hungary Fraud committed by agents/ intermediaries (31%) is nearly double the regional (16%) and global (1) average. Based on our experience, due to a lack of resources some organisations tend to neglect the importance of background checks on their business partners. This can lead to, in many cases, organisations not having a clear picture about the past business history and reputation of their business partners. If corporate intelligence/background checks of external parties (agents, intermediaries, vendors etc.) are not performed, questionable business ethics cannot be identified in time, and the organisation can become a victim of economic crime. We would recommend that organisations step-up their efforts in this area, as it is clear this is a growing issue in Hungary and not one repeated in neighbouring countries or globally. As a key prevention measure, knowing your business partners prior to engaging with them is less costly than dealing with the unpleasant consequences. When you identify an incident of potential fraud which action are you most likely to do first? Use internal resources to perform an internal investigation Contact external legal advisors Engage a specialist forensic investigator Consult with your auditor Wait to see if further indications of potential fraud in the same area may arise 1% Economic crime is often committed by collaboration of internal and external perpetrators. However, the success in detecting the internal party is strongly dependent on the objectivity of the investigation carried out. Two-thirds of respondents (66%) indicated that they first use internal resources to perform an investigation, and only of respondents said they engage a specialist forensic investigator. Engaging independent forensic experts from the beginning of the investigation ensures the impartial and objective investigative work, thus guaranteeing the independence and objectivity during the entire process. 6% 19% 66% % 10% 20% 30% 40% 50% 60% 70% % of respondents Hungary Global Economic Crime Survey 11

12 The independent members of supervisory boards and audit committees have a big responsibility when the involvement of senior management comes into question in relation to economic crimes. It is in the best interest of all supervisory and audit committee members that they are aware of the results of fraud risk assessments performed by the organisation, as well as, the efficiency of controls in place. Márta Hegedűsné Szűcs, Partner, Assurance, PwC Thinking about the most serious economic crime your organisation experienced in the last 12 months, at what level was the main perpetrator of internal fraud within your organisation? 11% Profile of the internal fraudster The majority of internal perpetrators (67%) in Hungary belong to management. This includes mainly middle management (4 of the cases reported) and 22% committed by senior managers of the organisations. It is a great concern that fraud committed by senior management increased compared to our 2009 survey (1). The vast majority of internal perpetrators (67%) in Hungary have been working for the organisation for more than 6 years. Included in this are employees who have been for working for the organisations for more than 10 years (33%). 4 of internal fraudsters are highly qualified, minimum 1st degree graduates. 22% Between 41 and 50 years of age (56%) Male (67%) 67% % of cases reported in Hungary Senior and middle management Junior staff members Other With the organisation for more than 6 years (67%) 1 st degree graduate (4) Interesting to note, that global and CEE results indicate that typical internal perpetrators are usually younger (between 31 and 40 years of age, 43%), and have been with the organisation between three to five years (30%). The average perpetrator in Hungary is older and working for the organisation for longer. 12 Global Economic Crime Survey

13 Unfortunately it seems, that Hungary, is the country of no consequences based on the survey as well. It is astonishing, that in 22% of cases reported the organisations did nothing against the main internal perpetrator. Even more concerning is that in many cases the internal perpetrator was only transferred within the organisation. A very important element of a transparent economy is that economic crime and perpetrators are dealt with properly by the organisation in all cases. Tamás Lőcsei, Partner, Tax, PwC What actions do organisations take against the perpetrators? The results of the survey show that economic crime remains often without consequences in Hungary. In every 5th case reported (22%) the organization did nothing against the main internal perpetrator which is concerning compared to CEE (7%) and globally (). In CEE only 25% of internal fraudsters keep their jobs, in Hungary, our respondents tell us this is almost double, with 4 remaining employed. The difference among organisations in Hungary is becoming more apparent in respect of how seriously they are treating the issues of economic crime. Internal perpetrators were transferred in one-fifth of cases (22%) in Hungary, which is very high both in regional (5%) and global () comparison. Internal perpetrators were dismissed in only half of the cases (56%) reported in Hungary which is a much lower percentage than regional (75%) and global responses (77%). If organisations are only transferring perpetrators within the organisation rather than potentially dismissing them, the perpetrators will continue to remain within the organization and possibly find other ways to commit fraud and economic crime. It is important for organisations to demonstrate a zero tolerance level for fraud in order to set the right tone within the organisation. It is important that deterring actions are taken and consequences of fraud are clearly communicated to all employees. Thinking about the most serious economic crime your organisation experienced in the last 12 months, what actions, if any, did your organisation take against the main internal perpetrator? Dismissal Law enforcement informed Civil action was taken, including recoveries Transfer 5% 22% 1 Warning/reprimand 13% 22% Did nothing 7% 22% Notified relevant regulatory authorities 17% 11% 11% 1% Other 2% 0% Don't know 3% 5% 0% % 33% 4 56% 77% 75% 0% 10% 20% 30% 40% 50% 60% 70% 80% % of cases reported (multiple answers possible) Thinking about the most serious economic crime your organisation experienced in the last 12 months, what actions, if any, did your organisation take against the main external perpetrator? Law enforcement informed Cessation of the business relationship Civil action was taken, including recoveries Notified relevant regulatory authorities Other Did nothing Don't know 7% 15% 5% 6% 3% 1% 0% In the case of external perpetrators law enforcement was informed (5), cessation of business relationship (46%) commenced, and civil action was taken including recoveries (46%). 63% 66% 5 39% 53% 46% 43% 56% 46% 40% 37% 31% 0% 10% 20% 30% 40% 50% 60% 70% 80% % of cases reported (multiple answers possible) Global CEE Hungary Global CEE Hungary Global Economic Crime Survey 13

14 How successful are Hungarian organisations in detecting and preventing economic crime? Our survey results show, that 17% of incidents were detected by accident in Hungary which is much higher than the result in CEE (10%) and globally (). Organisations cannot rely on chance in detecting fraud incidents if they would like to be confident that they will avoid the costly damages of economic crime. At the same time, it is encouraging to see that there are responsible corporate executives who are not leaving the detection of economic crime to chance. They use proactive methods like fraud risk management (13%), effective internal audit (13%), and suspicious transactions reporting (13%). Proactive identification and detection of economic crime are the most powerful tools in the fight against economic crime. Corporate control Corporate culture Beyond the influence of Change of personnel/duties management Internal audit Fraud risk management Electronic and automated suspicious transaction reporting Corporate security Internal tip-off External tip-off Whistle blowing system Law enforcement/ investigative media Thinking about the most serious economic crime your organisation experienced in the last 12 months, how was the crime initially detected? By accident Others 0% 0% 2% 3% 5% 5% 6% 6% 3% 6% 7% 10% 9% 10% 13% 13% 11% 13% 11% 11% 13% 1 15% 17% 1 Global CEE Hungary 0% 5% 10% 15% 20% % of cases reported The responses also show that nearly half of Hungarian organisations (45%) have not established and introduced whistle-blower mechanism. However, 85% of the organisations who have already implemented a whistle blowing mechanism consider it as an effective tool in prevention and detection of economic crime. Our experience also shows that employees are more willing and likely to report fraud or suspicions if anonymity is granted. If organisations do not offer such mechanisms, it is much more likely that not all fraud cases will be detected, since employees do not feel safe to voice their information or suspicions. 14 Global Economic Crime Survey

15 Fraud risk assessment a powerful tool for detecting fraud In the last 12 months, how often has your organisation performed a fraud risk assessment? In order to successfully prevent fraud, it is important that organisations continuously assess and monitor fraud risks and identify gaps. Regular fraud risk assessment helps organisations to analyse their exposure to fraud. It is therefore concerning, that more than half of the respondents (61%) did not perform fraud risk assessment or performed it only once over the past 12 months within their organisations. 12% 1 6% 7% 33% 2 % of respondents in Hungary Once Not at all Quarterly Every six months Don't know More often Hungarian organisations cited that the main reasons for not performing fraud risk assessments were the perceived lack of value (29%) from fraud risk assessment, despite the fact that, this would be a proactive approach to combat economic crime. Two-thirds (67%) of respondents who indicated that their organisation did not perform a fraud risk assessment either did not know why a fraud risk assessment has not been performed at their organisations or indicated that they are unsure what this actually involves. The more fraud risk assessment is performed the more likely organisations are to detect fraud. In difficult economic times, organisations should see the prevention of fraud as a major tool to save on costs. If economic crime and resulting financial damages can be prevented, direct savings can be achieved. Global Economic Crime Survey 15

16 Emerging technologies present new challenges to organisations and internal audit professionals: mobile applications and devices, social media, cybercrime all these risks need to be assessed and organisations need to be prepared. Andrea Major, Partner, Assurance/SPA, PwC Cybercrime in Hungary. Is your organisation ready to deal with it? Our survey discovered that in Hungary, only 1 of respondents perceived that cybercrime threats to the organisation increased over the past 12 months whilst globally the figure was 39%. Has your perception of the risks of cybercrime to your organisation changed over the last 12 months? Global 57% 39% CEE 6 30% 6% Remained the same Increased Decreased Hungary 80% 1 6% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% % of respondents What is cybercrime? The Global Economic Crime Survey (GECS) 2011 focused on the financial crime and fraud aspect of cybercrime and for the purposes of our survey questionnaire, Cybercrime was formally defined as follows: Cybercrime, also known as computer crime, is an economic offence committed using the computer and internet. Typical instances of cybercrime are the distribution of viruses, illegal downloads of media, phishing and pharming and theft of personal information such as bank account details. This excludes routine fraud whereby a computer has been used as a by product in order to create the fraud and only includes such economic crimes where computer, internet or use of electronic media and devices is the main element and not an incidental one 2. The above definition may be considered a fairly common definition of Cybercrime, yet it would appear that many perceive this as a wider phenomenon which makes the definition open to different interpretations. There is no standard globally accepted definition of Cybercrime available and implications of not having a clear-cut definition could be that if organisations are not aware what the dangers are, where the dangers come from and how cybercrime can impact their business, then it is the harder to detect and combat cybercrime. 2 As defined in GECS 2011 by PwC in conjunction with our survey academic partner, Professor Peter Sommer. 16 Global Economic Crime Survey

17 While globally 26%, and in CEE 22% of respondents believe that their organisation will likely face cybercrime in the following 12 months, in Hungary only of respondents believe so. As today most people and business rely on the internet and other technologies, organisations are potentially opening themselves up to cyber criminals and organisations need to be prepared for cyber threats. In recent days even Facebook has been subject to such attacks. How concerned are you about the effect of cybercrime activity on your organisation? Is your organisation s reputation at stake? Our survey also concluded that Hungarian respondents are a lot less concerned about damages and financial losses from cybercrime activity than regional and global survey participants. While globally the figure was 40%, in Hungary only 27% of respondents said they were very concerned about reputational damage. In Hungary only 1 of respondents said they were very concerned about actual financial losses from cybercrime activity. In CEE the figure was 2. Theft or loss of personal identifiable information IP theft, including theft of data Actual financial loss from cybercrime activity Reputational damage 1 21% 35% % 2 36% 33% 40% 3 27% 0% 10% 20% 30% 40% % of respondents who indicated they were Very Concerned Global CEE Hungary The lack of concern may also be due to a lack of awareness. It is concerning to learn that 42% of respondents did not receive any cyber security training in the past 12 months which would suggest that they are potentially unaware of the risks that cybercrime presents to their organisation. Low cybercrime awareness does present risks for all organisations and industries. Organisations seem to be taking a reactive rather than a proactive approach towards cybercrime threats. Our survey shows that in Hungary: 36% of Hungarian respondents do not have or are not aware whether their organisation has in-house capabilities to prevent and detect cybercrime; 5 of Hungarian respondents do not have or are not aware whether their organisation has in-house capabilities to investigate cybercrime; 51% do not have or are not aware whether their organisation has controlled emergency network shut down procedures in place; 37% of respondents engage experts only when the incident has already occurred. Unfortunately at that stage, mitigation of damages is the only solution and not a proactive prevention. Global Economic Crime Survey 17

18 Social media is a revolution in the way in which people communicate. Also businesses are engaging with social media for numerous reasons including marketing, communicating with customers, and collecting information. But there is a wide range of commercial risks related to their usage. In addition to increasing unproductive time by employees, they create security risks for the company they are another channel where sensitive data can leak or malicious code can get into the company. Lee Coles, Director, Forensic Services, PwC Where does the cybercrime threat come from? Is it really an external threat to the organisation? Where do you see the greatest cybercrime threat to your organisation coming from? Global 13% 46% 29% 12% More than half of Hungarian respondents (5) feel that cybercrime threats are mainly external to the organisation and only 21% perceived it as both internal and external threat. This is much lower than the CEE (43%) and global (42%) figures. CEE 13% 43% 30% 13% Hungary 5% 5 16% 21% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% % of respondents Internally Externally Both internally and externally Don't know Experience has shown that to neglect internal threats can be very dangerous, particularly around internal hacking by employees for their own purposes. Such examples include: disgruntled employees accessing HR data to extract personal information (pay data, bonuses etc); an employee accessing other colleagues s; extracting key information from accounts payable department, setting up dummy suppliers in the system, and/or extracting funds from the organisations; misuse of social media sensitive information going public etc. Management of cybercrime risks Organisations monitoring social media sites? Whilst social media sites such as Facebook or LinkedIn may not be the real source of Cybercrime, they can be used to social-engineer Cybercrime more effectively (phishing attacks). For example, social media sites can be used to collect information about a targeted individual, to research certain staff members or to install malware onto the user s computer, making the cybercrime more effective. 73% of respondents in Hungary stated that their organisation either does not monitor the use of social media sites or that they are not aware of it. This is higher than in CEE (59%) and globally (60%). This also indicates that there is a lack of awareness of the cyber security risks these sites can present to the organisation. Of those Hungarian respondents who said their organisation is taking measures to prevent the risks of social media and networking, 65% said they monitor internal and external electronic traffic including web pages, which is lower than the CEE (82%) and globally (85%). 18 Global Economic Crime Survey

19 Reducing the risks What actions should organisations take to defend themselves against cyber security attacks? 1. Get the CEO involved the CEO and Board needs to be aware of the cyber threats. They need to understand the risks and opportunities of the cyber world. 2. Reassess the security function and preparedness of the organisation should a cybercrime occur unlike traditional economic crimes, cybercrime is fast paced with new risks emerging which means an organisation need to continually adapt its procedures to reflect these. 3. Awareness organisations need to have a clear awareness of its current and emerging cyber environment. If this is in place, well informed and prioritised decisions and actions can be taken. 4. Create a cyber incident response team which needs to act with speed and agility. A well functioning cyber response team means an incident is spotted anywhere in the business will be tracked, risk assessed and escalated. 5. Educating all employees an organisation needs to embed a cyber awareness culture, through recruiting those with the relevant skills so that this knowledge can be shared with all employees creating a cyber aware organisation which is better able to protect itself. 6. Take a more active and transparent stance towards cybercrime take action by pursuing cybercrime perpetrators through legal means, and communicate more publicly regarding the actions the organisation is taking regarding the threats, incidents and responses. Global Economic Crime Survey 19

20 Contacts Miklós Fekete Partner, Advisory Tel.: George Surguladze Senior Manager, Forensic Services george.surguladze@hu.pwc.com Tel.: PwC firms help organisations and individuals create the value they re looking for. We re a network of firms in 158 countries with close to 169,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it PwC. All rights reserved. Not for further distribution without the permission of PwC. PwC refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firm s professional judgment or bind another member firm or PwCIL in any way.