Theft of information assets was reported by 27.3% of companies over the past 12 months, up from 18% in 2009. In contrast, reported incidences of theft of physical assets or stock declined slightly from 28% in 2009 to 27.2% in 2010, according to the survey.
“That is a trend that appears to be accelerating,” said Richard Plansky, managing director of Kroll’s Business Intelligence and Investigations division. “What we are seeing is a reflection of an economy that is increasingly information based. It is reflection of an economy in which the value of businesses is measured more by the ideas that they make than the things they make.”
Having an information-based economy is a "double-edged sword”, observed Plansky in an interview with Infosecurity. “On the one hand, it makes critical information more easily available; it makes it easier to work as an enterprise by breaking down silos; it makes it easier to work as a team. On the other hand, it makes critical information more easily available to people who have bad intentions. The value of a company lives in digital form on information systems and on portable media, and with more people than every before having easy access to it, this leads to the kinds of results you are seeing in this fraud survey.”
According to the survey, information-based industries reported the highest incidence of theft of information and electronic data over the past 12 months. These include financial services (42% in 2010 versus 24% in 2009); professional services (40% in 2010 versus 27% in 2009); and technology, media and telecoms (37% in 2010 versus 29% in 2009).
Nearly one-third (28%) of respondents cited information infrastructure complexity as the single most important factor in raising their exposure to fraud. However, despite the increased risks, only 48% of companies are planning to spend more on information security in the next 12 months, down from 51% last year.
The survey of 801 senior executives from 760 global companies, a majority with revenues over $500m, was conducted by the Economist Intelligence Unit on behalf of Kroll. Twenty-nine percent of respondents were based in North America, 25% in Europe, just under a quarter in the Asia-Pacific region, and 11% from Latin America, the Middle East, and Africa. Ten industries were covered, with no fewer than 50 respondents drawn from each industry. The highest number of respondents came from the financial services industry (13%).
The study found that the amount lost by businesses to fraud rose from $1.4m to $1.7m per billion dollars of sales in the past 12 months—an increase of more than 20%.
A striking finding of the survey was that almost half of the respondents (48%) said that fear of fraud had dissuaded them from pursuing business opportunities abroad. The biggest impact was on emerging economies, with fraud deterring 11% of businesses operating in China and similar percentages of businesses operating in Africa (11%) and Latin America (10%). “Fraud…is serious enough that it is a drag on market entry. I think that is fairly significant”, Plansky said.
The survey found that 88% of those surveyed had been victimized by fraud over the past 12 months. China is the top market in which companies suffered fraud, with 98% of businesses operating there affected. Colombia ranked second, with a 94% incidence of fraud in 2010, followed by Brazil with 90%.
The survey found that close to two-thirds (63%) of companies in the US and UK were misinformed or unsure about which fraud-related regulations applied to them. As a result, many companies were unprepared to deal with the regulatory risks: less than one-half (47%) were confident that they had the controls in place to prevent fraud at all levels of the operation, compared with 42% who said they had assessed the risks and put in place monitoring and reporting procedures.
In addition the survey found that the majority of fraud among companies in North America, Europe, Asia-Pacific, the Middle East, and Africa was perpetrated by employees.
Plansky offered the following advice to companies to secure their information assets.
“Companies need to get a handle on the information they have in-house, where it lives, who has access to it. Once they do that, there are a number of things that can be done from a technology point of view and a policies and procedures point of view to ensure that access to critical information is controlled and locked. Then companies need to have a plan about how to react if they have a loss of data….that means knowing how to determine whether a breach is ongoing….Companies should have resources in place to get the data back. Many of the instances of data loss that we see at Kroll involve the loss of something physical, like a laptop, USB drive, or disk.”
Plansky also advised companies to have in place resources to determine their legal and regulatory obligations. “The regulatory framework is a complete patchwork….It is very difficult to know what your obligations are. It’s important to have professional resources to advice you on your obligations so you can comply.”