Are employees the biggest threat to your business?

Fraud is on the rise, with around 43% of organisations reporting this type of crime last year, up from 41% in 2020, according to a survey by PwC. European companies were hit harder than those in other regions, with 56% experiencing this activity.

Cyber attacks – which commonly include phishing, viruses, malware, ransomware and spyware – were the leading cause of external fraud, with 31% of respondents experiencing them. According to a report by Kroll, the top five impacted industries in 2022 were professional services, health care, financial services, manufacturing, and technology and communications.

Individuals may be motivated to commit fraud because of greed or to make easy financial gains, but also due to pressure such as job loss, debts, addiction or health problems. The cost-of-living crisis is exacerbating the issue, with research by Cifas showing a rise in customers falsely claiming refunds or trying to obtain financial products with fraudulent information.

For companies, the key vulnerable element remains employees, both as facilitators of fraud, knowingly or unknowingly, and as perpetrators themselves. A report by the security awareness training platform KnowBe4 highlights that many employees lack confidence in or even knowledge of various cyber security risks, such as suspicious links or attachments in an email.

One of the most famous hackers in the world, Kevin Mitnick, used fairly basic social engineering in some of his most successful attacks during the 1990s. Yet employee understanding of social engineering is inadequate. Cyber security and data privacy training – an essential frontline defence – was interrupted during Covid-19 lockdowns, despite working from home creating additional risks.

In some cases, employees may circumvent controls to commit fraud, such as by colluding with external actors. PwC's survey showed that this activity rose from 21% in 2020 to 26% in 2022. The situation was worse in China and Hong Kong, where half of companies fell victim last year.

Fraud committed by employees alone is also a risk. High-profile cases include the trader Kweku Adoboli, who used his knowledge of UBS' processes to cover his tracks when gambling £1.3bn ($1.6bn) of the bank's money on unauthorised trades before he confessed.

Losses for Societe Generale were even higher when a junior derivatives trader, Jerome Kerviel, discovered how to hack the bank's fraud detection system to make unauthorised trades, which resulted in losses of $7.2bn.

The banks received fines of £30m and €4m ($4.4m), respectively, for failures in their controls. 

Financial losses are not the only risk companies face. Data loss is also a serious issue that can compromise competitive advantage and cause reputational harm. That can lead to a loss of clients, potentially even leading to business closure. Breaches of laws such as the EU's General Data Protection Regulation (GDPR) can also result in hefty fines.

While it is important that organisations build resilience to these potentially serious threats by investing in technology and implementing stronger controls, training and whistleblowing procedures remain key. Organisations should also have contingency plans in place to protect them operationally and financially should the worst happen.

To discuss any of the themes within this article, or your cyber insurance requirements, please contact Ben Geffen or Daniel Leahy.

Ben Geffen

Associate Director

Daniel Leahy

Cyber Broker