Impact of Data Breaches and Cyber Fraud



The potential costs of cyber fraud and data breaches are a leading concern for small business entrepreneurs. But all small business entrepreneurs need to be serious about security and can take steps to protect their businesses from harm.

Three years ago, The Wall Street Journal estimated that the cost of cybercrime in the U.S. was approximately $100 billion. The estimate disputed other reports which pegged the numbers as much as ten times higher.

In 2015, the British insurance company Lloyd’s estimated that cyber-attacks cost businesses as much as $400 billion a year, which includes direct damage plus post-attack disruption to the normal course of business. Some vendor and media forecasts over the past year put the cybercrime figure as high as $500 billion and more.

From 2013 to 2015, cybercrime costs quadrupled, and it looks like there will be another quadrupling from 2015 to 2019. Juniper Research recently predicted that the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, almost four times the estimated cost of breaches in 2015.

One solution is to move data processing to the cloud. Storing data in the cloud protects it from any physical harm that may befall the business, such as natural disasters that can destroy company servers. It can also create better protection from cyber threats because cloud hosting providers often provide greater security against data breaches than small businesses can set up on their own.

Small business entrepreneurs can take steps to boost security locally by ensuring that passwords are managed properly and office Wi-Fi networks are secured.

The short- and long-term consequences of a data breach for a small business are very similar to those for a larger business.

Short-term
  • Loss of data and personal records of customers
  • Financial loss
  • Lost customers
  • Immediate loss in profits due to lack of sales
  • Data breach notification
  • Cost of reissuing compromised cards
  • Legal fees
  • Regulatory fines

Long-term
  • Brand and reputation damage
  • Jobs lost
  • Forensic firm and other third-party costs
  • Class action lawsuits
  • Updating and fixing network security
  • Identity and Credit Monitoring Services
  • Long-term drops in investment

For many of the short-term consequences, the impact on a business can be easily quantified because of the immediate costs involved, such as lost customers and data breach notification. While the long-term consequences associated with a data breach are not as clear, we do know that the impact on small businesses is great: 60 per cent of small businesses fold within six months after a cyber-attack or data breach.

It is important to note that data breaches and fraud can occur internally as well as externally. You will need to ensure that your company has adequate protection to safeguard against fraud from employees.

One of the most serious threats to the success of a small business is employee theft. Misplaced trust, lax hiring and supervision, and a failure to implement basic financial controls can lead to an environment that is ripe for internal theft and fraud.

The Association of Certified Fraud Examiners estimates that the typical business will lose an average of 6 per cent of revenues from employee theft. The ACFE Report to the Nation on Occupational Fraud and Abuse indicates that small businesses suffer disproportionate losses because of the limited resources they have to devote to detecting fraud.

Suggested Solutions:
These best practices will keep your company as safe as possible.

Security Protection

Keep your software up to date. An outdated computer is more prone to crashes, security holes and cyber-attacks than one that's been fully patched. Hackers are constantly scanning for security vulnerabilities, and if you let these weaknesses go for too long, you are greatly increasing your chances of being targeted.

Educate your employees. Make your employees aware of the ways cybercriminals can infiltrate your systems, teach them to recognize signs of a breach, and educate them on how to stay safe while using the company’s network.

Implement formal security policies. Having companywide security policies in place can help reduce your likelihood of an attack. Ensure everything requires strong passwords (those with upper- and lowercase letters, numbers and symbols) that should be changed every 60 to 90 days. Sixty-five per cent of SMBs that have a password policy do not strictly enforce it. Ensure that your security policies are designed to prevent employee tampering.
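A policy that exists but is not enforced can be spotted by auditing account aging settings. The following is an added example, not part of the original post: it assumes Linux accounts in the /etc/shadow field layout, uses constructed sample lines, and the function name `audit_password_aging` is hypothetical.

```python
from datetime import date

MAX_AGE_DAYS = 90  # upper bound of the 60-90 day window stated in the policy

# Constructed sample in /etc/shadow layout (not real accounts or hashes):
# name:hash:last_change(days since 1970-01-01):min:max:warn:inactive:expire:
SAMPLE_SHADOW = """\
alice:$6$constructed$hash:19800:0:90:7:::
bob:$6$constructed$hash:19500:0:99999:7:::
carol:$6$constructed$hash:19790:0::7:::
daemon:*:19000:0:99999:7:::
dave:$6$constructed$hash:19650:0:60:7:::
"""

def audit_password_aging(shadow_text, today, max_age=MAX_AGE_DAYS):
    """Return {account: [issues]} for accounts that violate the rotation policy."""
    today_days = (today - date(1970, 1, 1)).days
    findings = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue  # malformed line, nothing to evaluate
        name, pw_hash, last_change, _min_days, max_days = fields[:5]
        if pw_hash.startswith(("!", "*")):
            continue  # locked or service account: no password login possible
        issues = []
        if not pw_hash:
            issues.append("empty-password")
        # Policy written down but never configured: expiry missing or too long.
        if not max_days or int(max_days) > max_age:
            issues.append("no-enforced-expiry")
        # Password actually older than the policy allows (0 = change pending).
        if last_change and int(last_change) > 0:
            age = today_days - int(last_change)
            if age > max_age:
                issues.append(f"password-age-{age}d")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for account, issues in audit_password_aging(SAMPLE_SHADOW, date(2024, 6, 1)).items():
        print(account, ", ".join(issues))
```
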

Practice your incident response plan. IBM's Henderson recommended running a drill of your response plan (and refining, if necessary) so your staff can detect and contain the breach quickly should an incident occur.

Prevention against Employee Theft
It is vital for an organization, large or small, to have a fraud prevention plan in place. The fraud cases studied in the ACFE 2014 Report revealed that the fraudulent activities studied lasted an average of 18 months before being detected. Imagine the type of loss your company could suffer with an employee committing fraud for a year and a half. There are ways you can minimize fraud occurrences by implementing different procedures and controls.

Know Your Employees - Fraud perpetrators often display behavioural traits that can indicate the intention to commit fraud. Observing and listening to employees can help you identify potential fraud risk. It is important for management to be involved with their employees and take time to get to know them. Often, an attitude change can clue you in to a risk. This can also reveal internal issues that need to be addressed. For example, if an employee feels a lack of appreciation from the business owner or anger at their boss, this could lead him or her to commit fraud as a way of revenge. Any attitude change should cause you to pay close attention to that employee. This may not only minimize a loss from fraud, but can make the organization a better, more efficient place with happier employees. Listening to employees may also reveal other clues. Consider an employee who has worked for your company for 15 years and is now working 65 hours a week instead of 40 because two co-workers were laid off. A discussion with the employee reveals that in addition to his new, heavier workload, his brother lost his job and his family has moved into the employee’s house. This could be a signal of a potential fraud risk. Unfortunately, it is very often the employee you least expect who commits the crime. It is imperative to know your employees and engage them in conversation.

Make Employees Aware/Set Up Reporting System - Awareness affects all employees. Everyone within the organization should be aware of the fraud risk policy including types of fraud and the consequences associated with them. Those who are planning to commit fraud will know that management is watching and will hopefully be deterred by this. Honest employees who are not tempted to commit fraud will also be made aware of possible signs of fraud or theft. These employees are assets in the fight against fraud. According to the ACFE 2014 Report, most occupational fraud (over 40%) is detected because of a tip. While most tips come from employees of the organization, other important sources of tips are customers, vendors, competitors and acquaintances of the fraudster. Since many employees are hesitant to report incidents to their employers, consider setting up an anonymous reporting system. Employees can report fraudulent activity through a website keeping their identity safe or by using a tip hotline.

Implement Internal Controls - Internal controls are the plans and/or programs implemented to safeguard your company’s assets, ensure the integrity of its accounting records, and deter and detect fraud and theft. Segregation of duties is an important component of internal control that can reduce the risk of fraud occurring. For example, a retail store has one cash register employee, one salesperson, and one manager. The cash and check register receipts should be tallied by one employee while another prepares the deposit slip and the third brings the deposit to the bank. This can help reveal any discrepancies in the collections.

Documentation is another internal control that can help reduce fraud. Consider the example above; if sales receipts and preparation of the bank deposit are documented in the books, the business owner can look at the documentation daily or weekly to verify that the receipts were deposited into the bank.

Internal control programs should be monitored and revised on a consistent basis to ensure they are effective and current with technological and other advances. If you do not have an internal control process or fraud prevention program in place, then you should hire a professional with experience in this area. An expert will analyse the company’s policies and procedures, recommend appropriate programs and assist with implementation.

Monitor Vacation Balances - You might be impressed by the employees who haven’t missed a day of work in years. While these may sound like loyal employees, it could be a sign that these employees have something to hide and are worried that someone will detect their fraud if they were out of the office for a period of time. It is also a good idea to rotate employees to various jobs within a company. This may also reveal fraudulent activity as it allows a second employee to review the activities of the first.


Live the Corporate Culture - A positive work environment can prevent employee fraud and theft. There should be a clear organizational structure, written policies and procedures and fair employment practices. An open-door policy can also provide a great fraud prevention system as it gives employees open lines of communication with management. Business owners and senior management should lead by example and hold every employee accountable for their actions, regardless of position.
