e-Criminals turn up the heat on business
15 December 2008
Many big businesses are struggling to cope with IT risk and what they perceive as the growing threat of high-tech crime.
According to a membership survey by The Corporate IT Forum – the UK business association of over 150 large, blue-chip companies – 69% of companies reported increases, or dramatic increases, in deliberate high-tech crime.
The survey also found businesses spending more money on fighting digital crime: 68% said they are forced to spend up to 40% of their security budget protecting themselves against high-tech criminals.
Investigating e-crime
Worryingly, confidence in the UK authorities’ ability to tackle so-called e-crime is very low, despite the government establishing the Police Central e-crime Unit (PCeU) earlier this year.
Fifty-seven per cent of respondents said that they felt that incidents of e-crime would not be investigated properly if reported; as a consequence, just 4% of organisations surveyed said they ‘always report’ incidents, while 60% said they sometimes did and 36% said they rarely report them.
Scale of the problem
Digital crime is increasing. It rose by more than 9% in 2007 according to another new report from online identity firm Garlik. It says more than 3.5 million online crimes were committed in the UK last year.
The sharpest rise in 2007 was in online financial fraud, with more than 250,000 incidents reported, a 20% rise on the previous year.
The report highlights a growing professionalism among online criminals, with personal and credit details being traded online. Garlik said that the information black market doubled over the period, with more than 19,000 illicit traders identified.
Shopping mall for criminals
Dawn Simmons, Practice Leader of the cyber and IT risk team at Lloyd’s broker Jardine Lloyd Thompson, believes there will be an upsurge in e-crime as a direct result of the economic climate. “The internet is like a shopping mall to would-be criminals and e-crime is increasingly a preferred option, as it is easier to carry out and harder to detect,” she tells lloyds.com.
Paul Howard, Head of insurance and risk management at Sainsbury’s Supermarkets Ltd, says that e-crime is an ever-present risk and something that all companies have to face. But some companies are more vulnerable than others, he says.
“Some organizations might be more prone to ‘hacktivism’ for example, if they are involved in environmental issues, for instance. Companies that hold a lot of personal data will also be attractive to e-criminals,” Mr Howard says. “But as with ‘bricks & mortar’ crime, the most attractive companies are the ones with ineffective defences. If you make it difficult for criminals they will try again with someone else.”
Handling IT risk
Michael Porteous, Senior Consultant at Aon Global Risk Consulting, says that many large, global corporations do not handle IT risk well. He is developing a methodology that can be used to identify and quantify IT risk exposures.
“A great number of the larger companies simply don’t have the methodology in place to manage IT risk responsibly, to make their business processes more resilient,” he says.
Mr Porteous believes industry is very poorly prepared and that companies underestimate their own reliance on IT. “But criminals are increasingly sophisticated and do understand it,” he says. “They are becoming more organised, investing resources to identify and exploit small vulnerabilities in networks, which will result in large returns.”
Existing risk management philosophies are not widely applied to IT risk by big organisations, he says. There needs to be more focus on IT service providers and the risks around them, for example, Mr Porteous believes: “At the moment there is little or no IT risk accountability placed on organisations or their suppliers.
“IT budgets are huge – in the billions for big corporations – and there should be accountability for IT related losses for the sake of investors in the same way as corporations are held accountable for a poor M&A deal or poor financial risk management,” Mr Porteous says. “A major IT-related failure can create a similar sized IT loss that can damage a company’s reputation, result in loss of market share and impact shareholder value.”
JLT’s Dawn Simmons says that smaller companies are vulnerable too: “SMEs are increasingly targeted because they are typically not aware of their exposure to e-crimes, nor do they have the funds to sufficiently invest in IT security, resulting in them being more susceptible to e-crime.” Ms Simmons says that creates a problem for bigger companies as their critical suppliers are often SMEs.
Transferring risk
Both big corporations and SMEs can transfer some of their e-crime risk, however, as Simmons points out: “Insurance is available from Lloyd’s to cover risks such as extortion and denial of service attacks. There is a market for third party liability coverage related to breach of privacy or data loss and there are first party coverages related to security breaches,” she says.
Capacity for third party liability of up to £250 million is available for larger risks but affordable cover does depend on issues such as how much third party liability is capped and the demonstrable security measures in place.
Last updated on 15 Dec 2008