Introduction Paper
The Impact of Cybercrime: How IT Controls can be used to Prevent Internal and External Financial Frauds and the Best Way to Tackle This Growing Threat
Overview
Little more than two hundred years ago, the business market faced a significant threat from financial frauds because of a lack of established accounting regulations, oversight, and proper internal and external controls. Realizing the need for change, the author of the article Events that Shaped a Century (2005) discussed some of the highlights of the steps the accounting regulatory bodies began to take to implement change in key areas such as the financial standards, guidelines, and controls with which public companies are expected to comply (p. 1). Although legislation has been essential in establishing the high ethical and professional standards with which accounting is now associated, the threat from financial fraud has never gone away. Instead, as the markets and industries evolved, so too did the threats and risks associated with them.
The threat, however, is much larger than most realize. Cybercrime is one of the largest risks to business security and individual privacy. Currently, the rise and ubiquitous use of technology has led to a rapid increase in cybercrime and IT fraud. As Holtfreter and Harrington (2014) discussed, the vast majority of companies are not prepared, and are improperly protected, in the event they are targeted by a cybercrime or hack (p. 28). In order to properly address the threat, both business leaders and auditors must become educated on the current IT threats and proactive in establishing effective cyber security safeguards. Although there are many IT security threats, companies are at greatest risk from data breaches, or security breaches, where criminals target sensitive company information in either paper or electronic form. The threat can be either internal, from employees being able to improperly access information, or external, from hackers being able to access improperly guarded data (p. 28). Holtfreter and Harrington (2014) noted that Shawn Henry, a former member of the FBI’s Cyber Crime Unit, asserted:
I don’t see how we will ever come out of this without changes in technology or changes in behavior, because with the status quo, it’s an unsustainable model…in that you will never get ahead, never become secure, never have a reasonable expectation of privacy or security. (p. 28)
History
The sheer number and cost of cybercrimes are staggering. A recent article by CBS (2015) stated that there are over four thousand attacks every day across the Internet, which equals nearly three attacks each minute (p. 1). For the average business, CBS estimates an average of 46 attacks each day, with an average of 1.7 per week actually getting past the network security (p. 1). At this point, a data breach affecting one’s business or personal life is almost unavoidable. In 2014, almost half of Americans had some portion of their personal information stolen by a hacker (p. 1). In 2013, over 40% of companies reported a data breach that compromised consumer or company information (p. 1). As of 2015, the estimated amount of credit card fraud will total over $18 billion (p. 1).
Of course, these statistics have greatly increased in size and significance. According to CBS (2015), from 2012 to 2013 the rise in identity theft was 594% (p. 1). In his article, Parker (2015) reports that the Secret Service found the number of small business cyber-attacks had increased from 141 in 2009 to 761 in 2010 (p. 631). Perhaps the largest data breach in recent memory was the Target security breach in 2013. Krebs (2016) reported that during this attack hackers were able to access the CVV numbers and PIN numbers of over 70 million users, which had been incorrectly stored on corporate servers in an unencrypted state for ease of access (p. 1). Further systems testing revealed other security issues: weak or default passwords; outdated software, which meant vital security patches were missing; and, the biggest issue of all, the fact that once the hackers accessed the network, they were able to reach every area of the company, down to the cash registers at every store (p. 1). Bedner (2015) pointed out that at the time of the breach Target Corporation did not employ a Chief Information Security Officer or a compliance officer, and unfortunately, that is far too common (p. 30). Most individuals underestimate the threat cyber-attacks pose to them. In corporations, Bedner discussed how the response to an attack is generally reactive (p. 30). This is compounded because companies are often lulled into a false sense of security. Bedner states, “But at smaller companies, where budgets are tight and personnel are overworked, they just go to the IT person whose responsibility is to keep the organization running, thinking, ‘he understands security’” (p. 30).
Accounting Rules and Regulations
Before tackling cybercrime, the accounting bodies and governmental regulators were laying the groundwork for the acceptable standards within the business and accounting industry as they relate to the larger topic of fraud. Brink et al. (2013) discussed the impact of the Dodd-Frank Act of 2010, which was designed to reduce fraud by providing monetary rewards to whistleblowers who alert the Securities and Exchange Commission (SEC) to corporate fraud (p. 88). However, the most influential legislation to reduce fraud in the last century was the Sarbanes-Oxley Act of 2002. As Gupta et al. (2013) highlighted, the Sarbanes-Oxley Act required increased attention to the strength of internal controls, and also required that the executive management of public companies attest to the veracity of their financial statements (p. 374).
Since the rise in cybercrime, several new laws have been created in response. One of the most far-reaching is the Computer Fraud and Abuse Act of 1986 (CFAA). As Flowers et al. (2013) discussed, the CFAA criminalizes any unauthorized access to a computer, whether the activity is domestic or foreign (p. 4). DiLascio (2016) also pointed to the United States Cyber Command (USCYBERCOM), which was established in 2009 to help mitigate cyber-attacks on military network activity (p. 1). In 2008, the United States Department of Homeland Security created the National Cybersecurity Center, as well as the National Cyber Security Division (p. 1).
To address foreign cyber threats, many countries have established cyber laws as well. For example, Flowers et al. (2013) discussed how Europe has created the Council of Europe Convention on Cybercrime (p. 6). The Philippines is a notorious area for cybercrime due to its lack of effective oversight and prosecution. In 2012, the country made some efforts towards improvement in this area by establishing the Cybercrime Prevention Act (p. 14). The European Union has established a Computer Emergency Response Team (CERT-EU), as well as creating a European Cybercrime Center for the coordination of, and training in, effective cyber security prevention (p. 19).
As fraud and cybercrime have impacted legal regulations, these concepts also have significance in relation to accounting principles. The principles affected most when a cybercrime occurs are comparability, consistency, and relevance. As reiterated by the Federal Accounting Standards Advisory Board (2013), company data, from sensitive documents to corporate financials stored on company servers, must remain trustworthy, secure, and consistent year after year (p. 6). Fraud in any form will degrade the integrity of these principles, and it is likely that the company’s work will no longer be consistent, relevant, or reliable.
Purpose Statement and Research Questions
Properly managing and understanding IT fraud risk is one of the most important tasks for those in executive management and for those performing external audits of corporations. In order to prevent future large-scale financial frauds and data breaches, both corporations and auditors must be aware of the current security threats and the preventative measures available to them. While there have been numerous studies on financial fraud, IT audit, and cyber security, the problem is much greater than the general facts or statistics surrounding individual issues. Because cybercrime is generally underestimated, both companies and auditors fail to place proper emphasis on locating and mitigating potential security vulnerabilities that may result in serious financial loss for the company. The purpose of this study will be to explore the impact of cybercrime. More specifically, the study will look at how cybercrime has affected behavior and how corporations and auditors can improve practices to help mitigate cyber-attack and fraud risk. The study will also provide analysis of common cyber-attack methods, so the reader can gain a better understanding and, hopefully, take preventive action. The research questions are as follows:
1. What is cybercrime?
2. What is the impact of the current laws surrounding cybercrime?
3. What are some common and dangerous attacks?
4. What steps can a corporation take to increase its IT security practices?
5. What steps can an auditor take to become more aware of potential IT vulnerabilities?
6. Is the cost of securing IT worthwhile for the average company?