As cyberespionage and ransomware attacks wreak increasing damage on the world economy, it makes sense that many companies think their biggest threats comes from external actors. But most risk still emanates from inside the organization, according to the Kroll's Global Fraud & Risk Report.

The report was based on a survey conducted among 540 senior executives across six continents and found that a significant amount of companies' fraud, cybersecurity and security incidents were caused by current or former employees.

Ex-employees, for example, were key perpetrators in 37 percent of security incidents that happened outside the cyber realm. What's more, 25 percent of security incidents were caused by middle- or senior-level employees, while 26 percent were by junior employees.

Junior employees were also the most likely to cause fraud incidents, followed by ex-employees.

And while most cybersecurity incidents were caused by random cyberattackers, at 34 percent, ex-employees still accounted for 28 percent of all attacks, while senior or middle management employees accounted for 19 percent, and junior employees 16 percent.

Alan Brill, senior managing director with Kroll's cyber security and investigations practice, noted that oftentimes, organizations will concentrate too much on high-tech cybersecurity needs, such as protecting their networks, and miss the fact that their biggest “risk factor comes from those who have access to sensitive information.”

One major shortcoming among organizations is not properly ensuring former employees do not have access to enterprise systems. “You need to be able to not just plan the steps the company is going to take [when an employee leaves], but you have to have a way of knowing that the steps are actually being done. I think in many cases, there is a disconnect from what managers believe is being done and what is happening on the ground,” Brill said.

Brill also advised organizations to ensure that “the right agreements are [in] place” to limit employees' and contractors' access to sensitive information, and train employees on the appropriate data handling procedures.

Most companies surveyed took measures to mitigate the risk of insider threats. Over 80 percent restricted employees from installing software on company devices and had employee training programs. Over 75 percent had internal cybersecurity policies and procedures.

But Brill noted that it's not enough to just have security programs and policies without constantly reviewing their usefulness. He said that many companies need to use “metrics to understand if what they're doing is effective,” and build their security programs around tested results.

Such proven programs are becoming increasingly necessary given the wide range of fraud and cybersecurity incidents that organizations face in the current economy. The survey found, for example, that 29 percent of respondent companies suffered fraud, which resulted in information theft, loss or attack, while 27 percent had theft of physical assets or stock, and 26 percent uncovered a conflict of interest.

Information theft and conflict of interest incidents were experienced by 5 percent more companies in 2017 than in 2016, the biggest increase among all types of fraud incidents.

Brill noted that such conflict of interest incidents are becoming more common as enterprises rely on more vendors in their supply chain and as compliance offices become “more able to detect conflicts of interest” through the use of better compliance technology.

With regards to cyber incidents, the survey found the amount of companies attacked by malicious viruses rose 3 percent to 36 percent in 2017, while those suffering email phishing attacks rose 7 percent to 33 percent, which Brill attributed to such scams becoming more sophisticated.

When compared with the 2015 survey results, respondents believed they're more vulnerable to all types of threats in 2017 than they were two years prior, with the exception of theft of physical assets or stock. Areas where respondents believe their vulnerability had increased the most since 2015 included IP theft, management of conflicts of interest, and market collusion.