Combating the evolving threat of fraud

May 2018 Editor's Choice, Security Services & Risk Management

It is impossible to pin an exact number on how much fraud costs the South African economy, but analysis of leading research reports on the subject puts it easily in the billions of rands per year. According to a February 2018 report by PWC, the proportion of South African organisations that have experienced economic crime now stands at a shocking 77%.

Fraud risk today is faced by companies from internal, external, regulatory and reputational avenues, and while senior management is taking centre stage as a growing threat from within, the report also revealed that fraud committed by consumers ranked as the second most reported economic crime over the 24-month period studied.

Although the sources and methods of committing fraud are ever-changing, human nature tells us that people have probably been committing fraud against each other ever since mankind started trading goods. A man who knows all too well that the weakest link in this chain is the human one, is Garth de Klerk, CEO of the South African Insurance Crime Bureau (SAICB). “Fraud is a contact sport,” he says, “and although fraudsters are always developing more high-tech approaches, the vulnerability of individuals to be corrupted remains at the core of the problem.”

While acts like burning down one’s own building to claim on the insurance money will always be one type of approach (what de Klerk euphemistically refers to as ‘fraud light’), the bigger issue is large-scale fraud perpetrated by criminal syndicates. These syndicates target an individual, or individuals, within an organisation with promises of generous sums of money and/or threats to coerce them into helping to infiltrate the organisation’s internal systems. After taking the first bribe, the insider becomes even easier for the syndicate to control by threatening to expose their previous crime.

De Klerk says it is vital that businesses implement best-practice approaches like segregation of duties, and that they have internal controls in place which are thoroughly documented, implemented and enforced. “Not only should these principles be rigorously applied, they should be prominently advertised internally to serve as a deterrent,” he adds.

If an employee suspects fraud is taking place within their organisation, de Klerk advises they should approach the relevant management structure with their suspicions, and they can take confidence from the fact that laws are in place to protect the rights of whistle blowers. “Once notified, a company must report the fraud to the SAPS to initiate an investigation into the matter,” he continues. “It is essential for companies to take decisive action so that they are seen clearly to be hard on fraud – a zero-tolerance policy is the most effective strategy.”

This zero-tolerance policy is paying dividends in the insurance sector in particular, thanks to the efforts of the non-profit SAICB. The bureau has had a number of high-profile insurance companies join its ranks as members over the last few months, as they are embracing the benefits of a centralised approach that allows them to recognise commonalities across the different members’ operations.

On the subject of emerging and future threats, de Klerk warns that criminal syndicates are becoming smarter in everything they do. For example, as they are becoming more cyber-savvy, so-called spear phishing attacks on C-suite executives are becoming more commonplace and more sophisticated. “What is more, these syndicates are growing increasingly smart about understanding the law and how to manipulate it to their own ends,” he warns.

The cyber threat is real

According to Nobuhle Nkosi, head of financial lines Africa at Allianz Global Corporate & Speciality (AGCS), “Last year was another record-breaker for data breaches. In 2017, the Equifax breach leaked the personal information of approximately 143 million individuals (44% of the US population). The NSA leak of multiple exploits was widely used by popular ransomware. And in 2016, 57 million Uber accounts were released from a data breach.”

Nkosi refers to the results of the 2018 SonicWall cyber threat report released in March, which highlighted the fact that with WannaCry, Petya and Bad Rabbit all becoming headline news in 2017, ransomware was a hot topic for the second year in a row. “SonicWall Capture Labs threat researchers found that while attackers didn’t push the same volume as they did in 2016, the number of variants jumped considerably,” she states.

SonicWall Capture Labs detected 184 million ransomware attacks in 2017 compared to 638 million in 2016, however there was also a corresponding 101,2% increase in new ransomware variants – a key indicator that attack strategies are shifting. While ransomware volume took a substantial dip, other malware attacks jumped significantly in 2017. All told, SonicWall logged 9,32 billion attacks – an 18,4% increase over 2016.

Threats to watch out for in 2018

“As digitalisation together with smart factories increase across grids, machines, public networks and other facilities, cyber incidents may disrupt many industries. New vulnerabilities are arising in which cyber criminals could exploit the increase in interconnectivity. Whether accidental or planned, the end result of these incidents is business interruption. Businesses across all sectors may be impacted,” Nkosi portends.

As the SonicWall cyber threat report puts it, data breaches and cyberattacks are no longer back-of-mind concerns. To the modern executive, they represent the number one risk to business, brand, operations and financials – so much so that the premier insurance sector is very considerate of cyberattacks.

While the Meltdown and Spectre vulnerabilities were first disclosed to the public in early 2018, the processor vulnerabilities were actually discovered last year. In fact, Intel notified Chinese technology companies of the vulnerability before alerting the US government. SonicWall adds that threat actors and cybercriminals are already leveraging memory as an attack vector. “Since these memory-based attacks are using proprietary encryption methods that can’t be decrypted, organisations must quickly detect, capture and track these attacks once they’re exposed in memory - usually in fewer than 100 nanoseconds. Chip-based attacks will be at the forefront of the cyber arms race for some time to come,” the company predicts.

The Internet of Things (IoT) was also a big target, demonstrated by the new IoT Reaper botnet that borrows code from 2016’s first IoT open-source botnet, Mirai. The SonicWall report expects that IoT devices will be in the crosshairs in 2018, as ‘smart’ hardware is not updated regularly and is often physically located in unknown or hard-to-reach places.

Mitigating the risks

Nkosi explains that a way for companies to mitigate against cyber risk is to employ a chief information security officer (CISO) or equivalent to implement a comprehensive information security management system (ISMS). “Although it is costly and time consuming, it is necessary not just for the information security but also for the long-term health of the business,” she says.

She further makes reference to the 2017 cost of cybercrime study conducted by Accenture, which found that by taking the following three steps, organisations can further improve the effectiveness of their cybersecurity efforts to fend off and reduce the impact of cybercrime:

1. Invest in security intelligence and advanced access management, and yet recognise the need to innovate to stay ahead of the hackers.

2. Organisations should not rely on compliance alone to enhance their security profile but undertake extreme pressure testing to

identify vulnerabilities more rigorously than even the most highly motivated attacker.

3. Balance spend on new technologies, specifically analytics and artificial intelligence, to enhance programme effectiveness and scale value.

The Accenture study further concluded that “Organisations need to recognise that spending alone does not always equate to value. Beyond prevention and remediation, if security fails, companies face unexpected costs from not being able to run their businesses efficiently to compete in the digital economy. Knowing which assets must be protected, and what the consequences will be for the business if protection fails, requires an intelligent security strategy that builds resilience from the inside out and an industry-specific strategy that protects the entire value chain. As this research shows, making wise security investments can help to make a difference.”



Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Winners of the 2025 Southern Africa OSPAs
Editor's Choice
The winners of the 2025 Southern Africa Outstanding Security Performance Awards (OSPAs) were revealed on Wednesday, 4th June, at Securex South Africa. Winners from all categories (except the Lifetime Achievement) will be featured in the second Global OSPAs set to take place in 2026.

Read more...
Deepfakes and digital trust
Editor's Choice
By securing the video right from the specific camera that captured it, there is no need to prove the chain of custody for the video, you can verify the authenticity at every step.

Read more...
A new generational framework
Editor's Choice Training & Education
Beyond Generation X, and Millennials, Dr Chris Blair discusses the seven decades of technological evolution and the generations they defined, from the 1960’s Mainframe Cohort, to the 2020’s AI Navigators.

Read more...
From the editor's desk: Showtime for Securex
Technews Publishing News & Events
We have once again reached the time of year when the security industry focuses on Securex. This issue includes a short preview, with more coming online and via our special Securex Preview news briefs. ...

Read more...
Chubbsafes celebrates 190 years
Gunnebo Safe Storage Africa News & Events Security Services & Risk Management
Chubbsafes marks its 190th anniversary in 2025 and as a highlight of the anniversary celebrations it is launching the Chubbsafes 1835, a limited edition 190th-anniversary collector’s safe.

Read more...
New law enforcement request portal
News & Events Security Services & Risk Management
inDrive launches law enforcement request portal in South Africa to support safety investigations. New portal allows authorised South African law enforcement officials to securely request user data related to safety incidents.

Read more...
Continuous AML risk monitoring
Access Control & Identity Management Security Services & Risk Management Financial (Industry)
AU10TIX, launched continuous risk monitoring as part of its advanced anti-money laundering (AML) solution, empowering businesses to detect behavioural anomalies and emerging threats as they arise.

Read more...
Back-up securely and restore in seconds
Betatrac Telematic Solutions Editor's Choice Information Security Infrastructure
Betatrac has a solution that enables companies to back-up up to 8 TB of data onto a device and restore it in 30 seconds in an emergency, called Rapid Access Data Recovery (RADR).

Read more...
Key design considerations for a control room
Leaderware Editor's Choice Surveillance Training & Education
If you are designing or upgrading a control room, or even reviewing or auditing an existing control room, there are a number of design factors that one would need to consider.

Read more...
Digitising security solutions with AI and smart integration
Regal Security Distributors SA Technews Publishing Integrated Solutions
The Regal Projects Team’s decades of experience and commitment to integration have brought the digital security guard to life as a trusted force for safer, smarter living.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.