Combating the evolving threat of fraud

May 2018 Editor's Choice, Security Services & Risk Management

It is impossible to pin an exact number on how much fraud costs the South African economy, but analysis of leading research reports on the subject puts it easily in the billions of rands per year. According to a February 2018 report by PWC, the proportion of South African organisations that have experienced economic crime now stands at a shocking 77%.

Fraud risk today is faced by companies from internal, external, regulatory and reputational avenues, and while senior management is taking centre stage as a growing threat from within, the report also revealed that fraud committed by consumers ranked as the second most reported economic crime over the 24-month period studied.

Although the sources and methods of committing fraud are ever-changing, human nature tells us that people have probably been committing fraud against each other ever since mankind started trading goods. A man who knows all too well that the weakest link in this chain is the human one, is Garth de Klerk, CEO of the South African Insurance Crime Bureau (SAICB). “Fraud is a contact sport,” he says, “and although fraudsters are always developing more high-tech approaches, the vulnerability of individuals to be corrupted remains at the core of the problem.”

While acts like burning down one’s own building to claim on the insurance money will always be one type of approach (what de Klerk euphemistically refers to as ‘fraud light’), the bigger issue is large-scale fraud perpetrated by criminal syndicates. These syndicates target an individual, or individuals, within an organisation with promises of generous sums of money and/or threats to coerce them into helping to infiltrate the organisation’s internal systems. After taking the first bribe, the insider becomes even easier for the syndicate to control by threatening to expose their previous crime.

De Klerk says it is vital that businesses implement best-practice approaches like segregation of duties, and that they have internal controls in place which are thoroughly documented, implemented and enforced. “Not only should these principles be rigorously applied, they should be prominently advertised internally to serve as a deterrent,” he adds.

If an employee suspects fraud is taking place within their organisation, de Klerk advises they should approach the relevant management structure with their suspicions, and they can take confidence from the fact that laws are in place to protect the rights of whistle blowers. “Once notified, a company must report the fraud to the SAPS to initiate an investigation into the matter,” he continues. “It is essential for companies to take decisive action so that they are seen clearly to be hard on fraud – a zero-tolerance policy is the most effective strategy.”

This zero-tolerance policy is paying dividends in the insurance sector in particular, thanks to the efforts of the non-profit SAICB. The bureau has had a number of high-profile insurance companies join its ranks as members over the last few months, as they are embracing the benefits of a centralised approach that allows them to recognise commonalities across the different members’ operations.

On the subject of emerging and future threats, de Klerk warns that criminal syndicates are becoming smarter in everything they do. For example, as they are becoming more cyber-savvy, so-called spear phishing attacks on C-suite executives are becoming more commonplace and more sophisticated. “What is more, these syndicates are growing increasingly smart about understanding the law and how to manipulate it to their own ends,” he warns.

The cyber threat is real

According to Nobuhle Nkosi, head of financial lines Africa at Allianz Global Corporate & Speciality (AGCS), “Last year was another record-breaker for data breaches. In 2017, the Equifax breach leaked the personal information of approximately 143 million individuals (44% of the US population). The NSA leak of multiple exploits was widely used by popular ransomware. And in 2016, 57 million Uber accounts were released from a data breach.”

Nkosi refers to the results of the 2018 SonicWall cyber threat report released in March, which highlighted the fact that with WannaCry, Petya and Bad Rabbit all becoming headline news in 2017, ransomware was a hot topic for the second year in a row. “SonicWall Capture Labs threat researchers found that while attackers didn’t push the same volume as they did in 2016, the number of variants jumped considerably,” she states.

SonicWall Capture Labs detected 184 million ransomware attacks in 2017 compared to 638 million in 2016, however there was also a corresponding 101,2% increase in new ransomware variants – a key indicator that attack strategies are shifting. While ransomware volume took a substantial dip, other malware attacks jumped significantly in 2017. All told, SonicWall logged 9,32 billion attacks – an 18,4% increase over 2016.

Threats to watch out for in 2018

“As digitalisation together with smart factories increase across grids, machines, public networks and other facilities, cyber incidents may disrupt many industries. New vulnerabilities are arising in which cyber criminals could exploit the increase in interconnectivity. Whether accidental or planned, the end result of these incidents is business interruption. Businesses across all sectors may be impacted,” Nkosi portends.

As the SonicWall cyber threat report puts it, data breaches and cyberattacks are no longer back-of-mind concerns. To the modern executive, they represent the number one risk to business, brand, operations and financials – so much so that the premier insurance sector is very considerate of cyberattacks.

While the Meltdown and Spectre vulnerabilities were first disclosed to the public in early 2018, the processor vulnerabilities were actually discovered last year. In fact, Intel notified Chinese technology companies of the vulnerability before alerting the US government. SonicWall adds that threat actors and cybercriminals are already leveraging memory as an attack vector. “Since these memory-based attacks are using proprietary encryption methods that can’t be decrypted, organisations must quickly detect, capture and track these attacks once they’re exposed in memory - usually in fewer than 100 nanoseconds. Chip-based attacks will be at the forefront of the cyber arms race for some time to come,” the company predicts.

The Internet of Things (IoT) was also a big target, demonstrated by the new IoT Reaper botnet that borrows code from 2016’s first IoT open-source botnet, Mirai. The SonicWall report expects that IoT devices will be in the crosshairs in 2018, as ‘smart’ hardware is not updated regularly and is often physically located in unknown or hard-to-reach places.

Mitigating the risks

Nkosi explains that a way for companies to mitigate against cyber risk is to employ a chief information security officer (CISO) or equivalent to implement a comprehensive information security management system (ISMS). “Although it is costly and time consuming, it is necessary not just for the information security but also for the long-term health of the business,” she says.

She further makes reference to the 2017 cost of cybercrime study conducted by Accenture, which found that by taking the following three steps, organisations can further improve the effectiveness of their cybersecurity efforts to fend off and reduce the impact of cybercrime:

1. Invest in security intelligence and advanced access management, and yet recognise the need to innovate to stay ahead of the hackers.

2. Organisations should not rely on compliance alone to enhance their security profile but undertake extreme pressure testing to

identify vulnerabilities more rigorously than even the most highly motivated attacker.

3. Balance spend on new technologies, specifically analytics and artificial intelligence, to enhance programme effectiveness and scale value.

The Accenture study further concluded that “Organisations need to recognise that spending alone does not always equate to value. Beyond prevention and remediation, if security fails, companies face unexpected costs from not being able to run their businesses efficiently to compete in the digital economy. Knowing which assets must be protected, and what the consequences will be for the business if protection fails, requires an intelligent security strategy that builds resilience from the inside out and an industry-specific strategy that protects the entire value chain. As this research shows, making wise security investments can help to make a difference.”


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Sustainability School opens for enrolment
Education (Industry) News Security Services & Risk Management
Three-part programme, first developed for Schneider Electric employees, is now available for free for companies worldwide. Attendees learn how to future-proof their businesses and accelerate their decarbonisation journeys.

From the editor's desk: Get Smart
Technews Publishing News
      Welcome to the fourth issue of Hi-Tech Security Solutions for 2023, which is also the first issue of Smart Security Solutions. As noted in previous issues, Hi-Tech Security Solutions has been rebranded ...

Accenture Technology Vision 2023
Editor's Choice News
New report states that generative AI is expected to usher in a ‘bold new future’ for business, merging physical and digital worlds, transforming the way people work and live.

Economists divided on global economic recovery
Editor's Choice News
Growth outlook has strengthened in all regions, but chief economists are divided on the likelihood of a global recession in 2023; experts are concerned about trade-off between managing inflation and maintaining financial stability, with 76% anticipating central banks to struggle to bring down inflation.

Success in business process best practices
Technews Publishing Kleyn Change Management Editor's Choice Integrated Solutions Security Services & Risk Management
This month we commandeer time with the woman who is spearheading our national conversation on Women in Security, Lesley-Anne Kleyn, to get to know the lady herself a little better.

Security awareness training
Training & Education Security Services & Risk Management
It is critically important to have a security awareness solution that uses the limited time available to train effectively, and one that provides targeted education that is relevant to users.

Technology to thwart solar panel thieves
Asset Management, EAS, RFID Security Services & Risk Management Products
A highly efficient industrial network is coming to the rescue of the solar industry, as solar panels, inverters and batteries are being targeted by thieves and threaten to destabilise the industry.

Banking the unbanked comes with security risks
Financial (Industry) Security Services & Risk Management
As grim as it was, the pandemic of recent years and its resultant global economic crisis were a prime catalyst for record number of first-time bank users, the previously unbanked.

Vulnerabilities in industrial cellular routers’ cloud management platforms
Industrial (Industry) Cyber Security Security Services & Risk Management
Research from OTORIO, a provider of operational technology cyber and digital risk management solutions, unveils cyber risks in M2M protocols and asset registration that expose hundreds of thousands of devices and OT networks to attack

Smart Security Solutions
Technews Publishing Products
Stop by the Smart Security Solutions stand at Securex and discover the new rebranded Hi-Tech Security Solutions. Given the realities in the market we face today, effective security is no longer a silo ...