printer friendly version

Combating the evolving threat of fraud

It is impossible to pin an exact number on how much fraud costs the South African economy, but analysis of leading research reports on the subject puts it easily in the billions of rands per year. According to a February 2018 report by PWC, the proportion of South African organisations that have experienced economic crime now stands at a shocking 77%.

Fraud risk today is faced by companies from internal, external, regulatory and reputational avenues, and while senior management is taking centre stage as a growing threat from within, the report also revealed that fraud committed by consumers ranked as the second most reported economic crime over the 24-month period studied.

Although the sources and methods of committing fraud are ever-changing, human nature tells us that people have probably been committing fraud against each other ever since mankind started trading goods. A man who knows all too well that the weakest link in this chain is the human one, is Garth de Klerk, CEO of the South African Insurance Crime Bureau (SAICB). “Fraud is a contact sport,” he says, “and although fraudsters are always developing more high-tech approaches, the vulnerability of individuals to be corrupted remains at the core of the problem.”

While acts like burning down one’s own building to claim on the insurance money will always be one type of approach (what de Klerk euphemistically refers to as ‘fraud light’), the bigger issue is large-scale fraud perpetrated by criminal syndicates. These syndicates target an individual, or individuals, within an organisation with promises of generous sums of money and/or threats to coerce them into helping to infiltrate the organisation’s internal systems. After taking the first bribe, the insider becomes even easier for the syndicate to control by threatening to expose their previous crime.

De Klerk says it is vital that businesses implement best-practice approaches like segregation of duties, and that they have internal controls in place which are thoroughly documented, implemented and enforced. “Not only should these principles be rigorously applied, they should be prominently advertised internally to serve as a deterrent,” he adds.

If an employee suspects fraud is taking place within their organisation, de Klerk advises they should approach the relevant management structure with their suspicions, and they can take confidence from the fact that laws are in place to protect the rights of whistle blowers. “Once notified, a company must report the fraud to the SAPS to initiate an investigation into the matter,” he continues. “It is essential for companies to take decisive action so that they are seen clearly to be hard on fraud – a zero-tolerance policy is the most effective strategy.”

This zero-tolerance policy is paying dividends in the insurance sector in particular, thanks to the efforts of the non-profit SAICB. The bureau has had a number of high-profile insurance companies join its ranks as members over the last few months, as they are embracing the benefits of a centralised approach that allows them to recognise commonalities across the different members’ operations.

On the subject of emerging and future threats, de Klerk warns that criminal syndicates are becoming smarter in everything they do. For example, as they are becoming more cyber-savvy, so-called spear phishing attacks on C-suite executives are becoming more commonplace and more sophisticated. “What is more, these syndicates are growing increasingly smart about understanding the law and how to manipulate it to their own ends,” he warns.

The cyber threat is real

According to Nobuhle Nkosi, head of financial lines Africa at Allianz Global Corporate & Speciality (AGCS), “Last year was another record-breaker for data breaches. In 2017, the Equifax breach leaked the personal information of approximately 143 million individuals (44% of the US population). The NSA leak of multiple exploits was widely used by popular ransomware. And in 2016, 57 million Uber accounts were released from a data breach.”

Nkosi refers to the results of the 2018 SonicWall cyber threat report released in March, which highlighted the fact that with WannaCry, Petya and Bad Rabbit all becoming headline news in 2017, ransomware was a hot topic for the second year in a row. “SonicWall Capture Labs threat researchers found that while attackers didn’t push the same volume as they did in 2016, the number of variants jumped considerably,” she states.

SonicWall Capture Labs detected 184 million ransomware attacks in 2017 compared to 638 million in 2016, however there was also a corresponding 101,2% increase in new ransomware variants – a key indicator that attack strategies are shifting. While ransomware volume took a substantial dip, other malware attacks jumped significantly in 2017. All told, SonicWall logged 9,32 billion attacks – an 18,4% increase over 2016.

Threats to watch out for in 2018

“As digitalisation together with smart factories increase across grids, machines, public networks and other facilities, cyber incidents may disrupt many industries. New vulnerabilities are arising in which cyber criminals could exploit the increase in interconnectivity. Whether accidental or planned, the end result of these incidents is business interruption. Businesses across all sectors may be impacted,” Nkosi portends.

As the SonicWall cyber threat report puts it, data breaches and cyberattacks are no longer back-of-mind concerns. To the modern executive, they represent the number one risk to business, brand, operations and financials – so much so that the premier insurance sector is very considerate of cyberattacks.

While the Meltdown and Spectre vulnerabilities were first disclosed to the public in early 2018, the processor vulnerabilities were actually discovered last year. In fact, Intel notified Chinese technology companies of the vulnerability before alerting the US government. SonicWall adds that threat actors and cybercriminals are already leveraging memory as an attack vector. “Since these memory-based attacks are using proprietary encryption methods that can’t be decrypted, organisations must quickly detect, capture and track these attacks once they’re exposed in memory - usually in fewer than 100 nanoseconds. Chip-based attacks will be at the forefront of the cyber arms race for some time to come,” the company predicts.

The Internet of Things (IoT) was also a big target, demonstrated by the new IoT Reaper botnet that borrows code from 2016’s first IoT open-source botnet, Mirai. The SonicWall report expects that IoT devices will be in the crosshairs in 2018, as ‘smart’ hardware is not updated regularly and is often physically located in unknown or hard-to-reach places.

Mitigating the risks

Nkosi explains that a way for companies to mitigate against cyber risk is to employ a chief information security officer (CISO) or equivalent to implement a comprehensive information security management system (ISMS). “Although it is costly and time consuming, it is necessary not just for the information security but also for the long-term health of the business,” she says.

She further makes reference to the 2017 cost of cybercrime study conducted by Accenture, which found that by taking the following three steps, organisations can further improve the effectiveness of their cybersecurity efforts to fend off and reduce the impact of cybercrime:

1. Invest in security intelligence and advanced access management, and yet recognise the need to innovate to stay ahead of the hackers.

2. Organisations should not rely on compliance alone to enhance their security profile but undertake extreme pressure testing to

identify vulnerabilities more rigorously than even the most highly motivated attacker.

3. Balance spend on new technologies, specifically analytics and artificial intelligence, to enhance programme effectiveness and scale value.

The Accenture study further concluded that “Organisations need to recognise that spending alone does not always equate to value. Beyond prevention and remediation, if security fails, companies face unexpected costs from not being able to run their businesses efficiently to compete in the digital economy. Knowing which assets must be protected, and what the consequences will be for the business if protection fails, requires an intelligent security strategy that builds resilience from the inside out and an industry-specific strategy that protects the entire value chain. As this research shows, making wise security investments can help to make a difference.”

Share this article:

Further reading: