South Africa Second Most Targeted Cybercrime Country
In this regard the Global Economic Crime and Fraud Survey 2018 – Sixth South African Edition-- published by PWC and available at https://www.pwc.co.za/en/assets/pdf/gecs-2018.pdf makes enlightening reading. The report highlights many of the issues important to the combatting of fraud generally but that apply equally in approaches that we may take to protecting personal information and combatting cybercrime.
In the first instance South Africa ranks number 1 in the top 10 countries reporting most economic crime, the incidence of 77% of organisations being adversely affected by fraud. Dealing with the category of cybercrime, South Africa ranks second in the world and the headline provided by PWC is “Surprisingly, while the instances of reported cybercrime shows a small decrease in the South African context, it retains its second place in the global rankings, albeit at a lower rate of occurrence than 2016”.
Looking to the future, the report states “... more than a quarter of South African respondents (26%) believe that cybercrime will be the most disruptive economic crime to affect their organisations over the next 24 months.” This is extremely significant and the report poses the question “In light of investigating fraud costing up to 10 times as much as the fraud itself, potentially amounting to millions of Rand, are we not still being too reactive?” The answer to that question lies to some extent to the attitude taken by boards and senior executives to the protection of personal information and compliance with legislation in this regard. Very often the “tone at the top” referred to by PWC consists of the “right words”. Once that veneer is scratched the failure to act on those “rights words” belies the true motivations of C-suite and senior executives. We have seen in many other countries the damaging effect reported breaches of personal information may have on a company. Indeed, recently the Liberty Life hack resulted in a sharp drop in the share value of the company. This reinforces what PWC are saying and in the light of bad behaviour being discovered “... both company and leadership could lose much of their goodwill faster than they acquired it.”
The reaction of Liberty Life in controlling the damage of the discovery of the hack it to emphasise that there was no financial loss to clients. This deflected from the fact that it failed miserably in protecting sensitive personal information of its clients. As the raw material of cybercrime is personal information, their seeming disregard for the other consequences of the hack by Liberty is quite astounding. The generalised and vague answers to clients’ questions and its reluctance to provide the specifics about the personal information that may have been affected, to which clients have a right, simply reinforces the subordination of the clients’ constitutional right of privacy to a lesser consideration than maximising financial results. This is contrary to the Twin Peaks model that the financial sector claims should be the measure of a company’s actions.
A similar instance occurred with Standard Bank and the credit card fraud perpetrated against it. Aside from a reported R300 million loss and the fact that the bank’s clients did not suffer any loss, we know nothing more. What actually went wrong? To what extent may their clients have been indirectly compromised? These are questions that would be answered had the implementation of the Protection of Personal Information Act had not been patently delayed by the powers that be and an independent Information Regulator been operationally functional.
The question for organisations in South Africa relating to the protection of personal information and combatting cybercrimes is, will they follow the example of the ruling party’s failure in governance and its reluctance to act against senior politicians and officials resulting in enormous damage to the South African economy at the expense of South African citizens? Or will they act proactively, take responsibility and be accountable for how the organisations protect personal information and combat cybercrime? It is a choice to act properly and lawfully or by failing to do so, to aid and abet criminals that may attack your customers. As PWC observes: “Your customers are the lifeblood of your business. As business models continue to evolve through the digital revolution, many are getting exposed to payment fraud for the first time. How you handle that fraud will profoundly affect your own outcomes.”
©Mark Heyink 2018