In Summary

The young technophile and the finance savvy guy, who has worked for one organisation for several years, is the apple of any human resource manager’s eye.

But increasingly, this is becoming the profile of the most dangerous employee in most East African companies — seen as the mastermind of the rising number of fraud cases in the region.

Improved technology, a growing number of techno-savvy employees and increased access to the Internet have opened up companies in the East African region to fraudsters, according to anti-fraud experts and business executives. Further, companies are ill-prepared to fight this intrusion, which is costing them millions of dollars annually arising from information security breaches and corporate theft.

This is the conclusion reached by risk researchers at financial advisory firm Deloitte in the report 2011 East Africa Security Study Report: Protecting What Matters, released on Thursday last week.

According to the report, 60 per cent of organisations in the region see financial fraud as the threat could have the biggest impact on their business in the next one year.

Risk experts said while rising cases of fraud are motivated by personal greed, there are increasing cases which are driven by pressure on individuals to achieve higher profit and budget targets.

Profits

Across the region, companies are putting their executives under renewed pressure to deliver on profit targets on the back of a poor economic growth outlook.

Surging food and fuel-driven inflation and exchange rate volatility have dimmed the economic outlook for this year in most EAC countries, spreading fears of low corporate earnings next year, should the situation worsen, and putting companies on notice to cushion their profitability.

The Deloitte report surveyed executives mainly from financial services, energy, telecoms and manufacturing in Kenya, Uganda and Tanzania. Security analysts said regional firms are not prepared for the potential security threat, especially financial institutions which present the most attractive targets due to the lure of money that can be easily siphoned out of accounts.
“Fraud is a threat but banks have been upping their cushions to fight it. Fraud trends are moving away from cheques where we have put enough controls,” said Habil Olaka, the chief executive officer at the Kenya Bankers Association, the industry lobby.

“Going forward, we expect the number of fraud attempts and the money being targeted to rise but cases of success might not be significant,” he added.

More than half — 54 per cent — of the companies polled by Deloitte said they were not doing anything or were simply not concerned with cyber-criminal capabilities.

Deloitte said weak control structures in most EAC companies are making it easy for fraudsters, exposing companies to costly financial and reputational risks.

It estimates that financial institutions in Kenya alone are reeling from losses of nearly $30 million through fraud cases reported in 2010.

In the first quarter, the firm says about $3.7 million was lost, with the second quarter recording a higher figure of $3.9 million. In the third-quarter, $17 million was siphoned with $5 million disappearing in December alone.

In Uganda, it is estimated that about 7 per cent of an average organisation’s annual revenue is lost to fraud while financial institutions and telecoms lose between 15-20 per cent of their annual revenue to fraudsters.

Fraud is one of the major risks facing Uganda’s insurance companies, according to the Institute of Internal Auditors of Uganda.

Risk experts cited identity theft, electronic funds transfer, bad cheques, credit card fraud, loan fraud, forgery of documents and investment scandals as some of the ways used to defraud financial institutions in the region.

“Organisations in East Africa are ill-prepared to detect, prevent and investigate information security breaches….some barriers include lack of sufficient budgets, lack of skilled professionals and visibility within the organisation,” said Julie Nyang’aya, partner, enterprise risk services at Deloitte East Africa.

“Insider fraud poses the greatest growing threat to East Africa businesses.

The average fraudster is no longer a ghostly outsider probing your organisation for vulnerabilities, but an insider.”

Audit firm KPMG in its 2011 report dubbed Analysis of Global Patterns of Fraud: Who is the Typical Fraudster gives the profile of a fraudster as a male, 36-45 years old employee who most likely works in the finance function or in a finance- related role, holds a senior management position and has worked for the company for more than 10 years.

Growing cases of fraud and cyber crime mean that companies will have to invest more money in detection and preventive mechanisms as today’s fraudsters are more adept and sophisticated, meaning strategies to thwart them must be tactical and cutting edge.

Safaricom, for example, has been running campaigns educating users of its mobile money service M-Pesa on how to avoid exposing themselves to fraud as it tightens security controls in the system.

Anti-fraud experts fear that M-Pesa’s unparalleled success in the money transfer business is a perfect target for cyber criminals who can expose the system to huge losses.

Last year, the company said it had only reported suspected or actual fraud in 0.006 per cent of total transactions since its inception four years ago.

The EAC is considering adopting uniform laws to fight growing incidents of cyber crime covering electronic transactions, signatures and authentication, cyber crime, data protection and privacy.

The policy has already been approved by the EAC Council of Ministers in what could usher in stronger anti-fraud laws in the region.

Technology market players say hacking is expected to grow in the coming, months as more businesses go online with the arrival of fibre-optic cable and the high Internet speed they offer.

Amid the growing volume of vendor sales hype in the region, information security professionals are less likely to have the information they need to cushion organisations, said Deloitte.

Internet security experts say the advent of high speed connectivity will draw the attention of international hackers who were previously put off by the slower satellite connections.

Hackers
“Companies should limit the amount of information accessible to the general staff in the wake of increasing hacking.

Security measures like encrypting, auditing and monitoring would help limit who has access to company data,” said William Makatiani, manager enterprise risk services at Deloitte East Africa.

Organisations in the region nevertheless face a difficult challenge with the demand for opening up corporate IT environments through outsourcing and technologies such as cloud computing.

“Although technology solutions are the most important piece in the security puzzle, failure to train people in physical and technical security will leave organisations vulnerable,” said the Deloitte survey.

The study cites employees who leave workstations logged on while taking breaks or those who share passwords as some of the most common sources of security breaches.