Security Focus Africa April 2022 Vol 40 No 4


www.securityfocusafrica.com | Vol 40 No 4

April 2022

The official industry journal for professional risk practitioners: security, safety, health, environment and quality assurance

CIT attacks in SA

Drones in guarding

SASA update

News snippets from around the world

Meet newly appointed ConCourt judge Jody Kollapen

Combating the sea of corruption in the maritime sector: ISS



securityfocusafrica.com Security Focus Africa has been marketing suppliers to buyers in Africa since 1980, and is the official industry journal of the Security Association of South Africa (SASA). Our readers form the core of Southern Africa’s buyers and decision-makers in the security products and services industry. Our digital platform has a highly-focused readership of people at the very heart of the security industry. Our news is distributed via website, digital magazine, and social media. Our annual Security Focus Africa Buyers Guide is searchable via our online directory, with over 760 businesses and branches throughout Africa. Need to find a service or supplier? We will help you find exactly what you need.

PO Box 414, Kloof 3640, South Africa Tel: +27 (31) 7646977 Fax: 086 762 1867 Email: contact@contactpub.co.za


KEEPING YOU IN THE KNOW | CONNECTING PEOPLE WITH PEOPLE


DIGITAL BUYERS GUIDE to security services & products

Promote your business

Attract customers

Increase your sales

Claim your listing on www.securityfocusafrica.com/buyersguide

Security Focus Africa is known for having the most comprehensive directory of service providers in Africa. We have been a trusted source of information for more than 41 years, and now offer this valuable resource online. The market is tough out there. What makes your business different from any other? For starters, be more accessible on the internet. Online searches are now the preferred method of finding information and contact details, so the better your online presence, the more business you will get.

BENEFITS OF LISTING YOUR BUSINESS:

• By claiming your listing, you can keep your company’s information up to date at your own convenience
• Upgrade your listing online at any time to maximise your brand exposure
• Improve your SEO and online presence
• We provide a targeted audience for your business
• See your stats – know how many people are seeing your listing


For as little as R2,400, you can get the edge over your competitors by providing indispensable information to your customers on our online directory.

Affordable advertising is just a click away.


Security Focus Africa: Serving the South African security industry for 41 years

CONTENTS


VOL 40 NO 4 APRIL 2022


COVER STORY

CASH-IN-TRANSIT ATTACKS IN SOUTH AFRICA: DAILY AND DEADLY

The deadly shootout between a gang of heavily-armed cash-in-transit robbers and police in Johannesburg once again highlighted the ruthlessness and lack of regard for life that characterises this particular crime form. It’s happening on a regular basis, impacting not only on the country’s economy but also, and far more importantly, on people’s lives.



Official Journal of the Security Association of South Africa

Published by Contact Publications (Pty) Ltd (Reg No. 1981/011920/07)

Vol 40 No 4

REGULARS

EDITOR’S COMMENT
Of floods, fire, heroes and ubuntu.

ASSOCIATION NEWS
Update from SASA.

MEDIA STATEMENT
Security Association of Namibia (SAN) hosts 29th Annual General Meeting.

TECHNOLOGY UPDATE
Smart living enabled: How the shift from 4G to 5G impacts security and surveillance.

NEWS IN BRIEF
News snippets from around the world.

PERSONALITY PROFILE
Professor Monray Botha.

OPINION PIECE
Enterprise networking and the rise of SD-WAN in powering the hybrid office.

ISS TODAY
Combating the sea of corruption in the maritime sector.

PRESS RELEASE
Emergency numbers which should be saved on your phone.
QR payments find favour with businesses and consumers, drives new innovation.
Bridging the great divide between operational and information technology.
Tips to secure your business against cybercrime in the cloud era.
Inadequate protection leaving insured vulnerable to fraud.
Drug testing in the workplace — keep it as consistent as alcohol testing.
Orchestrating multicloud: Implementing a strategy that works.
Data: The missing puzzle piece for SA business success.

LAW AND SECURITY
Data theft by employees.

SECURITY IN ACTION
Improvements deliver faster access to hologram image register.

CYBER SECURITY
SA’s industrial challenge: limited resources to respond to unlimited cyberthreats.
DDoS attacks hit a record high in Q4 2021.
Four top cybersecurity threats that organisations should prepare for in 2022.
Microsoft Security delivers new multi-cloud capabilities.

OPINION PIECE
Securing the perimeter is not enough to protect your data — what happens if a bad actor is already inside?

TEL: 031 764 6977 FAX: 086 762 1867

MANAGING DIRECTOR: Malcolm King malcolm@contactpub.co.za

EDITOR: Ingrid Olivier ingrid@securityfocusafrica.com

SENIOR GRAPHIC DESIGNER: Vincent Goode vincent@contactpub.co.za

DISTRIBUTION MANAGER: Jackie Goosen jackie@contactpub.co.za

POSTAL ADDRESS: PO Box 414, Kloof 3640, South Africa

PUBLICATION DETAILS: Security Focus Africa has 12 issues a year and is published monthly, with the annual Buyers’ Guide in December. Due to the Covid-19 crisis, we will only be publishing digitally, until further notice.

EDITORIAL CONTRIBUTIONS: Editorial contributions are welcome. For details please email editorial@securityfocusafrica.co.za.

ADVERTISING ENQUIRIES: Malcolm King Email: malcolm@contactpub.co.za

Security Focus Africa is a member of

THE LAST WORD
Security, xenophobia and the rule of law.

DIRECTORY
Security and related associations and organisations.

ADVERTISERS INDEX


EDITOR’S COMMENT

Of floods, fire, heroes and ubuntu

As South Africa recovers from the recent floods and fires that ravaged large parts of the country, the distinction between its heroes and its villains has never been more visible to me. On one side of the divide are the victims and the heroes. On the other, the criminally opportunistic.

My heart aches for those who died, were injured, lost loved ones, their homes, their belongings. And it rages at those who could have, and should have, done more to prevent these tragedies. The people in high places, elected and/or employed to ensure that their constituents’ fundamental rights are safeguarded, but who failed them – yet again – with empty promises, jobs not properly done — or even done at all, corruption, theft… the list is long.

At the same time, I am deeply moved by the acts of courage and ubuntu displayed by so many of its citizens. South Africa can hold its head high when it comes to per capita heroes. Aside from the trained professionals, our heroes include regular folk who jumped into raging waters to help, fought their way through fire and smoke to save lives and property, who are collecting food and essentials for victims, raising funds, and getting their hands dirty as they help clean up.



In his article Top 5 Professions You Need Courage to Take, Scott Miller puts firefighting at the top of his list of brave occupations. “Imagine looking at a building in flames and the terror that image seeds into an ordinary person’s brain. It takes courage to take on a profession that includes walking into a flaming building and searching for survivors. But jumping into the belly of the fire-breathing beast is not the only test of nerves that these brave people have to face… firefighters also deal with chemical spills that most of us would run away from.”

SAFSI (Southern African Fire Services Institute) says that since its founding in 1959, the country’s firemen are viewed as professionals rather than ‘brawny and not-so-brainy’ men involved in skilled labour. Until now, I wasn’t aware of the extensive training that professional firefighters undergo: emergency services, ambulance work, civil defence, creating fire safety plans for public buildings, handling and cleaning hazardous material (‘hazmat’) spills and so much more.

Well done and thank you to all of our firefighters, our emergency and medical personnel, our security officers and yes, our police officers, too. SAPS (South African Police Service) is consistently and widely criticised by the public for the wrongdoings of some of its members. The key word here is ‘some’. There are many officers whose work is exemplary – have a look at https://www.facebook.com/SAPoliceService to see their daily successes. Some pay the ultimate price: last week, Sgt Busisiswe Mjwara, Sgt Mathews Phakati and their dog (K9 Leah) died during a search for three drowning victims in the Msunduzi River.

My personal list of heroes includes the Gift of the Givers Foundation https://giftofthegivers.org/, the largest non-governmental disaster response organisation on the African continent. In the 29 years since its formation by South African medical doctor Imtiaz Ismail Sooliman, it has raised more than R3.8 billion in aid for 45 countries. ‘KZN Flood Relief’ is one of its current appeals — https://giftofthegivers.org/disasterresponse/kzn-flood-relief/37064/. The Gift of the Givers Foundation provides unconditional assistance to those in need, whether they’re humans or animals, and regardless of religion, race, or political affiliation. I was amazed to read on its flood relief page that calls had been coming in, not just from those requesting assistance but also from “corporates wanting to support stricken communities. With all our troubles, frictions, and challenges, this is indeed an incredible country where the spirit of Ubuntu always takes centre stage and reigns supreme.”

The best description I’ve come across for ‘ubuntu’ is in the New World Encyclopedia. ‘Ubuntu’, it says, “is a traditional African concept that can be roughly translated as ‘humanity towards others’. Ubuntu embodies all those virtues that maintain harmony and the spirit of sharing among the members of a society. It implies an appreciation of traditional beliefs, and a constant awareness that an individual’s actions today are a reflection on the past, and will have far-reaching consequences for the future. A person with ubuntu knows his or her place in the universe and is consequently able to interact gracefully with other individuals. One aspect of ubuntu is that, at all times, the individual effectively represents the people from among whom he or she comes, and therefore tries to behave according to the highest standards and exhibit the virtues upheld by his or her society.”

It’s this that makes me proud to be a South African.

Ingrid Olivier, Editor ingridolivier@idotwrite.co.za


ASSOCIATION NEWS

Update from SASA

I can hardly believe that we’re almost halfway into 2022 and that winter is around the corner! Here is a summary of what’s been happening in our industry and with SASA since the last issue. From the desk of Tony Botes, SASA National Administrator.

Covid-19

The State of Disaster has been lifted after more than two years, but precautions are still being imposed for everyone’s safety. Who knows when – if ever – Covid will be a thing of the past? Perhaps we’ll just have to learn to forevermore live with wearing masks and sanitising.

National Bargaining Council for the Private Security Sector (NBCPSS)

The NBCPSS is still growing in capacity – maybe not fast enough – but a great improvement over what the case was when the Department of Employment and Labour was handling wage complaints. To date, there have been a number of very successful wage prosecutions, some with significantly high restitution orders issued and served on non-compliant employers. Quite a few were settled in the process, and many have been rubber-stamped by the CCMA (Commission for Conciliation, Mediation and Arbitration), delivered to the Sheriff of the High Court, and warrants of execution served on these (criminally, in many cases) non-compliant employers.

SASA will continue, as in the past, to support the NBCPSS in the drive to identify unscrupulous employers, and assist them and PSIRA (Private Security Industry Regulatory Authority) in bringing them to book. Unfortunately, they are still seriously under-resourced in respect of their numbers of agents (inspectors), but this is being attended to by the ongoing employment and upskilling of additional manpower, which will lead to more prosecutions and a greatly improved level of compliance. That said, stamping out the rife criminality in the industry is a huge challenge for these two regulatory bodies, which only have about 120 inspectors tasked with policing 100,000-plus companies. The Council is also in the process of taking over its administration and financial affairs – currently outsourced – which is another major step forward.

Wage negotiations

The process of three-yearly wage negotiations, for the period March 2023 to February 2026, has commenced, with a few explanatory meetings already behind us. It’s going to be an extremely difficult exercise to reach agreement, due to the current state of the economy, and having analysed what we believe to be impossible and unrealistic demands from ‘organised labour’ (participating trade unions). Fortunately, the three employer parties – SASA, SANSEA (South African National Security Employers’ Association) and CEO (Consolidated Employer Organisation) – have a very strong and competent team, so we’re hoping that the outcome of this process will be both peaceful and successful. SASA will keep its members updated.

PSIRA

PSIRA responded to our objections to what we believe to be unreasonable and excessive increases in their annual fees (for both employers and employees) and monthly levies, after a number of interactions between them and the employer organisations, by reducing them — slightly. Not to our total satisfaction, but every bit helps. On the other hand, PSIRA has not budged one iota on their uniform regulations and the prohibition of certain colours and branding. SASA, therefore, had to ‘go it alone’, serving legal papers on the Minister of Police and PSIRA to challenge this legislation, which has potentially devastating financial consequences for companies. Although we support the initiative to prevent security businesses from wearing uniform styles, colours and emblems intended to confuse the public by closely resembling those of SAPS (South African Police Service), SANDF (South African National Defence Force), Correctional Services, Metro and Municipal Police, and any other law enforcement agencies, we strongly believe that the Minister and PSIRA have gone too far with this legislation. Let’s wait and see how an independent court views the respective arguments.

SECUREX

After a break of two years, we are pleased to confirm that this popular event will be taking place from 31 May to 2 June 2022. SASA will, as always, have a stand at Securex and we have also arranged a speaking slot in their Seminar Theatre. See you there!

Security Officers’ Day

Launched last year by SASA, Security Officers’ Day is designed for security companies to honour their officers. It will take place on 4 December 2022, and every year thereafter on the same date. We really need to recognise the difficult and dangerous work that security officers perform, so we are asking SASA members, as well as all other security employers and consumers, to celebrate this special day, as they see fit.

Benefits of SASA membership:

We are working on expanding membership benefits, which will be communicated to all members once finalised. Currently, these include:

• A strictly applied Code of Ethics
• Representation at national and local government level
• Industry exposure in the media as well as at major shows and exhibitions
• Contacts and networking opportunities
• Discounted training courses, events and seminars
• Access to a security library managed by UNISA (University of South Africa)
• Updates on new legislation and other industry-relevant information
• Access to security-related and affiliated associations in South Africa and overseas
• The SASA national website
• A central administration office
• Free digital subscription to Security Focus Africa magazine, the official journal of SASA
• A mentorship programme which is designed to guide and assist startup security companies with attaining the compliance standards required to qualify for Gold Membership

For more information about what SASA does and how it can assist you and your company, or to report any wrongdoings or concerns, please contact: Tony Botes, SASA National Administrator, at:
Tel: 0861 100 680 / 083 650 4981
Cell: 083 272 1373
Email: info@sasecurity.co.za / tony@sasecurity.co.za
Website: www.sasecurity.co.za


MEDIA STATEMENT

Security Association of Namibia (SAN) hosts 29th Annual General Meeting

The security sector employer representative known as the Security Association of Namibia (SAN), which was established on 5 November 1992, successfully hosted its 29th Annual General Meeting in Windhoek on 26 November 2021, at Bauern Stube Family Restaurant, Windhoek.

In his opening statement, the outgoing President of the Security Association of Namibia, Mr. Hans Miljo, said the following: “SAN will continue to advocate and ensure total compliance in the security industry.” Mr. Miljo further raised concerns that there has been no prosecution instituted by the Ministry of Labour, Industrial Relations and Employment Creation in response to countless security companies that have been, and still are, not compliant with the minimum wage as per the provision of the Labour Act 23, 1998. To SAN, this shortfall has serious hallmarks that tell us that the Ministry of Labour, through its inspectors, does not prioritise the need to have the industry regulated.

In his response to the concern raised by the SAN President, the Honourable Deputy Minister Dr Kashikola, who attended as the guest speaker, alluded that the neglect the industry faces is an issue that SAN needs to address, including the arbitration issue where compliance is not met. The Deputy Minister, Dr Kashikola, further commented that the role played by the security industry is supplementary to the activities of his Ministry in combating crime and protecting lives and property, hence the need for the security industry to be regulated, to minimise security risks within the Republic of Namibia.

Dr Kashikola also said that the regulation of the security industry within Namibia will further ensure and enhance the industry’s ability to act through certification of every security provider through SAN’s competency assessment and by ensuring compliance with existing laws, and that certification of security officers, through training to be provided by SAN, will further create sustainable employment and accredited qualifications for security officers. The Deputy Minister, Dr Kashikola, concluded with appreciation for the cooperation between SAN and the Namibian Police, which is important since the Bill has made provision for the mechanism between private and state security apparatus, and security organisations are well placed for the strengthening of exchange of intelligence.

Apart from the line Ministry of Labour, Industrial Relations and Employment Creation and the Ministry of Home Affairs, Immigration, Safety and Security, the Association engages on a continuous basis with trade unions as important stakeholders in the industry and members of the National Bargaining Council for the Private Security Sector (NBCPSS), which hosts a wide range of powers.

Speaking through video conference, the Security Association of South Africa’s (SASA) National Administrator, Mr. Tony Botes, confirmed that SASA is the largest of the employers’ organisations in South Africa, which plays a dominant role for the security industry, with cooperation agreements with SAN, CAPSI in India, Security Association of Mozambique and Security Association of Singapore. Mr. Botes further stated that SASA, with its many accomplishments, such as being recognised as a bargaining council for the private security industry and working closely with the Private Security Industry Regulatory Authority, is willing to share and support the Security Association of Namibia to accomplish similar objectives in Namibia, for the benefit of both security industry employers and their employees.

A new Security Association of Namibia council was elected for 2022-2024, being President: Mr. Dawid Nuuyoma (G4S Namibia), Vice President: Mr. Corinus Kotze (G4S Namibia), Vice President: Mr. Dhiginina Uutaapama (Dog Force Security Services), Treasurer: Mr. Onesmus Hanhapo (Sine Technologies Solutions), with the following as council members: Mrs. Seriane Mukuta (Elitjisola Trading Investment), Mrs. Carona Viljoen (Crown Security), Mr. Absalom Tobias (Windhoek Security Services), Mr. Bartholomeus Koopman (Eagle Night Watch Security), Mr. Advocate Matomola (Extra Defence Protection Services), Mr. Fanie Horn (Namibian Protection Services).

The outgoing president, Mr. Hans Miljo (Crown Security), was provided with an Honorary Life Membership to the council after serving more than 10 years as the Security Association of Namibia president. The new Council and the SAN National Administrator assure the membership of their quest to find long-term, sustaining solutions to the challenges that the industry faces.


TECHNOLOGY UPDATE

Smart living enabled: How the shift from 4G to 5G impacts security and surveillance

5G goes beyond just the ability to surf the internet at a faster pace. Consumers may still be awaiting mass availability of 5G-enabled devices, but the groundwork is already being laid for the infrastructure and for businesses to embrace its full potential.

By Marcel Bruyns, Sales Manager at Axis Communications.

The shift from 4G and 4G LTE to 5G is far-reaching, and although its growth is relevant to most sectors, we can expect to see real and impactful applications in the network security and surveillance sector, particularly when it comes to smart buildings and cities of the future. It is therefore important to know what 5G’s core benefits are, and how it forms part of effective digital transformation strategies and smart living initiatives.

The rollout of 5G

5G networks are likely to cover one-third of the world’s population by 2025, accounting for as many as 1.2 billion connections.[1] This global rollout is happening right now, with private and state entities investing exponential amounts into constructing new and upgrading existing infrastructure to deliver what some now consider an essential service.

5G is not just about delivering faster and better broadband service. The technology can expand into new areas, such as sensitive and high-priority communications and, more notably, the realisation of large-scale internet of things (IoT) networks and infrastructure.[2] With the infrastructure eventually in place, 5G network carriers and suppliers can offer affordable and comprehensive options to businesses and individuals based on their technical and digital requirements.

Network security and surveillance sectors may not be the primary driving force behind the rollout, but they do stand to benefit from 5G and, as such, should begin making the necessary investments into their own research, development, and existing operations.

Overcoming the obstacles

Companies are moving forward with 5G, gaining a better understanding of how the technology best suits the application requirements of their respective industries. But it’s still essential to manage expectations. We may refer to big numbers – with the number of future 5G connections being in the billions – but a wide-scale rollout is still a long-term prospect, and it’s at the mercy of several pertinent factors.

5G requires spectrum. Countries and regions are taking steps to consider and apply the appropriate policies that will govern the provision of spectrum to operators — a process that takes time. And there is the infrastructure itself. While some countries are moving swiftly to establish their own 5G networks, developing nations are still working to provide widespread connectivity. Their existing – and considerable – investments into 4G networks and technology may compromise or elongate timetables regarding an eventual 5G rollout.

Then we must consider usage parameters, which are already creating notable real-world impact. In January 2022, mobile networks in the US were forced to delay the activation of 5G services near airports after receiving concerns from federal aviation authorities. Questions were raised about how the surrounding 5G signals might interfere with essential in-flight safety equipment such as altimeters.[3] It’s still early days for 5G and, while this may be a circumstantial scenario, it does highlight the need for collaboration and planning between all concerned sectors to ensure a smooth and efficient rollout.

Smart cities, smart applications, and a smart future

We need to take a holistic view on the rollout of 5G. It plays a significant role in smart cities — futuristic urban areas that use the latest tech for the benefit of citizens and businesses. In this scenario, IoT is key, giving cities the ability to use a network of interlinked hardware to gather, process, and effectively use data. And this is not just a trend. Technology spending on smart city initiatives is forecast to more than double between 2018 ($81 billion) and 2023 ($189.5 billion).[4]

Within a smart city, you have mobility and monitoring solutions that work together to not only identify typical, everyday problems, but also to compile the necessary data to solve them. It is predicted that in 2023, outdoor surveillance cameras will have a 32% market share for 5G IoT solutions worldwide.[5] This enables license plate recognition, traffic monitoring, and vehicle detection, all made possible by a series of edge-computing cameras and other surveillance equipment that feed back to a central hub. Faster transfer speeds allow for quick-time responses from officials, and data is efficiently compiled and processed through the cloud.

Body-worn surveillance equipment on city law enforcement is another example. Using 5G-enabled wireless technology, cameras integrated with established video management systems can transmit live pictures to a central command centre, where officials can react in real time. The efficacy of a solution such as this depends on the width and breadth of network coverage within the targeted area, but 5G guarantees the speed. And, when combined with edge computing, the reaction time becomes even quicker.

There is long-term value to this thinking and approach, but it also depends on trusted partners and vendors that can deliver on these solutions. The security industry is ever-evolving, and the shift from 4G to 5G opens up more new opportunities to contribute to smart buildings, smart cities, and critical infrastructure. Let’s make sure we make the most of those opportunities.


ASSOCIATION NEWS

News snippets from around the world Agrizzi and Smith’s key relationship in Bosasa fraud scandal unfolds in court papers

Ramaphosa returns SA to National State of Disaster in response to KZN floods

War crime, crime against humanity, genocide: what’s the difference?

South Africa has returned to a national state of disaster, this time in response to the devastating floods in KwaZulu-Natal that have claimed more than 400 lives. President Cyril Ramaphosa made the announcement in an address late last Monday night. https://ewn.co.za/

News24 takes a look at the different categories of the most serious crimes known to man, which the International Criminal Court (ICC) in The Hague was set up to prosecute. https://www.news24.com/news24/ world/news/war-crime-crime-againsthumanity-genocide-whats-thedifference-20220413

Best-case scenario: loadshedding until Friday — Stage 6 ‘not envisioned for this week’ Shortly after stepping up load shedding to stage 4 last Tuesday, Eskom announced the earliest it will be able to consider ending the rolling blackouts will be 22 April 2022. Speaking at a press briefing, Eskom’s group executive for generation, Philip Dukashe, said load shedding would be reassessed only on Friday. “At this stage we do not envision stage 6 being necessary this week. We are hoping that will continue to be the case,” Dukashe said. www.timeslive.co.za/

12

Six undocumented suspects to appear in court for R1 million worth of cable theft Six suspects arrested for the stealing of copper cables worth R1 million and failing to produce valid passports are expected to make their first appearance at Harrismith Magistrate’s Court shortly. They were arrested on 13 April, after residents alerted the police about two suspicious vehicles at a house in Makgolokweng Village. www.iol.co.za/

Hundreds left homeless after devastating Langa fire

Khayelitsha mass shooting: Alleged gunman back in court for bail

Western Cape premier Alan Winde has appealed for donations of essential items to help those left homeless and destitute by recent, devastating fires in the Joe Slovo informal settlement in Langa. www.timeslive.co.za/

The man accused of the late-March 2022 mass shooting in Khayelitsha is set to apply for bail. Thirty-six-year-old Thando Shuba is facing six counts of murder in relation to the attack. www.thesouthafrican.com/

SECURITY FOCUS AFRICA APRIL 2022

Cash ‘gratifications’, university fee payments and the gift of a VW Polo for a daughter are mentioned in court papers as being among bribes allegedly made in return for Bosasa being awarded valuable tenders. The story of an alleged corrupt relationship between former Bosasa logistics company chief operating officer-(COO)-turned-whistle-blower Angelo Agrizzi and ANC parliamentarian Vincent Smith is unfolding in court papers. The businessman and the politician are seen as key players in the state’s case relating to a multimillionrand fraud scandal that involved many prominent political figures. www.dailymaverick.co.za/

Art and crime — the dark side of the antiquities trade For most people, museums are where we go to look at works of art or ancient artefacts. But those who can afford it prefer to have them much closer, paying millions to display exclusive pieces in their living room or study. The collection of art and antiquities is worth $50 billion (€45 billion) globally… and there is, unfortunately, an ugly side to the art market: illegal trade. It’s estimated that the illegal art trade makes up about five percent of the whole industry, and while that may seem like a small figure, it appears to be a stubborn and growing problem that’s increasingly tarnishing the art world. www.euronews.com/

10,000 SANDF members deployed to flood-hit KZN

The South African army said last Monday that it had deployed 10,000 troops to help the nation’s East Coast recover from storms that have claimed more than 440 lives and ravaged infrastructure. Some of the troops include plumbers and electricians to help restore power and water, which have been cut off in some areas for over a week. The troops are also providing field accommodation and water purification systems. It is reportedly the deadliest storm on record for Durban and the surrounding areas of the KwaZulu-Natal province. https://ewn.co.za/

UJ flood relief fund to go to Gift of the Givers due to lack of trust in government

The chair of the UJ council, Mike Teke, and vice-chancellor and principal Professor Tshilidzi Marwala will be donating R120,000 to the KZN flood relief fund. Marwala said UJ was expecting to raise more than R1 million, which would be handed over to Gift of the Givers: “People will ask why them, and the reason is very simple, we don’t believe that government has the capacity to handle funds. This is from the lessons we learnt from the disappearance of Covid-19 funds. So, Gift of the Givers, as a trusted entity, would be a good one.” www.news24.com/

Four sinkholes have developed as a result of illegal mining activities, JRA says

The Johannesburg Roads Agency (JRA) says it has identified and barricaded four sinkholes that have developed as a result of illegal mining activities in the Booysens vicinity after a recent collapse of the roads. www.timeslive.co.za/

World Bank plans $170 bn financing to ease ‘multiple crises’

The World Bank is preparing a $170 bn package of financial help in response to the overlapping global crises of war, pandemic and inflation that are hitting the poorest countries particularly hard, its president has said. David Malpass warned that Russia’s invasion of Ukraine had added to pressures caused by the Covid-19 crisis and soaring cost of living, and there was a need to provide assistance quickly. Under proposals that will be discussed with the World Bank’s member governments at the spring meeting of the Washington-based organisation, $50 bn would be spent over the next three months, with a further $120 bn of financing provided over the following year. www.theguardian.com/


Russia ‘attacking 300-mile front’ as phase two of war begins; ‘bunker busting bombs’ dropped on Mariupol steel plant

A major new offensive in eastern Ukraine has reportedly begun, with Russia reportedly dropping ‘bunker busting’ bombs on Mariupol steel plant, where remaining civilians and troops are holed up, and there are concerns about Russia ‘going nuclear’. https://news.sky.com/

WhatsApp group admins are getting the power to delete messages, as ‘Communities’ rolls out

On Thursday, WhatsApp announced ‘Communities’, a system to manage groups of groups under a single umbrella. Some related changes are coming to standard WhatsApp groups even before Communities becomes available, such as emoji reactions. There is also a new power for group admins, to delete messages from other people, as well as silent exits from groups. www.businessinsider.co.za/

Watergate — whistle-blower lifts lid on ‘probably the most perfect example of ANC State Capture’

A whistle-blower, frustrated by a lack of action against more than 65 top officials in the Department of Water and Sanitation (DWS) who were implicated in widespread corruption, has given DM168 access to reports that reveal the department to be what the whistle-blower calls ‘probably the most perfect and comprehensive example of ANC State Capture’. The documents reveal details of officials’ complicity in corruption and violations in virtually all Water Boards, municipality, water and sanitation projects, and questionable suppliers in every province, running into tens of billions of rands over a decade. www.dailymaverick.co.za/

Machine learning and AI is coming for corrupt officials

Data science is an emerging field of inquiry usually associated with buzzwords such as big data, machine learning and artificial intelligence (AI). All of these terms have their roots in classical statistics. Statistical learning is, quite simply, learning from data. This is made possible by two conspiring realities: the cost of storing data has decreased over the years, and computational power has increased exponentially. This means that it is possible to find patterns and correlations in very large datasets (hence the term big data)… the possibilities for machine learning to tackle corruption are very exciting. https://mg.co.za/

Global finance meeting puts war-driven food security in the spotlight

Global finance leaders are putting the growing crisis over food insecurity and skyrocketing food prices at centre stage as members of the International Monetary Fund (IMF) and World Bank grapple with the brutal effects of Russia’s war against Ukraine. Russia and Ukraine produce 14 percent of the world’s wheat supply, according to the United Nations (UN), and the loss of commodities due to the war has resulted in soaring food prices and uncertainty about the future of food security globally, especially in impoverished countries. The UN’s Food and Agriculture Organization Food Price Index has made its biggest jump since its inception in 1990, reflecting an all-time high in the cost of vegetable oils, cereals and meat, according to the organisation. A late March report from the organisation stated that the global number of undernourished people could increase by eight million to 13 million people into 2023, ‘with the most pronounced increases taking place in Asia-Pacific, followed by sub-Saharan Africa, and the Near East and North Africa. If the war lasts, impacts will go well beyond 2022/23.’ www.marketwatch.com/

Rampant crime in Durban amid flood devastation

Durban Central SAPS (South African Police Service) has made several arrests in the wake of the KwaZulu-Natal floods that left parts of the city damaged last week. Crimes range from aggravated robbery, possession of stolen property, drug possession to loitering. https://bereamail.co.za/

Two police officers, K9 dog die in KZN floods

National Police Commissioner, General Fannie Masemola, says he’s saddened by the deaths of two police officers and a police dog in KZN. Female diver, Sergeant Busisiswe Mjwara, was conducting a search in the Msunduzi River when she got into difficulty and drowned. A police dog unit, K9 Leah, also drowned while assisting Mjwara. Thirty-one-year-old Constable Thandazile Sithole died when her home collapsed on her earlier this week. At least 30 police officers have been affected by the floods. Counselling services to affected areas, including police stations and units, are being provided. www.enca.com/

US voters worried about crime: the White House needs to listen

Voters – both Democrats and Republicans – keep telling politicians what issue matters most to them. Covid-19? Hunger? Those are big on the list, but again and again, voters say they are worried about crime. Last year, New York City elected Eric Adams, a former cop who talked about little else during the race, as its mayor. Crime is also a serious issue in Los Angeles’ mayoral race. Politico reports: “Frustrations over crime and homelessness are setting the tone in the race to become Los Angeles’ next mayor, pushing progressive candidates like Rep. Karen Bass to set their liberal priorities aside — and bolstering the chances of a billionaire centrist in California’s most sprawling and diverse metropolis.” www.washingtonpost.com/

Airport home affairs official arrested in connection with R110K per person smuggling scam

A Home Affairs official has been arrested at OR Tambo International Airport for allegedly helping five people enter South Africa without the required documents. It is alleged that he facilitated the entry of five Bangladeshis and is believed to be a key link in an international syndicate in both countries. www.news24.com/

Fraudulent document manufacturing plant uncovered in Hillbrow

A tipoff from the community has led to the arrest of a 47-year-old suspect who was found with fraudulent documents in Hillbrow, Johannesburg, last week. www.iol.co.za/

KZN floods: Durban port clogged with debris, faces backlog of 8,000 containers — Gordhan

The Durban port has been reopened after severe rainfall and flooding last week. Public Enterprises Minister Pravin Gordhan says that backlogs still need to be cleared at ports and that considerable damage to the rail network linked to the port needs to be repaired. Gordhan estimates that between 8,000 and 9,000 containers have accumulated at the port because trucks could not reach the harbour areas. www.news24.com/

14 arrested for Elvis Nyathi murder

Fourteen suspects have been arrested in connection with the murder of Zimbabwean national Elvis Nyathi in Diepsloot earlier this month. Police Minister Bheki Cele and Home Affairs Minister Aaron Motsoaledi visited the area following the killing and protests. The two ministries promised to embark on a joint operation to weed out undocumented foreign nationals and fight crime in Diepsloot. www.enca.com/

Easter operations in Limpopo see police net over 1,600 suspects

Police in Limpopo arrested 1,632 suspects between 10 and 17 April 2022 in a successful joint operation, according to provincial police spokesperson, Lieutenant Colonel Mamphaswa Seabi. Aged between 19 and 60, the suspects were arrested on varying charges, including possession of unlicensed firearms and ammunition, possession and dealing in drugs and illicit cigarettes, murder, attempted murder, robbery, burglary, theft of motor vehicles, contravention of the Road Traffic Act, sexual offences, stock theft and more. www.iol.co.za/



PERSONALITY PROFILE

Professor Monray Botha

In conversation with Professor Monray Marsellus Botha, voice for whistleblowers, former Head of the Department of Mercantile Law at the University of Pretoria, and now Professor in Private Law at the University of Johannesburg.

His social media message is to “Do everything in style and with (com)passion!” and he leads by example, is passionate about justice in general, and improving the safety of whistleblowers, more specifically. The co-managing editor of three books as well as multiple published reports and papers, Monray holds BLC, BCom (Hons), LLB, LLM, MCOM and LLD degrees as well as AIPSA, Alternative Dispute Resolution and Corporate Law diplomas.

Monray’s areas of interest include labour and corporate law, and corporate governance and social responsibility, and his research focuses on the social contract and the relationship it has with social justice and protection of the most vulnerable members of society. And yet, despite his impressive qualifications, he is a warm people’s person with a sense of humour. He is also a brave man, lending his considerable voice to the call for whistleblowers and their families to be better protected and compensated.

“I believe that whistle-blowing should be made a national strategic priority,” he said in an article in The Conversation, published on 23 September 2021. “The extent of corruption in (South Africa) has been laid bare at the judicial commission probing allegations of state capture over the past three years. Corruption can impede a country’s economic growth, and undermine democratic principles, stability, and trust. Whistle-blowing is one of the mechanisms used to deter corruption. It plays a role in encouraging accountability, transparency, and high standards of governance, in both the private sector and public institutions. Whistleblowers help combat criminal conduct and should thus be afforded protection by the state.”

But, he adds, “South Africa’s system is flawed. …The country was shocked by the murder of a woman who had exposed corruption in the procurement of Covid-19 personal protective equipment.” He’s referring to Babita Deokaran, head of financial accounting at the Gauteng Department of Health, who was gunned down outside her Johannesburg home on 23 August 2021. According to a media statement by the Special Investigating Unit (SIU), part of the South African Police Service (SAPS), she was one of more than 320 witnesses in the unit’s investigation into Personal Protective Equipment (PPE) tender corruption and procurement irregularities, in both the department and the private sector.

Long before her death, Monray wrote a journal paper titled: “The Protection of Whistleblowers in the Fight against Fraud and Corruption: A South African Perspective”. In it, he warns that criminal and irregular conduct can endanger economic stability, hence the critical role of the whistleblower as a corporate governance mechanism. “Whistle-blowing is healthy for organisations — managers no longer have a monopoly on information, and they need to know that their actions can – and will – be monitored and reported to shareholders and to the public at large. Whistle-blowing should, therefore, be a safe alternative to silence, since it deters abuse. Many catastrophes would be averted if employees did not turn a blind eye, and if employers did not turn a deaf ear nor blame the messenger instead of heeding the message.”

It’s not that simple, though. “Potential whistle-blowers face difficult choices, in that they either report the misconduct with the risk of retaliation, or they keep quiet in order to keep their jobs — and protect their lives and their families, in some instances.” Yes, the PDA (Protected Disclosures Act) and the Companies Act provide protection to employees and other stakeholders who dare to blow the whistle against irregularities or wrongdoing, he says, but despite being in place since 2000, the PDA has a poor track record when it comes to protecting whistle-blowers.

Early years

Born in 1975 in Kimberley, Monray attended school there until his family moved to Warrenton in 1991. After matriculating, he went on to complete most of his degrees. He remembers his mother fondly. “She was a skilled cook who could whip up great creations with a limited to non-existent budget. One winter, she made aniseed rusks from scratch in our little black coal stove and the meticulousness of her preparation, baking, resting and cutting of the rusks will stay with me forever.”

Pursuing a legal career was by coincidence, he says. “My adopted sister actually applied for law and then I thought about it and what I would like the law to do, especially taking into account the era in which I grew up, and where some members of society were treated differently, faced injustices, and did not have access to basic rights. I was always inquisitive and wanted to know why this is happening …”

The future

Keen to do a PhD in Commerce and to write a book on how the lack of worker participation initiatives in organisations is failing this vulnerable group, Monray would also love to travel to Iceland by boat, run a couple of marathons abroad, open his own bistro on a small boutique wine farm, with a sustainable garden, and live close to the sea.

His best advice: “Make a list of your dreams, what you want to achieve as well as the values and principles that you want to live by, and what your ideal world would look like. Then make a list of things that you want to change. Eliminate those things over which you have zero control, and focus on the things that you have left and how they will fit into your growth as a member of society who contributes positively.”

Who inspires you?

“Michelle Obama and Oprah Winfrey are two people whom I admire based on the struggles they overcame and the levels of success and impact they have achieved. I admire honest, hardworking people who understand their role in the bigger team and common goals. I respect people who are transparent, fair, accountable, disciplined but can also let go and have a bit of fun — even in a work setting now and then!”

And what can’t you tolerate?

“Micro-managers, inflexible and toxic work environments, people who should not be in management positions, bullies, rude, dishonest people who speak down to others and want to put others down to make themselves look better.”



CIT & BANKING SECURITY

Cash-in-transit attacks in South Africa: Daily and deadly

The deadly shootout between a gang of heavily-armed cash-in-transit (CIT) robbers and police in Johannesburg, South Africa, on 21 February, once again highlighted the ruthlessness and lack of regard for life that characterises this particular crime form. And it’s happening on a regular basis, according to Grant Clark, head of the Cash-In-Transit Association of South Africa (CITASA), impacting not only on the country’s economy but also, and far more importantly, on people’s lives.

CITASA, which was registered as a legal entity in November 2021, comprises South Africa’s three major cash-in-transit companies, namely SBV, G4S and FCS (Fidelity Cash Services). The official spokesperson for the CIT industry, Clark says it meets frequently with the South African Police Service (SAPS) and other role players in a collaborative effort to curb CIT robberies, ensure the flow of objective and prompt information, and collate, capture, analyse and report on CIT-crime-related matters.

“The transportation of cash in South Africa is vital for our daily economy,” CITASA says. “Cash service providers move cash to various points of transaction, which keeps the wheels of the economy moving. Community support – providing information to law enforcement agencies, reporting suspicious activities in their environments, and respecting the services provided by CIT companies by giving them the space they require to perform their duties – is therefore critical. And we condemn, in the strongest terms, people taking cash from crime scenes. Not only are they putting themselves in harm’s way, but they’re also committing a crime for which they can be prosecuted.”

CIT is a complex crime, the entity stresses, and, contrary to popular belief, robbers are not necessarily part of a gang or syndicate in the true sense of the word. “It is more like the inclusion of expert individuals working together to get a specific job done and to reap the benefits (in this case — money). An individual is included in a ‘job’ because of his expertise and the role to be fulfilled, in either vehicle-on-road-attacks or cross-pavement robberies.”


In the criminal world, CITASA continues, individuals become known for their skills: providers of explosives and weapons, bombers, drivers, cash collectors, shooters, and stoppers. The groups are well organised and carry out attacks with military precision, the Rosettenville attack being one example. “They are ruthless and have no regard for life, property, or assets.”

Trends

According to CITASA, the highest number of CIT attacks in South Africa occurred in 2017. In 2021, CIT attacks increased by eight percent year-on-year, and in 2022, most of the reported CIT incidents (77 as of 12 April) were cross-pavement robberies, followed by attacks on armoured vehicles. According to Wahl Bartmann, CEO of Fidelity Services Group: “Vehicle bombings don’t only account for huge financial losses, they often lead to fatalities as well, which is unacceptable”.

Key vulnerabilities in the cash management industry

International risk mitigation company Lowers Risk Group, in its white paper Security and Collaboration in the Cash Management Industry, makes the point that CIT is more than moving cash and coins from one point to another. “Although we continue to use ‘CIT’ as common shorthand, the industry might be more accurately called the ‘cash management industry’. (It) now provides services including virtual vaults, comprehensive ATM services, and auditing and banking functions such as deposit processing, branch bank orders, and check imaging. Armoured carriers are just the most visible part of the system to most people,” it says. And wherever there’s a lot of money in circulation, there’s the potential for loss at ‘innumerable points’.

The paper then identifies three key vulnerabilities in the CIT system: loss of life, organisational fraud, and ATM attacks. Loss of life is the top concern, and even when ‘controls are in place to minimise street and branch attack exposures, the resulting losses can still be substantial… an ongoing threat to the industry that cannot be understated’.

Then there’s organisational fraud. “As in most industries, the biggest vulnerabilities are internal, including losses from errors in processing and servicing as well as internal theft or fraud,” says Lowers Risk Group. “There are many opportunities for loss in the transfer and handling of cash and coin, and of course cash is the perfect liquid prize that can be hidden or exchanged.”

The group’s third concern is the ‘significant vulnerability of ATMs’. “Without question, a robbery event could result in a significant loss and, as previously mentioned, with the nature of street attacks taking place against an armed CIT person, could involve a high degree of violence.”

What’s behind CIT crime?

One of a number of contributing factors is South Africa’s dire socioeconomic situation, says CITASA. “Poverty, unemployment, and moral decay are endemic, and not only here but also in our neighbouring countries. Some CIT robbers become involved in CIT robberies out of need — but continue because of greed.”

Then there’s the blatant disrespect for human life, other people’s property, and law enforcement, it adds. Criminals don’t fear apprehension and even if they are caught, facing prosecution is not a given. As a result of the lack of deterrence, repeat offending is common amongst CIT robbers.

Another major concern is the easy availability of illegal weapons and explosives in South Africa, since they form an integral part of the modus operandi of cash-in-transit robbers, CITASA notes further. CITASA has recently identified the involvement of foreign nationals in CIT robberies, no thanks to South Africa’s porous borders that allow them easy access into the country to commit crimes.

Solutions

CIT companies are investing in the latest personal protective equipment (PPE), and providing ongoing training in the use of effective technology in order to protect the lives of their personnel and their clients’ assets, says CITASA. They’re also deploying air support, additional tactical support units and integrated camera systems with live streaming, using dye-stained cash-carrying devices, controlling access to cash through segregated vault systems, putting protective foam systems into armoured vehicles, and using run-flat tyres.

Product innovation is key to keeping staff, customers, and assets safe, agrees Bartmann. “All our CIT vehicles are armour-plated and have on-board systems designed to protect both officers and cash, within reason. We have also redesigned our CIT vehicle configuration with the result of there being a noticeable decrease in incident numbers and losses, and we’ve added remote mobile monitoring and CCTV surveillance as well as proactive helicopter support patrols across the Eastern Cape, KwaZulu-Natal and Gauteng.”

Bartmann says Fidelity invests a lot of time, money, and research into developing and onboarding technological defense mechanisms as well as in training its CIT officers. But he adds: “Even though we have successfully defended a number of attacks, urgent attention is needed to reduce these unacceptably high numbers.”

Following an attack on an ATM team in Dunoon, Cape Town, on 3 February 2022, SBV Services’ Group CEO Mark Barrett said in a statement that his company would “do everything possible to support the authorities in apprehending the suspects involved in this attack.” Further, SBV offered a R1 million reward for information leading to the successful arrest and prosecution of the attackers. The company operates a 24/7 hotline that promises complete confidentiality.

In a recent media statement, former National Police Commissioner General Khehla Sithole spoke of the various policing disciplines that had worked through the night following the Rosettenville attack. The National Task Team had cornered the group of heavily-armed suspects, he said, killing eight, arresting 10, and seizing 10 high-performance vehicles, six AK47 assault rifles, three rifles and a number of explosives. Three members of the South African Police Service (SAPS) were shot and wounded during the attack, which Sithole called a ‘show of force’ by the state. And, on eNCA Live on 1 April 2022, the country’s newly appointed Commissioner of Police, General Fannie Masemola, vowed to “intensify efforts to curb cash-in-transit heists”.

“But it’s not nearly enough,” says Bartmann. “The volume, the intensity, and the planning behind the recent spate of CIT attacks in 2022 is extremely concerning. Groups of up to 20 highly trained and armed suspects are often involved in these attacks, which are carried out with military precision. We are fighting a silent war that is starting to spill over into civilian areas as well. The unacceptable loss in lives over the last six to eight weeks is evidence of the severity and violence of the attacks.”

Sources

CITASA: alicem@citasa-sa.co.za / Grantc@citasa-sa.co.za
Fidelity Cash Management: fidelity-services.com/our-productsservices/fidelity-cash-solutions/
SBV: www.sbv.co.za
Lowers Risk Group: www.lowersriskgroup.com



OPINION PIECE

Enterprise networking and the rise of SD-WAN in powering the hybrid office

A fresh era of networking has arrived, introducing the hybrid framework and the hybrid office while reviving the capabilities of Software-Defined Wide Area Network (SD-WAN).

By Amritesh Anand, Associate Vice President - Pre Sales at In2IT Technologies

So, what does this mean for today’s business, and why is everyone talking about SD-WAN when just the other day, like the mainframe, it was reported dead? The answer is that the pandemic changed everything by redefining the need for remote working. Many organisations have since adopted new hybrid models that deliver both remote work capabilities and office collaboration. Remote work has proved an overwhelming success for both employees and employers, and the advantages of a hybrid work culture have become clearly apparent in the past two years. Thanks to underlying technologies like SD-WAN and cloud adaptation, remote working has now become realistic for every organisation to plan and deploy. However, it is critical to ensure this planning is done properly, considering all the factors that must be addressed before and during any new network implementation for hybrid workspaces.

Challenging working conditions

Many organisations have already planned and adapted to their new ways of working, which are supported and enhanced through collaborative tools and remote application access. This makes it extremely important to ensure that enterprise networks are quality driven and capable of understanding, managing, and prioritising various types of network and application traffic, depending on user requirements and communication type. Customer Relationship Management (CRM) tools are critical for operations and need to be accessed remotely and securely. More critical, however, is the requirement for security, as the risk of cyber breach is higher when remote workers’ resources no longer ‘sit’ behind the organisation’s firewall. With this in mind, network elements must be planned, designed, and implemented properly, and it is SD-WAN that can meet this new way of working, bringing together advanced traffic engineering to provide policy-based performance with stringent security using zero trust architecture.

New hybrid reality

Since lockdown restrictions eased, many employees now split their time between working from home and in the office. This new hybrid workforce model is challenging for enterprise networks and infrastructure, requiring IT leaders to create new IT and security policies along with the right investments in technology to ensure continuous improvements in workforce productivity and efficiencies in the new hybrid model. To this end, the three key network infrastructure priorities for powering an effective hybrid workforce have become an SD-WAN driven network, a digital collaboration platform and a more flexible approach to security. An SD-WAN network infrastructure allows organisations to centrally deploy and manage branches and remote users, providing advanced traffic engineering for policy-based network traffic prioritisation that manages the changes and challenges of hybrid workforce network activity.

Aligning security and performance

While speed and performance are important, security is the single most critical network infrastructure consideration today, given the rise of cybercrime and remote workers. As transactions move to the cloud and the internet, networks have become highly distributed, creating additional attack surfaces. To counter this, most SD-WAN service providers operate from a Zero Trust security architecture, which assumes that there is no inside network and that no user or device is to be trusted by default. Every user access request and transaction must pass through strong authentication and authorisation processes defined using zero trust policies over the SD-WAN network.

The need for collaboration tools is set to remain the new norm as we adjust to living in a socially-distanced world, which has led to the adoption of Web Real-Time Communication (WebRTC) based collaboration tools instead of app-driven tools, as these offer the flexibility of browser-based meetings, without the need for an additional plugin. Here, SD-WAN based networking prioritises specific cloud-based collaboration tools to ensure users have a low-latency unified communications experience.

SD-WAN networking and multi-cloud environments are the dynamic technology duo that will enable organisations to leap ahead of the pack when it comes to the design and implementation of hybrid-capable, resilient networks. SD-WAN technology establishes secure, performance-driven connectivity to applications running on cloud or multi-cloud environments, streamlining IT operations by integrating with security services on major cloud providers and SDN platforms through a centralised portal, addressing all of the challenges and concerns involved with planning, implementing and managing hybrid workspaces for the foreseeable future.



ISS TODAY

Combating the sea of corruption in the maritime sector

Weak oversight mechanisms and Africa’s sea-blindness make the maritime industry an ideal target for graft.

5 Apr 2022. By Richard Chelin, Senior Researcher, ENACT, ISS and Denys Reva, Researcher, Maritime, ISS. Republished from https://issafrica.org/iss-today/combating-the-sea-of-corruption-in-the-maritime-sector?utm_source=BenchmarkEmail&utm_campaign=ISS_Today&utm_medium=email.

G

rand corruption in Africa’s maritime sector has led to overfishing, resource scarcity and a rise in criminality, with coastal communities most affected. The problem is highlighted by two ongoing trials in Southern Africa – Namibia’s Fishrot scandal and Mozambique’s Hidden Debt scandal. And due to the international stakeholders involved, both have had consequences extending well beyond their country’s borders.


The trials reveal the intricate web of corruption, money laundering, illicit financial flows and offshore accounts coupled with the complicity of global businesses and government officials. More importantly, they show that the maritime sector desperately needs better governance structures and systems of accountability and transparency.

Awareness of maritime issues is low among most African countries. This sea-blindness makes it an ideal industry to target for corruption, as oversight mechanisms are weak. According to the Stable Seas Maritime Security Index, most African countries received a low rule of law score due to their weak judiciary and legislative branches. Poor governance in remote coastal areas and a lack of capacity to oversee the entire coastline are also factors.

Maritime governance is defined as the ability of a government to effectively control its maritime domain through actions and partnerships with private, non-governmental and international stakeholders. This mix of players makes the shipping and ports industries particularly vulnerable to graft. A 2019 study by the Eastern and Southern Africa Anti-Money Laundering Group identified the transport and storage sectors as arguably the most prone to corruption.

There are several forms of fraud and corruption in the maritime sector. Under-invoicing is a common type of fraud whereby the importer asks the exporter to declare on the invoice that the goods are of lower value than the actual sale price. Corruption can involve facilitation payments to customs officers to allow illegal goods through or turn a blind eye to specific procedural requirements. Bribes are also paid to gain contracts, affect quota allocation or influence tenders. These forms of grand corruption often involve international businesses and government officials and are widespread in the fishing industry. According to the United Nations Office on Drugs and Crime, most countries haven’t undertaken even a basic corruption risk assessment of their fishing industries, leaving them vulnerable.

This was evident in the Namibian Fishrot scandal, where a former government minister demanded bribes in return for a fishing contract in the country. Members of Namibia’s ruling party have channelled millions of dollars in exchange for fishing quotas allocation. In South Africa, senior fisheries department officials have been accused of colluding with a private company, allocating tenders for processing and exporting abalone.

Corruption allegations have also been levelled at South Africa’s Department of Mineral Resources and Energy for its award of the Risk Mitigation Independent Power Producer Procurement Programme tender worth around R225-billion. In its court application against the department, DNG Energy alleged corruption that saw its rival Karpowership SA emerge as a preferred bidder, obtaining the majority share of the 2,000MW programme. After the case was dismissed in court, Parliament’s portfolio committee scrapped its investigation into the matter.

Mozambique’s Hidden Debt scandal – centred on the maritime industry – exceeded all previous corruption cases in the country in scale and impact. The scheme involved three companies securing international loans based on their role in the maritime sector. The loans cost the country an incurred off-budget expenditure of around US$2.2 billion, increasing Mozambique’s debt to untenable levels. According to the United States Department of Justice, kickbacks and bribes from maritime projects in 2018 amounted to more than US$200 million. Among those indicted were two executives of a shipbuilding company, three former senior Mozambican government officials and three former London-based investment bankers.

Along with the financial costs, the scandal wrecked Mozambique’s reputation as an investment destination and saw funds squandered that should have been used to improve education and livelihoods. Namibia’s Fishrot scandal also damaged the country’s image regarding corruption, and the kickbacks and bribes deprived local fishing communities of potential economic benefits.

A critical vulnerability associated with lucrative maritime contracts is the lack of transparency in the sector. This needs specific attention, along with more general anti-corruption measures. African governments that have signed the United Nations Convention against Corruption must take the next step and implement it. This is vital for establishing procurement systems based on openness and accountability. Financial disclosure systems to help scrutinise public officials’ assets must be improved. And countries should adopt ‘beneficial ownership frameworks’ that allow for investigations of assets held by private individuals or companies doing business with the state. And of course, high-profile suspects must be prosecuted to dismantle criminal networks and act as a deterrent.

Anti-corruption and anti-bribery training for government officials should include awareness about maritime governance. Electronic communication and digitisation, which removes the human factor, can reduce opportunities for fraud at a practical level. In the maritime sector, especially at ports, digitisation could improve governance and efficiency, although it does come with new risks.

The Southern African cases show that Africa’s maritime sector is vulnerable to corruption and fraud on a transnational scale. Public and private players need to examine and strengthen their maritime governance structures to reduce



PRESS RELEASE

Emergency numbers which should be saved on your phone

Emergency situations are traumatic, and understandably so. When things go wrong, it is perfectly natural to panic and not think clearly. Remembering an emergency telephone number could therefore be a very tough ask at that point in time.

“Make sure that the most important emergency contact numbers are pre-programmed on your phone, or listed on a piece of paper where anyone in the house can easily see it,” says Charnel Hattingh, Head of Communications and Marketing at Fidelity ADT. These numbers are not all necessarily for emergency services or for police, she adds. “It can also include people you trust, to know that they will come to your aid when you need them.”

Hattingh recommends the following numbers to be saved or put on a list on the wall:

• The closest police station. Ask them if they have specific contact numbers allocated for certain clusters, especially when you are living in relatively big policing districts.
• The closest fire station and hospital.
• Your neighbourhood watch organisation.
• If your town or city has a law enforcement or municipal policing service, add their contact details to the list.
• The contact details for your armed response company’s monitoring centre. This is helpful in cases where you need to cancel a possible false alarm. Fidelity ADT Johannesburg and Outlying areas is 086 12 12 401 for emergencies and Fidelity ADT Pretoria is 086 12 12 501 for emergencies. Some towns also have special community contact centres in operation, which work alongside the SAPS and local governments to coordinate emergency calls.
• The names and numbers for your neighbours.

“Putting this list of numbers together can give you a great sense of certainty, knowing that you have the correct contact details available when something goes wrong. Parents can also help their kids be a lot safer and security conscious by teaching them how to remember these important numbers,” says Hattingh.

Charnel Hattingh, Head of Communications and Marketing at Fidelity ADT.



PRESS RELEASE

QR payments find favour with businesses and consumers, drives new innovation

Although already on a steep adoption curve, Covid has fast tracked many organisations’ digital payments strategies. QR codes in particular are finding favour amongst major South African banks. Capitec’s most recent peer2peer (P2P) account-based payment offering is the latest that Entersekt has helped roll out. And the company says the payment method is likely to continue gaining traction both locally and abroad.

Juniper Research expects almost a third of the world’s population, or 2.2 billion people, to adopt QR payments by 2025. The research company goes on to say that while the payment method is showing particularly strong growth in emerging markets, QR payments are also showing potential in other markets, including the US.

“QR payments are ideal for the South African market. Local customers have shown that they are eager to try new and more convenient payment methods, particularly if they are mobile-based, and even more so if they are within their existing banking app. These truly contactless payments also make excellent business sense for banks and we have seen strong interest from financial service providers in South Africa and abroad,” says Jonathan van der Merwe, product manager at Entersekt.

Entersekt helped roll out Nedbank’s first-in-market Scan to Pay function in 2018. The payment offering allows Nedbank Money App users to pay any physical or online retailers who offer MasterPass, Snapscan, Pay@ or Zapper QR codes. Partnering with Entersekt, Absa launched its in-app QR payment option in April 2021. The QR offering was on the back of a host of other digital payment additions including Apple Pay, Samsung Pay, Garmin Pay and Fitbit Pay as well as their virtual card. The bank also added its digital fraud warranty to the product, signifying its comfort in the security of the payment option. Most recently, Entersekt and partners helped Capitec enable their new PayMe QR offering which is a peer2peer account-based offering.

“Our digital payments solution supports the market across a wide range of use cases, including QR and clickable payment links across both card and account rails. We are seeing a lot of interest in this offering as it means customers can pay with their card or through their bank account, which is new in the market.”

The user experience is central to the success of the QR payments solution, van der Merwe explains, because it “creates confidence in the payment experience. Customers will have the exact same user journey each time they want to pay someone or a merchant using the QR payment option.” This unified experience is key in driving down friction in the payment process, he explains.

“A consistent user experience also helps drive adoption. Because customers experience a journey under the same brand within their app, they have an innate trust in the process. The process is so quick and simple — customers don’t have to remember information, they don’t need to input account numbers or names, they don’t have to create a beneficiary. Without logging into the app, customers can create a code that others can scan, and payments can be made. The user experience is so simple that customers will quickly get hooked on this payment method,” he says.

Van der Merwe says the versatility of QR payments is also helping drive the adoption of the payment method globally. “Keeping the QR functionality in-app is another reason to get customers to download and use banking apps, which in turn helps banks speed up their digitalisation efforts. It’s no surprise that interest in QR payments is quickly growing amongst global banks and organisations looking to use QR to initiate other digital experiences. By using our QR solution, banks can enable quick payment actions as customers would have been validated using two-factor authentication at login. Our QR roadmap is rapidly expanding as we see the demand for the technology increase,” van der Merwe concludes.

About Entersekt

Entersekt is a leading provider of strong device identity and customer authentication software. Financial institutions and other large enterprises in countries across the globe rely on its multi-patented technology to communicate with their clients securely, protect them from fraud, and serve them convenient new experiences, irrespective of the channel or device in use. They have repeatedly credited the Entersekt Secure Platform with helping to drive adoption, deepen engagement, and open opportunities for growth, all while meeting their compliance obligations with confidence.



PRESS RELEASE

Bridging the great divide between operational and information technology

Most enterprises know that cyberattacks in the information security realm are continuously growing in sophistication, severity and number. However, up until now, many organisations that run plants, factories, pipelines and other infrastructure have paid less attention to the threats they face in the realm of operational technology (OT).

By Paul Lowings, Security Executive at new-age solutions and systems integrator, +OneX.

The future of companies, and therefore the economy in general, is today directly related to their ability to successfully transform digitally. Along with exploding technology innovations and the pressure of a global pandemic, this transformation was accelerated in South Africa during 2020/2021, and our skills need to evolve along with this shift.

Recent global, OT-focused cyberattacks highlight why South African utilities, manufacturers, oil and gas companies and other organisations that run industrial infrastructure would be wise to take note of the growing range of cyber threats faced by their OT systems and infrastructures. In one example, an intruder breached a water treatment plant in Florida in the US. The attacker briefly increased the quantity of a corrosive chemical called sodium hydroxide in the water from 100 parts per million to 11,100 parts per million before an operator intervened. In another, cybercriminals launched a ransomware attack on the Colonial Pipeline, which disrupted a major supply of fuel to the East Coast of the US for a week in May.

As these examples show, OT attacks can be even more serious in nature than information security breaches because of the level of economic upheaval, supply chain disruption and human harm they can cause. This has prompted Gartner to warn that attackers may have ‘weaponised’ OT environments to hurt or kill people by 2025. Gartner says that threats to OT environments have evolved from process disruption threats like ransomware to a more alarming type of attack: compromising the integrity of industrial systems. Let’s look closer at what OT security is, before delving into why OT threats are growing and what organisations can do about it.

Defining OT and OT security

OT is the hardware, software and other technology used to monitor and control physical processes, devices, and infrastructure. Examples include the Supervisory Control and Data Acquisition (SCADA) systems used to manage processes such as water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, and electric power transmission and distribution, or to monitor and control manufacturing processes on a production line. By the Gartner definition, OT security is “Practices and technologies used to (a) protect people, assets, and information, (b) monitor and/or control physical devices, processes and events, and (c) initiate state changes to enterprise OT systems.”

There is a maturing toolbox of specialised OT security solutions, including firewalls, security information and event management (SIEM) systems, identity access and management tools, and early-stage threat detection and asset identification solutions that companies can implement to enhance their cybersecurity posture. Yet OT security remains neglected in many organisations because the engineers in the OT environment usually don’t have much background in cybersecurity, while IT teams tend to regard OT as outside their responsibility and core competence. On a technical level, OT uses vendors, technologies, platforms and protocols that are unfamiliar to IT professionals. Plus, OT networks were, in the past, run independently of IT networks and were usually not connected to the Internet.

Misconfigured networks and Internet exposure brings threats to OT

The only way a hacker could access OT systems was if they could get to a physical terminal that controlled them or if a misconfigured network allowed access between the IT and OT environments. However, that all started to change 10 to 15 years ago as more OT systems started to be connected to the Internet, with the goal of gathering data to drive analytics and create new business efficiencies. Along with the benefits of converging IT and OT networks, and connecting OT to the Internet, this trend has exposed OT to a growing range of cyberthreats.

Yet even as OT and IT networks converge, the two disciplines tend to run as completely separate functions with little sharing of information. This is somewhat understandable, given how different IT and OT security are in practice: IT cyberattacks are more frequent, OT attacks are more destructive; and IT systems tend to be upgraded and patched more often than OT systems.

In the world of the Fourth Industrial Revolution, it is clear that OT will become more digital in the years to come. Even though there are many differences in the risks, objectives and operating models for OT and IT, there are clear benefits to getting the teams responsible for each into closer alignment. In so doing, the C-suite gets a better sense of the overall risk and threats the business faces and who should be accountable for managing them. Gartner recommends that enterprises align their standards, policies, tools, processes, and staff between the IT and the business to the changing OT systems. This is called IT/OT alignment, and it is about crafting a strategy that spans the security lifecycle, from the production floor up to the enterprise.

Getting started

Given the lack of visibility that most organisations have into their OT environment, the place to start with a coherent OT strategy is with a risk and vulnerability assessment. There are powerful tools to help enterprises identify assets that could be affected by cyber-risks, so they can prioritise controls and responses. Since most companies lack in-house skills that straddle the divide between IT and OT, they can often benefit from the skills of a systems integration partner that knows both worlds.



PRESS RELEASE

Tips to secure your business against cybercrime in the cloud era

The cloud is very attractive to South African businesses. It provides flexible and agile technology — ideal for companies keen to digitise, automate and innovate. Cloud models inherently use operational funding, creating better cost control and reducing up-front investment risks.

Above all, a business can choose what to own and rent: when you use a service such as Office365 or AWS virtual machines, you can own your business data but not the underlying email servers and software, reducing maintenance and skills costs.

“Cloud technology is revolutionary,” says Brendan Kotze, Chief Development Officer for cybersecurity company, Performanta. “It makes business strategies more flexible — they can pick what technologies they need on favourable terms, and they can scale up and down as their needs change.”

Local, state-owned enterprises, public and private enterprises, and SMMEs flock to the cloud. A 2020 report from cloud vendor Nutanix claims that 88 percent of local enterprises consider hybrid cloud ideal for their organisation. Software giant SAP reports that the local cloud market had doubled in the past three years, with mid-market companies leading the charge. And a 2021 study by World Wide Worx reveals that cloud technologies made an overwhelmingly significant contribution in dealing with the Covid-19 pandemic.

The cloud security conundrum

But there is a dark side to cloud computing. As companies switch to cloud systems, they reduce reliance on carefully engineered security systems, says Kotze.

“Traditional security operates like a castle. It has deep moats, high walls, and access is checked at the gates. You distinguished between what was inside and outside your technology castle. Cloud technologies are decentralised — you might have a server at your premises, backups on a cloud server, and your employees use a remote third-party collaboration service such as Slack or Teams. You cannot control that in the same way you used to apply security. It’s a very significant risk for companies,” says Kotze.

Decentralised technology infrastructure, remote work and increased reliance on user devices create new criminal attack opportunities. Cybercrime activity has surged since 2010 as decentralised technologies take centre stage. The pandemic’s shift to hybrid workplaces prompted an additional jump in cyber-attacks.

In 2013, the US retailer Target was hacked, compromising around 40 million people’s details. In 2021, criminals breached a vendor called Solarwinds, compromising over 30,000 companies. In the same year, ransomware attacked business operations at the Colonial Pipeline in the US, shutting down energy delivery for most of the country’s East Coast. Though not all such hacks are cloud-specific, the decentralised models that underpin cloud technologies have encouraged criminals.

Cloud security: what to know

Companies can secure the cloud in draconian ways. They could force employees and customers to change passwords daily, use multiple firewalls and virtual private networks, and operate on locked-down devices. But such measures have a very negative effect on productivity, says Kotze.

“It’s important to strike a balance between cloud security and access. If you don’t, you make it much harder for people to do their jobs. You also put an enormous support burden on IT staff who have better things to do with their time and qualifications. And ultimately, you can end up with overly rigid systems and protocols. You might as well get rid of spreadsheets and take up paper ledgers again.”

Yet a balance is possible with the proper security practices. Kotze provides the following tips to create effective business cybersecurity:

• Zero trust: Zero trust security is a framework that looks at every digital activity with suspicion. Is a user meant to copy that file? Should a specific account log in at unusual times? Just as credit card companies flag suspicious transactions, zero trust security does the same, using automation and artificial intelligence to respond quickly. Every business should look for zero trust features in its security.
• Shared responsibility: Security shouldn’t be outsourced entirely. A third-party cloud provider cannot take care of all your security needs. Major cloud platforms such as Microsoft Azure and Amazon Web Services have excellent security. But you must still strategise and coordinate your security, preferably with the help of a security executive or manager.
• Top-down strategies: Security is a living ecosystem that evolves as business needs change. In a digital economy, business operations and strategy align closely with technology. Security is not exempt and requires guidance through risk, governance, compliance and policy. Such elements have to originate from the highest levels: the board, chief officers and senior management.
• Employee inclusion: Train and include employees in security conversations. If not, they can fall prey to criminals through extortion and mimicking trustworthy people. Employees will also find ways around safeguards if the latter stop them from being productive, a phenomenon called Shadow IT, i.e. employees use unauthorised services, such as sharing files through private Gmail accounts.
• Go beyond audits and compliance: Meeting compliance requirements, such as the Protection of Personal Information Act (POPIA) or PCI (Payment Card Industry) compliance, reinforces security. But it’s not sufficient. Nor is passing an audit. Cybercriminals are motivated and creative. They will exploit any resulting gaps due to the tension of a dynamic workplace and rigid bureaucracy.
• Create visibility: Business systems can be complex, utilising multiple vendors and service providers. Monitoring such environments is very cumbersome. It’s crucial to consolidate visibility and reporting of different technology components, not to mention cheaper than the millions needed to repair damage from an attack.
• Security Partners: Companies can work with security consultants to craft strategies and cost management. They can use managed security service providers: companies that invest in scalable security skills and software. A security partner with a proven track record and references can manage security operations, leaving the business to focus on security strategy.



PRESS RELEASE

Inadequate protection leaving insured vulnerable to fraud

SA’s insurance industry has access to a large amount of personal info, but in many cases this is currently only secured by a username and password, which is woefully inadequate to protect people from identity theft and account takeovers.

Insurance industry discovers multi-factor authentication good for more than just security

The insurance industry has always been quick to secure their customers’ assets — after all, their business depends on it. In today’s data-driven era, however, the world has come to realise that personal and financial information can be as valuable and therefore requires the same care when it comes to security.

Traditionally, banks have excelled at protecting their customers’ information and access to their funds. Many business leaders in other industries, however, insurance included, do not yet fully understand the value and extensive operational benefits that come with embracing multi-factor authentication (MFA), says global authentication expert, Entersekt.

“When compared to the bigger banks, many insurance companies tend to be in the earlier phases of their digital transformation journey. Until now, the key driver for insurers has been to enable self-service customer channels. But to achieve this, there must be layers of security installed on their digital platforms to ensure that customers accessing system information are who they say they are. More than just protecting transactions, such as claims payments, insurance leaders must also take a close look at how robust their security is when it comes to keeping fraudsters from accessing personal information,” explains Pieter de Swardt, Senior Vice President: Sales Operations at Entersekt.

De Swardt goes on to explain that the broader insurance industry has access to a large amount of personal information that, if in the wrong hands, can easily be used to defraud patients. In many cases this sensitive information is currently only secured by a username and password, which is woefully inadequate.

Protecting the whole ecosystem

The insurance industry has a fairly large ecosystem and when it comes to protecting personal information, business and security leaders need to give thought as to how they will ensure that all the necessary checks and balances are in place throughout that ecosystem.

“Not only are we getting more enquiries from insurance companies themselves, but also their service providers, including brokers, doctors, pathologists and others. By having access to patients’ personal information, the risk profiles of service providers are increased, causing them to seek stronger security measures to mitigate operational risks,” de Swardt shares.

De Swardt explains that this requirement is also driving the adoption of multi-factor authentication across the broader insurance ecosystem. Focusing on security as a foundation and enabling strong authentication is the first step to securing data, according to De Swardt. Strong authentication to prove who is accessing the data is a must, as well as a system that is optimised to detect if an imposter is attempting to access user information.

Multi-factor authentication (MFA) is an effective way to control access to data by requiring a user to present credentials from at least two of the following categories: something only they know, such as a PIN; something only they have, such as a smart card or mobile phone; and something the user is, which includes biometric data. By requiring at least two, or a combination of these authentication factors, MFA makes it extremely difficult for a hacker to access the data.

De Swardt also points to the very large reputational risk that comes with a data breach, especially in healthcare, which can be exceptionally costly. In the US alone, more than 40 million patient records were compromised in 2021, with some hospitals facing damaging legal action as a result. This has placed a spotlight on the very urgent need for the entire healthcare sector, including the many health insurance companies working closely with the hospitals, to better protect user data.

“The sensitivity of medical information means a data leak can be catastrophic for a healthcare company, and rightly so. Our personal information is valuable and should be protected. While there is a need to ensure a low-friction environment for authorised professionals, it is vitally important that providers do everything possible to protect their customers’ data.”

So much more than just security

De Swardt goes on to explain that far more than just providing strong security, MFA can impact operational efficiencies as well.

“Call centres are very important channels in the insurance and healthcare space. Multi-factor authentication methods can be used effectively to drive down time spent verifying callers and establishing positive caller ID. Rather than clients having to go through a raft of knowledge-based questions, agents can quickly send a mobile identity request via a push notification, which the customer can accept and then the call can proceed. This streamlined process significantly reduces the time an agent has to spend verifying a caller, and at the same time, drastically improves the customer experience,” he explains.

What’s more, de Swardt adds that using MFA in call centre engagements also ticks a very big regulatory box since there is an auditable record of each customer interaction. These iron-clad records also cut down on the number of disputes where customers claim they didn’t authorise actions, when in fact, they did.

“It’s hard to deny the benefits of a security solution that can have such a positive effect on the user experience,” de Swardt concludes. “Some of our clients are saving countless operational hours and, at the same time, their end-customers benefit from stronger security with a better user experience. The right solution can truly be a win-win.”

About Entersekt

Entersekt is a leading provider of strong device identity and customer authentication software. Financial institutions and other large enterprises in countries across the globe rely on its multi-patented technology to communicate with their clients securely, protect them from fraud, and serve them convenient new experiences irrespective of the channel or device in use. They have repeatedly credited the Entersekt Secure Platform with helping to drive adoption, deepen engagement, and open opportunities for growth, all while meeting their compliance obligations with confidence.



PRESS RELEASE

Drug testing in the workplace — keep it as consistent as alcohol testing

As much as alcohol testing has become an expected legal requirement for road safety and workplace safety, the impact of drugs is still largely overlooked.

By Rhys Evans, Managing Director at ALCO-safe.

It is important to remember that the effect of drugs in the workplace is just as dangerous as alcohol. The need for workplace drug testing is therefore equally critical as drugs impair an individual’s ability to perform tasks by affecting depth perception and reaction time. This could result in a serious work-related injury (or even death) if the use of drugs goes unnoticed in the workplace. Simply including a random drug testing policy and procedure to ensure health and safety protocols are covered is not enough. Businesses need to implement drug testing on a consistent and regular basis in order for it to be truly effective, and it should be treated as equally important as an organisation’s alcohol testing schedule. As the country’s vaccination levels rise and more people return to the workplace, health and safety measures that focus on intoxicating substance use for employees are going to become increasingly important. Drugs are just as intoxicating as alcohol and can have a massive effect on workplace performance, with the biggest noticeable impact being on the individual’s reliability. Absenteeism becomes increasingly common, along with decreased performance and a lack of motivation when the individual does come to work, often due to a hangover or drug come-down. In the workplace
itself, there is an increased risk of accidents due to impaired concentration. Depending on the drug that person uses, it might make them drowsy, or it might affect their depth perception and decision-making ability.

Keeping substances out of the workplace

Overall, intoxicating substances lead to a decrease in performance, which in turn has a negative impact on production, along with an increased risk of accidents. An increase in accidents means more downtime, which again affects productivity and creates a vicious cycle. Failure to notice a culture of substance abuse in the workplace is not a situation for management to apply plausible deniability. If there are people in a workplace using substances, that kind of behaviour has a tendency to spread unchecked. To keep intoxicating substances out of the workplace, it is essential to have a company policy that communicates clearly that there will be zero tolerance of drugs and alcohol, while detailing the procedures and grounds on which employees will be tested for the presence of substances. Along with this foundational policy that clearly states the consequences of being caught out by means of a breathalyser or saliva test, it is necessary to have mechanisms whereby employees can voluntarily seek assistance for substance abuse problems without fear of punitive disciplinary measures being taken against them. Even if it’s just providing sick leave and referring the individual to a treatment centre, it’s important that businesses handle such situations carefully and with empathy.

Preventative, not punitive

Breath alcohol testing and saliva testing need to happen regularly and visibly if they are to have a deterrent effect in the workplace. People are more likely to be deterred from partaking in intoxicating substances if they know that there is a strong chance they will get caught out at work. In addition to a clear workplace policy, consistent and visible substance testing procedures, and consequences for testing positive, awareness training on the dangers of alcohol and substance abuse is important. Educating employees on the health and occupational risks associated with alcohol and drugs in the workplace is critical to the effectiveness of any safety policy. It’s essential that people understand that the rules are there to keep everyone safe; they’re not there to catch people out and get them fired.



PRESS RELEASE

Orchestrating multicloud: Implementing a strategy that works

VMware Principal Partner and Africa’s only neutral cloud infrastructure business, Routed, says implementing a workable multicloud strategy hinges on a business properly assessing applications within its current infrastructure environment to decide which cloud is ideal for each of its applications.

“This should be balanced against the ability to provide fault tolerance for each application across cloud operators, as well as the integration between applications which might affect decisions to deploy applications together on the same cloud platform, or across multiple cloud platforms,” says Andrew Cruise, Managing Director, Routed. Another equally important consideration is ensuring internal resilience when migrating or developing applications on any cloud platform. “It’s much better to first mitigate risk and avoid downtime caused by relatively minor issues, and only then design fault tolerance or failover between cloud operators in the event of a major downtime incident on one of your cloud operators,” he says. An organisation’s choice of providers should be dictated by their ability to deliver a secure, performant and highly available hosting experience, combined with the required features and functions for all business applications. “Your provider’s credibility and reliability track record should be investigated and their expertise to run your business-critical applications queried,” notes Cruise. He adds that a multicloud approach
does not have to include all cloud operators or indeed any of the hyperscale cloud operators. “Risk mitigation dictates that multiple cloud operators should be chosen, but it should also be feasible for these to use one consistent platform, which is what VMware Cloud has been designed to do.” The benefits of multicloud typically fall into two groups: the first is the value features of each individual cloud, and the second centres on risk mitigation. It’s important to remember that these two groups are inherently in conflict. “By definition, unique platforms, software and functions offered by a specific cloud provider are not offered by the others and therefore it is nearly impossible to load balance or provide cross-cloud resilience for applications that are developed with these toolsets across multiple cloud platforms,” explains Cruise. Achieving resilience requires a lowest common denominator approach, which means using tools, functions and software available across all the cloud platforms in use. “Notably, the exception to this conflict is the VMware Cloud ecosystem: whether hosted in AWS, Azure, GCP, or any of the global
hyperscale clouds, or on a local VMware cloud operator, or on VMware Cloud Foundation on dedicated internally managed infrastructure, a common toolset and software stack facilitates a consistent experience for hosted applications,” he says. While multicloud and its place in digital transformation continue to evolve, Cruise cautions that it may not be suitable for every organisation, and those that do embark on the journey should expect proper implementation to take time. “Cloud hype has progressed from the urgent ‘move to cloud!’ call of a decade ago, to ‘hybrid cloud rules’ five years ago, to the ‘multicloud or bust!’ message of today. Of course, each of these blanket statements has merit but there is no magic silver bullet for a business’s infrastructure requirements. Although the predicted move to cloud has been slower than the experts predicted, I believe that the multicloud story will be slightly more common than niche,” says Cruise.



PRESS RELEASE

Data: The missing puzzle piece for SA business success

The latest South African Chamber of Commerce and Industry (SACCI) Business Confidence Index rose to a three-month high of 94.1, up from 92 in the previous month[1].

This is attributed to the recovery of external trade and retail sales following the easing of Covid-19 restrictions and the end of the travel ban imposed by several countries. However, to continue this upward trajectory, businesses, especially small businesses that are the lifeblood of South Africa’s economy, need to find further ways to improve their sales in 2022 and beyond. Zane van Rooyen, Product Marketing Manager at field sales management CRM and mobile ordering app Skynamo, says that one of the most valuable assets businesses can use is data analytics, but many are not tapping into this gold mine. This is reflected in a survey by McKinsey which revealed that 57% of businesses worldwide are not using data analytics effectively to drive sales[2]. “Accurate data and analysis are crucial for attracting potential customers, closing prospective deals, and empowering teams to make more informed decisions. Information such as shopping preferences, age, gender, occupation, and even marital status gives them the ability to smartly segment their customer base,” says van Rooyen. “Crunching the data will ensure that sales teams segment their customer base in a way that specifically targets diverse groups at varying times on different platforms — a strategy that is bound to bring big benefits.”

Creating unique value propositions

Van Rooyen points out that another key component in creating sales success is to formulate value propositions. “When properly executed, value propositions have proved to give companies the edge over their competitors. However, only a few companies do this well.” “In its most basic form, the value proposition is the “why” someone should do business with you,” he adds. “It’s important to note that it should extend well beyond an added incentive, a catchphrase, or a positioning statement.” Instead, it is a business’ ace, says van Rooyen. “It’s the value it offers that exceeds competitors and positions the company as the solution to its customer’s needs. “It requires a headline, a subhead, the very reason why someone should
do business with you. It is your heartbeat, defining who you are as an organisation.” He says that when a business combines data analysis with its value proposition, it instantly results in a powerful sales tool to unleash. “Consider the scenario: Your sales team has carefully analysed the data, formulated a customer profile, and learned the core value proposition of the company. They are now confident enough to engage or target a customer, knowing the product or service on offer speaks directly to the specific needs of the prospect completely. Their confidence and knowledge of the customer and the product or service are a winning combination,” he explains.

Driving sales team productivity

Creating sales success through data-driven leads is based on a lot of factors, but integrity ranks very high. “It takes a sales team treating every lead with the respect they deserve. It means analysing all the data for each lead, formulating a persona, and doing due diligence. It takes a realisation that each potential lead forms an integral part of the development of the buyer persona you are creating,” says van Rooyen. “Sales teams that conduct a granular analysis of their closed/won and closed/lost opportunities provide valuable insight into what went wrong with a deal and why,” he points out. “It opens the door to discussions on the sales cycle, the process followed, the discussions held with the prospect. Then the most crucial aspect: why the deal tanked. Developing teams to analyse their successes, as well as failures, is an important skill to instil in the overall pursuit of your sales success story.”

Technology paves the way

“Sales success is created by cleverly merging data analysis, lead generation and improved customer experiences,” says van Rooyen. “Businesses that can master this report higher lead conversions and sustained success.” Today technology solutions allow sales teams to spend more time in the field while still balancing the administrative requirements involved in carefully assessing and analysing data, he adds. “Thanks to the fourth industrial revolution, we have field sales apps and
programmes that allow businesses to tap into one of their most valuable resources, data, and now is the time for companies to embrace this or be left behind,” van Rooyen concludes.

About Skynamo

Established in Stellenbosch, South Africa in 2012, Skynamo is a leading field sales technology provider with close to 10,000 users at nearly 1,000 companies across a wide range of industries in Southern Africa, Australasia, the UK, Europe and the US. Skynamo’s field sales mobile app and cloud-based management platform are used by manufacturers, wholesalers and distributors with sales teams in the field, selling products to an existing base of customers. Skynamo integrates with a wide range of ERP and accounting software to improve order accuracy and fulfilment. Skynamo was named Sage ISV Partner of the Year for 2019 (Africa & the Middle East) and an Acumatica Certified Application and Customer Verified Application. Skynamo received $30 million in funding from US-based software investment firm Five Elms Capital in 2020 and forms part of the Stellenbosch-based Alphawave group of software and electronics companies, with more than 100 employees in South Africa, the United Kingdom and the United States.



LAW & SECURITY

Data theft by employees

Theft of data by employees: POPIA, IP, and competition law implications

Employees stealing personal information and other sensitive data from their employers can be a serious problem.

By Charles Kinnear, Era Gunning, Nicole Gabryk, André J Maré and Jeremy de Beer.

The theft of confidential company information has been on the rise since the start of the global coronavirus pandemic, where the move to the digital world and working from home have resulted in less stringent safeguards to protect information than would otherwise exist in the office. While the motive may arguably be admirable in this context, it does raise a broader question: what can employers and other affected parties do when their sensitive information is leaked, stolen, or otherwise compromised? Well, like with all legal questions, the answer depends on the facts and circumstances.


Crime of theft

When an employee steals information, the obvious answer may be to lay a charge of theft. However, it is not as simple as this. Theft requires an intention to permanently deprive an owner of their property, in this case, information. If an employee were to steal physical documents, or a hard drive, this would be sufficient to sustain a charge of theft, as confirmed in the case of Rex v Cheeseborough, where two former employees of the complainant firm stole two documents belonging to the complainant company and then joined a new firm, a competitor with the complainant firm. Where an employee copies the information and later distributes those copies, the employer has not been permanently deprived of their property. Although an argument could be made that the copies are also the property of the employer, and as such, theft of such copies is still theft as the employer has been permanently deprived of those specific copies, it is likely more advisable to pursue a copyright claim against the wrongdoers where there has been unlawful copying of information.

Copyright infringement

A copyright infringement can have both civil and, in limited circumstances, criminal consequences. In terms of the Copyright Act, 1978, an employer would be able to
pursue a civil claim for copyright infringement against an employee that unlawfully copies information protected by copyright where the employer is the owner of such copyright. This position is protected in statute under the Copyright Act with ownership generally determined by the type of work involved, while employers are also strongly advised to include terms to this effect in employment agreements, thus removing any doubt whatsoever regarding ownership in works of copyright. These works would generally include documents, reports and the like created by the employee in the course and scope of their employment, but this will depend on the specific employee’s role and may also include artistic works or computer programs/software. A criminal case is also possible, as per the usual process of reporting criminal conduct to the police and ultimately having it prosecuted by the National Prosecuting Authority. Section 27(1)(f) of the Copyright Act provides that “any person who at a time when copyright subsists in a work, without the authority of the owner of the copyright, distributes for any other purposes to such an extent that the owner of the copyright is prejudicially affected, articles which he knows to be infringing copies of the work, shall be guilty of an offence”. The Copyright Act further provides that the penalty for such an offence, if it is a first conviction, is a fine not exceeding five thousand rand or imprisonment for a period not exceeding three years, or to both such fine and such imprisonment, for each article to which the offence relates. In the case of a subsequent offence, the penalties increase to a ten thousand rand fine and five years’ imprisonment.

The delict of unlawful competition

Another potential avenue, in parallel to pursuing a copyright infringement, would be to rely on the delict of unlawful competition. This claim can take many forms, including the misappropriation of confidential information or trade secrets, that is, using or disclosing information that is useful, not publicly available and has commercial value which was imparted or received in confidence, often in a fiduciary or employment relationship. This would require proving all the usual elements of a delictual claim, namely, wrongful conduct of a competitor using or disclosing confidential information, which has caused harm to the owner of that information, and that such conduct
was intentional or negligent. It is, in essence, much the same as a general civil claim for damages.

The Competition Act

The disclosure of competitively sensitive information to a competitor may also constitute a contravention of the Competition Act, 1998. Generally, competitively sensitive information includes information about an entity’s pricing, trading terms, customers, costing, strategy, innovation, profitability, marketing, etc. that is not in the public domain and that affects its competitive offerings. Where an employee of a firm provides competitively sensitive information to that firm’s competitor, this may constitute a contravention of section 4(1)(a) of the Competition Act, which provides that “an agreement between, or concerted practice by, firms or a decision by an association of firms, is prohibited if it is between parties in a horizontal relationship and if it has the effect of substantially preventing or lessening competition in a market, unless a party to the agreement, concerted practice, or decision can prove that any technological, efficiency or other procompetitive, gain resulting from it outweighs that effect”. An exchange of competitively sensitive information may contravene this section insofar as it may remove strategic uncertainty from competitive decisions for one or more parties and the removal of the strategic uncertainty may lead to the softening of competition, i.e. tacit collusion. What will become important is whether the employee responsible for leaking the information has actual or ostensible authority to represent the firm concerned and to agree and bind it to participation in the cartel activities. Where an errant employee is on a frolic of their own, and there is no actual or ostensible authority for their conduct, there will be no basis for imputing liability to the firm. An example of this would be where the wrongdoer’s employment with the firm concerned was terminated before the wrongdoer leaked the information. In such instances it is unlikely that a contravention of the Competition Act would be sustained. The Competition Act is generally aimed at preventing collusive conduct between competitors rather than corporate espionage. Where a firm has its confidential information leaked to a competitor by a disgruntled employee, and that competitor is conferred a competitive advantage thereby to the victim firm’s
detriment, this conduct is not truly within the focus of the competition authorities as it does not involve any collusion. However, this will once again turn on whether the employee had actual or ostensible authority at the time of the disclosure. It is worth noting that in the case of Ferro, the Competition Tribunal dismissed an application in terms of which Ferro (Pty) Ltd sought to change various merger conditions requiring divestiture on the grounds that a former employee allegedly stole certain confidential and competitively sensitive information being used to unfairly compete with Ferro. The Tribunal held that Ferro’s recourse was with the High Court as the theft of information was not a competition issue, and that ‘the kind of information exchange that is prohibited by section 4 [of the Competition Act] is usually a voluntary exchange between competitors collaborating to avoid competition between them’.

Monitoring communications to detect theft under RICA and POPIA

Organisations often wish to monitor their employees’ work-related communications to establish whether confidential information is being leaked or stolen. To this end, the application of the Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (‘RICA’) and the Protection of Personal Information Act, 2013 (‘POPIA’) should be considered. RICA, among other things, places restrictions on companies wishing to monitor telephonic, e-mail and other communications of employees at the workplace. In terms of section 5, such communications may be monitored if one of the parties to the communication gives written consent thereto. Under section 6(1), the monitoring of communications is also permissible if these communications have been made ‘in the course of the carrying on business, in the course of its transmission over a telecommunication system.’ Section 6(2) sets specific requirements to do so, including that the CEO must have made all reasonable efforts to inform the relevant employee in advance of such monitoring or the employee’s expressed or implied consent has been obtained. In terms of POPIA, it is important to note that ‘the criminal behaviour of a data subject to the extent that such information relates to the alleged commission by a data subject of any offence’, such as alleged theft of data,
would constitute special personal information that may not be processed unless, for example, the employer has obtained the consent of the relevant employee. Reading RICA and POPIA together, employers should consider obtaining consent from employees to monitor communications within the scope of their employment.

Cybercrimes and POPIA violation

Section 22 of POPIA imposes a mandatory security compromise notification obligation ‘[w]here there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person’. The theft of personal information by an employee and subsequent disclosure thereof to unauthorised third parties would invariably trigger a reporting obligation to the Information Regulator and, as a general rule, affected data subjects. The employer may be held vicariously liable for loss caused by its employee’s data breach. In the UK Supreme Court decision of WM Morrison Supermarkets plc v Various Claimants, Morrisons Supermarket was sued by a number of its employees on the basis that it was alleged to be vicariously liable for a data breach caused by the malicious conduct of a disgruntled employee in terms of the UK Data Protection Act, 1998 (‘DPA’) on which POPIA is closely modelled. In this case, Morrisons suffered a serious data breach when the payroll data of nearly 100,000 employees (including names, addresses, dates of birth, national insurance numbers and bank details) was posted online by a disgruntled Morrisons employee. The data breach had serious implications for Morrisons’ share price, and a number of employees (whose data had been leaked) brought proceedings against Morrisons for damages. While the court ultimately found that Morrisons was not vicariously liable, in that the employee had not been furthering Morrisons’ business, but rather pursuing a personal vendetta, the South African courts are likely to make a different finding, based on the decision in the Supreme Court of Appeal in Stallion Security (Pty) Ltd v Van Staden, where the court found the employer to be vicariously liable for the actions of the employee and ordered the employer to pay damages, in circumstances where the employee acted intentionally and ‘entirely for his own purposes’.

Importantly, POPIA makes provision for a form of statutory vicarious liability for employers, in the event of a contravention of the Act by any of its employees. Section 99(1) of POPIA provides that a civil action for damages may be instituted against the responsible party [the employer] irrespective of whether there is intent or negligence on the part of the responsible party. In addition, in terms of section 109(3), when determining an appropriate administrative fine for criminal offences under POPIA, the Information Regulator is obliged to consider various factors, including whether the responsible party [the employer] or a third party [the employee] could have prevented the contravention from occurring, or whether there was any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information.

Breach of contract

Lastly, it bears mention that the simplest remedy may take the form of a breach of contract. This could take several forms, depending on whether the party leaking the information is still an employee of the victim firm at the time of the leak. Where there is still an employment relationship, the breach of trust occasioned by the employee’s misconduct in leaking the information would likely serve as grounds for dismissal. Where the employee has already left the employ of the victim firm, it may still be a breach of contract in respect of various clauses which survive the termination of the employment contract, for instance, confidentiality clauses, which are generally drafted to survive the termination of employment and are enforceable even after an employee leaves their role. Another example would be a restraint of trade clause, which generally remains enforceable against an employee several years after their employment has been terminated, in order to prevent that employee from competing unfairly with their former employer. In order for such a restraint to be enforceable, there must be a protectable interest, which our courts have held includes trade secrets. As such, it would be possible to claim damages for breach of contract in these instances. Ultimately, a claim for breach of contract will depend on what was agreed to between the affected firm and the wrongdoer.

Other

A recent report by cybersecurity software company Code42 found that when workers walk away from their jobs they’re increasingly bringing home sensitive company data, and found that there was a 40% increase in ‘data exposure events’ between the first half of 2020 and the first half of 2021. Facebook was recently thrust into the spotlight when ex-employee Frances Haugen leaked vast amounts of damning internal research to the US authorities and the press, detailing how Facebook knew its sites were potentially harmful to young people’s mental health. Be safe and secure.



SECURITY IN ACTION

The Hologram Image Register (HIR), which is the secure registry of holographic images, established by the International Hologram Manufacturers Association.

An image of a hologram.

Improvements deliver faster access to hologram image register

The Hologram Image Register (HIR) – the secure registry of holographic images, established by the International Hologram Manufacturers Association (IHMA) to safeguard hologram copyright and underpin the use of holograms in authentication and security printing – has received its first major makeover since its launch in 1993.

The HIR is the only system of its type for the authentication community. The centrally held global database of secure holograms is operated on behalf of the IHMA by the Counterfeiting Intelligence Bureau under the strictest confidence and security that supports ISO 14298*. It enables hologram manufacturers and producers to verify that their hologram design, or elements of a hologram design, do not infringe copyright or allow the unintentional copying of existing security holograms. The image registration is completed once the design has received clearance. The HIR is also available to law enforcement agencies to check for the provenance of a design when they need information on a suspect hologram. The changes are designed to improve user efficiency and effectiveness by enabling faster online registration and copyright checking of hologram designs, and came into effect in February 2022. The streamlining of the Copyright and IP section of the HIR secure portal offers distinct advantages to IHMA members. It
will further and significantly reduce the time taken for registration, which is a fully online process where artwork is submitted electronically to provide quicker design checks. The hologram manufacturer submitting a design search will be expected to have the authorisation of their customers to use copyrighted artwork provided for use in the final hologram. This is achieved by acceptance in the portal of Warranties and Indemnities to that effect, significantly speeding up the whole verification process and ensuring copyright/IP is clearly identified and protected for all parties. IHMA chair Dr Paul Dunn said: “The new, easier-to-use features are a beneficial step forward, representing a significant update and redesign of the HIR requirements. These reflect more accurately the way current holograms are designed and used, undoubtedly facilitating an increase in the registration of images and securing their integrity.” The HIR includes more than 10,000 registrations, a number that is growing by the day. It has helped to prevent numerous attempts to source copy holograms, and has also helped to confirm that a suspect hologram was, indeed, a fake, which in turn has led to arrests and prosecution of the counterfeiters. Moreover, registration of a hologram design with the HIR is increasingly a pre-condition of tenders and procurement, particularly by government bodies such as central banks, revenue authorities and passport issuers, as well as brand owners.

*ISO 14298 – Management of Security Printing (and Security Foil) Processes specifies requirements for the management of security printing processes. Its goals are:
• To improve the security for the industry in regards to security printing and aid the fight against fraud and forgery
• To reduce trade barriers by encouraging uniform practices around the world
• To satisfy clients’ increasing security needs

Issued on behalf of the IHMA by Mitchell Halton Watson Ltd. For further details contact: Andy Bruce on +44 (0) 191 233 1300 or email andy@mhwpr.co.uk



CYBER SECURITY

SA’s industrial challenge: limited resources to respond to unlimited cyberthreats

As South African business and industry become increasingly connected to the rest of the world through the cloud – whether it’s for operations or manufacturing – local enterprises need to consider the less desirable consequence of being connected to colleagues, suppliers, and service providers all over the world: vulnerability to cybercrime.

By Carlo Bolzonello, country manager for McAfee Enterprise in South Africa.

While these technologies offer the benefits of remote support, preventive and just-in-time maintenance reporting, and company-wide visibility into production status, many local organisations are having to adapt legacy operating systems and ‘plug’ them into the cloud to achieve the economies of scale required by their parent organisations. These legacy operating systems are often no longer supported by their original vendors, and manufacturers are often hard-pressed to keep control of their budgets and want to sweat their assets for as long as possible.

Neglecting to take a comprehensive and wide-ranging approach to cyber security in manufacturing leaves industrial companies open to two types of attacks: ransomware and the theft of intellectual property.

Ransomware often enters the organisation through a seemingly innocent route — often a ‘recruiter’ offering employment, or a ‘researcher’ conducting a survey that requires an exchange of information. Ransomware mercenaries use these interactions to install malware that hobbles or halts production, and, much like in a kidnapping, hold the system ransom until a fee is paid. When losses in production amount to hundreds of millions of dollars a day, it’s often quicker and easier for businesses to just pay the ransom to have control of their facilities returned — but they can seldom be confident of the integrity of their environment going forward, and they’ve let the malevolent actor know that they are a potential repeat target.

Intellectual property theft is most often a slow, methodical type of attack that frequently goes unnoticed until a business notices that its competitors have gained access to product design or other information that previously gave it a competitive edge. It’s not always competitors that are guilty of this kind of cybercrime — there are cyber mercenaries for hire who first research their target, reading publicly available reports and identifying opportunities to access information that can be sold to the highest bidder.

The complexity of attacks continues to evolve, and with many nation states adopting a ‘blind eye’ approach to cyber law enforcement, it’s difficult to trace cyber criminals, and even more challenging to prosecute and convict them. It’s clear that enterprise cybersecurity demands have never been greater, and that protecting a business’s people, technology, and operations from cybercrime requires the input of a trusted cybersecurity advisor.

Having the right security solutions in place and building out a cyber security strategy to protect what matters most to operations needs to be a priority. Choosing the right security products can give businesses visibility and control over data and threats across public, private, and hybrid cloud environments, including data loss prevention, remote browser isolation, and zero trust network access.

It’s more important than ever to have a set of consistent data loss prevention policies that protect data in the cloud, on corporate endpoints, and on unmanaged devices, which have become more ubiquitous since the Covid-19-inspired move to remote working. That’s why it’s important for a security solution to offer seamless integration, providing a frictionless protection experience across multiple environments. Real-time database protection from external, internal, and intra-database threats should offer robust security and continuous compliance, without requiring architecture changes, expensive hardware, or downtime.

Just as machine learning is helping businesses, industries and manufacturers achieve greater productivity, so too is this technology making it easier to find and address cyber threats, ransomware, and other advanced attacks.

While South Africa may feel geographically far from some of the nations that experience the greatest number of cyberattacks, global connectivity means that local businesses are just as vulnerable as their counterparts abroad. It’s even likely that they are more vulnerable due to the perception that cyberattacks and ransomware incidents are location-based. The truth is that they are not — attacks follow the money, and attackers are slick professionals that are digital guns for hire, indiscriminate in who they target to achieve their goals.

securityfocusafrica.com


CYBER SECURITY

A comparative number of DDoS attacks: Q3 and Q4 2021 as well as Q4 2020. Data for Q4 2020 is taken as 100%

DDoS attacks hit a record high in Q4 2021

Compared to Q3 2021, the total number of Distributed Denial of Service (DDoS) attacks in Q4 shows an increase of 52%. This is 4.5 times more than the same time the previous year. These and other findings were published in the new Kaspersky DDoS attacks in Q4 2021 report.

Distributed Denial of Service (DDoS) attacks pose a huge threat to businesses and organisations that provide online services. During such an attack, cybercriminals send multiple requests to the attacked web resource with the aim of exceeding the website’s capacity to handle multiple requests and preventing the website from functioning correctly. These attacks may last several days, causing huge disruptions for organisations.

From October to the end of December 2021, Kaspersky researchers observed a massive increase in the number of DDoS attacks — a record number in the entire history of Kaspersky’s observations of this threat.

Kaspersky researchers identify several reasons for such an increased volume of attacks. Firstly, the last three months of any year are always rich in DDoS attacks. Online retail peaks due to sales and holidays, the exam period for students starts, and cyber activists generally become more active, all of which leads to an increase in the number of attacks.

Secondly, the volume of the DDoS market is inversely proportional to the cryptocurrency market. This is due to the capacity for organising DDoS and cryptocurrency mining being interchangeable — botnet owners tend to redirect the power to mining when the cryptocurrency grows, and to DDoS when it falls. This is exactly what we observed in the fourth quarter: an increase in the number of DDoS attacks against the backdrop of a sharp drop in the value of cryptocurrencies.

Most of the DDoS attacks in Q4 were reported in the United States (43.55%), China (9.96%), Hong Kong (8.80%), Germany (4.85%), and France (3.75%).

“The DDoS threat landscape is constantly changing, reflecting the current economic and social trends. We expected the growth of DDoS attacks in Q4 due to the sales season but the unstable situation in the cryptocurrency market put the DDoS landscape on another level completely, with an absolute record in the number of attacks. Relying on the trends of previous years, the first quarter of 2022 should not show a significant decrease in DDoS attacks. Thus, we urge implementing professional solutions to safeguard your organisation against DDoS attacks,” comments Alexander Gutnikov, security expert at Kaspersky.

To learn more about DDoS attacks in Q4 2021 visit Securelist.com.

To stay protected against DDoS attacks, Kaspersky experts offer the following recommendations:
• Maintain web resource operations by assigning specialists who understand how to respond to DDoS attacks.
• Validate third-party agreements and contact information, including those made with internet service providers. This helps teams quickly access agreements in case of an attack.
• Implement professional solutions to safeguard your organisation against DDoS attacks. For example, Kaspersky DDoS Protection combines Kaspersky’s extensive expertise in combating cyberthreats and the company’s unique in-house developments.
• It’s important to know your traffic. It’s a good option to use network and application monitoring tools to identify traffic trends and tendencies. By understanding your company’s typical traffic patterns and characteristics, you can establish a baseline to more easily identify the unusual activity that is symptomatic of a DDoS attack.
• Have a restrictive Plan B defensive posture ready to go. Be in a position to rapidly restore business-critical services in the face of a DDoS attack.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialised security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.co.za.



CYBER SECURITY

Four top cybersecurity threats that organisations should prepare for in 2022

One of the biggest challenges that IT departments are currently facing is making sure their cybersecurity protocols fit into existing employees’ workflows and patterns within the hybrid environment. If they don’t succeed, users may well put the company at risk by attempting to bypass critical security policies in efforts to make their remote working experiences easier.

By Bradley Pulford, Vice President & Managing Director, HP Africa.

The threat landscape is going to evolve and expand at a high pace in the year ahead. We should expect to see ransomware gangs continue putting lives at risk, the weaponisation of firmware exploits and much more. Here are four key cybersecurity trends organisations need to be prepared for in 2022.

Continued commoditisation of software supply chain attacks could result in more high-profile victims targeted

Cybercriminals are always ahead of the curve when it comes to password theft. According to PCW, 54 percent of African CEOs are very concerned about the fast-evolving nature of cyberthreats. One of the common threats targets software supply chains. SMBs and high-profile victims may be targeted. Targeting software supply chains allows ransomware threat actors to increase the scale of their attacks by accessing multiple victims through a single initial compromise.

The pandemic has shown a lot of new cybersecurity issues and companies are working diligently to ensure they are prepared for anything that comes their way in the future. The major changes include enhanced software supply chain security, transitioning to a zero-trust framework for cybersecurity and increased scrutiny of cybersecurity measures.

Ransomware gangs could put lives at risk and engage in ‘pile-ons’

Despite a community drive to ban ransomware activity from online forums, hacker groups use alternate personas to continue to proliferate the use of ransomware against an increasing spectrum of sectors, affecting the financial, utilities and retail sectors most often, accounting for nearly 60% of ransomware detections. This is according to research done by cyber company Trellix. The research highlights that South Africa is seventh on the list of countries that have experienced the greatest number of ransomware attacks, despite having only the 32nd largest gross domestic product (GDP) in the world.

Ransomware will continue to be a major risk in 2022, with victims potentially being hit more than once. The method will be akin to ‘social media pile-ons’ – once an organisation is shown to be ‘soft’ or to have paid a ransom, others will pile on to get their share of the action. In some instances, threat actors will hit a company multiple times – doubling or even tripling extortion rackets.

Ransomware operators will almost certainly intensify how they pressure victims into paying ransoms. Beyond data leak websites, attackers will use increasingly varied extortion methods, such as contacting customers and business associates of victim organisations.

Weaponisation of firmware attacks will lower the bar for entry

Firmware provides a fertile opportunity for attackers looking to gain long-term persistence or perform destructive attacks. The security of firmware is frequently neglected by organisations, with much lower levels of patching observed. In the last year we’ve seen attackers performing reconnaissance of firmware configurations, likely as a prelude to exploiting them in future attacks. Previously these types of attacks were only used by nation-state actors. In the next 12 months we can expect to see the TTPs (Tactics, Techniques, and Procedures) for targeting firmware trickle down, opening the door for sophisticated cybercrime groups to weaponise threats and create a blueprint to monetise attacks.

The lack of visibility and control over firmware security will exacerbate this issue. Certain industries, such as healthcare, where these attacks could be more probable, should start thinking about the risks posed by low-level malware and exploits.

Hybrid work will create more opportunities to attack users

The shift to hybrid work will continue to create problems for organisational security. The volume of unmanaged and unsecured devices has created a wider attack surface. Threat actors could start to target the homes and personal networks of top executives, or even government officials, as these networks are easier to compromise than traditional enterprise environments.

Phishing will remain an ever-present threat in the era of hybrid work. The line between personal and professional has been blurred, with employees using home devices for work, or corporate devices for personal tasks. This will continue, and it’s likely there will be an increase in phishing attacks targeting both corporate and personal email accounts, doubling attackers’ chances of a successful attack.

A new approach to security is needed

The rise of hybrid working and continued innovation from threat actors means 2022 has plenty of nasty surprises in store. As a result, a fresh approach to secure the future of work is required. We urge organisations to deliver protection where it is needed most: the endpoint.

Organisations should embrace a new architectural approach to security that helps to mitigate risk. This involves applying the principles of Zero Trust — least privilege access, isolation, mandatory access control and strong identity management. This approach requires resilient, self-healing hardware designed to hold its own against attacks and recover quickly when needed, while also containing and neutralising cyber-threats. For example, disposable virtual machines can be transparently created whenever the user performs a potentially risky activity, like clicking on an email attachment or link. This means any malware lurking inside is rendered harmless and allows organisations to drastically reduce their attack surface.



CYBER SECURITY

Microsoft Security delivers new multi-cloud capabilities

Microsoft is announcing new advances to help businesses strengthen visibility and control across multiple cloud providers, workloads, devices, and digital identities. These new features and offerings are designed to secure the foundations of hybrid work and digital transformation. Please find an overview of the news below and visit Microsoft’s microsite for more details.

The always complex security landscape has become increasingly so since Covid-19 kicked hybrid/remote work into high gear almost two years ago. These days, businesses are operating on a wide range of different devices, operating systems, and clouds. In these complex environments, it can be cumbersome for IT professionals to manage security and employee access across so many different platforms. Cybercriminals crave this level of complexity because they know it’s harder for IT to protect the gaps across platforms. With 92% of organisations embracing a multi-cloud strategy, the time to act is now.

Today, Microsoft shared some news to help simplify security for businesses and help eliminate gaps between platforms:

• Microsoft Defender for Cloud’s native capabilities for workload and security posture management will be extended to the Google Cloud Platform (GCP) — This adds to existing Azure and AWS capabilities, seamlessly integrating IT cloud security tools now into the world’s three biggest clouds without any dependencies on Google 1st party tools. The support for GCP comes with a simplified onboarding experience, more than 80 out-of-the-box recommendations to harden customer environments, and more.
  - Other new features include:
    ◊ New Multicloud Secure Score gives organisations a central view of their security posture across clouds, as well as for each cloud individually.
    ◊ Automatic provisioning ensures that as soon as new resources are added to the environment, threat protection is provisioned to them right away.
• CloudKnox Permissions Management enters public preview — The integration of this acquisition from July 2021 gives organisations increased visibility and control of permissions management as they augment their zero-trust postures across all the platforms they use.

These pieces of news are important steps in Microsoft’s security strategy of simplifying security for customers and protecting them wherever they are, across platforms, across devices, across clouds.

For a closer look at the news, see the blog post by Vasu Jakkal, CVP of Microsoft Security, Compliance and Identity, or visit Microsoft’s microsite to see all the details of today’s news.



OPINION PIECE

Securing the perimeter is not enough to protect your data — what happens if a bad actor is already inside?

Despite the fact that it is a decades-old exploit, phishing remains a top threat to organisations today.

By Kate Mollett, Regional Director at Commvault Africa.

Bad actors looking to steal personal information and credentials will use phishing scams because they are simple and effective, and once they have access, they can exfiltrate data and spread ransomware. Stolen credentials give bad actors authorised access to networks, and once they are inside, they can inject malware and wreak havoc. The traditional ways of securing networks, like firewalls and VPNs, are no longer enough, and securing the perimeter is challenging in a remote working, borderless world. Zero trust has become critical not only to ensure that access is authorised, but also to continually validate access to prevent bad actors with stolen credentials from infiltrating networks and deploying ransomware attacks.

Are they who they say they are?

A ransomware attack is often not the first port of call for bad actors, and it can be seen as a symptom of a bigger problem. Typically, what happens is that threat actors will gain access to a network, and then begin to infiltrate other areas of the organisation. Only once widespread access has been gained will a ransomware attack be deployed. If they gain access using stolen credentials, it may take a long time to identify the attack, by which time a significant amount of damage may already have been caused.

Think of your network as a house, and a bad actor as a contractor, like a plumber. When we need a plumber, we will verify their identity before we let them in the house. But once they have access to the house, unless we are aware of where they are and what they are doing, they may be doing damage such as stealing valuables. This is similar to a network. Just because someone has the credentials to access it does not mean they should simply be allowed in. It is essential to keep validating and monitoring the access, and to ensure that the person accessing the network is who they say they are — this is the basis of zero trust.

Multiple layers make for stronger security

In order to ensure effective security and zero trust, multiple layers need to be addressed, including user access, the architecture itself, the network and the data.

Multifactor authentication is essential for advanced login security, and on top of this, privileged access management ensures that credentials are secured and data cannot be accessed illegitimately. Least privileged access and role-based authentication with additional authorisation controls help to limit access to data. The key is to implement authentication, authorisation and then audit to continuously ensure access is restricted to people with legitimate permission.

The architecture itself also needs to be addressed, for example, by validating binaries to ensure they come from the application they claim to come from. It is also advisable to implement CIS controls to limit exposure, reduce the threat landscape and make it difficult for threats that have gained access to spread using known vulnerabilities and exploits. Addressing the architecture layer strengthens the foundation.

The data element

Zero trust is the principle of architecting a secure solution to protect networks, but data requires additional considerations. Segmentation needs to be implemented to reduce access to data, and the network topology must be controlled to protect backup data. It is also essential to have multiple copies of data, and an immutable copy of data that cannot be altered or infected, with air-gapping to ensure better protection. Finally, it is important to include monitoring and alerting to ensure that should incidents happen, they can be identified quickly, before they can cause issues.

Zero trust is the basis of effective data protection in a borderless, remote-working world, by ensuring you continuously gate and validate trust throughout data protection and access processes. To achieve this, you need a layered architecture, as well as effective application, network and authentication controls. Above all, whatever zero trust technologies and protocols are in place, your backup and protection solution needs to be complementary to this.

About Commvault

Commvault (NASDAQ: CVLT) liberates business and IT professionals to do amazing things with their data by ensuring the fundamental integrity of their business. Its industry-leading Intelligent Data Services Platform empowers these professionals to store, protect, optimise, and use their data, wherever it lives. Delivering the ultimate in simplicity and flexibility to customers, its Intelligent Data Services Platform is available as software subscription, an integrated appliance, partner-managed, and software as a service — a critical differentiator in the market. For 25 years, more than 100,000 organisations have relied on Commvault, and today, Metallic is accelerating customer adoption to modernise their environments as they look to SaaS for the future. Driven by its values – Connect, Inspire, Care, and Deliver – Commvault employs more than 2,700 highly-skilled individuals around the world. Visit Commvault.com or follow us at @Commvault.



THE LAST NEWS WORD

SECURITY, XENOPHOBIA AND THE RULE OF LAW

On 11 April 2022, President Cyril Ramaphosa, in his weekly newsletter, addressed the concerns that have been widely debated around the actions and stances adopted by Operation Dudula, an unregistered community organisation seen to be a split-off grouping from the Put South Africans First movement.

By Peter Bagshawe.

Both movements have an anti-immigrant stance, with Operation Dudula claiming to be driven by the burden placed on public health services, job opportunities and social grants due to the ‘influx of illegal immigrants’ to the disadvantage of South African citizens. Additional accusations of criminality within immigrant communities have been made by Operation Dudula leaders. Operation Dudula came to prominence after the July 2021 insurrection.

Within President Ramaphosa’s newsletter, three extracts resonated and these are quoted below.

“Attacking those we suspect of wrongdoing merely because they are a foreign national is not an act of patriotism. It is immoral, racist, and criminal. In the end, it will lead to xenophobia, whose consequences we have lived through in previous years.

“Even as we intensify our fight against crime, there is no justification for people taking the law into their own hands.

“We are a democracy founded on the rule of law.”

Xenophobia and violent attacks are not new to South Africa and the effects of xenophobia are far reaching and tragic. Between May 2013 and June 2014 there were instances of xenophobia in Cape Town, Pretoria and Port Elizabeth, targeting principally Somali nationals, that led to calls by the Somali Prime Minister for intervention and the protection of his nationals. In April 2015 there were waves of attacks against foreign nationals and their businesses that started in Durban and ran through KwaZulu-Natal and Gauteng, with Alexandra particularly affected. Malawi announced it would repatriate its nationals, which was followed by other African countries. The South African National Defence Force was deployed to Alexandra to stabilise the situation.

In October 2015, attacks targeting Pakistani, Somali, Bangladeshi and Ethiopian owned spaza shops took place over a protracted period in Grahamstown, with low levels of reaction by the South African Police Service being reported. June 2016 saw riots and looting of foreign owned businesses in Tshwane, with March 2019 marked by attacks and looting of foreign owned shops in Durban. In September 2019, widespread riots and looting took place in Johannesburg in conjunction with a nationwide strike by truck drivers protesting the local employment of non-South African drivers. This has been ongoing and has seen escalating violence, blockades of national routes, the burning of trucks and assaults on foreign drivers.

Given the sad litany of incidents referred to above, the call by the President to halt attacks on foreigners and the direct link to xenophobia is not surprising. The linking of criminality or suspected criminality in this regard seems to be directed towards allegations made by Operation Dudula of illegal immigrants being linked to criminal and gang activity. Operation Dudula often refers to the breaching of the Immigration Act by illegal immigrants in entering South Africa. In addition, the current high level of unemployment, lack of service delivery and anger at corruption are factors driving Operation Dudula and its followers.

The fight against crime (including xenophobia) was highlighted by President Ramaphosa and this needs to be looked at from two areas. Firstly, the ability of the South African Police Services to combat crime at a local, rural, or suburban level is not in line with their Mission Statement ‘To create a safe and secure environment for all people in South Africa.’ Logistics, morale, supply chain, management and allegations of corruption and manpower dictate that this cannot, despite the best efforts of many committed serving members, be achieved.

The saga of the removal from office of former National Police Commissioner General Khehla Sitole and his fractious relationship with Minister of Police Bheki Sithole has impacted on the administration of the South African Police Service. The appointment of General Sehlahle Fannie Masemola as the new National Commissioner of Police has brought in a career policeman with extensive multidisciplinary experience to head the South African Police Services and in this regard, he deserves support. The downside is that many consider his appointment as linked to his relationship with Minister Cele, with it also being regarded as an interim appointment as the National Commissioner is two years away from mandatory retirement at age 60. Should his appointment be extended, this would have to be by way of the State President obtaining special permission from Parliament for him to continue. The question that arises is how much can Masemola achieve in the period available to him?

The second aspect to be reviewed links to President Ramaphosa’s statement that our democracy is founded on the rule of law. Also on 11 April 2022, National Director of Public Prosecutions Shamila Batohi, addressing the Frederick van Zyl Slabbert Honorary Lecture at Stellenbosch University, said that the rule of law in the country is on ‘life support’. Batohi said that state capture and corruption had cost South Africa over R1.5 trillion and expanded on this by saying that South Africans could not then be blamed for protesting a lack of basic services such as water, sanitation, and basic infrastructure.

Batohi committed her department to fighting for the survival of the rule of law and has given a six-month timeline for the commencement of prosecution of those identified as involved in corruption. Here, there is a link to resources being made available to the National Prosecuting Authority from the South African Police Service, the Hawks and, in instances, other Departments of the State together with funding and manpower resources to achieve the six-month target. The Zondo Commission Reports further highlighted endemic corruption and the breakdown of the rule of law which are aligned with the aim of the National Prosecuting Authority.

The State President’s weekly newsletter was measured and targeted a situation that needed to be addressed in line with concerns raised by political parties, the media and society at large. There can be no doubt that the President was not aware of the content of the address given by the National Director of Public Prosecutions whilst the newsletter was being drafted and it is likely that the National Director of Public Prosecutions was similarly unaware of the content of the newsletter. However, having reviewed both, anomalies are apparent, and analysis shows that there is a disconnect at multiple levels within the administration.

The removal of the disconnect is essential for the administration of safety, the upholding of the rule of law and the closure of the debate around the outcome of the Zondo Commission hearings. The run up to the 55th African National Congress Elective Conference in December 2022 is likely, based on a divided organisation, to remove focus from several pressing issues that require cohesion on at least a parliamentary level, and this is a further potential bar to the closure of the gaps identified.

PETER BAGSHAWE holds a Bachelor of Law degree from the former University of Rhodesia and a Bachelor of Laws degree from the University of the Witwatersrand.



DIRECTORY

SECURITY ASSOCIATION OF SOUTH AFRICA (SASA)

ADMINISTRATION
Suite 4, Blake Bester Building, 18 Mimosa Street (cnr CR Swart Road), Wilro Park, Roodepoort
Suite 147, Postnet X 2, Helderkruin 1733
National Administrator: Tony Botes | t: 0861 100 680 | e: tony@sasecurity.co.za | c: 083 272 1373 | f: 0866 709 209
Membership, accounts & enquiries: Sharrin Naidoo | t: 0861 100 680 | e: admin@sasecurity.co.za | c: 083 650 4981

SASA OFFICE BEARERS
National President: Marchél Coetzee | c: 084 440 0087 | e: marchelcoetzee@omegasol.com
National Chairperson: Franz Verhufen | c: 082 377 0651 | e: fverhufen@thorburn.co.za
National Deputy Chairperson: Louis Mkhethoni | c: 082 553 7370 | e: louis.mkhethoni@securitas-rsa.co.za

REGIONAL OFFICE BEARERS
Gauteng: Gary Tintinger | c: 084 429 4245 | e: gary.tintinger@cwexcellerate.com
KwaZulu-Natal: Clint Phipps | c: 082 498 4749 | e: clint.phipps@cwexcellerate.com
Western Cape: Koos van Rooyen | c: 082 891 2351 | e: koos@wolfgroup.co.za

SECURITY AND RELATED ASSOCIATIONS AND ORGANISATIONS

PSIRA (Private Security Industry Regulatory Authority) Eco Park, Centurion t: +27 (0)12 003 0500/1 | Independent hotline: 0800 220 918 | e: info@psira.co.za | Director: Manabela Chauke | Chairperson: T Bopela | Vice chairperson: Z Holtzman | Council members: Advocate A Wiid | Commissioner A Dramat

APPISA (Association for Professional Private Investigators SA) Bertie Meyer Crescent, Minnebron, Brakpan | e: info@appelcryn.co.za | www.appelcryn.co.za | c: +27 (0)73 371 7854 / +27 (0)72 367 8207 | Chairperson: Ken Appelcryn

ASIS International Johannesburg Chapter No. 155. Box 99742, Garsfontein East 0060 | t: +27 (0)11 652 2569 | www.asis155jhb.webs.com | President/chairperson: Johan Hurter | Secretary: Chris Cray

ASIS International (Chapter 203: Cape Town – South African Security Professionals) President/chairperson: Yann A Mouret, CPP Secretary: Eva Nolle t: +27 (0)21 785 7093 | f: +27 (0)21 785 5089 | e: info@aepn.co.za | www.asis203.org.za

BAC (Business Against Crime) Box 784061, Sandton 2146 | t: +27 (0)11 883 0717 | f: +27 (0)11 883 1679 | e: info@bac.org.za

CAMPROSA (Campus Protection Society of Southern Africa) President: Des Ayob | e: 27149706@nwu.ac.za Executive Secretary: Derek Huebsch | e: huebsch.derek@gmail.com | www.camprosa.co.za

CISA (Cape Insurance Surveyors Association) Shahid Sonday t: +27 (0)21 402 8196 | f: +27 (0)21 419 1844 | e: shahid.sonday@saeagle.co.za | Mike Genard t: +27 (0)21 557 8414 | e: mikeg@yebo.co.za

DRA (Disaster Recovery Association of Southern Africa) Box 405, Saxonwold 2132 | Chairperson: Grahame Wright | t: +27 (0)11 486 0677 | f: (011) 646 5587 | Secretary/treasurer: Charles Lourens t: +27 (0)11 639 2346 | f: +27 (0)11 834 6881

EFCMA (Electric Fencing and Components Manufacturers Association) Box 411164, Craighall 2024 | t: +27 (0)11 326 4157 | f: +27 (0)11 493 6835 | Chairperson: Cliff Cawood c: +27 (0)83 744 2159 | Deputy chairperson: John Mostert c: +27 (0)82 444 9759 | Secretary: Andre Botha c: +27 (0)83 680 8574

ESDA (Electronic Security Distributors Association) Box 17103, Benoni West 1503 | t: (011) 845 4870 | f: +27 (0)11 845 4850 | Chairperson: Leonie Mangold | Vice chairperson: David Shapiro | www.esda.org.za

ESIA (Electronic Security Industry Alliance) Box 62436, Marshalltown 2107 | t: +27 (0)11 498 7468 | f: 086 570 8837 | c: 082 773 9308 | e: info@esia.co.za | www.esia.co.za

FDIA (Fire Detection Installers Association) Postnet Suite 86, Private Bag X10020, Edenvale, 1610 | t: +27 (0)72 580 7318 | f: 086 518 4376 | e: fdia@fdia.co.za | www.fdia.co.za | President/chairperson: Clive Foord | Secretary: Jolene van der Westhuizen

FFETA (The Fire Fighting Equipment Traders Association) Postnet Suite 86, Private Bag X10020, Edenvale 1610 | Chairperson: Belinda van der Merwe Administration manager: Rosemary Cowan | t: +27 (0)11 455 3157 | e: rosemary@saqccfire.co.za | www.ffeta.co.za

FPASA (Fire Protection Association of Southern Africa) Box 15467, Impala Park 1472 | t: +27 (0)11 397 1618 | f: +27 (0)11 397 1160 | e: library@fpasa.co.za | www.fpasa.co.za | General manager: David Poxon

GFA (Gate & Fence Association) Box 1338, Johannesburg 2000 | t: +27 (0)11 298 9400 | f: +27 (0)11 838 1522 | Administrator: Theresa Botha

HSA (Helderberg Security Association) Box 12857, N1 City Parow 7463 | t: +27 (0)21 511 5109 | f: +27 (0)21 511 5277 | e: info@command.co.za | www.command.co.za | Chairperson: Stephen van Diggele

IFE (Institution of Fire Engineers (SA)) Treasurer: Andrew Greig | President: Mike Webber | Administrator: Jennifer Maritz | PO Box 1033, Houghton 2041 | t: +27 (0)11 788 4329 | f: +27 (0)11 880 6286 | e: adminstaff@ife.org.za | www.ife.org.za

ISA (Insurance Surveyors Association) Box 405, Saxonwold 2132 | Chairperson: Graham Wright | t: +27 (0)11 486 0677 | Vice chairperson: Alan Ventress | Secretary: Alex dos Santos

LASA (Locksmiths Association of South Africa) Box 4007, Randburg 2125 | t: +27 (0)11 782 1404 | f: +27 (0)11 782 3699 | e: lasa@global.co.za | www.lasa.co.za | President/chairperson: Alan Jurrius | Secretary: Dora Ryan

NaFETI (National Firearms Education and Training Institute) Box 181067, Dalbridge 4014 | Chairperson: MS Mitten | Vice chairperson: Ken Rightford | t: +27 (0)33 345 1669 | c: +27 (0)84 659 1142

NaFTA (National Firearms Training Association of SA) Box 8723, Edenglen 1613 | National chairperson: Peter Bagshawe | t: +27 (0)11 979 1200 | f: +27 (0)11 979 1816 | e: nafta@lantic.net

POLSA (Policing Association of Southern Africa) t: +27 (0)12 429 6003 | f: +27 (0)12 429 6609 | Chairperson: Anusha Govender c: +27 (0)82 655 8759

PSSPF (Private Security Sector Provident Fund) Jackson Simon c: +27 (0)72 356 6358 | e: jackson@psspfund.co.za | www.psspfund.co.za

SAESI (Southern African Emergency Services Institute) Box 613, Krugersdorp 1740 | t: +27 (0)11 660 5672 | f: +27 (0)11 660 1887 | President: DN Naidoo | Secretary: SG Moolman | e: info@saesi.com

SAFDA (South African Fire Development Association) 45 Oxford Road, Forest Town, Johannesburg | e: info@safda.net | t: 083 402 4002

SAIA (South African Insurance Association) Box 30619, Braamfontein 2017 | Chief executive officer: Viviene Pearson | Chairperson: Lizé Lambrechts t: +27 (0)11 726 5381 | f: +27 (0)11 726 5351 | e: info@saia.co.za

SAIDSA (South African Intruder Detection Services Association) | Association House, PO Box 17103, Benoni West 1503 | t: +27 (0)11 845 4870 f: +27 (0)11 845 4850 | e: saidsa@mweb.co.za www.saidsa.co.za | Chairperson: Johan Booysen Secretary: Cheryl Ogle

SAIS (South African Institute of Security) Postnet Suite 86, Private Bag X10020, Edenvale, 1610 Chairperson: Dave Dodge | Administration manager: John Baker | t: +27 (0)63 782 7642 | e: info@instituteofsecurity.co.za | www.instituteofsecurity.co.za

SAN (Security Association of Namibia) Box 1926, Windhoek, Namibia | Administrator: André van Zyl | t: +264 81 304 5623 | e: adminsan@iway.na

SANSEA (South African National Security Employers’ Association) Box 62436, Marshalltown 2107 | Administrators: SIA t: +27 (0)11 498 7468 | f: 086 570 8837 | e: galen@sansea.co.za

SAPFED (Southern African Polygraph Federation) President: Flip Vorster | c: +27 (0)82 455 1459 | e: info@sapfed.org | Secretary: Anrich Gouws | e: admin@sapfed.org | www.sapfed.org

SAQCC FIRE (South African Qualification Certification Committee) Postnet Suite 86, Private Bag X10020, Edenvale 1610 | t: +27 (0)11 455 3157 | www.saqccfire.co.za Executive Committee: Chairperson: Duncan Boyes Vice chairperson: Tom Dreyer 1475 Committee: Chairperson: Lizl Davel Vice chairperson: John Caird D&GS Committee: Chairperson: Nichola Allan; Vice chairperson: Clive Foord General Manager: Rosemary Cowan | e: rosemary@saqccfire.co.za – Address, phone and website all remain as is.

SARPA (South African Revenue Protection Association) Box 868, Ferndale 2160 | t: +27 (0)11 789 1384 | f: +27 (0)11 789 1385 | President: Naas du Preez | Secretariat: Mr J. Venter, Van der Walt & Co

SIA (Security Industry Alliance) Box 62436, Marshalltown 2107 | t: +27 (0)11 498 7468 | Chief executive officer: Steve Conradie | www.securityalliance.co.za

SKZNSA (Southern KwaZulu-Natal Security Association) t: +27 (0)39 315 7448 | f: +27 (0)39 315 7324 | Chairperson: Anton Verster c: +27 (0)82 371 0820

VESA (The Motor Vehicle Security Association of South Africa) Box 1468, Halfway House 1685 | t: (011) 315 3588/3655 | f: +27 (0)11 315 3617 | General manager: Adri Smit

VIPPASA (VIP Protection Association of SA) Box 41669, Craighall 2024 | t: +27 (0)82 749 0063 | f: 086 625 1192 | e: info@vippasa.co.za | www.vippasa.co.za | Enquiries: Chris Rootman c: +27 (0)82 749 0063 | e: vippasa@protectour.co.za

* Every attempt has been made to keep this information up to date. If you would like to amend your organisation’s details, please email jackie@contactpub.co.za



INDEX

INDEX OF ADVERTISERS AND CONTRIBUTORS
April 2022

ADVERTISER | PAGE | WEBSITE
ALCO-safe | 27 | www.alcosafe.co.za
+OneX | 24 | +OneX
CITASA | 16-18 | Email: alicem@citasa-sa.co.za / Grantc@citasa-sa.co.za
Commvault | 39 | Commvault.com
Entersekt | 23,26 | www.entersekt.com/
Fidelity Cash Management | 16-18 | fidelity-services.com/our-products-services/fidelity-cash-solutions/
GSS | 4 | www.gssgroup.co.za
HP Africa | 36 | http://www.hp.com
ISS | 20 | www.isssafrica.org
Kaspersky | 21 | www.kaspersky.com
Lowers Risk Group | 16-18 | www.lowersriskgroup.com
SBV | 16-18 | www.sbv.co.za
Security Association of South Africa (SASA) | 8, IBC | www.sasecurity.co.za



DRIVING COMPLIANCE in South Africa’s Private Security Industry

With a five-decade legacy, SASA is the greatest advocate of industry compliance, serving as a resource for its members, an educational platform for consumers of security services, and an essential link between the private security industry and government. The Security Association of South Africa (SASA) is nationally recognised by the Government, South African Police Service and all Municipalities as having members with a proven track record within the industry and a Code of Ethics by which members must abide. SASA Gold Membership promotes compliance not only to the industry role-players, but to the end-users of security services as well. Join SASA today and find out more about how we can fight the scourge of non-compliance, promoting SASA Gold Membership as an essential requirement for all security service providers, ensuring industry excellence for the private security industry.

For more information, contact the SASA Administrator on admin@sasecurity.co.za Postal Address: Suite 147, Postnet X2 Helderkruin, 1733. Tel: 0861 100 680 Fax: 086 670 9209

www.sasecurity.co.za

