Theft prevention
Theft Incident Response Playbook for South African SMEs
What to do in the first 24 hours after theft or fraud in your business: containment, evidence, reporting, legal process, and recovery actions.
#incident response
#fraud response
#theft reporting
#saps
#south africa
#business continuity
Theft Incident Response Playbook for South African SMEs
When theft happens, the first 24 hours determine whether losses escalate or stabilize. Most businesses lose more in poor response than in the original event.
First 2 Hours
- Stop ongoing loss (freeze affected access/accounts).
- Preserve evidence (CCTV, logs, receipts, emails).
- Record incident timeline while fresh.
- Notify owner/leadership response team.
2 to 8 Hours
- Contact bank fraud team where payment theft risk exists.
- Open SAPS case for criminal incidents.
- Notify insurer and check policy reporting deadlines.
- Restrict internal communications to factual updates.
8 to 24 Hours
- Start root-cause review (control failure mapping).
- Implement immediate control patches.
- Prepare staff/customer communication where needed.
- Define recovery owners and deadlines.
Evidence Pack Checklist
- CCTV exports with timestamps
- Transaction and audit logs
- Supplier/customer communications
- Staff statements
- Loss estimate and affected assets list
Post-Incident Recovery
- Update SOPs and approval workflows.
- Retrain staff on revised controls.
- Increase monitoring on risk points for 90 days.
- Run management post-mortem with measurable actions.
Disclaimer: Legal reporting and disciplinary procedures must comply with SA law and internal policy. Use professional advice for high-value or sensitive incidents.