Cybersecurity in South Africa: 3 Tipping Point Moves for Big Business
Cybercrime is expected to cost the world $10.5 trillion annually by the end of this year. It’s an almost unimaginable amount of money, and surely not a cost businesses can continue to bear for very long.
In 2023, South Africa ranked among the three most targeted African countries for cyberattacks, according to a report by Kaspersky. Top of the list were ransomware attacks targeting critical infrastructure and financial services.
Cell C’s recent announcement that data compromised in a cybersecurity incident in January this year has since been unlawfully published by the RansomHouse group throws into stark relief just how serious the problem is. There is clearly an urgent need for far stronger cyber risk mitigation within every business in South Africa.
At the time of the breach, Cell C was quick to reassure its clients that it had taken “immediate action to contain the issue” and had engaged cybersecurity experts to assist with its investigation.
The fact that, a scant three months later, RansomHouse went ahead and released the stolen data anyway shows that containment after the fact has limits: the time to engage cybersecurity expertise is before a breach, not afterwards.
That is especially true when you consider that the average cost of a single breach in South Africa is just shy of R54 million.
Of course, Cell C is only one in a line of big businesses in South Africa to have been hit with a cyber-attack in recent years.
In June 2022, RansomHouse claimed responsibility for an attack on Shoprite, which compromised customer data (mainly ID numbers) in Eswatini, Namibia and Zambia. A year earlier, Transnet was targeted and ended up declaring a force majeure.
The worrying thing is, it’s not just big corporates falling victim to attacks. Cybercriminals frequently hit smaller businesses, knowing their security measures are likely to be less stringent than those of larger companies with bigger budgets.
Last year, UK-based cybersecurity firm Sophos estimated almost 70% of all South African companies had been hit by a ransomware attack in 2023. Of these, three-quarters resulted in data being encrypted.
The masterminds behind the attacks are often appropriately referred to as phantoms. Unless a criminal group claims responsibility, we very seldom know who or where the attackers are. Capitalising on the easy anonymity of our highly digitised life, cybercriminals operate through encrypted channels from anywhere in the world they choose. It’s an impersonal crime with a terrifying and crippling impact.
Only a few years ago, cash in transit heists were the lucrative crime du jour, but the risks and logistics became increasingly challenging as businesses began fighting back. The internet is far quicker, easier and more rewarding.
It’s also extremely accessible.
Where cybercrime might have started out as an “IT specialists’ thing,” it has increasingly become the playground of organised criminals looking for far bigger payouts than they could ever realistically hope to achieve in “the real world.”
Cybercrime is no longer an IT problem; it’s become a business-wide issue that needs the buy-in and commitment of every part of the business – and every employee in it – to solve.
As the current holder of the G20 presidency, South Africa is under considerable pressure to get its internal ducks in a row and show itself as a world-leading digital economy. But in the light of our ongoing battle with cybercriminals, have we bitten off more than we can chew?
“South Africa is a significant role player in digital connectivity on the continent,” says Trisha Govender, Manager: MANCOSA School of Information and Digital Technology (SIDT). “However, we are one of the most targeted countries in the world in terms of cybercrime.”
She believes that while South Africa has a legal framework that can deal with cyber risks in theory, it is not agile enough to keep pace with evolving threats.
“South Africa has a strong tech ecosystem, growing AI and fintech sectors, and government-led digital initiatives; however, its cybersecurity infrastructure is too weak to support a globally competitive tech economy,” she says.
So, what needs to change?
It’s clear there’s an urgent need for significant investment, by government and business, in ongoing cybersecurity education. Companies also need to put the right incentives in place to attract, and more importantly, retain, the relevant skilled professionals.
Govender also believes that “The Government needs to mandate cybersecurity compliance for critical infrastructure and industries, and we must improve government-business cybersecurity collaboration.”
All of which sounds great, but it’s very unlikely to happen within the next year or so, perhaps longer. In the meantime, your business – and mine – faces the daily threat of a potential cyber-attack.
Fortunately, there are high-impact, tipping point moves company executives can make immediately to help protect their businesses.
These are three of the most critical:
Board-Level Cyber Governance
Research shows that 80% of company boards are unaware that accountability for cyber risk rests with them – even when this function is outsourced.
Cybersecurity strategy must be elevated from a purely technical issue to a business risk issue, on a par with financial, operational, compliance, reputational or strategic risks.
Effective cyber governance means the board must understand its organisation’s cyber risk posture, actively engage in cybersecurity discussions, and ensure appropriate resources and strategies are in place.
Investing in People (Not Just Tech)
No matter how much you invest in tech solutions, human error remains a factor in the majority of successful cyber-attacks. Recent research puts the figure at as much as 68%.
Human beings are always going to be the weakest link in the cybersecurity chain. Most often, errors occur as a result of one of two issues: skills-based errors (when people doing routine things become bored or distracted) or knowledge-based errors (when a less-experienced employee makes a mistake – like clicking on a link in an email from an unknown contact – because they lack knowledge or don’t follow specific rules).
The good news is, if people are the first line of attack, they can also be the first line of defence.
Fostering a culture of security awareness is key. When everyone understands their role in protecting data – and has been given access to the right training and awareness programmes – common attacks like phishing and social engineering are more easily thwarted.
Third-Party Risk Management
Worryingly, a high proportion of data breaches come through third parties, particularly supply chains. In fact, recent reports claim supply chain cyber-attacks have grown by over 300% since the Covid pandemic.
Larger and more complex businesses often don’t have a full view of their supply chains, making them more susceptible to this kind of attack.
The fundamentals are straightforward:
- Assess all vendors before onboarding – security ratings give you near-instant visibility into the external security posture of a potential vendor, where “old school” questionnaires take weeks. Bear in mind that ratings only reflect what is observable from the outside, so for critical vendors they complement, rather than replace, evidence of internal controls.
- Incorporate cyber risk into your vendor contracts. This won’t prevent a third-party data breach, but it does hold your vendors accountable if their security posture weakens.
- Continuously monitor vendors for security risks. Security postures change over time, so keep a regular eye on their controls rather than relying on a one-off assessment at onboarding.
Facing cyber security as a whole business risk can feel scary and intimidating, but if you only focus on the tech side of things, you’re ignoring half the problem.
Following the simple guidelines I’ve outlined above is a great way to start, and if you’d like to know more about employee risk training, please get in touch.