One threat bigger than load-shedding in South Africa

Cybercrime is on the rise in South Africa, and many local companies are unprepared for the significant threat it poses to organisations and consumers.

The most recent Allianz Risk Barometer for 2025 showed that cybercrime has become the single biggest threat to businesses worldwide.

The report explained that cyber incidents, including ransomware attacks, data breaches, and IT outages, are now the top global business risk, marking their fourth consecutive year at the top. 

A decade ago, only 12% of global respondents cited cyber as a major concern. In 2025, that number surged to 38%.

“Cyber is the top risk across North and South America, Europe, and Africa, dominating industry concerns from aviation to legal services,” Allianz said. 

“More importantly, it now ranks as the number one risk in South Africa, overtaking long-standing issues like load-shedding and political instability.”

Allianz explained that this concern is not just theoretical, citing recent high-profile cyberattacks on two major South African organisations – Cell C and the South African Bureau of Standards (SABS).

“Both incidents have raised serious questions about compliance, cybersecurity readiness, and whether these attacks could have been prevented,” it said.

In December 2024, Cell C confirmed that it had suffered a major ransomware attack involving sensitive unstructured customer data, including ID numbers, bank details, driver’s licences, medical records and passport information.

This data was compromised and later leaked on the dark web. Cell C issued follow-up communication to customers in early January 2025. 

However, the eight-day delay between public disclosure and customer notification drew criticism.

The SABS breach followed a similar pattern, as ransomware paralysed the organisation’s systems in November 2024, with clients being informed on 26 November. 

“Shockingly, it was later revealed in Parliament that, by February 2025, core systems remained encrypted and inaccessible. This marked the third cyberattack on the SABS in just five years,” Allianz pointed out.

Preventable risks

The World Wide Industrial & Systems Engineers’ lead ISO specialist, Herman Stroop, said both attacks were entirely preventable.

“Neither Cell C nor SABS were ISO/IEC 27001 certified – a globally recognised standard for information security management,” he explained. 

“This standard isn’t just a technical checklist. It’s a framework that forces an organisation to understand its vulnerabilities, assess its risks, and apply controls that address these risks in a structured, auditable way.”

The ISO/IEC 27001 standard focuses on Confidentiality, Integrity, and Availability, which form the foundation of modern information security. 

Stroop explained that it requires organisations to conduct ongoing risk assessments, implement policies and technical controls, and continuously monitor and update these defences in response to emerging threats.

He added that the absence of such a system is often due to a lack of strategic commitment from leadership. 

“Cybersecurity is wrongly seen as an IT issue,” he explained. “Top management often fails to view it as a core business risk, resulting in underinvestment in preventative frameworks like ISO/IEC 27001.”

He said one key challenge in South Africa is poor enforcement of existing regulations, including the Protection of Personal Information Act (POPIA) and Minimum Information Security Standards.

These regulations lay out clear expectations for information governance, yet Stroop said many organisations either ignore or delay compliance due to a perceived lack of consequences.

“The irony is that prevention is far cheaper than remediation,” he said. Following a cyberattack, organisations often suffer reputational damage, legal liability, and operational downtime.

Stroop said these consequences far exceed the cost of implementing an ISO-compliant Information Security Management System.

Corporate transparency

Stroop further slammed Cell C and SABS’ handling of their attacks, saying they provide examples of poor transparency. “Details about the nature of the attacks and how they were handled remain vague,” he said. 

“When an organisation isn’t ISO-certified, it usually doesn’t have the documentation, procedures or incident response plans to respond properly – let alone communicate clearly – during a breach.”

The Information Regulator previously reported that South Africa sees between 150 and 300 cyberattacks each month – and that’s just the reported incidents. 

Many incidents go unreported due to reputational fears or because organisations are not compliant with POPIA and fear investigation.

Stroop argued that ISO 27001 should be mandated for public institutions and critical infrastructure operators. 

“Without minimum compliance levels, we’re just waiting for the next disaster. It’s not a matter of if, but when,” he said.

There has been some progress on this front. Certain insurance providers are beginning to offer premium reductions for ISO-certified organisations, and some major corporate clients also now demand vendor certification. 

“It’s becoming a market differentiator. Organisations serious about protecting their data and reputation cannot afford to ignore ISO 27001 any longer,” Stroop said.

“In a digital age where the threat landscape evolves daily, being unprepared is no longer an option.”
