'Cybercrime ranks as No 1 risk in SA, overtaking long-standing issues': expert

Cybercrime now ranks as the No 1 risk in South Africa, overtaking long-standing issues including load-shedding and political instability.

According to the Allianz Risk Barometer 2025, cyber-incidents — including ransomware attacks, data breaches and IT outages — are now the top global business risk, marking their fourth year at the top. 

A decade ago, only 12% of global respondents cited cybercrime as a major concern. In 2025, that surged to 38%.

“Cyber is the top risk across North and South America, Europe and Africa, dominating industry concerns from aviation to legal services,” said Allianz.

Cell C suffered a major ransomware attack in December 2024, exposing sensitive customer data such as ID numbers, bank and medical details, and passports, which were later leaked on the dark web. Similarly, the SABS faced a ransomware attack in November 2024. By February 2025, its core systems were still encrypted — marking the third cyberattack on the organisation in five years.

Herman Stroop, lead ISO Specialist at WWISE, a leading ISO standards and systems implementation consultancy, believes both breaches were entirely preventable.

“Neither Cell C nor SABS were ISO/IEC 27001 certified — a globally recognised standard for information security management. This standard isn't just a technical checklist. It's a framework that forces an organisation to understand its vulnerabilities, assess its risks, and apply controls that address these risks in a structured, auditable way,” he said.

The ISO/IEC 27001 standard focuses on confidentiality, integrity and availability — the foundation of modern information security. It requires organisations to conduct ongoing risk assessments, implement policies and technical controls, and continuously monitor and update these defences in response to emerging threats.

According to Stroop, the absence of such a system is often due to a lack of strategic commitment from leadership. 

“Cybersecurity is wrongly seen as an IT issue. Top management often fails to view it as a core business risk, resulting in underinvestment in preventive frameworks like ISO/IEC 27001,” he said.

Further Stroop said that poor enforcement of existing regulations is a key challenge in South Africa.

He said while the Protection of Personal Information Act (Popia) and Minimum Information Security Standards (Miss) lay out clear expectations for information governance, many organisations either ignore or delay compliance due to a perceived lack of consequences.

“The irony is that prevention is far cheaper than remediation. In many cases, organisations suffer reputational damage, legal liability and operational downtime that far exceed the cost of implementing an ISO-compliant Information Security Management System,” Stroop said.

He believes that Cell C and SABS also provide examples of poor transparency as details about the nature of the attacks and how they were handled remain vague. 

“When an organisation isn’t ISO-certified, it usually doesn’t have the documentation, procedures or incident response plans to respond properly — let alone communicate clearly — during a breach,” said Stroop.

According to the Information Regulator, South Africa sees between 150 and 300 cyberattacks reported each month — and that’s just the reported incidents. Many go unreported due to reputational fears or because organisations are not compliant with Popia and fear investigation.

Stroop believes that ISO 27001 should be mandated for public institutions and critical infrastructure operators.

“Without minimum compliance levels, we're just waiting for the next disaster. It’s not a matter of if but when.”

However, he said some insurance providers are beginning to offer premium reductions for ISO-certified organisations, while major corporate clients now demand ISO 27001 certification from vendors. 

“It’s becoming a market differentiator. Organisations serious about protecting their data and reputation cannot afford to ignore ISO 27001 any longer.”

TimesLIVE