South African Businesses Are Underestimating Cyber Risks

by Kim K
South African companies face rising cyber-attacks, with experts warning the real threat is far higher than reported. WWISE MD Muhammad Ali calls for stronger governance, zero-trust security and ISO 27001 adoption.

South African companies face an alarming volume of cyber threats, yet experts believe the actual scale is far higher than reported. Check Point Software Technologies recorded an average of 2 113 weekly attacks in July 2025, but regulators say the real number is likely far greater.

Reported incidents don’t reflect the true threat level

The Information Regulator received only 2 374 incident reports for the entire 2024/25 financial year. This mismatch suggests that most cyberattacks go unreported or undetected. Mukelani Dimba, the regulator’s executive for education and communication, says the gap highlights how incomplete the national picture still is.

Muhammad Ali, managing director of World Wide Industrial & Systems Engineers (WWISE), says businesses remain dangerously underprepared. He highlights a trend in which cybercriminals target smaller third-party suppliers to gain access to larger corporate networks. “Most vulnerabilities arise from delays in applying security patches. Spear phishing is still the biggest threat when attackers use realistic, personalised tactics.”

Major breaches reveal weak national preparedness

South Africa has already experienced several large-scale breaches, including the exfiltration of around 2 terabytes of data from a mobile network operator and a breach at a major property group that exposed sensitive client information. Ali says many businesses still overlook recovery readiness. “Backup integrity and disaster recovery sites are vital. Simulation tests are the only way to know you can manage an incident. It’s not if you’ll get attacked – it’s when.”

Cybersecurity must be seen as a strategic investment

Ali says cyber resilience must shift from a compliance exercise to a long-term strategic priority. He believes leaders need simplified education supported by live demonstrations to understand the financial and reputational impact of a breach.

Human behaviour remains the most significant vulnerability. Ali says short, engaging awareness programmes work best. “Training must be relevant and interactive. Campaigns should also cover personal online safety because risky behaviour often starts outside the workplace.”

AI, IoT and emerging tech demand structured governance

With AI, automation and the Internet of Things expanding the threat landscape, Ali stresses the importance of international standards. ISO/IEC 27001 for information security and ISO/IEC 42001 for AI management help organisations build risk-aware governance and continuous improvement.

He notes that adoption in South Africa remains low due to concerns about cost or complexity. A qualified consultant, however, can guide implementation and reduce administrative pressure.

Ali says companies should only work with auditors registered with bodies such as the South African Auditor & Training Certification Authority or the Chartered Quality Institute | IRCA. “Think of cybersecurity like insurance. It protects your most valuable assets.”

A zero-trust approach is essential

Ali urges business leaders to start with awareness sessions for executives and boards. They should then adopt a process-based approach supported by industry expertise.

“Don’t trust anyone,” he says. “Scan backups for malware, verify integrity, and test disaster recovery systems. ISO 27001 certification reduces cyber insurance costs, boosts customer confidence and remains the leading assurance standard for corporates.”
