Underfunding of critical cyber defences is leaving South African organisations exposed to increasingly damaging cyberattacks. New research has found that 97% of South African organisations say they have been negatively impacted by a lack of budget for their cyber resilience efforts.

The latest Mimecast State of Email Security 2022 report, which tracks responses from 1 400 IT and cybersecurity professionals in 12 countries, found that South African organisations allocate on average 12% of their IT budgets to cyber resilience — below the global average of 14%.

While this may not seem like a big difference, what is interesting is that more than half of South African respondents (53%) have less than 10% of their budget allocated to cyber resilience, compared to only a third (34%) saying the same globally.

Access the full report and view the South African briefing here

On average, South African security professionals say they need a 21% budget allocation to enable them to ward off incoming cyberattacks and other threats — especially at a time when nearly all cyberattack types are growing in volume and sophistication.

SA firms face escalating cyberattacks

“Ninety-four percent of South African companies have been targeted by an e-mail-related phishing attack in the past year, with nearly two-thirds citing an increase in such attacks,” says Brian Pinnock, cybersecurity expert at Mimecast. “The cost of ransomware attacks is also piling up, with three in five organisations (60%) citing damage from a ransomware attack — up from less than half (47%) in 2020. And of companies paying the ransom, the average ransomware payment reached R3.2-million (Mimecast State of Ransomware Readiness report), despite nearly half (43%) of such payments resulting in companies being unable to recover their data.”

The impact of successful cyberattacks on South African organisations can be severe, affecting productivity, taking critical systems offline, damaging trust with customers and leading to loss of reputation. To protect against attack, 89% of companies either have a cyber resilience strategy or are actively planning to put one in place.

Lack of cyber resilience hurting companies

However, the goal posts for true cyber resilience have moved just as the volume and sophistication of attacks have changed, says Pinnock. “Only a third of organisations we surveyed stated they currently have an effective cyber resilience strategy in place, down from 41% in 2021. This points to growing recognition that corporate cyber resilience is often not keeping pace with the tools and techniques used by threat actors.”

The costs of a lack of cyber resilience preparedness are mounting: nearly half (49%) of organisations experienced business disruption due to a lack of preparedness, 48% experienced data loss and 42% saw an impact to employee productivity.

Cybersecurity conversation must enter boardroom

“There is an important conversation to be had in the boardrooms of corporate South Africa,” says Pinnock. “Without adequate budget allocation, our public and private sectors will continue to be vulnerable to attack, at great cost to organisations and their customers.”

Pinnock points to the extensive downtime suffered by South African victims of cyberattacks over the past year as a motivating factor for assigning additional budget towards cyber defences. “Companies that fell victim to a ransomware attack suffered an average of nearly 11 days of downtime, with one in 10 reporting downtime of more than three weeks. In our current economic environment, that amount of downtime can be crippling to organisations.”

Cyber resilience strategies are also meant to provide continuity in the event of service outages. “Our research found that nearly two-thirds (64%) of Microsoft 365 users have experienced an outage in the past year, while nearly all (93%) feel that additional safeguards are needed to protect their Microsoft 365 applications.”

Positive impact expected from government mandates

New government mandates for cyber resilience — such as those contained in legislation including Popia and the Cybercrimes Act — are expected to have a significant impact on organisations’ cyber resilience. Of all the countries surveyed, South African respondents expect the greatest change. Forty-six percent of organisations believe they will see an overall improvement in the level of cybersecurity in their business because of government mandates, while 36% expect a decrease in risk of cyberattacks impacting their business.

“Safeguarding South African organisations against the rising tide of cyberattacks requires greater commitment to cyber resilience from the board and executive levels all the way through the organisation,” says Pinnock. “Allocating adequate budgets, implementing effective technologies and controls, and instilling a culture of cyber awareness throughout the organisation all build towards greater cyber resilience and can help companies prevent and recover faster from cyberattacks. In light of the continued global instability and increasingly disruptive business environment, organisations will need to urgently address shortcomings in their cyber resilience efforts – or risk suffering devastating consequences.”