Cybercrime dethrones load-shedding as top threat to South African businesses

Germany-based financial services firm Allianz says cybercrime has overtaken load-shedding and political instability as the top concern for businesses in South Africa.

According to the Allianz Risk Barometer 2025, cybercrime dominates industry concerns across various sectors, and it says recent incidents affecting Cell C and the South African Bureau of Standards (SABS) could have been prevented.

“Cyber is the top risk across North and South America, Europe, and Africa,” says Allianz.

“More importantly, it now ranks as the number one risk in South Africa, overtaking long-standing issues like load-shedding and political instability.”

The firm highlights two recent, high-profile cyberattacks on Cell C and the SABS.

“Both incidents have raised serious questions about compliance, cybersecurity readiness, and whether these attacks could have been prevented,” it says.

In December 2024, Cell C confirmed that it had experienced a significant cybersecurity incident, during which customer data, including ID numbers, banking details, and passport information, was compromised and leaked on the dark web.

The SABS was the victim of a ransomware attack that paralysed its systems in November 2024. More concerning is that it was revealed in February 2025 that core systems were still encrypted and inaccessible.

The incident marked the third cyberattack on the SABS in the past five years.

Herman Stroop, lead ISO specialist at World Wide Industrial and System Engineers, said both incidents were preventable.

“Neither Cell C nor SABS were ISO/IEC 27001 certified — a globally recognised standard for information security management,” he says.

“This standard isn’t just a technical checklist. It’s a framework that forces an organisation to understand its vulnerabilities, assess its risks, and apply controls that address these risks in a structured, auditable way.”

The ISO/IEC 27001 standard prioritises confidentiality, integrity, and availability, which comprise the foundation of information security in the modern age.

The standard requires companies to carry out ongoing risk assessments, implement technical controls and policies, and consistently monitor and update their defences.

Cell C and the SABS dropped the ball

Stroop says the absence of such a system at Cell C and the SABS could suggest a lack of strategic commitment from leadership within the organisations.

“Cybersecurity is wrongly seen as an IT issue. Top management often fails to view it as a core business risk, resulting in underinvestment in preventative frameworks like ISO/IEC 27001,” he said.

Stroop highlights non-compliance and poor enforcement of regulations as a key challenge in South Africa.

While policies and laws such as the Protection of Personal Information Act (POPIA) and Minimum Information Security Standards (MISS) provide clear expectations, many organisations ignore or delay compliance.

“The irony is that prevention is far cheaper than remediation,” he says.

“In many cases, organisations suffer reputational damage, legal liability, and operational downtime that far exceed the cost of implementing an ISO-compliant Information Security Management System.”

Stroop says Cell C’s and the SABS’ communications regarding their respective incidents are examples of poor transparency, with the organisation providing vague details on the attacks and their responses.

He indicated that this could result from these companies not being ISO-certified.

“When an organisation isn’t ISO-certified, it usually doesn’t have the documentation, procedures or incident response plans to respond properly — let alone communicate clearly — during a breach,” Stroop says.

South Africa’s Information Regulator’s data shows that between 150 and 300 cybersecurity incidents are reported each month.

However, many go unreported due to reputational fears and over POPIA compliance concerns.

Stroop believes the ISO 27001 standard should be mandatory for public institutions and critical infrastructure operators in South Africa.

“Without minimum compliance levels, we’re just waiting for the next disaster. It’s not a matter of if, but when,” he said.