South African companies continue to suffer cybercrimes, with many only introducing preventative measures after it is too late.

Cybercrimes have increased in recent years, and private and public companies in South Africa have been targeted.

For instance, the Department of Justice and Constitutional Development was hit by a ransomware attack in 2021.

To make matters worse, the Information Regulator recently gave the Department a R5 million fine for not renewing its antivirus software, which would have flagged the attack.

Aon South Africa’s 2023 Cyber Risk Survey for South Africa has thus provided insight into the cyber practices used by South African companies in many market segments.

“The survey offers commentary on the future direction of cybersecurity, given the rapidly evolving manner of the risk, its solutions and legislative policies, to provide forward-looking guidance to businesses from a South African perspective,” said Zamani Ngidi, Cyber Solutions Senior Client Manager at Aon.

The survey found the following:

• 22% of respondents suffered a cyber incident in the past five years.

• Furthermore, 67% of participants deploy a cyber risk management tool.

• Only 50% of respondents have a board-level cyber champion.

• 72% of participants purchase cyber insurance.

However, one of the biggest concerns expressed by Aon was that companies are likely to only strengthen their cyber security following a cyber incident.

“We question whether companies that have suffered a cyber-attack would have better cyber risk management practices in place than those who did not suffer an attack,” said Zamani.

“The findings in the survey show that of the 22% of respondents that have suffered a cyber-attack, all subsequently have the full stack of cyber-related covers and tools in place as opposed to their counterparts, with less than 50% uptake on mitigation controls.”

The survey also showed that only 43% of South African companies with revenue less than R100 million have a cyber risk management tool, compared to the 80% for companies with over R100 million in revenue.

“It points to two possible scenarios, where smaller companies are finding the cost of proactive risk management too high, or it could point to a perception that the risk is only reserved for companies with a higher revenue bracket,” Ngidi added.

Read: New government surveillance laws for South Africa are coming