Internet Security
As geopolitical conflict escalates in the Middle East, driving up fuel prices among many other issues, South African cyber networks have become particularly vulnerable to hacking. What does this mean for your network connection, data protection and your company?
Following its arrival in South Africa earlier this year, US cybersecurity company Palo Alto Networks aims to provide secure networks and job opportunities to combat unemployment and the skills gap.
The company’s regional director for Southern Africa, Justin Lee, says that its Unit 42 threat intelligence team is tracking a surge in hacktivist activity and phishing campaigns in the conflict’s wake, with ripple effects reaching well beyond the region.
‘A breach every three hours’
Lee says that organisations in South Africa are breached every three hours and that 90% of these cyberattacks are preventable.
“Globally, the time between a network intrusion and data theft has dropped to around 72 minutes, down from 285 minutes in 2024.”
Acknowledging the country’s significant strides in digital governance, including the acceleration towards the Cabinet-approved centralised MyMzansi platform, he points out that the attack surface grows just as rapidly as digital ambitions do.
Unit 42, Palo Alto Networks’ threat intelligence division, has investigated over 750 major incidents across 50 countries, and its research suggests that the primary drivers of breaches are not sophisticated techniques.
“In 87% of investigated cases, responders had to piece together evidence from two or more separate systems, meaning fragmented defences, not novel techniques, are enabling most attacks.”
Interpol reports show that cybercrime costs South Africa around R2.2 billion every year, and the Information Regulator currently receives around 284 breach notifications a month.
Complexity
According to Lee, most organisations in South Africa have significantly invested in cybersecurity; however, the problem is that those investments have made things more complicated, not more secure.
“Complexity is the enemy of speed, and right now, complexity is winning.”
The 2026 Unit 42 incident response report identifies a common trend among nation-state actors: moving beyond espionage to prepositioning within critical infrastructure and establishing footholds that can be activated later. This poses a strategic risk to ports, utilities and transport networks, especially for a logistics hub like South Africa. The urgency is compounded by a shift in global threat patterns.
“We are seeing actors target the operational technology layers of critical infrastructure.”
Lee says that a fragmented security architecture simply cannot provide the required protection to prevent these breaches.
“These environments often rely on older systems that cannot be easily patched. Securing them requires visibility not just across the IT network, but deep into the industrial control systems that manage essential services.”
“However, with more than nine in ten breaches stemming from preventable gaps, the path forward is clearer than the scale of the problem might suggest,” Lee concluded.
Phishing and Fragmented Defences
Phishing campaigns are attacks that attempt to steal sensitive information, usually usernames, passwords, credit card numbers and even banking details. According to Lee, South Africa is particularly exposed after organisations recorded a 60% increase in data breaches in 2025.
Fragmented defences leave gaps in networks that are open to exploitation. Companies are operating with only two-thirds of their cybersecurity roles filled, with one-third of these roles open or “unfilled”. Attempting to manage 57 security tools across 16 vendors is not feasible, leaving room for attackers to get in.
“With nearly two-thirds of cybersecurity roles currently unfilled, small teams are already stretched thin. In the public sector, fragmented procurement cycles across more than 20 disparate statutes have made consolidation harder still,” Lee says.
Closing “open doors”
Identity-related weaknesses were found in almost 90% of the breaches investigated by Unit 42. Another report showed that 99% of the more than 680 000 accounts examined across cloud environments had more access than they needed, and in many of these cases the permissions had gone unused for over 60 days.
Lee warned that for government bodies handling sensitive citizen data at scale, unmanaged accounts pose a critical exposure risk.
“Attackers are very good at finding ‘open doors’.
“If someone leaves the organisation and their account is still active six months later, that’s an ‘open door’,” he says.
He says that the organisations navigating this environment most effectively are those with reduced complexity, using fewer integrated platforms, relying on routine automated responses, and building consistent visibility across their environments.
“Platformisation is not about ripping everything out and starting again. The goal is a security environment that is simple enough to manage and fast enough to respond.”
Data Protection
As computing power grows, encryption standards that are secure today may no longer be secure in future, meaning that data stolen now could be decrypted later.
“It starts with knowing exactly where sensitive data resides and how it is encrypted. If you don’t build the ability to swap out encryption standards today, the cost of retrofitting it later will be prohibitive.”
For organisations operating under the data protection mandates of the Privacy Protection Information Act and the Cybercrimes Act, building cryptographic flexibility into their architectures is now a question of compliance as much as of security.