Latest news with #AllianzRiskBarometer2025

IOL News
01-05-2025
- Business
- IOL News
Cybersecurity: how the Cell C and SABS attacks could have been prevented
Cybercrime has become the single biggest threat to businesses worldwide. According to the Allianz Risk Barometer 2025, cyber incidents — including ransomware attacks, data breaches and IT outages — are now the top global business risk, marking their fourth year at the top. A decade ago, only 12% of global respondents cited cyber as a major concern. In 2025, that number surged to 38%. Allianz noted, 'Cyber is the top risk across North and South America, Europe, and Africa,' dominating industry concerns from aviation to legal services. More importantly, it now ranks as the number one risk in South Africa, overtaking long-standing issues like load shedding and political instability.
This concern is not just theoretical. Two recent, high-profile cyberattacks—one on mobile telecommunications provider Cell C and another on the South African Bureau of Standards (SABS)—have rocked South Africa. Both incidents have raised serious questions about compliance, cybersecurity readiness, and whether these attacks could have been prevented.
Cell C confirmed in a December 2024 media release that it had suffered a major ransomware attack. Sensitive unstructured customer data — including ID numbers, bank details, driver's licenses, medical records and passport information — was compromised and later leaked on the dark web.
While a follow-up communication was sent to customers in early January 2025, the eight-day delay between public disclosure and customer notification drew criticism. The SABS breach followed a similar pattern — ransomware paralysed the organisation's systems in November 2024, with clients being informed on 26 November.
Shockingly, it was later revealed in Parliament that, by February 2025, core systems remained encrypted and inaccessible. This marked the third cyberattack on the SABS in just five years.
Herman Stroop, Lead ISO Specialist at WWISE (World Wide Industrial & Systems Engineers), said that both attacks were entirely preventable. 'Neither Cell C nor SABS were ISO/IEC 27001 certified — a globally recognised standard for information security management,' Stroop said. 'This standard isn't just a technical checklist. It's a framework that forces an organisation to understand its vulnerabilities, assess its risks, and apply controls that address these risks in a structured, auditable way,' Stroop added.
The ISO/IEC 27001 standard focuses on Confidentiality, Integrity, and Availability (CIA)—the foundation of modern information security. It requires organisations to conduct ongoing risk assessments, implement policies and technical controls, and continuously monitor and update these defences in response to emerging threats.
According to Stroop, the absence of such a system is often due to a lack of strategic commitment from leadership. 'Cybersecurity is wrongly seen as an IT issue,' he says. 'Top management often fails to view it as a core business risk, resulting in underinvestment in preventative frameworks like ISO/IEC 27001. One key challenge in South Africa is poor enforcement of existing regulations. While the Protection of Personal Information Act (POPIA) and Minimum Information Security Standards (MISS) lay out clear expectations for information governance, many organisations either ignore or delay compliance due to a perceived lack of consequences,' Stroop said.
'The irony is that prevention is far cheaper than remediation,' Stroop noted. 'In many cases, organisations suffer reputational damage, legal liability, and operational downtime that far exceed the cost of implementing an ISO-compliant Information Security Management System.'
Cell C and SABS also provide examples of poor transparency. Details about the nature of the attacks and how they were handled remain vague. 'When an organisation isn't ISO-certified, it usually doesn't have the documentation, procedures or incident response plans to respond properly — let alone communicate clearly — during a breach,' Stroop added.
According to the Information Regulator, South Africa sees between 150 and 300 cyberattacks reported each month—and that's just the reported incidents. Many go unreported due to reputational fears or because organisations are not compliant with POPIA and fear investigation.
Stroop believes that ISO 27001 should be mandated for public institutions and critical infrastructure operators. 'Without minimum compliance levels, we're just waiting for the next disaster,' he says. 'It's not a matter of if, but when.'
And there is movement. Some insurance providers are beginning to offer premium reductions for ISO-certified organisations, while major corporate clients now demand ISO 27001 certification from vendors. 'It's becoming a market differentiator,' Stroop concludes. 'Organisations serious about protecting their data and reputation cannot afford to ignore ISO 27001 any longer.'
In a digital age where the threat landscape evolves daily, being unprepared is no longer an option.
BUSINESS REPORT

TimesLIVE
25-04-2025
- Business
- TimesLIVE
'Cybercrime ranks as No 1 risk in SA, overtaking long-standing issues': expert
Cybercrime now ranks as the No 1 risk in South Africa, overtaking long-standing issues including load-shedding and political instability. According to the Allianz Risk Barometer 2025, cyber-incidents — including ransomware attacks, data breaches and IT outages — are now the top global business risk, marking their fourth year at the top. A decade ago, only 12% of global respondents cited cybercrime as a major concern. In 2025, that surged to 38%. 'Cyber is the top risk across North and South America, Europe and Africa, dominating industry concerns from aviation to legal services,' said Allianz. Cell C suffered a major ransomware attack in December 2024, exposing sensitive customer data such as ID numbers, bank and medical details, and passports, which were later leaked on the dark web. Similarly, the SABS faced a ransomware attack in November 2024. By February 2025, its core systems were still encrypted — marking the third cyberattack on the organisation in five years.

The Herald
25-04-2025
- Business
- The Herald
'Cyber crime ranks as the number one risk in SA, overtaking long-standing issues': expert
Cyber crime now ranks as the number one risk in South Africa, overtaking long-standing issues including load-shedding and political instability. According to the Allianz Risk Barometer 2025, cyber incidents — including ransomware attacks, data breaches and IT outages — are now the top global business risk, marking their fourth year at the top. A decade ago, only 12% of global respondents cited cyber crime as a major concern. In 2025, that surged to 38%. 'Cyber is the top risk across North and South America, Europe and Africa, dominating industry concerns from aviation to legal services,' said Allianz.
Cell C suffered a major ransomware attack in December 2024, exposing sensitive customer data such as ID numbers, bank and medical details, and passports, which were later leaked on the dark web. Similarly, the SABS faced a ransomware attack in November 2024. By February 2025, its core systems were still encrypted — marking the third cyberattack on the organisation in five years.
Herman Stroop, lead ISO Specialist at WWISE, a leading ISO standards and systems implementation consultancy, believes both breaches were entirely preventable. 'Neither Cell C nor SABS were ISO/IEC 27001 certified — a globally recognised standard for information security management. This standard isn't just a technical checklist. It's a framework that forces an organisation to understand its vulnerabilities, assess its risks, and apply controls that address these risks in a structured, auditable way,' he said.
The ISO/IEC 27001 standard focuses on confidentiality, integrity and availability — the foundation of modern information security. It requires organisations to conduct ongoing risk assessments, implement policies and technical controls, and continuously monitor and update these defences in response to emerging threats.
According to Stroop, the absence of such a system is often due to a lack of strategic commitment from leadership. 'Cybersecurity is wrongly seen as an IT issue. Top management often fails to view it as a core business risk, resulting in underinvestment in preventive frameworks like ISO/IEC 27001,' he said.
Further, Stroop said that poor enforcement of existing regulations is a key challenge in South Africa. He said while the Protection of Personal Information Act (Popia) and Minimum Information Security Standards (Miss) lay out clear expectations for information governance, many organisations either ignore or delay compliance due to a perceived lack of consequences. 'The irony is that prevention is far cheaper than remediation. In many cases, organisations suffer reputational damage, legal liability and operational downtime that far exceed the cost of implementing an ISO-compliant Information Security Management System,' Stroop said.
He believes that Cell C and SABS also provide examples of poor transparency as details about the nature of the attacks and how they were handled remain vague. 'When an organisation isn't ISO-certified, it usually doesn't have the documentation, procedures or incident response plans to respond properly — let alone communicate clearly — during a breach,' said Stroop.
According to the Information Regulator, South Africa sees between 150 and 300 cyberattacks reported each month — and that's just the reported incidents. Many go unreported due to reputational fears or because organisations are not compliant with Popia and fear investigation.
Stroop believes that ISO 27001 should be mandated for public institutions and critical infrastructure operators. 'Without minimum compliance levels, we're just waiting for the next disaster. It's not a matter of if but when.' However, he notes that some insurance providers are beginning to offer premium reductions for ISO-certified organisations, while major corporate clients now demand ISO 27001 certification from vendors. 'It's becoming a market differentiator. Organisations serious about protecting their data and reputation cannot afford to ignore ISO 27001 any longer,' he said.
TimesLIVE

TimesLIVE
24-04-2025
- Business
- TimesLIVE
'Cyber crime ranks as the number one risk in SA, overtaking long-standing issues': expert
Cyber crime now ranks as the number one risk in South Africa, overtaking long-standing issues including load-shedding and political instability. According to the Allianz Risk Barometer 2025, cyber incidents — including ransomware attacks, data breaches and IT outages — are now the top global business risk, marking their fourth year at the top. A decade ago, only 12% of global respondents cited cyber crime as a major concern. In 2025, that surged to 38%. 'Cyber is the top risk across North and South America, Europe and Africa, dominating industry concerns from aviation to legal services,' said Allianz.
Cell C suffered a major ransomware attack in December 2024, exposing sensitive customer data such as ID numbers, bank and medical details, and passports, which were later leaked on the dark web. Similarly, the SABS faced a ransomware attack in November 2024. By February 2025, its core systems were still encrypted — marking the third cyberattack on the organisation in five years.
Herman Stroop, lead ISO Specialist at WWISE, a leading ISO standards and systems implementation consultancy, believes both breaches were entirely preventable. 'Neither Cell C nor SABS were ISO/IEC 27001 certified — a globally recognised standard for information security management. This standard isn't just a technical checklist. It's a framework that forces an organisation to understand its vulnerabilities, assess its risks, and apply controls that address these risks in a structured, auditable way,' he said.
The ISO/IEC 27001 standard focuses on confidentiality, integrity and availability — the foundation of modern information security. It requires organisations to conduct ongoing risk assessments, implement policies and technical controls, and continuously monitor and update these defences in response to emerging threats.
According to Stroop, the absence of such a system is often due to a lack of strategic commitment from leadership. 'Cybersecurity is wrongly seen as an IT issue. Top management often fails to view it as a core business risk, resulting in underinvestment in preventive frameworks like ISO/IEC 27001,' he said.
Further, Stroop said that poor enforcement of existing regulations is a key challenge in South Africa. He said while the Protection of Personal Information Act (Popia) and Minimum Information Security Standards (Miss) lay out clear expectations for information governance, many organisations either ignore or delay compliance due to a perceived lack of consequences. 'The irony is that prevention is far cheaper than remediation. In many cases, organisations suffer reputational damage, legal liability and operational downtime that far exceed the cost of implementing an ISO-compliant Information Security Management System,' Stroop said.
He believes that Cell C and SABS also provide examples of poor transparency as details about the nature of the attacks and how they were handled remain vague. 'When an organisation isn't ISO-certified, it usually doesn't have the documentation, procedures or incident response plans to respond properly — let alone communicate clearly — during a breach,' said Stroop.
According to the Information Regulator, South Africa sees between 150 and 300 cyberattacks reported each month — and that's just the reported incidents. Many go unreported due to reputational fears or because organisations are not compliant with Popia and fear investigation.
Stroop believes that ISO 27001 should be mandated for public institutions and critical infrastructure operators. 'Without minimum compliance levels, we're just waiting for the next disaster. It's not a matter of if but when.' However, he notes that some insurance providers are beginning to offer premium reductions for ISO-certified organisations, while major corporate clients now demand ISO 27001 certification from vendors. 'It's becoming a market differentiator. Organisations serious about protecting their data and reputation cannot afford to ignore ISO 27001 any longer,' he said.