A staggering four out of five South African organisations -78% – were hit by ransomware in the past year, a considerable increase from the 51% that reported an attack in 2022, and well above the global average of 66%.

This is according to a new independent report from Sophos which surveyed 3 000 IT/cybersecurity leaders in 14 countries, including 200 in South Africa.

Exploited vulnerabilities were the most common root cause of attack for South African organisations, used in 49% of incidents. Compromised credentials were the second most frequent attack vector, used in 24% of attacks.

Eighty nine percent of attacks resulted in data being encrypted. This is higher than the global average of 76% and a considerable increase from the 45% reported by South African respondents in last year’s survey. Data was also stolen in 35% of attacks where data was encrypted, higher than the global average of 30%.

The survey says that 100% of South African organisations whose data was encrypted got data back, slightly above the global average of 97%; and backups remain the most common method used for restoring data with 76% of South African respondents whose data was encrypted using this approach. This is in line with the 80% that used backups in the 2022 survey. Twenty four percent of local organisations that had data encrypted used multiple recovery methods in parallel.

Forty five percent of those that had data encrypted in South Africa paid the ransom, slightly down from both last year’s rate of 49% and the 2023 global average of 47%. Two respondents from South Africa whose organisation paid the ransom shared the same exact amount. One of these respondents reported paying $5-million or more.

Excluding any ransom payments, the average (mean) bill incurred by South African organisations to recover from a ransomware attack was reported at $0,75-million, including costs of downtime, people time, device cost, network cost, lost opportunity, etc. This is considerably less than the global average cost of $1,82-million.

Other highlights regarding South African companies from the Sophos report include:

• 82% of private sector South African organisations hit by ransomware said the attack caused them to lose business/revenue, slightly lower than the global average of 84%.
• 53% of South African organisations took up to a week to recover from the attack. Twenty nine percent took up to a month, while 19% took between one and six months.
• 98% of South African organisations say they have some form of cyber insurance with 47% having a standalone cyber policy and 51% having cyber as part of a wider business policy. By comparison, globally, 91% have cyber coverage with 47% having a standalone policy, and 43% a wider business policy that covers cyber.
• 98% of South African respondents whose organisation had purchased cyber insurance in the last year said the quality of their defences had a direct impact on their insurance position. Sixty six percent said it impacted their ability to get coverage.
• 61% said it impacted the cost of their coverage (the premium).
• 19% said it impacted the terms of their policy, for example, the total amount of coverage or sub-limits.