South African Airways (SAA) on Wednesday shared details of its preliminary investigation into the recent cyberattack on its digital systems, but it is just the latest national public entity to fall victim to an accelerating pattern of targeted breaches.
By Stephen Osler, co-founder and business development director at Nclose
The fact that flight operations were not impacted is commendable. But we must stop celebrating near misses and start confronting a much starker reality: South Africa is flying without a cybersecurity safety net.
In a country where key infrastructure has already been flagged as vulnerable by numerous parties and even as part of the country’s greylisting by the FATF, the announcement this week of a “digital transformation roadmap” for government ironically lands against the backdrop of yet another breach. The ambition to centralise and digitise the state’s service delivery is admirable – but it will introduce scale, complexity, and risk at levels our national cyber strategy is not yet equipped to contain.
The breach at SAA is significant not just because of the systems hit, but because of what it tells attackers: that critical infrastructure in South Africa is a soft target. Every successful attack reinforces this perception – and every delay in implementing the promised National Cybersecurity Authority invites more.
At Nclose, we’ve seen this up close. Threat actors are no longer probing for weaknesses in the obvious places. They’re exploiting the blind spots between third parties, legacy infrastructure, and underfunded security postures. They move laterally, stay silent, and when they strike, the incident response clock is already well underway.
The assumption that cybersecurity is an “IT issue” has long expired. What SAA, the SABS, SAWS, the NHLS, and others have in common is that they are national assets – their digital risk is economic risk. It affects supply chains, reputations, and investor confidence. A hit on an airline or standards body isn’t isolated. It has ripple effects across industries and global partnerships.
If we want to stop being surprised by breaches, we need to stop assuming the status quo is good enough. Resilience starts with visibility: knowing what systems you have, what data they hold, and where your exposures are. Then comes testing – not once a year, but continuously. And finally, response readiness: having not just a plan, but the muscle memory to execute it under pressure.
The government’s timeline of delivering a full national cybersecurity authority by 2028 is too far away. In the meantime, we need practical collaboration between public and private sectors, sharing threat intelligence and bolstering the real-time defence capabilities of entities that form the backbone of our country’s functionality.
This isn’t about panic. It’s about preparation. Because if attackers are iterating, so must we. If they’re automating, so must we. And if they’re coming – and they are – then every unpatched system, every under-resourced IT team, every untested response plan is a liability South Africa can no longer afford.