Kathy Gibson reports – Cybersecurity readiness remains alarmingly low in 2025. Organisations are still struggling with many of the basics, compounded by new complexities introduced by AI and an ongoing skills shortages.
This is according to Cisco’s 2025 Cybersecurity Readiness Index, which shows that just 5% of organisations in South Africa have achieved the ‘Mature’ level of readiness required to effectively withstand today’s cybersecurity threats.
This number is unchanged from the 2024 Index, highlighting that the majority of companies remain in formative stage of security readiness, while facing new complexities such as hyperconnectivity and AI.
The report shows that AI is revolutionising security and escalating threat levels, with nearly nine in 10 organisations (87%) facing AI-related security incidents last year. However, only 59% of respondents are confident their employees fully understand AI related threats, and 61% believe their teams fully grasp how malicious actors are using AI to execute sophisticated attacks. This awareness gap leaves organisations critically exposed.
Fady Younes, MD of cybersecurity for Cisco Middle East & Africa says, “The speed at which AI is being weaponised by threat actors is outpacing traditional security approaches. Globally, we’re seeing that fragmented defences and under-resourced teams can’t match the scale or sophistication of today’s attacks. Organisations must shift from incremental upgrades to integrated, AI-native strategies that can defend at machine speed, anything less is no longer sustainable.”
AI is compounding an already challenging threat landscape. In the last year, over half of organisations (54%) suffered cyberattacks, hindered by complex security frameworks with siloed point solutions.
Nabeel Rajab, a cybersecurity expert at Cisco South Africa, says the Index measures readiness across five key pillars: Identity intelligence, machine trustworthiness, network resilience, cloud reinforcement and AI fortification.
Based on a double-blind survey of 8 000 private sector security and business leaders in 30 global markets, including 150 businesses in South Africa, respondents detailed their deployment stages for each solution. Companies were then categorised into four readiness stages: Beginner, Formative, Progressive, and Mature.
He points out that there is still a lot of uncertainty around AI, but – perhaps surprisingly – it’s not the top attack vector that companies have to contend with.
Networking touches the whole organisation, while there has also been a big move to cloud computing over the last few years.
An important aspect of securing the orgnisation is machine trustworthiness, and a lot of focus is going into this pillar. “Digital business is about connecting users to resources,” Rajab says. “Companies need to protect their resources where they reside, which is usually on machines and access from machines. So the machine is a huge area of focus.”
However, perhaps the biggest attack surface is identity. “People are failing to see that identity is becoming the next perimeter,” Rajab explains. “When you are accessing something, you have to identify yourself, and attackers are starting to realise that if they can just get credentials of someone they can get access. Why hack in if you can log in?”
Rajab adds that South African organisations are waking up to the realisation that they are being heavily targeted in cyberattacks, and don’t necessarily have the resources to respond. “There are some aspects that are being missed, especially when it comes to things like skills,” he says. “Work is being done, but we are still not seeing the right levels of maturity.”
Cybersecurity readiness is important for individual organisations, but also for the country as a whole, Rajab points out.
“This can have a huge knock-on implication for the economy, and GDP could be impacted.
“These kind of numbers are important when we look for investment.”
Globally, the lack of cybersecurity readiness is alarming as 22% of respondents anticipate business disruptions from cyber incidents within the next 12 to 24 months. Further:
- AI’s Expanding Role in Cybersecurity: An impressive 92% of organisations use AI to understand threats better, 89% for threat detection, and over 80% for response and recovery, underscoring AI’s vital role in strengthening cybersecurity strategies.
- GenAI Deployment Risks: GenAI tools are widely adopted, with 47% of employees using approved third-party tools. However, 21% have unrestricted access to public GenAI, and 40% of IT teams are unaware of employee interactions with GenAI, underscoring major oversight challenges.
- Unmanaged Device Vulnerability: Within hybrid work models, 75% of organisations face increased security risks as employees access networks from unmanaged devices, further exacerbated by using unapproved Gen AI tools.
- Investment priorities are shifting: While 30% of organisations plan to upgrade their IT infrastructure, only 8% allocate more than 10% of their IT budget to cybersecurity. This highlights the need for more focused investment in defence strategies as threats continue to rise.
- Complex Security Postures: Over 60% of organisations report that their complex security infrastructures, dominated by the deployment of more than ten point security solutions, are impeding their ability to respond swiftly and effectively to threats.
- Talent Shortage Impedes Progress: A staggering 78% of respondents identify the shortage of skilled cybersecurity professionals as a major challenge, with more than half reporting more than ten positions to fill.
Smangele Nkosi, GM of Cisco South Africa, concludes: “To meet today’s cybersecurity demands, organisations must prioritise AI-powered solutions, streamline their security architecture, and build greater awareness of AI-driven threats. It’s crucial to focus on AI for faster detection, response, and recovery — while also addressing talent shortages and mitigating risks from unmanaged devices and shadow AI.”