No one enters the cybersecurity sector expecting serenity. The pace is relentless, and the stakes are high.
By Brendan Widlake, regional director of Veeam Software South Africa
According to the World Economic Forum, the weekly number of cyberattacks has more than doubled, now hovering just below 2 000.
That figure might seem exaggerated until you consider how many high-profile breaches have made headlines recently – and those are just the ones we know about.
What’s more concerning is the speed at which attackers are evolving. AI, once a theoretical threat, is now a practical weapon.
Phishing techniques have become disturbingly sophisticated, and attackers are even weaponising chatbots to develop malicious code as they innovate at pace.
Thankfully, governments have responded with commendable urgency. New regulations are emerging across the globe, and law enforcement has successfully dismantled several major threat groups.
But these victories can be misleading. They create a sense of calm that’s not only temporary but dangerous. Cyber threats don’t vanish – they adapt.
No getting off this ride
The one constant in cybersecurity is change. Just last year, it seemed like the industry was on a big high, with major cyberthreat groups like LockBit, BlackCat, and Black Basta either being shut down, disappearing, or simply ceasing operations.
For a moment, it created the impression that the tide was turning. Even ransomware payments dipped slightly worldwide, reinforcing the sense that pressure on attackers might finally be taking effect.
But South Africa has seen the opposite. While high-profile takedowns grabbed global headlines, local organisations continued to face a steady stream of attacks across sectors as varied as finance, retail, healthcare and government services.
Public analysis from Interpol’s African Cybercrime Assessment Report shows that South Africa is among the most targeted countries on the continent for ransomware, financial fraud, and data theft.
Industry data has echoed the trend, with multiple reports highlighting the country’s high rate of cyber incidents and rising ransomware activity.
And when established groups fall away, the vacuum opens the door for smaller crews and opportunistic attackers who move faster, hit harder and care far less about who they disrupt.
Money might still be a driver, but many of these newcomers are more focused on targets where an attack causes the most disruption than on those who might pay the biggest ransom. Today, you can split the market largely in two.
Those high-cost, targeted attacks are still very much present, aiming at larger enterprises with deeper pockets. But on the other side, you’ve got volume-driven Ransomware-as-a-Service attacks, driven by those smaller groups and lone wolves, aiming to create as much chaos as possible.
So, while on the surface it might seem like an improved landscape, the same threats are still very much present, and new ones are already here.
Making the right choices
Regulation has been moving here as well, just not always in the headlines. POPIA forced organisations to treat data protection as something real and measurable, not a policy in a drawer.
It introduced breach-notification rules and security safeguards, and put the Information Regulator in a position to expect organisations to account for how they handle personal information.
For many businesses, that was the first time cybersecurity felt tied to legal responsibility rather than internal best practice.
There is often a gap between regulation and real-world execution. POPIA compliance varies widely, and even in regulated industries, resilience depends more on operational maturity than on how complete the paperwork looks.
Compliance is necessary, but it cannot carry the full weight of resilience. Threat actors do not slow down when a regulation takes effect.
Organisations that pause at “compliant” often discover the hard way that the rulebook does not keep pace with attackers who have no obligation to follow it.
Keeping moving
Right now, the sector is sitting in the middle of a perfect storm. Big-name takedowns are lulling organisations into a false sense of security, while new attackers emerge from the wings, using new and improved tools.
And the focus on regulatory compliance risks misleading organisations and obscuring the true scope of improvements that could be made to their data resilience.
In times like this, organisations need to turn their attention inwards. Rather than scrambling to react to attacks with one hand, while also trying to meet compliance deadlines and keep day-to-day operations running smoothly with the other, they should try a different approach.
Using data resilience maturity models, organisations can better understand their current posture and create a structured path to improve it.
A critical part of that maturity is consistency. All environments, whether on-premises, in public cloud, across SaaS applications, or in containerised platforms such as Kubernetes, need to be protected with the same enterprise-grade data resilience standards.
Fragmented approaches, where one tool protects on-prem workloads, another handles cloud and SaaS workloads, and SaaS data is left exposed or reliant on native retention policies, create blind spots that attackers quickly exploit.
Increasingly, organisations are recognising the value of unified and managed resilience services that reduce skills overhead and simplify compliance.
SaaS-based data protection and digital vaulting services, for example, allow businesses to extend consistent protection across Microsoft 365, Azure, AWS, and other platforms without adding certification burdens or operational complexity.
When resilience tooling is aligned across environments, sovereignty and recovery objectives become practical rather than aspirational.
With attacks more frequent than ever and attackers arguably as unpredictable as ever, special attention also needs to be paid to recovery. While having mature data resilience should always be ‘plan A’, your recovery ‘plan B’ needs to be just as developed, if not more so.
Data resilience is a journey that can’t be completed overnight, and attackers won’t wait until you get yours up to scratch before they strike.
Ask yourself – right now, how long would it take my organisation to recover from an attack? Take a long, hard look at the answer, and if you wouldn’t be able to wait that long without a severe business impact, perhaps you need to take a look at your recovery plan before the storm hits.