Globally, the time between a network intrusion and data theft has dropped to around 72 minutes – down from 285 minutes in 2024. For South African organisations, which recorded a 60% rise in data breaches in the first half of 2025 alone, that shrinking window is fast becoming an impossible one to close.
This poses a specific challenge to the public sector, where the Cabinet-approved Roadmap on the Digital Transformation of the South African Government is accelerating toward a centralised MyMzansi platform. South Africa has made significant strides in digital governance, climbing to 40th place in the most recent UN e-Government Index – but as digital ambitions grow, so does the attack surface.
Research from Unit 42, Palo Alto Networks’ threat intelligence division, drawing on more than 750 major incidents across 50 countries, suggests the primary driver of breaches is not attacker sophistication. In 87% of investigated cases, responders had to piece together evidence from two or more separate systems – meaning fragmented defences, not novel techniques, are enabling most attacks.
“Most South African organisations have invested significantly in security,” says Justin Lee, Palo Alto Networks regional director for Southern Africa. “The trouble is that those investments have made things more complicated, not more secure. Complexity is the enemy of speed and, right now, complexity is winning.”
Lee explains that the average South African organisation manages around 57 security tools across 16 vendors – more than double the global average. “With nearly two-thirds of cybersecurity roles currently unfilled, small teams are already stretched thin. In the public sector, fragmented procurement cycles across more than 20 disparate statutes have made consolidation harder still.”
The urgency is compounded by a shift in global threat patterns. The 2026 Unit 42 Incident Response Report identifies a growing trend of nation-state actors moving beyond espionage to pre-positioning within critical infrastructure – establishing footholds that can be activated later.
For a logistical hub like South Africa, this poses a direct strategic risk to ports, utilities and transport networks. “We are seeing actors target the operational technology layers of critical infrastructure,” says Lee. “These environments often rely on older systems that cannot be easily patched. Securing them requires visibility not just across the IT network, but deep into the industrial control systems that manage essential services. A fragmented security architecture simply cannot provide that.”
Identity-related weaknesses featured in nearly 90% of breaches investigated by Unit 42.
A separate analysis of over 680 000 accounts across cloud environments found that 99% held more access than they needed and, in many cases, permissions were unused for 60 days or more. For government bodies handling sensitive citizen data at scale, unmanaged accounts represent a particularly acute exposure.
“If someone leaves the organisation and their account is still active six months later, that’s an open door,” Lee warns. “Attackers are very good at finding open doors.”
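As an added illustration (not part of the article and not Palo Alto Networks' tooling), a small Python audit that applies the two thresholds mentioned above, 60 days for unused permissions and six months for still-enabled dormant accounts, to a constructed account inventory with last-use dates; the account names and permission strings are invented sample data.

```python
from datetime import date

# Constructed sample inventory (not real data): one record per account,
# with last login and the last date each granted permission was exercised.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": "2025-09-20",
     "permissions": {"s3:GetObject": "2025-09-18", "iam:CreateUser": "2025-03-01"}},
    {"user": "bob", "enabled": True, "last_login": "2025-02-10",  # left, never disabled
     "permissions": {"ec2:*": "2025-02-09"}},
    {"user": "carol", "enabled": False, "last_login": "2025-01-05",
     "permissions": {"rds:*": None}},
    {"user": "svc-backup", "enabled": True, "last_login": "2025-09-29",
     "permissions": {"s3:PutObject": "2025-09-29", "kms:Decrypt": None}},
]


def _parse(iso):
    """ISO date string -> date, or None when the permission was never used."""
    return date.fromisoformat(iso) if iso else None


def run_audit(accounts, today_iso, dormant_days=180, unused_days=60):
    """Flag enabled accounts idle for >= dormant_days and, on enabled accounts,
    permissions never used or unused for >= unused_days. Disabled accounts are
    skipped: they cannot exercise their permissions and are already closed doors."""
    today = date.fromisoformat(today_iso)
    findings = {"dormant_accounts": [], "unused_permissions": []}
    for acc in accounts:
        if not acc["enabled"]:
            continue
        last_login = _parse(acc["last_login"])
        if last_login is None or (today - last_login).days >= dormant_days:
            findings["dormant_accounts"].append(acc["user"])
        for perm, last_used in acc["permissions"].items():
            used = _parse(last_used)
            if used is None or (today - used).days >= unused_days:
                findings["unused_permissions"].append((acc["user"], perm))
    return findings


def overprivileged_share(accounts, today_iso, unused_days=60):
    """Fraction of enabled accounts holding at least one unused permission."""
    enabled = [a["user"] for a in accounts if a["enabled"]]
    flagged = {u for u, _ in run_audit(accounts, today_iso, unused_days=unused_days)["unused_permissions"]}
    return len(flagged) / len(enabled) if enabled else 0.0


if __name__ == "__main__":
    print(run_audit(SAMPLE_ACCOUNTS, "2025-09-30"))
    print(f"{overprivileged_share(SAMPLE_ACCOUNTS, '2025-09-30'):.0%} of enabled accounts over-privileged")
```

In a real environment the inventory would come from the identity provider's or cloud platform's last-used reports, and the findings would feed a disable-or-remove workflow rather than a print statement.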
The organisations navigating this environment most effectively are those that have reduced complexity – consolidating onto fewer integrated platforms, automating routine responses, and building consistent visibility across their environments.
“Platformisation is not about ripping everything out and starting again,” says Lee. “The goal is a security environment that is simple enough to manage and fast enough to respond.”
Quantum readiness is also emerging as a longer-term consideration. As computing power grows, encryption standards that are secure today may not remain so, meaning data stolen now could be unlocked in the future. For organisations operating under the data protection mandates of POPIA and the Cybercrimes Act, building cryptographic flexibility into their architecture now is becoming a compliance question as much as a security one.
Lee stresses that this won’t come from a single product solution: “It starts with knowing exactly where sensitive data resides and how it is encrypted. If you don’t build the ability to swap out encryption standards today, the cost of retrofitting it later will be prohibitive.”
The stakes are not abstract. Interpol estimates that cybercrime costs the South African economy approximately R2,2-billion annually, and the Information Regulator currently receives around 284 breach notifications every month.
“However, with more than nine in 10 breaches stemming from preventable gaps, the path forward is clearer than the scale of the problem might suggest,” Lee says.