
South Africa now features among the most targeted countries on the continent for cybercrime, with regional policing analyses warning of sustained growth in financially motivated attacks, including business email compromise and ransomware[1].
The CSIR State of Cybersecurity in South Africa survey undertaken in 2024/25 shows a high and rising share of companies experiencing incidents, alongside large gaps in basic controls and skills[2].
At the same time, the National Security Strategy identifies cyber-related threats to critical infrastructure, financial stability and public services as a national risk, acknowledging that current governance and coordination mechanisms are not yet keeping pace with the speed of digital transformation[3]. And yet, says Mandla Mbonambi, CEO of Africonology, the country is moving faster on AI adoption than almost any other readiness metric suggests it should. That tension between accelerating capability and lagging control is where risk currently lives.
“AI isn’t waiting for governance to catch up,” he continues. “Organisations are deploying it because the competitive pressure is real, but the security infrastructure to match that deployment is often not in place, and this is the gap attackers are exploiting.”
The numbers support this concern. According to Cisco’s 2025 Cybersecurity Readiness Index, based on a survey of 8,000 security and business leaders in 30 markets, only 4% of companies have achieved a Mature level of readiness capable of withstanding modern cyberattacks[4]. And 71% expect that a cybersecurity incident is likely to impact their business in the next 12-24 months. Most, says Cisco, are not prepared for these threats because readiness levels remain relatively stagnant while AI surges in adoption and scale.
The structural problem is that South Africa’s cybersecurity posture has been audit-driven and reactive, with many companies relying on periodic testing models and fragmented tooling.
These approaches are too slow for AI-accelerated attack cycles. AI adoption is outpacing the foundations needed to secure it and companies aren’t ready, especially across the key pillars of talent, data readiness and a robust posture for controlling access to AI systems and datasets.
Infrastructure readiness is equally strained as companies are struggling to establish the right levels of scalability and flexibility required to benefit from AI, and they lack confidence in the availability of computing resources to manage AI workloads. On top of that, security teams are worried. They are concerned that AI is shrinking the time between vulnerability discovery and exploitation faster than companies can remediate.
“Enterprise AI deployment is already moving ahead of the frameworks needed to manage it safely, so companies are exposed to fragmented standards around data security, AI accountability, identity risks and incident response at a time when AI systems are expanding the attack surface,” says Mbonambi.
“However, there are encouraging signs. It’s not all AI doom and attack surface gloom. Companies are investing in upskilling existing staff and allocating more budget to hiring talent, but they have a way to go to get ready enough for what AI is bringing to the threat table.”
That’s the nub of the problem. The threat profile itself has changed because AI is reimagining security on both sides of the fence. AI-generated phishing is a fast-growing attack vector as the technology allows attackers to craft highly personalised, grammatically precise, contextually convincing communications. These intelligent threats are essentially eliminating the red flags that employees were trained to detect.
“Ransomware operators are using machine learning to automate vulnerability identification, and this is compressing the time between initial compromise and full encryption, plus ransom demands are being customised based on financial profiling of the victim,” says Mbonambi. “Then there’s the growing threat of shadow AI, where employees are using tools without policy guidance and uploading sensitive information into unsecured third-party platforms.
“There’s limited to no board oversight, data classification policy or audit trail. Not only is this risky for the business as a whole, but it also puts the company in a reputational and financially compromised position. If there’s a breach, it can face a hefty fine from the Information Regulator under POPIA.”
Companies must find a way of creating symmetry between AI adoption and cybersecurity protection. It costs cybercriminals less and less to launch sophisticated and targeted campaigns, and less than it costs companies to defend against them.
“Security,” concludes Mbonambi, “is a core business capability and needs to be built in from the start so that your business carries less risk while still moving rapidly towards AI adoption and innovation. South African organisations have the talent and the intent, now there is just the need for urgency.”


