Cyber threats, particularly ransomware, represent one of the most significant risks to enterprises today. Ransomware attacks are no longer just an IT issue; they have become full-blown business crises with financial, legal, and reputational consequences. Boards and executive committees must take ownership of cyber resilience, recognising that paying a ransom does not guarantee full data recovery—only 57% of compromised data is ever recovered. The question is not if your organisation will be targeted, but when.
Cybersecurity is a board-level issue, and the level of preparedness today will determine whether an organisation survives tomorrow’s cyber threats.
Understanding the threat landscape
Recent cyber-attacks in South Africa underscore the increasing sophistication and frequency of these threats. The South African Weather Service (SAWS) suffered a cyberattack in January 2025, disrupting critical forecasting services. The South African Bureau of Standards (SABS) was hit by ransomware in December 2024, halting certification services and affecting businesses reliant on regulatory approvals. In June 2024, the National Health Laboratory Service (NHLS) faced a cyberattack that delayed medical test results and impacted patient care. The Companies and Intellectual Property Commission (CIPC) experienced a breach in February 2024, compromising corporate registration data and raising concerns about identity theft.
Beyond external threats, organisations must acknowledge the risks posed by insiders. Many boards assume that ransomware attacks originate solely from external cybercriminals, but insider threats are just as dangerous. Negligent employees may click on phishing links, use weak passwords, or share credentials unknowingly. Disgruntled employees can sabotage systems or leak sensitive data, while compromised employee accounts provide attackers with unauthorized access. Organisations must proactively monitor unusual internal activity, restrict administrative privileges, and implement logging and alerts to detect suspicious behaviour early.
The supply chain risk
Cyber threats do not stop at an organisation’s perimeter. Third-party vendors and suppliers with access to critical infrastructure and data can serve as entry points for attackers. Some of the biggest cyberattacks globally, such as SolarWinds and MOVEit, were supply chain attacks where hackers breached a third-party provider to gain access to multiple companies. Many smaller vendors lack strong cybersecurity measures, making them prime targets. Organisations must rigorously vet third-party vendors before granting access, enforce multi-factor authentication (MFA) for external partners, and limit third-party access to the bare minimum necessary.
The role of AI in ransomware
Artificial Intelligence (AI) is transforming the ransomware landscape for both attackers and defenders. Cybercriminals leverage AI to craft highly convincing phishing emails, deploy adaptive malware that evades detection, and automate hacking tools that rapidly exploit vulnerabilities. As these threats evolve, organisations must adopt AI-driven security solutions that identify ransomware activity before execution, automate threat responses to contain infections, and enhance phishing detection through machine learning. The growing ransomware threat demands that boards assess risks stemming from internal staff, third parties, and AI-driven attacks proactively.
Why boards must treat ransomware as a business risk
Ransomware attacks can bring operations to a halt for days or weeks, expose sensitive corporate and customer data, result in regulatory fines and legal liabilities, and inflict severe reputational damage. While board members are not responsible for configuring firewalls or selecting IT security tools, they must lead the organisation’s response strategy and ensure business continuity. The financial impact of ransomware extends beyond ransom demands—operational downtime results in lost revenue, compliance violations can lead to hefty penalties under regulations like South Africa’s Protection of Personal Information Act (POPIA) and Europe’s General Data Protection Regulation (GDPR), and customer trust may be irreparably damaged. Investing in prevention is always more cost-effective than managing the aftermath of an attack.
The board’s role in cyber resilience
Cybersecurity must be embedded in corporate culture, and leadership plays a critical role in setting the tone. Boards should assess whether executives take cybersecurity seriously, ensure employees feel empowered to report suspicious activity, and integrate cybersecurity goals into performance metrics. Strong leadership involves active participation in cybersecurity simulations, integrating cyber awareness into onboarding and training, and rewarding employees for identifying threats. A robust security culture is far more effective at mitigating risk than relying solely on expensive software solutions.
Boards must ensure that their organisations have comprehensive cyber resilience plans in place. These plans should extend beyond IT recovery to include business continuity, legal considerations, and public trust management. Key pillars of a resilient organisation include:
- Immutable backups and clean room recovery: Backups must be protected from modification by hackers, with regular restoration testing. Disaster recovery environments should be isolated from the primary IT infrastructure to ensure recovery remains unaffected by an attack.
- Incident response planning: A response plan should cover various outage scenarios and involve key business units, including HR, operations, legal, PR, and IT. Crisis communication strategies must be developed to protect brand reputation, and critical response documents should be stored offline for accessibility in an emergency.
- Table-top simulations: Regular executive-led cyber crisis drills, and annual IT recovery testing are essential to validate system restoration processes. Lessons learned from past incidents should inform continuous improvements to cybersecurity strategies.
To pay or not to pay?
Boards should determine in advance whether they will pay a ransom in the event of an attack. This decision must weigh the risks and ethical considerations, acknowledging that ransom payments do not guarantee full data recovery and may inadvertently fund further cybercrime. If a company decides to pay, it must ensure compliance with legal requirements, as ransomware payments often involve international transactions and cryptocurrency. Engaging a ransomware negotiator can help assess options, delay payment while recovery efforts proceed, and explore alternative decryption keys.
Organisational preparedness and cyber insurance
Cyber insurance can provide financial relief during a ransomware attack, covering ransom payments, forensic investigations, regulatory fines, and public relations damage control. However, businesses that cannot afford cyber insurance must establish external partnerships in advance, including ransomware negotiators, legal firms with cyber expertise, technical response teams, forensic auditors, and PR firms. Pre-negotiating contracts with these vendors ensures that an organisation is not left scrambling for help during an attack.
Cyber resilience on a budget
Not all cybersecurity measures require substantial investment. Cost-effective yet impactful strategies include implementing least privilege access, disabling unused service accounts, enforcing strict patch management, segmenting networks to prevent ransomware spread, mandating multi-factor authentication and strong passwords, and conducting regular cybersecurity awareness campaigns.
Measuring cybersecurity ROI
Boards often struggle to justify cybersecurity spending because it does not provide immediate returns. Instead of framing cybersecurity as an expense, organisations should highlight the financial exposure it mitigates. For example, presenting security investments as reducing potential ransomware damages by tens or hundreds of millions can help secure board approval. Every currency unit spent on prevention saves significantly more in recovery costs.
Post-attack reputation management
A well-managed response can prevent customer churn and protect shareholder confidence. Transparency, proactive regulatory engagement, and clear internal communication are essential. Case studies illustrate the consequences of poor responses, such as Equifax’s delayed breach disclosures in 2017, versus strong crisis management strategies like Maersk’s rapid recovery and transparent updates following the NotPetya attack.
Conclusion
Cyber threats are an enterprise risk, not just an IT problem. Boards and executive committees must take ownership of cyber resilience, ensuring their organisations are prepared to respond effectively to ransomware attacks. The time to establish cybersecurity strategies, incident response plans, and leadership engagement is now—not when an attack is already underway. The question remains: is your organisation truly prepared? If not, the time to act is today.
