Practically two-thirds of South African authorities entities assessed by the auditor-general have notable weaknesses of their cybersecurity defences, with penetration testing revealing that a number of authorities environments had been breached in the course of the 2024/2025 monetary 12 months.
The findings are contained within the Auditor-Common South Africa’s consolidated common report on nationwide and provincial audit outcomes for 2024/2025, which paints a damning image of the state of data safety throughout the general public sector.
The AG’s workplace assessed the cybersecurity controls of 70 nationwide and provincial authorities entities, evaluating governance frameworks, threat administration, compliance, operational controls and incident response. It additionally performed technical assessments together with penetration testing and vulnerability scanning.
Of the 70 entities assessed, 45 (64%) had notable weaknesses of their cybersecurity posture, together with 23 high-impact entities. Eight entities (11%) — 4 of which had been categorized as excessive affect — exhibited vital vulnerabilities that might be exploited if not remedied.
The commonest failings included a scarcity of backup testing, the absence of vulnerability administration instruments, weak entry controls, unpatched techniques, and inadequate logging and monitoring of administrator actions. Many entities lacked mature incident response capabilities and restoration procedures, the report discovered.
SABS nonetheless recovering
The report singles out the South African Bureau of Requirements as a case examine in what occurs when warnings go unheeded. In November 2024, the SABS skilled a ransomware assault that totally encrypted its data techniques, triggering a whole shutdown of enterprise functions. The entity was unable to submit its 2024/2025 monetary statements because of this.
The AG famous that the bureau’s cyber-risk publicity had been heightened by outdated techniques, weak password insurance policies, poor entry controls and an untested catastrophe restoration plan — and that the SABS had did not act on suggestions the AG had been making since 2021/2022.
“The cyberattack revealed the absence of a structured response mechanism, an untested catastrophe restoration plan and a delayed restoration course of,” the report stated. SABS was nonetheless recovering techniques and information on the time of the report — 15 months after the assault.
The SABS was not the one entity to endure a breach. The Nationwide Well being Laboratory Service was hit by a cyberattack in June 2024 that disrupted its techniques. The KwaZulu-Natal Nature Conservation Board skilled a separate cybersecurity incident in February 2025 that rendered its monetary system inaccessible and prevented it from submitting monetary statements.
Past cybersecurity, the AG reported an total decline within the power of IT management environments throughout the 191 entities it audited. Extra entities regressed on this space than improved.
Learn: R12.1-billion wasted as authorities IT initiatives collapse
Safety administration was the weakest management space, with solely 69 entities (36%) rated as having good controls, whereas 103 (54%) had been rated as regarding and 19 (10%) as poor.
The report additionally flagged R5.5-billion in authorities IT infrastructure spending throughout 2024/2025 that “has did not assist modernisation and resilience as many auditees nonetheless function with ageing infrastructure”. — © 2026 NewsCentral Media
Get breaking information from TechCentral on WhatsApp. Enroll right here.
