Posts List
Featured News
Business & Gov
Why cybersecurity awareness is failing South African businesses and what to fix first
Charmé van der Westhuizen, New Business Development Manager at IPT
South African businesses are investing heavily in cybersecurity technology. Detection tools are becoming more sophisticated, monitoring is more advanced, and response capabilities are faster. Yet most breaches still begin with a human error. This shows that technology is not the problem. Instead, it is how cybersecurity is approached.
For many businesses, cybersecurity awareness remains a compliance activity rather than a risk discipline. Training is scheduled annually, attendance is recorded, and certificates are issued. From a governance perspective, the requirement has been met. From a risk perspective, little has changed.
Not a one-off event
In practice, behaviour is shaped by what is reinforced, not what is presented once a year. When training is concentrated into a single intensive session, it competes with operational pressures and fades quickly out of memory. The reality of South African business environments is that teams are stretched, inboxes are full, and urgency is constant. Under those conditions, knowledge without reinforcement does not stick.
If we accept that human behaviour remains the entry point for most cyber incidents, then awareness cannot sit on the periphery of the security strategy; it must be embedded in business operations.
Thinking differently
The first issue to fix is cadence. Short, consistent training delivered over time improves employee skills much more effectively than infrequent, high-intensity workshops. This is not because the content is different, but rather because repetition alters how employees respond to cyberattacks. When people are exposed more frequently to common threat scenarios, they can better identify any potential attack.
The second issue is relevance. Many organisations roll out uniform training across the entire business. That approach assumes that all employees experience the same risk exposure. In reality, risk varies by department. Finance teams face different attack patterns from sales teams. HR manages different types of sensitive information from operations. When awareness programmes fail to reflect those realities, they lose credibility.
Cybersecurity is often described as an IT responsibility. It is not. It is behavioural risk management embedded across departments. If awareness is not tailored to role-based exposure, engagement drops and risk remains unevenly distributed.
The third issue is measurement. Awareness programmes frequently rely on completion metrics rather than behavioural indicators. Attendance does not equal building a resilient organisation. A signed acknowledgement does not demonstrate that a company has now improved its cyber defences.
Identifying threats
When organisations assess behavioural vulnerabilities at the outset, they gain visibility into actual exposure. Automation can then deliver targeted reinforcement at regular intervals, addressing identified weak points rather than rotating generic topics. Over time, this produces measurable improvement instead of superficial coverage.
Automation, in this context, is not about sophistication for its own sake. It is about consistency and accountability. It ensures that awareness is not dependent on manual scheduling or shifting priorities. Weaknesses are identified, addressed, and re-evaluated systematically.
Without that structure, awareness remains reactive.
More than compliance
South African businesses operate in a regulatory and economic environment where reputational damage and operational disruption carry significant consequences. Clients, partners, and regulators increasingly expect demonstrable risk management, not theoretical commitment.
The uncomfortable reality is that many companies are investing more in detecting breaches than in preventing the human actions that trigger them.
Fixing cybersecurity awareness does not require a new platform as a starting point. It requires reframing awareness as an ongoing behavioural discipline supported by structured reinforcement, role-based relevance, and measurable improvement.
Technology will always be essential. But until awareness is integrated into operational processes and treated as a governed risk control, the human layer will remain inconsistently defended.
The number of tools deployed does not define cybersecurity maturity. It is reflected in how people behave under pressure. That is where the real work begins.
Tech & Events
Winning the tender is when the real risk begins
Morag Evans, CEO of Databuild
Winning a tender tends to create a sense that things are under control. The project is secured, teams are briefed, and attention shifts quickly to getting work underway. What is less visible at that point is how quickly the risk profile changes.
Recent building failures have brought these risks into sharper focus, but the underlying issue is not what happens when things go wrong. It is what is already in motion long before that point.
In the South African context, the award is often a signal that risk exposure is starting to build. For example, financial commitments must be locked in, operational demands start increasing on the business, and more of the project begins to sit outside the company’s direct control. On paper, the job is just starting. In practice, the pressure has already begun.
An interconnected environment
This impacts the entire delivery chain. Equipment moves between sites. Materials travel long distances before they reach their destination. Subcontractors come and go. Labour is managed under pressure. Each of these introduces its own set of risks, and they do not operate in isolation. It is here where the gap often appears. Insurance is treated as a requirement to be satisfied before work begins, rather than a reflection of whether the project has been fully understood.
Spend time near active sites, and the patterns are clear. Materials do not arrive when expected. Equipment is either delayed or stolen. Invariably, deliveries get disrupted. Sites are forced to pause, not because the work cannot continue, but because something in the chain has broken. The costs do not always show immediately, but they accumulate quietly in the background.
Transport risk alone has become more complex. The movement of goods, particularly over long distances, exposes contractors and manufacturers to increasing levels of disruption. Truck hijackings remain a persistent concern across key routes, affecting not only delivery timelines but also the availability of critical materials. When a delivery does not arrive, it is not just a logistics issue. It affects scheduling, labour allocation, and ultimately project viability.
At the site level, security risks are equally present. Equipment and materials are valuable, often unsecured, and frequently targeted. In some cases, projects are disrupted by organised groups seeking access, influence, or payment. These realities are part of the operating environment in the South African construction sector.
Layer onto that the administrative risks. Contract disputes, delays, and compliance requirements all sit alongside the physical build. When timelines change or costs increase, those pressures come to the fore very quickly. For contractors operating on tight margins, there is very little room to absorb unexpected events.
More than ticking boxes
This is why insurance cannot be approached as a checklist exercise. It is not simply about having a cover in place. It is about whether the right risks have been identified early enough, and whether the project has been structured to absorb disruption.
Cover for plant and machinery, goods in transit, liability, and business interruption should not be afterthoughts. They are indicators of how well the project has been scoped and understood. If those conversations only begin after the tender has been awarded, the process is already reactive.
What is changing in the market is not just the level of risk, but who is carrying it. The construction sector is seeing increased participation from newer contractors entering the tender environment. This is a positive shift in terms of competition and opportunity. Still, it also means that more projects are being delivered by teams that may not yet have experienced the full spectrum of operational risk.
Managing pressure
At the same time, pricing pressure continues. Margins are tighter. Timelines are more demanding. The tolerance for disruption is lower, even as the likelihood of disruption increases. That combination creates a fragile operating environment where small issues can escalate quickly.
From a broader industry perspective, risk is becoming more fragmented. It no longer sits in one obvious place. It moves between logistics, site operations, compliance, and external factors such as security and infrastructure reliability. Managing that requires a more integrated approach, not just to insurance, but to how projects are planned from the outset.
The contractors who navigate this successfully tend to have one thing in common. They do not separate delivery from risk. They treat insurance, logistics, and operational planning as part of the same conversation, not as separate steps in a process.
In construction, outcomes are rarely decided on site alone. They are shaped long before work begins, in the decisions made around planning, coverage, and preparedness. Winning the tender may feel like the milestone that matters. In practice, it is the moment when the risk exposure is revealed.