Abstract
The world has experienced prevalent cyber-attacks since the Fourth Industrial Revolution, which were exacerbated by Covid-19 and the adoption of digitisation. The South African public sector organisation has been in the spotlight, as a result of recurring cyber-attacks on the IT infrastructure since the pandemic. These attacks have exposed vulnerabilities within the South African public sector Information Technology (IT) infrastructure. It was imperative for the South African public sector organisation to prioritise cybersecurity as part of the board’s agenda, as the impact suffered by public sector organisations, includes amongst other financial losses, data loss, reputational risk, and business disruptions.
This study investigated the state of cybersecurity readiness within South African public sector organisations varying from State-Owned Entities (SOEs), national departments, and municipalities. It also highlighted attempts to disclose and to report on the state of cybersecurity readiness with specific focus on cybersecurity threats, cybersecurity skills, IT investment, cybersecurity budgeting, and cybersecurity awareness training. Despite limitations imposed on this study, there were adequate disclosures on cybersecurity initiatives and related information in integrated reports and annual reports. The study applied a qualitative content analysis methodology to achieve its objectives.
The findings indicated that the agenda of cybersecurity was not being prioritised. The study also identified limitations in IT investment and cybersecurity budget, shortage in cybersecurity skills, and non-implementation of lessons learned from past cyber-attack experiences. The recommendations emanating from the study suggested that the South African government should be directly involved in cybersecurity initiatives, including investment in IT infrastructure upgrades, cybersecurity budgets, cybersecurity upskilling, and continued cybersecurity awareness training to drive the South African public sector to the desired state of cybersecurity readiness.