Nearly two-thirds of South African government entities assessed by the auditor-general have notable weaknesses in their cybersecurity defences, with penetration testing revealing that multiple government environments were breached during the 2024/2025 financial year.
The findings are contained in the Auditor-General South Africa’s consolidated general report on national and provincial audit outcomes for 2024/2025, which paints a damning picture of the state of information security across the public sector.
The AG’s office assessed the cybersecurity controls of 70 national and provincial government entities, evaluating governance frameworks, risk management, compliance, operational controls and incident response. It also conducted technical assessments including penetration testing and vulnerability scanning.
Of the 70 entities assessed, 45 (64%) had notable weaknesses in their cybersecurity posture, including 23 high-impact entities. Eight entities (11%) — four of which were classified as high impact — exhibited significant vulnerabilities that could be exploited if not remedied.
The most common failings included a lack of backup testing, the absence of vulnerability management tools, weak access controls, unpatched systems, and insufficient logging and monitoring of administrator activities. Many entities lacked mature incident response capabilities and recovery procedures, the report found.
SABS still recovering
The report singles out the South African Bureau of Standards as a case study in what happens when warnings go unheeded. In November 2024, the SABS experienced a ransomware attack that fully encrypted its information systems, triggering a complete shutdown of business applications. The entity was unable to submit its 2024/2025 financial statements as a result.
The AG noted that the bureau’s cyber-risk exposure had been heightened by outdated systems, weak password policies, poor access controls and an untested disaster recovery plan — and that the SABS had failed to act on recommendations the AG had been making since 2021/2022.
“The cyberattack revealed the absence of a structured response mechanism, an untested disaster recovery plan and a delayed recovery process,” the report said. SABS was still recovering systems and data at the time of the report — 15 months after the attack.
The SABS was not the only entity to suffer a breach. The National Health Laboratory Service was hit by a cyberattack in June 2024 that disrupted its systems. The KwaZulu-Natal Nature Conservation Board experienced a separate cybersecurity incident in February 2025 that rendered its financial system inaccessible and prevented it from submitting financial statements.
Beyond cybersecurity, the AG reported an overall decline in the strength of IT control environments across the 191 entities it audited. More entities regressed in this area than improved.
Read: R12.1-billion wasted as government IT projects collapse
Security management was the weakest control area, with only 69 entities (36%) rated as having good controls, while 103 (54%) were rated as concerning and 19 (10%) as poor.
The report also flagged R5.5-billion in government IT infrastructure spending during 2024/2025 that “has failed to support modernisation and resilience as many auditees still operate with ageing infrastructure”. — © 2026 NewsCentral Media
Get breaking news from TechCentral on WhatsApp. Sign up here.
