
The R44.2m click: why human error is South Africa’s biggest cyber threat

Staff Reporter

Cybersecurity now depends as much on people as on protection software.


Cyber-attacks are getting smarter, faster, and more personal, and even the best security technology can’t stop them if people keep clicking on the wrong links.

Craig Freer, director of managed services provider Qwerti, says businesses are fighting a new kind of battle, one that no longer targets servers and firewalls but the people behind the screens.

“Cybercriminals have shifted the attack vector to your employees, not your systems,” he says. “They’ve realised humans are the easiest way in.”

Phishing remains the number one threat, and it’s getting harder to spot. Attackers build convincing profiles of staff from social media and other online data. “They might know you play golf or follow a certain news site,” Freer says. “Then they send a fake breaking-news link or a spoofed email from a supplier. All it takes is one click.”

Around 88% of all cyberattacks are directly or indirectly linked to human error. In South Africa, data breach costs are typically around R44,2 million per incident. IBM’s 2024 Cost of a Data Breach Report found the global average cost of a breach is $4.88 million.

And the tactics are evolving. Business Email Compromise (BEC), a type of cybercrime where attackers gain access to or impersonate legitimate business email accounts to trick victims into transferring money or sensitive data, is one of the most financially damaging forms of cyber-attack. It caused reported losses of more than US $2.77 billion in 2024, according to the FBI’s Internet Crime Report.

Modern security stacks include everything from antivirus to endpoint detection and response (EDR), email scanning, and multifactor authentication. Yet Freer says all that technology can still fail if one employee clicks a malicious link or opens a dangerous attachment.

“Security systems are getting stronger, but criminals are adapting faster,” he explains. “Technology can detect, filter, and monitor, but it can’t stop human curiosity or carelessness.”

Attackers are also using AI to make phishing attempts more believable, from deepfake voices to hyper-personalised messages. “It’s no longer the obvious fake emails,” Freer says. “These are messages that sound and look legitimate.”

The most effective defence, Freer says, is to make employees an active part of the protection system through ongoing awareness and testing. Many organisations achieve this by running simulated phishing campaigns – fake scam emails that test how staff respond to potential threats. “If someone clicks the link, they’re immediately enrolled in cybersecurity training,” he explains. “This approach has proven effective in improving awareness, identifying vulnerable users, reducing breach risk, and building a lasting culture of vigilance.”

Organisations that conduct regular phishing simulations and follow up with targeted education see significantly lower breach rates and faster incident response.

Freer adds that human firewall training needs to be reinforced by HR policies and culture. “Cyber awareness should be in the employee handbook. Everyone needs to know it’s part of the job.”

Freer warns of the lasting damage to businesses that don’t pay attention to human error. “Imagine half your customers pay their invoices into a fraudster’s bank account. What happens to your business?”

The long-term fallout from a breach can be devastating, not just in money lost, but in reputation and customer trust. “In South Africa, phishing is one of the top cyber threats, and it can take months for companies to identify and contain a breach.”

Freer notes that effective cybersecurity today depends on continuous vigilance and education, not one-off solutions. Managed security teams play a vital role by monitoring systems for threats, addressing vulnerabilities as they emerge, and keeping employees informed and alert. When a single careless click can cost millions, cultivating a strong human firewall has become essential to business resilience.
