Africa Mining and Engineering Review

It is not the cyber breach that costs you, but what happens next

Thought Leadership by Andy Robb, Technical Officer at Duxbury Networking

In South Africa, cybersecurity breaches have become routine. The country ranks in the top 20 globally for cybercrime, with human error still behind the vast majority of incidents. The financial impact is equally sobering, with the average cost of a data breach sitting in the tens of millions of rand. Cyber insurance has quietly shifted from a safety net to a question about what happens when your security fails.

Most incidents begin with a compromised identity, a phishing email that appears legitimate, or even a login that triggers no alarms. From there, attackers can move laterally, change privileges, and embed themselves using the same tools your teams rely on. By the time the company is aware of the attack, it is too late.

While security alerts are commonplace, being able to respond decisively is not. There is a gap between detecting a breach and acting on it. Often, this is the difference between a manageable incident and a full-scale insurance claim.

How to protect your business

Locking down identity remains the priority. That means enforcing phishing-resistant multi-factor authentication for privileged accounts, removing legacy authentication methods, and applying conditional access policies that reduce unnecessary exposure.

At the same time, detection needs to be made actionable. Endpoint and identity telemetry should be centrally visible, properly tuned, and mapped to clear severity levels with defined ownership, so alerts lead to decisions rather than delays.

Containment cannot be improvised under pressure. Organisations need to rehearse critical actions such as disabling compromised accounts, isolating endpoints, and blocking lateral movement before an incident occurs.

Backups must also be hardened and proven, with immutable or offline copies and regularly tested restore processes that align with real business recovery expectations. Reducing the blast radius through segmentation, least privilege, and regular access reviews further limits impact, while a well-defined incident response plan, supported by exercises and, where appropriate, managed detection and response with clear SLAs, ensures the organisation can move quickly from detection to containment when it matters most.

Tightening the screws

Losses driven by ransomware, business email compromise, and lost data have forced a shift in how cyber risk is assessed. Underwriting is no longer based on what an organisation says it has in place. Instead, it is driven by whether those controls demonstrably reduce the likelihood, speed, and impact of an attack.

A common misconception is that having cybersecurity solutions in place means the company is protected. But these do not guarantee containment when a hacker gains access to the system. Security effectiveness is not measured during an audit but during an incident.

Questions like how quickly you can isolate a compromised account or contain lateral movement become important. If the company is unsure how to respond, then the best technology in the world cannot protect them.

From compliance to capability

Cybersecurity has become too much of a compliance checkbox. But attackers do not care about compliance cycles. They operate around the clock. A company’s cybersecurity tools must therefore provide extensive remediation capabilities. When this happens, incidents are contained earlier, and the financial impact is significantly lower. That is what insurers are measuring.

No single control makes you “insurable-ready.” It comes down to how well everything works together when something goes wrong. Identity controls help stop the initial slip. Endpoints make it harder for ransomware to take hold. Segmentation and access controls limit how far an attacker can move if they get in. Prevention tools can catch early signals before things escalate. But the real test is how quickly you respond when it matters.

Managed detection and response is critically important. This could be the difference between seeing a cyber incident and being able to act on it. The faster you act, the less damage an attacker can cause. Perfect security is not realistic. What matters is how well you contain the failure.

A different kind of risk conversation

What we are seeing is that cyber insurance is reshaping how organisations think about security. Boards are paying closer attention, given that insurability is directly tied to business continuity. A major incident without adequate coverage, or with coverage denied due to inadequate controls, can have major repercussions on the business.

The conversation is moving away from products and towards risk outcomes. Customers are less interested in what a tool does in theory and more concerned with whether their environment can withstand a real-world attack. That creates an opportunity for more meaningful engagement. It allows the discussion to focus on financial exposure, operational resilience, and measurable risk reduction.

Cyber insurance does not prevent incidents. It does not guarantee recovery. And it does not excuse weak controls. What it does is expose whether an organisation is prepared to deal with failure.

Because that is what cybersecurity has become. Not a question of if something goes wrong, but how contained it is when it does. The organisations that come through incidents with minimal damage are not necessarily the ones with the most tools. They are the ones who can see clearly, act quickly, and operate with discipline when it matters most.

Next steps

If you are unsure how quickly your organisation can detect, contain, and recover from a real incident, start with a practical readiness review. Validate your ability to disable compromised accounts, isolate endpoints, and restore critical services within agreed timeframes.

If you would like support, Duxbury Networking can help you benchmark your current capability and build a response plan that stands up to both attackers and insurers.
