block text image

South African Companies Recorded a 60% Rise in Data Breaches – Here’s Why IT Security Isn’t Enough

A collaborative perspective from IS³ and CSI³

¹In the first half of 2025 alone, South African companies recorded a 60% rise in data breaches.

²Digital banking fraud incidents had risen 86% in 2024. And yet, the conversation in boardrooms is still firmly anchored in IT security: firewalls, endpoint protection, zero-trust architecture.

Necessary, but increasingly insufficient.

The attack surface has expanded well beyond what a CISO’s dashboard shows. And the organisations that understand this first will be the ones that remain operational when others don’t.

What the Converged Enterprise Actually Looks Like

Financial institutions today run on three overlapping technology layers.

ET
ET

Engineering technology — is the layer that designs, models, and governs the built environment and industrial systems that underpin operations. It’s the bridge between the physical and digital worlds that is often the least visible layer in financial services.

OT
OT

Runs the physical world: the power management systems keeping your data centres cool, the building automation, the control systems behind your ATM network infrastructure, and so much more.

IT
IT

Manages data, transactions, and connectivity. It’s well-governed, well-funded, and well-understood. It’s where most of the security investment goes.


Cybersecurity and cyber resilience

The challenge is that IT and OT systems continue to converge. They share networks, data flows, and infrastructure, yet many organisations treat the two as separate domains.

This gap is a governance blind spot and an active threat vector for banking and financial services.

³The FSCA and South African Reserve Bank (SARB) have started connecting these dots already. Joint Standard 2 of 2024 on cybersecurity and cyber resilience, which came into effect on 1 June 2025, requires banks to maintain effective cyber resilience capabilities to monitor, detect, respond to, and recover from cyberattacks, across the full scope of critical operations.

The Prudential Authority has further flagged that reliance on third parties, if not adequately managed, may result in concentration risk, cybersecurity risk, and operational resilience concerns.

Compliance is the floor, not the ceiling. There are two questions to ask yourself in this regard:

  1. Whether your organisation has genuine visibility across all three layers.
  2. Whether your organisation has the operational intelligence to act on what it sees.

critical sectors

In Conversation with CSI³: The View from the Operational Front Line

CSI³ — Critical Systems and Industrial Information Infrastructure — is a company specialising in OT systems assurance, uptime management, and cyber risk management for critical and industrial environments. We sat down with Tshisi Makhari, Cluster Executive: Industrial OT of CSI3 to get the unfiltered view.

IS³: Banking and financial services executives understand IT risk very well. How do you explain to them why IT security competence alone isn’t enough when IT, OT, and ET have converged?

A cybercriminal isn’t just looking to steal a database anymore; their new target is to manipulate physical infrastructure used in non-traditional engineering industries. Whilst IT security protects data packets, OT and ET security protect your physical infrastructure, people, and production lines responsible for real-time demands. How is the financial industry impacted by this?

Let me explain.

Target systems that use operational and engineering technologies (incl PLC, HMI, SCADA) in financial industry are:

  • Smart ATM and Cash Processing Networks
  • Building Automation Systems (BAS) & HVAC for Data Centres
  • Physical Security & Access Control Infrastructure
  • Banking of Things (BoT) Technologies
  • High-Frequency & Algorithmic Trading Engines
  • Agentic AI & Quantitative Modelling Systems

In banking IT, the supreme guiding principle is the CIA Triad:

  1. Confidentiality first
  2. Integrity second
  3. Availability third.

In critical industrial environments (OT/ET), the priority is entirely inverted to the AIC Triad: Availability is king, followed by Integrity, with Confidentiality a distant third. As the IT, ET and OT layers have converged, a vulnerability in a corporate IT email phishing scam can bridge the gap into the OT network, altering the ET logic. To protect converged infrastructure, you need an integrated approach that respects that a cyber risk is seamlessly tied to an operational uptime risk. Air gapping is no longer practical.

IS³: You work across mining, power, utilities, and other critical sectors

IS³: You work across mining, power, utilities, and other critical sectors. What does the threat landscape look like when attackers specifically target the seam between IT and OT — and how does that pattern show up in financial services environments?

When threat actors target this pivot point, they exploit a cultural, structural, and technical mismatch. Attackers don’t only breach an operational environment by connecting directly and/or remotely to the OT environment; they also breach the IT corporate network (via phishing, compromised supply chains, or unpatched edge devices) and deliberately hunt for the technical seam to cross over.

Modern financial institutions rely on massive, highly automated physical infrastructure that is prone to OT cyber risks. The True “OT” of Financial Services primarily consist of two layers.

  1. Data Centre and Building Management Infrastructure, which is the physical backbone of the digital ledger. This includes Industrial HVAC/cooling systems, Uninterruptible Power Supplies (UPS), Power Distribution Units (PDUs), and automated fire suppression systems.
  2. The Distributed Edge, which includes Automated Teller Machines, Electronic Vaults and Smart Branch kiosks. These are essentially physical robotic cash-dispensers controlled by an embedded IT operating system, communicating via specialised operational protocols.

The risk is in the bridge. Whether a client is managing a fleet of haul trucks in a mine or a Tier 4 data centre for a tier-one bank, the security of the identity systems, the rigidity of network segmentation, and the strict policing of the remote-access gateways at the IT/OT seam dictate whether an organisation stays online or goes dark.

IS³: If a Chief Risk Officer at a major South African bank asked you: “Where do I start?” — what are the first three things you’d tell them to do?

Start by including OT in the scope of your risk quantification, operational resilience, and regulatory compliance.

To establish immediate control over the IT/OT seam, the first three high-impact, non-negotiable directives are:

  • Map and Isolation-Test the Data Centre “Air-Gaps” including a forensic network discovery specifically aimed at finding undocumented bridges between IT and OT.
  • Enforce “Zero-Trust Identity” for all third-party maintenance ingress, including hardware, software and devices from OEMs and external maintenance teams.
  • Conduct a “Kinetic-Impact” Cyber Tabletop exercise including the physical infrastructure team, not just IT.

Explore OT cybersecurity here.

Where IS³ Fits Into This Picture

For decades, IS³ has worked at the intersection of IT, OT, and ET — in environments where the stakes of getting it wrong are immediate and physical. For example, in mining, an unplanned production stoppage can cost millions, and in power and utilities, a compromised control system can affect entire regions.

Over time, industries like these have built a discipline of connected operational intelligence. Not IT security bolted onto OT systems. But a unified view of how technology layers interact, where the vulnerabilities live at the seams between them, and how to maintain uptime and resilience even in hostile environments.

The underlying challenge for financial services isn’t much different: complex, converged technology environments where failure in any one layer can cascade across all three.
IS³ brings the same operational intelligence framework to financial services that keeps critical industrial infrastructure running. The tools are proven. The methodology is battle-tested.

The Conversation Continues at the Saxon

Discover-X - The Conversation Continues at the Saxon
These questions don’t have simple answers. They require peers in a room, sharing what’s working, what isn’t, and what the horizon looks like from where each of them sits.
That’s the premise behind Discover-X. This is an IS³ invitation-only executive intelligence experience, taking place on 21 July 2026 at The Saxon, Johannesburg.

Designed for senior leaders navigating the complexity of connected, converged enterprises, Discover-X brings together decision-makers from across industries, including banking and financial services, to explore AI, cyber security, connected operations, and enterprise intelligence. This isn’t a vendor showcase. It’s a peer-level conversation.

FAQs

What is cyber resilience in financial services?

Cyber resilience in financial services is the ability to monitor, respond to and recover from cyber incidents while maintaining critical operations. As data breaches and digital banking fraud continue to rise, organisations need resilience across IT, OT and ET environments.

Why does IT security alone no longer provide sufficient protection for banks?

IT security remains essential, but IT, OT and ET environments now share networks, data flows and infrastructure. This convergence can create governance blind spots and expose organisations to risks that extend beyond traditional IT systems.

How can financial institutions improve resilience across IT, OT and ET environments?

Financial institutions can improve resilience by gaining visibility across IT, OT and ET environments, strengthening governance, managing cyber risk across critical operations and adopting a connected operational intelligence approach.

Why is visibility across IT, OT and ET environments important?

Visibility across IT, OT and ET environments helps organisations identify risks, improve resilience and maintain operational continuity. As these systems become increasingly interconnected, a lack of visibility can create governance blind spots and expose critical operations to cyber and operational risks.

Please note that Discover-X is a curated, invitation-only experience. Submitting your registration is the first step. Our team will be in touch to confirm your attendance.

  1. Source: LexAfrica, South Africa’s Data, AI & Cybersecurity Outlook 2026 (February 2026) / IT-Online, March 2026.
  2. Source: South African Banking Risk Information Centre (SABRIC), Annual Crime Statistics 2024. Digital banking fraud incidents rose 86% year-on-year to 97,975 cases, with gross fraud losses of R1.888 billion.
  3. Source: FSCA & Prudential Authority, Joint Standard 2 of 2024 — Cybersecurity and Cyber Resilience Requirements.