Johan de Villiers CEO, First Technology Western Cape

The landscape of corporate risk has been irrevocably altered. Ransomware is no longer a peripheral IT concern, but the engine of a mature, industrialised cybercrime economy. The data from 2024 paints a stark picture: the average total cost of a ransomware attack has climbed to $5.13mn, a figure driven not by the ransom itself, but by crippling operational downtime, which now averages 24 days per incident. With attackers now routinely employing “double and triple extortion” tactics —stealing data before encrypting it and threatening public leaks — the stakes have never been higher. In 2024, an estimated 90% of ransomware attacks involved data theft, and even organisations with backups cannot escape the threat of extortion.

The 2024 attack on Change Healthcare serves as a chilling case study. A single compromised password on an account lacking multi-factor authentication allowed attackers to paralyse a core component of the US healthcare system. While a $22mn ransom was paid, the total financial damage from the incident is estimated to have reached $3.09bn.

Despite this escalating threat, a dangerous “Confidence Paradox” has taken root in executive suites. A 2025 report revealed that 81% of US executives believe they are well-prepared to counter cyber threats. This confidence is misplaced. A report from BeyondID found that while 74% of IT decision-makers rate their identity security posture as “Advanced”, these same organisations fail at implementing fundamentals. They follow, on average, only 4.7 out of 12 security best practices. Only 60% enforce multi-factor authentication (MFA) for all users, and a mere 27% enforce a “least privilege” access model.

Post-breach reviews reveal that traditional backup architectures are a primary target for modern ransomware. Attackers often achieve long “dwell times” within a network, for weeks or months, giving them ample time to map the infrastructure, escalate privileges, and systematically corrupt, delete, or encrypt the backups themselves.

Once attackers compromise backup administrator credentials, they can log into the software, delete recovery points, and ensure there is nothing left to restore. Many organisations have terabytes of backups, but when asked to perform a large-scale restore under pressure, they discover the data is corrupt, the process is untested, and the recovery time is measured in weeks, not hours.

To survive, organisations must shift from a reactive backup posture to a proactive cyber recovery strategy. This approach is built on the assumption that a breach is inevitable and is defined by three core principles: zero- trust, true immutability, and a logical air gap.

A vendor like Rubrik provides a compelling case study in this modern approach. Its platform was engineered from the ground up on these principles, using a proprietary, append-only fi le system to deliver true immutability; once written, data cannot be altered, encrypted, or deleted. This is protected by a logical air gap and a zero-trust model that enforces MFA and requires all operations to pass through a secure API gateway, rendering backups invisible to attackers.

The primary call to action for every leader is to challenge the assumptions underpinning their organisation’s resilience. This requires moving beyond paper walkthroughs to full-scale simulations in an isolated “clean room” environment to measure actual recovery times against theoretical objectives.

To truly bridge the confidence gap, organisations must engage third-party experts to facilitate and validate this testing. An objective partner, such as First Technology, brings experience from real-world breach responses and can design realistic attack scenarios that will genuinely test a company’s defences, processes, and people. It is time to move beyond subjective belief and earn true confidence through objective proof. The continuity of your business depends on it.

Candicel@firsttechnology.co.za