Treat cybersecurity risk events to your organisation as a given and prepare proactively

22 September 2021

One only needs to consider the cost of a data breach to come to grips with this very real and costly threat. According to ITWeb, a data breach costs a South African organisation R46 million per incident – and these latest figures show the cost to be the highest in six years, and 15% more than in recent years.

The same report found that organisations who were able to contain a data breach in under 200 days (37 days less than the average timeline) saved R7 million by responding quicker. On the other hand, the trend also highlights the opportunity to prioritise preparation to manage cybersecurity risks, and other risks, while still having the luxury to do so.

Risk is informed by knowing what you are doing

In the event of any strategy formulation, it helps to know why a certain strategy to navigate change is necessary. Robert Kaplan and Anette Mikes in their Harvard Business Review article encapsulate the essence of risk management really well:

“…risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. Many such rules, of course, are sensible and do reduce some risks that could severely damage a company. But rules-based risk management will not diminish either the likelihood or the impact of a disaster…”

It is one thing to draft policies, create response plans and tick compliance boxes. It is another to invest real time in considering possible risks based on their probability and impact, with the aim of preparing a proactive approach.

However, the real question is why proactive preparation is now more important than ever before.

Simply put, South Africa is a particularly vulnerable country in terms of cyber risk. Existing cybersecurity gaps became more evident as many organisations started to consider a hybrid work approach.

Change management consultants are aware that talking about and preparing for potential risk events are typically met with discomfort. Some executives prefer to put their head in the sand, and believe ‘it will never happen at our company. We are a fortress’. Still, the necessity of a well-planned risk management strategy is more relevant now than ever before. A well-rehearsed plan will ultimately provide the blueprint to follow when it is time to spring into action.

Incorporate risk management into your organisation’s strategy

One of Kriel & Co’s speciality areas lies in assisting organisations, their staff and cybersecurity stakeholders in preparing for data privacy related risks, such as data breaches. The practice subscribes to the following four widely known risk management strategies: avoidance, mitigation, acceptance and transfer.

Below, we have practically illustrated how the four general strategies can be combined to manage the different aspects of data privacy and cyber risk involved. For each strategy we list the practical implementation, the desired outcome and examples:

Strategy: Avoidance

Practical implementation: Conduct background checks and due diligence to ensure that systems and processes are sufficiently secure.

Desired outcome: Identify and eliminate (where possible) potential threats or vulnerabilities that exist through operators (such as third party service providers) who operate under sub-standard data privacy and cybersecurity practices.

Examples:
  • Revised operator agreements
  • Non-disclosure agreements
  • Regular audits of operators

Strategy: Mitigation

Practical implementation: A risk response plan enables all staff in the organisation to respond appropriately to risk events.

Desired outcome: Clearly indicate to team members the response to follow and who to contact in each situation, so that the risk is not worsened by processes not being followed timeously or correctly.

Examples:
  • Risk response plan, categorised according to risk ratings and severity
  • Risk response plan easily and centrally available to the organisation

Strategy: Acceptance

Practical implementation: Regular system and process stress tests with employees and stakeholders.

Desired outcome: Behavioural reinforcement of the risk response plan. It is also an opportunity to identify, address and rehearse any gaps in the response process safely.

Examples:
  • Simulation of anonymous requests for personal information
  • Simulation of cybersecurity events

Strategy: Transfer

Practical implementation: Insurance policies that provide adequate cover for those risk events that are applicable to the organisation.

Desired outcome: The opportunity to involve legal counsel in insurance considerations, to highlight the inclusions and shortcomings of cover, which will ultimately assist the organisation with decision-making.

Examples:
  • Reviewing existing insurance policy schedules and policy wording to identify gaps in cover

An ounce of prevention is worth a pound of cure

Combining the elements of risk management strategically and proactively allows the organisation to follow a planned, and if needed, phased approach to setting risk management measures in place. A proactive approach gives teams enough time to adopt new policies, become familiar with system changes and perform stress tests on these policies and systems.

Granted, there is no one-size-fits-all approach to effective risk management. However, a range of approaches exists that, used in combination, creates a bespoke plan suited to your organisation’s unique potential challenges, such as cybersecurity threats.

Proactive risk management planning today could lessen the stressors of tomorrow for organisations. And as a result, it leaves management free to focus on growing or working on the business, and affords teams the opportunity to familiarise themselves with taking ownership of data privacy and risk prevention.