The new era of cyber risk

Skip to the sections you're most interested in

00:00 – Introduction 

Jeremy Maggs: Once, the world’s greatest threats came from armies, borders and rival economies. Today, they’re hidden in code written by people we’ll never meet, using machines that never sleep.

Artificial intelligence has rewritten the rules of cybersecurity. Attackers are using generative AI to craft deepfakes that deceive even the trained eye, to impersonate voices that sound impossibly real, and to execute phishing campaigns at a scale and sophistication never seen before. But defenders are fighting back using the same technology to detect, predict and neutralise these attacks faster than ever.

As 2025 draws to a close, the digital battlefield is expanding – from personal devices to national grids. Businesses are navigating tighter cyber regulations, while critical infrastructure faces relentless attacks. 

This is No Ordinary Wednesday, Investec’s flagship podcast that goes beyond the headlines into the ideas shaping business, technology and society. I’m Jeremy Maggs.

Joining me are Investec cybersecurity specialists Nomalizo Hlazo and Tash Van den Heever, to unpack the state of cyber resilience, the tightening of regulation, and the future of trust in a world where intelligence, both human and artificial, is under attack.

01:27 - AI on both sides – Attackers and defenders in the digital arms race

Jeremy: So, Noma, let me start with you... attackers, as we know, are now using generative AI for phishing, for social engineering and deep fakes, while defenders are using AI for detection and response. So certainly the battle lines are drawn here. How is this playing out in your opinion? 

Nomalizo: Hi, Jeremy. Yes, there's definitely increased use of AI for voice impersonations using conversational large language models that interact with victims over the phone. This is typically called vishing.

And there's the use of deep fake videos that closely impersonate people, and this is making it more difficult for victims to identify scams and attempted fraud.

As you mentioned, attackers use AI to generate very convincing emails and messages for phishing, and it is increasing their success rate, which is why personal vigilance is key.

Attackers are also using AI in multiple ways to scale, automate and improve the stealth and effectiveness of their attacks. They have an improved ability to scan for weak points across larger attack surfaces and create more sophisticated malware that can adapt to avoid detection. 

On the defensive side though, organisations are embedding AI into their security stack to improve detection, response and prevention. Using this technology to spot unusual user and system behaviour.

AI also provides improved threat intelligence and prediction with the ability to aggregate data from many more sources quickly, leading to more effective defence. 

 

02:52 - 2025: The year cyber risk went mainstream

Jeremy: So Tash, let's push this a little further. As Noma says, the risk quotient is increasing and increasing very quickly. So, as we come to the end of this year, in your opinion, what are the biggest cyber threats we've seen impacting businesses and individuals? 

Tash: Jeremy, you're right. 2025 has been the year cyber risk went fully mainstream. 

For businesses, the biggest hits have come from data theft, credential compromise and AI-driven fraud. Attackers aren't just breaching systems anymore; they're actually manipulating trust for individuals.

Scams are hyper-personalised. The message looks right, the voice sounds right, and that's exactly the problem.

If I had to summarise the year, I'd say the biggest threat isn't just malware, it's misplaced confidence. People trust what feels familiar and attackers know that better than anyone. 

03:46 - Why digital risk is compounding

Jeremy: So Tash, that's what it looks like in 2025, but obviously there's concern going into next year. So, you've got your finger on the pulse here.

What new or emerging cyber threats are you most concerned about, and maybe help us by sharing a few real-world examples as to how this is all playing out. 

Tash: Well Jeremy, what we see now is the convergence of actual multiple risks across technology, people and processes, all colliding at speed. It's no longer one neat category of an attack; it’s everything connected to everything else.

The weak points are increasingly found in the spaces between systems where APIs, cloud services and partners intersect. We're also seeing a sharp rise in credential theft, business email compromise and data extortion, driven by automation and human error.

Misinformation is emerging as a real cyber threat, especially where attackers are driving extortion using the media with old data because it undermines trust in system and entities.

So yes, AI is part of the story, but the real shift is how fast digital risk is compounding. Resilience now depends less on firewalls and more on situational awareness.

Knowing what's connected, what's critical and how quickly you can respond when something fails. 

05:05  - Building resilience through third-party and supply chain visibility

Jeremy : So, Noma, let's pick up on third-party vendors. Among other things, we've seen attackers exploit suppliers and third parties as weak links. So, the challenge is, I guess, for organisations to build resilience within these complex ecosystems?

Nomalizo: Well Jeremy, before resilience comes visibility, knowing who your suppliers are, what they access and how they connect to systems is key.

The first important aspect is maintaining an up-to-date supply inventory to keep track of suppliers and their associated risk. Organisations need to use continuous monitoring tools, of which there are quite a few in the market that track third-party cyber posture in near real-time, as well as advanced vendor risk management tools that use various externally available data to build a risk profile.

Of course, security and access control still remain key. Think zero-trust principles, least privilege access, network segmentation, monitoring of privilege activity, with additional focus on shared SaaS and cloud environments.

And from a governance perspective, security and resilience clauses must be added into contracts covering things like instant reporting timelines and the right to audit, as well as ensuring exit strategies are in place for high-risk suppliers.

Let's remember, resilience isn't only about prevention; it's also about response and recovery, and it is important to have an executable plan in the event of a third-party incident.

Jeremy: Noma and Tash, please hold those thoughts. We are going to continue this conversation in just a moment as we explore cybersecurity challenges and what defences to adopt in 2025 and next year to stay safe online. But first, a word from Investec.

AD: You can now enjoy the first fully international transactional account with award-winning private banking that enables you to create, grow, preserve and protect your wealth.

Unlock the power of global banking and seamlessly receive, spend, and keep money in rands, dollars, pounds and euros with a single account and a card that earns you unlimited rewards for traveling, shopping, and online spending.

The Investec Multicurrency Private Bank Account. A card as international as you are.

07:15  - Regulation tightens – balancing compliance and agility

Jeremy: Alright, let's continue the conversation. Tash, Europe and South Africa's cyber resilience-related regulations are tightening. We are aware of that, but I guess the question is how one balances compliance with agility, particularly where innovation has become so essential?

Tash: Jeremy, you're right. Regulations have tightened across the board. However, compliance should really be the starting point and not the finish line.

What's become clear is that cyber resilience is now a multi-jurisdictional challenge. Global businesses are trying to align with overlapping standards. 

We've also seen a move away from principle-based regulations in some regions to more prescriptive mandates. So, in short, it's complex, but not all bad news.

Stricter legislation is raising the global baseline, forcing visibility, accountability and investment in secure design principles; it's actually creating a common language between regulators, boards, and security teams, which is something the industry has needed for years.

The real opportunity lies in moving from reactive recovery to anticipatory resilience, which means building the ability to adapt before impact. We're already seeing some leading organisations run AI compromise simulations, post-quantum encryption pilots, and cross-border incident response exercises.

Not because compliance requires it, but because resilience has become a marker for leadership that extends beyond corporates, because in the end, trust and resilience are now two sides of the same coin. 

08:57- Critical infrastructure under threat

Jeremy: Now Noma, the real concern here in South Africa is that cyber criminals are increasingly targeting critical infrastructure. That is worrying, and it does create unique challenges. Does it not? 

Nomalizo: Yes, it does. Jeremy. Cyber criminals are targeting critical infrastructure more, but this concern is not a challenge only for South Africa. With the current geopolitical landscape, this threat is real for many nations.

Quite a few of the systems still rely on older industrial technology, where managing vulnerabilities is difficult, and where the priorities are to deliver services and keep systems operational over investing in cybersecurity. This leads to higher incidences of these systems being targeted by attackers.

There are a range of attackers from ransomware groups with targeted campaigns against utilities and municipalities, or hactivists and politically motivated groups that target for disruption rather than profit.

The issue is that compromise of infrastructure does not only disrupt businesses, Jeremy, they can also impact essential services.

Think loss of power due to part system breaches, hospitals losing access to patient data, ports and rail systems halting, affecting imports and supply chains. These service disruptions translate directly into social and economic impact, especially as an attack on a single utility can cascade through dependent sectors.

Repeated or prolonged attacks erode public trust in essential services and can affect investor confidence. Building resilience is therefore important. Critical infrastructure operators and regulators should continue to work towards implementing standards that have clear cyber resilience goals. 

10:32 - Building digital trust in a diverse and connected market

Jeremy: And Noma, so much of this is predicated on trust. I would contend that more and more people are moving their businesses and their individual lives online. This is very noteworthy in South Africa, where affordability, accessibility and awareness vary greatly, and we have to acknowledge that and perhaps build strategies around that. 

Nomalizo: Building digital trust in such a diverse market requires intentional use of technology Jeremy, users trust platforms that are consistently available and safe; therefore, prioritising secure by design infrastructure in both public and private digital services is paramount.

But let's remember, trust is not only about technology. We need to tackle awareness through digital literacy programs. Focusing on safe online behaviour, recognising scams and privacy hygiene, which can be done through partnering with schools and community groups to increase an understanding of cybersecurity basics at a grassroots level.

Strengthening cybercrime enforcement capabilities and an understanding of judicial processes for digital offenses is important, and we must have clear accountability for data breaches, misinformation and other incidents that can impact people and businesses.

11:48 - The future of cybersecurity: Integrity, speed and adaptability

Jeremy: Alright folks, as we come to the end of this conversation, let's look ahead. If we look five years into the future, and I suspect I want to change that to probably five minutes into the future, what do you both see as the most disruptive cybersecurity challenge that organisations need to start preparing for now?

Tash, maybe let's start with you. 

Tash: Jeremy, I like your analogy around five minutes. You are right. But if I had to look five years ahead, I think the real challenge isn't just about what's changing. It's actually about how fast it's changing, and it's going to be about whether leadership, governance and culture can keep pace.

We're entering an era where every business is effectively a digital business, and that means cyber risk has become enterprise risk and no longer a problem sitting in IT.

The organisations that succeed will be the ones that treat adaptability as a core skill, constantly testing, learning and evolving their defences as fast as these systems evolve.

And at the heart of all of that is the integrity of data, of decision making, and of intent, as automation and connectivity accelerate, trust in the integrity of what we build will define resilience itself.

The future of cybersecurity isn't about predicting everything. It's going to be about being able to absorb the impact, maintain trust and recover with confidence. In other words, resilience won't just be measured in uptime; it'll be measured in integrity. 

13:14 - Quantum computing, AI agents, and hyperconnectivity

Jeremy: Noma, what about you? What can you add to that 

Nomalizo: On top of everything Tash mentioned, increased reliance on AI is something we need to look at as a cybersecurity challenge in the next few years. We need to think about agents to age identities. The more we use AI and the agents, the more security we need around that.

And considering the exponential possibilities of quantum computing, the next five years may bring so much growth in that area that we need to keep a keen eye on what's happening in that space.

Lastly, I think our connectiveness is increasing impact across organisations and globally, so this is something that we need to look at. Tash mentioned it before, the more we connect, the more impact we have across all our industry sectors, and that's something that we need to look at over the next five years.

13:58 - Cybersecurity as a life skill

Jeremy: Tash, just a quick one, as I wrap this up for ordinary individuals like you and me, what are the most important habits or defences to adopt, to stay safe online? Is there one big thing that you might recommend? 

Tash: Jeremy, for individuals, the fundamentals still matter. Strong, unique passwords, multi-factor authentication, keeping your devices updated and being deliberate about what you share online.

But if there's one thing I'd leave listeners with, it's this: pause before you click. In 2025, awareness is your strongest first line of defence. Technology will protect you most of the way, but your judgment is still your baseline of defence.

Cybersecurity isn't just a technical discipline anymore. It's becoming a life skill and one that's as important as financial literacy or digital hygiene. It's about being alert and not afraid. 

14:56 - Closing remarks

Jeremy: I mean, that's such a good point, you know, 1,2,3,4, and your birth year are not great passwords. Noma and Tash, thank you for joining me on this episode of No Ordinary Wednesday. We're going to leave it there.

And as always, if you've enjoyed this episode, please follow Investec Focus Radio SA wherever you get your podcasts.

We'll be back in a fortnight with more analysis on the major economic trends shaping our markets. Until then, goodbye from me, Jeremy Maggs and the entire Focus Radio team.

Disclaimer: The views expressed are those of the contributors at the time of publication and do not necessarily represent the views of the firm and should not be taken as advice or recommendations. Investec Limited and subsidiaries authorised financial service providers, registered credit providers, and long-term insurer.

Disclaimer

Focus and its related content is for informational purposes only. The opinions featured on the site are not to be considered as the opinions of Investec and do not constitute financial or other advice. The information presented is subject to completion, revision, verification and amendment.

Although information has been obtained from sources believed to be reliable, Investec Securities Proprietary Limited (1972/008905/07) or its affiliates and/or subsidiaries (collectively “ISL”) does not warrant its completeness or accuracy. Opinions and estimates represent ISL’s view at the time of going to press and are subject to change without notice. Past performance is not indicative of future returns. The information contained herein is for information purposes only and readers should not rely on such information as advice in relation to a specific issue without taking financial, banking, investment or other professional advice. ISL and/or its employees and/or other Investec Companies may hold a position in securities or financial instruments mentioned herein. The information contained in this document alone does not constitute an offer or solicitation of investment, financial or banking services by ISL. ISL accepts no liability for any loss or damage of whatsoever nature including, but not limited to, loss of profits, goodwill or any type of financial or other pecuniary or direct or indirect or consequential loss howsoever arising whether in negligence or for breach of contract or other duty as a result of use of the reliance on information contained in this document, whether authorised or not. This document may not be reproduced in whole or in part or copies circulated without the prior written consent of ISL.

Full Investec Bank Limited disclaimer