Orange Cyberdefense’s Security Navigator 2026 opens with a provocation that boards cannot afford to dismiss: we are at war. Not metaphorically. The data supports the claim. Over the past year, the report documented more than 139,000 security incidents and nearly 19,000 confirmed cyber extortion cases — a number that has tripled since 2020.
The geography of this conflict has expanded dramatically. Cyber extortion victims in Africa increased by 47%, in Latin America by 60%, and in Asia by 82%. Healthcare was hit with a 69% increase, finance and insurance with 71%. The number of active threat actor groups nearly tripled, from 33 to 89, as the dissolution of syndicates like LockBit and Black Basta fragmented the ecosystem into a more distributed, more unpredictable threat landscape.
The Industrialisation of Cybercrime
What makes this escalation structurally different from previous cycles is the collapse in the cost of attack. Malware-as-a-service, initial access brokers, and cryptocurrency-enabled monetisation have industrialised cybercrime. The barriers that once required technical sophistication now require only access and intent. This is no longer a contest between security teams and individual adversaries. It is an asymmetric conflict between institutions and an industrialised criminal economy.
The economics are stark. A ransomware-as-a-service kit can be purchased for a few hundred dollars. An initial access broker can provide credentials to a corporate network for less than the cost of a business lunch. The attacker’s investment is trivial relative to the potential payoff. The defender’s investment is substantial and ongoing. This asymmetry is the structural condition that drives the relentless growth in attack volume.
“This is no longer a contest between security teams and individual adversaries. It is an asymmetric conflict between institutions and an industrialised criminal economy.”
Defensive Investment Alone Is Not Working
The report’s central argument is uncomfortable but necessary: defensive investment alone is not working. Despite years of focus and substantial spending on controls, the number of victims continues to rise. Organisations are spending more on cybersecurity than ever before, yet the threat curve continues to steepen.
This is not an argument against defensive investment. Controls, monitoring, incident response, and resilience planning remain essential. But the Security Navigator’s data suggests that a purely defensive posture is insufficient against an industrialised threat ecosystem. What is needed, the authors argue, is a wartime posture — a form of public-private collaboration that treats cyber extortion as the systemic societal hazard it has become, not a business-level inconvenience.
The analogy to physical security is instructive. No business is expected to defend itself against organised crime or terrorism using only its own resources. Those are treated as societal threats requiring coordinated government and private-sector response. The Security Navigator argues that cyber extortion has reached the same threshold — and the response must match.
The numbers: 139,000+ security incidents. 19,000 confirmed cyber extortion cases (tripled since 2020). Africa: +47% extortion victims. Healthcare: +69%. Finance & insurance: +71%. Active threat groups: tripled from 33 to 89.
Africa in the Crosshairs
The African data deserves particular attention. A 47% increase in cyber extortion victims is not a statistical blip — it reflects a deliberate targeting pattern. Africa offers expanding digital infrastructure with comparatively lower defensive maturity. Attackers perceive lower risk and weaker attribution capability. Methods are trialled on African targets and, when successful, scaled globally.
South Africa, with its sophisticated financial infrastructure and BRICS membership, sits squarely at the intersection. The country’s financial services sector is a high-value target, and the 71% increase in finance and insurance attacks documented by the Security Navigator has direct local implications.
This pattern has been described elsewhere as a form of digital colonialism — where advanced threat actors exploit the digital divide not for development, but for capability testing and monetisation. The digital gap that development policy seeks to close is the same gap that nation-state and criminal actors are deliberately exploiting.
What This Means for South African Boards
For South African boards, the implications are direct and unavoidable.
King V requires the governing body to set the direction for technology risk. The Security Navigator’s data demonstrates that the threat has evolved materially. If your board’s cybersecurity risk assessment was last updated before these numbers were published, it is already outdated.
ISO 27001 demands continual reassessment against evolving threats. The tripling of active threat groups and the industrialisation of attack infrastructure represent a fundamental shift in the threat environment. Organisations certified to ISO 27001 should be reassessing their risk treatment plans in light of this data.
POPIA Section 19 requires appropriate technical and organisational measures to secure personal information. “Appropriate” is not a static standard — it evolves with the threat landscape. What was appropriate in 2024 may not be appropriate in 2026, given the escalation documented in the Security Navigator.
Board Actions Required
- Update your threat assessment. The Security Navigator 2026 data represents a material change in the threat landscape. Ensure your board has been briefed on the current threat level, not last year’s.
- Reassess defensive adequacy. If your cybersecurity spend has not increased proportionally to the threat escalation, interrogate why. The 47% increase in African extortion victims is not a headline — it is a risk indicator for your organisation.
- Test your incident response. With threat actor groups tripling and attack methods diversifying, your incident response plan must be tested against current scenarios, not historical ones. Tabletop exercises should reflect the current threat landscape.
- Engage with industry and government. The Security Navigator’s call for a wartime posture implies public-private collaboration. Engage with industry bodies, CERTs, and information-sharing platforms. Isolated defence is increasingly insufficient.
- Report to the board in business terms. Cybersecurity is not an IT conversation. Present the Security Navigator data to your board as a risk management issue, alongside financial, operational, and reputational risk. The numbers justify board-level attention.
Key Takeaways
Key Takeaways for Governance Professionals
- Orange Cyberdefense’s Security Navigator 2026 documents 139,000+ incidents and 19,000 confirmed cyber extortion cases — tripled since 2020.
- African cyber extortion victims increased 47%, with South Africa’s financial sector squarely in the crosshairs.
- Cybercrime has been industrialised: malware-as-a-service, initial access brokers, and cryptocurrency monetisation have collapsed the cost of attack.
- Defensive investment alone is not stemming the tide — the report calls for a “wartime posture” with public-private collaboration.
- Active threat actor groups tripled from 33 to 89 as major syndicates fragmented into a more distributed, unpredictable ecosystem.
- King V, ISO 27001, and POPIA Section 19 all require governance responses proportional to the evolving threat — boards must update their assessments.
- Cybersecurity is a board-level governance conversation, not a technical IT discussion. The data justifies the elevation.
Sources
- The Hacker News — We Are At War
- Orange Cyberdefense — Security Navigator 2026
- Orange Press Release — Security Navigator 2026 Findings
- Disaster Recovery Journal — Security Navigator 2026 Data Points
Assess Your Cybersecurity Governance Posture
Priviso helps South African organisations align their cybersecurity governance with King V, ISO 27001, and POPIA requirements. Start with a free compliance assessment.
Start Free Trial Contact Us