Professor Danny Myburgh, MD of Cyanre.

Many South African organisations believe they are prepared for a cyber attack, but their incident response plans often fall apart the moment a real crisis strikes.

This was the warning from professor Danny Myburgh, managing director of cyber security and digital forensics firm Cyanre, speaking yesterday at ITWeb Security Summit 2026.

Drawing on more than two decades of experience investigating cyber incidents, Myburgh said organisations frequently underestimate the likelihood and severity of cyber attacks.

“We are involved in approximately 40 to 60 major breaches per year,” he said. “The strategy needs to be based on the concept that not if it happens to you, but when it happens to you, how will you manage it?”

According to Myburgh, many organisations develop incident response plans in calm boardroom environments, while assuming any future cyber incident will be manageable.

While companies may plan for the loss of a single server or payment system, Cyanre routinely encounters attacks in which dozens of servers are encrypted simultaneously. In some large listed companies, as many as 400 servers have been taken offline during a single incident, he said.

One of the most common problems Cyanre encounters is that organisations have incident response plans but are unable to access them when they need them most.

Myburgh noted that response plans are often stored on the same servers that become encrypted during ransomware attacks.

He recounted one case where a company encrypted its backups as part of its security strategy but stored the decryption keys on the same compromised environment.

“When the hackers came in, they encrypted the server. We couldn’t decrypt the client’s backups because it was encrypted with two sets of encryption.”

He also criticised the way many organisations conduct cyber exercises, arguing that staff often prepare specifically for simulations rather than testing their ability to respond under genuine pressure.

“During a simulation, everybody studies the incident response plan the night before,” he said. “You should actually do your incident response simulations under pressure.”

Beyond the technical and financial damage, Myburgh highlighted the psychological impact cyber incidents have on IT teams and business leaders.

He said organisations often underestimate the personal strain placed on employees tasked with managing major breaches.

According to Myburgh, Cyanre has encountered multiple cases where IT professionals experienced severe personal consequences after dealing with prolonged cyber crises.

He added that many staff members involved in major incidents later exhibit symptoms associated with post-traumatic stress disorder.

Myburgh argued that high security spending does not automatically translate into better protection or faster recovery.

Instead, preparedness, planning and basic cyber hygiene often determine how successfully an organisation responds.

He cited the example of an auditing firm with 18 offices across South Africa that suffered a devastating ransomware attack. Despite having all systems encrypted, the company restored operations across all locations within 72 hours.

The recovery was possible because the organisation maintained accurate data classification, healthy air-gapped backups and a pre-defined list of critical systems that needed to be restored first.

By contrast, Cyanre has worked with organisations that were unable to identify what information was stored on compromised servers.

Myburgh described an investigation at a major financial institution where top executives had been excluded from password rotation requirements and multi-factor authentication because they considered the controls inconvenient.

He warned that attackers are increasingly targeting executive devices, including Apple computers, because they often belong to senior decision-makers with elevated access privileges.

“We are picking up that more and more attacks are being done against the Mac users in an organisation.”

Myburgh stressed that cyber incident response extends beyond IT and security teams.

He shared an example of a receptionist who unknowingly became the source of a major information leak during a cyber incident after informing callers that the company had been hacked and embellishing details of the attack.

In another case, a canteen computer that had been reconnected during lunch service triggered a fresh malware outbreak after security teams had worked to contain the incident.

These examples illustrate why every employee must understand their role during a cyber crisis, he said.

Myburgh also questioned why many organisations continue to operate without cyber insurance despite South Africa’s high cyber crime exposure.

“I cannot understand in this day and age that organisations can actually function with the risk of not having something like cyber insurance.”

However, he cautioned organisations not to store cyber insurance documents electronically alongside incident response plans, noting that attackers increasingly search compromised environments for insurance details to determine how much ransom victims may be willing to pay.