Editor's Note
Welcome to the Aigeus Cyber Briefing.

In our last issue, we looked at why generic IT scans are failing POPIA, and why risk-based vulnerability management is the only approach that holds up under regulatory scrutiny.

This issue, we are moving from your infrastructure to your people. Because while organisations are busy patching servers and updating software, attackers are simply sending an email.

Social engineering, manipulating people rather than exploiting systems, is now the dominant entry point for cybercrime in South Africa. And POPIA has something specific to say about what you are required to do about it. Here is what you need to know.

Your staff are a vulnerability: What POPIA says about Social Engineering

The Numbers Are Not Subtle

According to ESET's H2 2025 Threat Report, phishing alone accounts for 45.7% of all detected cyber threats in South Africa, well above the African average. That is not a rounding error. Approximately half of everything hitting South African organisations is getting in through a person, not a system.

Research indicates that in Africa, just over half of all security incidents, 52%, involve social engineering. The attack itself is rarely sophisticated. It does not need to be. A convincing email, a spoofed phone number, a WhatsApp message impersonating a supplier. One in three South African SMEs has already been the victim of a cyber attack. The frequency is not slowing down.

What POPIA Actually Requires

Most business owners read Section 19 of POPIA as a technology obligation. Install firewalls. Run scans. Keep software updated. That is part of it, but Section 19 goes further.

The Act requires organisations to take reasonable technical and organisational measures to protect personal information. The word "organisational" is doing significant work here. Employers are required to identify reasonably foreseeable risks of non-compliance with POPIA and to regularly verify the measures that address them, cybersecurity protocols included. Staff behaviour is a reasonably foreseeable risk. It is, in fact, the most foreseeable risk in the threat landscape right now.

Ignoring staff training is one of the most common POPIA mistakes organisations make. Employees are often the weakest link, and training reduces accidental breaches significantly. That is not an opinion; it is the practical reality the Information Regulator will measure you against if your organisation suffers a breach and you cannot demonstrate what steps you took to prepare your people.

What Happens When Training Is Absent

Consider the scenario. An employee receives a phishing email impersonating your bank or a trusted supplier. They click the link. They enter credentials. Within hours, your client database is accessible to a third party you have never heard of.

Under POPIA, you are now required to notify the affected data subjects and the Information Regulator as soon as reasonably possible. The Regulator's first question will not be about your firewall configuration. It will be whether your staff knew how to identify and report a suspicious email, and whether you can prove it.

Under POPIA, security failures are taken seriously. Data breaches may lead to penalties of up to R10 million, along with reputational damage. If you cannot demonstrate that you took organisational measures, including documented staff training, your defence is significantly weakened before the conversation has started.

What Defensible Training Looks Like

There is a meaningful difference between sending your staff a PDF once a year and running a structured awareness programme. The Regulator is not interested in the PDF.

Defensible staff training has three components. First, it is regular, not a once-off event. Second, it is tested: your staff are exposed to simulated phishing attempts under controlled conditions, so you know who is vulnerable before an attacker finds out. Third, it is documented: you have a record of who was trained, when, and how they performed.

Different people within an organisation need different kinds of training. Customer-facing employees who handle personal data daily need specific, role-relevant awareness. Information officers and compliance managers need a deeper understanding of the regulatory obligations themselves. A one-size-fits-all training programme covers no one adequately.

Phishing simulations are particularly effective because they move training from the theoretical to the practical. When an employee clicks a simulated phishing email, they receive immediate, contextual feedback. That moment of recognition, "I almost fell for that," is worth more than any slide deck.

The Bottom Line

Your technical defences protect your systems. Your staff training protects everything that sits behind them. Under POPIA, the absence of a documented, tested awareness programme is not a gap in best practice; it is a legal exposure. Social engineering remains the dominant attack vector in South Africa precisely because it works, and because most organisations are still trying to solve a human problem with a technical solution. Train your people. Document it. Test it. Repeat.
