By Gerald Naudé
COO / GM — Soteria Cloud
Recent reporting on the cyber incident affecting the National Credit Regulator has once again highlighted a reality many organisations are uncomfortable confronting:
Modern cyber incidents rarely begin with ransomware.
They begin with access, trust, and time.
By the time systems are encrypted or disrupted, attackers have often already gained a foothold, moved laterally, and exfiltrated sensitive information — sometimes over weeks or months.
This distinction matters, because it exposes a fundamental flaw in how cybersecurity is still widely approached: as a collection of tools, rather than a coordinated lifecycle.
The Cost of Collapsing Security Into One Phase
Many organisations unintentionally compress cybersecurity into a single question:
“Can we recover if something goes wrong?”
Backups, disaster recovery, and incident response planning are critical — but they address only one phase of the problem: recovery.
Cybersecurity, in practice, operates across multiple phases, each with a distinct purpose:
- Prevention – reducing the likelihood of compromise
- Detection – identifying malicious activity quickly
- Response & Recovery – limiting damage and restoring operations
- Learning – improving posture after each incident
Failure at any one phase weakens the entire system.
Prevention Starts Where Most Attacks Begin: Email and People
Email remains one of the most reliable initial-access vectors for attackers worldwide, not because organisations lack technology, but because email sits at the intersection of technology and human behaviour: a message only has to persuade one person once.
Email Security: Reducing Exposure at Scale
Effective email security is not basic spam filtering. It must actively disrupt modern attack techniques, including:
- Phishing and business email compromise (BEC)
- Domain and identity impersonation
- Malicious attachments and weaponised links
- Conversation hijacking and supplier fraud
Advanced email security reduces the volume and sophistication of threats that ever reach users, dramatically lowering organisational risk.
However, no email security platform is perfect.
Security Awareness: The Human Firewall
This is where the human firewall becomes critical — not as a slogan, but as a measurable control.
Security awareness must move beyond annual training to become a continuous behavioural programme, including:
- Regular phishing simulations
- Role-based awareness (finance, executives, HR)
- Behaviour-driven reinforcement
- Clear accountability and leadership participation
The key insight is this:
Email security reduces exposure.
Security awareness reduces susceptibility.
When deployed together, they reinforce one another. When deployed in isolation, each leaves open the gap the other was meant to close: filtering alone still lets the occasional message through to someone who has never been taught to question it, and training alone asks people to catch every message a filter could have removed.
Identity Is the Control Plane Attackers Exploit
Even with strong email security and awareness, some attacks will succeed. At that point, identity controls determine whether an incident escalates or stalls.
Consistent enforcement of:
- Multi-factor authentication (MFA)
- Least-privilege access
- Conditional access policies
- Privileged account separation
can stop attackers from converting initial access into widespread compromise.
Many breaches succeed not because these controls are unavailable, but because they are inconsistently applied: MFA enforced for most accounts but not for a legacy service account, least privilege applied to new hires but never revisited for long-serving staff, or an administrator who reads email and browses the web from the same identity that holds domain-wide rights.
Detection: Seeing What Prevention Cannot
Once attackers are inside, speed of detection becomes decisive.
EDR and XDR platforms play an important role in identifying malicious activity on endpoints and across environments. An endpoint agent, however, sees processes and files; it does not see a valid password used from an unfamiliar country, or a mail-forwarding rule created through a browser session. Detection is therefore most effective when it is context-rich, not siloed.
Attackers increasingly:
- Use valid credentials
- Rely on built-in system tools
- Operate slowly to avoid detection
- Exfiltrate data quietly before disruption
This means detection must correlate signals across:
- Email telemetry
- Identity and access logs
- Endpoint behaviour
- Cloud and SaaS audit trails
- Network activity
Detection is not about generating alerts — it is about recognising patterns of behaviour early enough to act.
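The following is an added example, not code from the original article or from Soteria Cloud, of what "correlating signals across sources" looks like in practice. It takes constructed sample events from an email gateway, an identity provider, an endpoint agent and a SaaS audit trail (the field names, the source-to-stage mapping and the thresholds are assumptions for illustration), groups them per user inside a time window, and raises an incident only when several independent sources agree. Each event alone is the sort of thing that is triaged as low priority; together they read as a pattern.

```python
"""Correlating low-severity signals from several telemetry sources into one
incident, keyed on the user and ordered in time.

Added example; not code from the original article or from Soteria Cloud.
The events below are constructed, and the field names, the source-to-stage
mapping and the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from four sources. On its own, each line is
# the kind of event that is triaged as low priority or never alerted at all.
EVENTS = [
    {"ts": "2024-03-01T08:02:00", "source": "email", "user": "j.doe",
     "action": "link_clicked", "detail": "credential-harvest page"},
    {"ts": "2024-03-01T08:09:00", "source": "identity", "user": "j.doe",
     "action": "signin_success", "detail": "valid password, new device, new country"},
    {"ts": "2024-03-01T08:11:00", "source": "cloud", "user": "j.doe",
     "action": "inbox_rule_created", "detail": "auto-forward to external domain"},
    {"ts": "2024-03-03T23:40:00", "source": "endpoint", "user": "j.doe",
     "action": "lolbin_exec", "detail": "certutil -urlcache (built-in tool)"},
    {"ts": "2024-03-04T02:15:00", "source": "cloud", "user": "j.doe",
     "action": "bulk_download", "detail": "1,240 files from document library"},
    # Benign noise: a click with no follow-on signal from any other source.
    {"ts": "2024-03-02T10:00:00", "source": "email", "user": "a.smith",
     "action": "link_clicked", "detail": "marketing newsletter"},
]

# Which (source, action) pairs count as evidence of which stage of the
# pattern we want to recognise. Assumed mapping; extend it to your own schema.
STAGE_OF = {
    ("email", "link_clicked"): "initial_access",
    ("identity", "signin_success"): "credential_use",
    ("cloud", "inbox_rule_created"): "persistence",
    ("endpoint", "lolbin_exec"): "hands_on_keyboard",
    ("cloud", "bulk_download"): "exfiltration",
}


def correlate(events, window_days=7, min_sources=3):
    """Return one incident per user whenever events from at least
    `min_sources` distinct telemetry sources fall inside a window of
    `window_days` days.

    The default window is deliberately long: a patient intruder spreads
    the stages over days, so a minutes-wide window sees only noise.
    """
    window = timedelta(days=window_days)
    by_user = defaultdict(list)
    for e in events:
        stage = STAGE_OF.get((e["source"], e["action"]))
        if stage is None:
            continue  # not part of the pattern we are looking for
        by_user[e["user"]].append(
            (datetime.fromisoformat(e["ts"]), e["source"], stage))

    incidents = []
    for user, evs in by_user.items():
        evs.sort()  # chronological per user
        i = 0
        while i < len(evs):
            anchor = evs[i][0]
            # Sorted input, so events inside the window form a contiguous run.
            cluster = [x for x in evs[i:] if x[0] - anchor <= window]
            sources = {src for _, src, _ in cluster}
            if len(sources) >= min_sources:
                incidents.append({
                    "user": user,
                    "first_seen": cluster[0][0].isoformat(),
                    "last_seen": cluster[-1][0].isoformat(),
                    "dwell": cluster[-1][0] - cluster[0][0],
                    "sources": sorted(sources),
                    "stages": [stage for _, _, stage in cluster],
                })
                i += len(cluster)  # consume the cluster, look for another
            else:
                i += 1
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f"{inc['user']}: {' -> '.join(inc['stages'])} "
              f"(dwell {inc['dwell']}, sources {inc['sources']})")
    # Same events, short window and strict threshold: nothing fires.
    print("1-day window, 4 sources:", correlate(EVENTS, window_days=1, min_sources=4))
```

Two things worth noticing when running it. First, the endpoint signal arrives two days after the phishing click, so a correlation window measured in minutes or hours never sees the chain; the window has to match the attacker's pace, not the analyst's shift. Second, no single source in the sample would have justified an escalation on its own, which is the point of correlation: the pattern is visible only across the email, identity, cloud and endpoint records together.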
Recovery: Resilience, Not Defence
Backups are often described as if they were a preventive security control. They are not.
Backups are a resilience mechanism: essential for business continuity, and a legitimate part of the recovery phase, but they neither prevent nor detect compromise, and an attacker who holds the backup administrator's credentials can delete or encrypt them along with everything else.
A mature recovery strategy includes:
- Immutable or air-gapped backups, with the backup platform's credentials kept separate from production identities
- Regular restoration testing (a backup that has never been restored is an assumption, not a control)
- Clearly defined recovery objectives (RTO/RPO)
- Incident response playbooks
- Forensic readiness and evidence preservation
Backups answer one question only:
“How quickly can we restore operations?”
They do not answer:
“What data was accessed?”
“How long was the attacker present?”
“What trust was compromised?”
The Missing Layer: Orchestration and Accountability
Most organisations affected by serious incidents already had:
- Email security
- Security training
- EDR/XDR
- Backups
They failed not because tools were missing — but because those tools were not orchestrated into a single, accountable lifecycle.
A resilient cybersecurity posture requires:
- Clear ownership across phases
- Integration between people, process, and technology
- Behavioural metrics alongside technical ones
- Board-level visibility framed in risk, not IT jargon
- A feedback loop where incidents improve prevention
Reframing the Human Firewall
People are not the weakest link.
They are the most targeted link.
When organisations combine:
- Strong email security
- Continuous awareness
- Enforced identity controls
- Contextual detection
- Tested recovery plans
human risk becomes measurable, manageable, and defensible.
Closing Thought
Cybersecurity is not a product checklist.
It is a designed system, operating across time.
When prevention, detection, and recovery are deliberately aligned, organisations move from reacting to incidents — to absorbing and surviving them with confidence.
That is the difference between compliance and resilience.
This perspective is offered in the interest of constructive market dialogue. Soteria Cloud does not represent any government institution or third-party vendor referenced, nor does it seek commercial advantage from the views expressed above.