Threat actors don’t hack in anymore – they log in. That, in a sentence, is the problem South African IT leaders are still not taking seriously enough.
That was the blunt assessment running through Defend Your Cloud, Fortify Your Future – a webinar hosted by Altron Digital Business and Microsoft South Africa last week, bringing together three practitioners who work in the space every day.
The session featured Tumelo Nkadimeng, business development manager at Altron Digital Business; Nick Keene, director for security at Microsoft South Africa; and Pieter LeRoux, head of technical pre-sales at Altron Digital Business. What followed was less a product pitch than a frank conversation about enterprise security in South Africa – and how far most organisations still have to go.
The threat landscape: 3 000 organised adversaries
Keene opened with a number that should focus any boardroom: Microsoft is currently tracking 3 000 threat actor organisations globally – not individuals, not “keyboard warriors”, but structured entities with HR departments, R&D functions and dedicated teams whose sole purpose is to penetrate enterprise environments.
That number has doubled in 12 months.
“In the 24 report, we were tracking about 1 500,” Keene said. “It’s now 3 000. And the sophistication is increasing alongside the scale.”
The data comes from Microsoft’s annual Digital Defence Report – a document Keene encouraged every security professional in the audience to read. Ransomware attacks are up 2.7 times year on year, though Microsoft’s own detection and disruption work has driven meaningful progress at the encryption stage.
Watch the webinar now
The motivations vary. Political threat actors have been particularly active, driven by the ongoing conflict in the Middle East and rising geopolitical tensions. Monetary actors continue to drive ransomware campaigns at scale. Increasingly, these organisations operate with a level of coordination and patience that few enterprises are equipped to match.
“They don’t hack in. They log in,” Keene said. It is the defining security reality of the current era: stolen credentials, compromised identities and lateral movement across the network once inside. Detection speed – measured in seconds, not minutes – has become the critical variable.
The attack surface is no longer a perimeter
LeRoux made the point that most resonated with the audience: the traditional notion of perimeter security is finished.
“It’s not just the firewall,” he said. “It’s the firewall attached to an operating system, attached to a database, attached to an identity that accesses SharePoint, OneDrive, Teams, your website. You’re not just protecting the front gate anymore. You’re protecting every room in the house.”
The multi-cloud reality compounds this. Most South African enterprises are now running workloads across Microsoft Azure, AWS and other hosted environments – each with its own configuration requirements, its own governance gaps and its own exposure profile.
Cloud security posture management – understanding what risks an organisation is actually carrying across a mixed cloud estate – is still a blind spot for many. Misconfigurations are the primary culprit. Role-based access control not enforced. Servers spun up with public IP addresses and no network security gateway. Admin privileges left open to anyone with a contributor role.
LeRoux offered an instructive example: organisations discovering that someone had quietly used their Azure subscription for bitcoin mining – not by breaching anything in the traditional sense, but by exploiting permissions that were never properly governed. The first sign? A bill three to four times higher than expected at month-end.
“You can’t wait 30 days to find out what changed,” he said. “By then the damage is done.”
Defender: the alarm system nobody armed
Here is a quiet reality about most Microsoft licensing environments: the security tools are already there. The problem is that nobody has switched them on properly.
LeRoux’s analogy: Defender is the sensor network of your alarm system. Beams on the lawn. Magnets on the windows. Motion detectors in every room. But if those sensors are not configured, not armed and not connected to a response unit, the alarm means nothing.
“Most of our customers – probably 99.9% – are on E3 or E5 licences that already include a Defender component,” LeRoux said. “The licences are there. The capabilities are there. We just need to enable them, configure them correctly and make sure there’s an appropriate response in place.”
The Defender suite spans Endpoints, Office 365, Identity, Cloud, SQL, Kubernetes and mobile devices. Each is a distinct module. Each needs to be tuned to the specific environment. The AI components – particularly Security Copilot – are now doing significant work on alert triage, filtering genuine threats from the white noise that causes security teams to stop paying attention.
Keene confirmed that Security Copilot is being incorporated into M365 E5 – a change announced at Ignite last year. The roll-out is currently in progress, with full availability expected imminently.
“If you’re on E5 and you don’t see Security Copilot yet, bear with us,” Keene said. “It’s coming.”
The practical value is significant. Instead of a security analyst sitting at a dashboard reading log files at two in the morning, Security Copilot summarises alerts in plain language, identifies patterns, executes runbooks automatically and escalates only what requires a human decision. Triage in seconds. Response without the bottleneck.
The identity debt nobody talks about
One of the more uncomfortable threads in the conversation was what LeRoux called technical debt in identity management.
It is a familiar pattern. Someone joins a company at reception, moves into IT, gets promoted several times, accumulates permissions at every step and eventually leaves – at which point their account is simply renamed and handed to the next person.
“Now that person has access to areas they should not have,” LeRoux said. “Technical debt is one of the biggest risks we see because people don’t know what they don’t know. I see a folder. I see a server. I assume I’m allowed there because I can get there.”
The principle Keene advocated is just-enough access: time-limited credentials, permissions that expire when the task is complete, governance that follows the employee lifecycle from onboarding through every role change to departure.
Microsoft’s E7 licensing tier – now commercially available – brings together E5, M365 Copilot, Agent 365 and the Entra Suite, which introduces identity governance and full joiner-leaver-mover lifecycle management. It is a meaningful step towards treating identity as a first-class security concern rather than an afterthought.
The AI security problem nobody has fully solved
The third major thread was AI – and it runs in two directions simultaneously.
Threat actors are using AI to research targets, identify vulnerabilities and execute intrusions with greater precision and speed than was possible before. That is the well-documented risk. But the less-discussed problem is the one building inside organisations right now.
Employees who are enthusiastic about AI – and there are many – are downloading agents, connecting personal tools and running their corporate data through LLMs that sit entirely outside the organisation’s governance framework. The intent is usually benign: make the job easier, process information faster. The risk is structural.
“Where is the data sovereignty?” LeRoux asked. “What are we exposing? And to whom?”
Microsoft’s response is Agent 365, released on 1 May and currently available in preview. It provides three things: observability (what agents are running across the enterprise), governance (what data they are learning from) and protection (the ability to identify and shut down misbehaving agents). Available as part of E7 or as a standalone offering, it is the first serious attempt to bring agentic AI inside the enterprise security perimeter.
The challenge is not technical. It is cultural. Most organisations have no idea how many agents their employees have already deployed.
Start with a workshop, not a product
The session closed with a practical pathway for organisations trying to work out where to begin.
Altron’s recommendation – and Microsoft’s – is to start with a funded envisioning workshop through the Microsoft Co-Investment (MCI) programme, rather than jumping straight to deployment. The workshops are structured, partially funded and scoped specifically for threat protection or data security, depending on the organisation’s most pressing exposure.
The process is phased: envisioning, assessment, design, proof of concept and only then full adoption. Each stage builds on the last. The goal is to understand the current state before prescribing a solution.
Organisations interested in checking their eligibility for MCI funding should reach out to Altron directly. Terms and conditions apply, and eligibility varies – but the programme is there specifically to lower the barrier to starting the conversation.
The conversation, as the webinar made clear, is overdue.
This webinar was hosted by Altron Digital Business in partnership with Microsoft South Africa. Tumelo Nkadimeng is business development manager at Altron Digital Business. Nick Keene is director for security at Microsoft South Africa. Pieter LeRoux is head of technical pre-sales at Altron Digital Business.
This webinar was hosted by Altron Digital Business in partnership with Microsoft South Africa. Tumelo Nkadimeng is Business Development Manager at Altron Digital Business. Nick Keene is Director for Security at Microsoft South Africa.
- This promoted content was paid for by the parties concerned