Threat actors no longer need to “break in” – they simply log in with stolen credentials, a reality that South African CIOs are still underestimating, warned experts during the “Defend Your Cloud, Fortify Your Future” webinar hosted by Altron Digital Business and Microsoft South Africa last week.
The session brought together Tumulo Nkadimeng, business development manager at Altron Digital Business; Nick Keene, director for security at Microsoft South Africa; and Pieter LeRoux, head of technical pre‑sales at Altron. Rather than a sales pitch, the trio delivered a stark assessment of the current threat landscape and the gaps in most enterprises’ security postures.
Microsoft Defender: the alarm system most organisations haven’t armed
Keene opened with a figure that should make any boardroom sit up straight: Microsoft now tracks 3 000 organised threat‑actor groups worldwide – a number that has doubled in the past twelve months. Those aren’t lone hackers; they are full‑fledged entities with HR, research and development teams whose sole purpose is to breach corporate environments.
| Metric | 12 months ago | Today |
|---|---|---|
| Tracked threat‑actor groups | 1 500 | 3 000 |
| Ransomware rise (YoY) | 1 × | 2.7 × |
| Average detection time | Minutes | Seconds |
The table shows the dramatic escalation in both the number of adversaries and the speed at which they can move once inside a network.
Keene stressed that stolen credentials and rapid lateral movement are now the norm. “They don’t hack in. They log in,” he said, underscoring how detection speed—measured in seconds, not minutes—has become the decisive factor in limiting damage.
LeRoux reinforced the point by dismissing the outdated notion of a single perimeter defence. “It’s not just the firewall,” he explained, “it’s the firewall attached to an OS, a database, an identity that accesses SharePoint, OneDrive, Teams, your website. You’re protecting every room in the house.”
The multi‑cloud reality of South African enterprises—most run workloads across Azure, AWS and other platforms—creates a patchwork of configuration gaps. Misconfigured resources, lax role‑based access controls and publicly exposed servers are the primary culprits behind many breaches.
A vivid example came from LeRoux: a company discovered an unauthorised Azure subscription being used for Bitcoin mining, not because a hacker cracked a system, but because excess permissions were never pruned. The first clue? An invoice three to four times higher than expected. “You can’t wait 30 days to find out what changed,” he warned, “by then the damage is done.”
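The lesson of that invoice is that spend is itself a security signal, and one that can be watched daily rather than read off a monthly bill. The following Python is an added example, not code from the webinar, Altron or Microsoft: it runs two checks over a constructed cost export (the subscription names, dates and amounts are invented), flagging days whose spend jumps to a multiple of the trailing median and subscriptions that bill without appearing in an assumed approved inventory.

```python
"""Cloud-spend anomaly check.

Added example for the billing-anomaly point above; it is not code from the
webinar, Altron or Microsoft. Subscription names, dates and amounts are
constructed stand-ins for an exported cost report.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple, Tuple


class Anomaly(NamedTuple):
    subscription: str
    day: str
    cost: float
    baseline: float
    ratio: float


def _series(sub: str, start_day: int, costs: List[float]) -> List[Tuple[str, str, float]]:
    """Build (date, subscription, cost) rows for consecutive June days (constructed data)."""
    return [(f"2024-06-{start_day + i:02d}", sub, float(c)) for i, c in enumerate(costs)]


# Constructed sample: a steady production subscription, a sandbox whose spend
# quadruples overnight (the mining scenario), and a subscription nobody approved.
SAMPLE_COSTS = (
    _series("prod-core", 1, [12000, 11800, 12200, 12100, 11900, 12050, 12000, 12300, 11950, 12100])
    + _series("dev-sandbox", 1, [800, 820, 790, 810, 800, 805, 815, 3200, 3300, 3250])
    + _series("sub-unknown-0042", 7, [500, 2000, 2100, 2150])
)
APPROVED_SUBSCRIPTIONS = {"prod-core", "dev-sandbox"}   # assumed inventory / CMDB


def daily_totals(records) -> Dict[str, List[Tuple[str, float]]]:
    """Sum cost rows per subscription and day, returning date-ordered series."""
    totals = defaultdict(float)
    for day, sub, cost in records:
        totals[(sub, day)] += cost
    by_sub: Dict[str, List[Tuple[str, float]]] = defaultdict(list)
    for sub, day in sorted(totals):          # sorts by subscription, then ISO date
        by_sub[sub].append((day, totals[(sub, day)]))
    return by_sub


def find_spend_anomalies(records, window: int = 7, factor: float = 2.0,
                         min_history: int = 3) -> List[Anomaly]:
    """Flag any day whose cost is at least `factor` times the median of the
    preceding `window` days. A median baseline is insensitive to one earlier
    spike, so a sustained jump keeps being reported day after day."""
    anomalies = []
    for sub, series in sorted(daily_totals(records).items()):
        costs = [c for _, c in series]
        for i, (day, cost) in enumerate(series):
            history = costs[max(0, i - window):i]
            if len(history) < min_history:
                continue                      # too little history to judge
            baseline = median(history)
            if baseline > 0 and cost / baseline >= factor:
                anomalies.append(Anomaly(sub, day, cost, baseline, round(cost / baseline, 2)))
    return anomalies


def find_unknown_subscriptions(records, approved) -> List[str]:
    """Subscriptions that bill but are absent from the approved inventory."""
    billed = {sub for _, sub, _ in records}
    return sorted(billed - set(approved))


if __name__ == "__main__":
    for a in find_spend_anomalies(SAMPLE_COSTS):
        print(f"{a.subscription} {a.day}: {a.cost:.0f} vs baseline {a.baseline:.0f} ({a.ratio}x)")
    for sub in find_unknown_subscriptions(SAMPLE_COSTS, APPROVED_SUBSCRIPTIONS):
        print(f"unapproved subscription billing: {sub}")
```

The two checks are complementary: the ratio test catches a known subscription whose footprint changes, while the inventory test catches spend from a subscription that should not exist at all, which is exactly the case a ratio against its own history would miss.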
The identity debt that’s silently eroding security
LeRoux identified a pervasive form of technical debt: identity sprawl. Employees often accumulate permissions through multiple role changes, and when they leave, their accounts are merely renamed and reassigned. The result is a cascade of unnecessary privileges that linger unnoticed.
Keene advocated a “just‑enough” access model, where credentials are time‑bound and permissions expire once a task is complete. Microsoft’s new E7 licensing tier bundles E5, M365 Copilot, Agent 365 and the Entra Suite, delivering comprehensive identity governance and lifecycle management. Treating identity as a first‑class security asset, rather than an afterthought, could dramatically reduce the attack surface.
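To make the two ideas concrete, the following Python is an added example, not code from the webinar, Altron or Microsoft: it models a just‑enough access policy in which every elevation carries a justification and an expiry, and an audit that surfaces the identity debt LeRoux described (standing assignments, elevations that expired but were never revoked, roles left over from an earlier job, and accounts that no longer match anyone in the HR directory). The principals, roles, scopes, dates and the eight‑hour ceiling are constructed assumptions; real enforcement lives in the identity platform, and this only models the policy decisions.

```python
"""Just-enough access: time-bound grants and an identity-debt audit.

Added example illustrating the points above; not code from the webinar,
Altron or Microsoft. Principals, roles, scopes and dates are constructed.
Real enforcement sits in the identity platform (e.g. Entra PIM / Azure RBAC);
this models only the policy decisions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

MAX_JIT_HOURS = 8          # assumed policy ceiling for a task-scoped elevation


@dataclass(frozen=True)
class Grant:
    principal: str
    role: str
    scope: str
    granted_at: datetime
    expires_at: Optional[datetime]   # None = standing assignment that never expires
    reason: str = ""


def validate_jit_request(reason: str, hours: float) -> Optional[str]:
    """Return a rejection message, or None if the elevation request is acceptable."""
    if not reason.strip():
        return "every elevation needs a recorded justification"
    if hours <= 0 or hours > MAX_JIT_HOURS:
        return f"elevation window must be between 0 and {MAX_JIT_HOURS} hours"
    return None


def grant_jit(principal, role, scope, reason, now, hours=4) -> Grant:
    """Issue a grant that expires on its own; standing access is never issued here."""
    problem = validate_jit_request(reason, hours)
    if problem:
        raise ValueError(problem)
    return Grant(principal, role, scope, now, now + timedelta(hours=hours), reason)


def is_active(grant: Grant, now: datetime) -> bool:
    """A grant is live if it never expires or its expiry is still in the future."""
    return grant.expires_at is None or now < grant.expires_at


Finding = Tuple[str, str, str, str]   # (principal, role, scope, issue)


def audit_identity_debt(grants: List[Grant], directory: Dict[str, Set[str]],
                        now: datetime) -> List[Finding]:
    """Flag grants that should not exist.

    `directory` maps each *current* employee to the roles their current job
    entitles them to; anything outside it is debt from a previous role, a
    departed user, or an elevation that was never revoked."""
    findings: List[Finding] = []
    for g in grants:
        if g.principal not in directory:
            findings.append((g.principal, g.role, g.scope,
                             "principal not in HR directory (departed or renamed account)"))
            continue
        if g.expires_at is None:
            findings.append((g.principal, g.role, g.scope, "standing assignment with no expiry"))
        elif not is_active(g, now):
            findings.append((g.principal, g.role, g.scope, "expired grant still present; revoke"))
        if g.role not in directory[g.principal]:
            findings.append((g.principal, g.role, g.scope,
                             "role not entitled by current job (leftover from earlier role)"))
    return findings


# Constructed scenario: alice moved from infra lead to an analyst role, carol
# left but her account was renamed and kept, bob has a legitimate live elevation.
NOW = datetime(2024, 6, 10, 9, 0)
DIRECTORY = {"alice": {"Reader"}, "bob": {"Reader", "Contributor"}}
GRANTS = [
    Grant("alice", "Owner", "/subscriptions/prod", datetime(2022, 1, 15), None, "infra lead"),
    Grant("alice", "Reader", "/subscriptions/prod", datetime(2024, 6, 1, 8),
          datetime(2024, 6, 1, 12), "ticket INC-0001 (constructed id)"),
    grant_jit("bob", "Contributor", "/subscriptions/dev", "deploy hotfix",
              NOW - timedelta(hours=1), hours=4),
    Grant("carol", "Owner", "/subscriptions/prod", datetime(2021, 3, 2), None, "renamed admin"),
]


if __name__ == "__main__":
    for principal, role, scope, issue in audit_identity_debt(GRANTS, DIRECTORY, NOW):
        print(f"{principal:6} {role:12} {scope:20} {issue}")
```

Run as a script it lists four findings, all against alice and carol and none against bob, whose four‑hour elevation is both justified and still within its window. The point of keying the audit to the HR directory rather than to the grant list itself is that a renamed or reassigned account, the pattern LeRoux called out, only shows up when the identity store is compared with an independent source of truth about who currently does which job.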
AI: the double‑edged sword in modern security
AI is reshaping both offence and defence. While threat actors exploit large‑language models to automate reconnaissance and craft phishing lures, insiders are also running unauthorised AI agents on corporate data, often out of sheer curiosity or a desire for efficiency.
LeRoux asked the hard questions: “Where is the data sovereignty? What are we exposing and to whom?” Microsoft’s answer is Agent 365, released on 1 May and available in preview. The tool offers observability, governance, and protection for AI agents, allowing enterprises to see which agents are active, what data they consume, and to shut down rogue behaviour.
A pragmatic pathway forward
Both Altron and Microsoft urged organisations to begin with a funded envisioning workshop via the Microsoft Co‑Investment (MCI) programme, rather than rushing into product deployment. The structured process—envision, assess, design, proof of concept, then full adoption—ensures that security solutions are tailored to the actual risk profile, not a generic checklist.
Eligibility for MCI funding can be confirmed by contacting Altron directly; terms apply, but the programme is designed to lower the barrier for South African companies to start the conversation about threat protection and data security.
The consensus was clear: most South African enterprises already have the tools—such as Microsoft Defender—within their licensing agreements, but they remain dormant. Activating, configuring, and integrating these tools with AI‑driven triage like Security Copilot can turn a silent alarm into an active defence.
If you’re on an E5 licence and haven’t seen Security Copilot in your tenant yet, expect it to roll out imminently. Once active, the AI‑powered assistant can summarise alerts in plain language, execute runbooks automatically, and surface only the incidents that truly require human intervention—compressing a night‑shift analyst’s workload from hours to seconds.
The takeaway is unequivocal: modern threats are credential‑centric, multi‑cloud, and AI‑enhanced. The only way to stay ahead is to arm the dormant sensors already embedded in Microsoft Defender, tighten identity governance, and bring AI agents under strict oversight. The webinar’s message was overdue, but it provides a clear, actionable roadmap for South African organisations ready to move from complacency to resilience.