Digital security isn’t a product – it’s a mindset

Johannesburg, 08 Dec 2025
Anton van Rooyen, Microsoft Certified Trainer (MCT) & Cloud Solutions Expert, CTU Training Solutions.

At the end of November, CTU Training Solutions, in collaboration with the Leading Learning Partners Association (LLPA), hosted its annual Cyber Security Day, an online event that brought together global experts to unpack the evolving threat landscape and the practical habits individuals and organisations need to adopt to stay secure.

The virtual conference was presented by the Leading Learning Partners Association (LLPA), a global organisation with a presence in more than 55 countries, of which CTU is the active South African member, together with its vendor partners Microsoft, AWS and Skillable. According to Hanri Labuschagne, National Vendor Manager at CTU Training Solutions: “This day underlined the impact of the LLPA and showcased how its members contribute to a global audience with IT, cyber security and AI expertise.”

Across 10 sessions, attendees explored emerging threats, including phishing, ransomware, AI-powered attacks and zero-day vulnerabilities; discovered practical applications of AI in both offensive and defensive security; and gained insights to strengthen risk management, incident response and long-term resilience. While most sessions were delivered by expert LLPA members from around the world, CTU’s own Anton van Rooyen, Microsoft Certified Trainer (MCT) and Cloud Solutions Expert, presented a highly practical session focused on building a “digital defence toolbox” through everyday habits.

His message was simple: digital security starts with a mindshift.

“We don’t treat our digital lives the way we treat our physical lives,” said Van Rooyen. “You wouldn’t leave your house unlocked or leave your wallet unattended, but online, we often behave as if those rules don’t apply.” 

Successful attacks, he explained, rarely come from sophisticated hackers. Instead, they stem from basic poor digital hygiene: weak or reused passwords, ignored software updates, clicking on suspicious links, or delaying multi-factor authentication.

Van Rooyen emphasised the “two-minute rule”: if a security action takes less than two minutes, such as enabling MFA or applying an update, do it immediately. “If you don’t, you’re creating openings for threat actors,” he said.

His talk outlined four critical pillars that every individual and organisation can adopt to strengthen their security posture.

1. Secure accounts with strong keys and double locks

The problem, Van Rooyen said, is not necessarily weak passwords, it’s recycled ones. “Most people have a handful of passwords they use everywhere: banking, e-mail, shopping, streaming. That’s what makes credential-stuffing attacks so effective.”

Instead of creating complex passwords that are impossible to memorise, he recommends using three or four unrelated words to create a long, unique passphrase that computers struggle to guess but humans can easily remember. More importantly, never reuse these passphrases across accounts.

Password managers, he said, remain the single best defence. These encrypted digital vaults generate, store and autofill unique passwords for every site, meaning users only need to remember one master password.

The second line of defence is multi-factor authentication. “If someone gets your password, MFA stops them in their tracks,” he stressed. It’s essential for e-mail, banking and key social media accounts, preventing impersonation and identity theft.

2. Fight the number-one attack: phishing

Phishing remains the root cause of around 90% of successful cyber attacks, making it the biggest threat to individuals and organisations alike. Its effectiveness comes from exploiting two human weaknesses: urgency and curiosity.

“Phishers aren’t attacking computers, they’re attacking your brain,” Van Rooyen said.

He advised users to slow down and vet every e-mail or message that demands action. Signs of a phishing attempt include:

  • Urgency or fear (“Your account will be locked”, “Overdue invoice”).
  • Requests for sensitive information or unusual payment methods (QR codes, gift cards, crypto-currency).
  • Suspicious senders or links with misspellings or odd domains.

The golden rule: never click the link. Instead, manually type the organisation’s website address into your browser to verify the message. If it claims to be from a colleague or family member asking for money, call them directly.

3. Protect devices through basic maintenance and smart backups

One of the simplest, and most neglected, security practices is installing updates immediately. Software updates patch known vulnerabilities, and attackers move quickly to exploit systems that have not been updated.

“Never defer a software update,” Van Rooyen warned. “The longer you wait, the longer you stay exposed.”

He also emphasised the importance of backup discipline, especially with the increase in ransomware attacks. He advocates the 3-2-1 backup rule:

  • 3 copies of your data
  • 2 stored on different media (eg, cloud and external drive)
  • 1 stored offsite and air-gapped

An offline backup ensures attackers cannot encrypt both your device and your backup simultaneously.

4. Control your digital footprint and long-term identity

Everything we do online leaves a trail: social posts, online shopping, newsletter sign-ups, and even the answers to common security questions. Attackers use this information to guess passwords, craft convincing phishing messages, or impersonate victims.

Van Rooyen advised users to audit their social media accounts, enforce the strictest privacy settings, and remove unknown “friends” or followers. Most importantly, avoid oversharing – holiday posts, real-time location check-ins and personal details can all be weaponised.

A powerful identity protection tactic is adopting an alias e-mail strategy. Instead of using one primary e-mail everywhere, users should create single-purpose addresses for shopping, forums or newsletters. Tools such as “Hide My E-mail” or “SimpleLogin” make this simple.

“If a site is breached, the attacker gets an e-mail address that isn’t linked to your bank accounts or core identity,” he explained. Breached aliases can simply be switched off without affecting any important services.

A mindset, not a product

Four key takeaways emerged from Van Rooyen’s session:

  1. Lock down accounts with a password manager and MFA.
  2. Fight phishing using verification, not links.
  3. Build resilience with the 3-2-1 air-gapped backup rule.
  4. Control your identity using alias e-mails and reduced digital exposure.

“Security isn’t a product you buy, it’s a habit you develop,” he said. “Start small, stay consistent, and your safety increases dramatically.”

The threat landscape evolves rapidly, so continual learning is essential. Van Rooyen encourages users to subscribe to cyber security newsletters and blogs and to remain curious about emerging threats. 

All of the videos from CTU Training Solutions’ Cyber Security Day are available here.
