The rise of response-ready cyber security

By Kyle Pillay, Security as a Service Manager at Datacentrix
Johannesburg, 29 Apr 2026
A mature ransomware resilience strategy is built on a governance-driven, risk-based approach. (Image: Datacentrix)

If there’s one thing the current threat landscape has made clear, it’s that prevention and response readiness aren’t mutually exclusive – instead, you need both. Preventative controls are essential, but the uncomfortable truth is that they’re never a guarantee of protection.

Phishing is a good example – it’s no longer clumsy or obvious but instead is more sophisticated than ever. Threat actors understand the policies and tooling that organisations use, and they know how certain rules can be relaxed to gain access. Through obfuscation and other techniques, a threat can enter an environment quite legitimately and preventative controls alone won’t necessarily stop access.

Data breaches are real. In fact, based on what we’re seeing in the field, they’re happening more often than many organisations would like to admit. It only takes one click – one person – and if your response capability isn’t up to speed at that point, you’re not dealing with a minor issue but a potential catastrophe.

From there, every preventative control you’ve invested in can become irrelevant. Your incident response capability needs to kick in immediately: isolating the threat, containing it and choking off the oxygen before it can propagate further through the environment.

So, how do you balance prevention and response? The reality is that you don’t have a choice: one shouldn’t be prioritised over the other, but response is becoming increasingly critical in determining outcomes.

The discipline of response: Practise or pay the price

Response readiness isn’t something you design once and then forget. It needs to be tested regularly. Ideally, organisations should be running simulations at least monthly, especially against critical applications. It keeps risk top of mind, particularly for people who aren’t security-focused day to day. It also exposes how teams actually respond under pressure and whether your processes are efficient enough.

Many organisations work towards a four-hour response and resolution window. That means isolating the threat, stabilising the environment and resuming business operations within that timeframe – but you don’t get there by accident. If you don’t practise, you won’t perform when it matters. It’s the same principle as sport; training is what determines whether or not you hit the mark under pressure.

Ransomware: A clear test of resilience

Nowhere is the shift from prevention to response more visible than in ransomware attacks. These attacks have evolved rapidly, and they no longer fit neatly into categories like malware, worms or classic ransomware. Today, they’re often a combination of techniques, aimed at locking organisations out of their own information.

One of the primary attack vectors is still the user, because threats are delivered in ways that appear completely legitimate. Attackers understand the limits of security tools and how far automated scanning typically goes, and they exploit trusted communication channels, sometimes even accounts of colleagues that have been compromised.

Kyle Pillay, Security as a Service Manager at Datacentrix.

Attackers often begin with credential harvesting. Once they gain access, ransomware may follow, but it’s rarely the first or only stage. Platforms exist that scrape publicly available information from across the internet and social media, building profiles on individuals and organisations. That includes e-mails, phone numbers, images and employment details. Threat actors then use this information to impersonate people convincingly, sending e-mails or messages that appear authentic.

Corporate networks are generally secure, so attackers often target users on mobile devices, where controls are weaker. A seemingly innocent WhatsApp link can lead to credentials being exposed without the protections present on laptops. The moment something seems out of character, it’s critical to pause, verify and close the loop. A simple phone call can prevent compromise.

The key lesson here: ransomware highlights why preparedness and response matter more than prevention alone. Even the most advanced preventative controls can fail, but an organisation that is resilient, well-practised and ready to respond can isolate the threat quickly, contain it and resume normal business operations without needing to pay the ransom.

What resilience actually looks like

A mature ransomware resilience strategy is built on a governance-driven, risk-based approach. It requires due diligence across the organisation, not just within IT. That includes governance checkpoints, policy reviews and alignment with recognised frameworks and standards. It’s about becoming data-centric, understanding where your data resides and ensuring that everything supporting it is secure.

That means hardened infrastructure, closed ports, patched operating systems and effective vulnerability management to keep systems aligned with best practice and benchmark standards, but it also means something broader: a culture of resilience.

Ultimately, mature organisations understand the importance of business continuity planning, disaster recovery, regular simulations and ongoing policy reviews. Because resilience isn’t built in a single layer, cyber security must put equal focus on people, processes and technology working together. Each of those elements needs equal attention if an organisation wants to build real resilience.

If there’s a single shift organisations need to make, it’s to stop thinking purely in terms of prevention and start thinking in terms of preparedness. There’s no way to be 100% safe, but you can be ready and, in today’s environment, readiness is what determines whether an incident becomes a disruption or a full-blown crisis.

For more information on Datacentrix’s cyber security services offering, please visit https://www.datacentrix.co.za/cybersecurity-services.html.

Datacentrix

Datacentrix is a leading, African-born systems integrator and managed services provider that operates in Africa and the Middle East. The company’s mature portfolio incorporates intelligent hybrid cloud solutions, security services, data management and resource augmentation.

As an industry forerunner with a prominent track record since 1994, Datacentrix leverages advanced technologies to help customers realise smart operations, competitive advantage and strategic business outcomes. The company partners with its customers to reshape their organisations through technology, paving the way to a sustainable future in an artificially intelligent, data-driven world.

Datacentrix has a noteworthy empowerment history and has held a Level One Broad-based Black Economic Empowerment (B-BBEE) Contributor rating since 2017. The company is 100% Black owned, 72.88% Black women owned and is esteemed as a Designated Supplier, which enables 135% procurement recognition for our customers.

For more information, please visit www.datacentrix.co.za
