Three Pillar
The Hidden Cost of Incomplete Security
19 January 2026 · 0x1m3
Every organisation believes its security is adequate — until it is tested. The uncomfortable truth is that most South African businesses operate with significant gaps in their defences. Not because they have done nothing, but because they have done *some things well* and assumed the rest would hold.
The risks of an incomplete security strategy are not theoretical. They cost real businesses real money, every quarter, across every industry. Here are three scenarios that show exactly what those gaps look like — and what they cost.
Scenario 1: The Fortress with Open Windows
The setup: A Johannesburg professional services firm invests in enterprise-grade firewalls and network segmentation. Perimeter security is strong. External penetration tests come back clean.
The gap: No endpoint detection and response (EDR) on user workstations. The firm relies on legacy antivirus with signature-based detection.
What happens: An employee opens a phishing attachment. The malware is a zero-day variant — no signature exists. Legacy antivirus does not flag it. The attacker gains a foothold on the workstation and moves laterally across the flat internal network. Over twelve days, they escalate privileges, access the document management system, and exfiltrate 40,000 client records.
The firewall never triggered. It was designed to stop threats at the perimeter. This one walked in through the front door.
> "The perimeter is not the battlefield anymore. Endpoints are. If you are not watching every device, you are not watching at all."
The cost:

- 14 days of undetected access to client data
- POPIA breach notification to the Information Regulator
- Potential administrative fine of up to R10 million
- Client trust — unquantifiable, but devastating for a services firm

What was missing: The Protect pillar. Behavioural AI-based endpoint protection like SentinelOne would have detected the anomalous process behaviour within seconds — regardless of whether a signature existed — and quarantined the threat autonomously.
Scenario 2: The Alarm with No Fire Exit
The setup: A Cape Town financial services provider deploys comprehensive monitoring. Their IT team receives real-time alerts for unusual login activity, network anomalies, and policy violations. Detection is strong.
The gap: No tested, immutable backup strategy. Backups run to a local NAS device on the same network. Recovery has never been tested.
What happens: Monitoring detects a ransomware outbreak at 2:47 AM. Alerts fire. The IT team responds within thirty minutes — well within their SLA. They isolate the affected servers and begin containment.
Then they discover the backup NAS was encrypted along with everything else. The attacker targeted backup volumes first — a standard ransomware tactic. The last off-site backup is nineteen days old. Nineteen days of financial transactions, client communications, and regulatory filings — gone.
> "They detected the attack in thirty minutes. They lost nineteen days of data. Detection without recovery is an alarm with no fire exit."
The cost:

- 19 days of irrecoverable financial data
- 11 days of operational downtime during manual reconstruction
- FSCA regulatory scrutiny for inadequate business continuity controls
- R2.4 million in direct recovery costs, excluding lost revenue

What was missing: The Recover pillar. Cloud-first backup with Cove Data Protection stores immutable backups off-network, encrypted with AES-256. Ransomware cannot reach them. Automated recovery testing every 14 days proves backups are bootable and complete — before disaster strikes.
Scenario 3: The Safety Net Under a Burning Building
The setup: A Durban manufacturing company takes backup seriously. Cloud backups run nightly. Microsoft 365 data is protected. Recovery procedures are documented and tested annually.
The gap: No continuous monitoring. No automated patching. The IT team checks systems reactively — when users report problems.
What happens: An attacker exploits a known vulnerability in an unpatched application. They establish persistent access and begin quietly exfiltrating intellectual property — product designs, supplier contracts, pricing models. The exfiltration continues for four months. No alerts fire because no monitoring exists.
When the breach is finally discovered — by a supplier who notices their confidential pricing appearing in a competitor's proposals — the damage is extensive and irreversible. Backups are intact, but the data was never lost. It was stolen.
> "Backups protect against data loss. They do not protect against data theft. Without monitoring, you will not know your data is leaving until it is too late."
The cost:

- 4 months of undetected intellectual property theft
- Competitive advantage permanently compromised
- Supplier and partner relationships damaged
- Legal exposure from inadequate protection of third-party confidential information

What was missing: The Detect pillar. N-able N-central's 24/7 monitoring with automated patching would have closed the unpatched vulnerability before exploitation. Continuous monitoring would have flagged the unusual outbound data transfers within days, not months.
The Pattern Is Always the Same
Each scenario has a common thread: the business invested in security, but incompletely. One pillar was strong. The other two were absent or inadequate. And the attack found the gap — because attacks always find the gap.
This is why OAS built the Three Pillar methodology around three non-negotiable capabilities:

- Protect — SentinelOne autonomous endpoint detection and response
- Detect — N-able N-central 24/7 monitoring and automated patch management
- Recover — Cove Data Protection cloud-first immutable backup

All three managed from a single console. All three delivered by a single trusted partner with over 40 years of enterprise IT experience in South Africa.
The Cost Equation
The cost of incomplete security is always higher than the cost of doing it right. A per-endpoint monthly subscription for all three pillars is a fraction of what any one of these scenarios costs in downtime, data loss, regulatory fines, and reputational damage.
The question is not whether you can afford complete security. It is whether you can afford the gaps.