• Home
  • Opinion
  • Buying more security tools isn’t the same as building a defence

Buying more security tools isn’t the same as building a defence

Sophisticated attacks are specifically engineered to bypass individual security tools, and companies absorbing the damage are those who have confused procurement with protection, says Richard Frost, Head of Technology Solutions and Consulting at Armata Cyber Security
Richard Frost, Head of Consulting at Armata Cyber Security. (Image: Armata Cyber Security)
Richard Frost, Head of Consulting at Armata Cyber Security. (Image: Armata Cyber Security)

Cybercriminals have stopped trying to break into the business through security tools. The effective 2026 approach is to move around them entirely, exploiting the gaps between isolated controls because few security solutions have a complete picture of the whole system. 

The result is that companies with comprehensive, fully-functioning security stacks are being breached like a hot bread knife through butter because the architecture around them was never built to catch the modern attack.

The tools used to protect businesses from cyberattacks are being bypassed by intelligent threat actors penetrating the business with business email compromise or phishing emails that are 100% not malicious. 

The links in these emails, SMS messages or WhatsApp communications take users to websites that are also not malicious, but on those sites, they redirect users to malicious destinations that infect the business. 

This sophisticated re-routing approach makes it increasingly difficult for security solutions to catch the threats. An email security tool scanning for known malicious content won't flag a clean email directing a user towards a chain of legitimate-looking redirects. 

An endpoint protection platform won't catch a payload that's been deliberately engineered to look benign. The tools are working properly, but the attacks are slipping past their defences because no single layer of the stack has sight of the full picture.

URL redirection has become one of the most common phishing techniques and is used in around 54% of phishing attempts, with open redirects and legitimate-looking services hiding malicious URLs. 

Business email compromise (BEC) was listed at $2.77 billion in losses in 2024 in the IC3 2025 report, with the highest probability loss paths planning in 2026 still focused on identity theft and BEC challenges, respectively. 

These have become one of the most common attack patterns in the current threat environment, and they’re succeeding at scale because companies have built their defences around products that operate in isolation.

If an attacker gets past one layer, there needs to be redundancy behind it. No system is more than 99.99% effective, which means every individual control will eventually be bypassed. The only architecture capable of supporting this reality is one that ensures that when there is a failure on one layer, it is caught by the one behind it. 

A layered defence builds controls that compensate for limitations. Email security at the perimeter filters what it can, endpoint protection catches threats that reach the device, network monitoring identifies unusual behaviour and lateral movement that point solutions miss individually.

 Identity controls then close the credential and session abuse pathways that sit behind the majority of initial breach vectors, and each layer then narrows the window an attacker can use. Together, all these systems create a chain of visibility that no single tool can provide.

The Security Operations Centre (SOC) is the layer that makes the rest of the architecture function under pressure. Security teams managing isolated tools are saturated with alerts, the majority of which are noise, and the genuine threats that arrive during stretched periods are missed because there isn’t context to act on them. 

A SOC correlates the signals across the full environment, stripping out the noise and providing the intelligence layer that sees the full sequence of the attack rather than its individual components. It also operates continuously rather than during business hours when teams are fully staffed.

Awareness training is another key layer. Attackers target people because they are faster to exploit than a patched system. A user who can identify a redirect chain, who questions an unexpected payment instruction regardless of how convincing the sender appears, and who knows how to escalate before clicking, becomes a security control that no product can replace.

Finally, it comes down to translating security within the business as an architecture. It is a control, detection, and protection environment built around how attacks actually work today, and each layer is capable of detecting what was missed by the first, supported by human oversight that ensures context and capability. 

The attack that breaches a business in 2026 will almost certainly have passed through at least one security tool undetected. The question is whether there was anything behind that tool to catch it. For most South African businesses, the honest answer is no, and so closing that gap starts with understanding that a collection of tools is not the same thing as a defence.

Share

Read more
ITWeb proudly displays the “FAIR” stamp of the Press Council of South Africa, indicating our commitment to adhere to the Code of Ethics for Print and online media which prescribes that our reportage is truthful, accurate and fair. Should you wish to lodge a complaint about our news coverage, please lodge a complaint on the Press Council’s website, www.presscouncil.org.za or email the complaint to enquiries@ombudsman.org.za. Contact the Press Council on 011 484 3612.
Copyright @ 1996 - 2026 ITWeb Limited. All rights reserved.