
Uncovering critical cyber security red flags must move beyond mere compliance

By Zakariyya Mehtar, Certified Information Systems Auditor (CISA) and Director - IT Audit and Advisory, Forvis Mazars South Africa
Johannesburg, 16 Jul 2025
Zakariyya Mehtar, Certified Information Systems Auditor (CISA) and Director - IT Audit and Advisory at Forvis Mazars South Africa.

In the face of rapid digital transformation, cybersecurity has transcended its former status as a technical concern to become a paramount business imperative.

According to Cybercrime Magazine, cybercrime is projected to inflict damages totaling US$10.5 trillion globally by 2025, an increase from US$3 trillion a decade ago. 

Some projections even suggest it could reach US$13.82 trillion by 2028. According to Thomson Reuters, the average global cost of a data breach reached an all-time high of US$4.88 million in 2024, a 10% increase from the previous year.

For businesses, the challenge lies in evolving traditional methodologies to effectively pinpoint and mitigate the sophisticated cyber threats that continuously emerge. 

The effectiveness of cybersecurity policies hinges on their ability to identify the subtle yet significant indicators of cybersecurity weakness. This demands a dynamic approach, commencing with robust Vulnerability Assessments and Penetration Testing (VAPT).

Comprehensive internal and external VAPT simulates real-world attacks, revealing exploitable weaknesses in networks and applications. 

A company’s Chief Information Security Officer (CISO) must scrutinise the scope, frequency and the remediation efforts stemming from VAPT activities. 

A lack of regular, in-depth VAPT, or a failure to promptly address identified vulnerabilities, signals a significant red flag.

The human element remains the weakest link in the cybersecurity chain as even the most robust technology can be compromised by human error. A major red flag emerges when an organisation lacks ongoing, comprehensive security awareness programmes, particularly those that move beyond mere ‘tick-box’ online modules. 

Tick-box training, designed for compliance over education, won't stop phishing or social engineering. Businesses need to verify behavioural changes, not just completion rates, to ensure employees truly grasp and apply security principles.

Outdated password policies are a significant risk; access control demands a shift to biometrics and multi-factor authentication. CISOs must ensure these robust mechanisms are actively implemented across all critical systems.

Likewise, weak logging and monitoring are dangerous blind spots. Without detailed logs, tracking user activity and detecting threats is impossible. Policies must cover comprehensive event reconstruction, including managing dormant and shared accounts that compromise accountability.
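The dormant-account and shared-account checks described above can be run directly against authentication logs. The following is an added example, not code from the article or from Forvis Mazars: it assumes a constructed `timestamp user=… src=… result=…` log line format, a constructed list of enabled accounts, a 90-day dormancy threshold, and a heuristic that treats an account with successful logins from three or more distinct sources within one hour as probably shared.

```python
"""Flag dormant and apparently shared accounts from authentication logs.

Added example. The log format, the account inventory and the thresholds
are constructed assumptions, not any product's real format or defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log line shape: "<ISO-8601 UTC> user=<name> src=<ip> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "ok": m["result"] == "success"}


def audit_accounts(log_lines, enabled_accounts, now, dormant_days=90,
                   shared_sources=3, shared_window=timedelta(hours=1)):
    """Return (finding, account) tuples for dormant and apparently shared accounts.

    DORMANT: an enabled account with no successful login in `dormant_days`
             (or none at all in the log).
    SHARED:  an account with successful logins from >= `shared_sources`
             distinct sources inside any `shared_window` (heuristic assumption).
    """
    last_ok = {}                 # account -> most recent successful login
    logins = defaultdict(list)   # account -> [(ts, src), ...] for successes
    for line in log_lines:
        ev = parse_line(line)
        if ev is None or not ev["ok"]:
            continue             # skip unparseable lines and failed attempts
        logins[ev["user"]].append((ev["ts"], ev["src"]))
        if ev["user"] not in last_ok or ev["ts"] > last_ok[ev["user"]]:
            last_ok[ev["user"]] = ev["ts"]

    findings = []
    for acct in sorted(enabled_accounts):
        last = last_ok.get(acct)
        if last is None or (now - last).days > dormant_days:
            findings.append(("DORMANT", acct))

    for acct, events in logins.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            # Distinct sources seen from this login until the window closes
            window_sources = {src for t, src in events[i:] if t - ts <= shared_window}
            if len(window_sources) >= shared_sources:
                findings.append(("SHARED", acct))
                break
    return findings


# Constructed sample data (not real log output)
NOW = datetime(2025, 7, 16, 12, 0, 0, tzinfo=timezone.utc)
ENABLED_ACCOUNTS = {"alice", "bob", "carol", "svc_backup"}
SAMPLE_LOG = [
    "2025-07-15T08:12:03Z user=alice src=10.0.0.5 result=success",
    "2025-03-01T09:00:00Z user=bob src=10.0.0.9 result=success",        # last login 137 days ago
    "2025-07-15T10:00:00Z user=svc_backup src=10.0.1.1 result=success",
    "2025-07-15T10:05:00Z user=svc_backup src=10.0.1.2 result=success",
    "2025-07-15T10:20:00Z user=svc_backup src=10.0.1.3 result=success",  # 3 sources in 20 minutes
    "2025-07-15T11:00:00Z user=alice src=10.0.0.77 result=failure",      # failures are ignored
    "this line is not in the expected format",
]


def sample_findings():
    """Run the audit on the constructed sample; carol never logs in at all."""
    return audit_accounts(SAMPLE_LOG, ENABLED_ACCOUNTS, NOW)


if __name__ == "__main__":
    for kind, acct in sample_findings():
        print(f"{kind:8} {acct}")
```

On the constructed sample the audit reports `bob` and `carol` as dormant and `svc_backup` as shared. The shared-account heuristic is only a prompt for investigation: a legitimately load-balanced service may trip it, which is exactly the kind of judgement an auditor should apply rather than a script.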

Furthermore, the integrity of an organisation's network is often undermined by outdated software and unpatched systems. Patch management is a continuous battle against known vulnerabilities. 

Auditors must assess the timeliness and completeness of patch application, particularly for critical vulnerabilities. The presence of legacy systems no longer receiving vendor support is a significant red flag, as they represent a perpetual security risk. 

Similarly, a flat network architecture, lacking proper network segmentation, poses an immediate threat. If an attacker gains access to one part of such a network, they can easily move laterally. 

Best practice dictates a ‘deny-all, permit-by-exception’ approach to firewall configurations. CISOs should examine firewall rules to ensure they are restrictive, regularly reviewed and align with the principle of least privilege.
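A rule review of the kind recommended above can be partly automated. The following is an added example, not code from the article or from Forvis Mazars: it assumes a simplified, constructed rule representation (action, source, destination, protocol, destination port, last review date) rather than any vendor's export format, and it uses assumed thresholds (a source of /16 or wider counts as broad, a port range of 1000 or more counts as broad, rules unreviewed for more than 90 days are stale, and TCP 22 and 3389 are treated as management ports).

```python
"""Audit a simplified firewall ruleset for 'deny-all, permit-by-exception' hygiene.

Added example. The rule format, thresholds and management-port list are
assumptions for illustration, not a vendor format or a standard.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    proto: str           # "tcp", "udp" or "any"
    dport: str           # single port, "lo-hi" range, or "any"
    last_reviewed: date


MGMT_PORTS = {"22", "3389"}      # assumption: SSH and RDP count as management ports


def _is_any(field):
    return field.lower() == "any"


def _src_is_broad(cidr):
    """'any' or a prefix wider than /16 is treated as an unbounded source."""
    if _is_any(cidr):
        return True
    return ip_network(cidr, strict=False).prefixlen < 16


def _port_is_broad(dport):
    """'any' or a range spanning 1000+ ports is treated as unbounded."""
    if _is_any(dport):
        return True
    if "-" in dport:
        lo, hi = (int(p) for p in dport.split("-", 1))
        return hi - lo >= 1000
    return False


def audit_ruleset(rules, default_policy, today, review_days=90):
    """Return (finding, subject) tuples; an empty list means no red flags."""
    findings = []
    if default_policy.lower() != "deny":
        findings.append(("DEFAULT_POLICY", default_policy))   # must be deny-all
    for r in rules:
        if r.action == "allow":
            if _is_any(r.src) and _is_any(r.dst) and _is_any(r.dport):
                findings.append(("ANY_ANY_ALLOW", r.name))
            elif _src_is_broad(r.src) and _port_is_broad(r.dport):
                findings.append(("OVERLY_BROAD_ALLOW", r.name))
            elif (_src_is_broad(r.src) and r.proto in ("tcp", "any")
                  and r.dport in MGMT_PORTS):
                findings.append(("MGMT_PORT_EXPOSED", r.name))
        if (today - r.last_reviewed).days > review_days:
            findings.append(("STALE_RULE", r.name))       # not "regularly reviewed"
    return findings


# Constructed sample rulesets (not taken from any real device)
TODAY = date(2025, 7, 16)

PERMISSIVE_RULES = [
    Rule("legacy-any", "allow", "any", "any", "any", "any", date(2023, 1, 10)),
    Rule("rdp-open", "allow", "0.0.0.0/0", "10.0.0.5/32", "tcp", "3389", date(2025, 6, 1)),
    Rule("web", "allow", "any", "10.0.1.10/32", "tcp", "443", date(2025, 7, 1)),
]

HARDENED_RULES = [
    Rule("web", "allow", "any", "10.0.1.10/32", "tcp", "443", date(2025, 7, 1)),
    Rule("rdp-admin", "allow", "10.20.0.0/24", "10.0.0.5/32", "tcp", "3389", date(2025, 7, 1)),
    Rule("deny-rest", "deny", "any", "any", "any", "any", date(2025, 7, 1)),
]


def audit_permissive():
    return audit_ruleset(PERMISSIVE_RULES, "allow", TODAY)


def audit_hardened():
    return audit_ruleset(HARDENED_RULES, "deny", TODAY)


if __name__ == "__main__":
    print("permissive:", audit_permissive())
    print("hardened:  ", audit_hardened())
```

The permissive ruleset produces four findings (default policy not deny, an any/any/any allow that is also stale, and RDP reachable from an unbounded source), while the hardened one, which keeps the public web listener but confines RDP to an admin subnet behind an explicit final deny, produces none. The same checks generalise to any rule export once it is mapped onto the `Rule` fields.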

The widespread adoption of remote work has introduced new vulnerabilities, making unsecured remote access a growing concern. 

While Virtual Private Networks (VPNs) are essential for secure remote access, their effectiveness is contingent on robust configurations, including strong authentication and granular access controls that restrict users to only necessary resources. 

CISOs should also verify that policies and controls are in place to ensure the security of devices used for remote access.

Another significant area of concern is incident response. An incident response plan is crucial, but its mere existence doesn't guarantee readiness. Security audits must go beyond documentation review to assess the practical readiness and effectiveness of an organisation's incident response capabilities. 

This includes evaluating the presence of regular, practical training for all relevant personnel, conducting simulated drills, and scrutinising the robustness of logging and monitoring of security incidents themselves.

While many organisations outsource their cybersecurity risk management, this too presents its own complexities. A major red flag is when a third-party provider offers a generic ‘one-size-fits-all’ solution rather than a tailored approach specific to an organisation's unique risk profile. 

Over-reliance on outsourcing can also lead to a decline in internal cybersecurity expertise. The growing trend of organisations bringing cybersecurity functions in-house, by appointing dedicated CISOs, reflects a recognition of the need for dedicated, specialised expertise and greater control over their security posture.

The rise of Shadow IT, where employees use unauthorised software or services, further complicates the security landscape. This practice introduces unvetted vulnerabilities into the network, as applications downloaded from unsecured websites can harbour malware or create unintended open ports. 

Businesses should examine their policies and technical controls designed to prevent unauthorised software installations, often by locking down devices to allow downloads only with administrator rights.

To provide true value, IT audits must transcend compliance. This necessitates risk-based auditing, where the audit approach is tailored to the organisation's specific risk profile and industry. Auditors should conduct comprehensive cyber risk assessments and evaluate the maturity of cybersecurity frameworks. 

Crucially, the goal is not merely to identify flaws but to provide actionable recommendations that empower organisations to proactively reduce risk, aligning with their unique security needs and safeguarding their critical assets in an increasingly interconnected and threat-laden world.


Copyright @ 1996 - 2025 ITWeb Limited. All rights reserved.