If your business has VPN for remote access and multi-factor authentication on your email and Microsoft 365, you are doing better than many. You have made sensible decisions, and the people who advised you were right to recommend them. The problem is that the threat landscape has moved, and those two controls, which were considered strong three or four years ago, are no longer sufficient on their own — and under POPIA, a breach that exposes personal information carries real regulatory and reputational consequences for South African businesses. Understanding where managed threat detection fits as the next layer is now a core part of any serious security posture.
What VPN and MFA actually do
A VPN creates an encrypted tunnel between your device and a service or network. Traffic moving through that tunnel cannot easily be intercepted or read by someone sitting between you and the destination. That is a real and meaningful protection, particularly for remote workers using public or unfamiliar networks. It is a protection for traffic in transit, though: the tunnel does not inspect what passes through it, and it says nothing about whether the device at either end is clean.
Multi-factor authentication adds a second verification step on top of your password. Instead of a single credential that can be guessed, stolen, or reused, the person logging in must also prove their identity through a second channel: a code sent by SMS, a number generated by an authentication app, or a hardware key. The intention is that even if your password is compromised, it is not enough on its own to access the account. Those three kinds of second factor are not equally strong, and the difference matters for the attacks described below.
Both controls work. The issue is what they do not cover.
What attackers are doing instead
Attackers have adapted. The techniques now being used against VPN and MFA are not theoretical. We have seen them affect clients in the SME market directly.
One of our clients was targeted in an attack where the criminals had compromised a mobile network provider’s systems. This gave them the ability to intercept SMS messages. The client received a text that appeared in the same conversation thread as genuine messages from their bank, complete with the bank’s phone number. The message warned of fraudulent transactions and asked the user to log in through a provided link. When they did, the attacker in the middle collected both the password and the MFA code in real time, using them immediately to access the real account. The user saw everything that a legitimate session should look like and had no reason to suspect otherwise.
This attack technique is called adversary-in-the-middle. The criminal does not need to break your MFA. The fake page is a proxy to the real one: it passes your password and one-time code through in real time, and it also receives the session cookie the real service issues once the login succeeds, so the attacker's access outlives the code. Anything the user types can be relayed this way, including SMS and authenticator-app codes. A hardware security key built on FIDO2/WebAuthn is the exception, because its response is bound to the web address the browser is actually on; a proxy on a look-alike domain gets a response the real service will reject.
A second technique is MFA fatigue. Attackers who have obtained a password will trigger repeated authentication requests, sending notification after notification to a user's device at any hour of the day or night. Most people reject the first few. After twenty or thirty requests, often late at night when alertness is low, some users simply approve one to make the notifications stop. The attacker gets in. Push prompts that require the user to type a number shown on the login screen (number matching) remove the option of approving blindly, and a burst of denied prompts for one account is itself a signal worth alerting on.
A third is SIM swapping, where attackers convince a mobile provider to transfer a victim's number to a SIM card they control, giving them access to any SMS-based authentication codes. The intercepted SMS in the case above and SIM swapping both target the same weak factor, which is why SMS should be the last choice for a second factor wherever an app or hardware key is available.
The common thread across all of these is that the attacker is not breaking the technology. They are going around it, exploiting the human element or the trust we place in familiar-looking interactions.
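The relay described above, as an added simulation that is not part of this article and models no real bank, provider or client: a one-time code typed into a proxy page is forwarded unchanged and yields a session, while an origin-bound assertion of the kind a FIDO2 key produces fails, because the signed data names the proxy's domain rather than the real one. The domains, password and keys are constructed, and an HMAC over a shared device key stands in for the key's real public-key signature.

```python
"""Simulation of an adversary-in-the-middle (AiTM) phishing relay.

Constructed example: a one-time code typed by the user can be relayed
through the attacker's proxy unchanged, while an origin-bound assertion
(the WebAuthn/FIDO2 model) fails because the signed data names the phishing
domain, not the real one. No real service, domain, password or key is used;
an HMAC over a shared device key stands in for the key's public-key signature.
"""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://bank.example"          # assumed real site
PHISH_ORIGIN = "https://bank-secure.example"  # assumed attacker proxy domain


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as most authenticator apps generate it."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Service:
    """The real site: knows the password, the TOTP seed and the registered key."""

    def __init__(self, password: str, totp_secret: bytes, device_key: bytes):
        self.password = password
        self.totp_secret = totp_secret
        self.device_key = device_key
        self.sessions = set()

    def _issue_session(self) -> str:
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def login_with_otp(self, password: str, code: str, unix_time: int):
        """Password plus typed code: the service cannot tell who typed it, or where."""
        if password == self.password and hmac.compare_digest(code, totp(self.totp_secret, unix_time)):
            return self._issue_session()
        return None

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def login_with_assertion(self, challenge: bytes, client_origin: str, signature: bytes):
        """Relying-party check: the origin the browser reports must be ours, and the
        signature must cover that same origin."""
        if client_origin != REAL_ORIGIN:
            return None
        expected = hmac.new(self.device_key, challenge + client_origin.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, signature):
            return self._issue_session()
        return None


class Authenticator:
    """Stand-in for a hardware key. The browser, not the page, supplies the origin,
    so the key signs the domain the user is really on."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def sign(self, challenge: bytes, browser_origin: str):
        sig = hmac.new(self.device_key, challenge + browser_origin.encode(), hashlib.sha256).digest()
        return browser_origin, sig


class AitmProxy:
    """The phishing page: forwards the victim's input to the real site in real time
    and keeps whatever session the real site hands back."""

    def __init__(self, service: Service):
        self.service = service
        self.stolen_session = None

    def relay_otp(self, password: str, code: str, unix_time: int) -> bool:
        self.stolen_session = self.service.login_with_otp(password, code, unix_time)
        return self.stolen_session is not None

    def relay_assertion(self, victim_key: Authenticator) -> bool:
        challenge = self.service.challenge()                    # passed through untouched
        origin, sig = victim_key.sign(challenge, PHISH_ORIGIN)  # victim's browser is on the proxy domain
        as_signed = self.service.login_with_assertion(challenge, origin, sig)    # rejected: origin mismatch
        forged = self.service.login_with_assertion(challenge, REAL_ORIGIN, sig)  # rejected: signature mismatch
        self.stolen_session = as_signed or forged
        return self.stolen_session is not None


def run_simulation(unix_time: int = 1_700_000_000) -> dict:
    """Run both relays against a constructed bank and report what the attacker got."""
    totp_secret = b"constructed-totp-seed"
    device_key = b"constructed-device-key"
    bank = Service("correct horse battery staple", totp_secret, device_key)
    proxy = AitmProxy(bank)
    # 1. Victim types password and the current app code into the proxy page.
    otp_relayed = proxy.relay_otp("correct horse battery staple", totp(totp_secret, unix_time), unix_time)
    # 2. Victim taps a hardware key on the proxy page.
    key = Authenticator(device_key)
    assertion_relayed = proxy.relay_assertion(key)
    # 3. Control: the same key on the real site still works.
    ch = bank.challenge()
    legit = bank.login_with_assertion(ch, *key.sign(ch, REAL_ORIGIN)) is not None
    return {"otp_relayed": otp_relayed, "assertion_relayed": assertion_relayed, "legitimate_key_login": legit}


if __name__ == "__main__":
    print(run_simulation())  # {'otp_relayed': True, 'assertion_relayed': False, 'legitimate_key_login': True}
```

The point the simulation makes is that the service verifying a typed code has no way to learn where the code was typed, whereas the origin check in `login_with_assertion` fails whether the proxy forwards the victim's response as-is or rewrites the origin field.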
The human factor
More than 80% of successful breaches involve a human action: clicking a link, approving a request, entering credentials into a convincing fake page, or connecting to a network without verifying it is legitimate. Technology controls protect the infrastructure, but humans remain the most consistently exploited part of any security posture.
Training and awareness make a meaningful difference here, not by making users into security experts, but by helping them recognise the situations that carry risk. Understanding that a public Wi-Fi network might not belong to the venue it claims to. Knowing that a bank will not ask you to verify your identity by clicking a link in an SMS. Recognising that a flood of authentication requests at midnight is an attack, not a technical error.
These are not complicated lessons. They are simply lessons that most people have never been taught.
Why managed threat detection closes the detection gap
Even with VPN, MFA, and good user awareness in place, the question remains: what happens if something gets through anyway?
When malware reaches a device, it rarely announces itself. It begins quietly: accessing files, monitoring activity, preparing to spread. On a network without active monitoring, this can continue for days before anyone notices. The first sign is often a machine running slowly, or files that cannot be opened, or storage that has inexplicably filled. By that point, the malware has had significant time to move through the network.
This is the gap that detection fills. A threat detection and response service monitors device behaviour and file system changes continuously, looking for activity that falls outside normal patterns: new processes running at unusual times, files being accessed in unexpected sequences, changes to system configurations. When something suspicious is detected, the response is measured in minutes, not hours or days.
Huntress, the endpoint detection and response platform we deploy for clients, is able to assess a detected threat within three minutes. Depending on what is found, a compromised machine can be quarantined and isolated from the network while remaining accessible for investigation, stopping any spread before it reaches other devices. Remediation, rebuilding, or recovery can then happen on a controlled timeline rather than during an active crisis.
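As an added illustration of the behavioural rules described above (example code written for this page, not Huntress's or any vendor's detection logic), the block below runs two such rules over a constructed batch of endpoint events: a process started at an unusual hour from a user-writable folder, and a burst of file renames to an unfamiliar extension, the pattern a ransomware process produces. Hostnames, paths, timestamps and field names are all made up for the example, and the business-hours window and thresholds are assumptions.

```python
"""Behavioural detection over constructed endpoint telemetry.

Constructed example of the kind of rules an EDR applies: a process launched
at an unusual hour from a user-writable path, and a burst of renames to an
unknown extension (ransomware behaviour). Hostnames, paths and times are
made up; the event field names are this example's own, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(7, 19)  # assumed 07:00 to 18:59
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "pptx", "txt", "tmp", "csv"}
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 5


def _ext(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def unusual_hour_process(events):
    """Rule 1: an executable started outside business hours from a user-writable location."""
    alerts = []
    for e in events:
        if e["type"] != "process":
            continue
        started = datetime.fromisoformat(e["ts"])
        image = e["image"].lower()
        if started.hour not in BUSINESS_HOURS and any(m in image for m in USER_WRITABLE):
            alerts.append({"host": e["host"], "pid": e["pid"], "rule": "unusual_hour_process",
                           "detail": f"{e['image']} started {e['ts']} (parent {e['parent']})"})
    return alerts


def rename_burst(events):
    """Rule 2: one process renames many files to an unknown extension within a short window."""
    per_process = defaultdict(list)
    for e in events:
        if e["type"] != "file" or e["op"] != "rename":
            continue
        new_ext = _ext(e["new_path"])
        if new_ext not in KNOWN_EXTENSIONS and new_ext != _ext(e["path"]):
            per_process[(e["host"], e["pid"])].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for (host, pid), times in per_process.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append({"host": host, "pid": pid, "rule": "rename_burst",
                               "detail": f"{end - start + 1} renames to unknown extensions within {BURST_WINDOW.seconds}s"})
                break
    return alerts


def detect(events):
    """Run both rules and decide a response per (host, pid)."""
    alerts = unusual_hour_process(events) + rename_burst(events)
    rules_hit = defaultdict(set)
    for a in alerts:
        rules_hit[(a["host"], a["pid"])].add(a["rule"])
    for a in alerts:
        # a rename burst is destructive, so the host is isolated; a lone odd-hour start is investigated
        a["action"] = "isolate_host" if "rename_burst" in rules_hit[(a["host"], a["pid"])] else "investigate"
    return alerts


def constructed_events():
    """Made-up telemetry: one malicious process at 02:14 and one benign Word save at 09:06."""
    base = datetime(2024, 3, 12, 2, 14, 3)
    events = [{"ts": base.isoformat(), "host": "FIN-PC-07", "type": "process", "pid": 4412,
               "image": "C:\\Users\\thabo\\AppData\\Local\\Temp\\update.exe", "parent": "outlook.exe"}]
    for i in range(8):  # eight renames in under 30 seconds
        events.append({"ts": (base + timedelta(seconds=2 + 3 * i)).isoformat(), "host": "FIN-PC-07",
                       "type": "file", "pid": 4412, "op": "rename",
                       "path": f"C:\\Shares\\Finance\\report{i}.xlsx",
                       "new_path": f"C:\\Shares\\Finance\\report{i}.xlsx.lk9"})
    events.append({"ts": "2024-03-12T09:06:00", "host": "HR-PC-02", "type": "process", "pid": 1201,
                   "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                   "parent": "explorer.exe"})
    events.append({"ts": "2024-03-12T09:06:30", "host": "HR-PC-02", "type": "file", "pid": 1201, "op": "rename",
                   "path": "C:\\Users\\lerato\\Documents\\~WRL001.tmp",
                   "new_path": "C:\\Users\\lerato\\Documents\\policy.docx"})
    return events


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

Real products weigh many more signals than these two, but the shape is the same: a rule fires on behaviour rather than on a known file hash, and the decision to isolate is taken on the combination of what a process is doing and where it came from, not on whether anyone on the network has noticed a slow machine yet.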
What managed threat detection catches is precisely what VPN and MFA leave unaddressed: the threat that has already arrived, is already on a device, and is working quietly toward something worse.
What to do next
There is no single upgrade that applies to every business. The right next step depends on your current environment, what you have already implemented, and where the gaps actually are. That is why the most useful starting point is visibility: understanding what your infrastructure looks like, whether your MFA configuration is as strong as it could be, whether there are mail forwarding rules or access permissions that have not been reviewed in years, and whether the controls you believe are in place are actually functioning as intended.
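One of those checks, as an added example that is not part of this article: a review of inbox rules for auto-forwarding to addresses outside the organisation, a persistence mechanism attackers commonly leave behind after a mailbox compromise so that copies of mail keep arriving after the password is changed. The rules are shaped like Microsoft Graph messageRule objects (the form the inbox messageRules endpoint returns) but are constructed here; the organisation's domain and the addresses are made up, and the severity rating is this example's own heuristic.

```python
"""Review of mailbox inbox rules for external auto-forwarding.

Added example: walks rules shaped like Microsoft Graph `messageRule` objects
(actions.forwardTo / redirectTo / forwardAsAttachmentTo, each a list of
recipients carrying emailAddress.address) and reports any that send mail
outside the organisation, noting when the rule also hides the copies.
The rules, domain and addresses below are constructed, not real.
"""

INTERNAL_DOMAINS = {"example.co.za"}  # assumed: the organisation's own mail domains
FORWARD_ACTIONS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")
HIDING_ACTIONS = ("delete", "permanentDelete", "markAsRead", "moveToFolder")


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def _looks_hidden(name: str) -> bool:
    """Heuristic: attackers often name rules with a blank or a single character."""
    return len(name.strip()) <= 1


def review_rules(mailbox: str, rules: list, internal_domains=INTERNAL_DOMAINS) -> list:
    """Return one finding per rule that forwards or redirects mail to an external address."""
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        external = []
        for action in FORWARD_ACTIONS:
            for recipient in actions.get(action) or []:
                addr = recipient["emailAddress"]["address"]
                if _domain(addr) not in internal_domains:
                    external.append((action, addr))
        if not external:
            continue
        name = rule.get("displayName") or ""
        hides = [a for a in HIDING_ACTIONS if actions.get(a)]
        findings.append({
            "mailbox": mailbox,
            "rule": name or "<unnamed>",
            "enabled": rule.get("isEnabled", True),
            "external": external,
            "hides_copy": bool(hides),
            # hiding the forwarded mail, or a deliberately unobtrusive name, is the BEC pattern
            "severity": "high" if hides or _looks_hidden(name) else "medium",
        })
    return findings


def constructed_rules() -> list:
    """Made-up rules: one benign filing rule, one attacker rule, one legitimate-looking
    external forward that still needs a human to confirm it, one internal redirect."""
    return [
        {"displayName": "Project Alpha", "isEnabled": True,
         "conditions": {"subjectContains": ["Alpha"]},
         "actions": {"moveToFolder": "folder-id-projects", "markAsRead": False}},
        {"displayName": ".", "isEnabled": True,
         "conditions": {"bodyContains": ["invoice", "payment", "banking details"]},
         "actions": {"forwardTo": [{"emailAddress": {"address": "finance.backup@mail-archive-host.example"}}],
                     "markAsRead": True, "delete": True}},
        {"displayName": "Send to accountant", "isEnabled": True,
         "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "books@accountant.example"}}]}},
        {"displayName": "Old CC", "isEnabled": False,
         "actions": {"redirectTo": [{"emailAddress": {"address": "ops@example.co.za"}}]}},
    ]


if __name__ == "__main__":
    for finding in review_rules("thabo@example.co.za", constructed_rules()):
        print(finding)
```

Inbox rules are only one of the places mail can leave a tenant: mailbox-level forwarding set on the mailbox itself and organisation-wide transport rules should be reviewed alongside them, and a "medium" finding such as the accountant forward is a question for the mailbox owner, not automatically a compromise.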
A security assessment does not require a major project or a significant budget. A structured review of your current environment will identify the things most likely to create exposure and will give you a clear picture of where your next investment should go. A managed cyber security partner should be able to provide that review and tell you clearly what they find.
VPN and MFA are worth keeping. They are good controls. But a business that believes those two things represent a complete security posture is not fully covered. The attackers know what those controls do, and they have built their techniques around them.
The question is whether you know what comes next.
