Employees, even the most loyal, hardworking and dedicated ones, could inadvertently be the source of your most dangerous security breaches, including data theft, industrial espionage, blatant hacks and viruses. They could be exposing you to non-compliance litigation without even realising it.

Exponant has launched its Security Risk and Compliance solution, which brings together the best technologies and methodologies that organisations can adopt to mitigate risk. We have adopted a three-pronged approach in our Security Risk and Compliance solution for risk reduction:

  • Security software;
  • Behavioural Solutions; and
  • A focus on compliance.


When it comes to data security, Microsoft follows a shared responsibility model. In this model, they differentiate between the processor role, which is that of Microsoft, the software vendor and your IT team, and the controller role, which rests firmly with the user; herein lies your biggest risk.

Microsoft’s responsibilities include the prevention of hardware and software failure, uptime during natural disasters and power outages, and providing the required functionality when an authorised user requests the service. The IT team supports this responsibility by deploying security software such as e-mail protection and firewalls, and by configuring the software so it is secure, authenticated and impermeable to malicious parties.

The controller or user is responsible for avoiding human error and for protecting the system from hackers and phishing attacks, and it is these last two that are potentially the deadliest.

With everyone working from home these days and much of the software self-service, coupled with Microsoft’s frequent updates and automatic patch installations, even novice users are getting used to the concept of assisting themselves. Hackers and phishing attackers are exploiting the empowered user’s naivety to take control of their PCs and potentially the system. It is generally human error that results in security breaches of this nature. Remote workers also lack enterprise-level security measures when they are offsite.

While some fraudsters take the approach of using sensationalist news and conspiracies to lure users into opening an attachment or link, the more insidious angles tend to imitate everyday corporate communication.

The imitation of file-sharing platforms like Dropbox, OneDrive and SharePoint is a prime example, with fake notification e-mails that contain links to spoofed login pages. Others seek to replicate secure document delivery services, invoices, purchase orders or delivery service tracking updates.

These days, IT teams are deploying ever more secure e-mail software to combat this surge. Exponant has partnered with SYNAQ because of its advanced spam detection, 100% virus protection and Identity Threat Protection (ITP). It also has an excellent reputation for:

  • A secure, powerful and user-friendly administration interface;
  • Detailed reporting that provides true insight into e-mail usage, top threats and bandwidth savings across the organisation; and
  • No installations – businesses are set up and protected within 24 hours.


Behavioural solutions

But as we have noted, human error is so often responsible for the unintended damage. We need to look at behavioural solutions too. Exponant has investigated the ambit of risk containment and has identified three other major interventions to mitigate the damage.

The first is regular system audits and backups: Exponant provides this service on an SLA basis to our clients. The second is intense change management around creating awareness of the risks, with security training that goes beyond the usual organisational policies. The third is a critical analysis of the legislative environment in South Africa. Exponant’s change management methodology is unique in that it not only provides the training and communication, but also manages security help desks as additional support for a change in behaviour.


The Protection of Personal Information Act (POPI Act) sets a standard for the processing of South Africans’ personal information by public and private bodies within and outside of the country’s borders. Organisations doing business in South Africa need to ensure their information security practices are updated to meet POPI compliance. Exponant has developed a POPI compliance methodology to help our clients meet this challenge. Exponant works very closely with Microsoft and uses its state-of-the-art application of M365 as the technological backbone of compliance.

By adopting a holistic three-pronged approach, Exponant is now offering this Security Risk and Compliance solution for risk reduction, which will enable its clients to focus on productivity.