Rupert Marais joins us to navigate the increasingly complex intersection of cybersecurity and operational resilience. As an in-house specialist with deep expertise in endpoint protection and network management, Rupert has witnessed firsthand how traditional defense perimeters are crumbling under the weight of sophisticated, AI-driven threats. He advocates for a holistic approach where prevention and recovery are no longer treated as separate departments, but as a unified strategy to keep businesses running in the face of inevitable breaches.
With AI-generated phishing lures and brand impersonation now bypassing traditional defenses, how specifically has the threat landscape shifted for MSPs?
The shift we are seeing is a move away from the “volume” approach toward terrifyingly accurate personalization. In the past, we could rely on identifying poor grammar or suspicious metadata, but AI now allows attackers to craft flawless lures that mimic the exact tone and style of a CEO or a trusted vendor. We evaluate the failure of current email security by looking at the bypass rate of traditional filters—specifically how many malicious lures reach an inbox despite having “green” security status. When an employee receives a perfectly phrased email that appears to come from a legitimate brand they interact with daily, the mechanical barrier of a gateway is essentially neutralized. It creates a high-pressure environment for MSPs where the “human firewall” is being tested by machine-precision deception every single hour.
Attackers are increasingly leveraging trusted infrastructure and legitimate SaaS platforms to gain access. What are the specific risks associated with this trend, and what step-by-step process should an MSP follow to detect an intruder who is using authorized tools to hide their movement?
The primary risk is what I call “living off the cloud,” where an attacker uses an organization’s own authorized SaaS tools to move laterally without triggering a single signature-based alarm. To combat this, an MSP must first establish a baseline of “normal” behavior across all SaaS environments to identify anomalies, such as an unusual sync of high-volume data to an external source. Next, they need to implement integrated monitoring that flags whenever administrative privileges are modified or when new, unauthorized integrations are added to the platform. Finally, the process involves cross-referencing login locations with known user profiles to catch “impossible travel” scenarios where a user appears to log in from two different continents within minutes. It is about moving from “who has the key?” to “what is the key-holder actually doing?”
Many organizations find that prevention alone is no longer enough to maintain uptime during a breach. Why do traditional security silos fail after an initial compromise, and what are the practical trade-offs when balancing immediate containment against the need for rapid operational recovery?
Traditional silos fail because the security team is focused entirely on killing the threat, while the recovery team is often left in the dark about which systems are actually clean and safe to restore. When a compromise occurs, the immediate reaction is often to “pull the plug” on everything, but this can lead to catastrophic downtime that is arguably more damaging than the breach itself. The trade-off involves making a calculated risk: do you isolate the entire network and stop all revenue-generating activity, or do you attempt surgical containment that allows some systems to remain online? We find that without a unified strategy, the recovery process is delayed by hours or even days because the teams are working with different sets of data and conflicting priorities. It is a stressful tug-of-war where the business’s survival hangs on how quickly these two disciplines can speak the same language.
Business email compromise and ransomware can lead to catastrophic data loss if recovery plans are not robust. Beyond simple backups, what specific elements must be included in a modern BCDR plan, and can you share an anecdote where a SaaS-specific backup saved a client from permanent disruption?
A modern Business Continuity and Disaster Recovery (BCDR) plan must include automated orchestration, immutable storage, and a clear “order of operations” for which applications come back online first. I remember a case where a client’s primary SaaS productivity suite was hit by a malicious third-party app integration that began encrypting their cloud-stored files in real time. Because they had a SaaS-specific backup separate from the platform’s native “trash bin,” we were able to roll back their entire environment to the state it was in just minutes before the infection started. Without that dedicated backup layer, they would have been forced to negotiate with attackers or manually rebuild thousands of collaborative documents. It turned what could have been a business-ending week of data loss into a minor four-hour inconvenience.
Since cyber resilience now depends on combining detection with rapid recovery, how should MSPs restructure their service offerings to integrate these two disciplines?
MSPs need to stop selling “Security” and “Backup” as two different line items on a menu and start offering “Cyber Resilience” as a single, inseparable service. This means your Security Operations Center (SOC) must have a direct line to your recovery team, ensuring that the moment a threat is detected, the recovery playbooks are already being prepped for execution. The key performance indicators (KPIs) we use to prove success shift from “number of blocked threats” to “Mean Time to Recovery” (MTTR) and “percentage of data successfully restored within the RTO window.” When you show a client that you can reduce their downtime from forty-eight hours to just two following a destructive attack, you aren’t just a service provider—you are their business’s life insurance policy.
What is your forecast for the evolution of AI-driven cybercrime and MSP defense strategies?
In the coming years, we will see “autonomous attacks” where AI agents can probe a network, identify vulnerabilities, and execute a multi-stage breach faster than any human operator could ever react. To survive this, MSP defenses will have to pivot toward “automated response” where the system doesn’t just alert a technician, but proactively isolates compromised assets and initiates a recovery sequence instantly. We are moving toward a world where the battle is fought machine-versus-machine, and the winners will be the MSPs who have fully integrated their detection and recovery stacks into a single, lightning-fast response engine. The margin for human error is shrinking to zero, so our strategy must focus on building systems that can heal themselves before the admin even gets the notification on their phone.
