Cybersecurity Checklist for SA SMEs.

10 essential measures to protect your business from ransomware, phishing, and data breaches.

Published: 2 April 2026 | By AOLC


South Africa has one of the highest cybercrime rates in Africa. In 2025 alone, SA businesses lost an estimated R2.2 billion to cybercrime, with ransomware and business email compromise leading the charge. If you are running a small or medium business, these 10 measures are non-negotiable.

The good news is that most cyberattacks exploit basic weaknesses — weak passwords, unpatched systems, untrained staff. You do not need a massive budget to protect your business. You need the right foundations in place.

The 10-Point Checklist.

1. Multi-Factor Authentication (MFA)

Enable MFA on every account — especially email, admin portals, VPN, and cloud services. MFA is the single most effective security measure you can implement. Even if a password is compromised, the attacker cannot get in without the second factor. Microsoft reports that MFA blocks 99.9% of automated attacks.

Action: Enable MFA on Microsoft 365, Google Workspace, banking, and any system that supports it. Use an authenticator app rather than SMS wherever possible.

2. Email Security

91% of cyberattacks start with a phishing email. Your email platform needs anti-phishing, anti-spoofing, and anti-malware protection. Configure SPF, DKIM, and DMARC records for your domain — these let receiving mail servers detect and reject messages that forge your company's domain.

Action: Verify your DNS records include SPF, DKIM, and DMARC. Enable advanced threat protection on your email platform. Review quarantined emails weekly.
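To turn "verify your DNS records" into a repeatable check, here is an added example (not AOLC's code, and not part of the original post) that audits a domain's SPF, DMARC and DKIM TXT records for the weaknesses that commonly leave a domain spoofable: a missing record, SPF ending in `+all` or `?all`, too many DNS-querying mechanisms, DMARC left at `p=none`, no reporting address, or a partial `pct`. The domain names and TXT records in `SAMPLE_TXT` are constructed so the script runs offline; `lookup_txt()` is a stand-in for a real resolver, and the DKIM selector (`selector1` here) is an assumption, since each mail provider publishes its own.

```python
"""Audit SPF, DMARC and DKIM TXT records for common weaknesses.

Added example; not AOLC's code. SAMPLE_TXT is constructed for offline use.
In production, replace lookup_txt() with a real DNS query (for example
dns.resolver.resolve(name, "TXT") from the dnspython package).
"""
import re

# Constructed sample TXT records keyed by DNS name (not real domains).
SAMPLE_TXT = {
    "example-sme.co.za": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example-sme.co.za": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example-sme.co.za; pct=100"
    ],
    # p= value is a constructed placeholder, not a real public key.
    "selector1._domainkey.example-sme.co.za": ["v=DKIM1; k=rsa; p=MIIBIjANBgplaceholder"],
    "weak-sme.co.za": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.weak-sme.co.za": ["v=DMARC1; p=none; rua=mailto:dmarc@weak-sme.co.za"],
    "open-sme.co.za": ["v=spf1 +all"],
}


def lookup_txt(name, records=SAMPLE_TXT):
    """Return the TXT strings published at a DNS name (stand-in resolver)."""
    return records.get(name, [])


def parse_tags(record):
    """Split a 'k=v; k=v' style record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain, records=SAMPLE_TXT):
    """Return a list of findings for the domain's SPF record (empty means fine)."""
    findings = []
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return [f"no SPF record for {domain}"]
    if len(spf) > 1:
        findings.append("more than one SPF record; receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism; senders not listed get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("ends with +all: any host on the internet may send as this domain")
        elif qualifier == "?":
            findings.append("ends with ?all: neutral result gives no protection")
    # RFC 7208 allows at most 10 DNS-querying mechanisms/modifiers per evaluation.
    dns_terms = ("include", "a", "mx", "ptr", "exists", "redirect")
    lookups = sum(1 for t in terms
                  if re.split(r"[:/=]", t.lstrip("+-~?"))[0].lower() in dns_terms)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms (limit is 10); SPF will permerror")
    return findings


def check_dmarc(domain, records=SAMPLE_TXT):
    """Return findings for the _dmarc.<domain> record (empty means fine)."""
    name = f"_dmarc.{domain}"
    dmarc = [r for r in lookup_txt(name, records) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return [f"no DMARC record at {name}"]
    findings = []
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"invalid or missing policy tag p={policy!r}")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


def check_dkim(domain, selector, records=SAMPLE_TXT):
    """Return findings for the DKIM key at <selector>._domainkey.<domain>."""
    name = f"{selector}._domainkey.{domain}"
    recs = lookup_txt(name, records)
    if not recs:
        return [f"no DKIM key at {name} (confirm the selector with your mail provider)"]
    if not parse_tags(recs[0]).get("p"):
        return [f"DKIM key at {name} has an empty p= tag, meaning the key is revoked"]
    return []


def audit_domain(domain, dkim_selector=None, records=SAMPLE_TXT):
    """Run all checks and flag ok=True only when every list of findings is empty."""
    report = {"spf": check_spf(domain, records), "dmarc": check_dmarc(domain, records)}
    if dkim_selector:
        report["dkim"] = check_dkim(domain, dkim_selector, records)
    report["ok"] = not any(v for k, v in report.items() if k != "ok")
    return report


if __name__ == "__main__":
    for dom, sel in (("example-sme.co.za", "selector1"),
                     ("weak-sme.co.za", None), ("open-sme.co.za", None)):
        print(dom, audit_domain(dom, sel))
```

Run it against your own domain by swapping `lookup_txt()` for a real resolver; a `p=none` DMARC policy is the usual finding on SME domains that "have DMARC", and it stops nothing until it is moved to `quarantine` or `reject`.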

3. Endpoint Protection

Every device that connects to your network needs next-generation antivirus and endpoint detection and response (EDR). Standard Windows Defender is a starting point, but a managed endpoint solution gives you centralised visibility, threat hunting, and automatic response.

Action: Deploy a managed endpoint protection platform across all desktops, laptops, and mobile devices. Ensure it reports to a central console.

4. Regular Backups

Follow the 3-2-1 rule: 3 copies of your data, on 2 different types of media, with 1 copy stored offsite (or in the cloud). Backups are your last line of defence against ransomware. But a backup you have never tested is not a backup — it is a hope.

Action: Automate daily backups. Store one copy offsite or in the cloud. Test your restores quarterly — actually restore a file and verify it works.
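"Actually restore a file and verify it works" is easier to do quarterly if the backup job records what it backed up. The following added example (not AOLC's code, not part of the original post) writes a SHA-256 manifest of the source tree at backup time and checks a restored tree against it, reporting files that are missing, changed, or unexpected. The sample files in `SAMPLE_FILES` and the `demo()` restore scenario are constructed; a real deployment would store the manifest alongside the backup copy and run `verify_restore()` against the test-restore directory.

```python
"""Record a SHA-256 manifest at backup time and verify a restore against it.

Added example; not AOLC's code. SAMPLE_FILES is a constructed stand-in for an
SME file share, and demo() simulates a restore with one corrupted and one
missing file so the verification has something to report.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed sample data (relative path -> file contents).
SAMPLE_FILES = {
    "invoices/2026-03.csv": b"client,amount\nAcme,12000\n",
    "hr/policy.txt": b"Leave policy v3\n",
    "config/backup.cfg": b"schedule=daily\n",
}


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root, manifest):
    """Compare a restored tree against the manifest taken at backup time."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "changed": sorted(p for p in manifest
                          if p in actual and actual[p] != manifest[p]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def write_sample(root, files=SAMPLE_FILES):
    """Create the constructed sample tree on disk."""
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo(corrupt=True):
    """Back up the sample tree, simulate a restore, and return the verdict.

    With corrupt=True one file is altered and one deleted after the copy,
    mimicking a partial or damaged restore; with corrupt=False the restore
    is clean and every list in the result is empty.
    """
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        write_sample(source)
        manifest = build_manifest(source)   # would be stored with the backup
        shutil.copytree(source, restored)   # stands in for the restore job
        if corrupt:
            (restored / "invoices/2026-03.csv").write_bytes(b"client,amount\nAcme,0\n")
            (restored / "hr/policy.txt").unlink()
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print("clean restore:", demo(corrupt=False))
    print("damaged restore:", demo(corrupt=True))
```

A restore test passes only when all three lists are empty; a changed file is the case that a simple "does the file exist" check misses, and it is exactly what a silently corrupted or partially encrypted backup looks like.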

5. Patch Management

Unpatched software is one of the most common attack vectors. Keep operating systems, applications, firmware, and browser plugins updated. Automate patching where possible — manual patching simply does not happen consistently enough.

Action: Enable automatic updates on all devices. Use a patch management tool for servers and business applications. Review patch compliance monthly.

6. Firewall & Network Security

A business-grade firewall is not optional. Consumer routers from your ISP do not provide the inspection, logging, or segmentation your business needs. Segment your network so that a compromised device in reception cannot reach your accounting server.

Action: Install a business-grade firewall with intrusion prevention. Segment your network into VLANs (staff, guests, servers, IoT). Review firewall rules annually.

7. Security Awareness Training

Your staff are your biggest security risk and your best defence. Train them to spot phishing emails, social engineering attempts, and suspicious activity. Do not just do this once — run quarterly training sessions with simulated phishing tests.

Action: Conduct quarterly security awareness training. Run simulated phishing campaigns. Recognise and reward staff who report suspicious emails.

8. Access Control

Apply the principle of least privilege: every staff member should only have access to the systems and data they need to do their job. When someone changes roles or leaves, their access must be updated immediately. Shared accounts must be eliminated.

Action: Audit user permissions quarterly. Remove access for departed staff on the same day. Eliminate shared accounts and generic logins.

9. Incident Response Plan

When (not if) a security incident happens, your team needs to know exactly what to do. Who do you call? What systems do you isolate? How do you communicate with clients? An incident response plan turns a potential catastrophe into a managed situation.

Action: Document your incident response plan. Include contact details for your IT provider, legal advisor, and insurance broker. Run a tabletop exercise annually.

10. POPIA Compliance

The Protection of Personal Information Act is not just a guideline — it is the law. Every South African business that processes personal information must comply. Non-compliance can result in fines of up to R10 million or imprisonment. Beyond the legal risk, POPIA compliance is simply good data hygiene.

Action: Appoint an Information Officer and register with the Information Regulator. Conduct a data audit to understand what personal information you hold and why. Implement data protection measures and document your processes.

How Many Do You Have?

Count how many of the 10 items above your business has fully implemented. Be honest — partially implemented does not count.

8–10: You are in good shape. Keep it up and review annually.

5–7: You have gaps that attackers will find. Address the missing items within 90 days.

Below 5: Your business is at serious risk. You need professional help — today, not next quarter.

How AOLC Can Help.

We help South African businesses implement every item on this checklist. Our Managed Security service covers ongoing protection, while our Security Assessments give you a clear picture of where you stand today.

We start with a free security assessment — no obligation, no sales pitch. We will review your current posture, identify the gaps, and give you a prioritised action plan. Whether you implement it yourself or ask us to help, you will know exactly what needs to be done.

Cybersecurity is not a product you buy once. It is an ongoing discipline. The businesses that treat it that way are the ones that survive.

Get a Free Security Assessment.

Find out where your business stands. We will assess your security posture and give you a clear, prioritised action plan — completely free.
