Building a Cybersecurity Plan: Essential Steps for South African SMBs

“It Won’t Happen to Us”, — Said Every Small Business Before the Breach

You’ve heard it before: “Cyberattacks only happen to big companies.” Unfortunately, South African hackers didn’t get that memo. In fact, 43% of cyberattacks in South Africa target SMBs, not corporates. And they’re not even complicated. We’re talking phishing emails, weak passwords, remote workers using free Wi-Fi at Mugg & Bean, and unsecured backups chilling in a dusty storeroom.

So… now what?

We’re glad you asked.

Here’s your no-fluff, easy-to-follow, totally South African guide to building a cybersecurity plan that won’t leave your business hanging when it matters most.

Step 1: Get the Bosses On Board (Yes, That Includes You)

Before you buy anything fancy, get leadership buy-in. If your decision-makers don’t understand why cybersecurity matters, nothing else will stick. And no — asking someone in the IT team to “just sort it out” won’t cut it.

• Appoint someone to lead the plan (even if that’s you). They don’t have to be a cybersecurity expert, but they do need to care, coordinate, and communicate.

Pro tip: Align cybersecurity to business goals — protecting client data, avoiding downtime, and complying with POPIA are all boardroom-friendly talking points.

Step 2: Know What You’re Protecting

You can’t defend what you don’t know. Start by listing your digital assets:

• Business laptops, phones, and tablets

• Servers, routers, and printers

• Cloud accounts (Microsoft 365, Google Workspace, Xero, etc.)

• Customer databases and financial records

• Staff access to anything sensitive

Now, do a quick risk assessment:

• What happens if this device/data is hacked, stolen, or lost?

• Who has access — and do they really need it?

This step helps you prioritise what matters. You don’t need Fort Knox-level security for your newsletter logins. But your accounting system? Lock it down like eTolls used to lock your bank account.

Step 3: Write Down the Rules (Your Cybersecurity Policy)

Don’t panic — this isn’t a thesis. A simple document with cyber hygiene rules is enough to start. You’ll want to cover:

• Acceptable use of work devices

• Password and authentication guidelines

• Email and internet usage (no, you can’t torrent at work, Jonathan)

• Remote work rules (especially around Wi-Fi and device storage)

• What to do if something goes wrong

Keep it in plain English. Make it part of onboarding. Update it yearly (at least).

Step 4: Set Up Strong Technical Defences

Here’s where we separate the businesses from the breached.

Let’s talk basics — and we mean absolute must-haves:

• Antivirus & Endpoint Protection – Lightweight tools that detect, isolate, and stop threats on every device

• Multi-Factor Authentication (MFA) – Especially on email, accounting systems, and cloud storage

• Firewalls & VPNs – Block external threats and encrypt sensitive connections

• Encrypted Backups – Ideally, cloud-based and offline, stored securely

• Patch Management – Regular software updates, because unpatched apps are open doors

• Access Control – Employees should only have access to what they need

South African note: Load shedding ruins everything. Invest in UPS systems or inverters for routers and firewalls to avoid critical downtime.

Step 5: Train Your Team (Because Humans Click Stuff)

You can spend thousands on firewalls… and lose everything to one “Click here to claim your Woolworths voucher” email. Cybersecurity training isn’t a once-off slideshow. It’s a habit.

Teach your team to:

• Spot phishing and social engineering attacks

• Use strong, unique passwords (and how to store them)

• Avoid public Wi-Fi without VPNs

• Report suspicious activity immediately

Free tools like Breach Secure Now (we can help with this) or custom internal quizzes are great options.

Make it fun. Add coffee and snacks. Throw in prizes. Just make it stick.

Step 6: Build an Incident Response Plan

You hope it never happens. But hope is not a strategy. An incident response plan ensures that when things go sideways, your team knows exactly what to do.

Your plan should include:

• What counts as a security incident?

• Who do we notify (clients, vendors, legal)?

• Who investigates, who contains, who communicates?

• Where are the backups, and who has access to them?

• How quickly must we respond?

Test it twice a year. Have a “fire drill” so you’re not fumbling if disaster strikes.

Step 7: Stay POPIA-Compliant (Without Going Grey)

The Protection of Personal Information Act (POPIA) isn’t just red tape. It’s about protecting your clients’ and employees’ sensitive data — and avoiding fines or reputational damage.

At a minimum, POPIA requires:

• Knowing what personal data you collect

• Having permission to collect it

• Securing it with appropriate controls

• Notifying users (and the regulator) in the event of a breach

Yes, this overlaps with your cybersecurity policy — that’s a good thing. It means you’re doing it right.

Step 8: Review. Test. Improve. Repeat.

Cybersecurity isn’t a one-time project. It’s an ongoing discipline.

Schedule a quarterly review:

• What’s changed in the business?

• Any new tools or users?

• Any attempted breaches or red flags?

Do an annual audit — even if it’s internal — and adjust your policies and tools accordingly. Use a basic spreadsheet tracker. Or let a Managed Security Services Provider (hi there 👋) do it for you.

Common Pitfalls to Avoid

🚫 Thinking you’re “too small” to be hacked
🚫 Blaming everything on “bad Wi-Fi”
🚫 Not investing in staff training
🚫 Using personal devices without policies
🚫 Forgetting backups… until it’s too late

When to Call In the Pros (a.k.a. Yolo)

Let’s face it — building a cybersecurity plan from scratch can feel like trying to assemble IKEA furniture without the manual (or the screws).

If you're feeling overwhelmed, under-resourced, or unsure where to start, Yolo has your back.

Ready to Build a Cybersecurity Plan That Actually Works?

At Yolo, we help South African businesses lock down their systems without locking up their budgets. Our managed cybersecurity services include:

• Firewalls, endpoint protection, and network monitoring
• Staff training tools that actually teach
• Load-shedding-resistant backups and failovers
• POPIA compliance guidance made simple
• Real human support (no call centre scripts here)

Let’s get your business secure — before someone else gets in.