“It Won’t Happen to Us”: Said Every Small Business Before the Breach
You’ve heard it before: “Cyberattacks only happen to big companies.” Unfortunately, the attackers targeting South African businesses didn’t get that memo. In fact, 43% of cyberattacks in South Africa target SMBs, not corporates. And they’re not even complicated. We’re talking phishing emails, weak or reused passwords, remote workers on free Wi-Fi at Mugg & Bean, and unsecured backups gathering dust in a storeroom.
So… now what?
We’re glad you asked.
Here’s your no-fluff, easy-to-follow, totally South African guide to building a cybersecurity plan that won’t leave your business hanging when it matters most.
Before you buy anything fancy, get leadership buy-in. If your decision-makers don’t understand why cybersecurity matters, nothing else will stick. And no — asking someone in the IT team to “just sort it out” won’t cut it.
Pro tip: Align cybersecurity to business goals — protecting client data, avoiding downtime, and complying with POPIA are all boardroom-friendly talking points.
You can’t defend what you don’t know. Start by listing your digital assets:
Business laptops, phones, and tablets
Servers, routers, and printers
Cloud accounts (Microsoft 365, Google Workspace, Xero, etc.)
Customer databases and financial records
Staff access to anything sensitive
Now, do a quick risk assessment:
What happens if this device/data is hacked, stolen, or lost?
Who has access — and do they really need it?
This step helps you prioritise what matters. You don’t need Fort Knox-level security for your newsletter logins (as long as they don’t share a password with anything that matters). But your accounting system? Lock it down like eTolls used to lock your bank account.
Next, write down the rules in a short security policy. At a minimum it should cover:
Acceptable use of work devices
Password and authentication guidelines
Email and internet usage (no, you can’t torrent at work, Jonathan)
Remote work rules (especially around Wi-Fi and device storage)
What to do if something goes wrong
Keep it in plain English. Make it part of onboarding. Update it yearly (at least).
Here’s where we separate the businesses from the breached.
Let’s talk basics — and we mean absolute must-haves:
Antivirus & Endpoint Protection – Lightweight tools that detect, isolate, and stop threats on every laptop, phone, and server
Multi-Factor Authentication (MFA) – Especially on email, accounting systems, cloud storage, and any admin account
Firewalls & VPNs – Firewalls limit what can reach your network (and what leaves it); VPNs encrypt traffic when staff work over networks you don’t control
Encrypted Backups – Ideally both cloud-based and offline, with at least one copy that ransomware on your network can’t reach; a backup you haven’t test-restored is a hope, not a backup
Patch Management – Regular software updates for operating systems, browsers, and business apps, because unpatched software is an open door
Access Control – Employees should only have access to what they need for their job, and that access should be removed the day they leave
South African note: Load shedding ruins everything. Invest in UPS systems or inverters for routers and firewalls to avoid critical downtime.
Teach your team to:
Spot phishing and social engineering attacks
Use strong, unique passwords (and how to store them)
Avoid public Wi-Fi without VPNs
Report suspicious activity immediately
Tools like Breach Secure Now (we can help with this) or custom internal quizzes are great options.
Make it fun. Add coffee and snacks. Throw in prizes. Just make it stick.
You hope it never happens. But hope is not a strategy. An incident response plan ensures that when things go sideways, your team knows exactly what to do.
Your plan should include:
What counts as a security incident?
Who do we notify (clients, vendors, legal)?
Who investigates, who contains, who communicates?
Where are the backups, and who has access to them?
How quickly must we respond?
Test it twice a year. Have a “fire drill” so you’re not fumbling if disaster strikes. And keep a printed or offline copy, with the contact numbers in it, because the systems that hold your plan may be the ones that are down.
The Protection of Personal Information Act (POPIA) isn’t just red tape. It’s about protecting your clients’ and employees’ sensitive data — and avoiding fines or reputational damage.
At a minimum, POPIA requires:
Knowing what personal data you collect
Having a lawful reason to collect it (usually consent, or a contract with the person)
Securing it with appropriate controls
Notifying affected people (and the Information Regulator) if it is compromised
Yes, this overlaps with your cybersecurity policy — that’s a good thing. It means you’re doing it right.
Cybersecurity isn’t a one-time project. It’s an ongoing discipline.
Schedule a quarterly review:
What’s changed in the business?
Any new tools or users?
Any attempted breaches or red flags?
Do an annual audit — even if it’s internal — and adjust your policies and tools accordingly. Use a basic spreadsheet tracker. Or let a Managed Security Services Provider (hi there 👋) do it for you.
🚫 Thinking you’re “too small” to be hacked
🚫 Blaming everything on “bad Wi-Fi”
🚫 Not investing in staff training
🚫 Using personal devices without policies
🚫 Forgetting backups… until it’s too late
Let’s face it — building a cybersecurity plan from scratch can feel like trying to assemble IKEA furniture without the manual (or the screws).
If you're feeling overwhelmed, under-resourced, or unsure where to start, Yolo has your back.
At Yolo, we help South African businesses lock down their systems without locking up their budgets. Our managed cybersecurity services include:
Let’s get your business secure — before someone else gets in.