Cybercrime isn't only an enterprise problem. Small and medium businesses are targeted precisely because attackers assume their defences are weaker — and too often, they're right. The good news is that the security measures that stop the overwhelming majority of attacks are practical, affordable, and well within reach of any Cape Town SME.
This guide brings the fundamentals together in one place. Work through it as a checklist. Where a topic deserves more depth, we link to a dedicated article in our IT Insights hub.
1. Lock down access with multi-factor authentication (MFA)
If you do only one thing after reading this guide, do this. Microsoft reports that MFA blocks 99.9% of automated account-compromise attacks. A stolen or guessed password is no longer enough to get in, because the attacker also needs the second factor — a prompt on your phone or a code from an authenticator app.
Where to start
Turn MFA on for every Microsoft 365 account, your accounting software, and any system that holds client or financial data. It takes minutes per user and is usually free with the licences you already pay for.
2. Move beyond traditional antivirus
Signature-based antivirus can only catch threats it has seen before. Modern attacks — zero-days, fileless malware, ransomware — are built specifically to slip past it.
A modern Endpoint Detection and Response (EDR) tool watches for suspicious behaviour rather than known files, and can isolate a device the moment something looks wrong.
Want to go deeper?
Read our article: Why Traditional Antivirus Isn't Enough — and What to Use Instead.
3. Back up your data — properly
Microsoft 365 is not a backup. OneDrive and SharePoint sync your files and keep them for a limited retention window, but they will not save you from accidental deletion discovered months later, a compromised account, or ransomware that encrypts synced files.
The 3-2-1 backup rule
Three copies
Keep at least three copies of your important data
Two media types
Store on two different types of media or storage
One off-site copy
Keep one copy off-site or in a separate cloud
4. Train your team to spot phishing
The majority of breaches start with a person, not a server. Phishing emails are designed to trick careful, well-meaning staff.
Short, regular training — and a simple, blame-free way to report suspicious messages — does more to reduce risk than almost any piece of software.
Want to go deeper?
Read our article: How to Spot a Phishing Email Before It's Too Late.
5. Keep everything updated
Unpatched software is one of the most common ways attackers get in. Enable automatic updates on Windows, macOS, browsers, and business applications.
Enable auto-updates for
- • Windows and macOS operating systems
- • Web browsers (Chrome, Edge, Safari)
- • Microsoft 365 apps
- • Line-of-business software and plugins
Replace when support ends
- • Windows 10 (end of support: Oct 2025)
- • Any operating system showing end-of-life
- • Hardware running unsupported software
- • Legacy business applications with no patches
6. Meet your POPIA obligations
Under South Africa's Protection of Personal Information Act (POPIA), your business is legally responsible for safeguarding the personal information it holds. Good security and POPIA compliance go hand in hand.
- 1Appoint an Information Officer (required by law — even for small businesses)
- 2Know what personal data you hold and where it is stored
- 3Secure it appropriately: encryption, access controls, backups
- 4Have a clear plan for reporting a breach to the Information Regulator and affected individuals
7. Put the layers together
No single tool makes you secure. Real protection comes from layering sensible measures — strong access control, modern endpoint protection, reliable backups, an aware team, timely updates, and a clear compliance posture — so that if one layer is bypassed, others still stand.
Start with the basics above, then deepen each area over time. You don't have to get everything perfect at once.
Not sure where your business stands?
We offer a free security assessment for Cape Town SMEs. We'll review your current setup and give you a clear, prioritised action plan — no jargon, no obligation.
Book a security assessment