StormDotCom Logo
Back to Cyber Security & Compliance

Cyber Security & Compliance

The Essential Small Business Cybersecurity Guide

You don't need an enterprise budget — or a full-time IT team — to protect your business properly. This guide walks through the fundamentals every South African SME should have in place, in plain language.

Published: June 202612 min read

Cybercrime isn't only an enterprise problem. Small and medium businesses are targeted precisely because attackers assume their defences are weaker — and too often, they're right. The good news is that the security measures that stop the overwhelming majority of attacks are practical, affordable, and well within reach of any Cape Town SME.

This guide brings the fundamentals together in one place. Work through it as a checklist. Where a topic deserves more depth, we link to a dedicated article in our IT Insights hub.

1. Lock down access with multi-factor authentication (MFA)

If you do only one thing after reading this guide, do this. Microsoft reports that MFA blocks 99.9% of automated account-compromise attacks. A stolen or guessed password is no longer enough to get in, because the attacker also needs the second factor — a prompt on your phone or a code from an authenticator app.

Where to start

Turn MFA on for every Microsoft 365 account, your accounting software, and any system that holds client or financial data. It takes minutes per user and is usually free with the licences you already pay for.

2. Move beyond traditional antivirus

Signature-based antivirus can only catch threats it has seen before. Modern attacks — zero-days, fileless malware, ransomware — are built specifically to slip past it.

A modern Endpoint Detection and Response (EDR) tool watches for suspicious behaviour rather than known files, and can isolate a device the moment something looks wrong.

3. Back up your data — properly

Microsoft 365 is not a backup. OneDrive and SharePoint sync your files and keep them for a limited retention window, but they will not save you from accidental deletion discovered months later, a compromised account, or ransomware that encrypts synced files.

The 3-2-1 backup rule

3

Three copies

Keep at least three copies of your important data

2

Two media types

Store on two different types of media or storage

1

One off-site copy

Keep one copy off-site or in a separate cloud

4. Train your team to spot phishing

The majority of breaches start with a person, not a server. Phishing emails are designed to trick careful, well-meaning staff.

Short, regular training — and a simple, blame-free way to report suspicious messages — does more to reduce risk than almost any piece of software.

Want to go deeper?

Read our article: How to Spot a Phishing Email Before It's Too Late.

5. Keep everything updated

Unpatched software is one of the most common ways attackers get in. Enable automatic updates on Windows, macOS, browsers, and business applications.

Enable auto-updates for

  • • Windows and macOS operating systems
  • • Web browsers (Chrome, Edge, Safari)
  • • Microsoft 365 apps
  • • Line-of-business software and plugins

Replace when support ends

  • • Windows 10 (end of support: Oct 2025)
  • • Any operating system showing end-of-life
  • • Hardware running unsupported software
  • • Legacy business applications with no patches

6. Meet your POPIA obligations

Under South Africa's Protection of Personal Information Act (POPIA), your business is legally responsible for safeguarding the personal information it holds. Good security and POPIA compliance go hand in hand.

  • 1Appoint an Information Officer (required by law — even for small businesses)
  • 2Know what personal data you hold and where it is stored
  • 3Secure it appropriately: encryption, access controls, backups
  • 4Have a clear plan for reporting a breach to the Information Regulator and affected individuals

7. Put the layers together

No single tool makes you secure. Real protection comes from layering sensible measures — strong access control, modern endpoint protection, reliable backups, an aware team, timely updates, and a clear compliance posture — so that if one layer is bypassed, others still stand.

Start with the basics above, then deepen each area over time. You don't have to get everything perfect at once.

Not sure where your business stands?

We offer a free security assessment for Cape Town SMEs. We'll review your current setup and give you a clear, prioritised action plan — no jargon, no obligation.

Book a security assessment

Your SME cybersecurity checklist

Work through this checklist with your team. Tick each item off as you put it in place — then revisit quarterly to make sure nothing has slipped.

1

Enable MFA on all accounts

Prioritise Microsoft 365, accounting software, and anything that holds client or financial data.

2

Replace legacy antivirus with EDR

Behaviour-based tools catch modern threats that signature-based AV will miss entirely.

3

Apply the 3-2-1 backup rule

Three copies, two media types, one off-site. Test restores regularly — untested backups are not backups.

4

Train staff on phishing red flags

Keep it short and regular. Teach the pause-verify-report reflex, not just a list of rules.

5

Enable automatic updates everywhere

Windows, macOS, browsers, and business apps. Replace hardware and software that no longer receives security patches.

6

Appoint an Information Officer under POPIA

Know what personal data you hold, secure it appropriately, and have a breach-reporting plan ready.

7

Layer your defences

Access control + EDR + backup + trained staff + patching + POPIA. No single measure is enough on its own.

How to use this checklist

We have fewer than 10 staff — does this apply to us?

Yes. Attackers don't filter by company size. Even solo traders and micro-businesses are targeted, particularly through phishing and compromised Microsoft 365 accounts.

Where should we start if budget is limited?

MFA first — it's usually free with your existing licences. Then backups, then EDR. Staff training costs almost nothing and is highly effective.

How do we stay on top of this without a full-time IT person?

A managed IT provider can handle monitoring, patching, and backups on your behalf, at a predictable monthly cost. That's our bread and butter.

Want to know where your gaps are?

Book a free security assessment for your Cape Town business. We'll review your current setup and give you a clear, prioritised plan — in plain English, with no obligation.

Book a Free Security Assessment