5 Quick Cybersecurity Wins Every SME Can Implement This Month

43% of cyberattacks target small businesses. Most of those attacks succeed because of things that take less than an afternoon to fix.

The standard advice is wrong — not because it’s false, but because it frames cybersecurity as a project. Something to plan for next quarter. Something that needs a big budget and a dedicated IT team before you can start. That framing is why South African SMEs keep getting hit.

Ransomware doesn’t wait for your IT procurement cycle. Phishing doesn’t care that you’re a small firm in the Free State that’s never been a “real target.” The attackers are automated. They scan everything. They find open doors. And right now, your doors are probably open.

Here are five fixes. Each one takes less than a working day to implement. None of them require a budget line item. Do all five and you’ve just moved your business out of the easy-target category.

Three numbers worth keeping in mind: 80% of breaches prevented by MFA; R2.1M average SA breach cost in 2025; 14 days average SME downtime after ransomware.

Multi-factor authentication (MFA)

A stolen password is useless if the attacker also needs your phone. MFA stops 80% of account takeover attacks dead. It costs nothing to enable on Microsoft 365, Google Workspace, or any modern SaaS platform.

The real threat: Credential stuffing. Attackers buy leaked password lists off dark-web markets and run them against your email login. If your staff reuse passwords — and statistically, 65% of them do — you’re already compromised and don’t know it.

This month’s action:

  1. Enable MFA on Microsoft 365 / Google Workspace for all users.
  2. Require app-based MFA (Microsoft Authenticator or Google Authenticator) — SMS MFA is better than nothing but SIM-swap attacks make it the weakest option.
  3. Apply MFA to your accounting software, CRM, and banking portal — not just email.
  4. Block legacy authentication protocols (basic auth) that bypass MFA entirely.

Secure, tested backups

Backups are your last line of defence against ransomware. The operative word is tested. An untested backup is a false sense of security — most SMEs discover their backup is broken the day they actually need it.

The 3-2-1 Rule: Three copies of your data. Two different storage media. One copy offsite (or in cloud storage your ransomware can’t reach because it’s not mapped as a network drive).

  1. Identify your critical data: accounting files, client records, operational configs.
  2. Set up automated daily backups to an offsite location — Backblaze B2 costs under R100/month for most SMEs.
  3. Disconnect backup drives from your live network after the backup runs (a mapped drive gets encrypted too).
  4. Do a test restore this week — pick one file and actually recover it to confirm the backup works.
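To make step 4 concrete, here is an added example (not from the article) in POSIX shell: it takes a backup of a directory with a SHA-256 manifest, then restores one file into a scratch area and proves the bytes match, failing loudly if the archive is broken. All paths and sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: back up a directory with a checksum
# manifest, then do a test restore of ONE file and prove the bytes match.
# All paths and sample files below are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/sme-backup-demo.$$"
SRC="$WORK/live"        # the live working data
DEST="$WORK/offsite"    # stands in for the offsite/cloud copy (assumption)
RESTORE="$WORK/restore" # scratch area; never test-restore over live data
# macOS has no sha256sum; substitute "shasum -a 256" there.

setup_demo_data() {
  mkdir -p "$SRC/accounts" "$DEST" "$RESTORE"
  printf 'invoice,amount\nINV-001,1500\n' > "$SRC/accounts/ledger.csv"
  printf 'client,contact\nAcme,jane@example.com\n' > "$SRC/clients.csv"
}

# Archive everything under SRC and record a SHA-256 for each file alongside it.
# Prints the archive path so callers can feed it to test_restore.
run_backup() {
  archive="$DEST/backup-$(date +%Y%m%d-%H%M%S).tar.gz"
  ( cd "$SRC" && find . -type f -exec sha256sum {} + ) | sort > "$archive.sha256"
  tar -czf "$archive" -C "$SRC" .
  echo "$archive"
}

# The "tested" part: extract one file into RESTORE and compare its hash with
# the manifest written at backup time. Returns non-zero on any mismatch, a
# missing file, or an archive that will not extract (i.e. a broken backup).
test_restore() {
  archive="$1"; file="$2"
  rm -rf "$RESTORE"; mkdir -p "$RESTORE"
  tar -xzf "$archive" -C "$RESTORE" "./$file" 2>/dev/null || true
  expected=$(grep " ./$file\$" "$archive.sha256" | cut -d' ' -f1)
  actual=$(sha256sum "$RESTORE/$file" 2>/dev/null | cut -d' ' -f1)
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

cleanup_demo() { rm -rf "$WORK"; }
```

Run it monthly against your real backup target with a file you actually care about; a green test restore is the only evidence that the backup is worth anything.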

Password managers for every staff member

Your staff are not using weak passwords because they’re careless. They’re using weak passwords because remembering 40 unique 16-character strings is humanly impossible. A password manager solves this problem completely — it generates, stores, and autofills strong passwords so your people never have to remember them.

Pricing comparison (product labels not preserved): free for teams; R33/user/month; free, local only; good SME tier.

  1. Deploy Bitwarden (free) or Proton Pass across all staff devices this week.
  2. Require all business account passwords to be stored in the shared vault — no exceptions for “I’ll just remember it”.
  3. Run a compromised password audit using Bitwarden’s built-in breach check — fix anything flagged.
  4. Set a policy: minimum 16 characters, generated by the manager, not typed by a human.

Staff awareness training

Phishing caused 91% of data breaches in 2024. The attacker didn’t break through your firewall — your bookkeeper clicked a link in an email that looked exactly like a Standard Bank notification. Your firewall was irrelevant. You need your staff to recognise three specific attack patterns: phishing emails, CEO fraud (“please EFT urgently, I’m in a meeting”), and fake login pages.

  1. Run a 30-minute phishing awareness session with all staff — show real examples of SA-targeted phishing (Standard Bank, SARS and Takealot impersonation are the current top three).
  2. Establish a verbal confirmation rule for any EFT request over a set threshold — one phone call stops CEO fraud completely.
  3. Send a test phishing email using Google’s Phishing Quiz or KnowBe4’s free tools — see who clicks before the real attacker finds out.
  4. Create a one-page “when in doubt” reference card — who to call, what not to click, how to report suspicious emails.
  5. No shame in the click: when staff fail a phishing test, use it as a teaching moment, not a punishment. Shamed staff hide future incidents. Trained staff report them.

Software updates — all of them, now

The WannaCry ransomware attack infected 200,000 machines in 2017 using a Windows vulnerability that had been patched two months earlier. Every machine that got hit was running unpatched software by choice. That pattern repeats in every major attack campaign.

Attackers don’t find new vulnerabilities in your business — they exploit known ones that you haven’t patched. Security researchers publish proof-of-concept exploits within 48 hours of a vulnerability disclosure. After that, every unpatched machine is a countdown timer.

  1. Enable automatic updates on every Windows and macOS device in the business — schedule them for 02:00 so they don’t interrupt work.
  2. Update your router firmware this week — most SOHO routers ship with known CVEs and never get patched.
  3. Audit and update all browser extensions — malicious extensions have full access to everything you type in your browser.
  4. Set a monthly calendar reminder: first Monday of every month, check that all updates applied successfully — auto-updates sometimes fail silently.

The honest bottom line

None of this is advanced. None of it requires a security budget. These five wins eliminate the attack vectors that account for over 90% of SME breaches. The gap between a business that gets hit and one that doesn’t is almost never technology — it’s whether someone decided to spend one afternoon actually implementing the basics.

If you want to know where your business actually stands right now — what’s exposed, what’s misconfigured, what a real attacker would find in five minutes — run a Clarity snapshot. It’s free, it takes 2 minutes, and it gives you a prioritised list of what to fix first.