By: Faiez Hartley, Head of IT at Business Partners Limited

As small businesses in South Africa increasingly embrace digital transformation, the risk of cybercrime looms larger than ever. According to Accenture’s Cost of Cybercrime Study, 43% of cyberattacks globally target small businesses, which are often viewed as easy targets due to limited cybersecurity infrastructure.

Faiez Hartley, Head of IT at Business Partners Limited, warns that many small business owners in South Africa underestimate their vulnerability to cyberattacks. "Cybercriminals exploit gaps in defences, causing significant harm that can, in some cases, lead to business closure. It’s imperative that SMEs in South Africa recognise the urgency of investing in cybersecurity."

The cost of a cyberattack can be catastrophic for a small business. Research by IBM estimates that the average cost of a data breach in South Africa is around R53.1 million. Beyond the immediate financial losses, businesses must contend with operational downtime, a loss of customer trust, and potential legal ramifications.

“The direct financial implications are just one aspect of the damage,” Hartley explains. “What’s often overlooked is the long-term impact on customer relationships and brand reputation. A breach can lead to a loss of confidence from both consumers and business partners, which is often very hard to regain.”

For an SME, the consequences of a data breach can be devastating. Along with the costs of managing the incident – such as hiring forensic experts, notifying affected parties, and addressing reputational damage – businesses face the potential for fines, particularly under the Protection of Personal Information Act (POPIA). This act mandates stringent data protection measures for businesses, and non-compliance could result in heavy penalties and legal action.

Verizon’s 2023 Data Breach Investigations Report highlights that 74% of breaches involve human error, often stemming from a lack of employee training or awareness about cybersecurity best practices. Small businesses particularly, tend to overlook cybersecurity training, leaving them vulnerable to phishing attacks – one of the most effective methods hackers use to infiltrate organisations.

“Many SMEs believe they are too small to be targeted by cybercriminals, but this couldn’t be further from the truth,” says Hartley. “No business is too small to be affected. In fact, the smaller the business, the more devastating the impact of a cyberattack can be.”

Hartley stresses the importance of investing in cybersecurity, but also emphasises that effective defences don’t have to be expensive. “It is an investment, but basic measures such as firewalls, anti-virus software, and regular system updates can go a long way towards protecting a business from cyber threats.”

He further notes the importance of cultivating a strong culture of cybersecurity in the workplace. "One of the most critical aspects is employee training. Introducing multi-factor authentication instead of just a password and providing regular training sessions that teach staff to recognise phishing attempts and identify suspicious online activity can significantly reduce the risk of human error leading to cyber breaches."

In addition, every SME should have a well-defined incident response plan. This plan should outline the steps to take in the immediate aftermath of a cyberattack, including who to contact, how to reduce damage, and how to inform affected stakeholders. Having this plan in place ensures the business can respond swiftly and effectively in a crisis.

As October is Cybersecurity Awareness Month, there’s no better time for small business owners to take stock of their digital defences. “Cybersecurity is not just an IT issue – it’s a business issue. SMEs need to take proactive steps to protect themselves, their customers, and their future. While the costs of implementing proper cybersecurity may seem high, the cost of ignoring it could be far higher,” Hartley concludes.

‍