When it comes to cybersecurity in South Africa, many businesses overlook the basics. Companies often focus on complex tools or advanced systems, while foundational controls remain undone. Yet it is these simple measures that prevent the majority of avoidable incidents.
Cybersecurity is no longer optional. Data breaches, payment fraud, ransomware, and impersonation attacks are routine realities for South African organisations. Even small gaps can disrupt operations, damage reputation, and trigger regulatory or insurance consequences.
Fortunately, there are several basic measures companies can implement to significantly improve their cyber security posture. Here, we’ll break down five very basic practices that every business, from small start-ups to established enterprises, should prioritise.
1. HTTPS: The Secure Foundation of Online Transactions
At the most basic level, every business website should run on HTTPS (Hypertext Transfer Protocol Secure). HTTPS encrypts data transmitted between a website and a user’s browser, protecting login credentials, payment information, and personal data from interception.
Many organisations still operate unsecured HTTP websites. Modern browsers clearly flag these as “Not secure,” immediately undermining trust. For businesses handling payments, forms, or client information, this is no longer acceptable. Even a perception of weak security can affect customer confidence.
Implementing HTTPS is a relatively straightforward process for most businesses. Many web hosting providers offer simple one-click solutions for activating HTTPS on existing websites. The benefits are substantial. HTTPS builds trust with users, protects sensitive data, and fosters a secure online environment for business transactions.
2. Password Managers: Boosting Security and Saving Time
Weak or reused passwords remain one of the most common causes of business breaches. When employees reuse credentials across systems, one compromised account can quickly expose others. Password managers offer a practical solution to this problem. These software applications store and manage login credentials for various platforms securely.
Password managers offer a significant advantage over manually creating and remembering passwords. They enable users to generate complex, unique passwords for each account, significantly reducing the risk of unauthorized access. Additionally, features like auto-fill can save employees valuable time by automatically entering login credentials when accessing applications and websites.
Password managers generate long, unique credentials automatically and store them securely. This removes the human tendency to simplify or reuse passwords, dramatically reducing credential-based attacks. With password managers generating and storing complex passwords, businesses can significantly reduce the risk of data breaches stemming from weak passwords.
3. Two-Factor Authentication (2FA): Adding an Extra Layer of Protection
Multi-Factor Authentication (MFA) is one of the highest-impact security measures a company can implement. Even if login credentials are stolen, an attacker cannot access the account without the secondary verification step.
While 2FA might seem like an inconvenience, it is a vital security measure that offers significant protection against unauthorized access. The initial hurdle of adapting to 2FA is quickly outweighed by the peace of mind it provides. Additionally, many 2FA apps offer user-friendly features like the ability to edit and customize settings to rename and reorder accounts for easy access. Although websites/software may recommend different 2FA apps, you can use the same app for all!
MFA should be mandatory for email accounts, cloud platforms, finance systems, and administrative access. This single control significantly reduces account takeover risk.
4. Separate Work and Personal Email: Maintaining Boundaries and Preventing Breaches
Separating work and personal email accounts should be a fundamental cyber security best practice for businesses of all sizes. There are several reasons to maintain separate email accounts.
Most importantly, using your work email address for work only ensures that company communication and sensitive data remain much more secure (and organized).
Using a work email address for personal services increases exposure. That address becomes stored in multiple third-party databases worldwide. If one of those platforms is breached, attackers now have a verified corporate email address to target. This is because in our personal lives we sign up for all sorts of accounts and groups and we share our login credentials each time. This puts our details into multiple databases all around the world, which may themselves be hacked. In addition, receiving personal emails into your work inbox can create clutter and distraction with your day-to-day work.
For small business owners, the distinction between business and personal can be blurred. However, separating email accounts is an important aspect in the building of a stronger cyber security environment. Clear boundaries between work and personal email reduce profiling, phishing exposure, and long-term organisational risk.
5. DMARC: The Email Authentication Guardian
If your organisation owns a domain, DMARC (Domain-based Message Authentication, Reporting and Conformance) is foundational. Without it, attackers can send emails that appear to come from your business. It acts as an email authentication guardian, protecting your domain from attackers’ spoofing. Email spoofing is a tactic commonly used in phishing scams, where emails appear to originate from your company but actually come from a malicious source.
DMARC establishes a policy in your Domain Name System (DNS) that specifies how receiving email servers should handle messages claiming to be from your domain. This helps instruct servers to reject unauthorized emails, preventing them from reaching inboxes and potentially compromising sensitive information.
Implementing DMARC offers crucial benefits such as significantly reducing the risk of phishing attacks that leverage your domain name. DMARC reports also provide valuable insights into email activity associated with your domain, helping to identify unauthorized attempts to send emails on your behalf. As an added benefit, it helps ensure your emails land in inboxes instead of spam/junk. A properly enforced DMARC policy (p=reject) prevents domain spoofing and reduces impersonation risk. It also provides reporting visibility into how your domain is being used. For businesses concerned about payment fraud, phishing, or regulatory exposure, this control is essential. You can learn more about why this matters in our article on Email Spam Security: Anti-Spam is Not Enough.
Conclusion: Building a Strong Cyber Security Foundation
HTTPS, password managers, MFA, email separation, and DMARC form a practical baseline for cybersecurity in South Africa. These are not advanced controls. They are foundational safeguards.
Keep in mind that cyber security is an ongoing process, not a one-time set-up. Regularly updating software, educating employees about cyber threats, and staying informed about emerging security best practices are all crucial aspects of maintaining a strong cyber defence. For SMEs in particular, these measures are cost-effective and high-impact. The financial and reputational cost of a breach will always exceed the cost of implementing these basics.
