Lucas Molefe, Cybersecurity Expert at ESET Southern Africa, unpacks the value of cybersecurity and preparedness for Small and Medium Enterprises (SMEs) in South Africa.
The enterprise Goliath is worried about its suppliers. These SMEs are underprepared and disproportionately targeted, with 43% of cyber-attacks directed at their digital front door. In addition, the Protection of Personal Information Act (POPIA) holds large organisations legally responsible when a supplier breaches, meaning SME suppliers have effectively become one of the most important entry points and concentrations of risk in the corporate supply chain, a risk that is growing increasingly expensive and challenging to manage.
The small accounting firm, the logistics provider, the IT support company - none of these companies would describe themselves as cybersecurity targets, and yet this is precisely what makes them one. Unfortunately, it also makes them less attractive to the enterprise. There is a growing body of evidence indicating that suppliers are responsible for a significant number of data breaches. In 2025, 17% of data breach incidents were due to third-party vendor and supply chain compromises, at an average cost of R29.6 million; the average price tag for a South African company is around R44.1 million, according to the IBM Cost of a Data Breach Report. While this number has decreased from the R53.1 million in 2024, it is still an expensive bill to pay for a poorly secured third-party supplier. In its 2025/26 Strategic Plan, South Africa’s Information Regulator reports that it received 1,727 security compromise reports in the 2024/25 financial year and expects nearly 2,500 breach notifications in 2025/26.
Then there’s the legal risk of a breach. Under POPIA Sections 21 and 22, the responsible party carries full liability to the Information Regulator in the event of a data breach, regardless of where in the supply chain that breach originated. An enterprise accepting a non-compliant SME into its ecosystem is absorbing a legal and financial risk it can’t control. And with third-party suppliers having access to corporate data, it’s easy to see why South African enterprises are tightening how they evaluate their suppliers’ cybersecurity posture. An SME’s level of investment into security is fast becoming an explicit procurement and contracting requirement.
For SMEs sitting at the other end of the supply chain, it is becoming increasingly important to demonstrate that their businesses are secure and POPIA compliant when an enterprise audits or retenders, or else accept that their contracts won’t be renewed.
This new competitive reality reframes the entire conversation about what cybersecurity investment means for the small business. It is fast becoming a credential that determines whether or not the SME can keep the business because the cost of being the weakest link is too high.
The framing that has long dominated SME thinking - that cybersecurity is a cost to be minimised or deferred - is now actively working against the companies that hold it. The alternative approach is far more commercially compelling: a security posture an SME can clearly demonstrate is now a differentiator in enterprise procurement. When you can walk into a procurement conversation with evidence of POPIA compliance, endpoint protection, tested incident response and trained staff, you are already sitting ahead of companies that still aren’t treating security as a priority.
Compliance is also a signal of trustworthiness. If you can close the security gap as an SME, yes, you’re protecting yourself, but you’re also positioning yourself in a market where enterprise buyers are actively looking to reduce risk in their ecosystems. However, this investment in security needs to be balanced with resilience. You can’t guarantee that every attack will be stopped, so you need to know you have the policies in place to contain the incident, restore operations, and maintain continuity without significant losses.
For SMEs building that posture within the realities of constrained budgets, the approach is layered and sequential. Endpoint protection provides a technical foundation that needs to be supported by cybersecurity training (particularly for finance and operational staff at risk of exposure to phishing or payment fraud) and business continuity planning. Tested, regularly verified backups remove the leverage that ransomware operators depend on, and documented POPIA compliance turns your business into a visible and auditable asset.
Of course, security costs money, and yes, it will hit the budget bottom line, but today the real question facing the SME in South Africa isn’t whether cybersecurity is affordable, but whether the absence of it is.