Small and medium enterprises (SMEs) are critical to economic growth. According to the World Economic Forum, they make up more than 90% of registered businesses in South Africa and provide employment to over half the labour force. SMEs matter, and they’ve become a target for cybercriminals. Accenture’s annual ‘Cost of Cybercrime’ study shows that nearly 43% of all cyberattacks happen to smaller businesses, yet only about 14% are prepared to face an attack. “The majority of SMEs don’t even think about cybersecurity,” says Richard Frost, head of consulting at Armata Cyber Security. “They mostly feel they aren’t big enough and don’t have enough valuable information people might want to steal, so it doesn’t warrant the investment.”
SMEs face the same cyber challenges as larger enterprises, but often lack the resources to build comparable resilience. Yet SMEs – collectively with small offices/home offices (SOHO) – are the largest portion of the workforce around the globe, says Steve Flynn, chief sales and marketing officer of ESET Southern Africa. There are gaps. A lack of employee cybersecurity awareness is common. Without training on phishing, ransomware and other common threats, employees can unintentionally put company data at risk. Strong password practices are also often neglected. This leaves systems open to unauthorised access, “especially without multi-factor authentication in place,” he says.
Another challenge, says Frost, is that every organisation uses email and this is where the major threat lies, especially for SMEs, which sometimes lack proper email security software and filtering systems. Instead of relying on traditional malicious software, threat actors are exploiting human error and trust using business email compromise (BEC) scams.
The Söze Syndicate, a notorious cyber threat group, has become a major player in BEC attacks targeting organisations worldwide. Todyl’s MXDR team reported a 558% rise in BEC incidents during 2024, with the syndicate taking centre stage. The Colorado-based security platform found that this cybercrime group mainly targets SMEs, taking advantage of their lack of identity threat detection and response solutions. The group uses email impersonation and account takeovers to bypass security measures, focusing on human error and weak identity defences rather than malware.
The entry point
SMEs may not use the same complex supply chains that bigger organisations operate, but they’re often a part of them. And that’s exactly what makes them a target – cybercriminals know SMEs often have weaker defences, so they use them as a way in. Smaller vendors with privileged access have become prime targets for cybercriminals looking for backdoors into larger organisations. When an SME is breached, there can be a cascade effect where each connected business becomes a potential new entry point. According to Vinay Hiralall, Liquid C2’s chief commercial officer, SMEs are targeted by cybercriminals because they fit into the supply chain of enterprise customers. This is particularly evident in sectors like banking and manufacturing, where SMEs often serve as suppliers or service providers to larger organisations. The risk becomes especially pronounced for digital native SMEs – companies developing software and handling integrations – as they need secure systems to operate effectively within broader business ecosystems.
Hiralall says that an example of this vulnerability lies in the independent software vendor (ISV) community across Africa. These SMEs build specialised applications for specific industries or market segments. When these vendors create compliance applications for the banking sector, they become potential weak points that cybercriminals can exploit to reach their ultimate enterprise targets. The compromise of an ISV not only threatens their immediate business, but also limits their ability to scale and serve larger customers. The interconnected nature of modern business means the distinction between SME and enterprise security is increasingly blurred. Both B2B and B2C components bring different risk profiles and security requirements. SMEs serving end-users need to be particularly vigilant about their security posture, as the potential reach and impact of a breach can be swift and far-reaching.
Security fusion
One of the ways Liquid C2 is removing the barrier to entry for SMEs is through the creation of SOC-as-a-Service centres across the continent. “SMEs can now have security services on top of their cloud infrastructure,” says Hiralall. Engaging with best-of-breed technologies, Liquid C2 has created a melting pot of cyber defence solutions.
But Hiralall says these aren’t traditional security operation centres. Instead, they function as cybersecurity fusion centres, combining network operating centre, security operating centre and cloud operating centre capabilities. This integration enables security coverage from the network layer through to applications and endpoint security, providing SMEs with comprehensive protection without the need for extensive in-house expertise.
These centres serve both reactive and proactive functions. While they respond to immediate threats and alerts, they also monitor market trends and provide guidance to SMEs about emerging risks. This has proved particularly valuable as new technologies emerge – for instance, helping businesses navigate the security implications of AI adoption and managing associated shadow IT risks.
For SMEs, security can’t be thought of as a bolt-on solution. Because many small businesses have an IT manager, but lack dedicated security teams, Liquid C2’s strategy begins with a cloud migration process, incorporating security assessments before any system moves to the cloud. Hiralall says security isn’t just about technology; it’s about creating a culture of security awareness. This is why it helps SMEs develop appropriate governance policies, covering everything from device management to application usage. This includes comprehensive cyber training that extends to end-users, covering crucial aspects like device security and information handling.
This systematic approach helps prevent a common pitfall among SMEs: the accumulation of multiple, disconnected security products without a coherent strategy.
Instead of managing 10 to 15 different security solutions in silos, businesses get an integrated security framework that grows with them, supported by expertise they might not otherwise be able to access. This becomes particularly crucial as SMEs scale, ensuring their security posture remains robust even as their digital footprint expands.
THE COST OF BEING SHORT-SKILLED
A report conducted by Bredin for Microsoft Security found that SMEs are facing a critical talent shortage in cybersecurity at a time when attacks are becoming increasingly costly. Less than a third of small and medium businesses have the expertise to manage their security in-house, and 72% say the lack of cybersecurity professionals is a major business challenge. This skills gap is particularly concerning given the financial stakes. The average attack costs SMEs $254 445, but some businesses have faced damages as high as $7 million once you factor in investigation and recovery costs, regulatory fines, damage to their reputation, and missed business opportunities. Making matters worse, many SMEs lack the basic employee training needed to prevent attacks, with over 80% struggling to maintain adequate security awareness among their staff. This combination of inexperience and exposure helps explain why one in three SMEs experienced a cyberattack in the past year.
For many businesses, the answer lies in partnering with managed security service providers (MSSPs). “MSSPs offer specialised expertise and access to advanced security tools that many SMEs cannot afford independently,” says Nemanja Krstić, operations manager of managed security services at Galix. These providers don’t just offer security; they become an extension of the business, providing around-the-clock monitoring and rapid incident response tailored to smaller organisations. The business case is compelling. Rather than stretching resources to build and maintain an in-house security team, companies can leverage shared expertise and infrastructure. “SMEs can work with MSSPs that offer services made cheaper through the use of shared resources,” says Armata Cyber Security’s Richard Frost. “This also gives them access to a team of skilled individuals who work with different businesses across multiple industries.” It’s a strategic approach that puts enterprise-grade security within reach of smaller businesses, without the overhead of building internal capabilities. The benefits extend far beyond cost savings.
With the cybersecurity landscape evolving daily, keeping up with new threats, compliance requirements and security standards has become a full-time job. MSSPs specialise in monitoring emerging threats and can respond to security incidents around the clock – a big advantage given that cyberattacks often occur outside business hours. They also maintain up-to-date hardware and security infrastructure, ensuring businesses aren’t left vulnerable due to outdated technology. For SMEs focused on growing their core business, this managed approach to security makes strategic sense, but Stephen Kreusch, head of cybersecurity at Performanta, warns that not all MSSPs are created equal. “Every month, it looks like there’s a new MSSP popping up. It’s important to understand how long that MSSP has been in business, their technical skills, depth of staffing, and what their staff turnover is.” While some smaller providers may deliver excellent service to a limited client base, they often struggle to scale effectively. For Kreusch, the key is finding an MSSP with both the technical depth and operational stability to provide consistent, comprehensive security coverage as your business grows.
* Article first published on brainstorm.itweb.co.za