2021 was a record year for data breaches, according to the Identity Theft Resource Center – but instead of building their defences, many companies are putting their heads in the sand.

Interpol estimates that nine out of every 10 African businesses are operating without the necessary cybersecurity protocols in place, putting themselves and their clients at risk of massive financial loss.

That’s why this year’s Safer Internet Day on 8 February takes on added significance, says Minnaar Fourie, the commercial director at insurer King Price. It’s never been more critical for businesses of all sizes to move rapidly to secure their key IT systems and company and customer information.

“Many smaller businesses that we talk to seem to think they won’t be targeted. They’re wrong. What we’re seeing clearly is a trend where businesses of all sizes, in all sectors, are potential targets for cybercriminals. In fact, SMEs are often the weakest link, as they don’t have the same level of protection as big companies,” says Fourie.

A cyberattack can literally put a small to mid-sized company out of business. The IBM 2019 Cost of a Data Study puts the average total cost of a data breach in South Africa at R43,3-million. Globally, an Inc.com study suggests that 60% of small businesses close their doors within six months of an attack.

Adding an extra layer of complexity is South Africa’s Protection of Personal Information Act (PoPIA), which fundamentally changed the way businesses deal with consumers’ personal information. If your business is hacked, and you don’t have the correct procedures and safeguards in place, you could get fined by the Regulator, says Fourie.

“On top of that, anyone who incurred damages as a result of the breach could take legal action against the company for damages. And we’re not even getting to the issue of reputational damage yet,” said Fourie.

So where do SMEs start to protect themselves and their customers? While cybersecurity insurance is becoming an increasingly common among local businesses, that’s just one element of the precautions that every company should be taking. But apart from the security basics – having a firewall and an enterprise-level anti-virus software, backing up data regularly – the biggest step companies can take is to create greater awareness amongst their employees.

“It’s no use spending millions on security solutions if you don’t educate your people. When it comes to security, your people are the weakest link. They click on dodgy links. They use weak passwords. They let other people use their devices at home. Your best defence is to create an active cybersecurity culture that gets everyone in the business following basic security habits,” says Fourie.