SMBs in South Africa – defined as companies with fewer than 250 employees – are highly vulnerable to cybersecurity attacks, a new study by Cisco reveals. Less than 4% of surveyed local SMBs are at a “mature” level of preparedness against cyberattacks, slightly lower than the 6% of large companies.

One of the key reasons for this, Cisco says, is a shortage of skilled IT security professionals, which affects 79% of SMBs and 76% of larger firms.

Whether phishing, ransomware, or AI-based attacks on company networks, cybersecurity threats in South Africa continue to intensify in sophistication. SMBs are particularly at risk, often lacking adequate resources to mitigate security risks. Many companies also underestimate the likelihood of becoming a victim of a cyberattack.

“This large gap in readiness makes small and medium-sized businesses prime targets for cybercriminals,” says Maritza van Wyk, leader of Sales for SMB at Cisco Africa. “Decision-makers need to look beyond basic protections as AI-driven attacks are becoming increasingly common and harder to detect. Cyberattacks can have disastrous consequences for small businesses, disrupting daily operations, fracturing customer trust, legal liabilities and, in the most severe cases, forcing businesses into insolvency.”

According to data from the Cisco Cybersecurity Readiness Index 2025, 46% of South African SMBs surveyed suffered a cyberattack over the past one to two years (vs 63% of larger companies).

SMBs invest less in cybersecurity than larger companies

According to the survey, 28% of local SMBs reached the second-highest stage of cybersecurity readiness, compared to 47% of large companies.

This gap could persist unless smaller firms accelerate investment in their defences. While nearly all organisations recognise the need to modernise, fewer SMBs are moving decisively – with 61% planning to upgrade existing security solutions compared to 71% of larger companies. SMBs also show relative complacency about investing against advanced AI threats, with only 48% intending to invest in AI-based systems compared to 58% of large companies.

SMBs overestimate their own cyberdefence capabilities

Despite having weaker defences, 72% of South African SMBs believe their current IT systems are strong enough to handle cyberattacks.

“This sense of confidence is misplaced and misleading,” says Van Wyk. “Many small businesses underestimate how sophisticated and targeted today’s cyberthreats have become. Without proactive preparation, a single successful attack can cause lasting financial and reputational damage.”

To compound the risk faced by SMBs, a persistent skills gap continues to affect their response capabilities, with 79% of SMBs and 76% of larger firms reporting a shortage of IT security specialists. Most businesses recognise the need to close this gap, with 96% of SMBs and 98% of larger companies planning to train or hire new talent.

At the same time, many are battling the growing complexity of their security environments. Among SMBs, 39% rely on between 11 and 40 different security solutions – and a small portion use as many as 70. Three in four companies say this fragmented approach weakens their overall defence.

“While many South African SMBs feel confident in their ability to withstand cyberattacks, their low levels of preparedness highlight a serious vulnerability – particularly given their vital role in the country’s economy,” says Van Wyk. “Building true resilience starts with understanding your risks, investing in the right skills, and simplifying your defences so they perform when it matters most.”