First actions
A small-team baseline
Choose controls that survive staff turnover, remote work and power interruptions.
Protect admin accounts
Turn on MFA for email, accounting, payroll, website admin, cloud storage and social media.
Separate payment approval
Confirm bank detail changes by voice using a known number, not a number from the email thread.
Make backups recoverable
Keep at least one backup disconnected or immutable, and test restore after load shedding or device failure.
Know your POPIA exposure
Map personal information you hold, who can access it and how you will notify people if it is compromised.
Sample guidance
Controls with high return
Stop business email compromise
Use MFA, disable automatic forwarding where possible and set a clear process for supplier bank detail changes.
Plan around unstable power
Protect routers and storage with UPS units, document shutdown steps and avoid backups that only run when power is stable.
Secure shared drives
Use named accounts, limit public links, review external shares and remove access when staff or contractors leave.
Run short scam drills
Brief staff on fake tenders, courier scams, SARS messages, payroll changes and urgent payment pressure.
Checklist
Quarterly business review
- Confirm MFA is active on every admin and finance account.
- Test one restore from backup and record who completed it.
- Review supplier, contractor and former employee access.
- Verify your incident contact list and cyber insurance conditions.
- Update your POPIA breach response note and evidence folder process.
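The shared-drive controls above (named accounts, limited public links, external-share review, access removal on departure) and the first three checklist items can be checked mechanically from data most mail and storage platforms let you export. The script below is an added example, not part of the original guidance: it runs the review over two constructed CSV exports (an account list and a share list), and the column names, the `example.co.za` company domain and the sample rows are assumptions chosen for illustration, so map them to whatever your own platform's export actually contains.

```python
"""Quarterly access review over exported account and share data (added example).

Assumes two CSV exports: an account list with role, MFA state, status and
last working day, and a share list with link type and recipients. The
column names and sample rows below are constructed for illustration.
"""
import csv
import io

# Constructed sample export: who has an account, what role, is MFA on,
# and (for leavers) their last day.
ACCOUNTS_CSV = """email,role,mfa_enabled,status,last_day
owner@example.co.za,admin,true,active,
bookkeeper@example.co.za,finance,false,active,
thabo@example.co.za,staff,true,active,2024-03-31
contractor@partner.example,contractor,false,active,
"""

# Constructed sample export: shared links on the company drive.
# shared_with may hold several addresses separated by ';'.
SHARES_CSV = """path,link_type,shared_with,owner
/Finance/Invoices,anyone_with_link,,bookkeeper@example.co.za
/HR/Contracts,specific_people,thabo@example.co.za,owner@example.co.za
/Marketing/Logos,specific_people,designer@agency.example,owner@example.co.za
/Ops/Runbooks,specific_people,owner@example.co.za,owner@example.co.za
"""

PRIVILEGED_ROLES = {"admin", "finance"}   # roles that must have MFA
INTERNAL_DOMAIN = "example.co.za"         # assumed company mail domain


def load(csv_text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _is_internal(email):
    return email.lower().endswith("@" + INTERNAL_DOMAIN)


def privileged_without_mfa(accounts):
    """Checklist: MFA active on every admin and finance account."""
    return sorted(a["email"] for a in accounts
                  if a["role"] in PRIVILEGED_ROLES
                  and a["mfa_enabled"].strip().lower() != "true")


def departed_still_active(accounts):
    """Checklist: former employees (last_day set) whose account is still active."""
    return sorted(a["email"] for a in accounts
                  if a["last_day"].strip() and a["status"] == "active")


def external_accounts(accounts):
    """Checklist: supplier and contractor accounts outside the company domain."""
    return sorted(a["email"] for a in accounts if not _is_internal(a["email"]))


def risky_shares(shares, accounts):
    """Shared-drive review: public links, external recipients, departed users."""
    departed = {a["email"].lower() for a in accounts if a["last_day"].strip()}
    findings = []
    for s in shares:
        if s["link_type"] == "anyone_with_link":
            findings.append((s["path"], "public link"))
        recipients = (w.strip().lower() for w in s["shared_with"].split(";"))
        for who in filter(None, recipients):
            if who in departed:
                findings.append((s["path"], f"shared with departed user {who}"))
            elif not _is_internal(who):
                findings.append((s["path"], f"external recipient {who}"))
    return findings


def quarterly_report(accounts_csv=ACCOUNTS_CSV, shares_csv=SHARES_CSV):
    """Run every check and return the findings keyed by check name."""
    accounts, shares = load(accounts_csv), load(shares_csv)
    return {
        "privileged_without_mfa": privileged_without_mfa(accounts),
        "departed_still_active": departed_still_active(accounts),
        "external_accounts": external_accounts(accounts),
        "risky_shares": risky_shares(shares, accounts),
    }


if __name__ == "__main__":
    for check, items in quarterly_report().items():
        print(f"{check}: {items if items else 'OK'}")
```

On the constructed data the report flags the bookkeeper (finance role, no MFA), the leaver whose account was never disabled, the contractor account for review, a public link on the invoices folder, a contract folder still shared with the leaver and a logo folder shared with an agency address. Keep the two export files and the printed output in the evidence folder mentioned in the last checklist item, with the name of whoever ran the review, so the quarter's record exists even after staff turnover.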