• Rosanna Hayes

SMEs in South Africa and the Impact of Cybercrime


On May 20th 2021, we hosted an event to welcome the launch of our CyberCare service in South Africa and discussed with a leading panel of experts the growing concerns over rapidly increasing cyber threat in the region. Ahead of the launch, we surveyed business groups across the country, representing approximately 10’000 SMEs, to gain a more insightful panorama of the issues at hand.


An alarming 43% of cyberattacks target small businesses, particularly financial, healthcare, retail, insurance, and legal sectors; cybercrime is evidently not just problematic for large businesses. To delve a little deeper, firms in SA suffer 577 cyberattacks every hour costing over R2.2 billion every year. With SA falling victim to the third-highest number of attacks of any country, it was time the situation was investigated.


STORM Guidance ran the survey, ‘Cybercrime research: understanding the impact on small and medium-sized businesses in South Africa’, which was completed by 33 business groups who represented between 1 – 50, and 500+ business members each. The survey’s findings were compiled and the official STORM Guidance 2021 Report: Impact of Cybercrime on SMEs in South Africa, was created as a reference and educational paper on the topic. The following are highlights from the report, to name just a few.


To assess the general understanding of the topic, we asked: ‘How would you define cybercrime?’ Almost all respondents identified an answer not considered to be a cybercrime: ‘Phishing or Malspam via email’ was selected by 31 of the 33 respondents, followed closely by ‘business email compromise’ and ‘ransomware’. Although we can take reassurance from some knowledge here, it must also be noted that almost a quarter of the respondents answered, ‘laptop or mobile device theft’, and as many as 6 business groups chose ‘IT support problems’. It would be fair to say that more work is needed in the education of cybersecurity in the workplace.


When asked: ‘Do you consider cybercrime to be a problem to SMEs in South Africa?’, 28 of the 33 respondents answered with, ‘a significant problem’, ‘definitely a problem’, and ‘extremely serious problem’. There were no business groups who answered that cybercrime is not a problem in South Africa, and only 5 answered that it was ‘somewhat of a problem’, indicating the increasing concerns over the issue.


In response to ‘rate the cybercrime risk level that your members are exposed to’, 11 of the business groups surveyed expressed this level to be ‘serious risk’; 2 went as far as to say, ‘catastrophic risk’. 25 of the 33 business groups answered that cybercrime is either a medium risk or of greater severity.


We asked, ‘What do you consider the general level of cybersecurity to be across your membership?’. 9 of the 33 respondents declared it to be ‘very low’, 17 answered ‘moderate’, a further 6 stated they considered it to be ‘good’, with just one business group estimating their members to have an ‘excellent' level of cybersecurity.


In the hope of transparency between members and their business groups, we put the question to them: ‘As a percentage, how many of your members have suffered a cybercrime in the last 12 months?’ 14 of the 33 respondents were unable to answer, whilst a third claimed the figure to be above 10% of their members. Some went so far as to claim that as many as 50%, 65%, and 90% of their members had suffered a cyberattack in the last 12 months.


When asked, ‘Who do you think your members would contact for help if they fell victim to cybercrime?’, a variety of different answers were given which demonstrated the level of knowledge and how equipped businesses are to deal with a cyberattack. A third of those asked said that they would contact IT support. Following closely behind, the Police were named as the first point of call by 7 business groups. Whilst law enforcement is involved in dealing with cybercrime, the expectations victims have for immediate response is unreasonable. The police will not help organisations resecure their systems, or identify vulnerabilities.

It is hoped that the launch of CyberCare in South Africa will go some way to address the concerns in the findings of the survey and those raised by the respondents in their answers. Business groups who become members of the service will be able to offer access to some of the world’s leading cyber incident response professionals as part of their membership offering. For more information, support, or guidance, contact 0800 500 3055, or email contact@stormguidance.com.