How small businesses can safeguard against cybersecurity risks

For small business owners who think effective cybersecurity costs a fortune, author and information security expert Kevin Beaver has affordable tips.

Cybersecurity has been in the spotlight in the last year, as many people working from home have been victims of cyberattacks. This is especially true for small businesses, many of which don’t invest properly in online security.

“We are all in business to acquire and keep customers,” says author and information security expert Kevin Beaver. “We do this so that we can earn a profit, grow the business, and make a living for ourselves and our families… So we need to do what’s right to keep our businesses on track and moving in a positive direction. Acknowledging and addressing the information security issues that are impacting all of us is an important part of that.”

But why is it important to safeguard your business against cyberattacks? According to the South African Banking Risk Information Centre, cyberattacks cost South Africa more than R2.2 billion a year, and that figure is rising. So, if you don’t want to be the victim of a massive loss, here are Beaver’s five steps to cybersecurity success:

1. Understand what’s needed

The first step in small business cybersecurity is to know what’s expected of you. This could either be specifically because you have clients or customers who contractually require it or more broadly because it relates to government law.

“You can figure this out on your own by doing independent online research, or you can hire somebody to do it,” Beaver says. “This could either be an employee who is responsible for it or a cybersecurity specialist or consultant to come in for a day or two and point you in the right direction. But you have to understand what’s needed. If you don’t understand, then how are you going to know which direction to go in?”

2. Evaluate the risks

In working with many small and medium-sized businesses, Beaver has seen many who wrongly believe that cybersecurity is just a case of answering self-assessment questionnaires online, downloading policies from the internet, and making a few changes or implementing some technologies to minimise their risks. And while this might make them legally compliant in some cases, it won’t fully protect them.

“If you don’t fully understand the risks, how can you possibly know where to focus your efforts?” he asks. “What’s weak may be your users, your web applications, your internal network, or your vendor/partner connections. There are a lot of things. Unless or until you perform a proper security assessment, you’ll never know where your risks are.”

3. Create policies and standards

Once you fully understand how different risks could impact your business, you can create your cybersecurity policies and standards. This will involve implementing security technologies across your network to enforce your policies and support your standards.

“This could be all sorts of things in the context of web security, malware protection, denial of service protection, multifactor authentication, and more,” Beaver says. “But unless you do numbers one and two before you create your policies and standards, you’re not going to know how to roll them out effectively.”

4. Keep users in check and onboard

When it comes to implementing cybersecurity, it’s important to make sure everyone on your team understands what’s expected of them. If not, they will be your weak spot and will be a big problem when, for example, they click on a random online link that turns out to be malware that infects all your machines.

“You don’t want to get your entire network locked down just because your users haven’t been properly trained or because you don’t have the proper technologies to enforce it,” Beaver says. “That doesn’t just hurt them; it hurts you and your business. So keeping your users in check and onboard is important.”

5. Re-evaluate periodically

When your cybersecurity policies are in place, you can’t just sit back and forget about them. That’s why the final step is to fine-tune them over and over again.

“Re-evaluate at least once a year,” Beaver says. “You don’t have to do it more often unless you believe your network has become complex or you have specific requirements, in which case you may want to do quarterly vulnerability scans of your external environment. But for the annual security assessment, go back and get periodic reassurance that things are still okay. If they’re not okay, you need to make changes and pivot in terms of whatever technologies are creating a gap.”

Conclusion

Ultimately, cybersecurity is essential, but it doesn’t have to be complicated. Beaver sums it up in three steps: Know what you’ve got (understand what’s on your network), understand how it’s at risk (know where the focus needs to be), and do something about it (now rather than later).

“I know that sounds generic,” he admits. “But there are solutions out there that can solve a lot of problems in a quick way. You’ve got to rely on these solutions, rely on your own people, and rely on what you already have in place – what’s built right into your operating systems can help as well. Repeat that over and over again, and you’re probably going to be just fine.”