By Lucas Molefe, Cybersecurity Expert at ESET Southern Africa
19 May 2026 - The enterprise Goliath is worried about its suppliers. These SMEs are underprepared and disproportionately targeted, with 43% of cyber-attacks directed at their digital front door. Added to this, POPIA holds large organisations legally responsible when a supplier is breached, which means that SME suppliers have effectively become one of the most important entry points and concentrations of risk in the corporate supply chain, a risk that is growing increasingly expensive and challenging to manage.
The small accounting firm, the logistics provider, the IT support company - none of these companies would describe themselves as cybersecurity targets, and yet, this is precisely what makes them one. Unfortunately, it also makes them less attractive to the enterprise. There’s a growing body of evidence pointing to how suppliers are responsible for a significant number of data breaches. In 2025, 17% of data breach incidents were down to third-party vendor and supply chain compromise at an average cost of R29.6 million, and the average price tag for a South African company is around R44.1 million, according to IBM. While this number has decreased from the R53.1 million in 2024, it’s still an expensive bill to pay for a poorly secured third-party supplier. In its 2025/26 Strategic Plan, South Africa’s Information Regulator reports that it received 1,727 security compromise reports in the 2024/25 financial year and expects nearly 2,500 breach notifications in 2025/26.
POPIA Compliance Is Reshaping Enterprise Procurement
Then there’s the legal risk of a breach. Under POPIA Sections 21 and 22, the responsible party carries full liability to the Information Regulator in the event of a data breach, regardless of where in the supply chain that breach originated. An enterprise accepting a non-compliant SME into their ecosystem is absorbing a legal and financial risk it can’t control. And with third-party suppliers having access to corporate data, it’s easy to see why South African enterprises are tightening how they evaluate their suppliers’ cybersecurity posture. An SME’s level of investment into security is fast becoming an explicit procurement and contracting requirement.
For SMEs sitting at the other end of the supply chain, the message is clear. Demonstrate that your business is secure and POPIA-compliant when an enterprise audits or retenders, or accept that your contract won’t be renewed.
Cybersecurity Is Becoming a Competitive Advantage for SMEs
This new competitive reality reframes the entire conversation about what cybersecurity investment means for the small business. It is fast becoming a credential that determines whether or not the SME can keep the business because the cost of being the weakest link is too high.
The framing that’s long dominated SME thinking – that cybersecurity is a cost to be minimised or deferred – is now actively working against the companies that hold it. The alternative approach is far more commercially compelling: a security posture that an SME can clearly demonstrate is now a differentiator in enterprise procurement. When you can walk into a procurement conversation with evidence of POPIA compliance, endpoint protection, tested incident response and trained staff, you’re already sitting ahead of companies that still aren’t treating security as a priority.
Building a Resilient Cybersecurity Posture on a Budget
Compliance is also a signal of trustworthiness. If you can close the security gap as an SME, yes, you’re protecting yourself, but you’re also positioning yourself in a market where enterprise buyers are actively looking to reduce risk in their ecosystems. However, this investment in security needs to be balanced with resilience. You can’t guarantee that every attack will be stopped, which means that you need to know you have the policies in place to contain the incident, restore operations and maintain continuity without significant losses.
Key Cybersecurity Investments for SMEs
For SMEs building that posture within the realities of constrained budgets, the approach is layered and sequential. Endpoint protection provides a technical foundation that needs to be supported by cybersecurity training (particularly for finance and operational staff at risk of exposure to phishing or payment fraud) and business continuity planning. Tested, regularly verified backups remove the leverage that ransomware operators depend on, and documented POPIA compliance turns your business into a visible and auditable asset.
Of course, security costs money, and yes, it will hit the budget bottom line, but today the real question facing the SME in South Africa isn’t whether cybersecurity is affordable, but whether the absence of it is.