Small businesses are now prime targets — not because the data is the most valuable, but because the defences are usually the weakest. A cyber security audit finds your gaps before an attacker does, and gives you a clear, prioritised plan to fix them. It’s also a practical step toward POPIA compliance.
A cyber security audit is a structured review of how exposed your business is to attack. For a small or medium business in South Africa, it answers a simple question: if a criminal targeted us tomorrow, where would they get in — and what would it cost us? Here’s what an audit covers, why SMEs are being targeted, and how it connects to your legal obligations under POPIA.
What a cyber security audit covers
A thorough audit examines every layer where an attacker could gain a foothold:
- Endpoints — are PCs and laptops patched and protected with proper endpoint security?
- Network and firewall — is your perimeter configured securely, with no risky open ports?
- Email — your single biggest attack surface; we check filtering, spoofing protection and phishing resilience
- Access and identity — is multi-factor authentication (MFA) enforced? Who has admin rights they shouldn’t?
- Backups — do they exist, are they offsite, and have restores actually been tested?
- Patching — are operating systems and software kept up to date automatically?
- Policies and people — password practices, staff awareness, and what happens when someone leaves
- POPIA readiness — do you have appropriate, documented safeguards for personal information?
Why small businesses are being targeted
It is a myth that attackers only chase big corporates. Automated attacks scan the entire internet looking for any easy target, and SMEs are attractive precisely because they tend to have fewer defences and less in-house expertise. The most common threats we see in South Africa are:
Ransomware
Your files are encrypted and held for payment. Without tested, offsite backups, many businesses are forced to pay — or close.
Phishing and business email compromise
Staff are tricked into handing over passwords or paying fake invoices. A single convincing email can drain a bank account.
Weak or reused passwords
One leaked password, reused across systems, can unlock your entire business if MFA isn’t in place.
The POPIA angle
South Africa’s Protection of Personal Information Act (POPIA) requires businesses to put in place “appropriate, reasonable technical and organisational measures” to protect the personal information they hold. If you experience a breach, you may be legally required to report it to the Information Regulator and to affected people. A cyber security audit gives you documented evidence that you have taken reasonable steps — which matters both for compliance and for limiting your liability if something goes wrong.
What you get from an InfiNET IT audit
We don’t hand you a 60-page report full of jargon and walk away. You receive:
- A clear findings report with each risk rated by severity — so you know what’s urgent and what can wait
- A prioritised remediation plan in plain language, with realistic timelines and costs
- A short executive summary you can show management or the board
- Practical quick wins you can action immediately — often at little or no cost
A 60-second self-check
Before you even book an audit, ask yourself honestly:
- Is multi-factor authentication switched on for email and every important system?
- Do you have offsite backups, and has anyone actually tested restoring from them?
- Would your staff recognise a convincing phishing email?
- Is every device running current, supported software with automatic updates?
- Do you know exactly who has access to what — and is it revoked when someone leaves?
If any answer is “no” or “not sure,” that’s exactly what an audit is for.
What does a cyber security audit cost?
An audit is usually scoped as a fixed-price project rather than an ongoing fee, sized to the number of users, devices and systems involved. We’ll give you a clear quote up front, and many of the fixes we identify are low-cost or simply a matter of configuration done correctly.