Top 10 cybersecurity mistakes small businesses make – and how to fix them

You don’t need a high-tech vault. You just need to stop being sloppy.

Most small businesses still think cybercrime is a big-company problem. That is exactly why they are the softest targets: not because attackers are brilliant, but because owners are careless.

Here’s what I see every week. And what you must do.

a) No backups. Or backups connected to the same network

(i) When ransomware hits, backups that sit on the same network (a mapped drive, a NAS everyone can write to, a synced folder) get encrypted or deleted along with everything else, so they are useless at the one moment you need them.

(ii) Fix: Keep at least one copy offline or otherwise unreachable from the production network: a drive that is disconnected after the job, or cloud storage with versioning or immutable retention. Back up daily. Test a restore weekly; a backup you have never restored is an assumption, not a backup.
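
The weekly restore test, as an added example (this is not code from the original post or from the institute): back up a folder to a compressed tar archive, record a SHA-256 checksum beside it, then prove the backup is usable by restoring it into scratch space and comparing every file. All paths and sample files are constructed inside a temporary directory so it runs offline; in production you would point the source at your real data and the backup directory at a drive you disconnect afterwards or at immutable cloud storage.

```python
"""Added example, not from the original post: create a backup, checksum it,
and verify it by actually restoring it. Sample data is constructed below."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, backup_dir: Path, name: str) -> Path:
    """Write <backup_dir>/<name>.tar.gz plus a <name>.sha256 sidecar file."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"{name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    (backup_dir / f"{name}.sha256").write_text(sha256_of(archive) + "\n")
    return archive


def verify_restore(archive: Path, source: Path) -> bool:
    """The weekly restore test: checksum, extract to scratch space, compare."""
    sidecar = archive.parent / (archive.name[: -len(".tar.gz")] + ".sha256")
    if sha256_of(archive) != sidecar.read_text().strip():
        return False  # archive corrupted or tampered with since it was written
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Refuse members that would escape the scratch directory (tar path traversal).
            for member in tar.getmembers():
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    return False
            tar.extractall(scratch)
        restored = Path(scratch) / source.name
        for original in source.rglob("*"):
            if not original.is_file():
                continue
            copy = restored / original.relative_to(source)
            if not copy.is_file() or sha256_of(copy) != sha256_of(original):
                return False
    return True


def demo() -> bool:
    """Run the whole cycle on constructed sample data. True when the good
    backup restores cleanly AND a corrupted copy of it is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "accounts"
        (source / "2024").mkdir(parents=True)
        (source / "2024" / "ledger.csv").write_text("date,amount\n2024-01-05,1200\n")
        (source / "clients.txt").write_text("Acme Ltd\nKampala Traders\n")
        backup_dir = Path(tmp) / "offline_copy"  # stands in for the detached drive
        archive = create_backup(source, backup_dir, "accounts-daily")
        good = verify_restore(archive, source)
        # Simulate bit rot or tampering: flip one byte, the test must now fail.
        data = bytearray(archive.read_bytes())
        data[-1] ^= 0xFF
        archive.write_bytes(data)
        return good and not verify_restore(archive, source)


if __name__ == "__main__":
    print("restore test passed" if demo() else "restore test FAILED")
```

The point of the checksum sidecar is that it is written at backup time and compared at restore time, so silent corruption on the backup media is caught before you rely on it; the member check before extraction is there because restoring an archive an attacker may have touched is itself a risk.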

b) Weak passwords reused across accounts

(i) The receptionist uses “123456” for email, social media, and the admin panel. One leaked password then opens all three.

(ii) Fix: Enforce long, unique passwords for every account. Use a password manager such as Bitwarden or 1Password so staff never have to remember, and therefore never reuse, them.

c) No two-factor authentication (2FA)

(i) One password is never enough. Passwords leaked in other breaches are sold on dark-web markets, and attackers try them against your accounts.

(ii) Fix: Turn on 2FA for every critical account: email, finance, and admin consoles. Prefer an authenticator app or a hardware security key to SMS codes where the service supports it, since SMS codes can be intercepted through SIM swapping.

d) No cybersecurity training for staff

(i) Most attacks succeed because someone clicked a link or opened an attachment they should not have.

(ii) Fix: Train staff quarterly. Teach them to spot phishing emails and fake invoices, especially requests to change bank details, and run simulated phishing tests to measure whether the training sticks. At the Institute of Forensics & ICT Security, we provide affordable training solutions for enterprises. Visit www.forensicsinstitute.org to learn more.

e) Using pirated or outdated software

(i) Attackers exploit old software with publicly known vulnerabilities, often within days of a patch being released. Pirated copies are worse: they cannot receive vendor updates and frequently come bundled with malware.

(ii) Fix: Use licensed software. Enable automatic updates wherever possible. Schedule patch management for everything else (operating systems, browsers, office suites, routers) and keep an inventory so nothing is forgotten.

f) No firewall or antivirus monitoring

(i) Installing antivirus and never checking its alerts is like locking the door and leaving the key outside.

(ii) Fix: Get active threat monitoring so that alerts are actually reviewed and acted on. At a minimum, use tools like Sophos or ESET, keep them updated, and check the console weekly.

g) Poor email security settings

(i) Without email authentication records, anyone can send mail that appears to come from your domain and use it to trick your clients and your own staff.

(ii) Fix: Publish SPF, DKIM, and DMARC records for your domain. SPF lists the servers allowed to send for you, DKIM signs outgoing mail, and DMARC tells receivers what to do with messages that fail both. Start DMARC at p=none to collect reports, then move to quarantine and finally reject. Your hosting or email provider can help.
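
An audit of the three records, as an added example (not code from the original post): it parses SPF, DKIM and DMARC TXT records and flags the settings that still leave spoofing possible. The records are constructed samples for the placeholder domain example.com and the mail host name is invented; for your own domain you would fetch the strings with `dig TXT example.com`, `dig TXT <selector>._domainkey.example.com` and `dig TXT _dmarc.example.com` and pass them to these functions.

```python
"""Added example, not from the original post: flag weak SPF, DKIM and DMARC
settings. All records below are constructed samples, not real DNS data."""
import re

# SPF terms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation).
_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _tags(record: str) -> dict[str, str]:
    """Parse 'k=v; k=v' tag lists as used by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record: str) -> list[str]:
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    mechanisms = [t.lower() for t in terms[1:]]
    all_terms = [m for m in mechanisms if m.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' term: mail from unlisted servers is neither passed nor failed")
    elif all_terms[-1] in ("all", "+all"):
        findings.append("'+all' authorises every server on the internet to send as your domain")
    elif all_terms[-1] == "?all":
        findings.append("'?all' is neutral: spoofed mail does not fail SPF")
    # Counts only top-level terms; nested include: records add to the real total.
    lookups = sum(1 for m in mechanisms
                  if re.split(r"[:/=]", m.lstrip("+-~?"), 1)[0] in _LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10, receivers return permerror")
    return findings


def audit_dkim(record: str) -> list[str]:
    tags = _tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but if present must be DKIM1
        return ["not a DKIM key record: v= must be DKIM1 when present"]
    if not tags.get("p"):
        findings.append("empty p= tag means the key is revoked, signed mail will fail")
    if "y" in tags.get("t", ""):
        findings.append("t=y testing flag set, receivers may ignore DKIM failures")
    return findings


def audit_dmarc(record: str) -> list[str]:
    tags = _tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: must start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none only monitors, spoofed mail is still delivered: "
                        "fine while collecting reports, then move to quarantine/reject")
    if "rua" not in tags:
        findings.append("no rua= address, you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    return findings


def audit_domain(records: dict[str, str]) -> dict[str, list[str]]:
    return {"spf": audit_spf(records["spf"]),
            "dkim": audit_dkim(records["dkim"]),
            "dmarc": audit_dmarc(records["dmarc"])}


# Constructed sample records for example.com (the mail host is invented).
WEAK = {
    "spf": "v=spf1 include:_spf.mailhost.example +all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=",
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 mx include:_spf.mailhost.example -all",
    "dkim": "v=DKIM1; k=rsa; p=PUBLICKEYBASE64",  # placeholder for the base64 public key
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_domain(recs))
```

`~all` (softfail) is deliberately not flagged: with DMARC enforcing, it is a common and acceptable choice. DKIM itself cannot be fully checked offline, since verifying a signature needs a signed message and the published key, so the DKIM audit only catches the record-level mistakes (revoked key, testing flag).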

h) Shared accounts with admin rights

(i) Everyone signs in with the same account. No log ties an action to a person. No accountability.

(ii) Fix: Give every person their own account. Grant only the access the job needs, enforce role-based access control, and use admin rights for admin tasks only, never for day-to-day email and browsing.
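
The difference between a shared login and named accounts with roles, as an added example (not code from the original post): a minimal role-based access check that records every decision against the account that asked, so the "who changed the bank details?" question has an answer. Users, roles, permission names and the scenarios are constructed sample data, not a real system.

```python
"""Added example, not from the original post: role-based access control with
an audit trail, contrasting a shared admin login with per-person accounts."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Each role carries only the permissions that job needs (least privilege);
# nobody gets everything just because it is convenient. Constructed sample roles.
ROLE_PERMISSIONS = {
    "reception": {"calendar:read", "calendar:write", "contacts:read"},
    "accountant": {"invoices:read", "invoices:write", "bank:update"},
    "it-admin": {"users:manage", "backups:restore"},
}


@dataclass
class Authorizer:
    user_roles: dict[str, set[str]]
    audit_log: list[dict] = field(default_factory=list)

    def permissions_for(self, user: str) -> set[str]:
        roles = self.user_roles.get(user, set())
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

    def authorize(self, user: str, permission: str) -> bool:
        """Decide, and record the decision against the account that asked."""
        allowed = permission in self.permissions_for(user)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user, "permission": permission, "allowed": allowed,
        })
        return allowed

    def who_exercised(self, permission: str) -> list[str]:
        """The accountability question after an incident: which accounts did this?"""
        return [e["user"] for e in self.audit_log
                if e["permission"] == permission and e["allowed"]]


def shared_account_scenario() -> list[str]:
    """Everyone signs in as 'admin', which holds every role; the log can only say 'admin'."""
    auth = Authorizer({"admin": set(ROLE_PERMISSIONS)})
    for _person in ("receptionist", "accountant", "intern"):  # three people, one login
        auth.authorize("admin", "bank:update")
    return auth.who_exercised("bank:update")


def named_account_scenario() -> tuple[bool, bool, list[str]]:
    """One account per person, one role each; the log names the individual."""
    auth = Authorizer({"alice": {"reception"}, "bob": {"accountant"}, "carol": {"it-admin"}})
    alice_bank = auth.authorize("alice", "bank:update")  # denied: not her job
    bob_bank = auth.authorize("bob", "bank:update")      # allowed and attributed to bob
    auth.authorize("carol", "bank:update")               # IT admin rights are not finance rights
    return alice_bank, bob_bank, auth.who_exercised("bank:update")


if __name__ == "__main__":
    print("shared login, who changed bank details:", shared_account_scenario())
    print("named logins (alice allowed, bob allowed, who):", named_account_scenario())
```

With the shared login the audit trail is technically complete and practically useless: three different people, one name. With named accounts the same log answers the question directly, and the receptionist's compromised password cannot touch the bank details at all.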

i) No incident response plan

(i) Something goes wrong and everyone panics. No one knows what to do.

(ii) Fix: Draft a simple cyber incident plan. Include who to call (inside the business and outside it), how to isolate affected machines (disconnect them from the network, but do not wipe them before the cause is understood), and how to recover from backups. Keep a printed copy; you may not be able to open the file on an encrypted laptop.

j) Ignoring mobile devices and Wi-Fi networks

(i) Staff connect personal phones and laptops to the office Wi-Fi, on the same network as the file server and the accounting system. No control.

(ii) Fix: Put visitor and personal devices on a separate guest network. Use WPA2 or WPA3 with a strong passphrase on the staff network and change the router's default admin password. Secure company mobile devices with screen locks, full-disk encryption, and remote wipe.

In 2023 alone, over UGX 12 billion was lost in Uganda to preventable cyber incidents, most of it in small businesses.

You don’t need a cybersecurity budget of $100,000. You need discipline.

Start with backups. Then train your people. That alone stops 80% of attacks.

© 2025 All rights reserved Institute of Forensics and ICT Security | IFIS is the training arm of Summit Consulting Ltd