In early 2025, a small but vital South African enterprise that supplied goods or services to local communities was struck by a crippling ransomware attack that rendered its systems unusable for days. Though not a household name, the firm's operations ground to a halt: invoices stalled, client communications went dark, and manual processes couldn't keep pace.
When Size Isn't Protection
Despite its modest footprint, the company became a target because of weak staff training, outdated software, and insufficient backups: common weaknesses cited in recent studies. According to a Sophos report, 58% of South African businesses pointed to a lack of expertise, and 53% admitted to unknown defence gaps, as root causes of successful ransomware attacks.
A ransom demand landed in cryptocurrency. With crucial files encrypted and no tested fallback, leaders faced a choice: pay up or potentially collapse.
A Price Too High
The ransom request mirrored national averages, clocking in at around R17 million, while actual payouts averaged R8 million, a burden devastating for a modest firm. The firm also incurred R23–24 million in recovery costs: IT restoration, forensic experts, lost sales, and emergency staff hours.
Legal and Regulatory Crosscurrents
Although SMEs aren't often scrutinised as critical infrastructure, they're still bound by POPIA obligations: safeguarding personal data and notifying the Information Regulator and affected individuals if a breach occurs. The company had to engage legal counsel and initiate forensic investigations to assess whether client data was compromised.
While South Africa’s Cybercrimes Act and data protection legislation gave investigators legal powers, fragmented enforcement means small businesses frequently navigate these obligations with limited support.
The Human Toll
Behind the figures lies a human story: the IT team worked sleepless nights. Anxiety soared: 47% of SA firms in Sophos surveys reported increased pressure and stress after ransomware hits. Customer trust frayed as service delays mounted, and reputation suffered.
Lessons and a Stark Call to Arms
This small business saga underscores key failings and urgent priorities:
- Regular backups and resilience testing must be mandatory, not optional features.
- Staff training on phishing and credential security is essential.
- Legal preparedness, including breach protocols under POPIA and the Cybercrimes Act, must be embedded in business culture.
- SMEs should consider professional cybersecurity and incident-response support.
Small is no shield. Ransomware spares no business size, and the costs are rising. As Sophos reveals, 60% of SA firms had data encrypted, compared to a 50% global average, with ransom demands tripling year-on-year.
Written by Mark Grunebaum – Entropisec