
577 Attacks Per Hour: The Cybersecurity Crisis SA SMEs Are Ignoring

SA SMEs are being hit with 577 cyber attack attempts per hour. The R2.2 billion annual cost, the five common vulnerabilities, and what real security looks like.

By Peet Stander · Published 16 April 2026 · 6 min

Right now, SA SMEs are being hit with 577 cyber attack attempts per hour. Most of them don't know it.

Not 577 per day. Per hour. Every hour. While you're in a client meeting, eating lunch, or lying awake worrying about cash flow — automated systems are probing your website, your email server, and your staff's credentials looking for a way in.

This isn't theory. This is the documented reality of operating a business online in South Africa in 2026. And the response from most SME owners, when they hear this number, is a shrug and something like: "We're too small. They're not coming for us."

That shrug is costing the South African economy R2.2 billion a year.


The Myth: "We're Too Small to Be a Target"

It sounds reasonable. Why would a sophisticated criminal operation waste time on a 12-person accounting firm in Centurion when there are banks and corporates sitting right there?

Because that's exactly backwards.

Cybercriminals are not targeting your business specifically. They're running automated scans across millions of websites simultaneously, looking for the path of least resistance. They don't care whether you turn over R2 million or R200 million. They care whether your WordPress admin panel has a default password. They care whether your SSL certificate expired. They care whether you're running plugins that haven't been updated since 2022.

Big companies have security teams. Government entities have compliance mandates. Banks have entire departments dedicated to nothing else.

You have a to-do list.

That's what makes you a target. Not your size. Your defences — or the lack of them.


What the Data Actually Says

577 cyber attack attempts per hour are directed at South African SMEs.

R2.2 billion is the estimated annual loss to South African businesses from cybercrime — ransomware payments, recovery costs, lost revenue during downtime, and reputational damage.

1 in 3 SA SMEs have been directly targeted by a cyber attack.

The specific attack types hitting SA SMEs right now:

  • Ransomware — attackers encrypt your data and demand payment to restore access. Downtime runs from days to weeks.
  • Phishing — employees receive emails that look legitimate and hand over credentials. One click, one compromised staff member, full network access granted.
  • Credential theft — automated tools test millions of username/password combinations against login pages.
  • Malware injection — malicious code embedded in your website that steals visitor data, redirects traffic, or turns your site into a spam launcher.

Why SMEs Are Actually the Preferred Target

Less security investment. Large enterprises spend millions on security infrastructure and dedicated staff. SMEs typically spend close to nothing. The attack surface is the same size — but the defences are incomparably weaker.

Genuinely valuable data. SMEs hold customer payment information, personal data, supplier contracts, and employee records. Under POPIA, you are legally responsible for that data.

Gateway to bigger targets. If your SME is a supplier or service provider to a larger enterprise, your compromised credentials become the backdoor that attackers use to reach the bigger organisation.

Easy entry points. Most SME websites are built on standard platforms — WordPress, Wix, Shopify — and run standard plugins. The vulnerabilities in these systems are publicly documented.


The Five Most Common Vulnerabilities in SA SME Websites

  • Shared hosting with no isolation. Many entry-level hosting plans put hundreds of websites on the same server. If one site on that server gets compromised, the compromise can spread to the others.
  • Outdated CMS plugins and themes. A plugin that hasn't been updated in six months is a documented vulnerability waiting to be used.
  • No SSL/HTTPS. If your website still runs on HTTP, any data passing between your visitors and your site is transmitted in plain text.
  • Weak admin passwords and no two-factor authentication. Credential-stuffing attacks test thousands of combinations per second. A weak password falls in minutes.
  • No backup plan. If your site gets hit by ransomware and you have no recent backup, your options are pay the ransom (with no guarantee), rebuild from scratch, or accept the loss.

What Secure Web Development Actually Looks Like

We build security in from day one. Not bolted on after.

That distinction matters more than it might seem. Bolted-on security is reactive. It patches individual holes without addressing the underlying architecture. It's the equivalent of building a house and then installing a lock on the door as an afterthought, while leaving the windows unframed.

Built-in security starts from decisions made before a line of code is written: which hosting infrastructure to use, how the database is structured, how authentication is handled, what update cadence is built into the maintenance contract.

When you're evaluating a web developer or agency, ask these specific questions:

  • "Do you provide HTTPS as standard?" If the answer is anything other than yes, walk away.
  • "What's your update and patch cadence for CMS plugins?" A responsible developer will have a documented schedule — monthly at minimum, with critical patches applied immediately.
  • "What does backup and recovery look like if we get hit?" Automated daily backups, stored off-server, with a tested restoration process.
  • "How is admin access controlled?" Strong password requirements, two-factor authentication, and role-based access control should all be standard.
  • "What happens if there's a breach?" A serious developer has a documented incident response process. An amateur has a shrug.

The right answer to all five of these questions is not expensive. It's built into a professional development process. If your current website can't answer these questions, you're operating with an open window.


Every site we build includes HTTPS, a defined patch schedule, proper backup architecture, access controls, and an incident process — see our web development service or start a project.

Peet Stander

Founder & Principal Engineer

Writes the build notes, ships the code, answers the email. Based in Pretoria, working with clients globally.
