577 Attacks Per Hour: The Cybersecurity Crisis SA SMEs Are Ignoring
Right now, SA SMEs are being hit with 577 cyber attack attempts per hour. Most of them don't know it.

Not 577 per day. Per hour. Every hour. While you're in a client meeting, eating lunch, or lying awake worrying about cash flow — automated systems are probing your website, your email server, and your staff's credentials looking for a way in.
This isn't theory. This is the documented reality of operating a business online in South Africa in 2026. And the response from most SME owners, when they hear this number, is a shrug and something like: "We're too small. They're not coming for us."
That shrug is costing the South African economy R2.2 billion a year.
The Myth: "We're Too Small to Be a Target"
It sounds reasonable. Why would a sophisticated criminal operation waste time on a 12-person accounting firm in Centurion when there are banks and corporates sitting right there?
Because that's exactly backwards.
Cybercriminals are not targeting your business specifically. They're running automated scans across millions of websites simultaneously, looking for the path of least resistance. They don't care whether you turn over R2 million or R200 million. They care whether your WordPress admin panel has a default password. They care whether your SSL certificate expired. They care whether you're running plugins that haven't been updated since 2022.
Big companies have security teams. Government entities have compliance mandates. Banks have entire departments dedicated to nothing else.
You have a to-do list.
That's what makes you a target. Not your size. Your defences — or the lack of them.
What the Data Actually Says
Let's put the numbers on the table.
577 cyber attack attempts per hour are directed at South African SMEs. That figure comes from analysis of network traffic patterns across the local SME landscape, and it should stop you mid-sentence the first time you hear it.
R2.2 billion is the estimated annual loss to South African businesses from cybercrime. That number includes ransomware payments, recovery costs, lost revenue during downtime, and reputational damage that's harder to quantify but no less real.
1 in 3 SA SMEs have been directly targeted by a cyber attack. Which means if you haven't been hit yet, you're statistically in the minority — and that minority is shrinking.
The specific attack types hitting SA SMEs right now:
- Ransomware — attackers encrypt your data and demand payment to restore access. Downtime runs from days to weeks. Recovery, even with a ransom paid, is not guaranteed.
- Phishing — employees receive emails that look legitimate and hand over credentials. One click, one compromised staff member, full network access granted.
- Credential theft — automated tools test millions of username/password combinations against login pages. If your admin password is "admin123" or "Passw0rd", this takes seconds.
- Malware injection — malicious code embedded in your website that steals visitor data, redirects traffic, or turns your site into a spam launcher without you knowing.
And the final data point that should land hardest: despite all of this, only a fraction of SA SMEs treat cybersecurity as a core operational requirement — in the same category as accounting, legal compliance, or insurance.
Most treat it as an afterthought. Or they don't treat it at all.
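One way to see the credential-testing traffic described above in your own web server access log, as an added example (not code from the original article or its author). The common log format, a stock WordPress login page at /wp-login.php, the three-failures-per-hour threshold and the constructed sample lines are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in common access-log format (not real traffic);
# the addresses come from the reserved documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:09:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [12/Mar/2026:09:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [12/Mar/2026:09:00:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [12/Mar/2026:09:00:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [12/Mar/2026:09:00:05 +0200] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [12/Mar/2026:09:14:40 +0200] "GET /wp-login.php HTTP/1.1" 200 4100
198.51.100.20 - - [12/Mar/2026:09:15:02 +0200] "POST /wp-login.php HTTP/1.1" 200 4312
198.51.100.20 - - [12/Mar/2026:09:15:30 +0200] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [12/Mar/2026:10:02:11 +0200] "GET /contact HTTP/1.1" 200 9120
"""

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATH = "/wp-login.php"  # assumed login endpoint

def login_events(log_text):
    """Yield (hour, ip, succeeded) for each POST to the login page."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != LOGIN_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Assumption: stock WordPress answers a bad password with 200 (form
        # re-rendered) and a good one with a 302 redirect.
        yield ts.strftime("%Y-%m-%d %H:00"), m["ip"], m["status"] == "302"

def audit(log_text, threshold=3):
    """Return sources with >= threshold failed logins in one hour."""
    failures, breached = Counter(), set()
    for hour, ip, ok in login_events(log_text):
        if not ok:
            failures[(hour, ip)] += 1
        elif failures[(hour, ip)] >= threshold:
            breached.add((hour, ip))  # success after a burst of failures, same hour
    return [{"hour": h, "ip": ip, "failed": n, "then_succeeded": (h, ip) in breached}
            for (h, ip), n in sorted(failures.items()) if n >= threshold]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A finding with `then_succeeded` set is the one to act on first: a login that worked straight after a run of failures from the same source is a reason to reset that account's password and review what the session did.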
Why SMEs Are Actually the Preferred Target
The logic here is straightforward, even if it feels counterintuitive.
Less security investment. Large enterprises spend millions on security infrastructure and dedicated staff. SMEs typically spend close to nothing. The attack surface is the same size — a website is a website, an email server is an email server — but the defences are incomparably weaker.
Genuinely valuable data. SMEs hold customer payment information, personal data, supplier contracts, and employee records. Under POPIA, you are legally responsible for that data. Under reality, that data is worth money to someone who wants to sell it or extort you with it.
Gateway to bigger targets. This one surprises people. If your SME is a supplier or service provider to a larger enterprise, your compromised credentials become the backdoor that attackers use to reach the bigger organisation. You're not the target. You're the door.
Easy entry points. Most SME websites are built on standard platforms — WordPress, Wix, Shopify — and run standard plugins and integrations. The vulnerabilities in these systems are publicly documented. An automated tool can run through a known vulnerability list in minutes. If you haven't patched, you're in.
The criminal calculus is simple: why spend resources cracking a vault when the SME next door left a window open?
The Five Most Common Vulnerabilities in SA SME Websites
These aren't obscure technical exploits. These are the basics that get businesses compromised every day.
1. Shared hosting with no isolation
Many entry-level hosting plans put hundreds of websites on the same server. If one site on that server gets compromised, it can spread to others. You have no control over your neighbours' security hygiene — but you share their exposure.
2. Outdated CMS plugins and themes
WordPress alone powers over 43% of websites globally. Its plugins are also among the most frequently exploited attack surfaces in existence. A plugin that hasn't been updated in six months is a documented vulnerability waiting to be used. Most SMEs don't know which plugins they're running, let alone when they were last updated.
3. No SSL/HTTPS
If your website still runs on HTTP rather than HTTPS, you're operating without a basic lock on the front door. Any data passing between your visitors and your site — including contact form submissions, login credentials, and payment information — is transmitted in plain text, readable by anyone positioned between the user and the server.
4. Weak admin passwords and no two-factor authentication
"Password123", the business name, or the owner's surname are consistently among the most common credentials found in breach analyses. Credential-stuffing attacks test thousands of combinations per second. A weak password falls in minutes. No two-factor authentication means a stolen password is sufficient for full access.
5. No backup plan
This is the one that turns an incident into a catastrophe. If your site gets hit by ransomware or malicious code injection and you have no recent backup, your options are to pay the ransom (with no guarantee of recovery), attempt to rebuild from scratch, or accept the loss. Most SMEs discover their backup situation at the worst possible moment.
What Secure Web Development Actually Looks Like
There's a line we use at Partners in Biz that's worth understanding: we build security in from day one. Not bolted on after.
That distinction matters more than it might seem.
Bolted-on security is what happens when a website is built with no security framework and then handed a plugin or tool at the end to "handle" it. It's reactive. It patches individual holes without addressing the underlying architecture. It's the equivalent of building a house and then installing a lock on the door as an afterthought, while leaving the windows unframed.
Built-in security starts from decisions made before a line of code is written: which hosting infrastructure to use, how the database is structured, how authentication is handled, what update cadence is built into the maintenance contract.
When you're evaluating a web developer or agency, ask these specific questions:
- "Do you provide HTTPS as standard?" If the answer is anything other than yes, walk away. HTTPS is not optional in 2026. It is the floor.
- "What's your update and patch cadence for CMS plugins?" A responsible developer will have a documented schedule — monthly at minimum, with critical patches applied immediately. "We update them when we remember" is the wrong answer.
- "What does backup and recovery look like if we get hit?" You want to hear: automated daily backups, stored off-server, with a tested restoration process. You do not want to hear: "we can do that if you want."
- "How is admin access controlled?" Strong password requirements, two-factor authentication, and role-based access control (only the people who need access have it) should all be standard.
- "What happens if there's a breach?" A serious developer has a documented incident response process. An amateur has a shrug.
The right answer to all five of these questions is not expensive. It's built into a professional development process. If your current website can't answer these questions, you're operating with an open window.
The Only Acceptable Next Step
The 577 attacks per hour aren't going to stop because you decided not to think about it. The R2.2 billion in annual losses isn't going to reverse because your business is small.
What changes the picture is building websites and digital infrastructure that treat security as a first principle — not a feature request, not an add-on, not something to deal with later.
We build security in from day one. Not bolted on after.
Every site we build includes HTTPS as standard, a defined update and patch schedule, proper backup architecture, access controls, and an incident process. These aren't upsells. They're the baseline of professional web development.
If your current site was built without these foundations — or if you're not sure whether it was — that's the conversation to have before the 578th attempt gets through.