A Johannesburg logistics business. Twelve staff. A polished website. A healthy client roster. And, tucked inside the founder’s laptop, a folder called “Staff” containing every payslip, ID copy and banking detail the company had ever processed. No password. No encryption. No backup.
“I knew it was wrong,” the founder admits. “But we’d always done it that way. It was only when my laptop got stolen that I understood what we’d been sitting on.”
This is not an unusual story. It is, according to the Kantar Velocity Report commissioned in early 2026, the norm. The study – one of the most detailed examinations of South Africa’s SME connectivity and operational reality to date – found businesses across the size spectrum running on infrastructure that belongs in another decade. Paper files. Pay slips on desktops. Client records in unlocked shared folders. No VPN. No firewall. No cloud. And no clear sense of what it’s costing them – until something goes wrong.
The stakes are higher than most SMEs realise
The numbers are stark. South African SMEs face 143% more cyber attacks per user than larger firms – precisely because they are seen as softer targets. The average SME spends just R388 per employee on cyber security annually, against R3 195 at large companies. Seventy-eight percent of phishing attempts succeed against untrained staff. And 22% of SA SMEs hit by ransomware shut down entirely.
South Africa holds third position globally for cyber crime. The average data breach costs an estimated R43 million – a figure that would end most small businesses outright.
Then there is POPIA. The Protection of Personal Information Act entered a sharper enforcement phase in 2025, with random SME audits now under way and fines reaching up to R10 million. In 2024 alone, the Information Regulator issued over R4 million in fines to small businesses. The most dangerous misconception: 65% of South African SMEs wrongly believe POPIA applies only to digital records. It does not. Every paper payslip in an unlocked filing cabinet, every ID copy in a manila folder – all of it is in scope.
The commercial penalty compounds the legal one. Many larger South African companies now refuse to work with SME suppliers who cannot demonstrate a cyber security programme – meaning the filing cabinet problem does not just create legal exposure, it closes doors. “If the internet goes down, the business stops,” one SME leader reported.
This isn’t a discipline failure
It would be easy to frame South Africa’s SME ICT problem as a failure of intent. The Kantar Velocity Report argues otherwise. Most of these shortfalls are downstream of something more structural: unreliable connectivity that makes cloud tools unusable, forces data back onto local machines, and means security updates never get pushed. When the internet drops multiple times a day – and for many businesses, it does – the path of least resistance is the desktop folder.
The Velocity Report found that South African SMEs do not experience downtime as a technical inconvenience. They experience it as a business failure – a direct hit to sales, payments, bookings and credibility. One dropped signal. One failed card machine. One WhatsApp message that never arrived.
FinScope’s MSME 2024 survey reinforces how thin the margin is: over 55% of South Africa’s roughly 3 million SMEs may not survive 12 months without infrastructure support.
Critically, the report found that SMEs differ not by size but by digital maturity – a spectrum running from an informal trader whose entire operation runs through a single WhatsApp account, to the medium enterprise managing multiple sites and cloud-based systems. What every point on that spectrum shares, the research found, is the same three priorities: reliability above all, then simplicity, then affordability. Not features. Not bundles. Reliability, simplicity and a human being to call.
The confession is where the upgrade begins
Cell C Business has rebuilt its SME offering around exactly that insight – tiered solutions matched to where businesses actually are, from SOHO operators needing reliable fibre and mobile voice, to medium enterprises requiring cloud PBX and multisite connectivity. The underlying conviction: nothing should stop a South African business because of connectivity.
“SMEs cannot afford downtime, not even for a moment,” says Chris Lazarus, Cell C’s Chief Officer for Sales, Regions and Customer Care. “We’ve redesigned our entire SME offering around reliability, simplicity and human support – because that’s what businesses told us they actually need.”
The logistics founder has moved everything to a POPIA-compliant cloud platform. Staff use a VPN. The folder called “Staff” no longer exists. “It took something going wrong,” he says. “But it shouldn’t have to.”
By the numbers
143% – more cyber attacks per user targeting South African SMEs versus large firms.
R43 million – average cost of a data breach in South Africa.
22% – South African SMEs that shut down entirely after a ransomware attack.
65% – SMEs that wrongly believe POPIA applies only to digital records.
R10 million – maximum POPIA fine for non-compliance.
55%+ – South African SMEs that may not survive 12 months without infrastructure support.
Visit cellc.co.za/business to find the right solution for your SME.
Share
