Cisco report highlights cybersecurity readiness gap among South African SMBs

Limited digital skills and fragmented security systems are leaving smaller businesses exposed to evolving cyber risks.

Small and medium-sized businesses (SMBs) in South Africa continue to face significant cybersecurity challenges, according to new findings from Cisco’s Cybersecurity Readiness Index 2025. The report shows that fewer than 4% of local SMBs demonstrate a mature level of preparedness against cyber threats, a lower rate than the 6% recorded among larger enterprises.

The data indicates that a shortage of skilled cybersecurity professionals remains one of the main barriers to resilience. About 79% of SMBs and 76% of larger firms reported a lack of qualified personnel capable of managing and responding to digital threats.

Cyberattacks in South Africa are becoming more complex and diverse, ranging from phishing and ransomware to AI-driven intrusions targeting business networks. Many smaller companies lack the resources to implement comprehensive defences, and a large portion underestimate their exposure to cyber risks.

Maritza van Wyk, Leader of Sales for SMB at Cisco Africa, said that the widening gap in preparedness leaves smaller organisations particularly exposed.

“Decision-makers need to move beyond basic protection measures, as AI-powered attacks are increasingly sophisticated and harder to detect. The consequences of a successful breach can be operational, legal and financial,” she explained.

According to Cisco’s survey, 46% of South African SMBs experienced a cyber incident in the past two years, compared with 63% of large companies. Yet despite this exposure, many smaller organisations still invest less in security technologies. Only 28% of local SMBs reached the second-highest stage of cybersecurity readiness, compared to 47% of larger enterprises.

While most businesses acknowledge the importance of modernising their systems, fewer are taking concrete steps. About 61% of SMBs plan to upgrade existing security solutions, versus 71% among larger companies. Similarly, only 48% of smaller firms intend to invest in AI-based protection tools, compared to 58% of larger peers.

The report also found that 72% of SMBs believe their current defences are sufficient, despite evidence to the contrary. Van Wyk noted that such overconfidence can delay crucial improvements and increase the potential impact of attacks.

“Without proactive preparation, even a single incident can cause long-term disruption and reputational harm,” she said.

Cisco’s research highlights another structural issue: the growing complexity of security environments. Nearly four in ten SMBs operate between 11 and 40 different security solutions, and a smaller segment use more than 70. This fragmented landscape, according to Cisco, often reduces overall effectiveness and increases management burden.

Still, there are signs of progress. Most organisations , 96% of SMBs and 98% of larger firms, plan to recruit or train cybersecurity talent over the next year. For Cisco, the path to stronger resilience lies in aligning technology investments with skills development and system simplification.

“True resilience begins with understanding the risks, building the right capabilities, and ensuring that defences work cohesively when they are needed most,” van Wyk concluded.