
Cybersecurity for Botswana Businesses: A Practical Guide

A plain-English cybersecurity guide for Botswana businesses — the real threats, the few controls that stop most attacks, and what the Data Protection Act expects of you.

Apjakal IT Solutions · 5 min read

There is a comforting belief among smaller businesses in Botswana that cybercriminals only go after banks, government and big corporations. It is wrong, and it is dangerous. The overwhelming majority of attacks are automated: software that scans the entire internet looking for a weak password, an out-of-date system, or a person who can be tricked into clicking the wrong link. That software does not know or care how big you are.

This guide cuts through the noise. It covers the threats that actually cause damage to businesses here, the small set of controls that stop most of them, and what your legal obligations are now that Botswana has a Data Protection Act. None of it requires an enterprise budget — most of it requires deciding it matters before something goes wrong.

The threats that actually hit businesses here

Forget the Hollywood image of a hooded hacker targeting you personally. The real risks are mundane and common:

  • Phishing — a convincing email or message that tricks someone into handing over a password or approving a payment. Still the single most common way in.
  • Ransomware — malicious software that encrypts your files and demands payment to unlock them. Devastating if your only backup is connected to the machine that gets hit.
  • Account takeover — an attacker logs in with a stolen or reused password. If you reuse passwords across services, one breach elsewhere becomes a breach of your business.
  • Lost and stolen devices — a laptop or phone taken in a break-in or left in a car. If it is not encrypted and password-protected, everything on it is exposed.
  • Insider mistakes — by far the most frequent: someone emails the wrong file, falls for a scam, or misconfigures a setting.

Notice how few of these are sophisticated. They succeed because of missing basics, not genius attackers.

The handful of controls that stop most attacks

Security has a useful 80/20 rule: a small number of basic controls prevent the large majority of real incidents. Get these right before spending money on anything fancier.

1. Multi-factor authentication (MFA), everywhere

If you do one thing, do this. MFA requires a second proof of identity — usually a code from a phone app — on top of the password. It is free or near-free on every major platform and stops the great majority of account-takeover attacks, because a stolen password alone is no longer enough. Turn it on for email first (email is the master key that resets every other password), then every administrator account, then anything holding customer or financial data.

2. Strong, unique passwords — managed properly

Reused passwords are a gift to attackers. When one service is breached, criminals try the same email and password everywhere else. The fix is a password manager: it generates and remembers a strong, unique password for every account so your people do not have to. It is one of the highest-value, lowest-cost tools a business can adopt.

3. Keep everything updated

Most successful attacks walk through a door that a software update would have closed. Turn on automatic updates for operating systems, browsers and key applications. Unpatched software is the most reliable way in that attackers have.

4. Least-privilege access

Give each person the minimum access they need, and no more. When everyone is an administrator, a single compromised account becomes a company-wide breach. Review who can access what, and remove access the day someone leaves.

5. Back up — off-site and tested

Ransomware, theft, fire and simple mistakes all end the same way without a good backup. Keep an automated, off-site copy of your data that is isolated from your live systems, and — crucially — test that you can actually restore it. A backup you have never restored is a hope, not a safeguard. We cover this in depth in our cloud backup and disaster recovery guide.

6. Train your people

Technology stops most attacks; people stop the rest. The most common entry point is still a convincing message that persuades someone to hand over a password or approve a payment. A short, regular conversation about how to spot phishing and what to do if they slip up is one of the highest-value security investments a small business can make.

Security in the cloud is mostly your job

Many Botswana businesses now run email and core systems in the cloud, and assume that hands the security problem to the provider. It does not. The big platforms secure their infrastructure superbly, but how you configure access, who can reach what, and whether your accounts have MFA is entirely on you — and that is where almost every breach actually happens. We unpack this in our guide to cloud security best practices.

You now have a legal duty, too

Since the Botswana Data Protection Act, 2018, security is not only good practice — it is a legal obligation. If you hold personal information about customers, staff or suppliers, you are expected to keep it secure and use it responsibly. A breach is no longer just an operational problem; it is a compliance one. Our Data Protection Act compliance guide explains what that means in practice for a normal business.

Where to start

If this feels like a lot, start with the two that cost nothing and stop the most: turn on MFA everywhere, and get a password manager in use across the team. Then patch, tighten access, sort out tested backups, and talk to your staff. That sequence closes the doors that the vast majority of real-world attacks walk through.

If you would like a straight, jargon-free assessment of where your business actually stands — and a prioritised list of what to fix first — that is exactly what our security and compliance service is for.


Frequently asked questions

Is my small business really a target for cyberattacks?

Yes. The majority of attacks are automated and indiscriminate — they scan the internet for weak passwords, unpatched systems and people who can be tricked, regardless of company size. Small businesses are often hit precisely because they assume they are too small to matter and skip basic protections.

What is the single most valuable thing I can do for security?

Turn on multi-factor authentication (MFA) everywhere, starting with email and any administrator accounts. It is free or near-free and stops the large majority of account-takeover attacks, which rely on a stolen or guessed password alone.

Do I need expensive security software to be protected?

No. The controls that prevent most real-world incidents — MFA, strong unique passwords, patching, least-privilege access, backups and staff awareness — are mostly about configuration and discipline, not expensive tools. Spend on protection only after the free fundamentals are in place.

Does the Botswana Data Protection Act apply to my business?

If you hold personal information about customers, staff or suppliers — names, contacts, ID numbers, financial details — then yes, the Data Protection Act, 2018 applies to you. It expects you to keep that information secure and to use it responsibly. See our dedicated guide for what compliance involves in practice.
