Skip to content
Infosencia

Cybersecurity & IT Risk

A Practical Cybersecurity Checklist for Kenyan SMEs

A no-jargon cybersecurity checklist Kenyan small and medium businesses can act on this week, covering accounts, backups, payments, data protection, and staff.

Business owners and operations teams13 min read2026-07-16

Most small businesses in Kenya are not breached by sophisticated hackers. They are breached by a reused password, an unmanaged admin account, a missing backup, or a staff member clicking a convincing link. The good news is that the fixes are mostly cheap, fast, and within reach of any team, no security department required.

This is a checklist you can start working through today. It is ordered by impact, so if you only do the first section, you have already closed the doors most attacks walk through. Everything here is the same practical standard behind our cybersecurity and IT risk advisory.

Why SMEs are targeted specifically

There is a myth that attackers only go after big companies. The opposite is true. Small businesses are targeted precisely because they tend to have weaker defences and less time to notice. Attacks are mostly automated and opportunistic; they find the unlocked door, not the famous name. Understanding this is also the difference between security and general IT help, which we cover in cybersecurity vs IT support.

1. Accounts and access (start here)

This section closes the most common entry points.

  • Turn on two-factor authentication on email, hosting, domain, banking, M-PESA, and social accounts. This single step blocks the majority of account takeovers.
  • Stop sharing passwords. Give each person their own login. Shared logins mean no accountability and no clean way to remove access.
  • Remove access when people leave, the same day. Ex-staff with live accounts are a serious and common risk.
  • Use a password manager so staff can have strong, unique passwords without memorising them.
  • Know who has admin rights to your website, systems, and accounts, and keep that list short.

If you cannot currently name everyone who can access your critical accounts, that is the first thing to fix.

2. Backups (the difference between an incident and a disaster)

  • Back up automatically, not "when someone remembers."
  • Keep a copy offsite or in the cloud, separate from the main system.
  • Test a restore. A backup you have never restored is a hope, not a backup. This is the step almost everyone skips.

Ransomware and simple human error are both survivable if you have a tested backup. Without one, either can end a business.

3. Website and data

  • Use HTTPS everywhere. A secure certificate is standard, not optional.
  • Keep the website and its plugins updated. Outdated software is the most common way sites are compromised. The full walk-through is in how to secure your business website in Kenya.
  • Protect the forms and data you collect. If you gather customer information, you are responsible for it under the Kenya Data Protection Act. Collect less, protect what you keep.
  • Separate admin from public. Your website admin panel should never be casually accessible or share a password with anything else.

4. Payments and money

  • Secure your payment credentials the way you would secure cash. Never share API keys over WhatsApp or email.
  • Reconcile regularly so a problem is caught in days, not months. Payment security is as much about process as technology, which is why a proper M-PESA integration designs for failure and exceptions, not just the happy path.
  • Confirm changes to payment details out of band. A huge share of business fraud is a fake email asking you to "update" bank or till details.

5. People (your strongest or weakest control)

  • Train staff to recognise phishing. Most incidents start with a human, not a machine.
  • Make it safe to report mistakes. Someone who clicked a bad link must feel able to say so immediately. Silence is what turns a small mistake into a breach.
  • Give a name to security. Someone should own it, even part-time, so it is not everyone's job and therefore no one's.

A short, practical training session does more for most SMEs than any single piece of software, which is why we run corporate training alongside technical work.

6. Plan for the bad day

  • Know who to call if something goes wrong, before it goes wrong.
  • Write down the basics: where systems live, who has access, where backups are.
  • Decide in advance how you would communicate with customers if their data were affected.

You do not need a thick binder. A one-page plan that a stressed person can follow at 9pm is worth more than a perfect document no one can find.

How to use this checklist

Do not try to do everything at once. Work top-down: finish accounts and backups first, because they close the biggest gaps for the least effort. Then move through website, payments, people, and planning over the following weeks. Security is a rhythm, not a one-time project, a point we make in the wider technology roadmap every growing business needs.

Frequently asked questions

What is the single most important thing to do first?

Turn on two-factor authentication on your email and financial accounts, then confirm you have a tested backup. Email is the master key to almost everything else, and a tested backup is what turns a disaster into an inconvenience. If you only do two things, do these.

Do small businesses in Kenya really get attacked?

Yes, and disproportionately. Most attacks are automated and target weak configurations, not famous brands. Small businesses are attractive precisely because they are easier. The scale of the business does not protect it; its security habits do.

How much should an SME spend on cybersecurity?

Less than most people fear. The highest-impact steps, two-factor authentication, unique logins, tested backups, and staff awareness, are cheap or free. The cost is attention and discipline, not expensive tools. A focused review to prioritise the real risks is usually the best first spend.

Is antivirus enough?

No. Antivirus is one layer, and not the most important one. The gaps that actually cause incidents are weak passwords, missing two-factor authentication, poor backups, and untrained staff. Software alone does not fix any of those.

Want a clear picture of your real risks and what to fix first? A focused Infosencia review gives you a prioritised, plain-language plan, not a 200-page report you will never read. Get in touch to start.