If you run a small business in Uganda, you're a target. Not because you're special — but because attackers know small businesses have weaker defenses than banks and telcos. In 2024, the Uganda National Computer Emergency Response Team (CERT.UG) reported a 60% increase in cyberattacks on SMEs, with the average incident costing UGX 18 million in downtime, data loss and recovery. The good news: 90% of attacks can be prevented with basic hygiene. This guide covers the 7 essentials.
1. Enable Multi-Factor Authentication (MFA) — everywhere
MFA is the single highest-ROI security control. It blocks 99.9% of automated account-takeover attacks, according to Microsoft. Enable it on every account that supports it: email, banking, accounting software, cloud services, social media. For your team, use an authenticator app (Microsoft Authenticator, Google Authenticator) rather than SMS — SIM-swap attacks are common in Uganda.
SMS-based MFA is better than nothing, but it's vulnerable to SIM-swap attacks. If an attacker convinces your telco to issue a new SIM with your number, they receive your MFA codes. Use an authenticator app or hardware key instead.
2. Back up your data — and test the restores
Ransomware is the #1 threat to Ugandan SMEs. If your data is encrypted by an attacker, the only reliable recovery is from a backup that the attacker can't reach. Follow the 3-2-1 rule:
- 3 copies of your data — production + 2 backups
- 2 different media — e.g., local NAS + cloud (AWS S3, Backblaze)
- 1 copy off-site — in a different physical location or cloud region
Crucially, test your restores. A backup you've never restored from is a hope, not a backup. We recommend a monthly restore test where you recover a random sample of files and verify they open correctly.
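A restore test can be scripted so it actually runs every month. The example below is added here and is not code from the original guide: it assumes the backup is a plain directory mirror (a mounted NAS share or a local sync of a cloud bucket), samples random live files, copies each one back out of the backup into a scratch directory and compares SHA-256 hashes, which is a stronger check than "does it open". The demo fixture is constructed data, not a real ledger.

```python
import hashlib
import random
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:  # stream in 1 MiB chunks so large files don't exhaust RAM
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def restore_test(production: Path, backup: Path, sample_size: int = 20, seed=None) -> dict:
    """Pick a random sample of live files, restore each from the backup into a scratch
    directory and compare it with the live copy. Returns counts plus (file, reason) failures."""
    rng = random.Random(seed)
    live = [p.relative_to(production) for p in production.rglob("*") if p.is_file()]
    sample = rng.sample(live, min(sample_size, len(live)))
    failures = []
    with tempfile.TemporaryDirectory() as scratch:
        for rel in sample:
            source = backup / rel
            if not source.is_file():
                failures.append((rel.as_posix(), "not in backup"))
                continue
            restored = Path(scratch) / rel
            restored.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(source, restored)  # the actual restore step
            if sha256_of(restored) != sha256_of(production / rel):
                failures.append((rel.as_posix(), "backup copy differs from live copy"))
    return {"sampled": len(sample), "failed": len(failures), "failures": failures}

def demo() -> dict:
    """Constructed fixture (not real data): three live files, one stale in the backup
    and one never backed up, so the test should report exactly two failures."""
    root = Path(tempfile.mkdtemp())
    prod, bak = root / "prod", root / "backup"
    for d in (prod / "ledger", bak / "ledger"):
        d.mkdir(parents=True)
    (prod / "ledger" / "jan.csv").write_text("date,amount\n2024-01-05,120000\n")
    (bak / "ledger" / "jan.csv").write_text("date,amount\n2024-01-05,120000\n")
    (prod / "ledger" / "feb.csv").write_text("date,amount\n2024-02-03,95000\n")
    (bak / "ledger" / "feb.csv").write_text("date,amount\n")  # stale: backup ran before rows were added
    (prod / "invoice.pdf").write_bytes(b"%PDF-1.4 constructed")  # never backed up
    try:
        return restore_test(prod, bak, sample_size=3, seed=1)
    finally:
        shutil.rmtree(root)
```

Any entry in `failures` means the backup would not have saved you; treat "not in backup" as seriously as a ransomware incident, because that is exactly when you would discover it otherwise.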
3. Train your staff — they're your weakest link
91% of cyberattacks start with a phishing email. No technical control can fully prevent a well-crafted phishing email from reaching your staff — but training can teach them to spot the signs. Run quarterly security awareness training covering:
- How to spot phishing emails (urgent language, mismatched URLs, unexpected attachments)
- Password hygiene — use a password manager (Bitwarden, 1Password) and never reuse passwords
- Safe browsing — avoid public Wi-Fi for work, use a VPN when travelling
- Social engineering — verify unusual requests (e.g., 'CEO asking for an urgent wire transfer') via a second channel
4. Patch your systems — automatically
Unpatched software is the #2 attack vector after phishing. Every piece of software you use — Windows, macOS, WordPress, your accounting software, your CMS — releases security patches regularly. Enable automatic updates wherever possible. For servers, set up a patching schedule (we recommend weekly) and stick to it.
The Equifax breach in 2017 — which exposed 147 million people's data — was caused by an unpatched Apache Struts vulnerability that had a fix available for 2 months. Don't be Equifax.
5. Use a firewall and antivirus — on every device
This sounds basic, but you'd be surprised how many Ugandan SMEs have no firewall and run Windows Defender only. At minimum:
- Hardware firewall at the office network edge (pfSense, Fortinet, Ubiquiti)
- Antivirus on every computer (Windows Defender is free and excellent; Bitdefender and ESET are good paid options)
- Endpoint Detection & Response (EDR) for any business with 20+ employees — CrowdStrike, SentinelOne, or Microsoft Defender for Business
6. Secure your website
If you have a website (and you should), it's a target. WordPress sites are particularly vulnerable — 90% of compromised websites we see are running outdated WordPress cores or plugins. The essentials:
- HTTPS everywhere — free SSL certificate via Let's Encrypt
- Automatic updates for your CMS and all plugins
- Web Application Firewall (WAF) — Cloudflare's free plan is excellent
- Regular backups — daily, stored off-site
- Strong admin passwords + MFA on the admin panel
7. Have an incident response plan
When (not if) you get breached, you need to know what to do. A simple incident response plan should answer:
- Who do you call? — your IT provider, your bank, CERT.UG (cert.ug/report), the police
- What do you do first? — isolate affected systems, preserve evidence, don't pay ransoms
- How do you communicate? — to staff, customers, regulators (Uganda's Data Protection and Privacy Act requires breach notification)
- How do you recover? — restore from backups, rebuild compromised systems, change all passwords
Their penetration test found three critical issues we had no idea about. The remediation report was so clear our in-house team could fix most of them without help.
— Sarah Nantongo, Head of Security, Insurance Group
What does this cost?
Less than you think. For a 10-person SME in Kampala, a basic security setup costs roughly UGX 1.5-3 million per month (USD 400-800), including managed antivirus, backups, patching, and 24/7 monitoring. That's less than the cost of a single ransomware incident — which averages UGX 18 million.
Need help?
Bivic Solutions offers a free 30-minute security consultation for Ugandan SMEs. We'll review your current setup, identify your top 3 risks, and give you a prioritised remediation plan. No obligation, no sales pressure — just practical advice from a team that's been securing Ugandan businesses since 2017.
