Blog
Cyber Security Checklist for Kenyan SMEs (12 Practical Steps)
- May 31, 2026
- Posted by: admin
- Category: Technology Tips
Cyber attacks on Kenyan businesses are no longer a Nairobi-only enterprise problem. Last year, the CA-K reported a sharp rise in ransomware and phishing incidents targeting SMEs, schools, churches, and NGOs in every county. The single most common pattern: a small business loses control of its email, M-PESA till, or WordPress website overnight — and only realises it when customers start asking why they were asked to send money to a strange paybill.
This is a practical 12-point checklist. No jargon, no fearmongering, and nothing that needs a Nairobi consultant to implement. Complete 10 of the 12 below and you are ahead of the vast majority of Kenyan SMEs; most of the businesses already ahead of you got there after being hit and learning the hard way.
1. Every account uses a unique, 16+ character password
If you reuse a single password across email, M-PESA business portal, Facebook, and your hosting account, the day one of those services gets breached is the day an attacker takes the others too. Use a password manager — Bitwarden (free) or 1Password (KES 400/month) — to generate and store unique 16+ character passwords for every account. Never type a password from memory again.
2. Two-factor authentication (2FA) on every critical account
2FA means your password alone is not enough to log in — the attacker also needs the 6-digit code on your phone. Enable it on:
- Email (Gmail, Outlook, Yahoo) — priority #1
- M-PESA business portal and Safaricom paybill admin
- KRA iTax
- WordPress admin (use Google Authenticator or Authy via Wordfence)
- Cloud hosting accounts (cPanel, Cloudways, AWS)
- Banking and financial accounts
- Social media admin (Facebook, Instagram, LinkedIn)
Use app-based 2FA (Authy, Google Authenticator, Microsoft Authenticator) wherever possible; SMS 2FA can be bypassed via SIM swap, which is a documented attack in Kenya. When you enrol, save the recovery/backup codes somewhere other than the phone (a printout in the office safe works), or a lost or broken phone locks you out of your own accounts.
3. Your website runs HTTPS, with no expired certificate
Open your website. If the browser shows “Not secure” in the address bar, everything customers type into it (logins, order forms, contact details) crosses the network in the clear, where it can be read or altered, and Google ranks HTTPS sites above plain HTTP. Fix it the same day. Most reputable Kenyan hosts (Truehost, Hostpinnacle, Cloudways) offer free Let’s Encrypt SSL with one click. Let’s Encrypt certificates only last 90 days, so confirm the host renews them automatically and glance at the expiry date in the browser’s padlock menu once a month; an expired certificate shows every visitor a full-page warning and most will leave.
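A small script your IT partner can run weekly to catch a certificate before it expires, added here as an example and not taken from the original post. It uses only Python’s standard library; the 14-day warning threshold is an assumption based on Let’s Encrypt renewing at 30 days remaining, and the hostnames are whatever you pass on the command line.

```python
import socket
import ssl
import sys
import time

# Let's Encrypt certificates last 90 days and the renewal job normally runs at 30 days remaining,
# so fewer days than this means auto-renewal has silently stopped (assumed threshold).
WARN_DAYS = 14


def days_remaining(cert: dict, now: float) -> float:
    """Days until notAfter, taking the dict shape that ssl.getpeercert() returns."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def assess(cert: dict, now: float) -> str:
    """'ok', 'renew-soon' or 'expired' judged by expiry alone (chain and hostname are
    verified during the handshake in fetch_cert)."""
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    if left < WARN_DAYS:
        return "renew-soon"
    return "ok"


def issuer_org(cert: dict) -> str:
    """getpeercert() gives the issuer as a tuple of RDNs, each a tuple of (name, value) pairs."""
    return dict(pair for rdn in cert.get("issuer", ()) for pair in rdn).get("organizationName", "?")


def fetch_cert(host: str, port: int = 443, timeout: float = 10) -> dict:
    """Real TLS handshake. create_default_context() verifies the chain against the system trust
    store and checks the hostname, so a self-signed, already-expired or mismatched certificate
    raises ssl.SSLCertVerificationError instead of returning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_site(host: str) -> str:
    try:
        cert = fetch_cert(host)
    except ssl.SSLCertVerificationError as exc:
        return f"{host}: BROKEN ({exc.verify_message})"  # what the browser shows as "Not secure"
    except (OSError, ssl.SSLError) as exc:
        return f"{host}: UNREACHABLE ({exc})"
    now = time.time()
    return (f"{host}: {assess(cert, now).upper()} "
            f"({days_remaining(cert, now):.0f} days left, issued by {issuer_org(cert)})")


if __name__ == "__main__":
    # usage: python check_tls.py example.co.ke shop.example.co.ke
    for site in sys.argv[1:] or ["example.com"]:
        print(check_site(site))
```

Run it from cron and have it email you when any line is not OK; the check is cheap and the alternative is finding out from a customer.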
4. Daily backups, stored outside the production server
If your site is compromised tomorrow, the only thing that can save you is a recent off-site backup. Set up automated daily backups to Google Drive or AWS S3, not just to the same server (an attacker who owns the server owns the backups), and give the backup destination its own login so that one stolen hosting password does not reach the backups too.
For WordPress: UpdraftPlus or Solid Backups, scheduled daily, retention 30 days; restore a backup to a test site at least once a quarter, because a backup nobody has ever restored is not yet a backup. For laptops: Google Drive for desktop (formerly Backup & Sync; free with Gmail/Workspace).
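What a trustworthy backup job does under the hood, as an added example rather than anything from the original post or from the plugins named above: archive the site, write a checksum beside it, prove the archive can be restored, and prune anything older than 30 days. The site files and folder names are constructed for the demo, and the upload to Google Drive or S3 is assumed to be done by your sync tool from the output folder.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

RETENTION_DAYS = 30


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_dir: Path, dest_dir: Path, when: datetime) -> Path:
    """Archive site_dir into dest_dir/site-YYYYMMDD-HHMMSS.tar.gz plus a .sha256 sidecar.
    dest_dir stands in for the off-site location; archive + sidecar are what gets uploaded."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"site-{when:%Y%m%d-%H%M%S}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=site_dir.name)
    archive.with_name(archive.name + ".sha256").write_text(sha256_of(archive))
    return archive


def verify_backup(archive: Path) -> bool:
    """Sidecar hash matches and every entry can be read (catches truncated uploads);
    refuses entries that would escape the restore folder."""
    expected = archive.with_name(archive.name + ".sha256").read_text().strip()
    if sha256_of(archive) != expected:
        return False
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar:
            if member.name.startswith("/") or ".." in Path(member.name).parts:
                return False
    return True


def restore_backup(archive: Path, target_dir: Path) -> Path:
    """Extract only after verification; uses the 'data' filter where this Python provides it."""
    if not verify_backup(archive):
        raise ValueError(f"{archive.name} failed verification; do not restore it")
    target_dir.mkdir(parents=True, exist_ok=True)
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target_dir, **opts)
    return target_dir


def prune_old(dest_dir: Path, now: datetime, keep_days: int = RETENTION_DAYS) -> list:
    """Delete archives (and their sidecars) older than keep_days, by the timestamp in the name."""
    removed = []
    for archive in sorted(dest_dir.glob("site-*.tar.gz")):
        stamp = datetime.strptime(archive.name[len("site-"):-len(".tar.gz")], "%Y%m%d-%H%M%S")
        if now - stamp > timedelta(days=keep_days):
            archive.unlink()
            archive.with_name(archive.name + ".sha256").unlink(missing_ok=True)
            removed.append(archive)
    return removed


def demo() -> dict:
    """Constructed end-to-end run on a throwaway folder standing in for a real site."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site = root / "public_html"
        (site / "wp-content").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed sample\n")
        (site / "wp-content" / "post.txt").write_text("hello from the site\n")
        backups = root / "offsite"
        today = datetime(2026, 6, 1, 2, 0, 0)
        make_backup(site, backups, today - timedelta(days=45))   # old enough to be pruned
        latest = make_backup(site, backups, today)
        restored = restore_backup(latest, root / "restore-test")
        same = ((restored / "public_html" / "wp-content" / "post.txt").read_text()
                == (site / "wp-content" / "post.txt").read_text())
        pruned = prune_old(backups, today)
        return {"verified": verify_backup(latest), "restore_matches": same,
                "pruned": [p.name for p in pruned],
                "remaining": sorted(p.name for p in backups.glob("*.tar.gz"))}


if __name__ == "__main__":
    print(demo())
```

The restore step is the point: the script refuses to restore an archive whose checksum no longer matches, which is exactly the case where a corrupted or tampered backup would otherwise be discovered at 2am.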
5. Every plugin, theme, and OS auto-updates
Most successful attacks exploit a vulnerability that was patched 3, 6, or 12 months ago — in a plugin nobody updated. Turn on automatic updates for:
- WordPress core, plugins, and themes (use the auto-updates checkbox or a managed host that handles it)
- Windows / macOS / Android / iOS: set updates to install automatically, overnight if the device is left on
- Browser auto-update (Chrome, Edge, Firefox) — default on, do not disable
- Antivirus / endpoint protection definitions
Yes, an update occasionally breaks something. The cost of dealing with a broken plugin once a year is trivial compared to a ransomware incident.
6. Disable XML-RPC and limit login attempts on your website
If you run WordPress, two of the most common attack vectors are XML-RPC (an old remote API that lets a single request try hundreds of passwords, and that almost nothing needs today; the Jetpack plugin and the WordPress mobile app are the main exceptions) and brute-force login attempts. Install Wordfence (free) and enable:
- Brute force protection (lock out after 5 failed attempts for 60 minutes)
- XML-RPC disabled (Wordfence option)
- 2FA enforced for administrators
- Block known-breached passwords
- Block author scan (requests like /?author=1, which reveal the admin username so it can then be brute-forced)
These five settings stop the bulk of automated WordPress attacks, which are bots trying the same few tricks on every site they can find.
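How those three attacks look in your web server’s access log, and a detector for them, added here as an example and not from the original post or from Wordfence. The log lines are constructed (documentation IP ranges) in the standard combined format; the detection rule relies on a real WordPress behaviour, which is that a failed login to wp-login.php is answered with HTTP 200 (the form again) and a successful one with a 302 redirect to wp-admin. The lockout threshold of 5 mirrors the Wordfence setting above.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Constructed sample in Apache/Nginx "combined" log format; not a real server's log.
SAMPLE_LOG = """\
203.0.113.7 - - [31/May/2026:01:12:01 +0300] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [31/May/2026:01:12:02 +0300] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [31/May/2026:01:12:02 +0300] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [31/May/2026:01:12:03 +0300] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [31/May/2026:01:12:03 +0300] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [31/May/2026:01:12:04 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.22 - - [31/May/2026:01:15:10 +0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.22 - - [31/May/2026:01:15:10 +0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.22 - - [31/May/2026:01:15:11 +0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.50 - - [31/May/2026:01:20:00 +0300] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.4"
192.0.2.50 - - [31/May/2026:01:20:01 +0300] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.4"
192.0.2.50 - - [31/May/2026:01:20:01 +0300] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/8.4"
192.0.2.200 - - [31/May/2026:08:02:11 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.co.ke/wp-login.php" "Mozilla/5.0"
192.0.2.200 - - [31/May/2026:08:02:12 +0300] "GET /wp-admin/ HTTP/1.1" 200 51230 "https://example.co.ke/wp-login.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def analyse(log_text: str, threshold: int = 5) -> dict:
    """Flag brute force on wp-login.php, POSTs to xmlrpc.php and ?author=N username scans."""
    failed = Counter()
    later_success = set()
    xmlrpc_posts = Counter()
    author_ids = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format instead of aborting the whole file
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path, _, query = m["target"].partition("?")
        if method == "POST" and path == "/wp-login.php":
            if status == 200:
                failed[ip] += 1                      # form re-rendered: login failed
            elif status == 302 and failed[ip] >= threshold:
                later_success.add(ip)                # guessing worked: treat as a compromise
        elif method == "POST" and path == "/xmlrpc.php":
            xmlrpc_posts[ip] += 1                    # should be 403s once XML-RPC is disabled
        elif method == "GET" and "author" in parse_qs(query):
            for value in parse_qs(query)["author"]:
                if value.isdigit():
                    author_ids[ip].append(int(value))
    brute_force = {ip: {"failed": n, "later_succeeded": ip in later_success}
                   for ip, n in failed.items() if n >= threshold}
    author_scans = {ip: ids for ip, ids in author_ids.items() if len(ids) >= 2}
    offenders = set(brute_force) | set(xmlrpc_posts) | set(author_scans)
    return {"brute_force": brute_force, "xmlrpc_posts": dict(xmlrpc_posts),
            "author_scans": author_scans, "block": sorted(offenders)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The "later_succeeded" flag is the one to act on first: five failures followed by a redirect means the password was guessed, and the account needs its password changed and its sessions ended, not just the IP blocked.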
7. Your staff cannot install random software on work computers
Most malware enters a business via a staff member installing “free” software, a pirated tool, or a browser extension. On Windows, set user accounts to Standard (not Administrator) — staff can use the computer but cannot install software without an admin password. Same on macOS.
The owner / IT manager keeps an admin account separately for installs. Friction beats infection.
8. Train your team to recognise phishing
Most Kenyan business breaches start with a convincing email or WhatsApp pretending to be KRA, KPLC, M-PESA, your bank, or your CEO asking for a quick payment. Spend 30 minutes once a quarter with your staff covering:
- Never click links in unexpected emails — type the URL yourself
- Never send M-PESA based on instructions in an email without a verbal phone confirmation
- Look for misspelled domains: safarcom.co.ke, kra-tax.com, m-pessa.com (the real ones are safaricom.co.ke and kra.go.ke; check the domain after the @ in the actual sender address, not the friendly display name)
- If a sender pressures urgency or secrecy, that is the red flag itself
- When in doubt, forward the message to the IT lead or owner BEFORE acting
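The lookalike-domain check from the list above, written out as an added example (not from the original post) so an IT lead can run it over a suspicious From: header or wire it into a mail filter. The allowlist of genuine sending domains and the brand words are assumptions to confirm with each organisation; the sample headers are constructed.

```python
from email.utils import parseaddr

# Assumed allowlist of domains these organisations really send from; confirm before relying on it.
LEGITIMATE = {"safaricom.co.ke", "kra.go.ke", "kplc.co.ke"}
BRANDS = {"safaricom", "mpesa", "kra", "kplc"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one insertion, deletion or substitution counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def tokens(domain: str) -> set:
    """Each label as-is and with hyphens removed, so 'm-pessa' yields 'm', 'pessa' and 'mpessa'."""
    out = set()
    for label in domain.split("."):
        out.add(label.replace("-", ""))
        out.update(label.split("-"))
    out.discard("")
    return out


def resembles_brand(domain: str) -> bool:
    """A label equal to a brand, or one edit away from it (short labels must match exactly)."""
    for tok in tokens(domain):
        for brand in BRANDS:
            if tok == brand or (len(tok) >= 4 and levenshtein(tok, brand) <= 1):
                return True
    return False


def classify(from_header: str) -> str:
    """'trusted' | 'lookalike' | 'impersonation' | 'unknown' for a From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "unknown"
    if domain in LEGITIMATE:
        return "trusted"
    if resembles_brand(domain):
        return "lookalike"            # kra-tax.com, safarcom.co.ke, m-pessa.com
    squashed = name.lower().replace(" ", "").replace("-", "")
    if any(brand in squashed for brand in BRANDS):
        return "impersonation"        # brand in the display name, ordinary webmail behind it
    return "unknown"


if __name__ == "__main__":
    # Constructed headers for the demo, not real messages.
    for header in ["KRA iTax <noreply@kra-tax.com>",
                   "Safaricom <alerts@safarcom.co.ke>",
                   "M-PESA <pay@m-pessa.com>",
                   "Safaricom Care <safaricomcare99@gmail.com>",
                   "noreply@safaricom.co.ke",
                   "Jane <jane@example.co.ke>"]:
        print(f"{classify(header):14} {header}")
```

Anything other than "trusted" gets the rule from the list above: no payment, no link click, phone the organisation on a number you already have. "unknown" is not "safe"; it only means the domain does not resemble a brand you listed.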
9. Encrypt every business laptop
If a laptop is lost on a matatu or stolen from your office, full-disk encryption means the data is unreadable without the password. On Windows Pro use BitLocker (Windows Home offers the simpler Device Encryption on supported hardware); on macOS use FileVault. Both are free and built-in. Save the recovery key somewhere other than the laptop itself (your Microsoft or Apple account, or a printout in the office safe): without it, a forgotten password means the data is gone for good, which is the encryption doing its job.
Cost of encryption: 30 minutes of setup per device. Cost of unencrypted-laptop data breach: legal exposure under the Kenya Data Protection Act, plus customer trust loss that takes years to repair.
10. Lock down your Wi-Fi properly
Default router settings (the “admin / admin” login, the Wi-Fi key printed on the sticker) are public knowledge or written on the box. Change:
- The router admin password (not the Wi-Fi password — the admin login)
- The default Wi-Fi password to a 16+ character one
- Encryption to WPA3, or WPA2 (AES) if your router cannot do WPA3 (never WEP, never open)
- Separate guest network for customers; your business devices live on the main network
- Disable WPS: its 8-digit PIN can be guessed in a few hours, which hands over the Wi-Fi password. While you are in the admin page, install any pending firmware update and switch off remote management from the internet.
11. Have an incident response plan, even a simple one
When something goes wrong, panic costs more than the breach. Write a one-page incident plan that lives in your phone:
- Who decides (the owner)
- Who you call first (your IT partner or Mkufunzi support)
- How to disconnect compromised devices from the network
- How to change M-PESA and bank passwords from a clean device
- Who to notify (CA-K, your customers, your bank, the police)
- Where backups live and who can restore them
An ugly plan you can follow at 2am beats a polished plan filed somewhere you cannot reach.
12. Cyber insurance is now affordable enough to consider
Several Kenyan insurers (Britam, Jubilee, Old Mutual, AIG) now offer SME cyber insurance from KES 25,000–60,000/year. It typically covers data recovery, customer notification costs, regulatory fines, and sometimes ransomware ransom (although paying ransom is rarely advised). Worth quoting if you handle customer payment data, health records, or large transaction volumes.
Score yourself
- 11–12 / 12: you take security seriously. Quarterly review and you are in great shape.
- 8–10 / 12: solid. Fix the gaps within 30 days.
- 5–7 / 12: you are exposed. Schedule a security audit this week.
- Under 5 / 12: you are one phishing email away from a serious incident. Treat this as urgent.
Get a free ICT security assessment
Mkufunzi ICT Solutions runs a free 1-hour security assessment for Kenyan SMEs — we walk this checklist with you, identify the top 3 gaps, and quote any fixes. Bungoma, Nairobi, Kisumu, Eldoret, Kakamega in person; nationwide remote.
Cybersecurity FAQ
What is the most common cyber attack on Kenyan businesses?
Phishing emails impersonating KRA, KPLC, M-PESA, or a CEO requesting urgent payment. The second most common is credential-stuffing attacks on WordPress and email accounts using passwords leaked from other breaches.
Is SMS 2FA safe?
Better than no 2FA, but vulnerable to SIM swap attacks which have occurred in Kenya. Wherever possible use app-based 2FA (Google Authenticator, Authy, Microsoft Authenticator) or hardware keys.
If my website is hacked, what should I do first?
1) From a clean device, change every credential, not just WordPress admin: hosting/cPanel, FTP/SFTP, the database password in wp-config.php, and any API keys. 2) Take the site offline (maintenance mode) so visitors are not served malware. 3) Before restoring, keep a copy of the compromised files and the server logs; they show how the attacker got in. 4) Restore from a clean off-site backup taken before the compromise. 5) Run Wordfence and a malware scan on the restored site and close the entry point (usually an outdated plugin or a guessed password); skip this and the attacker simply comes back. 6) Notify customers if personal data was exposed. Call your IT partner immediately; do not improvise.
Do small businesses really get targeted?
Yes. Automated attack bots scan the entire internet looking for unpatched WordPress sites, weak SSH passwords, and exposed databases. They do not care if you are a 3-person SME or a multinational — only that you are vulnerable.
How much should a small business spend on cybersecurity?
The bare-minimum stack for a Kenyan SME (password manager subscription, Wordfence free, Authy, basic cyber insurance) is under KES 6,000/month and prevents the vast majority of attacks. A serious managed IT security retainer ranges from KES 15,000 to KES 80,000/month depending on staff size and complexity.
Should I pay a ransomware demand?
Almost never. Payment does not guarantee data return, marks you as a paying target, and often funds further criminal activity. The right answer is robust backups so you can refuse, and notification to Communications Authority of Kenya (CA-K) and the National KE-CIRT/CC.
Related: ICT Support & Managed IT services | Best Business Laptops in Kenya | Get a Free Security Assessment