For SME boards, owners, and managers
Why Cyber Protection Is a Business Issue, Not an IT Issue
Cyber crime is not just a problem for banks and big tech. For a small business in Africa — a school, clinic, SACCO, law firm, or supplier — one fake invoice or one stolen password can cost months of revenue and hard-won trust.
Plain language
What "cyber protection" actually means for your business
Protect your money
Stop fake invoices, wrong payment details, and staff falling for scams that move cash out of your account.
Protect your reputation
Avoid the WhatsApp message or email that looks like it came from you and damages customer trust.
Protect your records
Keep customer, student, patient, and staff data safe from loss, leaks, or ransomware.
Prove you are protected
Show insurers, donors, procurement teams, and partners that you take protection seriously.
Real threats
The risks African SMEs actually face
The fake supplier invoice
An email that looks exactly like your supplier asks you to pay into a new mobile-money account or bank account. The money clears, and the real supplier never received it.
School fee fraud
Parents receive a message on WhatsApp with a forged school letterhead and a "new" payment number. Fees are sent to a fraudster while the school has no record of the payment.
The compromised WhatsApp Business
An employee clicks a link on their business phone. Within hours, your contacts are being asked for deposits, invoices, or sensitive files in your name.
The law
What Data Protection Act, 2019 means in plain language
Data Protection Act, 2019 applies to any business that collects personal information — customer names, phone numbers, ID numbers, staff records, or parent contacts. Here is what it boils down to:
- You must collect only the personal information you actually need.
- You must tell people what you are doing with their data, in clear language.
- You must keep that information safe from loss, leaks, and unauthorised access.
- You must not keep data forever; delete it when you no longer need it.
- If something goes wrong, you may need to report it to the regulator and to the people affected.
What is at stake
What happens if you can't prove you're protected
Lost tenders
Buyers, partners, and donors increasingly ask for proof of data and security controls. Without it, your bid can be disqualified before price is even discussed.
Insurance issues
Insurers may refuse cyber cover, impose higher premiums, or reject claims if your business cannot show basic controls were in place.
ODPC penalties
Office of the Data Protection Commissioner can investigate complaints and impose fines for failing to protect personal data.
Coverage
Built for African businesses — live in Kenya and 5 more markets
The Business Protection Check works the same way across every country we serve. The questions are about how your business handles money, accounts, staff, and data — not about any one country's regulator. Verification of payment details, emails, and suppliers varies by country because the underlying networks differ.
Nigeria
NGN · Nigeria Data Protection Act, 2023
South Africa
ZAR · Protection of Personal Information Act
Ghana
GHS · Data Protection Act, 2012
Uganda
UGX · Data Protection and Privacy Act, 2019
Tanzania
TZS · Personal Data Protection Act, 2022
The fix
How the Business Protection Check helps
The Codec8 Business Protection Check is a free, 3–5 minute assessment designed for busy SME owners and managers. It:
- Asks plain questions about how your business handles accounts, payments, backups, and staff access.
- Maps your answers to recognised standards like Kenya's Data Protection Act, 2019, CIS Controls, and CIS Controls.
- Gives you a clear Business Protection Score, your top five gaps, and a 30-day fix plan you can act on immediately.
- Produces a shareable report you can show partners, insurers, and procurement teams.