Finding out your business has been breached is one of the worst feelings a business owner ever has. Customer data exposed. Systems locked. No idea how deep the damage goes.
If that is where you are right now, take a breath. You can recover.
The average cost of a data breach in South Africa is nearly R49 million, according to IBM's most recent research. The majority of that figure comes from poorly managed responses, not the breach itself. What you do in the first hours and days decides whether this is a six-figure problem or a seven-figure one.
Here is the playbook, in order.
The first 24 hours: contain the damage
Do not try to fix everything at once. Focus on stopping the bleeding.
Do not turn off or wipe any affected systems. This is the most common mistake businesses make. Shutting down or reformatting destroys the forensic evidence that you and any investigators will need to understand what really happened. Leave the devices powered on. Disconnect them from the network instead.
Disconnect affected devices from the network. Unplug the ethernet cables. Disable Wi-Fi on any device you suspect is compromised. This stops the attacker from spreading sideways into the systems they have not reached yet. If you are not sure which devices are affected, start with the ones showing symptoms and work outwards.
Change critical passwords immediately. Start with your email admin accounts, banking credentials, and any cloud platform admin accounts (Microsoft 365, Google Workspace). Use a clean device to do this, not one that may be compromised. Enable two-factor authentication on these accounts if it is not already active. For a step-by-step walkthrough, see our 2FA setup guide.
Document everything. Photograph ransom messages, error screens, and suspicious emails using your phone. Write down the exact time you first noticed the problem, the symptoms, and which devices or accounts are affected. This timeline will be essential for your forensic investigators and for your POPIA notification.
Contact a cybersecurity incident response team. If you do not have internal security expertise, you need external help. The longer you wait, the more it costs. Ubuntu Guard provides incident response across Durban and the rest of South Africa. Remote triage usually begins within hours of first contact.
Days 2 to 7: investigate and understand
Once the immediate bleeding is contained, you need to understand what happened.
Determine the scope. What data was accessed or stolen? Customer personal information. Financial records. Employee data. Intellectual property. Maybe all of it. The scope determines your legal obligations, your notification requirements, and your recovery path.
Identify the entry point. How did the attacker get in? The usual suspects in South Africa are a phishing email someone clicked, a compromised password that was reused and had no 2FA, an unpatched system, or a weak remote access setup. Until you know how they got in, you cannot stop them coming back.
Check for ongoing access. Attackers create backdoors. New user accounts you did not create. Scheduled tasks or scripts that should not be there. Remote access tools your team did not install. Email forwarding rules that quietly copy your inbox to an outside address. All of these survive a password reset. They have to be found and removed.
Preserve evidence. If you may involve SAPS or file an insurance claim, do not clean or reformat affected systems until forensic analysis is complete or you have been advised in writing that evidence has been collected.
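Here is what the "check for ongoing access" step looks like in practice. The Python script below is an added example for this guide, not Ubuntu Guard's own tooling or a product feature. It assumes you have already exported the user accounts, scheduled tasks, installed programs and mailbox rules from the affected environment into the lists at the top (the sample entries, the incident start time, the company domain example.co.za, the approved-software list and the program name QuickRemoteDesk are all constructed for illustration). It flags anything created after the incident start time from your written timeline, any task that launches an encoded PowerShell command, any program that is not on your asset register, and any inbox rule that forwards mail outside your own domains.

```python
"""Triage helper for the "check for ongoing access" step.

Added example; this is not Ubuntu Guard's tooling. It assumes you have
already exported inventories from the affected environment into plain
Python lists; the sample data below is constructed for illustration.
Anything created after the incident start, any task running an encoded
PowerShell command, any installed program that is not on the approved
list, and any inbox rule forwarding outside the company's own domains is
reported for human review. None of these are cleared by a password reset.
"""
from datetime import datetime, timezone

# Taken from the written timeline (constructed value).
INCIDENT_START = datetime(2026, 3, 14, 8, 30, tzinfo=timezone.utc)
COMPANY_DOMAINS = {"example.co.za"}  # assumption: the business's own mail domains
APPROVED_SOFTWARE = {"Microsoft Office", "Sage Accounting", "7-Zip"}  # assumption: asset register
ENCODED_PS_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}

# Constructed sample inventories.
ACCOUNTS = [
    {"name": "thandi", "created": "2024-06-01T09:00:00Z"},
    {"name": "svc_backup", "created": "2025-11-20T14:12:00Z"},
    {"name": "helpdesk2", "created": "2026-03-14T11:47:00Z"},  # appeared after the incident began
]
TASKS = [
    {"name": "NightlyBackup", "command": r"C:\Backup\run.exe", "created": "2025-11-20T14:20:00Z"},
    {"name": "UpdateCheck", "command": "powershell -enc aGVsbG8=", "created": "2026-03-14T12:02:00Z"},
]
INSTALLED_SOFTWARE = ["Microsoft Office", "7-Zip", "QuickRemoteDesk"]  # QuickRemoteDesk is a made-up name
INBOX_RULES = [
    {"mailbox": "finance@example.co.za", "name": "Move newsletters", "forward_to": []},
    {"mailbox": "finance@example.co.za", "name": "Archive copy", "forward_to": ["mail.archive@example.net"]},
    {"mailbox": "ceo@example.co.za", "name": "Copy to PA", "forward_to": ["pa@example.co.za"]},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2026-03-14T11:47:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_new_accounts(accounts, since=INCIDENT_START):
    """Accounts created at or after the incident start."""
    return [a["name"] for a in accounts if parse_ts(a["created"]) >= since]


def find_suspicious_tasks(tasks, since=INCIDENT_START):
    """Tasks created after the incident or running an encoded PowerShell command."""
    flagged = []
    for task in tasks:
        reasons = []
        if parse_ts(task["created"]) >= since:
            reasons.append("created after incident start")
        if any(tok.lower() in ENCODED_PS_FLAGS for tok in task["command"].split()):
            reasons.append("encoded PowerShell command")
        if reasons:
            flagged.append((task["name"], reasons))
    return flagged


def find_unapproved_software(installed, approved=APPROVED_SOFTWARE):
    """Installed programs not on the approved list (possible remote access tools)."""
    return [name for name in installed if name not in approved]


def find_external_forwarding(rules, company_domains=COMPANY_DOMAINS):
    """Inbox rules that forward mail to an address outside the company's domains."""
    flagged = []
    for rule in rules:
        for target in rule["forward_to"]:
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in company_domains:
                flagged.append((rule["mailbox"], rule["name"], target))
    return flagged


def triage_report(accounts=ACCOUNTS, tasks=TASKS, installed=INSTALLED_SOFTWARE, rules=INBOX_RULES):
    """Collect every finding into one dictionary for the investigators' notes."""
    return {
        "new_accounts": find_new_accounts(accounts),
        "suspicious_tasks": find_suspicious_tasks(tasks),
        "unapproved_software": find_unapproved_software(installed),
        "external_forwarding": find_external_forwarding(rules),
    }


if __name__ == "__main__":
    for section, findings in triage_report().items():
        print(f"== {section} ==")
        for finding in findings:
            print("  ", finding)
```

Run it with python3 and paste the findings into your incident notes. Every item it lists still needs a person to confirm it before anything is removed: a genuine new hire or a legitimate archive rule shows up exactly the same way as an attacker's backdoor.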
Your POPIA obligations
If personal information was compromised, you have a legal obligation to report. This is not optional.
Who you must notify. The Information Regulator and every individual whose personal information was affected. Since April 2025, notifications to the Regulator must be submitted through their online eServices Portal.
When you must notify. POPIA requires notification "as soon as reasonably possible" after the breach has been discovered. There is no specific hour or day deadline in the Act. In practice, aim for within 72 hours of confirming personal information was compromised. If it takes longer than that, you should be able to justify the delay.
What the notification must include. The nature of the breach. The categories of personal information affected. The estimated number of individuals affected. The measures you have taken or plan to take. Recommendations for individuals to protect themselves.
Penalties for non-compliance. Up to R10 million in administrative fines, or up to 10 years imprisonment for serious offences. The reputational damage when an undisclosed breach later becomes public is usually worse than the fine. For a plain-language walkthrough, see our POPIA breach notification guide.
Weeks 2 to 4: recovery and rebuilding
Restore from clean backups. If you have recent, uncompromised backups, this is your fastest path back. Test the backup before restoring so you do not reinfect the network. With ransomware specifically, the malware has to be fully eradicated before restored data goes anywhere near production.
Patch and update everything. Before bringing systems online, every operating system, application, and piece of firmware needs the latest security updates. If a known vulnerability was the entry point, this is when you close it permanently.
Reset all credentials. Not just the ones you changed in the first 24 hours. Every user. Every account. Enforce strong, unique passwords and require 2FA on all business-critical accounts.
Communicate with affected parties. Beyond the legal notification, think carefully about how you communicate with customers and partners. Be transparent. Tell them what happened, what you are doing, and what they should do. Honesty builds trust. Hiding a breach destroys it.
Month 2 and beyond: harden your defences
A breach is a painful teacher. The lesson is worth the price only if you learn from it. Most businesses that suffer a breach and do not improve their defences get hit again inside 12 months.
Get a professional security assessment. A cybersecurity assessment finds the gaps that are still open in your network, devices, and policies. Think of it as the post-breach health check.
Train your staff. If the breach started with a phishing email or a weak password, your people are part of the solution. Cyber awareness training turns the team from your biggest vulnerability into your strongest defence.
Implement monitoring. Alerts for unusual login activity, failed access attempts, and changes to critical files. You do not need enterprise software for this. Microsoft 365 and Google Workspace both have built-in alerting that just needs to be turned on.
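To show what those three alerts actually check, here is a small Python detector, added as an example for this guide rather than taken from Microsoft 365, Google Workspace or Ubuntu Guard's own systems. It works on constructed log lines in a simple text format (the usernames, countries, file paths, thresholds and the sample log itself are all assumptions). A real deployment would read the platform's audit export instead, but the three rules are the same: a burst of failed logins for one account, a successful login from a country that account has never used before, and a change to a critical file by someone not allowed to make it.

```python
"""Minimal monitoring rules for the three alert types mentioned above:
unusual login activity, failed access attempts, and changes to critical
files. Added example, not Ubuntu Guard's or any vendor's product. It reads
constructed log lines in a simple space-separated format; real platforms
export JSON or CSV, so parse_line() is the part you would adapt.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5                   # failures per user ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... inside this window
# Assumed baselines: countries each user normally signs in from, the
# files that matter most, and who is allowed to change them.
KNOWN_COUNTRIES = {"thandi": {"ZA"}, "sipho": {"ZA"}}
CRITICAL_PATHS = {"/srv/finance/payroll.xlsx", "/etc/passwd"}
FILE_CHANGE_ALLOWED = {"sysadmin"}

# Constructed sample log: a password-guessing burst, a sign-in from an
# unfamiliar country, then a critical file touched by that same account.
SAMPLE_LOG = """\
2026-03-14T02:11:05Z login fail user=thandi country=ZA
2026-03-14T02:11:09Z login fail user=thandi country=ZA
2026-03-14T02:11:14Z login fail user=thandi country=ZA
2026-03-14T02:11:20Z login fail user=thandi country=ZA
2026-03-14T02:11:27Z login fail user=thandi country=ZA
2026-03-14T02:12:01Z login ok user=thandi country=NL
2026-03-14T02:15:40Z filechange path=/srv/finance/payroll.xlsx user=thandi
2026-03-14T08:45:00Z login ok user=sipho country=ZA
2026-03-14T09:00:00Z filechange path=/srv/finance/payroll.xlsx user=sysadmin
"""


def parse_line(line):
    """Turn one log line into a dict: ts, kind, (status for logins) and key=value fields."""
    parts = line.split()
    event = {"ts": datetime.fromisoformat(parts[0].replace("Z", "+00:00")), "kind": parts[1]}
    rest = parts[2:]
    if event["kind"] == "login":
        event["status"] = rest[0]
        rest = rest[1:]
    for field in rest:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(log_text):
    """Return a list of (alert_type, user, detail) tuples for the log text."""
    alerts = []
    recent_failures = defaultdict(deque)  # per-user timestamps of recent failed logins
    burst_reported = set()                # alert once per user, not on every further failure
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["kind"] == "login":
            user = ev["user"]
            if ev["status"] == "fail":
                window = recent_failures[user]
                window.append(ev["ts"])
                # Drop failures older than the sliding window.
                while window and ev["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                    window.popleft()
                if len(window) >= FAILED_LOGIN_THRESHOLD and user not in burst_reported:
                    alerts.append(("failed_login_burst", user, ev["ts"].isoformat()))
                    burst_reported.add(user)
            elif ev["country"] not in KNOWN_COUNTRIES.get(user, set()):
                alerts.append(("login_new_country", user, ev["country"]))
        elif ev["kind"] == "filechange":
            if ev["path"] in CRITICAL_PATHS and ev["user"] not in FILE_CHANGE_ALLOWED:
                alerts.append(("critical_file_change", ev["user"], ev["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Three alerts come out of the sample log, all for the same account, which is the pattern worth acting on: guessing, then a foreign sign-in, then a sensitive file. The sysadmin's change to the same file and sipho's normal sign-in produce nothing, which is what keeps the alerts readable enough that someone actually looks at them.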
Create an incident response plan. Document what you learned from this breach. Assign roles. Write the procedure. The next incident is not a question of if, it is when. Your team needs to know what to do in the first hour without a meeting.
Review your backup strategy. Implement the 3-2-1 rule. Three copies of your data, on two different types of storage, with one copy offsite or in the cloud. Test the backups every quarter. A backup that has never been restored is not a backup, it is a hope.
If you are in a breach right now
Do not try to handle it alone. Ubuntu Guard provides fast incident response for businesses in Durban and across South Africa. Call 079 159 5040 or reach us at [email protected]. The sooner you act, the less it costs. Every hour an attacker has access is another hour of additional damage.
Sources
- IBM Security: Cost of a Data Breach Report (Published: 2025)
- Information Regulator South Africa: POPIA Section 22 Breach Notification Guidance and eServices Portal (Published: 2024-2026)
- South African Government: Protection of Personal Information Act 4 of 2013 (Published: 2013)
- SABRIC: 2025 Annual Crime Statistics (Published: 2026)
© 2026 Ubuntu Guard Cybersecurity | Durban, South Africa
ubuntuguard.co.za