Backups and endpoint protection: the boring controls that keep businesses open

Business continuity is often discussed as if it is one product. It is not. For an SME, continuity usually depends on a mix of power, internet, laptops, Microsoft 365, backups, endpoint protection, supplier response, and staff knowing what to do.

South African businesses understand this better than most. Even when electricity supply improves, infrastructure risk does not disappear. Connectivity fails. Devices age. Staff work remotely. Cloud accounts get targeted. A server, laptop, or mailbox can still become the weak point.

The useful question is simple: if this system is unavailable tomorrow morning, what happens to the business?

Many businesses have backups. Fewer have tested recovery.

That distinction matters. A backup dashboard can show green ticks while nobody knows whether the accounts data, SharePoint files, email, or server workload can be restored in the time the business needs.

A proper backup conversation should define what is protected, how often it is protected, how long it is retained, who can restore it, and how long recovery should take. Without those answers, the business is hoping.

Traditional antivirus still has a place, but the operating model matters more than the label. If protection is installed and then ignored, the business may not know when a device is out of date, disconnected, infected, or missing protection entirely.

Managed endpoint protection gives better visibility. It should show which devices are covered, which need attention, which users are affected, and whether threats were blocked or still require action.

This is especially important in small businesses where one laptop may hold accounting access, client files, email, and saved browser sessions. A single unmanaged device can create a bigger incident than expected.

The 2025 INTERPOL Africa Cyberthreat Assessment identifies ransomware and business email compromise as major threats across the continent, with South Africa among the countries most affected. Microsoft also reported that extortion and ransomware drove more than half of cyberattacks with known motives in its 2025 Digital Defense Report.

That does not mean an SME should panic. It does mean recovery has to be part of the security plan.

If files are encrypted, mailboxes are compromised, or a device needs to be rebuilt, the business needs a tested path back to work. Security reduces the chance of an incident. Backups and recovery reduce the damage if one happens.

A small business does not need an enterprise disaster recovery manual that nobody reads. It needs a practical plan.

The plan should say who contacts IT support, who can approve emergency spend, which systems must come back first, where emergency contacts are stored, and how staff will work if the office internet or a core device is unavailable.

This plan should be short enough that management can actually use it during a bad morning.

The controls that protect SMEs are rarely exciting. MFA, endpoint protection, patching, tested backups, access reviews, and documented support processes do most of the work.

They also fit the current South African climate. Businesses need reliability without waste. They need predictable support costs. They need systems that keep running when staff are busy, clients are waiting, and margins are tight.

If you are not sure where to start, start with backup recovery, endpoint visibility, and Microsoft 365 access. Those three areas usually tell you very quickly whether the environment is under control.