Editor's Note

Over the past three issues we have covered POPIA's technical requirements, the threat of social engineering, and the specific obligations that landed on financial services businesses in June last year. The thread running through all of them is the same: most South African businesses are more exposed than they realise, and the gap is rarely where they expect it to be.

This issue is about the most common misconception we encounter when speaking to SME owners. It is not about a specific regulation or threat. It is about a fundamental misunderstanding of what the company managing your computers is, and is not, responsible for.

Your IT Company Is NOT Your Security Company

The Assumption Almost Every SME Makes

Ask most small business owners whether they have cybersecurity in place, and the answer is yes. They have an IT provider. Someone manages their computers, sorts out their network when it goes down, installs new machines, and makes sure the office printer works.

That arrangement gives business owners a reasonable sense of confidence. And for the day-to-day running of technology, it should. But it does not mean the business is secure, and the difference between those two things is significant.

IT support and cybersecurity are not the same function. Conflating them is one of the most consistent and costly mistakes South African SMEs make.

What IT Support Actually Covers

A managed IT services provider keeps your technology running. Their mandate is operational: devices are set up, software is installed, connectivity is maintained, and problems are resolved when they arise. The best ones are responsive, reliable, and genuinely valuable to the businesses they serve.

What they are typically not doing, unless it has been explicitly contracted and scoped, is monitoring your environment for threats, assessing your vulnerabilities, testing whether your defences hold up under attack, or producing documentation that satisfies a regulator's definition of reasonable security measures.

South African small businesses experienced an estimated 577 cyber attack attempts every hour in 2025, with reported losses of up to R2.2 billion annually. The businesses absorbing those losses were not all unprotected. Many had IT providers. What they lacked was a security function operating independently of the people keeping their systems running.

The Gap Nobody Talks About

There is a structural reason this confusion exists. IT support is reactive by nature: something breaks, someone fixes it. Cybersecurity is proactive by nature: it looks for problems before they become incidents. These are different mindsets, different skill sets, and in most cases different businesses entirely.

Many SMEs lack time to maintain policies, patch cycles, and security reviews. The assumption is that these things happen as a byproduct of having IT support, but without explicit scope and accountability, they do not happen on schedule. They happen when there is time, which means they often do not happen at all.

The practical consequence is that most SMEs have a significant blind spot between what their IT provider covers and what POPIA requires them to have in place. An IT provider who sets up your network and manages your devices is not, by default, conducting vulnerability assessments, running phishing simulations on your staff, monitoring the dark web for your credentials, or producing the kind of documented security posture that holds up under regulatory scrutiny.

What POPIA Expects

Section 19 of POPIA requires responsible parties to take appropriate technical and organisational measures to prevent loss, damage, or unauthorised access to personal information. The word "appropriate" is deliberate. It means proportionate to the risk, and documented well enough that you can demonstrate it.

A working network and up-to-date antivirus software do not satisfy that standard on their own. What satisfies that standard is a structured programme: regular vulnerability assessments, documented findings, evidence of remediation, staff training records, and a tested incident response plan. These are security functions. They sit outside the typical scope of IT support, and the responsibility for ensuring they exist sits with the business owner, not the IT provider.

The Practical Test

Here is a simple way to assess whether the gap exists in your business. Ask your IT provider for the following:

A report showing which of your systems have known vulnerabilities and what their risk rating is. A record of when your staff last completed phishing awareness training and how they performed. Documentation of what would happen, step by step, in the first 24 hours after a breach was detected.

If those documents exist and are current, you are in better shape than most. If they do not, you have IT support. You do not have security.

The Bottom Line

In 2026, business leaders can no longer view cybersecurity as an IT function alone; it is a business-critical priority. The businesses that understand this distinction are not the ones making headlines for the wrong reasons. Your IT provider keeps the lights on. A security partner makes sure the doors are locked. Both matter. Only one is optional.

Aigeus Cyber Briefing