Why your SME is a target in 2026
You think hackers go after Orange or Sonatel? Wrong. Cybercriminals automate attacks on thousands of small companies at once. A Senegalese SME with a poorly patched WordPress site = 15 minutes to take over, encrypt your files and demand 2 to 5 million FCFA in ransom. The worst: 84% of affected SMEs close within 18 months.
TL;DR :
- 10 free measures cut 80% of a Dakar SME's cyber risk.
- Absolute priority: 2FA everywhere, offline backups, unique passwords.
- Law 2008-12 requires you to report any personal data breach to the CDP within 72h.
The numbers in 2026
- Senegal ANSSI (2025 report): +43% cyber incidents reported by SMEs in 12 months.
- INTERPOL CBIT West Africa: Senegal is the 3rd most targeted West African country after Nigeria and Ghana.
- Phishing: 67% of successful attacks start with a trapped email (ANSSI SN 2025).
- Ransomware: average ransom demand on a Dakar SME = 3.2 million FCFA (Kolonell + Dakar IT partners data, 2025).
- Law 2008-12 on personal data protection: fine up to 100 million FCFA for unreported breach to the CDP (Personal Data Commission).
- Legal deadline: 72h to notify any data breach to the CDP.
The 3-step process
Step 1 — Quick audit (⏱ 2h)
- List all accounts: work emails, Google Workspace, hosting, Facebook Ads, Wave Business, online banking, CRM.
- Write down who has access to what (including ex-employees!).
- Check if 2FA is enabled on each.
Concrete example: *Fatou Diouf*, owner of a fashion store in Sacre-Coeur, discovered that her ex-graphic designer still had Facebook Ads Manager access 8 months after leaving. 400K FCFA budget siphoned in 72h.
Step 2 — Implement the 10 measures (⏱ 1 day)
See the section below: the 10 free measures.
Step 3 — Monthly routine (⏱ 30 min/month)
- Access review (who left? cut access).
- Backup restoration test.
- WordPress, plugin, OS updates.
The 10 zero-cost measures
1. 2FA everywhere (Google Authenticator, free)
Work email, Facebook Business, Wave Business, banking: 2FA mandatory. Blocks 99% of stolen-password attacks.
2. Unique passwords via Bitwarden (free)
One reused password = entire company compromised in a single leak. Bitwarden free tier is enough.
3. 3-2-1 backups
3 copies, 2 supports, 1 offline. Google Drive + external disk + monthly encrypted USB export = free.
4. Weekly WordPress + plugin updates
60% of WordPress hacks come from unpatched plugins. Enable auto-updates.
5. Deactivate ex-employee accounts immediately
On departure day, not a week later. Email, Slack, WhatsApp Business, Facebook Business Manager.
6. Phishing email: 3-check rule
Need a professional website?
Kolonell builds websites that attract clients, optimized for the Sénégalese market. Free quote in 2 minutes.
Real sender? Real link (hover)? Expected attachment? If no to all 3: delete.
7. HTTPS everywhere (Let's Encrypt, free)
No HTTPS = Google Chrome shows "Not Secure". Customer flees. Let's Encrypt = 0 FCFA, 5-min setup.
8. Separate admin account and daily account
Never use the WordPress admin account to publish an article. "Editor" account for daily use.
9. Encrypt your disks (BitLocker / FileVault, free)
Laptop stolen in Almadies? Without encryption, all your customers are exposed. BitLocker (Windows Pro) and FileVault (Mac) = native, free.
10. Clear WhatsApp Business policy
A lost work phone = massive leak. WhatsApp Business with lock screen + fingerprint + 2-step verification PIN enabled.
The 5 mistakes that kill it
- "We're too small to be targeted": false. Attacks are automated, not targeted.
- Online-only backup: ransomware that reaches your Google Drive destroys everything. You need offline.
- Password shared in WhatsApp: forbidden. Use Bitwarden Send (ephemeral).
- Ignoring updates: 80% of hacks exploit a 6-month-old patched flaw.
- No incident plan: without written procedure, you lose 3 days panicking instead of 1h acting.
Threat / impact / zero-cost mitigation table
| Threat | Average SME impact | Zero-cost mitigation |
|---|---|---|
| Email phishing | 800K-3M FCFA siphoned | 3-check rule + 2FA |
| Ransomware | 3.2M FCFA ransom + 2w downtime | 3-2-1 offline backup |
| Admin account stolen | Full system control | Bitwarden + 2FA + separate account |
| Toxic ex-employee | Ads hijacked, data stolen | Day-one offboarding procedure |
| Customer data leak | 100M FCFA CDP fine | HTTPS + disk encryption |
| WordPress site hacked | 6 months SEO destroyed | Auto-updates + backups |
| Work phone lost | WhatsApp + email leak | Lock screen + 2-step PIN |
| Public Wi-Fi hijacked | Stolen sessions | ProtonVPN free tier |
How we do it at Kolonell
Our SME Cyber Hygiene Pack (250K FCFA flat rate, 5 days) covers:
- Full audit of the 10 points above
- 2FA, Bitwarden, 3-2-1 backup setup
- 2h team training (phishing, passwords, work WhatsApp)
- Custom incident playbook
- Prepared CDP filing if needed
"After a ransomware that nearly killed the business, we took the Kolonell pack. In 5 days, everything was locked. We finally sleep." — Mame Diarra Fall, director of a real estate agency in Ngor Dakar.
Quick FAQ
I'm a 3-person shop, is this really necessary? Yes. Automated attacks don't look at your size.
How long to implement the 10 measures? One workday for the owner or IT, then 30 min/month.
Does Law 2008-12 apply to me? As soon as you collect a customer email or phone number, yes.
What to do if I'm a victim right now? 1) Unplug network, 2) call a pro, 3) notify the CDP within 72h.
---
Want a free cyber audit for your SME?
Request it at kolonell.com/en/devis-gratuit or WhatsApp: +221 77 596 93 33.
Mohamed Ba
Fondateur, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Sénégalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online présence.
