One Dakar SME in three suffered a successful cyberattack in 2025 (Africa Cyber Index study). Median cost of a successful attack: XOF 8.4M (EUR 12,800) — six months of a senior developer's salary. Yet 80% of these incidents would have been prevented by 10 baseline measures costing less than XOF 200,000. Here is Kolonell's auditable checklist for Dakar SMEs in 2026.
TL;DR
- 30 audit points across 5 categories
- Target SME score: 24/30 minimum for an acceptable risk
- Compliance cost: XOF 200,000 to 800,000 (EUR 305 to 1,220)
- Recommended timeline: 30 days
- Free Kolonell audit online via /audit-gratuit
Category 1 — Authentication (6 points)
- Unique passwords per service: every tool (mail, CRM, bank) has a different password. Bitwarden or 1Password manager required.
- MFA on critical accounts: email, banking, hosting, GitHub, site admin. Authy or Google Authenticator, not SMS.
- Long passwords (16+ characters): randomly generated, no birthday or kid's name.
- No shared passwords in cleartext: Slack, WhatsApp, email — banned. Share via the Bitwarden Send vault.
- Admin accounts separated from regular ones: a manager runs two Google Workspace accounts, admin used only for configuration.
- Password rotation after employee departure: mandatory offboarding checklist.
Category 2 — Infrastructure and servers (6 points)
- HTTPS everywhere (Let's Encrypt): not a single subdomain on raw HTTP, HSTS enabled.
- OS and CMS up to date: Ubuntu LTS, WordPress core plus plugins on the latest minor release, patches applied within 14 days.
- Server firewall configured: ufw or nftables, only ports 22/80/443 open, SSH by key only.
- Fail2ban active: auto-ban IP after 5 SSH or WordPress failed logins.
- Daily backups tested: Wasabi or OVH, AES-256 encryption, monthly restore drill.
- Uptime and error monitoring: UptimeRobot, Sentry, BetterStack — email plus WhatsApp alert if downtime > 2 min.
Category 3 — Application and code (6 points)
- Server-side input validation: validated on the server, never only in the browser, to block SQL injection and XSS.
- CSRF tokens on forms: Next.js, Laravel, Django ship this by default.
- HTTP security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy.
- Dependencies scanned: npm audit, dependabot, Snyk — no high or critical vulnerability left open.
- Secrets never in Git: .env gitignored, git-secrets or trufflehog scan before every push.
- Rate limiting on sensitive endpoints: login, reset password, public API — max 10 req/min per IP.
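An added audit helper (not Kolonell's code) that checks the HSTS point of Category 2 and the four security-header points of Category 3 against a captured response head; the sample response and the six-month HSTS threshold (Mozilla Observatory's minimum) are assumptions:

```python
import re

# Constructed sample: the response head of a hypothetical SME site (not a real host).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=3600
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
"""

# Category 2 asks for HSTS, Category 3 for the four security headers.
REQUIRED = {
    "strict-transport-security": "Category 2: Strict-Transport-Security missing",
    "content-security-policy": "Category 3: Content-Security-Policy missing",
    "x-frame-options": "Category 3: X-Frame-Options missing",
    "x-content-type-options": "Category 3: X-Content-Type-Options missing",
    "referrer-policy": "Category 3: Referrer-Policy missing",
}
# Assumed threshold: six months, the minimum Mozilla Observatory accepts for HSTS.
MIN_HSTS_AGE = 15552000


def parse_headers(raw):
    """Parse a raw HTTP response head into a {lower-cased name: value} dict."""
    headers = {}
    for line in raw.splitlines()[1:]:  # line 0 is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def audit_headers(raw):
    """Return the failed checklist points for one response; [] means all five pass."""
    headers = parse_headers(raw)
    findings = [msg for name, msg in REQUIRED.items() if name not in headers]
    hsts = headers.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (age is None or int(age.group(1)) < MIN_HSTS_AGE):
        findings.append("Category 2: HSTS max-age below six months")
    if headers.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("Category 3: X-Content-Type-Options is not 'nosniff'")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE) or ["All five header points pass"]:
        print(finding)
```

Feed it the output of `curl -sI https://your-site` to score a real deployment; each finding maps to one point of the 30.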
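The rate-limiting point above, as an added example that is not part of the original checklist: a per-IP sliding-window limiter at 10 requests per minute, with a constructed login-burst scenario driven by a fake clock; the in-memory store and the TEST-NET address are assumptions:

```python
import math
import time
from collections import defaultdict, deque

LIMIT = 10           # requests per window, as in the checklist point above
WINDOW_SECONDS = 60  # one minute


class SlidingWindowLimiter:
    """Per-IP sliding-window limiter for login, password-reset and public-API routes.

    State lives in process memory, which suits a single server; a multi-instance
    deployment would share the timestamps in Redis (an assumption, not a checklist item).
    """

    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)  # ip -> timestamps of requests still in the window

    def allow(self, ip):
        """True if the request may proceed, False if the route should answer HTTP 429."""
        now = self.clock()
        q = self.hits[ip]
        while q and now - q[0] >= self.window:  # expire timestamps older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, ip):
        """Seconds until the oldest request leaves the window (value for a Retry-After header)."""
        q = self.hits[ip]
        return math.ceil(self.window - (self.clock() - q[0])) if q else 0


def simulate_login_burst(attempts=12):
    """Constructed scenario: one IP sends `attempts` login requests in under a second,
    then retries once the window has elapsed. Returns (allowed_in_burst, allowed_later)."""
    fake_now = [1000.0]
    limiter = SlidingWindowLimiter(clock=lambda: fake_now[0])
    allowed = 0
    for _ in range(attempts):
        fake_now[0] += 0.05
        if limiter.allow("203.0.113.7"):  # TEST-NET-3 address, documentation only
            allowed += 1
    fake_now[0] += WINDOW_SECONDS
    return allowed, limiter.allow("203.0.113.7")


if __name__ == "__main__":
    print(simulate_login_burst())  # (10, True)
```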
Category 4 — Data and CDP compliance (6 points)
- Up-to-date processing register: every activity documented, Notion or Excel source of truth.
- Published privacy policy: /confidentialite page accessible from the footer.
- CDP-compliant cookie consent: opt-in banner for Google Analytics, Meta Pixel.
- Sensitive data encrypted at rest: IBAN, NINEA, health — application-level encryption via libsodium; bcrypt is a hash for values that only need verifying (passwords), not for data that must be read back.
- Retention period defined: 3 years prospects, 10 years customers (accounting), automated deletion.
- CDP rights procedure: dpo@example.sn email plus web form for access, rectification, erasure.
Category 5 — People and phishing (6 points)
- Quarterly phishing awareness: 2h workshops or KnowBe4/Conscio modules, role-play.
- Incident escalation procedure: who to call on suspicion, runbook accessible outside main infra.
- No guest Wi-Fi on corporate network: separate SSID, distinct VLAN, internet-only access.
- VPN for remote work: WireGuard or OpenVPN, no RDP exposed on the internet.
- Signed IT charter: all employees and freelancers have signed an acceptable-use charter.
- Annual simulated phishing test: GoPhish or external tool — measure click rate, train the most vulnerable.
Scoring and interpretation
| Score | Level | Action |
|---|---|---|
| 28-30 | Excellent | Maintenance plus annual audit |
| 24-27 | Good | Close 3-6 gaps within 30 days |
| 18-23 | Average | 60-day remediation plan |
| 12-17 | Weak | High risk — 90-day program |
| 0-11 | Critical | Stop business, urgent external audit |
Cost and timeline for compliance
For a 5 to 15-person SME starting at score 15/30:
| Phase | Duration | XOF cost | Deliverable |
|---|---|---|---|
| Initial audit | 3 days | 250,000 | 30-point scoring report |
| Quick wins | 7 days | 80,000 | MFA, backups, HTTPS |
| Infra hardening | 14 days | 350,000 | Firewall, fail2ban, monitoring |
| CDP compliance | 14 days | 200,000 | Register, policy, procedures |
| Awareness | 2 days | 120,000 | Workshop plus signed charter |
| 30-day total | 30 days | 1,000,000 (EUR 1,525) | Target score 26/30 |
FAQ
Q: Is this checklist enough for ISO 27001?
A: No — it covers the basics for SMEs. ISO 27001 requires a fully documented ISMS (security policy, EBIOS risk analysis, treatment plan, internal audit, management review). Plan 18 to 24 months for certification.
Q: Does a 10-person SME need a dedicated CISO?
A: Not in 2026 — an outsourced CISO (Kolonell, Dakar firms) at XOF 200,000 to 400,000/month is enough. An internal CISO makes sense from 50 employees or in regulated industries.
Q: How to test my security without paying for a pentest?
A: Free tools: Mozilla Observatory (headers), SSL Labs (TLS), GTmetrix (performance), OWASP ZAP (light application scan). For a real pentest, budget XOF 1.5 to 4M depending on scope.
Q: Is my antivirus enough for employee endpoints?
A: Not in 2026 — antivirus alone covers 40% of threats. Add EDR (Microsoft Defender for Business, SentinelOne) plus DNS filtering (Cloudflare for Teams free) plus MFA on every pro account.
Conclusion
Cybersecurity for a Dakar SME does not need an enterprise budget — it needs discipline and a maintained checklist. XOF 1,000,000 and 30 days are enough to move from critical risk to an acceptable level. Kolonell offers the full 30-point audit online, for free. Request your free audit or message WhatsApp +221 77 596 93 33.
Mohamed Bah
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.
