Security is a business risk, not just an IT task
Many founders treat cybersecurity as something technical that gets delegated to whoever handles the computers. That framing is the first mistake, because the decisions that actually determine your exposure are business decisions: who can access what, how money moves, how staff are trained, what data you hold and how carefully.
As a leader you do not need to understand encryption algorithms. You need to understand that a breach can drain your accounts, expose your customers, break the law and destroy trust, and that preventing it is mostly about discipline rather than technology. The businesses that get hurt are rarely outmatched by genius hackers. They are usually undone by basics nobody took ownership of, which is exactly the kind of problem a leader is meant to solve.
Passwords and two-factor authentication
The humble password remains the front door to almost everything, and in most businesses that door is barely locked. People reuse the same password everywhere, so one leak elsewhere unlocks your business too, and they choose passwords weak enough to guess.
Two fixes carry enormous weight. First, use long, unique passwords for every account, made manageable by a password manager so nobody has to memorise them. Second, and most important, turn on two-factor authentication everywhere it is offered, especially email, banking and your business systems. With 2FA, a stolen password alone is not enough to get in. If you do only one thing after reading this, enable 2FA on your email today, because whoever controls your email can reset the passwords to everything else.
Your people are the real front line
The most common way attackers get in is not through your software, it is through your staff. A convincing phishing message, an email pretending to be you asking for an urgent payment, a WhatsApp from a fake supplier changing their bank details, exploits human trust and haste, not technical flaws.
That makes awareness a core control, not a soft extra. Teach your team a few reflexes: be suspicious of urgency, because attackers manufacture panic to stop people thinking; verify any unusual request, especially about money or credentials, through a separate channel like a phone call to a known number; and never enter a password after clicking a link in a message. A staff member who pauses and checks is worth more than most security software.
- Treat urgency and pressure as warning signs, not reasons to hurry.
- Verify payment and password requests through a second, known channel.
- Never enter credentials via a link in an email, SMS or WhatsApp.
- Confirm any change to supplier bank details before paying.
- Make it safe to report a mistake fast, because speed limits the damage.
Control who can access what
A quiet but serious risk is that everyone in the business can reach everything. Shared logins, blanket admin rights and passwords stuck to monitors mean a single compromised account, or a single disgruntled person, can touch your whole operation.
The principle here is least privilege: each person has their own login and can access only what their role genuinely needs. A cashier does not need the payroll, a salesperson does not need the bank reconciliation. This limits the blast radius when an account is compromised, because the attacker inherits only that person's narrow access, not the keys to everything. It also creates accountability, since every action ties to a named person rather than an anonymous shared account. Access control is where security and anti-fraud become the same discipline.
Backups and updates: boring, essential, decisive
The least glamorous controls are the ones that save you. Ransomware, where attackers encrypt your data and demand payment, is devastating only if you have no backup to restore from. With good backups it becomes an inconvenience; without them it can end a business.
So keep backups that are automatic, stored off-site or in the cloud, and actually tested by restoring them. Separately, keep software updated, because most attacks exploit known flaws that a patch already fixed, and running outdated systems is like leaving a repaired lock unfitted. Neither of these is exciting, and that is precisely why they get neglected until the day they would have mattered. Leaders who insist on boring backups and boring updates are the ones who sleep through the incidents that wreck their competitors.
Cybersecurity is also a legal duty in Kenya
Security is no longer only a matter of protecting yourself, it is a matter of protecting the people whose data you hold. The Kenya Data Protection Act sets out how businesses must handle personal data about customers and staff: collecting it lawfully, using it for legitimate purposes, keeping it secure, and respecting individuals' rights over their own information.
In practice this means holding customer data carelessly is now a legal exposure as well as a reputational one. Leaking a customer database is not just embarrassing, it can carry consequences under the law. The upshot for a leader is reassuring in one sense: the same basics that protect your business, controlled access, encryption, backups, careful handling, are also most of what compliance asks for. Doing security well and meeting your legal duty are largely the same work.
A secure system is easier than a pile of tools
Trying to bolt security onto a sprawl of spreadsheets, personal devices, WhatsApp groups and disconnected apps is exhausting, because every one of them is a separate door to watch. Security gets dramatically easier when your business runs on a single, well-built system of record instead.
In a proper system, access is controlled per person from one place, data is backed up automatically, updates are managed centrally, and every action leaves an audit trail so you can see what happened if something goes wrong. You are defending one well-built house rather than a scattering of unlocked sheds. Consolidating how your business operates is not only about efficiency; it quietly removes most of the surface an attacker would otherwise exploit.
How Upeosoft helps
Upeosoft builds Kenyan businesses on ERPNext and Frappe with security and access control designed in, so protecting your business is part of how the system works rather than a scramble of add-ons. Each person gets an individual login with role-based access, data is backed up automatically, and a complete audit trail records who did what.
We help you consolidate scattered spreadsheets and apps into one system that is genuinely defensible, and we build with the Kenya Data Protection Act in mind so that protecting customer data supports your compliance rather than fighting it. You do not need to become a security expert. You need the basics enforced by the system your business runs on. If that is not the case today, talk to us about getting there.
