Abstract
This study examines the cybersecurity vulnerabilities of Small and Medium-sized
Enterprises (SMEs) in South Africa from a Systems Engineering perspective. The
Saunders Research Onion methodology was used to guide the research process, with the
philosophies of Systems thinking and Interpretivism adopted. The approach was
inductive, and a typical SME was modelled as a system, with data flow and handling
being broken down to expose cybersecurity vulnerabilities within the system architecture.
The investigation revealed significant vulnerabilities in email communication,
interactions with external systems and platforms, and data storage points. These findings
underscore the importance of SMEs adhering to the South African Cybersecurity Act 19
of 2020, as well as adopting current cybersecurity practices and standards such as the
NIST framework and ISO 27001 to protect their systems from cyber threats.