According to PwC Global Digital Trust Insights 2024, 36% of companies worldwide experienced significant losses from cyber incidents in the past year. For small businesses, the stakes are often not in the millions, but in survival: up to 60% of small companies close within six months of a major data breach.
In Kazakhstan, the share of digital services in the business processes of small companies has grown rapidly over the past five years: online banking, marketplaces, cloud CRM, and electronic documents have become the norm. At the same time, the interest of cybercriminals in local companies, including very small ones, has also grown. In 2025, the country recorded more than 14 thousand computer incidents and online-fraud cases, and the real number of attacks is always higher than the official statistics. This material explains, without technical jargon, which threats are most dangerous for small businesses, which basic measures need to be implemented now, and which solutions are budget-friendly. Separately, we will look at the requirements of Kazakhstani legislation and how small businesses can build a simple but working cybersecurity system with the support of companies like Alashed IT (it.alashed.kz).
Main Cyber Threats for 2026 for Small Businesses in Kazakhstan
For small businesses in Kazakhstan in 2026, the greatest danger is posed by three classes of threats: phishing, ransomware, and data leaks. According to international reviews of cyberattacks in 2025, up to 90% of successful attacks on companies began with a simple phishing email. In local practice, these are emails supposedly from a bank, the tax committee, popular marketplaces, or delivery services. Attackers forge domains and logos, ask the recipient to 'urgently update credentials' or 'confirm payment', and lead them to a fake site that captures logins and, increasingly, the one-time codes entered on it.
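The paragraph above describes forged domains and lookalike sites; the checks below are what "look carefully at the address" means in practice. This is an added example, not code from the original article or from Alashed IT. The brand names and domains in TRUSTED_DOMAINS (examplebank.kz, examplemarket.kz) are constructed placeholders, and the list of two-label suffixes is deliberately short; a production version would use the Public Suffix List and the company's own list of banks and marketplaces.

```python
import difflib
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Constructed allowlist for this example: the brand name an employee would
# recognise in an email, mapped to the domains that brand genuinely uses.
# Replace with the bank, marketplace and delivery domains your company uses.
TRUSTED_DOMAINS = {
    "examplebank": {"examplebank.kz"},
    "examplemarket": {"examplemarket.kz", "examplemarket.com"},
}

# Second-level suffixes so that "shop.examplemarket.com.kz" splits correctly.
# Deliberately short; a production check should use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"com.kz", "org.kz", "gov.kz", "edu.kz", "co.uk"}

# Digits and symbols attackers substitute for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "8": "b", "|": "l"})


def registrable_domain(host: str) -> str:
    """The part of the hostname someone actually registered:
    'login.examplebank.kz' -> 'examplebank.kz'."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_url(url: str) -> List[str]:
    """Return the red flags found in a link; an empty list means none."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")   # .hostname is already lower-cased

    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        findings.append("text before '@' is a fake username; the real host comes after it")
    if not host:
        findings.append("no hostname")
        return findings
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
        return findings
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (punycode) domain: possible homoglyph attack")

    reg = registrable_domain(host)
    normalised = reg.translate(CONFUSABLES)      # examp1ebank.kz -> examplebank.kz
    for brand, domains in TRUSTED_DOMAINS.items():
        if reg in domains:
            continue  # a genuine domain of this brand
        if normalised in domains or difflib.get_close_matches(normalised, domains, n=1, cutoff=0.9):
            findings.append(f"lookalike of {brand} domain: {reg}")
        elif brand in host:
            # examplebank.kz.secure-login.top: the brand is only a subdomain label
            findings.append(f"'{brand}' appears in the address but the site is actually {reg}")
    return findings


if __name__ == "__main__":
    for link in ["https://login.examplebank.kz/",
                 "http://examplebank.kz.secure-login.top/update",
                 "https://examp1ebank.kz/",
                 "https://examplebank.kz@203.0.113.5/"]:
        print(link, "->", check_url(link) or ["no red flags"])
```

The important check is the last one: the brand name may appear anywhere in the address, but only the registrable domain (the last two or three labels) tells you who owns the site. Everything to the left of it is chosen freely by whoever registered that domain.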
The second growing problem is ransomware. A typical scenario for a Kazakhstani company: an accountant or sales manager opens an attachment 'invoice', 'act', or 'contract', after which within minutes all files on the server and workstations are encrypted, and a ransom demand in cryptocurrency appears on the screen. Amounts can start from $1–2 thousand for small businesses and reach tens of thousands if attackers see that the company is dependent on data. Without backup copies, it is almost impossible to restore information, and paying the ransom does not guarantee file recovery.
The third acute issue is data leaks. In 2025, the average cost of a single leak for a small company worldwide was estimated by researchers at $120–200 thousand, taking into account downtime, fines, and reputational losses. For Kazakhstan, the amounts are lower, but the ratio is similar: the loss of a customer base, passport data, TINs, and financial information leads to complaints to the personal data protection authority, fines, and customer outflow. Often the source of the leak is simply the lack of access rights segregation, a backup storage exposed on the internet without a password, or an employee's mistake in sending a file 'to the wrong recipient'.
Separately, attacks on corporate messengers and social networks are gaining momentum. Taking over a company's Instagram or TikTok page, changing payment details in a marketplace profile, replacing the contact details in a sales ad: all of these are direct financial losses and a blow to reputation. Attackers only need to guess or phish the password to the owner's email, or use a session token stolen from an infected phone. Therefore, cybersecurity in 2026 is no longer a question for 'large corporations' only, but a basic element of survival for any business operating in the digital environment.
Passwords, 2FA, and Basic Hygiene: The Foundation of Cybersecurity
The simplest and most ignored level of protection is password management and two-factor authentication (2FA). Most successful account breaches in small businesses occur due to weak passwords like qwerty123, reusing the same password for email, CRM, banks, and cloud storage, as well as the lack of 2FA. However, transitioning to a more secure model does not require significant investment and is accessible to any company with 5–20 employees.
The minimum standard for 2026: a unique password of at least 12–14 characters for each service, a combination of letters, numbers, and symbols, a ban on using personal data (name, date of birth, car number), and mandatory storage in a password manager, not in a notebook or Excel. For small businesses, solutions like Bitwarden (with a free plan for individual users and affordable business plans), 1Password, or Keeper are suitable. Companies like Alashed IT help set up a corporate password manager, distribute access by roles, and train employees to use it without complicating their lives.
Two-factor authentication should be enabled wherever possible: corporate email, Microsoft 365 or Google Workspace, online banking, CRM, messengers, and social networks. In practice, this means that after entering a password, the system requests a one-time code from an authenticator app (Google Authenticator, Microsoft Authenticator, Authy) or sends a confirmation prompt to a linked smartphone. This makes account takeover far less likely even if the password is leaked. One caveat: a code typed into a phishing page can be relayed by the attacker to the real site within its 30-second validity, so app codes and push prompts reduce the risk but do not eliminate it. For business-critical systems, especially those with payment access, consider hardware security keys (like the YubiKey family), which are bound to the genuine site's address and cannot be phished this way.
Basic cyber hygiene also includes regularly updating operating systems and programs. Microsoft, Apple, and the makers of popular office and accounting software close dozens of vulnerabilities every month. According to international reports, a significant portion of attacks on small businesses in 2024–2025 used vulnerabilities for which patches were already available, but the companies had not installed the updates. Therefore, it is important to enable automatic updates and check once a month that critical patches are actually installed, not merely downloaded and waiting for a reboot. Companies like Alashed IT take this routine on themselves as part of outsourced IT support services, centrally updating clients' workstations and servers.
Backup and Data Protection for Small Businesses
Reliable backup is the only real way to survive a ransomware attack, equipment failure, or human error without catastrophic losses. For small companies in Kazakhstan, three types of data are often critical: accounting (1C, ERP, electronic invoices), the customer base (CRM, payment history, correspondence), and documents (contracts, acts, commercial offers). Loss of any of these can stop a company's work for weeks. International practice recommends the 3-2-1 rule: at least three copies of the data, on at least two different types of media, with at least one copy outside the office and outside the main infrastructure.
For small businesses, a typical scheme might look like this: daily automatic backup of the 1C and CRM databases to a separate local NAS in the office, plus a nightly encrypted upload to the cloud (e.g., cloud storage from major international or regional providers). Additionally, once a week, important documents can be saved to removable media (SSD/USB) and stored away from the office premises. The main condition is that backup copies must be inaccessible from ordinary employee accounts: ransomware runs with the rights of the infected user, so a backup share that every employee can write to will be encrypted together with the workstations. Use a separate account for the backup job, keep versioned or immutable copies, and do not leave the weekly removable drive plugged in.
The cost of a basic backup system for an office with 10–20 workstations can be around 150–300 thousand tenge: a desktop NAS with disks, backup software licenses, setup, and testing. Cloud services often offer free limits (e.g., up to 10–15 GB), but for real business, this is not enough, so it is worth considering paid plans in the range of 2–5 thousand tenge per month for 100–200 GB and above. Companies like Alashed IT help choose a combination of local and cloud solutions, set up automatic schedules, and regularly test recovery to ensure that backup copies are truly functional.
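The backup scheme above ends with the step that is most often skipped: regularly restoring from the copy to prove it works. The script below is an added example, written for this article and not taken from the original page or from Alashed IT. It snapshots a folder into an archive with a SHA-256 manifest, writes the archive to two destinations (standing in for the office NAS and the off-site copy), then restores each into a scratch directory and compares every file against the manifest. The sample '1C' and CRM files, the folder names and the backup label are all constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, destinations: List[Path], label: str) -> List[Path]:
    """Archive `source` once, record a SHA-256 for every file, and copy the archive
    plus its manifest to each destination. Returns the archive path at each destination."""
    manifest = {str(p.relative_to(source)).replace(os.sep, "/"): sha256_file(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    written = []
    with tempfile.TemporaryDirectory() as scratch:
        archive = Path(scratch) / f"{label}.tar.gz"
        with tarfile.open(str(archive), "w:gz") as tar:
            tar.add(str(source), arcname=".")
        for dest in destinations:
            dest.mkdir(parents=True, exist_ok=True)
            copy = dest / archive.name
            shutil.copy2(archive, copy)
            (dest / f"{label}.manifest.json").write_text(json.dumps(manifest, indent=1))
            # Read-only bits stop accidental deletion, nothing more: ransomware with
            # write access to the share can flip them back (the demo below does exactly
            # that). The real protection is a destination employee accounts cannot write to.
            copy.chmod(0o444)
            written.append(copy)
    return written


def verify_restore(archive: Path, manifest_path: Path) -> Dict:
    """Restore into a scratch directory and compare every file with the manifest.
    A backup that has never been restored is an assumption, not a backup."""
    manifest = json.loads(manifest_path.read_text())
    result = {"ok": False, "missing": [], "corrupt": [], "error": ""}
    with tempfile.TemporaryDirectory() as scratch:
        restore_dir = Path(scratch)
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                for member in tar.getmembers():
                    name = os.path.normpath(member.name)
                    # Refuse path traversal, absolute paths, symlinks and device nodes.
                    if (os.path.isabs(name) or name == ".." or name.startswith(".." + os.sep)
                            or not (member.isfile() or member.isdir())):
                        raise ValueError(f"unsafe archive member {member.name!r}")
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(restore_dir, **kwargs)
        except (tarfile.TarError, OSError, EOFError, ValueError) as exc:
            result["error"] = f"{type(exc).__name__}: {exc}"
            result["missing"] = list(manifest)
            return result
        for rel, digest in manifest.items():
            restored = restore_dir / rel
            if not restored.is_file():
                result["missing"].append(rel)
            elif sha256_file(restored) != digest:
                result["corrupt"].append(rel)
    result["ok"] = not (result["missing"] or result["corrupt"])
    return result


def demo() -> tuple:
    """Constructed end-to-end run. Returns (office copy restores, office copy still
    restores after a simulated ransomware overwrite, off-site copy still restores)."""
    label = "daily-2026-01-15"
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        source = root / "office-data"
        (source / "1c").mkdir(parents=True)
        (source / "1c" / "ledger.db").write_bytes(os.urandom(4096))        # sample data
        (source / "crm-contacts.csv").write_text("name,phone\nSample Client,+7 700 000 0000\n")
        office, offsite = create_backup(source, [root / "nas", root / "offsite"], label)
        before = verify_restore(office, office.parent / f"{label}.manifest.json")["ok"]
        # Ransomware running as an employee who has write rights to the NAS share.
        office.chmod(0o644)
        office.write_bytes(b"ENCRYPTED BY RANSOMWARE, PAY TO DECRYPT")
        after = verify_restore(office, office.parent / f"{label}.manifest.json")["ok"]
        remote = verify_restore(offsite, offsite.parent / f"{label}.manifest.json")["ok"]
    return before, after, remote


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True)
```

In a real deployment the second destination would be a cloud bucket or an off-site drive reachable only by the backup job's own credentials, and the restore test would run on a schedule, with its result reported to whoever owns the checklist in the next section.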
A separate aspect of data protection is encryption and access control. Even simple segregation by the principle of 'minimum necessary access' significantly reduces the risk of leakage. Not all employees need the entire customer base or access to all financial documents. It is worth setting up permissions so that a sales manager sees only their own clients, and access to the general archive is limited to management. For working outside the office, use full-disk encryption on laptops (BitLocker in Windows, FileVault in macOS) so that a lost or stolen device does not become a data leak, and secure channels (VPN) for accessing internal systems.
Employee Training and Cybersecurity Checklist for Business Owners
According to international research statistics, up to 80–85% of successful attacks are somehow related to the human factor: an employee clicked on a link, installed malware, forwarded a confidential file, or provided data over the phone. Therefore, employee training is not an 'option for large corporations', but a mandatory element for any business with at least one computer with internet access. In Kazakhstan, this topic is coming to the fore: at regional cybersecurity and data localization meetings in Central Asia organized by international business associations, the focus is on improving the digital literacy of employees.
The minimum training standard for small businesses: an introductory course for all new employees (30–60 minutes), refresher training at least once a year, short reminders, and case studies when new fraud schemes appear. This can be an internal training session, an online course, or an invited expert. Companies like Alashed IT conduct practical sessions for staff, where they show typical phishing emails, 'sign a contract urgently' schemes, fake bank and marketplace pages, and practice skills: how to check a website address, how to act on a suspicious email, who to notify immediately.
To make it easier for business owners to control the situation, it is useful to have a short cybersecurity checklist. An example of a simple cybersecurity checklist for small businesses:
1. Accounts
- All employees have unique corporate emails
- 2FA is enabled for email, banks, CRM, social networks
2. Passwords
- A password manager is used (corporate)
- Storing passwords in Excel, notebooks, messengers is prohibited
3. Updates and Antivirus
- Auto-update of OS and software is enabled on all computers
- Licensed antivirus is installed, and real-time scanning is enabled
4. Backups
- Automatic daily backups of critical systems are available
- Backups are stored separately, and their recovery is periodically checked
5. People and Processes
- Training on phishing and safe internet use has been conducted
- A cybersecurity officer is appointed or an external contractor is engaged
6. Incidents
- There is a simple action plan for an attack (who to notify, how to isolate the system)
- IT support and security contractor contacts are available to everyone.
Passing this checklist every quarter gives the business owner a transparent picture: where the 'weak spots' are and what needs to be tightened in the coming weeks. If necessary, these points can be expanded according to the specifics of the industry: retail, online services, medical or educational business.
Tools, Incident Response, and Kazakhstani Data Law
Technical protection tools for small businesses in Kazakhstan in 2026 are no longer limited to antivirus software. It is important to combine free and paid tools. The basic set includes: modern antivirus/EDR (e.g., enterprise-level solutions from international vendors with behavioral analysis features), email filters (often included in Microsoft 365 and Google Workspace packages), cloud backup services, and a password manager. For companies with access to citizens' personal data, additional tools are useful: entry-level DLP systems, centralized access log auditing, and systematic monitoring of suspicious activities. Companies like Alashed IT help choose a minimal but effective set of solutions within the budget of a specific company and take over their maintenance.
Incident response should be written down in advance, not devised at the moment of an attack. A basic plan for small businesses includes four steps: detection, isolation, analysis, and recovery. Detection is when an employee notices a strange email, unusual activity, or an unknown window on the screen, and knows where to report it. Isolation is the immediate disconnection of the suspicious computer from the network (pull out the cable, turn off Wi-Fi), a ban on flash drives for transferring files, and a temporary change of passwords for key services from a clean device; do not wipe or reinstall the affected machine before it has been examined, as this destroys the evidence needed to understand what happened. Analysis is often entrusted to external specialists: it is necessary to understand which systems were affected, whether data was stolen, and what actions the attacker took. Recovery involves restoring from clean backups, checking the infrastructure, and an additional training session to help employees recognize such an attack faster in the future.
Separately, Kazakhstani legislation on personal data and its protection imposes additional requirements. The Law of the Republic of Kazakhstan 'On Personal Data and Their Protection' establishes that personal data operators must ensure their protection from unauthorized access, leakage, alteration, and destruction. This applies not only to banks and large corporations but also to any small business that stores customer data: names, phones, TINs, addresses, order history. In practice, this means the need to formalize a personal data processing policy, limit the number of employees with access, provide technical protection (passwords, encryption, backup, antivirus, physical access restriction), and inform competent authorities in the event of significant incidents. Failure to comply with the law can result in administrative fines and orders to rectify violations, which for small businesses translates into direct financial and reputational losses.
Companies that are not ready to maintain an in-house information security specialist increasingly turn to outsourcing services: external SOC centers, incident response services, and compliance audits. In the Kazakhstan market, companies like Alashed IT offer comprehensive services: from basic express audits and implementation of a minimum set of measures to ongoing support, including interaction with communication providers and government agencies in the event of serious incidents.
What This Means for Kazakhstan
Kazakhstan and Central Asia as a whole have been actively promoting digitalization in recent years: e-government, online banking, marketplaces, fast payment systems. According to industry associations, the share of small and medium businesses using online services has exceeded 70%, which means that cyber risks for SMEs have become systemic. National cybersecurity agencies record an annual increase in the number of incidents related to phishing, account compromise, and online payment fraud. In parallel, requirements for personal data protection are tightening, and new approaches to localizing critical data are being discussed.
For entrepreneurs in Kazakhstan and neighboring Central Asian countries, this means that ignoring cybersecurity is simply dangerous: attacks have moved from government structures and large corporations to regional and small companies, which often turn out to be the weak link in the supply chain. Service providers, banks, and international partners increasingly include cybersecurity requirements in contracts: the presence of minimum technical measures, employee training, and incident response plans. Access to partner programs, acquiring, and API integrations depends on this.
Against this backdrop, the demand for local specialists and companies that understand the market's specifics, legislation, and real infrastructure in Kazakhstan and Central Asia is growing. Companies like Alashed IT (it.alashed.kz) take into account the requirements of the Kazakhstani law on personal data, the specifics of working with local communication operators and data centers, and help small companies not only protect against typical threats but also prepare for audits and requirements from large clients.
Cybersecurity for small businesses in Kazakhstan in 2026 is no longer a technical luxury but a necessary condition for stable operation and customer trust. Most critical measures are affordable for any entrepreneur: correct passwords, 2FA, regular updates, backups, and basic employee training. A systematic approach, supported by a clear checklist and a simple incident response plan, allows for a significant reduction in the risk of serious consequences even in the event of an attack attempt. And cooperation with specialized contractors, such as Alashed IT, helps close complex issues and comply with legal requirements without excessive burden on the in-house staff.
Frequently Asked Questions
How much does basic cybersecurity cost for a small business in Kazakhstan?
For a small office with 10–20 employees, a basic cybersecurity package can start at around 30–50 thousand tenge per month using subscription models. This includes licensed antivirus, a password manager, minimal cloud backup, and basic IT support. One-time expenses for setting up infrastructure and backup usually amount to 150–300 thousand tenge. When using services from companies like Alashed IT, the package is tailored to the specific budget and industry of the business.
When does a small business in Kazakhstan need a full-time cybersecurity specialist?
A full-time cybersecurity specialist is usually needed when a company has more than 50–100 employees, its own IT infrastructure (servers, corporate systems), and processes a large volume of personal data or financial transactions. Before reaching this threshold, it is often sufficient to engage an external contractor for auditing and regular support. In practice, it is more economical for small companies to pay 100–300 thousand tenge per month for outsourced security services than to maintain a separate in-house position. Companies like Alashed IT help determine when the transition to a more complex model is justified.
What risks does a small business face when violating the personal data law in Kazakhstan?
Violation of Kazakhstan's personal data law threatens small businesses with administrative fines, orders to rectify violations, and reputational losses. The specific amounts of fines depend on the nature of the violation, but even a few hundred thousand tenge can be critical for a microbusiness. Additionally, temporary restrictions on data processing may be imposed until the violations are rectified, which can halt online services and sales. It is important to establish data processing and protection processes in advance; an audit by a company like Alashed IT helps with this.
How long does it take to implement basic cybersecurity measures in a small company?
Implementing basic cybersecurity measures in a company with up to 20 employees, with good planning, takes from one to three weeks. In the first 2–3 days, you can set up antivirus, updates, a password manager, enable 2FA, and start backup. Over the next 1–2 weeks, employee training, access rights adjustment, and test data recovery from backups are carried out. If a professional contractor like Alashed IT is involved, the entire basic cycle often fits within 5–7 working days.
How to save on cybersecurity for a small business without losing protection?
Savings are achieved by correctly prioritizing and combining free and low-cost solutions. For example, you can start with free versions of password managers and built-in protection in Microsoft 365 or Google Workspace, and purchase paid licenses only for critical users. It is important not to skimp on backup and 2FA: the cost of cloud backups at 2–5 thousand tenge per month is incomparable to the losses from data loss. Companies like Alashed IT help choose a minimal but balanced set of tools that covers the main risks without excessive spending.