Resilience is the new innovation: A how to for SMEs

Leonie Stanley, Operations Director, Euphoria Telecom.

---

November 2025: A single fibre break in Elsies River severed the link between two Cape Town data centres, pulling Discord, OpenAI, and YouTube offline for South African users for an entire morning. 

The culprit? Both of the providers’ redundancy routes had been leased from the same vendor. When the primary link collapsed, the redundant link died with it.

July 2024: A faulty CrowdStrike update grounded airlines, knocked out banking services, and forced contact centres into manual workarounds.

Add to these two incidents the undersea cable cuts of 2024 and a decade of rotational load shedding, and a clear picture emerges. South African businesses have endured more ‘unprecedented’ disruptions in five years than most economies face in a generation.

Compounding this is a predatory ransomware landscape.

Average demands on local organisations spiked from R2.9 million in 2024 to R17 million in 2025 according to the Sophos State of Ransomware in South Africa 2025 report. Total recovery costs, factoring in downtime and lost opportunity, now hover closer to R23 million per incident.

Only half of local companies recover from such an attack within a week. Yet, when I speak with SME owners, disaster recovery (DR) and business continuity planning (BCP) are still viewed as “enterprise problems” involving massive budgets and impenetrable consultant-speak.

Having written these plans for mines and banks in a previous life, and now seeing them from inside a telco where uptime is the product, I can tell you one thing: resilience has quietly become the ultimate innovation. The winners are the ones still answering the phone while their competitors are staring at a ‘Service Unavailable’ screen, not the ones with the flashiest AI.

The regulatory landscape is daunting for smaller businesses. ISO 22301 (BCM), ISO 27031 (ICT readiness), and King V make resilience a board-level fiduciary duty. POPIA adds the legal sting, demanding you not only protect data but recover it.

However, even the largest enterprises don't try to tackle it all in one fell swoop. They start with one room, one whiteboard, and one question: “If this part of the business stopped working tomorrow, what would actually happen?”

You do not need a six-figure consulting fee to start working on disaster recovery and business continuity. You need a few hours and the willingness to be uncomfortable.

1. The quick business impact analysis (BIA): List your revenue-generating activities. Write down how fast things die if they stop working. One hour of no email is a nuisance; one week is existential. This is your priority list.
2. Hunt the single points of failure: One internet line. One person who holds the keys to the billing system. One backup that has never been tested. These are usually cheap to fix once you find them.
3. Document, briefly: Five pages beats fifty. Who declares the incident? Who calls the customers? Where are the keys? A plan that lives only in a founder’s head isn’t a plan; it’s a liability.
4. The tabletop exercise: Block 90 minutes. Gather your stakeholders and pose a scenario: "The fibre is cut and the main email tenant is down." Walk through it minute-by-minute. You will discover exactly which of your assumptions are wrong in the safety of a boardroom rather than the chaos of a crisis.
5. Fail, fix, repeat: At Euphoria, we’ve run multiple DR tests. Some failed. We diagnosed the gaps, remedied them, and re-tested. A ‘failed’ test isn’t a sign of a weak plan; it’s a sign of a maturing one.

The point of a DR test is to fail in private so you don’t fail in front of your customers. A plan that hasn't been tested is a hope documented in Word.

During a simulation, you’ll find the IVR no one updated or the admin password held by an employee who left in 2023. This is good. You are building a culture of recoverability. People who have practiced the moves once, recover ten times faster than those reading a runbook for the first time at 2:00 AM.

Treat ISO standards and King V as scaffolding. They are there to help you ask the right questions: What is our Recovery Time Objective (RTO)? Where does personal data live? Since the Information Regulator’s e-Services Portal launched in April 2025, breach notifications have jumped 40%. With fines ranging from R100,000 to R5 million already being issued, the cost of an untested recovery plan is currently officially higher than the cost of a tested one.

In the telco world, we live with the reality that things will fail. The differentiator is how fast you recover and how clearly you communicate. Customers can forgive an outage, but they rarely forgive silence.

SMEs pulling ahead treat resilience as a competitive feature. They stay online when upstream providers wobble. Their customers feel held, not abandoned.

Start this quarter. Pick your most vulnerable point, get five people in a room, and walk through a ‘Tuesday morning disaster’. Fix the easiest thing first. You won't have a perfect plan, but you will have a business that has decided to survive.

It’s not about how many times you fail. It’s about how quickly you stand back up, and whether your customers even noticed you stumbled.