By May, new employees have joined the business, while others have left. Roles might have changed, and suppliers may have been added. Devices have moved between offices, homes, and sites. Teams have found quicker ways to get work done, some of them approved, some of them a bit more informal.
That is normal, but it also means that cybersecurity and POPIA controls that looked right in January may no longer reflect how the organisation is operating. In my view, this is the right time for businesses to run a practical post-Q1 security check.
This should not be a scare exercise or become a massive audit. It is simply a disciplined way to ask whether the basics are still in place, whether responsibility is clear, and whether the business can respond properly if something goes wrong.
Start with access
Start by examining who still has access to what. Businesses should check whether users who have left the business have been removed from systems. They must also review employees who changed roles during the first quarter and make sure their access rights still match their responsibilities. This is especially important for administrator rights, shared mailboxes, finance systems, HR information, cloud platforms, and remote access.
From a cybersecurity perspective, unnecessary access increases exposure. And from a POPIA perspective, personal information should be available only to those who need it for a legitimate business purpose.
Test recovery before you need it
Backups are useful only if recovery works. Many businesses can say that backups are running. Fewer can say with confidence when they last tested whether critical data, systems, or email records could actually be restored.
If ransomware, accidental deletion, or a system failure affects the business, the question will be how quickly the business can recover and what information can be restored. A simple restore test gives leadership a much clearer view of operational resilience.
Check devices and patching
Every business has devices that can fall through the cracks. It may be a laptop used by a remote employee, a spare machine given to a contractor, or an older server that still supports an important process. These devices often become weak points because they are no longer visible in the same way as the main environment.
A post-Q1 review should check which devices are managed, whether patching is up to date, and whether endpoint protection is active.
Hybrid work has made this more important. The office is no longer the only place where work happens, so security controls must follow the way people actually work.
Review email and phishing behaviour
Email remains one of the easiest ways to reach employees, which means it is one of the easiest ways to introduce risk. Security awareness should therefore be treated as an operating discipline rather than a one-off training requirement.
By May, businesses should know whether employees are completing awareness training, whether repeated phishing risks are being addressed, and whether staff understand how to report suspicious emails.
Completion rates are useful, but they do not tell the whole story. The real question is whether behaviour is improving.
Revisit personal information
POPIA compliance is not only about having policies in place. It is about understanding how personal information is collected, stored, accessed, shared, and retained in day-to-day business operations.
Customer records, employee information, supplier documents, and project files may have moved into new folders, systems, or collaboration spaces. The business should be able to answer basic questions. For example, where is personal information stored? Who has access to it? Is it being shared externally? Is it being retained for a valid reason?
Look at third-party access
Suppliers, consultants, and service providers often need access to systems or data. That access should not continue indefinitely without review. Check which third parties still have access. Confirm whether they still need it. Review whether the level of access matches the work being done.
Third-party access is often granted quickly during a project or in response to an urgent request. The discipline is in reviewing it afterwards.
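As an added example (not from this article), the following Python reconciliation performs the kind of check the access review and the third-party review above describe: it compares an account export against an HR roster to flag leavers still enabled, role changers holding groups beyond their role, and third-party access past its review date. The roster, account export, role-to-group mapping, 90-day review policy and review date are all constructed assumptions.

```python
from datetime import date

REVIEW_DAYS = 90             # assumed policy: third-party access re-approved every 90 days
TODAY = date(2025, 5, 15)    # constructed date of the post-Q1 review

# Constructed HR roster: employment status and current role after the Q1 changes.
HR = {
    "amahle": {"status": "active", "role": "finance"},
    "thabo":  {"status": "left",   "role": "finance"},  # left in March
    "lerato": {"status": "active", "role": "sales"},    # moved from IT to sales in Q1
}

# Assumed mapping of the groups each role legitimately needs (the business's own source of truth).
ROLE_GROUPS = {
    "finance": {"finance-app", "shared-mailbox"},
    "sales":   {"crm"},
    "it":      {"domain-admins"},
}

# Constructed account export from the identity system.
ACCOUNTS = [
    {"user": "amahle",   "enabled": True,  "type": "staff", "groups": {"finance-app"}},
    {"user": "thabo",    "enabled": True,  "type": "staff", "groups": {"finance-app", "shared-mailbox"}},
    {"user": "lerato",   "enabled": True,  "type": "staff", "groups": {"crm", "domain-admins"}},
    {"user": "svc-old",  "enabled": True,  "type": "staff", "groups": {"vpn"}},  # nobody in HR owns it
    {"user": "vendor-x", "enabled": True,  "type": "third_party", "groups": {"vpn"}, "last_review": date(2025, 1, 10)},
    {"user": "vendor-y", "enabled": False, "type": "third_party", "groups": {"vpn"}, "last_review": date(2024, 6, 1)},
]

def review_access(hr, accounts, today):
    """Return (user, category, detail) findings; an empty list means access matches the roster."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account is not exposure; nothing to flag
        user = acct["user"]
        if acct["type"] == "third_party":
            age = (today - acct["last_review"]).days
            if age > REVIEW_DAYS:
                findings.append((user, "stale_third_party", f"last reviewed {age} days ago"))
            continue
        person = hr.get(user)
        if person is None:
            findings.append((user, "not_in_hr", "enabled account with no owner in the HR roster"))
        elif person["status"] != "active":
            findings.append((user, "leaver", "account still enabled after departure"))
        else:
            excess = acct["groups"] - ROLE_GROUPS.get(person["role"], set())
            if excess:
                findings.append((user, "excess_groups", f"beyond role {person['role']}: {sorted(excess)}"))
    return findings
```

Running `review_access(HR, ACCOUNTS, TODAY)` on the constructed data flags thabo (leaver), lerato (domain-admins beyond the sales role), svc-old (no HR owner) and vendor-x (125 days since review), while amahle and the disabled vendor-y produce nothing.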
Confirm incident visibility
Finally, ask what would happen if something went wrong today. Would the right people know quickly? How are incidents logged? Who communicates with leadership? What information would be needed if personal data were involved?
If the answer depends on one person remembering what to do, the process is not strong enough. A post-Q1 security check will not solve every risk. The point is to identify where attention is needed before small gaps become larger problems.
Cybersecurity and POPIA compliance are not annual events. They are operating disciplines. The businesses that manage them well are the ones that keep checking whether their controls still match how the business works.