Over the past months we ran passive, no-touch security assessments of 17 businesses across Harare: hospitality, healthcare, legal, education and the NGO sector. We never logged in, scanned ports, or sent anything beyond the ordinary page requests a visitor's browser makes. Everything below comes from publicly available information any attacker could see. The picture is consistent, and it's fixable.
What we found
[Chart: the most common issues, by share of the businesses assessed]
[Chart: sectors we looked at]
What it means
None of these are exotic, nation-state problems. They're the basics — security headers, software updates, a privacy policy, email anti-spoofing — and the overwhelming majority of the businesses we assessed were missing at least one. Each is cheap to fix once you know it's there, and each is something a motivated attacker (or an automated bot) finds in minutes.
The privacy-policy gap matters twice over: it's a Data Protection Act (2021) compliance exposure as well as a trust signal. And the email anti-spoofing gap means a stranger can put the business's domain in the From: address of a phishing email and receiving mail servers have no published policy telling them to reject it, so the message reaches the business's own customers looking genuine.
What to do about it
- Add the core security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options). Turn on HSTS only once every page and subdomain already works over HTTPS, and roll out CSP in Content-Security-Policy-Report-Only mode first so a too-strict policy doesn't break your own site.
- Update your CMS, plugins, and server software — and keep them updated.
- Publish a privacy policy and make sure HTTP redirects to HTTPS.
- Publish an SPF record that lists your real senders and ends in -all, and a DMARC record at _dmarc.yourdomain; start DMARC at p=none to collect reports, then move to p=quarantine or p=reject once every legitimate sender is covered. Only then will receiving servers actually junk or reject mail that spoofs your domain.
- Get a passive assessment so you know exactly where you stand — it's free.
Methodology: passive assessment only — public DNS, certificate transparency, HTTP response headers, and open-source reconnaissance. No authentication, port scanning, or exploitation. Figures are aggregated and anonymised; no individual business is identified.
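A passive check for the items in the list above, written here as an added example (it is not the assessment team's tooling and does not reproduce the methodology's open-source reconnaissance): it takes the response headers of a site's HTTP and HTTPS front page plus the TXT records for the apex domain and for _dmarc.<domain>, the same public data the methodology note describes, and reports what is missing or weak. The two sample sites, their domain names and their header and record values are constructed for illustration, not taken from any assessed business.

```python
"""Passive posture check: HTTPS redirect, security headers, SPF, DMARC.

Added example, not the assessment team's code. Inputs are captured
response headers and DNS TXT records; the sample data at the bottom
is constructed.
"""
import re
from typing import Callable, Dict, List

# Headers every public site should send; the value checks are deliberately simple.
REQUIRED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: bool(v.strip()),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
}


def check_headers(headers: Dict[str, str]) -> List[str]:
    """One finding per missing or weakly valued security header (names are case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing header: {name}")
        elif not ok(lower[name]):
            findings.append(f"weak header value: {name}: {lower[name]}")
    return findings


def check_https_redirect(http_status: int, http_headers: Dict[str, str]) -> List[str]:
    """The plain-HTTP front page must answer with a redirect to an https:// URL."""
    location = {k.lower(): v for k, v in http_headers.items()}.get("location", "")
    if http_status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return []
    return ["http does not redirect to https"]


def check_spf(txt_records: List[str]) -> List[str]:
    """Exactly one v=spf1 record, ending in -all (softfail ~all is flagged, anything else fails)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (receivers treat this as a permanent error)"]
    last = spf[0].split()[-1].lower()
    if last == "-all":
        return []
    if last == "~all":
        return ["SPF ends in ~all (softfail); prefer -all once all senders are listed"]
    return [f"SPF does not end in -all/~all: {spf[0]}"]


def check_dmarc(dmarc_txt: List[str]) -> List[str]:
    """v=DMARC1 at _dmarc.<domain> with an enforcing policy (p=quarantine or p=reject)."""
    recs = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record"]
    # tag=value pairs separated by ';' e.g. "v=DMARC1; p=none; rua=mailto:..."
    tags = {k.lower(): v.strip() for k, v in re.findall(r"([A-Za-z]+)\s*=\s*([^;]+)", recs[0])}
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return []
    if policy == "none":
        return ["DMARC p=none: monitoring only, spoofed mail is still delivered"]
    return [f"DMARC record has no valid p= tag: {recs[0]}"]


def assess(site: dict) -> List[str]:
    """Run every passive check over one site's captured data and collect the findings."""
    findings: List[str] = []
    findings += check_https_redirect(site["http_status"], site["http_headers"])
    findings += check_headers(site["https_headers"])
    findings += check_spf(site["apex_txt"])
    findings += check_dmarc(site["dmarc_txt"])
    return findings


# Constructed sample: a typical "before" site showing the gaps in the write-up.
BEFORE = {
    "http_status": 200,  # serves the site over plain HTTP instead of redirecting
    "http_headers": {"Server": "Apache", "Content-Type": "text/html"},
    "https_headers": {"Server": "Apache", "Content-Type": "text/html",
                      "X-Frame-Options": "ALLOWALL"},  # not a valid restricting value
    "apex_txt": ["v=spf1 include:_spf.example.com +all"],  # +all lets any sender pass
    "dmarc_txt": [],  # no DMARC policy published at all
}

# Constructed sample: the same site after the fixes listed in the article.
AFTER = {
    "http_status": 301,
    "http_headers": {"Location": "https://www.example.com/"},
    "https_headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
    },
    "apex_txt": ["v=spf1 include:_spf.example.com -all"],
    "dmarc_txt": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
}

if __name__ == "__main__":
    for label, site in (("before", BEFORE), ("after", AFTER)):
        print(label, assess(site) or ["no findings"])
```

To run it against a real domain, capture the inputs with the same passive requests the methodology describes: `curl -sI http://example.com/` and `curl -sI https://example.com/` for the two header sets, and `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com` for the records, then fill a dict shaped like `BEFORE`.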