Why Nigerian businesses are in the crosshairs right now
Cyberattacks on Nigerian financial institutions surged 153% from 2020 to 2024. In Q3 2022 alone, data breaches jumped 1,616%, reaching 608,765 incidents in a single quarter. Nigeria now ranks among the global top 20 for cybercrime complaints. For a data-driven analysis of why these attacks are escalating, see our article on why Nigerian fintechs are prime targets.
Why SMEs are the softest targets
Businesses with under 200 employees lose an average of $2.5 million per incident. Limited staff awareness, weak password practices, and no incident response plan create the exact entry points that phishing and ransomware campaigns exploit. For a broader analysis of these vulnerability patterns, see top security vulnerabilities facing Nigerian companies.
Steps 1-3: People
1. Run phishing awareness training that actually sticks
Phishing causes approximately 90% of data breaches in Nigeria, making employee awareness the single most cost-effective defence. Effective programmes combine regular simulated phishing tests, real examples of business email compromise scams, and clear escalation protocols that staff know to follow. Training programs for small teams can start from as little as ₦100,000 annually.
2. Set a password policy that has teeth
A solid password policy based on NIST standards requires a strong character minimum, prohibits password reuse, and sets a regular expiry schedule. Pair it with a password manager like Bitwarden (free) or 1Password. Fixing weak passwords costs nothing beyond a policy document and a short staff briefing.
3. Enable MFA on every business account
MFA is the single control that most dramatically reduces account takeover risk. Google Authenticator and Microsoft Authenticator are both free and can typically be deployed across a small team in one to two weeks. There is no technical reason any Nigerian SME should be running business email or accounting software without MFA.
Steps 4-5: Network and endpoint security
4. Secure your Wi-Fi, firewall, and office network
Separate staff and guest networks, disable remote router access, enable WPA3 encryption, and install a firewall. For budget-conscious businesses, open-source options like pfSense or OPNsense deliver genuine perimeter protection at hardware-only cost. Remote workers should connect through a VPN.
5. Patch devices and protect every endpoint
Apply critical patches immediately, update operating systems and browsers on a weekly cycle, and schedule all other software monthly. Pair this with endpoint antivirus on every device, and address bring-your-own-device risk directly. For an engineering-level checklist covering these technical controls in fintech environments, see our fintech security checklist.
Steps 6-7: Data access and backups
6. Implement least-privilege access control
Define access by role. Audit who currently has access to what, revoke unused accounts (especially for former employees), and restrict admin privileges. This least-privilege principle limits the blast radius of any breach and directly supports your compliance obligations under the NDPA 2023.
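The audit this step describes, as an added worked example (not code from the original article): it takes an account export and returns the accounts to revoke (former employees and idle logins) and the admin rights to strip. The account records, the 90-day idle threshold and the `it_admin` role are constructed assumptions; a real run would use the export from your identity provider or each tool's admin console.

```python
"""Least-privilege access audit for a small team (added example).

Flags accounts to revoke (former employees, idle logins) and accounts
whose admin rights their role does not justify.
"""
from datetime import date, timedelta

# Assumed policy values for this example.
INACTIVE_DAYS = 90            # no login in 90 days counts as an unused account
ADMIN_ROLES = {"it_admin"}    # only roles that genuinely need admin rights

# Constructed sample export: one record per account.
ACCOUNTS = [
    {"user": "ada@example.ng",   "role": "it_admin", "is_admin": True,
     "employed": True,  "last_login": "2024-05-20"},
    {"user": "bola@example.ng",  "role": "sales",    "is_admin": True,
     "employed": True,  "last_login": "2024-05-18"},
    {"user": "chidi@example.ng", "role": "finance",  "is_admin": False,
     "employed": False, "last_login": "2024-01-10"},   # left the company
    {"user": "dayo@example.ng",  "role": "ops",      "is_admin": False,
     "employed": True,  "last_login": "2023-11-02"},   # idle for months
    {"user": "efe@example.ng",   "role": "ops",      "is_admin": False,
     "employed": True,  "last_login": "2024-05-21"},
]


def audit(accounts, today_iso):
    """Return (revoke, demote) lists of usernames.

    revoke: former employees and accounts idle longer than INACTIVE_DAYS,
            which should be disabled outright to shrink the blast radius.
    demote: active accounts holding admin rights their role does not need.
    """
    cutoff = date.fromisoformat(today_iso) - timedelta(days=INACTIVE_DAYS)
    revoke, demote = [], []
    for acct in accounts:
        last_login = date.fromisoformat(acct["last_login"])
        if not acct["employed"] or last_login < cutoff:
            revoke.append(acct["user"])
        elif acct["is_admin"] and acct["role"] not in ADMIN_ROLES:
            demote.append(acct["user"])
    return revoke, demote


if __name__ == "__main__":
    to_revoke, to_demote = audit(ACCOUNTS, "2024-05-22")
    print("Revoke:", to_revoke)
    print("Remove admin rights from:", to_demote)
```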
7. Build a backup plan that actually works
The 3-2-1 backup rule: three copies of your data, on two different media types, with one stored offsite or in the cloud. A backup you never test is a backup you can't trust. Schedule monthly restore tests. Cloud backup costs for small teams typically run between ₦100,000 and ₦500,000 annually.
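The 3-2-1 check and the restore test from this step, as an added example (not code from the original article). The backup inventory is constructed: the primary copy counts as one of the three, and the offsite cloud copy is deliberately truncated so the restore test shows why "passes 3-2-1 on paper" is not the same as "restorable". In a real run the `content` field would be the bytes actually pulled back from each location.

```python
"""3-2-1 backup check plus a restore test (added example).

A restore test here means: fetch the copy, hash it, and compare with the
hash recorded when the backup was taken.
"""
import hashlib

# Constructed production data and the hash recorded at backup time.
CUSTOMER_DB = b"customer ledger 2024-05: invoices, receipts, contacts"
EXPECTED_HASH = hashlib.sha256(CUSTOMER_DB).hexdigest()

# Constructed inventory. 'media' and 'offsite' are what the 3-2-1 rule
# cares about; 'content' stands in for the bytes restored from that copy.
BACKUPS = [
    {"name": "office-server (primary)", "media": "disk",
     "offsite": False, "content": CUSTOMER_DB},
    {"name": "office-nas", "media": "disk",
     "offsite": False, "content": CUSTOMER_DB},
    {"name": "cloud-bucket", "media": "cloud",
     "offsite": True, "content": CUSTOMER_DB[:-1]},   # silently truncated
]


def check_321(backups):
    """Evaluate the three conditions: 3 copies, 2 media types, 1 offsite."""
    return {
        "three_copies": len(backups) >= 3,
        "two_media": len({b["media"] for b in backups}) >= 2,
        "one_offsite": any(b["offsite"] for b in backups),
    }


def restore_test(backups, expected_hash):
    """Simulate the monthly restore test; return names of copies that fail."""
    failed = []
    for b in backups:
        restored = b["content"]   # in practice: download or mount the copy
        if hashlib.sha256(restored).hexdigest() != expected_hash:
            failed.append(b["name"])
    return failed


def backup_is_trustworthy(backups, expected_hash):
    """True only if 3-2-1 holds AND every copy restores intact."""
    return all(check_321(backups).values()) and not restore_test(backups, expected_hash)


if __name__ == "__main__":
    print("3-2-1:", check_321(BACKUPS))
    print("Failed restores:", restore_test(BACKUPS, EXPECTED_HASH))
    print("Trustworthy:", backup_is_trustworthy(BACKUPS, EXPECTED_HASH))
```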
Steps 8-10: Incident response, vendor risk, and compliance
8. Create a basic incident response plan
Answer four practical questions: who do you call first, how do you contain the damage, what do you communicate to affected customers, and how do you report the breach to regulators? Under Nigeria's NDPA 2023, businesses must notify the NDPC within 72 hours of a confirmed breach. For guidance on building your response plan, see our guide on what to do after a breach.
9. Manage the security risk from third-party vendors
Ask whether vendors encrypt data in transit and at rest, carry cyber insurance, demonstrate NDPA compliance, and have experienced recent breaches. Make vendor security reviews an annual process, not a one-time exercise at onboarding.
10. Stay compliant and review your posture regularly
The NDPA 2023 imposes explicit data protection and risk assessment duties. Fines for non-compliance can reach ₦10 million. Build a quarterly review into your calendar. For a practical deep-dive into these requirements, see our NDPR data privacy checklist for fintechs.
When expert help makes more sense
A qualified local cybersecurity partner can accelerate implementation, handle technical configuration, and build staff training programmes that change behaviour. If your business processes customer payments or operates in a regulated sector, working with an expert is the most efficient path. Our vulnerability assessment and penetration testing services are built for this exact situation.
Pick one section and act on it
Start with MFA on your email accounts. It takes an afternoon and immediately closes one of the most common attack vectors. Each step you complete makes your business meaningfully harder to attack.
Related reading
Blog: How to protect your business from hackers and data breaches · Why Nigerian fintechs are prime targets · Top security vulnerabilities facing Nigerian companies
Guides: Fintech security checklist · After a breach · NDPR/NDPA compliance
Services: Vulnerability assessment · Penetration testing
Frequently asked questions
What is the most important cybersecurity step for a Nigerian SME?
Enable multi-factor authentication (MFA) on every business account. It's free, takes an afternoon, and immediately closes one of the most common attack vectors. Pair it with a strong password policy and a password manager like Bitwarden.
How much does cybersecurity cost for a small Nigerian business?
The baseline controls (MFA, a password policy, and staff training) cost nothing beyond time. Endpoint protection runs ₦50,000-₦150,000 per year for a small team. Cloud backups start around ₦100,000-₦500,000 annually depending on data volume.
What are Nigeria's data breach notification requirements?
Under the NDPA 2023, businesses must notify the Nigeria Data Protection Commission within 72 hours of a confirmed breach. Under the Cybercrimes Act, incidents must be reported to ngCERT within seven days. Both obligations apply simultaneously.