Nigerian Small and Medium-sized Enterprises (SMEs) stand at a critical crossroads. Currently accounting for approximately 96% of businesses and 84% of employment in the country (SMEDAN, 2022), they face an unprecedented surge in cyber threats while lacking the resources and expertise to defend themselves effectively (Falowo et al., 2022; Musabayana et al., 2023). This article summarises key findings and recommendations from a comprehensive report on cybersecurity risk management for Nigerian SMEs.
The Crisis in Numbers
The threat landscape has escalated dramatically in recent years. In the first quarter of 2025 alone, Nigeria recorded over 119,000 data breaches, ranking among the top ten countries globally for cyber incidents (Profiled Nigeria, 2025). The first half of 2025 saw 1.46 million cyber-attack attempts blocked, while 2024 witnessed a 150% surge in AI-driven attacks targeting Nigeria's financial sector (Deloitte, 2025). Compounding these concerns, more than 60 million Nigerian records have been discovered for sale on dark web marketplaces (CYFIRMA, 2025). The economic impact is staggering, with an estimated ₦288 billion ($800 million) drained annually from Nigeria's economy by cybercrime, while African businesses lose over $4 billion each year (Serianu, 2023).
Despite high levels of cybersecurity awareness, which stands at 89.8% according to recent research (Pereye et al., 2025), implementation of fundamental protective measures remains critically low. A comprehensive 2025 study conducted in Edo State revealed that only 9.1% of SMEs have received formal cybersecurity training, a mere 7.95% have written cybersecurity policies, and just 5.68% conduct regular risk assessments (Pereye et al., 2025). Over a third of SMEs, representing about 36.36%, have experienced at least one cybersecurity incident, with phishing identified as the most critical vulnerability by 89.8% of respondents (Pereye et al., 2025). This vulnerability stems from the absence of practical guidance, the lack of a simplified national cybersecurity baseline, and the dangerous misconception that small businesses are too insignificant to be targeted (Junior et al., 2023).
Why Nigerian SMEs are Targeted
A dangerous myth persists among many small business owners—the belief that their businesses are too small to attract the attention of cybercriminals. Research by Junior et al. (2023) found that this misconception is widespread and significantly contributes to inadequate defences. The reality, though, is fundamentally different. SMEs are deliberately targeted because they typically have weaker defences yet possess valuable data including customer information, financial records, and intellectual property (Kandpal et al., 2023). They also often serve as entry points to larger corporate partners through supply chain relationships, making them attractive targets for attackers seeking access to more secure organisations (Foli et al., 2022).
Several interconnected factors contribute to the vulnerability of Nigerian SMEs. Resource constraints, including limited financial and human capital, restrict investment in robust security measures (Junior et al., 2023). Many SMEs operate under tight budgets that force reliance on less effective, cost-constrained solutions rather than comprehensive security programmes. The cybersecurity literacy gap means many SME leaders and employees lack fundamental understanding of cyber threats and protective measures, creating exploitable human vulnerabilities that technical controls alone cannot address (Chaudhary et al., 2023). Infrastructure challenges compound these issues, as Nigerian businesses struggle with basic cybersecurity practices due to infrastructural limitations and limited access to affordable solutions (Ewuga et al., 2023). Nigeria's international reputation for cybercrime creates a paradoxical situation where legitimate SMEs face heightened international scrutiny while being targeted by sophisticated criminal networks operating both within and outside the country (Lazarus & Button, 2022).
Key Threat Vectors
Ransomware remains one of the most destructive threats facing Nigerian SMEs. This malicious software encrypts business data and demands payment for decryption keys, often crippling operations for weeks or months (VPN Alert, 2026). About 71% of Nigerian firms experienced ransomware attacks in 2021, significantly above the 66% global average (VPN Alert, 2026). The average recovery cost reached $3.43 million, representing a staggering 644% year-over-year increase (Nairametrics, 2023). According to research by Carias et al. (2020), the impact extends far beyond the ransom payment itself to include operational downtime, reputational damage, and substantial recovery costs that many small businesses struggle to absorb. SMEs are particularly vulnerable to these attacks because they frequently lack the backup systems and incident response capabilities that larger organisations maintain (Haastrecht et al., 2021).
Phishing attacks continue to evolve in sophistication and prevalence. These fraudulent emails, messages, or websites are designed to steal credentials or install malware, exploiting human psychology rather than technical vulnerabilities (Benjamin et al., 2024). Phishing attacks surged by 87% in 2022 and remain the most critical vulnerability identified by SMEs (Nairametrics, 2023). These attacks are particularly effective when employees lack security awareness training and cannot recognise the subtle indicators of fraudulent communications. Password-stealing malware, often delivered through trojans that capture login credentials for banking, email, and business systems, has seen detections more than double in recent years (Guardian Nigeria, 2022). These attacks specifically target SMEs because they often lack advanced threat detection capabilities and may not have implemented basic protections such as multi-factor authentication (Shojaifar & Fricker, 2023).
Insider threats, whether malicious or accidental, represent a significant and often overlooked threat vector. Security risks posed by employees, contractors, or business partners who have authorised access but use it maliciously or negligently can be particularly damaging due to the trusted nature of their access (Haastrecht et al., 2021). Whether through deliberate data theft or accidental exposure, insider incidents often evade traditional security controls designed to detect external threats. Remote Desktop Protocol attacks increased by 89% as remote work proliferated during the COVID-19 pandemic, with attacks targeting poorly secured remote access systems growing from 161,000 incidents to over 303,500 (Guardian Nigeria, 2022). SMEs adopting hybrid work models remain particularly vulnerable to these attacks.
The Governance Challenge
The belief that cybersecurity is fundamentally a technology problem solvable through the purchase and deployment of security software is another misconception plaguing the sector (Corradini, 2020). While technology is essential, research consistently demonstrates that the most significant vulnerabilities are organisational in nature, rooted in poor governance, unclear accountability, and ineffective communication rather than technical deficiencies alone (Sutton & Tompson, 2023).
Structural deficiencies in governance are widespread among Nigerian SMEs. For Nigerian SMEs, effective governance translates directly to positive business outcomes. It enhances customer trust by demonstrating that the organisation takes data protection seriously and improves operational resilience by ensuring that security considerations are integrated into business processes rather than treated as afterthoughts (Abdul-Azeez et al., 2024; Carias et al., 2020). It facilitates regulatory compliance with frameworks such as the Nigeria Data Protection Act, reducing legal and financial risks (Ardo et al., 2023). Unclear accountability represents perhaps the most fundamental governance deficiency, as without designated security officers or teams, responsibility for cybersecurity is diffused across the organisation or entirely unassigned (Neri et al., 2023). When incidents occur, there is no clear leader to coordinate response, make critical decisions, or communicate with stakeholders. This diffusion of responsibility leads to delayed responses, inconsistent security practices, and finger-pointing rather than problem-solving when incidents inevitably occur.
The reactive posture adopted by many businesses compounds these problems. Organisations operating in perpetual reactive mode address security only after breaches occur, focusing on immediate damage control rather than long-term prevention (Carias et al., 2020). This approach is both more costly and less effective than proactive risk management, yet it remains the default for many SMEs that lack the resources or expertise to implement preventive measures. The result is a vicious cycle where limited resources are consumed by incident response, leaving even fewer resources available for prevention, which in turn leads to more incidents.
Framework adoption barriers further complicate the governance landscape. International cybersecurity frameworks such as NIST, ISO 27001, and COBIT represent the gold standard for enterprise security governance (Özkan & Spruit, 2020). However, their complexity, resource requirements, and enterprise focus create significant adoption barriers for SMEs in developing economies (Perozzo et al., 2022). Business owners and managers faced with hundreds of pages of detailed controls and requirements often experience confusion, leading to ineffective implementation and, in many cases, complete abandonment of structured governance approaches.
The Risk Communication Challenge
The knowledge-action gap represents a persistent challenge in cybersecurity communication. Many awareness campaigns successfully impart knowledge about threats and protective measures, but this knowledge frequently fails to translate into consistent, secure behaviours (Khan & Muntaha, 2024). This gap persists because training content often lacks relevance to employees' actual work contexts, one-time sessions create only temporary awareness that quickly fades, technical jargon alienates non-technical staff, consequences seem abstract and unlikely, and secure behaviours are perceived as inconvenient impediments to productivity (Corradini, 2020).
Leadership involvement is the single most critical factor in bridging this gap. When senior management visibly prioritises security through their words and actions, employees perceive cybersecurity as organisationally important and adjust their behaviours accordingly (Antunes et al., 2022). Conversely, when leadership relegates security to an "IT problem" and demonstrates through their actions that security is secondary to other concerns, security initiatives suffer, regardless of how well they are designed or communicated.
Nigerian cultural factors add additional layers of complexity to risk communication. Effective communication must navigate the country's rich linguistic diversity, with employees speaking different languages and coming from different cultural backgrounds (Kori-Siakpere et al., 2024). Hierarchical organisational structures affect how information flows and who feels empowered to raise security concerns. Infrastructure constraints limit the communication channels available, particularly for SMEs operating outside major urban centres. Cultural communication norms, including preferences for oral rather than written communication and the importance of personal relationships in business contexts, must be understood and accommodated for security messages to resonate effectively (Iguodala-Cole, 2024).
Research Findings
A mixed-methods study combining quantitative surveys of 106 SME owners and employees with qualitative document analysis, following established research practices in cybersecurity studies (Cremer et al., 2022), revealed several critical insights about the current state of cybersecurity in Nigerian SMEs. Data collection was conducted through field surveys using questionnaires distributed to selected SMEs, with a total sample size consistent with comparable studies (Ogbeide et al., 2023).
The analysis revealed that communication and awareness efforts are currently limited, with a reliance on informal methods and infrequent updates (Ikuero & Zeng, 2022). Critically, 55% of respondents indicated that they use no method at all for cybersecurity communication, highlighting a fundamental gap in awareness efforts (Author's survey data, 2025). Among those who do communicate, emails and staff meetings predominate, while structured approaches such as dedicated programmes or intranet portals remain rare, with only 3% using intranet portals and 2% implementing dedicated programmes. Even when communication occurs, its infrequency impedes the development of a proactive cybersecurity culture where security considerations become embedded in daily operations.
The distribution of responses for communication effectiveness leans towards the lower end of the scale, with a median value of 3 out of 5 (Author's survey data, 2025). This indicates that current strategies are perceived as only moderately effective at best, with substantial room for improvement in how security information is conveyed and received (Pereye et al., 2025). Similar to communication effectiveness, the perceived effectiveness of governance structures is also skewed towards the lower end, with a median of three (Author's survey data, 2025). This suggests that employees and managers recognise significant gaps in how cybersecurity decisions are made and how accountability for security outcomes is assigned. The similarity between communication and governance effectiveness distributions suggests these two dimensions are closely linked, with deficiencies in one area often reflected in the other.
Approximately 55% of organisations have no formal cybersecurity awareness programmes or employee training, representing a critical deficiency in proactive risk mitigation (Author's survey data, 2025). This finding is consistent with research by Bada and Nurse (2019), who found that SME training programmes are often inadequate or non-existent across developing economies. The gap is particularly concerning given that formal training programmes were significantly associated with higher effectiveness scores in both communication and governance. Organisations with formal training report substantially higher effectiveness ratings for communication, with a mean of 3.8 compared to 2.9, and governance, with a mean of 3.7 compared to 2.8 (Author's survey data, 2025).
Cybersecurity decisions are predominantly made by IT departments in half of the surveyed organisations, with management making decisions in another third (Author's survey data, 2025). Limited involvement from dedicated cybersecurity personnel, representing only 16.7%, suggests a potential gap in specialised expertise, as those making security decisions may not have deep security knowledge (Neri et al., 2023). Only 33.3% of SMEs conduct regular risk assessments, implying that many lack a clear understanding of their cybersecurity risk profile (Author's survey data, 2025). The remaining organisations either assess occasionally (representing 41.7%) or never (representing 25.0%), meaning most cannot effectively prioritise security investments or identify emerging vulnerabilities before they are exploited (Sukumar et al., 2023).
Governance effectiveness was generally higher when risk assessments were conducted more frequently, underscoring the importance of assessment as a foundation for effective governance (Haastrecht et al., 2021). Communication effectiveness was also higher with more frequent communication, but the relationship was not strictly linear, indicating that frequency alone is not sufficient and that the quality and relevance of communication matter significantly (Corradini, 2020). Notably, there appears to be no significant correlation between the age of an organisation or its annual revenue and any of the cybersecurity practices examined (Author's analysis, 2025). This suggests that factors such as organisational culture, leadership commitment, and industry-specific risks play more significant roles than size or age alone, challenging the assumption that older or wealthier organisations are automatically more secure (Onumo et al., 2021).
A Phased Implementation Approach for SMEs
Every SME begins at a different maturity level, with different resources and risk profiles (Shojaifar & Järvinen, 2021). The following phased approach allows businesses to start with immediate, low-cost actions and progressively build capability over time. The goal should be steady progress, not perfection.
Phase 1: Foundation (0-3 Months)
In the first 30 days, SMEs should focus on foundational steps that require minimal investment but deliver significant risk reduction. Every organisation should designate a security point person, assigning cybersecurity responsibility to a specific individual even as a part-time duty added to existing roles (Neri et al., 2023). This person becomes the focal point for security decisions, incident response coordination, and liaison with external resources, establishing clear ownership as the first step toward accountability.
Multi-factor authentication should be implemented on all critical accounts, including email, banking, cloud services, and administrative access to business systems, as MFA prevents the vast majority of credential-based attacks even when passwords are compromised (CISA, 2023). Free tools like Google Authenticator make this protection accessible to all SMEs regardless of budget. Backup procedures should be established immediately, creating regular, automated backups of all critical business data stored separately from primary systems, ideally in cloud storage or offline media (CISA, 2023). Testing restoration procedures ensures that backups actually work when needed, making this single measure the most effective defence against ransomware and data loss. Basic awareness sessions should be conducted with all staff to discuss the most common threats facing the business, including phishing, password security, and mobile device safety (Bada & Nurse, 2019), with clear policies established such as never sharing passwords, verifying requests for money transfers by phone, and asking before clicking when in doubt about an email.
In the 30 to 90-day timeframe, core security policies should be developed that cover password requirements, acceptable use of company devices, data handling procedures, mobile device security, and incident reporting protocols (NIST, 2018). These policies should be simple and clear, written in plain language that all employees can understand, and distributed to everyone in the organisation. Before purchasing expensive security solutions, organisations should maximise the security features already available by activating tools such as Microsoft Defender, using free antivirus software, implementing free password managers, and enabling automatic security updates for all software, all of which can provide substantial protection at no additional cost (Shojaifar & Fricker, 2023). Self-assessment using free, simplified tools can also help organisations identify security gaps and prioritise remediation efforts, with the UK's Cyber Essentials scheme providing an accessible checklist that Nigerian SMEs can adapt to their context (NCSC, 2023).
Phase 2: Structure (3-12 Months)
Organisations should formalise their governance structure by clearly defining roles and responsibilities for security, establishing simplified governance frameworks based on NIST CSF principles, creating decision-making processes for security investments, and implementing regular reporting of security posture to leadership (Antunes et al., 2022). Structured training programmes should move beyond one-off awareness sessions to ongoing security education with quarterly refresher training, interactive methods, and multilingual delivery (Taherdoost, 2024). Training should be relevant to employees' actual work contexts and include practical exercises that build skills rather than just conveying information.
Regulatory compliance should be addressed by reviewing obligations under the Nigeria Data Protection Act 2023 and implementing baseline controls for compliance (Ardo et al., 2023). While full compliance may take time, understanding requirements and beginning implementation demonstrates commitment to data protection. Incident response plans should be created covering preparation, detection, containment, eradication, recovery, and post-incident review (Ikuero & Zeng, 2022), ensuring that when incidents occur, response is coordinated and effective rather than improvised under pressure. Cyber insurance options available in the Nigerian market should be investigated because, although insurance does not prevent attacks, it can provide critical financial support for recovery when prevention fails (Adriko & Nurse, 2024).
Phase 3: Maturity and Excellence (1+ Years)
Beyond one year, organisations should develop a continuous improvement culture through annual comprehensive security assessments, regular vulnerability scans and penetration testing, systematic review and updating of policies and procedures, staying informed about emerging threats, and participating in industry threat intelligence sharing (Carias et al., 2020). Advanced capabilities appropriate to organisational needs may include security information and event management systems, threat intelligence services, regular penetration testing by qualified professionals, and advanced employee testing including social engineering assessments (Saeed et al., 2023). Certification pursuit should be considered for organisations with appropriate needs, including ISO 27001 for internationally recognised information security management, sector-specific certifications such as PCI DSS for payment processing, and Nigerian national cybersecurity baseline certification when it becomes available (Alfaadhel et al., 2023).
Industry leadership represents the final stage of maturity, where organisations share lessons learned to help other SMEs, mentor less mature businesses in their supply chains, participate in the development of industry standards, and advocate for SME-supportive cybersecurity policies.
Cost-Effective Security
Research consistently shows that basic security hygiene prevents the majority of successful attacks (CISA, 2023). Nigerian SMEs can achieve substantial risk reduction with minimal investment by prioritising free or low-cost technical controls such as MFA, backups, and built-in security features. Behavioural and organisational measures, including training, policies, and accountability, as well as existing tools and platforms, can also be leveraged rather than purchasing new solutions (Shojaifar & Fricker, 2023). Collaborative approaches such as shared security services and industry partnerships are also worth exploring. The most expensive security breach is the one that could have been prevented by basic measures.
Policy Recommendations
While SMEs must take ownership of their security posture, market forces alone present significant challenges to solving the cybersecurity crisis facing Nigeria's SME sector (Ardo et al., 2023). The resource constraints, knowledge deficits, and systemic challenges that characterise this sector require strategic government intervention to create an enabling environment where SMEs can thrive securely (Ibrahim et al., 2024). Without such intervention, the gap between threat levels and SME capabilities will continue to widen with negative consequences for the entire economy.
Dedicated SME Cybersecurity Support Infrastructure
A dedicated SME Cybersecurity Support Office should be established within existing agencies such as SMEDAN, NITDA, or NDPC to serve as a central resource hub, coordination centre, knowledge repository, and help desk for SMEs seeking guidance, tools, and support (Oyedeji et al., 2024). This office would coordinate cybersecurity initiatives across government agencies, private sector organisations, and international partners, ensuring that efforts are aligned rather than fragmented. A comprehensive National SME Cybersecurity Toolkit should be developed and distributed, providing simplified risk assessment templates and policy and procedure templates for acceptable use, incident response, and data protection (NCSC, 2023). Training materials in multiple Nigerian languages, step-by-step implementation guides for foundational controls, directories of vetted affordable security service providers, and incident response playbooks should also be developed and made available.
National SME Cybersecurity and Regulatory Frameworks
Building on NITDA's existing cybersecurity initiatives, a Nigeria Cyber Essentials Framework should be created as a simplified, practical, technical baseline adapted to Nigerian SME contexts (NITDA, 2023). This framework should be accessible, providing plain-language guidance free of technical jargon that might alienate non-specialist readers. It should be affordable, emphasising low-cost and no-cost controls that SMEs can implement regardless of budget constraints. It should be tiered, offering multiple levels such as Bronze, Silver, and Gold that allow progressive maturity over time. It should also be certifiable, providing certification options including self-assessment and third-party verification to create market recognition for compliant businesses. It should be adaptable, offering sector-specific guidance for high-risk industries such as finance, healthcare, and education.
Additionally, the Nigeria Data Protection Commission should publish a comprehensive SME Compliance Handbook based on the Nigeria Data Protection Act 2023 that provides clear, actionable guidance tailored to SME contexts (NDPC, 2023), translating regulatory requirements into practical steps that small businesses can understand and implement. Proportionate, tiered compliance frameworks should recognise the diversity of the SME sector, with requirements scaled to organisational capacity and risk exposure (Ardo et al., 2023), ensuring that micro enterprises do not face the same compliance burden as medium enterprises. A support-first enforcement approach with appropriate grace periods should prioritise education and assistance over immediate penalties (Ikuero & Zeng, 2022), recognising that many SMEs want to comply but lack the knowledge and resources to do so. Punitive enforcement should be reserved for wilful negligence, repeat violations, or cases causing significant harm, creating a regulatory environment that encourages improvement rather than punishing inevitable initial gaps.
Economic Incentives
Tax incentives including credits for qualifying cybersecurity expenditures, accelerated depreciation of cybersecurity infrastructure investments, and enhanced deductions for employee cybersecurity training and certification would make security investments more affordable for cash-constrained SMEs (PwC, 2023). Grant and subsidy programmes including cybersecurity improvement grants with matched funding models, sector-specific programmes for high-priority sectors, and government co-funding of ISO 27001 or national baseline certification costs would directly address the resource constraints that prevent many SMEs from implementing adequate security (World Bank, 2022). Subsidised cyber insurance through partnerships with the insurance industry for SME-focused products, with government-subsidised premiums for businesses meeting national baseline requirements, would create market mechanisms that reward good security practices (Adriko & Nurse, 2024). Preferential government procurement requiring contractors to meet the national cybersecurity baseline would also create market incentives for certification while protecting government systems from supply chain risks.
Build National Cybersecurity Capacity
Cybersecurity awareness should be integrated into primary and secondary school curricula (NITDA, 2023). Cybersecurity tracks should be established in polytechnics and universities with accompanying support for faculty development and research capacity, building awareness and skills at all educational levels to create a pipeline of talent for the future while improving general cybersecurity literacy across the population. A national cybersecurity training centre providing affordable professional certifications including CISSP, CEH, and Security Plus, specialised SME security practitioner training, and train-the-trainer programmes would multiply the impact of training investments by building local capacity to deliver ongoing education (ISC2, 2023). Scholarship and retention programmes providing cybersecurity scholarships with service commitments to work in Nigeria, support for internationally recognised certifications, and competitive public sector cybersecurity career pathways would help retain talent that might otherwise seek opportunities abroad.
Policy Impact Potential
Research from comparable contexts suggests that comprehensive policy interventions combining regulation, economic incentives, capacity building, and public-private collaboration can achieve 40 to 60% improvement in SME cybersecurity posture within three to five years (ENISA, 2021). For Nigeria, this could translate to thousands of businesses better protected, billions of naira in avoided losses, and strengthened national economic security. The investment required to achieve these outcomes is modest compared to the economic costs of continued vulnerability and escalating losses.
Conclusion
There is a pressing need for Nigerian SMEs to enhance their cybersecurity risk communication and governance practices. The lack of formal training programmes, infrequent communication, and limited cybersecurity expertise documented in this research contribute directly to the heightened vulnerability that characterises the SME sector (Pereye et al., 2025; Benjamin et al., 2024). Addressing these challenges requires a proactive approach that prioritises regular risk assessments, diverse communication strategies, tailored training programmes, and the establishment of robust cybersecurity governance structures.
By adopting the phased framework and implementing the recommendations outlined, Nigerian SMEs can cultivate a proactive cybersecurity culture that empowers employees at all levels to identify and mitigate risks effectively (Corradini, 2020; Carias et al., 2020). The path forward is clear, but it requires commitment from business owners, support from government, and collaboration across the entire business community. Securing Nigeria's SME sector is not merely a business imperative but a matter of economic and national security (Ibrahim et al., 2024). A collaborative, multi-stakeholder approach can transform Nigeria's cybersecurity posture from a position of vulnerability into a competitive advantage in the global digital economy. This vision is achievable with commitment, investment, and sustained effort from all stakeholders, with the alternative of continued vulnerability and escalating losses being far costlier.
References
Abdul-Azeez, O., Ihechere, A. O., & Idemudia, C. (2024). Digital access and inclusion for SMEs in the financial services industry through Cybersecurity GRC. Finance & Accounting Research Journal, 6(7), 1134-1156.
Adriko, R., & Nurse, J. R. C. (2024). Cybersecurity, cyber insurance and small-to-medium-sized enterprises: A systematic Review. Information & Computer Security.
Akpan, I. J., Udoh, E. E., & Adebisi, B. (2020). Small business awareness and adoption of state-of-the-art technologies in emerging and developing markets. Journal of Small Business & Entrepreneurship, 34(2), 123-140.
Alfaadhel, A., Almomani, I., & Ahmed, M. (2023). Risk-Based Cybersecurity Compliance Assessment System (RC2AS). Applied Sciences, 13(10), 6145.
Antunes, M., Maximiano, M., & Gomes, R. (2022). A Client-Centered Information Security and Cybersecurity Auditing Framework. Applied Sciences, 12(9), 4102.
Ardo, A. A., Bass, J. M., & Gaber, T. (2023). Implications of regulatory policy for building secure agile software in Nigeria. The Electronic Journal of Information Systems in Developing Countries, 89(6), e12285.
Bada, M., & Nurse, J. R. C. (2019). Developing cybersecurity education and awareness programmes for small and medium-sized enterprises. Information & Computer Security, 27(3), 393-410.
Benjamin, L. B., Adegbola, A. E., Amajuoyi, P., Adegbola, M. D., & Adeusi, K. B. (2024). Digital transformation in SMEs: Identifying cybersecurity risks and developing effective mitigation strategies. Global Journal of Engineering and Technology Advances, 19(2), 134-153.
Carias, J. F., Borges, M. R. S., Labaka, L., Arrizabalaga, S., & Hernantes, J. (2020). Systematic Approach to Cyber Resilience Operationalization in SMEs. IEEE Access, 8, 174200-174221.
Chaudhary, S., Gkioulos, V., & Katsikas, S. (2023). A quest for research and knowledge gaps in cybersecurity awareness for small and medium-sized enterprises. Computer Science Review, 50, 100592.
CISA. (2023). Cyber Essentials Toolkit. Cybersecurity and Infrastructure Security Agency.
Corradini, I. (2020). Building a cybersecurity culture. In I. Corradini, Building a Cybersecurity Culture in Organizations (pp. 63-86). Springer.
Cremer, F., Sheehan, B., Fortmann, M., Kia, A. N., Mullins, M., Murphy, F., & Materne, S. (2022). Cyber risk and cybersecurity: A systematic review of data availability. The Geneva Papers on Risk and Insurance, 47(3), 698-736.
CYFIRMA. (2025). Dark web monitoring report: Nigerian data exposure. CYFIRMA Research.
Deloitte. (2025). Financial services cybersecurity outlook: Africa region. Deloitte Insights.
ENISA. (2021). Cybersecurity for SMEs: Challenges and recommendations. European Union Agency for Cybersecurity.
Ewuga, S. K., Egieya, Z. E., Omotosho, A., & Adegbite, A. O. (2023). Comparative review of technology integration in SMEs: A tale of two economies. Engineering Science & Technology Journal, 4(6), 555-570.
Falowo, O. I., Popoola, S., Riep, J., Adewopo, V. A., & Koch, J. (2022). Threat actors' tenacity to disrupt: Examination of major cybersecurity incidents. IEEE Access, 10, 134038-134051.
Foli, S., Durst, S., Davies, L., & Temel, S. (2022). Supply Chain Risk Management in Young and Mature SMEs. Journal of Risk and Financial Management, 15(8), 328.
Guardian Nigeria. (2022, July 11). Cyber attack on Nigerian SMEs up by 89% in 2022. The Guardian.
Haastrecht, M., Sarhan, I., Shojaifar, A., Baumgartner, L., Mallouli, W., & Spruit, M. (2021). A threat-based cybersecurity risk assessment approach addressing SME needs. Proceedings of the 16th International Conference on Availability, Reliability and Security, 1-12.
Ibrahim, Y. A., Ishaya, A. O., Yusuf, M., Nancy, I., Bijik, H. A., & Aiyedogbon, S. F. (2024). Cybersecurity and Cybercrimes in Nigeria: An Overview of Challenges and Prospects. 2024 International Conference on Science, Engineering and Business, 1-7.
Iguodala-Cole, H. I. (2024). Navigating Cultural Norms and Sustainable Development in the Nigerian Workplace. The Nigerian Journal of Sociology and Anthropology, 22(1), 52-74.
Ikuero, F. E., & Zeng, W. (2022). Improving cybersecurity incidents reporting in Nigeria: Micro and small enterprises perspectives. Nigerian Journal of Technology, 41(3), 512-520.
ISC2. (2023). Cybersecurity workforce study. International Information System Security Certification Consortium.
Junior, C. R., Becker, I., & Johnson, S. (2023). Unaware, unfunded and uneducated: A systematic review of SME cybersecurity. arXiv preprint.
Kandpal, S., Bhatt, S., Mohan, L., Patwal, A., & Kumar, P. (2023). Cyber Security Implementation Issues in Small to Medium-sized Enterprises. 2023 14th International Conference on Computing Communication and Networking Technologies, 1-5.
Khan, M. H., & Muntaha, S. T. (2024). Evaluating the effectiveness of cybersecurity awareness programs in reducing phishing attacks. World Journal of Advanced Research and Reviews, 23(2), 1663-1673.
Kori-Siakpere, U., Gokeme, O., Omale, R. O., Aniah, A. R., Ojukwu, P. M., & Okache, M. O. (2024). The Impact of Linguistic Diversity on Intercultural Communication in Nigerian Organizations. Journal of Innovative Research, 2(2), 25-33.
Lazarus, S., & Button, M. (2022). Tweets and reactions: Revealing the geographies of cybercrime perpetrators and the North-South divide. Cyberpsychology, Behavior, and Social Networking, 25(8), 504-511.
Musabayana, G. T., Mutambara, E., & Ngwenya, T. (2023). Establishment of a Zimbabwe National SME sector. Journal of Innovation and Entrepreneurship, 12(1), 65.
Nairametrics. (2023, July 12). SMEs in Nigeria were major victims of cyber-attacks in 2022. Nairametrics.
NCSC. (2023). Cyber Essentials: Requirements for IT infrastructure. National Cyber Security Centre.
NDPC. (2023). Nigeria Data Protection Act 2023: Implementation guidance. Nigeria Data Protection Commission.
Neri, M., Niccolini, F., & Martino, L. (2024). Organizational cybersecurity readiness in the ICT sector. Information & Computer Security, 32(1), 38-52.
NIST. (2018). Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology.
NITDA. (2023). National Cybersecurity Policy and Strategy. National Information Technology Development Agency.
Ogbeide, V. O., Omorogiuwa, O., & Salami, E. E. (2023). An empirical survey to substantiate the need for a cyber security framework for SMEs in Nigeria. International Journal of Research Publications, 128(1).
Okundaye, K., Fan, S. K., & Dwyer, R. J. (2019). Impact of information and communication technology in Nigerian small-to medium-sized enterprises. Journal of Economics, Finance and Administrative Science, 24(47), 29-46.
Onumo, A., Ullah-Awan, I., & Cullen, A. (2021). Assessing the Moderating Effect of Security Technologies on Employees Compliance. ACM Transactions on Management Information Systems, 12(2), 1-29.
Oyedeji, O. C., Moronkunbi, M. A., Victor, A. A., & Victor, P. O. (2024). Assessing the Efficiency of Contemporary Cybersecurity Protocols in Nigeria. International Journal of Latest Technology in Engineering Management & Applied Science, 13(7), 52-58.
Özkan, B. Y., & Spruit, M. (2020). Cybersecurity Standardisation for SMEs: The Stakeholders' Perspectives. In Research Anthology on Artificial Intelligence Applications in Security (pp. 1252-1278). IGI Global.
Pereye, A., et al. (2025). Cybersecurity awareness and practices among small and medium-sized enterprises (SMEs) in Edo State, Nigeria. International Journal of Scientific Research and Analysis, 2(4), 81-95.
Perozzo, H., Zaghloul, F., & Ravarini, A. (2022). CyberSecurity Readiness: A Model for SMEs based on the Socio-Technical Perspective. Complex Systems Informatics and Modeling Quarterly, 33, 53-66.
Profiled Nigeria. (2025). Q1 2025 Cybersecurity Threat Report. Profiled Nigeria Research.
PwC. (2023). Global Digital Trust Insights Survey. PricewaterhouseCoopers.
Reis, O., Oliha, J. S., Osasona, F., & Obi, O. C. (2024). Cybersecurity dynamics in Nigerian banking: Trends and strategies review. Computer Science & IT Research Journal, 5(2), 336-364.
Saeed, S., Suayyid, S. A., Al-Ghamdi, M. S., Al-Muhaisen, H., & Almuhaideb, A. M. (2023). A Systematic Literature Review on Cyber Threat Intelligence. Sensors, 23(16), 7273.
Serianu. (2023). Africa Cybersecurity Report. Serianu Limited.
Shojaifar, A., & Fricker, S. A. (2023). Design and evaluation of a self-paced cybersecurity tool. Information & Computer Security, 31(2), 244-262.
Shojaifar, A., & Järvinen, H. (2021). Classifying SMEs for Approaching Cybersecurity Competence and Awareness. Proceedings of the 16th International Conference on Availability, Reliability and Security, 1-7.
SMEDAN. (2022). National Survey of Micro, Small and Medium Enterprises. Small and Medium Enterprises Development Agency of Nigeria.
Sukumar, A., Mahdiraji, H. A., & Jafari-Sadeghi, V. (2023). Cyber risk assessment in small and medium-sized enterprises: A multilevel decision-making approach. Risk Analysis, 43(10), 2082-2098.
Sutton, A., & Tompson, L. (2023). Towards a Cybersecurity Culture-Behaviour Framework: A Rapid Evidence Review.
Taherdoost, H. (2024). Towards an Innovative Model for Cybersecurity Awareness Training. Information, 15(9), 512.
VPN Alert. (2026). Ransomware statistics and trends for Nigeria. VPN Alert Research.
World Bank. (2022). Digital Development Partnership Annual Report. World Bank Group.
About the Author
Terdoofan Agber is a Digital Policy and Cyber Resilience professional dedicated to securing Africa's digital future. With experience spanning mission-critical support for the Nigerian Air Force to engineering global intelligence systems at GASA and Gogolook, she is a leading voice for socio-cognitive security. She argues that effective cyber policies must root themselves in local contexts, languages and indigenous knowledge, rather than remaining abstract technical requirements. A rising figure in Nigeria's digital diplomacy, she works at the intersection of anti-scam intelligence and data governance, ensuring global standards are harmonised with African socio-technical realities.
This article is based on the full report - Cyber Risk Management Insights for Nigerian SMEs: Practical Strategies for Risk Communication and Governance (March 2026). Full references and detailed research methodology are available in the complete document.