The Cybersecurity Threats for Businesses, And What to Do About Them
- Ononkwa Egan
- 2 days ago

Let's start with something that most cybersecurity articles don't say clearly enough: the businesses getting attacked right now are not the ones that were obviously careless. Many of them had antivirus software. Some had IT teams. A few had dedicated security budgets. They got hit anyway, because the threat landscape has changed faster than most organisations' defences have adapted, and because the attackers have become genuinely sophisticated in ways that make old assumptions about what "secure enough" means dangerously outdated.
Global cybercrime is projected to cost over $10.5 trillion annually by 2026. To put that number in context: it exceeds the GDP of every country in the world except the United States and China. It is larger than the global trade in illegal drugs. It is the most significant economic transfer of wealth in human history, and most of it happens not through dramatic Hollywood-style hacking scenes but through mundane, systematic exploitation of human mistakes, software vulnerabilities, and organisational gaps that businesses haven't yet fixed. The reality is that cybersecurity threats for businesses are no longer theoretical; they are already impacting companies daily, including thousands of businesses across Nigeria.
For Nigerian businesses specifically, the numbers are stark in a different way. Nigerian organisations face over 4,000 cyberattacks weekly, the highest rate anywhere in Africa. This isn't because Nigerian businesses are uniquely careless. It's because Nigeria has rapidly digitised significant economic activity, while cybersecurity infrastructure and awareness have lagged significantly behind. That gap is an opportunity that attackers are exploiting systematically and aggressively.
The purpose of this piece isn't to frighten you into paralysis. It's to give you a clear, honest understanding of what you're actually facing: the specific threats, how they work in practice, why they're effective, and what concrete steps you can take to make your business meaningfully harder to attack. Let's go through all of it properly.
Cybersecurity Threats for Businesses: Ransomware and What It Means for You

There is a particular cruelty to ransomware that makes it different from most other cybersecurity threats. It doesn't just steal from you quietly. It announces itself loudly, usually on a Monday morning when the first person to arrive at the office discovers that every file on every computer is encrypted, the servers are locked, and a message on screen explains that you have 72 hours to pay a specified amount in cryptocurrency to receive the decryption key. If you don't pay, the data will be published publicly or sold to competitors.
The businesses that have gone through this describe it as one of the most traumatic experiences in their professional lives, worse, in some ways, than physical robbery, because the violation is invisible until the damage is complete, and the recovery process can take weeks or months, even in the best-case scenario.
Understanding how ransomware actually works, not at a technical level, but at a conceptual level, is the foundation of defending against it effectively.
The entry point for most ransomware attacks is embarrassingly mundane. Someone clicks a link in an email. Someone opens an attachment that looks legitimate. Someone uses a password that was leaked in a previous data breach on a system that didn't require two-factor authentication. Someone remotes into the company's systems using a poorly secured remote desktop connection.
Sophisticated ransomware groups don't typically launch their encryption payload immediately after gaining initial access. They spend time (days, weeks, sometimes months) moving laterally through the victim's systems, escalating their privileges, mapping the network, and most importantly, identifying and either deleting or encrypting the backups. This is the move that turns ransomware from a serious inconvenience into a business-ending crisis: by the time the encryption notice appears, the attackers have already ensured that your recovery options are compromised.
The evolution to triple extortion has made the calculus even more brutal. In the original ransomware model, the threat was simply: pay us or lose your data. As organisations became better at maintaining offline backups, attackers adapted. Now the standard playbook is to encrypt your operational data, steal a copy of your most sensitive data (customer records, financial information, employee data, trade secrets), and threaten to publish or sell that data even if you recover from your backups. This means that even organisations with perfect backup hygiene face extortion pressure, because the data exposure liability exists independently of whether they can restore operations.
Over 50% of ransomware costs fall on small and medium-sized businesses. This isn't because attackers particularly prefer SMEs; it's because SMEs typically have less security infrastructure, less incident response capability, and often more at stake proportionally from an extended operational shutdown. A large enterprise can absorb a week of disruption and the associated costs; a small business often cannot.
1.2 What makes Nigerian businesses particularly exposed
Several characteristics of the Nigerian business environment create specific ransomware vulnerabilities.
Remote desktop protocol (RDP) exposure is widespread. Many Nigerian businesses implemented remote access capabilities rapidly during and after COVID, often without the security controls (VPN requirements, network-level authentication, and IP whitelisting) that make RDP reasonably safe. RDP exposure is one of the primary initial access vectors for ransomware groups globally.
Unpatched systems are common. Maintaining current software patches requires both organisational discipline and, sometimes, licensed software. In an environment where software piracy is prevalent, pirated software typically doesn't receive security updates, creating persistent vulnerabilities that attackers exploit routinely.
Password hygiene is poor across most organisations. Weak passwords, password reuse across multiple systems, and the absence of multi-factor authentication mean that credential-based attacks, using passwords stolen in previous breaches or obtained through phishing, are highly effective.
Backup practices are often inadequate. Many businesses that believe they have backups discover, at the worst possible moment, that their backups haven't been running reliably, aren't stored in a way that protects them from the same attack that hit the primary systems, or haven't been tested recently enough to confirm they actually work.
1.3 Building genuine resilience against ransomware
The air-gapped backup concept is central to ransomware resilience and worth understanding clearly. An air-gapped backup is physically disconnected from your network: either an offline drive that is connected only during backup runs and then physically removed, or a cloud backup service that uses write-once storage that cannot be overwritten or deleted even by someone with administrative credentials. The principle is simple: if your backup can be reached by an attacker who has compromised your network, it can be encrypted or deleted. If it genuinely cannot be reached, it survives the attack and enables recovery.
Endpoint Detection and Response (EDR) tools represent a significant improvement over traditional antivirus software. Where antivirus works by matching files against a database of known malicious software, EDR monitors behaviour (what processes are doing, how they're interacting with the file system, what network connections they're making) and flags anomalous activity that might indicate an attack in progress. This behavioural approach means EDR can detect novel ransomware variants that antivirus software would miss, and can sometimes catch an attack early enough to contain the damage before encryption completes.
The zero-trust security model is a broader architectural principle rather than a specific product. It starts from the assumption that no user, device, or system should be trusted by default, even those inside your network perimeter. Every access request must be authenticated, every connection must be authorised, and privileges must be limited to exactly what is needed for the specific task. This makes lateral movement, the attacker's technique of using one compromised system to access others, significantly more difficult, because compromising one account or device doesn't automatically grant access to everything else.
AI-Powered Phishing and Deepfakes: When You Can't Trust What You See and Hear

Phishing has existed as long as the internet has. The classic form, an email pretending to be from a bank, asking you to click a link and enter your login credentials, is so well-known that most people feel confident they would recognise it. And they would, because classic phishing is genuinely obvious to anyone paying attention. Poor grammar. Generic greeting. Suspicious link. Easy to spot.
The reason phishing remains the most successful initial attack vector in the world, responsible for the majority of data breaches globally, isn't that the classic form is particularly deceptive. It's that the classic form has evolved into something fundamentally different, and most people's defences haven't evolved with it.
2.1 What AI-powered phishing actually looks like
Imagine receiving an email that appears to be from your CEO. The email address matches exactly. The writing style matches how your CEO actually writes, the specific phrases they use, the level of formality, and the way they structure requests. The email references a specific deal that was discussed in last week's board meeting. It asks you to urgently process a payment to a new supplier, explaining that the normal approval process is being bypassed because the deal needs to close today.
This is a spear phishing attack, and every element of it (the personalised writing style, the contextual detail, the urgency, the bypass of normal controls) is now achievable at scale using AI tools that aggregate publicly available information about individuals and organisations, learn writing styles from email archives, and generate convincing, contextually appropriate fake communications automatically.
The deepfake dimension adds another layer entirely. Audio deepfakes, synthetic voice recordings that sound indistinguishable from a real person, are now achievable with just a few minutes of sample audio, which, for any public-facing executive or business owner, is trivially easy to obtain. A finance team that receives what sounds like a phone call from the CEO asking them to process an urgent international transfer, followed by a confirming email, is facing a multi-channel attack that is genuinely difficult to detect in the moment.
Video deepfakes are more resource-intensive but increasingly accessible. There have been documented cases of video conference fraud, where an employee joins what they believe is a call with a colleague or executive, and everyone they're seeing on screen is deepfake-generated, resulting in significant financial transfers.
In Nigeria's financial sector, where Business Email Compromise (BEC) attacks have long been a significant threat, the AI enhancement of these attacks represents a qualitative escalation. BEC attacks already cost billions annually globally. AI-powered BEC, more personalised, more contextually accurate, faster to deploy, and more difficult to detect, represents a significant increase in the threat level.
2.2 Why human training is necessary but not sufficient
The standard response to phishing threats is employee training, teaching people to look for suspicious indicators, to verify unusual requests through alternative channels, and to be sceptical of urgency. This training is genuinely valuable and should be a baseline requirement for every business.
But it's important to understand its limitations in the AI-powered phishing era. Training people to spot classic phishing indicators (poor grammar, mismatched email domains, and suspicious links) doesn't help much when the phishing email is grammatically perfect, the email domain is genuinely correct, and the link goes to a convincing replica of a legitimate website. The cognitive load of maintaining constant scepticism about every communication is unrealistic to sustain, and attackers specifically target moments when attention is divided and pressure is high.
This means that technical controls need to exist alongside human training rather than relying on human vigilance alone: AI-powered email security that analyses patterns beyond simple signature matching, behavioural analytics that flag unusual transaction requests or access patterns, and multi-person approval requirements for high-risk actions like large financial transfers.
The process control that is most effective against BEC and deepfake attacks is simple but must be consistently enforced: any instruction to transfer money or change payment details received via email or phone must be verified through a separately established contact method. That means not replying to the email and not calling back a number provided in the email, but calling a number that was established before the attack began. This verification step, applied without exception regardless of the apparent urgency or authority of the request, stops the majority of BEC attacks dead.
2.3 Building AI-powered defences against AI-powered attacks
The asymmetry of the current threat landscape, where attackers are using AI to scale and improve their attacks while many defenders are still using rule-based tools, is a significant vulnerability that forward-thinking businesses are addressing by deploying AI-powered security tools on the defensive side.
AI-powered email security tools go beyond spam filtering to analyse the full context of each email (the relationship between sender and recipient, the typical communication patterns, the content of the email, the links and attachments it contains) and assign risk scores that reflect genuine threat probability rather than simple keyword matching. Tools like this catch sophisticated spear phishing that would sail past traditional filters.
Behavioural analytics, applied both to email and to network activity more broadly, establishes baselines for normal behaviour and flags deviations that might indicate compromise. An employee whose account suddenly accesses a large number of files it has never accessed before, or who logs in from an unusual location, or who initiates an unusual financial transaction, triggers an alert that enables investigation before significant damage occurs.
Supply Chain Attacks: The Threat That Comes Through Your Trusted Partners

There's a particular elegance, from the attacker's perspective, to supply chain attacks, and understanding that elegance helps explain why they've become so prevalent and so difficult to defend against.
The fundamental insight is simple: the most secure door is often not the front door of the organisation you want to attack, but the service entrance used by a trusted supplier. Every business relies on third-party software, services, and vendors. Those third parties have access to your systems, your data, and your infrastructure, so that they can do their job. If an attacker can compromise the third party rather than attacking you directly, they inherit that access along with all the trust that comes with it.
The SolarWinds attack of 2020 demonstrated the global scale of what supply chain attacks can achieve. By compromising a software update mechanism used by tens of thousands of organisations, attackers gained access to hundreds of high-value targets simultaneously through a single point of compromise. The principle applies at every scale, including to Nigerian SMEs whose vendors may have much less sophisticated security than the software companies targeted in high-profile supply chain attacks.
The third-party risk landscape for a typical Nigerian business is broader than most owners appreciate. Cloud software providers, accounting tools, CRM systems, and HR platforms have access to business data. IT service providers may have remote administrative access to company systems. Payment processors handle financial transaction data. Marketing platforms have access to customer contact information. Each of these relationships represents a potential supply chain attack vector.
The specific vulnerabilities that make Nigerian businesses particularly exposed in this area are real and worth confronting directly. Vendor security vetting is rare; most Nigerian businesses choose vendors based on functionality and price, with little or no assessment of the vendor's security practices. Third-party access is often poorly managed; vendors given access for a specific project frequently retain that access long after the project ends. Monitoring of third-party integrations is typically limited or absent; businesses don't have visibility into what their vendors are actually doing with their access.
Software piracy adds a supply chain vulnerability that is rarely discussed in this context. Pirated software doesn't receive legitimate updates and patches. It may contain malware embedded at the source. It often comes through informal channels that have no security verification. A business running significant amounts of pirated software is exposed to supply chain risk through every piece of that software, and has no recourse when vulnerabilities are discovered and patched by the legitimate vendor.
3.2 Building a vendor security programme
Vendor security assessment doesn't require a dedicated security team or a large budget. It requires a systematic approach and the discipline to apply it consistently.
The starting point is a vendor inventory: a list of every third party that has access to your systems, data, or infrastructure, and the specific nature of that access. Many businesses are surprised by how long this list is when they actually construct it. The next step is tiering that inventory by risk: a vendor with read-only access to a limited dataset presents a different risk than a vendor with administrative access to your core systems.
For high-risk vendors, a basic security assessment should be a prerequisite for continued engagement. This doesn't require a formal security audit; it can begin with asking the vendor about their security practices: Do they have a written information security policy? Do they encrypt data in transit and at rest? Do they conduct background checks on employees with access to client systems? Do they carry cyber liability insurance? How do they notify clients of security incidents? The answers to these questions, even when they can't be fully verified, provide a meaningful signal about how seriously a vendor takes security.
Access management is the operational practice that limits the blast radius when a vendor is compromised. Vendors should have access only to what they genuinely need, for only as long as they need it. Access should be revoked immediately when a relationship ends or when a vendor's role changes. This is basic hygiene that most businesses don't apply consistently, and it's the difference between a vendor compromise that exposes one limited dataset and one that exposes your entire system.
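The inventory, tiering, assessment and revocation steps above can be run as a small recurring review. The script below is an added example, not part of the original article; the vendor names, the scoring weights, the tier thresholds and the 365-day reassessment window are all assumptions chosen for illustration.

```python
from datetime import date

# Assumed weights: how much a vendor can do, and how sensitive the data is.
ACCESS_WEIGHT = {"read-only": 1, "read-write": 2, "admin": 3}
DATA_WEIGHT = {"public": 0, "internal": 1, "customer": 2, "financial": 3}
TIER_ORDER = {"high": 0, "medium": 1, "low": 2}


def risk_tier(vendor):
    """Tier a vendor by access level plus the most sensitive data it can reach."""
    score = ACCESS_WEIGHT[vendor["access"]] + max(DATA_WEIGHT[d] for d in vendor["data"])
    # Administrative access is treated as high risk regardless of the data involved.
    if vendor["access"] == "admin" or score >= 5:
        return "high"
    return "medium" if score >= 3 else "low"


def review(inventory, today, max_assessment_age_days=365):
    """Return (name, tier, actions) per vendor, highest risk first."""
    report = []
    for v in inventory:
        tier = risk_tier(v)
        actions = []
        ended = v["engagement_end"] is not None and v["engagement_end"] < today
        if ended:
            # The engagement is over: any access still active should be revoked.
            if v["access_active"]:
                actions.append("revoke-access")
        elif tier == "high":
            # High-risk vendors need a security assessment, and a fresh one.
            last = v["last_assessed"]
            if last is None:
                actions.append("run-security-assessment")
            elif (today - last).days > max_assessment_age_days:
                actions.append("repeat-security-assessment")
        report.append((v["name"], tier, actions))
    return sorted(report, key=lambda r: (TIER_ORDER[r[1]], r[0]))


# Constructed inventory (hypothetical vendors, not real companies).
INVENTORY = [
    {"name": "payroll-saas", "access": "read-write", "data": ["financial", "internal"],
     "engagement_end": None, "access_active": True, "last_assessed": date(2024, 1, 10)},
    {"name": "web-agency", "access": "admin", "data": ["public"],
     "engagement_end": date(2024, 11, 30), "access_active": True, "last_assessed": None},
    {"name": "it-support", "access": "admin", "data": ["internal", "customer"],
     "engagement_end": None, "access_active": True, "last_assessed": None},
    {"name": "newsletter-tool", "access": "read-only", "data": ["customer"],
     "engagement_end": None, "access_active": True, "last_assessed": None},
    {"name": "printer-lease", "access": "read-only", "data": ["internal"],
     "engagement_end": date(2025, 1, 31), "access_active": False, "last_assessed": None},
]

if __name__ == "__main__":
    for name, tier, actions in review(INVENTORY, today=date(2025, 6, 1)):
        print(f"{tier:<6} {name:<16} {', '.join(actions) or 'no action'}")
```

The web-agency row is the case the article warns about: a finished project whose administrative access was never switched off.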
The Software Bill of Materials (SBOM) concept, a formal inventory of the components in any software your business uses, is becoming more important as regulatory expectations evolve. For most Nigerian SMEs, this is a future-facing consideration rather than an immediate requirement, but understanding the principle helps you think clearly about what you're trusting when you adopt any software product.
Insider Threats: The Risk That Comes From Within Your Own Team

This is the category of cybersecurity threat that organisations find most uncomfortable to discuss, because acknowledging it means acknowledging that people you employ, trust, and pay represent a significant component of your security risk. But the discomfort of the conversation is not a reason to avoid it. Over 40% of data breaches involve an insider component, and organisations that pretend this risk doesn't exist tend to have significantly less visibility into how their data is actually being handled.
4.1 The spectrum of insider threat
Insider threats exist on a spectrum from deliberate to entirely accidental, and understanding this spectrum is important for building proportionate responses.
At one end is the malicious insider: an employee who deliberately steals data, sabotages systems, or facilitates external attacks for financial gain, competitive advantage, or personal grievance. In the Nigerian context, this risk is amplified by economic pressure; employees who are underpaid relative to market rates, who have been passed over for promotion, or who are aware that their employment is at risk may be more susceptible to approaches from external criminal groups offering payment for system access or data.
At the other end, and statistically far more common, is the accidental insider: an employee who clicks a phishing link, who sends an email containing sensitive data to the wrong recipient, who misconfigures a cloud storage bucket to be publicly accessible, who uses their personal device for work without appropriate security controls, or who uses the same weak password for work systems that they use for personal accounts that have already been compromised.
Between these extremes sits the negligent insider: someone who is aware of security policies but doesn't follow them consistently, who finds security controls inconvenient and finds workarounds, or who has developed bad habits that create security risks without any malicious intent.
The organisational response to each of these requires different tools and different approaches, but there's significant overlap in the technical controls that address all three.
4.2 Zero-day vulnerabilities and why they matter for insider threat
Zero-day vulnerabilities, software flaws that are unknown to the developer and therefore unpatched, are relevant to insider threats in a specific way. An insider with knowledge of an unpatched vulnerability in your systems can exploit it in ways that bypass normal access controls, creating attack paths that wouldn't exist if your systems were fully patched. More broadly, zero-days represent the most challenging category of cybersecurity threat because they cannot be blocked by signature-based defences, and they exploit flaws that the defence tools haven't been told to look for.
The patch management discipline, systematically keeping all software and systems updated with security patches as they're released, reduces your zero-day exposure by eliminating the vulnerabilities that patches address. It doesn't eliminate zero-day risk, because zero-days by definition are unknown until they're discovered and disclosed. But it dramatically reduces the attack surface by ensuring that known vulnerabilities are addressed promptly rather than leaving them open indefinitely.
For Nigerian businesses running pirated or unlicensed software, patch management is either impossible (pirated software doesn't receive legitimate patches) or requires a fundamental change in software licensing approach. This is one of the most practically important arguments for moving to legitimate, licensed software: not the legal or ethical argument, though those are real, but the security argument that patched, updated legitimate software is significantly more secure than the unpatched, potentially compromised pirated alternative.
4.3 Implementing effective insider threat controls
The principle of least privilege is the foundational control for insider threat management. It means that every user, system, and application has access only to the specific resources required to perform their specific function, nothing more. An accounts receivable employee needs access to the accounts receivable system. They probably don't need access to payroll data, HR records, or the CEO's email. Limiting access systematically means that when an account is compromised, through phishing, through credential theft, or through an insider acting maliciously, the damage is contained to what that account can actually reach.
Implementing least privilege in an organisation that has grown without applying it consistently is a significant project, because historical access accumulation means most organisations have employees with far more system access than their current role requires. But it's worth doing systematically over time, starting with the highest-risk access categories: administrative access to core systems, access to sensitive financial and customer data, and remote access capabilities.
User and Entity Behaviour Analytics (UEBA) represents the monitoring dimension of insider threat management. UEBA tools establish behavioural baselines for each user and device (what systems they typically access, when they typically work, what they typically do with data) and flag significant deviations that might indicate account compromise or malicious activity. An employee who normally accesses 50 documents per day and suddenly accesses 5,000, who logs in at 3 am from an unusual location, or who begins exporting large amounts of data to external storage: these patterns trigger alerts that enable investigation.
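To make the baseline-and-deviation idea concrete (it applies equally to the behavioural analytics described in section 2.3), here is an added example that is not from the original article and is not how any particular UEBA product works. It builds a per-user baseline from a constructed activity history and scores new days against it; the user name, the median/MAD scoring method and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed history for one hypothetical user: ten days, about 50 documents
# a day, logins between 08:00 and 17:00, always from the same location.
_DAILY_DOCS = [48, 52, 50, 47, 55, 49, 51, 53, 50, 46]
HISTORY = [
    {"user": "adaeze", "ts": f"2025-03-{3 + i:02d}T{8 + i:02d}:15:00",
     "docs": n, "location": "Lagos"}
    for i, n in enumerate(_DAILY_DOCS)
]


def build_baseline(events):
    """Summarise each user's normal daily volume, working hours and locations."""
    per_day = defaultdict(lambda: defaultdict(int))
    hours = defaultdict(list)
    places = defaultdict(set)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        per_day[e["user"]][ts.date()] += e["docs"]
        hours[e["user"]].append(ts.hour)
        places[e["user"]].add(e["location"])
    baseline = {}
    for user, days in per_day.items():
        counts = list(days.values())
        med = median(counts)
        # Median absolute deviation: a spread measure that one odd day cannot skew.
        mad = median(abs(c - med) for c in counts)
        baseline[user] = {
            "docs_median": med,
            "docs_mad": max(mad, 1.0),  # floor so a perfectly flat history still works
            "hour_min": min(hours[user]),
            "hour_max": max(hours[user]),
            "locations": places[user],
        }
    return baseline


def score_day(baseline, user, day_events, z_threshold=6.0, hour_slack=1):
    """Return the sorted list of alert names raised by one day of activity."""
    b = baseline.get(user)
    if b is None:
        return ["no-baseline"]  # new or unknown account: nothing to compare against
    alerts = set()
    total = sum(e["docs"] for e in day_events)
    robust_z = (total - b["docs_median"]) / (1.4826 * b["docs_mad"])
    if robust_z > z_threshold:
        alerts.add("volume")
    for e in day_events:
        hour = datetime.fromisoformat(e["ts"]).hour
        if not (b["hour_min"] - hour_slack <= hour <= b["hour_max"] + hour_slack):
            alerts.add("off-hours")
        if e["location"] not in b["locations"]:
            alerts.add("new-location")
    return sorted(alerts)


# Constructed days to score: a slightly busy normal day, and the article's scenario.
NORMAL_DAY = [{"user": "adaeze", "ts": "2025-03-13T10:05:00",
               "docs": 58, "location": "Lagos"}]
SUSPICIOUS_DAY = [{"user": "adaeze", "ts": "2025-03-14T03:02:00",
                   "docs": 5000, "location": "unrecognised-network"}]

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(score_day(base, "adaeze", NORMAL_DAY))
    print(score_day(base, "adaeze", SUSPICIOUS_DAY))
```

A day of 58 documents stays quiet because it sits within the user's normal spread, while the 5,000-document session at 3 am from a new location raises all three alerts at once.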
The cultural dimension of insider threat management is as important as the technical one, and it's often neglected in favour of purely technical controls. Employees who understand why security matters, who have clear and accessible channels for reporting suspicious behaviour, who feel that the organisation treats them fairly and with respect, and who don't experience security controls as an expression of mistrust are significantly less likely to become insider threats, whether malicious or negligent. Security culture is built slowly, through consistent behaviour from leadership and genuine engagement with why security matters for the business, not through annual compliance training that nobody takes seriously.
Cloud and Identity Attacks: When Your Login Credentials Are the Keys to Everything

There's a useful way to think about how cybersecurity has changed as businesses have moved to cloud infrastructure: in the old model, your security perimeter was your network, the physical and virtual boundary between your systems and the internet. You protected that perimeter with firewalls and other network controls. If someone was inside the perimeter, they were assumed to be trusted. If they were outside, they were assumed to be untrusted.
Cloud computing dissolved this model. Your employees now access your systems from anywhere: from home, from cafes, from client offices, from their phones. Your data lives on servers in data centres you don't control. Your applications run in cloud environments whose configuration your own team might not fully understand. There is no meaningful perimeter anymore.
In this environment, identity (who you are, as verified by your credentials) becomes the new perimeter. The question that determines access is no longer "are you inside our network" but "can you prove you are who you claim to be." And the question that determines what an attacker can do when they compromise a system is "what identity do they have access to, and what can that identity do?"
Business Email Compromise deserves particular attention in the Nigerian context because it is both the most financially damaging form of identity-based attack and one where Nigerian businesses have specific vulnerabilities.
BEC works by compromising or spoofing the email account of a trusted person, typically an executive, a financial officer, or a vendor, and using that compromised identity to authorise fraudulent financial transactions or redirect legitimate payments to attacker-controlled accounts. The financial losses are direct and often immediate. And because the fraud is conducted through what appear to be legitimate channels by a trusted identity, by the time it's discovered, the money is often already gone.
Nigerian businesses face BEC risk in two directions simultaneously. Outward-facing: your business could be targeted by attackers pretending to be your vendors, your clients, or your own executives. Inward-facing: some of the largest BEC operations globally have historically had Nigerian components, which means that Nigerian businesses may face particular scrutiny from international partners and financial institutions, and also that there is a well-developed criminal ecosystem with deep expertise in these attacks operating in the same environment.
The specific vulnerabilities that make cloud and identity attacks effective are largely addressable with existing tools and processes. Multi-factor authentication, requiring a second form of verification beyond a password to access systems, defeats the majority of credential-based attacks, because even if an attacker obtains your password, they still can't log in without the second factor. Despite this, MFA adoption remains surprisingly low among Nigerian SMEs, largely because it introduces a small amount of friction into the login process that organisations haven't decided is worth the security benefit.
One of the most common and least discussed sources of cloud security incidents is misconfiguration, accidentally making data or systems accessible that were intended to be private. Cloud platforms are powerful and flexible, but that flexibility means there are many ways to configure them, and many of those configurations create unintended security exposures.
A cloud storage bucket set to public access instead of private access exposes every file in it to anyone who discovers the URL. An administrative interface exposed to the internet without IP restrictions gives attackers the ability to attempt brute-force login attacks indefinitely. An overly permissive access policy gives cloud services access to far more than they need, amplifying the blast radius of any compromise.
These misconfigurations are so common that there are automated tools that continuously scan cloud environments for them, both defensive tools that organisations use to find their own misconfigurations, and attack tools that adversaries use to find misconfigured resources belonging to others. The businesses that are found by the attack tools before they're found by the defensive tools are the ones that end up in incident response scenarios.
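The three misconfigurations described above can each be checked mechanically against your own configuration exports. The following is an added example, not from the original article and not a replacement for a real scanning tool; it assumes AWS-style JSON policy documents and a simplified firewall-rule format, and every resource name and rule in it is constructed.

```python
import ipaddress

# Remote administration ports checked for internet exposure (RDP is the one
# the article singles out; SSH is added here as an assumption).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def _as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _anyone(principal):
    """True when a policy principal means 'any caller at all'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_bucket(name, policy):
    """Flag a storage bucket whose policy grants access to anyone, unconditionally."""
    for st in _as_list(policy.get("Statement", [])):
        if (st.get("Effect") == "Allow" and _anyone(st.get("Principal"))
                and not st.get("Condition")):
            return [(name, "PUBLIC_BUCKET")]
    return []


def audit_firewall(name, rules):
    """Flag administrative ports reachable from every address on the internet."""
    findings = []
    for rule in rules:
        source = ipaddress.ip_network(rule["source"], strict=False)
        if source.prefixlen != 0:  # only 0.0.0.0/0 and ::/0 mean "everyone"
            continue
        for port, label in ADMIN_PORTS.items():
            if rule["from_port"] <= port <= rule["to_port"]:
                findings.append((name, f"{label}_OPEN_TO_INTERNET"))
    return findings


def audit_access_policy(name, policy):
    """Flag a policy that allows every action on every resource."""
    for st in _as_list(policy.get("Statement", [])):
        if (st.get("Effect") == "Allow"
                and "*" in _as_list(st.get("Action", []))
                and "*" in _as_list(st.get("Resource", []))):
            return [(name, "WILDCARD_ACCESS_POLICY")]
    return []


def audit(inventory):
    findings = []
    for name, policy in inventory["buckets"].items():
        findings += audit_bucket(name, policy)
    for name, rules in inventory["firewalls"].items():
        findings += audit_firewall(name, rules)
    for name, policy in inventory["access_policies"].items():
        findings += audit_access_policy(name, policy)
    return findings


# Constructed configuration export (hypothetical resources).
INVENTORY = {
    "buckets": {
        "customer-exports": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::customer-exports/*"}]},
        "invoices": {"Statement": {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/finance"},
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::invoices/*"}},
    },
    "firewalls": {
        "office-server": [
            {"from_port": 3389, "to_port": 3389, "source": "0.0.0.0/0"},
            {"from_port": 443, "to_port": 443, "source": "0.0.0.0/0"}],
        "jump-host": [{"from_port": 22, "to_port": 22, "source": "203.0.113.0/24"}],
    },
    "access_policies": {
        "reporting-service": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "backup-job": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:PutObject"],
             "Resource": "arn:aws:s3:::backups/*"}]},
    },
}

if __name__ == "__main__":
    for resource, issue in audit(INVENTORY):
        print(f"{issue:<24} {resource}")
```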
Privileged Identity Management, the systematic control of which accounts have elevated access to cloud resources and systems, is the organisational control that limits the damage of cloud compromises. When an account with broad administrative privileges is compromised, the attacker inherits those privileges. When administrative access is limited to accounts that are used only for administrative tasks, monitored more intensively, and require additional authentication steps, the blast radius of a compromise is significantly reduced.
Building a Cybersecurity Posture That Actually Protects Your Business

Everything discussed above can feel overwhelming: a long list of sophisticated threats that require sophisticated responses, against a background of limited budgets, limited technical expertise, and limited time. The temptation is to either do nothing because the problem seems too large, or to buy a comprehensive security product based on a vendor's promises without really understanding whether it addresses the actual risks your business faces.
Neither response is adequate. What Nigerian businesses need is a prioritised, practical approach, one that addresses the highest-risk vulnerabilities first, builds capability progressively over time, and is realistic about the constraints of the Nigerian business environment.
6.1 Start with the highest-return basics
There is a set of security controls that are relatively easy to implement, relatively inexpensive, and disproportionately effective against the majority of common attacks. Getting these basics right should be the priority before investing in more sophisticated tools.
Multi-factor authentication, deployed across all systems that have external access (email, cloud storage, remote desktop, and banking), defeats the credential-based attacks that initiate the majority of serious incidents. It costs very little to implement and requires only that employees complete one additional step when logging in. The friction is real but small. The security benefit is substantial.
Patch management, the discipline of applying security updates to all software promptly when they're released, eliminates the vulnerabilities that a large proportion of automated attacks exploit. Organisations that patch promptly close the window of opportunity that attackers rely on between vulnerability discovery and exploitation.
Backup discipline (maintaining regular, tested, off-site or offline backups) doesn't prevent attacks but dramatically changes their consequences. A business that can restore operations from a recent backup after a ransomware attack faces disruption and recovery costs. A business without adequate backups faces potentially business-ending data loss.
Email security, deploying tools that go beyond basic spam filtering to analyse the content and context of emails, reduces the success rate of phishing attacks significantly. This is one area where investment in better tools is clearly justified by the volume and sophistication of phishing activity.
Access control (implementing least privilege across your systems, reviewing and revoking access when it's no longer needed, and maintaining an inventory of who has access to what) limits the blast radius of any compromise and makes insider threats easier to detect.
Security awareness training has a reputation, often deserved, for being the kind of thing organisations do to tick a compliance box rather than to genuinely change behaviour. Annual online training modules that employees click through as fast as possible, trying to remember the right answers to the final quiz, produce compliance documentation and very little actual behavioural change.
Training that actually works is continuous, practical, and consequence-connected. Simulated phishing exercises, where the security team sends fake phishing emails and tracks which employees click, provide real data on vulnerability and create a training moment at the exact instant when an employee makes a mistake. Regular, short security briefings that discuss real incidents (anonymised as needed) and explain specifically what went wrong and what should have happened instead connect security training to reality in a way that abstract principles don't.
The most important single behaviour change that security training should produce is the verification habit for high-risk actions, particularly any financial transaction, any change to payment details, and any request that bypasses normal approval processes. Building a culture where it is expected to verify unusual requests through alternative channels, regardless of the apparent authority of the requester, stops BEC attacks and social engineering attacks at the point of execution.
6.3 Incident response planning: when, not if
Every business that uses computers and internet connectivity will experience a security incident of some kind. The question is not whether but when and how serious. Organisations that have thought through their incident response before an incident occurs are dramatically better positioned than those that have to figure it out in the middle of a crisis.
A basic incident response plan answers a small number of critical questions. Who is responsible for leading the response when an incident is suspected? Who needs to be notified, internally and externally? What are the immediate containment steps for the most likely incident types? Who are the external resources (legal counsel, incident response specialists, and insurance providers) that might need to be engaged? What are the regulatory notification requirements (the NDPA's 72-hour breach notification window, for example), and how will they be met?
Writing this plan down, reviewing it annually, and making sure the relevant people know it exists and where to find it takes a few hours. That investment looks very different in retrospect from an organisation that had to improvise every aspect of its response while already in crisis.
The Honest Bottom Line
Cybersecurity is not a problem you solve once. It's a risk you manage continuously, in an environment that changes faster than most organisational defences adapt. The attackers are motivated, systematic, and increasingly sophisticated. The tools available to defenders are also improving, but they require deliberate adoption and consistent application to be effective.
For Nigerian businesses, the urgency is genuine. The 4,000 weekly attacks that Nigerian organisations face aren't hypothetical or future threats. They're happening right now, to businesses that made the same assumption many businesses still make: that they're too small to be worth targeting, or that their existing protections are sufficient, or that a breach is unlikely enough that the investment in prevention isn't justified.
None of these assumptions holds up to scrutiny. Small businesses are actively targeted because they're easier to compromise. Existing protections built for yesterday's threat landscape are insufficient against today's AI-powered attacks. And the cost of a serious breach (lost data, operational disruption, regulatory penalties, reputational damage, customer loss) almost always exceeds, often by a significant multiple, the cost of the security investment that would have prevented it.
The businesses that will scale successfully in Nigeria's increasingly digital economy are those that treat cybersecurity not as an IT cost centre but as a foundation of operational resilience, as essential to running a serious business as having a reliable power supply, a trustworthy banking relationship, or a capable team.
Because a single serious breach can undo years of growth. And in an environment where 4,000 attacks happen every week, the probability that your business will face a serious attempt is not small. It's a certainty. The only question is whether you'll be ready.


