There is a particular kind of confidence that comes from not yet having experienced a disaster. Nigerians have a name for it: we call it "managing." The generator is old but it's still running. The roof leaks but only when it rains heavily. The company's entire customer database sits on an unencrypted Excel sheet on someone's laptop, but nothing has happened yet, so why worry?
This is the cybersecurity conversation in most Nigerian companies in 2024. And honestly? It's fascinating, though not in a good way: the same way a car accident on the Third Mainland Bridge is fascinating.
First, some numbers that should make you uncomfortable
The Nigerian Inter-Bank Settlement System (NIBSS) reported that Nigerian banks lost over ₦9.5 billion to fraud in 2023 alone. The Centre for Strategic and International Studies (CSIS) has tracked Nigeria as one of the most targeted countries in Africa for cyberattacks, particularly in the financial services sector. A 2023 report by Sophos found that 71% of Nigerian organisations surveyed had been hit by ransomware, higher than the global average of 66%.
And yet, walk into most Nigerian SMEs and ask to see their security policy. You will be met with a look usually reserved for people who bring up NEPA bills at a wedding.
"We have antivirus." — Every Nigerian company, moments before getting breached.
So why does this keep happening?
I've thought about this a lot. It's not that Nigerian business owners are careless people; many of them are sharp, hardworking, and incredibly resourceful. The same person who will negotiate a lease agreement line by line will approve a ₦500,000 IT budget that includes zero naira for security. Why?
Security is invisible until it fails. Nobody throws a party when the firewall blocks an intrusion attempt. There's no press release that says "we didn't get hacked this quarter." ROI on security is measured in things that didn't happen, and humans are notoriously bad at valuing things that didn't happen. You see your new generator every day. You don't see the SQL injection attack that got blocked last Tuesday.
The threat feels abstract and foreign. There's a widespread belief that hackers are bored teenagers in Eastern Europe who target banks and governments, not a local logistics company in Lekki Phase 1. This is dangerously wrong. Business Email Compromise (BEC) attacks, where attackers impersonate executives or suppliers to redirect payments, cost Nigerian businesses hundreds of millions annually, and the targets are overwhelmingly SMEs, not multinationals. Attackers go where the defenses are weakest, not where the biggest logos are.
There's no immediate regulatory consequence. In some sectors, this is changing: the CBN and NITDA have started taking compliance more seriously. But for the average trading company or law firm, there is no external pressure to improve until the breach makes the news. And even then, most breaches in Nigeria are quietly swept under the carpet, so the social deterrent barely exists.
The talent gap is real. Good cybersecurity professionals in Nigeria are expensive, in high demand, and often leave for better-paying opportunities abroad. A company that can't afford or find the right person will default to "IT support guy also handles security", which is like asking your accountant to also be your lawyer because they both went to university.
What a breach actually costs
The companies that resist cybersecurity investment usually do so on cost grounds. "We can't afford it." Fair enough; budgets are real constraints. But consider what a breach actually costs.
IBM's 2023 Cost of a Data Breach Report puts the global average at $4.45 million. That figure is skewed by large multinationals, but the proportional damage to an SME is often worse, because SMEs don't have the reserves to absorb it. A ransomware attack that locks a company's files and demands $50,000 to release them doesn't care whether the company's annual revenue is $50 million or $500,000. The attacker sets the price based on what they think you'll pay, not what you can afford.
Beyond direct financial loss, there's reputational damage. In a market where trust is everything and news spreads faster than LASMA on social media, a company that loses customer data doesn't just lose money, it loses clients, partnerships, and sometimes entire contracts. There are companies that did not survive their first serious breach.
"The cost of security is always less than the cost of a breach. Always. No exceptions."
The shift that needs to happen
Cybersecurity needs to stop being seen as an IT problem and start being treated as a business continuity problem. Because that's what it is. You buy insurance for your office. You have locks on your doors. You vet new employees before giving them access to the accounts. Security is just that, but for the systems your business now depends on completely.
The encouraging part is that most of the high-impact, low-cost security measures are genuinely not expensive. Multi-factor authentication costs nothing to enable. Staff training on phishing, the entry point for 91% of cyberattacks according to Deloitte, costs a few hours and an honest conversation. Regular data backups, proper access controls, keeping software updated: none of this requires a ₦10 million budget. It requires decision-makers who take it seriously.
The companies that are doing this well in Nigeria, and there are some, treat security as infrastructure, the same way they treat electricity and internet access. Not glamorous, not optional, not something to revisit "when things settle down." Essential.
One last thing
If you're reading this and you work at or run a Nigerian company, I'm not here to alarm you; I'm here to be honest with you. The question is no longer whether your organisation will be targeted. The question is whether you'll be prepared when it happens. Because unlike your generator, this is one problem that won't give you a warning cough before it dies completely.
Sort it out before someone else sorts you out :)