
Small and medium-sized businesses play a key role in Nigeria’s economy, but as they benefit from digitalisation, they also face higher risks of cyberattacks.
Across Africa, cybercriminals are actively exploiting web and email channels, including in ransomware and phishing attacks. In fact, Kaspersky data shows 66 million phishing link clicks recorded in the region in 2024.
Phishing emails and fake websites that trick users into revealing sensitive information (e.g., passwords, banking details) or downloading malware by mimicking trusted sources are among the biggest risks to SMBs.
Last year, Kaspersky recorded over 14.8 million phishing link clicks by corporate users in Africa, a clear sign of how widespread these scams are.
Criminals impersonate banks, suppliers or officials to trick staff into sharing credentials or clicking malicious links. Even one wrong click (for example, opening a malicious PDF file) can let cyber attackers into your network.
The good news is that SMBs can significantly improve their security posture by prioritising cybersecurity across several key areas.
Reduce phishing risks
Some of the key steps to reduce phishing risk include:
- Train employees. Teach staff to check the sender's actual address (not just the display name), to hover over links to see the real destination and compare its domain with the one the message claims to come from, and to be skeptical of urgent requests.
- Use email filters. Deploy spam filters or secure gateways that block known phishing domains and suspicious attachments.
- Keep systems updated. Apply security patches to operating systems, browsers and email clients promptly.
- Deploy all-in-one security. Use integrated solutions (such as Kaspersky Small Office Security) that include anti-phishing features. These tools automatically scan and block scam emails or infected websites.
Cultivating a security-aware culture is crucial. Run simulated phishing tests and encourage everyone to report any suspicious message. Together, these steps make it far less likely that a scam will succeed.
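The "hover over the link and look at the domain" advice above can be automated for the mail that reaches staff. The following is an added example (not code from the article or from Kaspersky) that scans the HTML body of an email, extracts every link, and flags the classic tricks: a trusted brand name buried inside an unrelated domain, a domain one or two characters away from a trusted one, a raw IP address, a punycode host, and link text that names one site while the href points to another. The trusted-domain list and the sample email are constructed for the demonstration.

```python
"""Flag suspicious links in an email body: lookalike domains, brand names inside
other domains, text/href mismatch, punycode hosts and raw-IP hosts.
Added example; the brand list and sample email are constructed assumptions."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains this (hypothetical) business trusts.
TRUSTED_DOMAINS = ["gtbank.com", "microsoft.com", "firs.gov.ng"]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Approximate the registrable domain: last two labels, or three for
    second-level registries such as .com.ng / .gov.ng (simplified, not a full PSL)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"com", "co", "gov", "org", "net", "edu"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats such as gtbanks / micros0ft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(text):
    """Return the host named in visible link text if it looks like a URL or domain."""
    text = text.strip()
    if not text or " " in text or "." not in text:
        return None
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower() or None


def check_link(href, text):
    """Return a list of human-readable reasons why this link looks like phishing."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return findings
    try:
        ipaddress.ip_address(host)
        return ["raw IP address instead of a domain name"]
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) host, possible homoglyph domain")
    reg = registered_domain(host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host.split("."):
                findings.append(f"brand '{brand}' appears inside non-brand domain {reg}")
            elif edit_distance(reg.split(".")[0], brand) <= 2:
                findings.append(f"{reg} looks like {trusted}")
    shown = host_of(text)
    if shown and registered_domain(shown) != reg:
        findings.append(f"link text shows {shown} but points to {host}")
    return findings


def scan_email(html_body):
    """Map each suspicious href in the body to its list of findings."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    return {href: r for href, text in extractor.links if (r := check_link(href, text))}


# Constructed sample phishing email (203.0.113.0/24 is a documentation range).
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended within 24 hours.</p>
<p>Verify now: <a href="https://gtbank.com.secure-login.xyz/verify">https://gtbank.com/verify</a></p>
<p>Or sign in at <a href="http://micros0ft.com/login">Microsoft 365</a></p>
<p>Statement: <a href="http://203.0.113.10/statement.pdf">download</a></p>
<p>Help: <a href="https://www.gtbank.com/support">www.gtbank.com/support</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

The edit-distance threshold of 2 is deliberately loose and will produce false positives for very short brand names; in a mail gateway you would tune it per brand and pair it with a public suffix list rather than the simplified `registered_domain` above. The mismatch check is the one that catches the most real-world phishing: the visible text says `gtbank.com`, the actual destination does not.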
Protect against ransomware
Ransomware encrypts company files and demands payment for decryption keys. Such attacks can be crippling for SMBs, causing financial losses, and disrupting business operations. Preventing that first breach (often through phishing or unpatched software) is essential.
To defend against ransomware:
- Maintain offline backups. Back up critical data regularly to a location that machines on your main network cannot write to (such as an external drive that is disconnected after each backup, or cloud storage with separate credentials and versioning), so that ransomware running on a workstation cannot reach the copies. Always verify that backups can be restored.
- Keep software patched. Ransomware often exploits known vulnerabilities. Keep all operating systems and applications up-to-date to close those holes.
- Use advanced endpoint protection. Deploy modern security software on every computer. For example, Kaspersky Next provides cloud-based EDR (Endpoint Detection and Response) and vulnerability scanning to detect ransomware behaviour before it encrypts files.
- Restrict privileges and respond quickly. Give users only the rights they need, so malware running under an ordinary account cannot encrypt shared drives or disable security tools; if a machine starts behaving suspiciously, disconnect it from the network immediately to stop the encryption spreading.
With these steps, most ransomware attacks can be prevented. Independent tests of Kaspersky's security products show that they block most of the tested ransomware samples, underscoring the value of good defences.
Enforce strong passwords and access control
Weak or reused passwords make it easy for hackers to break in: a password leaked from one breached website is tried against every other service (credential stuffing), and short passwords fall to brute-force guessing. Without multi-factor authentication and strong passphrases, a single leaked credential is enough.
Best practices for password and access security:
- Use strong, unique passwords. Every account should have its own long passphrase or complex password. Consider a password manager to generate and store them.
- Enable multi-factor authentication (MFA). Wherever possible, require a second factor in addition to the password. An authenticator app or hardware key is preferable to SMS codes, which can be intercepted through SIM-swap fraud; even so, any form of MFA blocks the great majority of automated login attacks.
- Restrict administrative access. Remove admin rights from ordinary users and restrict admin privileges to trusted IT staff. Deactivate any unused user accounts and change any default passwords immediately.
Enforcing these rules means that a leaked or guessed password on its own is no longer enough to get into your network.
Keep systems and devices updated
Outdated software is an open invitation to cyber attackers. To keep systems secure:
- Enable automatic updates. Configure your operating systems and major applications to install security patches automatically.
- Maintain an asset inventory. Keep track of all devices and software in use. Retire or isolate any equipment that can no longer be updated.
- Scan for vulnerabilities. Use network scanning tools to find unpatched machines and missing security fixes.
Patching promptly removes the vulnerabilities that many malware families exploit, dramatically reducing the overall risk of infection.
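The inventory and scanning steps above boil down to one question per device: is it on a version you have patched, and is it still receiving patches at all? The following is an added example (not from the article or any vendor tool) that audits a small inventory export against a baseline of minimum patched versions and vendor end-of-support dates. The inventory rows and the baseline table are constructed for the demonstration; the end-of-support dates must be confirmed against the vendor's own lifecycle pages before you rely on them.

```python
"""Audit a device/software inventory against minimum patched versions and
end-of-support dates. Added example; INVENTORY_CSV and BASELINE are constructed."""
import csv
import io
from datetime import date

# Constructed inventory export, as an SMB admin might keep it in a spreadsheet.
INVENTORY_CSV = """hostname,product,version
acct-pc-01,Windows 10,10.0.19045
acct-pc-02,Windows 7,6.1.7601
web-01,nginx,1.24.0
web-02,nginx,1.18.0
files-01,Windows Server 2012 R2,6.3.9600
"""

# Constructed baseline: lowest version you consider patched, and the date after
# which the vendor ships no more security fixes (verify these with the vendor).
BASELINE = {
    "Windows 10": {"min_version": "10.0.19045", "eol": date(2025, 10, 14)},
    "Windows 7": {"min_version": "6.1.7601", "eol": date(2020, 1, 14)},
    "Windows Server 2012 R2": {"min_version": "6.3.9600", "eol": date(2023, 10, 10)},
    "nginx": {"min_version": "1.24.0", "eol": None},
}


def parse_version(version: str) -> tuple:
    """Compare versions numerically per component, so 1.9.0 < 1.24.0 (string order would get this wrong)."""
    return tuple(int(part) for part in version.split("."))


def audit_inventory(csv_text: str, today: date) -> dict:
    """Return hostnames grouped by what action they need."""
    result = {"unpatched": [], "unsupported": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = BASELINE.get(row["product"])
        if entry is None:
            result["unknown"].append(row["hostname"])  # not in baseline: someone must classify it
        elif entry["eol"] is not None and today >= entry["eol"]:
            result["unsupported"].append(row["hostname"])  # retire or isolate: no patches exist
        elif parse_version(row["version"]) < parse_version(entry["min_version"]):
            result["unpatched"].append(row["hostname"])  # a fix exists and has not been applied
    return result


if __name__ == "__main__":
    for action, hosts in audit_inventory(INVENTORY_CSV, date.today()).items():
        print(f"{action}: {', '.join(hosts) or '-'}")
```

The distinction between the two lists matters in practice: an "unpatched" machine is fixed by applying updates, while an "unsupported" one cannot be fixed by patching and has to be replaced or moved onto an isolated network segment, exactly as the bullet above says.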
Secure your data and backups
Data is often an SMB’s most valuable asset – customer records, financial logs, designs, etc. Protect it by:
- Encrypting data. Use full-disk or file-level encryption on laptops, servers and backups, and keep the keys or recovery passwords somewhere other than the device itself. If a device or backup is stolen, the encrypted data stays unreadable.
- Keeping reliable backups. Maintain both local and off-site backups of critical data. Automate regular backups and periodically test that you can restore data.
- Implementing strict access controls. Grant file permissions based on roles. Store very sensitive files (like financial spreadsheets) on secure, isolated servers or folders.
Encrypting and backing up data also helps meet regulatory requirements (for example, Nigeria's NDPR). Bear in mind what encryption at rest does and does not do: it protects stolen disks and backup media, but it does not stop an attacker who has already logged in to a running system, which is why the access controls above matter just as much.
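Both the ransomware section and this one say to "test that you can restore", and a backup nobody has ever restored is only a hope. The following is an added example (not code from the article or from any Kaspersky product) of what that test looks like in its simplest honest form: back up a folder to a compressed archive, store a SHA-256 manifest beside it, then restore into a scratch directory and compare every file against the manifest. The demo also shows the failure case, where a later copy of the archive contains a file that has been altered, and the restore test reports it. All paths are constructed inside a temporary directory.

```python
"""Back up a directory to a tar.gz with a SHA-256 manifest, then prove it restores
by extracting to a scratch directory and re-hashing every file.
Added example; the sample files and paths are constructed in a temp directory."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write the archive and a manifest taken from the live files at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
    Path(f"{archive}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path):
    """Restore into a fresh directory and compare every file with the manifest.
    Returns (ok, list of problems). Never touches the live data."""
    manifest = json.loads(Path(f"{archive}.manifest.json").read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' extraction filter (Python 3.12, backported to 3.8.17+) rejects
            # path traversal and absolute paths inside the archive; fall back quietly if absent.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        restored = build_manifest(Path(scratch) / "data")
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"hash mismatch: {rel}")
        problems.extend(f"unexpected file: {rel}" for rel in restored if rel not in manifest)
    return (not problems, problems)


def run_demo():
    """Good backup verifies; a later archive with an altered file is caught."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "shared"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q1.csv").write_text("invoice,amount\n1001,250000\n")  # constructed
        (src / "customers.txt").write_text("Ada Obi, Lagos\n")  # constructed
        archive = Path(work) / "backup.tar.gz"
        create_backup(src, archive)
        ok_fresh, _ = verify_restore(archive)

        # Simulate a file that was encrypted/corrupted before a later archive was
        # written, without the manifest being refreshed: the restore test must notice.
        (src / "customers.txt").write_bytes(b"\x00ENCRYPTED\x00")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src, arcname="data")
        ok_corrupt, problems = verify_restore(archive)
        return ok_fresh, ok_corrupt, problems


if __name__ == "__main__":
    print(run_demo())
```

Two practical notes. First, the manifest must live with the backup copy (and ideally in a second place), not only on the server that was backed up, or ransomware that encrypts the server takes your evidence with it. Second, this is the check to run against the disconnected or off-site copy, on a schedule, not just once when the backup job is set up; a backup that verified last year tells you little about the media today.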
Train employees and build awareness
Even the best technology can be undone by human error. Regular training and awareness are essential:
- Provide ongoing training. Conduct short sessions on how to spot phishing and practice safe browsing habits. Use examples relevant to Nigeria (like common scam texts or phishing emails).
- Simulate phishing attacks. Send test phishing emails to staff periodically. Those who click should get informative feedback. Over time, the click rate should drop.
- Encourage easy reporting. Make it simple for employees to report suspicious emails or incidents (for example, by emailing a designated IT person).
- Use automated training platforms. For example, Kaspersky’s Automated Security Awareness Platform delivers brief interactive lessons and simulated attacks.
A vigilant team is an extra line of defense. In practice, employees who recognise a cyberattack can stop it before it spreads.
Adopt comprehensive security solutions
Use professional security tools to tie everything together. For example, Kaspersky Small Office Security protects up to 25 devices with antivirus, backup and management – all from one console.
Kaspersky Next provides on-premises or cloud-based endpoint protection and EDR for larger SMBs.
Additional best practices:
- Enable device firewalls. Turn on the built-in firewall on every PC and network router and allow only the inbound connections a device actually needs. This blocks unsolicited connections from the internet and from other machines on the local network.
- Segment your network. Put guest Wi-Fi and IoT gadgets (like cameras or printers) on separate network segments from your core systems. This limits the spread if one segment is breached.
- Use VPNs for remote work. Require that any employee working off-site connects through a VPN (protected by MFA) before reaching internal systems, and never expose remote desktop (RDP) directly to the internet; internet-facing RDP is one of the most common entry points for ransomware operators.
- Secure IoT devices. Change default passwords on any Internet-connected device when you start using it and disable unused features. IoT devices often have weak security out of the box.
By combining user practices with these technical defenses, SMBs can greatly reduce their cyber risk. They say that in cybersecurity, ‘an ounce of prevention is worth a pound of cure’ – even small businesses can protect themselves effectively by following these suggested measures.