Nigerian small and medium-sized enterprises remain highly vulnerable to cyberattacks because many business owners still view cybersecurity as an issue that primarily affects large corporations, government institutions, and banks.

This is according to a report by Cybersecurity Consultant and Founder of UltEnterprise, Bolaji Edu.

In the report, “Why Nigerian SMEs Keep Getting Hacked and What the Owners Will Not Admit,” Edu noted that while many SME owners are hardworking and committed to growing their businesses, they often underestimate the cyber risks they face.

He challenged the notion that cybersecurity should be reserved for large organisations, arguing that businesses of every size are potential targets. “The question is not whether your business is big enough to be targeted,” he said.

Edu said his interactions with small business owners consistently highlight significant gaps in cybersecurity awareness and preparedness.

“There is a conversation I have had many times with small business owners, and it follows a predictable pattern.

“I ask about their cybersecurity. They tell me they have antivirus software. I ask about their staff. They tell me their people are sensible. I ask about their backups. There is a pause. Then they change the subject,” he stated.

According to Edu, SMEs are the backbone of Nigeria’s economy, employing the majority of the workforce and contributing significantly to the country’s gross domestic product, yet they remain among the least protected organisations against cyber threats across Africa.

He explained that cybercriminals typically deploy automated tools to scan thousands of businesses for security weaknesses, exploiting any vulnerabilities they find rather than deliberately targeting specific companies.

“They run automated tools that scan thousands of businesses simultaneously, looking for weaknesses. When a weakness is found, they exploit it. The size of the company is irrelevant. What matters is whether there is something worth taking and whether the door is unlocked,” he said.

Edu said SMEs often possess valuable digital assets, including customer databases, supplier records, employee information, banking credentials, and email accounts, making them attractive targets for cybercriminals seeking to commit fraud.

“Customer data, including names, phone numbers, and payment information. Supplier relationships and pricing information. Employee records. Banking credentials. Email access that can be used to redirect payments or impersonate the business owner in fraud schemes.

“Business email compromise, where an attacker gains access to a company email account and uses it to redirect payments or conduct fraud, is one of the most financially damaging cybercrimes affecting Nigerian businesses. It does not target large corporations primarily,” he said.

He identified password reuse, outdated and unpatched software, the lack of regular data backups, and weak access controls as some of the most common security gaps SMEs need to address. According to Edu, the consequences of a cyberattack go far beyond immediate financial losses, often affecting business operations, customer trust, and long-term growth.

“The money stolen in a fraud, the ransom paid to recover data, these are real costs, and they can be devastating. But the full cost of a breach extends further and deeper than most owners realise until they are living through it. There is an operational disruption.

“A business that has been hit by ransomware does not just lose data. It loses the ability to function. Systems are offline. Employees cannot work. Orders cannot be processed. Deliveries cannot be tracked. For every day of disruption, revenue is lost, and relationships are damaged,” he added.