‘SMEs Vulnerable To Cyber Threats Amid Absence Of Recovery Plans’

A cybersecurity expert, Olatunde Olasehan, has lamented that small and medium-sized enterprises (SMEs) across Africa are increasingly vulnerable to cyberattacks, due to absence of proper cyber incident response and recovery planning.
Olasehan, in an interview with NATIONAL ECONOMY said in today’s digital landscape, it is no longer a matter of if businesses will be targeted by cybercriminals, but when.
“The problem is that too many African SMEs are completely unprepared for what comes next,” Olasehan added.
He narrated an ordeal of one Lagos-based logistics firm who recently lost its entire network to ransomware, adding that, “With no data backups, no recovery strategy, and no contingency plan, the company collapsed within three weeks. Trucks went idle, customers fled, and the business shut its doors for good. This is not an isolated case. These stories are becoming alarmingly common across Nigeria, Kenya, Ghana, South Africa, and other rapidly digitising economies.”
The rapid adoption of cloud computing, mobile payments, and digital supply chains across Africa has outpaced the region’s investment in cybersecurity and disaster recovery. According to recent estimates, Nigeria alone has lost over $500 million to cybercrime in recent years, with weekly incidents up by more than 20 per cent.
“Many African SMEs operate on tight budgets with limited technical capacity. As a result, even small cyber incidents, like phishing emails, malware infections, or website takeovers, can spiral into a full-blown crisis. Most SMEs don’t have the luxury of dedicated cybersecurity teams or expensive software. But that doesn’t mean they can’t be resilient.
What’s missing is a practical, affordable plan for when things go wrong,” Olasehan explained.
Traditionally, the cybersecurity expert averred that incident response frameworks are modeled after Western corporate environments, environments with ample resources, deep expertise, and redundant systems, even as he argues, that this model is a poor fit for most African businesses. “The key is shifting the mindset from technical recovery to business continuity. You don’t need perfect security. You need a way to continue operating, even if that means using paper receipts, SMS alerts, or manual processes temporarily,” he said.
Contrary to popular belief, cybersecurity resilience does not have to come with a hefty price tag, Olasehan averred, while urging African SMEs to take meaningful action with modest investments, including simple data backups stored on USB drives, external hard drives, or in low-cost cloud environments can protect critical records from ransomware; teaching employees how to spot phishing attempts or respond to unusual system behavior can stop threats before they escalate and when networks fail, having alternate communication systems, such as phone trees, WhatsApp groups, or even radio, can keep teams coordinated.
“Cybersecurity is not just about software, it is about people, processes, and relationships. It is about thinking ahead, not reacting too late,” Olasehan noted.