Cybersecurity Measures for Nigerian SMEs

Oladele Steve

Cybersecurity for SMEs: Protecting Your Business in the Digital Banking Era

The SME Cybersecurity Blindspot

Your business just opened a Lenco account. Digital banking is live. Transactions are flowing. Staff are using the platform. Life is good.
Then your account gets hacked. Someone accesses your account, transfers ₦500,000 out, and vanishes. Your bank says, “You’re liable for unauthorized access from your account.” The police aren’t interested in a ₦500,000 case. You’ve lost money, trust, and your digital confidence.
This isn’t hypothetical. This happens regularly to Nigerian SMEs. And what’s shocking is how often these compromises happen not because the bank’s security failed, but because the business owner’s security was nonexistent.
A business owner in Lagos was shocked when his account was compromised. Investigation showed the employee with access to the account was using the same password for Lenco that she used for her Instagram. Someone cracked the Instagram password in a common breach, tried it on the email associated with her account, and got access.
Simple. Preventable. Devastating.

Why Cybersecurity Is a Bigger Risk Than You Think

Most SME owners think cybersecurity is about preventing hackers from “getting in.” The reality is far broader.
Cybersecurity risks for SMEs include:
Account compromise — Someone gains access to your business banking account and steals money or transfers funds fraudulently.
Data theft — Customer information, payment data, or business secrets are stolen and sold. This exposes you to regulatory fines and customer lawsuits.
Ransomware — Malware encrypts your files and demands payment for the decryption key. A Nairobi business lost access to all its financial records and customer database for two weeks, crippling operations.
Business email compromise — Attackers compromise your email and send convincing requests to suppliers asking them to change payment details. Vendors pay to the attacker’s account instead of yours.
Supply chain attacks — You’re hacked through a third-party vendor (accountant, software provider) who had access to your systems.
Staff social engineering — An attacker calls claiming to be from your bank, IT support, or regulatory body and tricks staff into revealing passwords or access codes.
For businesses operating in Nigeria, where cash transactions are common and digital adoption is still relatively new, the risks are compounded. Your staff might not understand digital security norms. Your customers might not expect rigorous data protection. Your vendors might have weak security standards.

The Real Cost of Cybersecurity Failures

Most SME owners calculate the cost of cybersecurity failures as direct loss: “If someone steals ₦500,000, I lose ₦500,000.” This is wrong. The costs are far broader:
Direct theft: If attackers access your account, they can transfer funds immediately.
Operational disruption: If systems are compromised or encrypted (ransomware), you can’t do business. A service business might have ₦0 revenue for a week.
Data protection liabilities: If customer data is compromised, you might face regulatory fines from CBN or FIRS. You might face lawsuits from affected customers.
Reputational damage: Customer trust evaporates. A digital business that gets hacked faces immediate loss of customers.
Recovery costs: Professional cybersecurity incident response is expensive: forensics, legal counsel, notification costs, credit monitoring services for affected customers.
Research suggests that the average cost of a cybersecurity breach for an SME is 10–100 times the direct theft amount. A ₦500,000 theft might cost ₦5–50 million in total impact (downtime, recovery, reputation, regulatory fines).

SME-Level Security Measures That Actually Work

Cybersecurity can feel complicated. Enterprise security is complicated. SME security can be simple if you focus on the right fundamentals.
1. Strong, Unique Passwords
This isn’t sophisticated. It’s foundational. Every person who accesses your business systems should have passwords that are:
At least 16 characters
Combination of uppercase, lowercase, numbers, and symbols
Completely unique (not reused across platforms)
Changed every 90 days for critical systems
An SME owner groaned when told about this requirement: “My staff can’t remember complex passwords.” Exactly. They shouldn’t try. Use a password manager (Bitwarden, 1Password, LastPass). The password manager remembers complicated passwords; the staff member only remembers one master password.
Cost: ₦2,000–5,000 per person annually. This is your most important security investment.
2. Multi-Factor Authentication (MFA)
This is non-negotiable for any critical system. If someone has your password, they can’t access your account without also having your phone or authenticator app.
For your Lenco account:
Enable phone-based MFA (code sent via SMS)
Or app-based MFA (like Google Authenticator)
Or hardware security keys (most secure but more complex)
For your email (which is the gateway to everything):
Enable MFA immediately
Use an authenticator app, not SMS (SMS can be intercepted)
For staff email accounts that have access to sensitive systems:
MFA is mandatory
Cost: Free to $20 per person annually for hardware keys.
3. Email Security
Your email is the gateway to your identity. If attackers compromise it, they can reset passwords, access banking portals, and impersonate you.
Practical steps:
Use a strong, unique password for your email account
Enable MFA on email
Set up email forwarding alerts (if someone sets up email forwarding to exfiltrate messages, you’ll know)
Use an email provider with decent security (Gmail is better than many free options)
For business email, use a platform with security features (Gmail Business, Office 365)
4. Device Security
The device you use to access banking and sensitive systems matters:
Install security updates as soon as they’re available
Use antivirus software (Windows Defender is fine for SMEs)
Don’t use the same device for banking and casual browsing/downloading
If possible, use a dedicated device for sensitive activities (transfers, account access)
Encrypt your laptop hard drive (Windows BitLocker, Mac FileVault)
5. Network Security
If you have an office network:
Use a password-protected WiFi network (not open public WiFi for business)
Change the default password on your router
Keep router firmware updated
Don’t use public WiFi networks for sensitive activities (banking, password changes)
A common scenario: a business owner accesses their bank account from a coffee shop’s WiFi. An attacker on the same network intercepts the traffic. Bang — compromised account. Cost to prevent: connect to a VPN service (₦5,000–15,000 annually) or avoid public WiFi for sensitive activities.
6. Access Control and Segregation
Not all staff need access to all systems.
Only finance staff should have access to banking systems
Only authorized individuals should approve transfers
No single person should have complete control over banking (implement approval workflows)
Use Lenco’s features: multi-user access, approval requirements, spending limits
A printing business had their account hacked. Investigation showed that the owner had shared login credentials with his accountant and bookkeeper (six people total had the same login). One person’s device got malware, attackers accessed the shared credentials, and they had full access.
The solution: unique logins, approval workflows, and segregation of duties.
7. Regular Backups
If your business relies on digital files (customer lists, invoices, financial records), they must be backed up:
Never stored only on one device
Backed up to cloud storage (Google Drive, Dropbox, OneDrive) daily
Backed up to external drive stored offsite weekly
Tested regularly (verify you can actually restore from backup)
A graphic design business lost everything when their computer was stolen. No backup. Total loss: ₦2.5 million in active projects and archives. They went out of business. Cost to prevent: ₦50/month for cloud storage.
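One way to carry out the "tested regularly" step, shown as an added example that is not part of the original article: hash every file in the live folder and in a test restore, then report what is missing or altered. The folder names, file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def manifest(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def compare_restore(source_root, restored_root):
    """Compare a test restore against the folder it was backed up from."""
    src, dst = manifest(source_root), manifest(restored_root)
    return {
        "missing": sorted(set(src) - set(dst)),   # absent from the restore
        "corrupted": sorted(p for p in set(src) & set(dst) if src[p] != dst[p]),
        "extra": sorted(set(dst) - set(src)),     # present in the restore only
    }


def demo():
    """Build a constructed live folder and a faulty restore, then compare them."""
    files = {"customers.csv": b"id,name\n1,Ada\n",
             "invoices.csv": b"no,amount\n7,50000\n",
             "ledger.txt": b"opening balance 0\n"}
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = os.path.join(tmp, "live"), os.path.join(tmp, "restored")
        os.mkdir(live)
        os.mkdir(restored)
        for name, data in files.items():
            with open(os.path.join(live, name), "wb") as fh:
                fh.write(data)
        # Constructed faults: one file restored intact, one truncated, one absent.
        with open(os.path.join(restored, "customers.csv"), "wb") as fh:
            fh.write(files["customers.csv"])
        with open(os.path.join(restored, "invoices.csv"), "wb") as fh:
            fh.write(files["invoices.csv"][:5])
        return compare_restore(live, restored)


if __name__ == "__main__":
    print(demo())
```

Files edited after the backup ran will also show up as "corrupted", so saving the output of `manifest()` at backup time and comparing the restore against that gives a cleaner result.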

Staff Training: Your Weakest Link

Studies consistently show that the biggest cybersecurity vulnerability for SMEs is staff. Not sophisticated attacks. Not advanced persistent threats. Staff making simple mistakes:
Using weak passwords
Reusing passwords across platforms
Opening phishing emails
Clicking malicious links
Sharing credentials
Using personal accounts for business
An Abuja business experienced a social engineering attack. The attacker called claiming to be from the bank, said there was an issue with the account, and asked the staff member to provide the password to “verify.” The staff member provided it. The attacker gained access. ₦800,000 was stolen in two hours.
The staff member wasn’t stupid. She just didn’t know that banks never ask for passwords, and she trusted the caller.
Basic staff training should cover:
Passwords: Unique, strong, use password manager, don’t share
Phishing: How to identify phishing emails (requests for passwords, urgent language, suspicious links)
Social engineering: Banks don’t call asking for passwords; legitimate callers can verify through official channels
Data handling: Customer data is not theirs; don’t store it on personal devices; don’t email confidential information
Reporting: How to report suspected security incidents
This training doesn’t need to be expensive or complicated. Fifteen minutes per quarter is sufficient. The goal is to build a security-conscious culture.

Your Cybersecurity Action Plan

Immediately:
Create strong, unique passwords for all critical accounts (banking, email, admin accounts)
Enable MFA on your main email account
Enable MFA on your banking account (Lenco)
Check if any of your passwords were compromised (haveibeenpwned.com)
This month:
Implement MFA across all staff accounts that access sensitive systems
Set up access controls on your Lenco account (multi-user access, approval requirements)
Conduct a basic security audit: which staff have access to what? Is it necessary?
Set up device and network security (router password, WiFi security, software updates)
This quarter:
Implement a password manager for staff
Brief staff on phishing and social engineering
Set up regular backups of critical data
Review and update your incident response plan (what do you do if you get hacked?)
Ongoing:
Monthly: Review access logs if your system provides them
Quarterly: Update staff security training
Annually: Review and update security policies
The businesses that get hacked aren’t necessarily the ones attacked most frequently. They’re the ones whose security is weakest. And the good news is that SME-level security isn’t complicated. It’s just disciplined.
Posted Jan 3, 2026

Cybersecurity measures recommended for SMEs to protect digital business activities.