Businesses today invest millions in cybersecurity. They acquire the most advanced antivirus software and firewalls, implement modern physical controls, install intrusion detection systems (IDS) and intrusion prevention systems (IPS) for both real-time protection and passive monitoring of alerts, and hire professionals to protect their networks. From senior leadership’s view, implementing these controls offers enough defense against any form of intrusion by a malicious attacker.
However, the biggest threat is not always the hacker attempting to breach the defenses; instead, it is the employee sitting behind the keyboard. In my opinion, no matter how advanced the technology, a single careless click can undo everything. Many Nigerian businesses think they can relax once the firewall and antivirus software are installed. While antivirus software is capable of scanning files, it is powerless to prevent employees from downloading malicious attachments.
Although suspicious traffic can be blocked by firewalls, a staff member entering their password into a phishing website cannot be stopped by a firewall, an IDS or an IPS. Human error can take many different forms. An employee can click on a phishing email that seems to come from a trusted source.
A staff member can share confidential business data or documents over a private WhatsApp group or Telegram channel. Ransomware may even be spread throughout the network by an employee who carelessly connects an infected USB drive to any device on the organization’s network.
These are common human errors rather than sophisticated technical attacks. Hackers are aware of this, which is why they focus on individuals within a target organization rather than systems. Even knowledgeable employees can be fooled by a well-written email with a subject line like “Urgent Payroll Update” or “BVN Verification Required.”
Hackers invoke authority or urgency by threatening to suspend accounts or take legal action if a link is not clicked right away. Social engineering continues to flourish around the world because the messages are crafted so well that it can be hard to realise a phishing attempt is in progress.
Once an attacker has convinced you to click the link, whether in a text message or an email, they no longer have to battle through firewalls or hack into the system.
Millions of naira can be lost with one poor decision. An entire company may lose access to its data due to a ransomware attack. Sensitive business data may be exposed by a leaked email.
According to the Nigeria Data Protection Act (NDPA 2023), a lost laptop containing unencrypted data may result in regulatory penalties. One hack could spell disaster for small firms. Cybersecurity breaches, however small they might be, usually have dire consequences for the business: reputational damage, reduced customer trust and confidence, and millions of naira in fines.
For this reason, I think Nigerian companies need to rethink their cybersecurity investment strategy. Too much money is spent on purchasing new equipment and not enough on employee training. Just as crucial as antivirus software are security awareness training, phishing simulations, and a culture of reporting suspicious activities.
The NDPA 2023 has made organizations accountable for their data handling practices. However, compliance requires more than just acquiring software; it also depends on employee actions.
No firewall, IDS or IPS can undo the harm caused if an employee transmits client information via an unprotected channel.
An organization’s security posture can be improved by simple measures such as training employees to recognize malicious links, requiring employees to confirm requests before responding, and rewarding staff members who report phishing attempts.
Even brief, hands-on workshops on information security might help businesses avoid expensive breaches. The most advanced antivirus can detect threats, but it cannot prevent an employee from clicking a malicious phishing link in an email.
In my opinion, employees will remain the weakest link in network defense against threats until we intentionally make them the strongest defense. The best investment any business can make is in what I call a human firewall; employees must be trained and equipped well enough to detect threats before they become security incidents.
Adesola is a cybersecurity specialist with an MSc in Cyber Security. He holds SSCP and Security+ certifications. Email: yemiadesola@gmail.com
