Nigerian SMEs face increasing cyber threats due to unpatched vulnerabilities and limited security resources. Human and technical constraints contribute to weak cybersecurity defences, exposing businesses to malware, ransomware, and social engineering attacks. Understanding these risks is essential for enhancing cybersecurity resilience. This study aims to determine the prevalence and severity of unpatched vulnerabilities among 100 Nigerian SMEs, considering human and technical limitations. An anonymous web-based survey was conducted, targeting 100 government-registered SMEs across various industries in Nigeria. The survey explored patch management practices, exposure to cyber threats, and existing security gaps. Responses were analysed using thematic analysis to identify recurring patterns and systemic weaknesses related to human factors, technical constraints, and organizational practices based on participants’ answers and comments. Among the SMEs surveyed, 78% reported experiencing at least one cybersecurity incident in the past year, with many remaining vulnerable to social engineering and other IT infrastructure-related threats. Social engineering and impersonation scams (42%), along with unpatched software vulnerabilities (38%), emerged as the most common threats. A thematic analysis of open-ended responses (n = 65) highlighted ineffective security practices (n = 25), low cybersecurity awareness (n = 22), and resource constraints (n = 18) as key challenges. Despite these risks, only 29% of SMEs reported having a dedicated cybersecurity budget. Nigerian SMEs acknowledge that vulnerabilities stem from human and technical constraints, often influenced by financial, social, and security limitations. Sector-specific, cost-effective cybersecurity training and affordable safeguards are essential to enhance resilience. Furthermore, policies that simplify compliance and remain practical for resource-constrained SMEs could help bridge the existing security gap.
Aminu Muhammad Auwal (Sun,) studied this question.