Building Cybersecurity Capacities in Zambia’s Business Sector: Guideline for SMEs

Abstract

This research explores cybersecurity awareness and implementation within Zambia’s small and medium-sized enterprises (SMEs), a sector increasingly targeted by cyberattacks that lead to substantial financial losses. The study’s primary aim was to enhance cyber awareness and develop actionable guidelines for SMEs in Zambia. Utilising an interpretivist philosophy and inductive approach, the methodology encompassed semi-structured interviews, cross-sectional analysis, and a comprehensive review of CISA, ENISA guidelines, and Zambia’s Data Protection Act. Findings indicate a notable deficit in cybersecurity training and awareness among SMEs. Key concerns include inadequate data security measures, a lack of formal cybersecurity policies, and a reliance on basic tools like antivirus software. In response, the study formulated targeted guidelines, emphasising the integration of cyber awareness into SME governance and risk management. These guidelines have garnered significant interest from Zambian government entities, highlighting their potential influence on national cybersecurity policy. The study contributes theoretically by contextualising international cybersecurity standards within Zambia’s unique SME landscape. Methodologically, it pioneers a Cyber Awareness Framework tailored to Zambian SMEs, underscoring the critical role of human factors in cybersecurity. Practically, the research has sparked engagement among SMEs and government bodies, demonstrating its applicability and potential for shaping policy. However, limitations include reliance on outdated demographic data and a focus on digitally enabled SMEs, potentially overlooking broader IT governance aspects and less digitized businesses. Future research should aim for comprehensive, up-to-date analysis across all SME sectors, contributing to a more inclusive and resilient cybersecurity landscape in Zambia.