Bridging the Cybersecurity Gap: Tailored Strategies for Zambia’s SMEs

DOI:

https://doi.org/10.25159/3005-4222/15713

Keywords:

cybersecurity awareness, SMEs, Zambia, data protection, cybersecurity, financial impact of cyberattacks

Abstract

This research examines cybersecurity awareness and implementation within Zambia’s small and medium-sized enterprises (SMEs), a sector increasingly targeted by cyberattacks that cause substantial financial losses. The study aimed to enhance cyber awareness and develop actionable guidelines for SMEs in Zambia. Utilising an interpretive philosophy and inductive approach, the methodology encompassed semi-structured interviews, cross-sectional analysis, and a comprehensive review of CISA, ENISA guidelines, and Zambia’s Data Protection Act. Findings indicate a notable deficit in cybersecurity training and awareness among SMEs. Key concerns include inadequate data security measures, a lack of formal cybersecurity policies, and a reliance on basic tools like antivirus software. In response, the study formulated targeted guidelines that emphasise integrating cyber awareness into SME governance and risk management. These guidelines have garnered significant interest from Zambian government entities, highlighting their potential influence on national cybersecurity policy. The study contributes theoretically by contextualising international cybersecurity standards within Zambia’s unique SME landscape. Methodologically, it pioneers a cyber awareness framework tailored to Zambian SMEs, underscoring the critical role of human factors in cybersecurity. In practice, the research has sparked engagement among SMEs and government bodies, demonstrating its applicability and potential to shape policy. However, limitations include reliance on outdated demographic data and a focus on digitally enabled SMEs, potentially overlooking broader IT governance aspects and less digitised businesses. Future research should aim for comprehensive, up-to-date analyses across all SME sectors, contributing to a more inclusive and resilient cybersecurity landscape in Zambia.

Published

2025-11-12

How to Cite

Dagada, Rabelani, and Goni Saar. 2025. “Bridging the Cybersecurity Gap: Tailored Strategies for Zambia’s SMEs”. Southern African Journal of Security, November, 43 pages. https://doi.org/10.25159/3005-4222/15713.

Section

Articles