Sommie Njoku
Security · 2026-02-04

The Cybersecurity Posture Every Nigerian Startup Should Have by Day 30

Nine controls you can ship in a month with no full-time security hire — and the order to ship them in.

Most early-stage Nigerian startups treat cybersecurity the way they treat insurance: an abstract good they will get to when they have time. Then a co-founder loses a laptop in a Bolt, or a junior engineer pushes an AWS key to a public GitHub repo, or a customer asks for a SOC 2 letter ahead of a contract — and the conversation suddenly has a deadline. The good news is that the first thirty days of a serious security posture do not require a CISO, a budget or a consultant. They require nine controls, shipped in order.

Day 1 to 5 — identity. Turn on enforced MFA across Google Workspace or Microsoft 365 for every account, including service mailboxes. Move every shared password into a real password manager (1Password or Bitwarden Business — not a Notion page, not a WhatsApp chat). Disable legacy authentication on the mail protocols (IMAP, POP3, SMTP AUTH) that let a password alone get past MFA. This single week eliminates more than half of the practical attack surface that targets startups in our market.

Day 6 to 12 — devices. Enrol every laptop in a basic MDM (Google Endpoint, Microsoft Intune, or Kandji if you are mostly Mac). Enforce full-disk encryption, automatic OS updates, and a screen-lock timeout under five minutes. Require Chrome and Slack to be installed via the MDM. The point is not to spy on staff. The point is that when the laptop walks out of a co-working space, the data does not.

Day 13 to 20 — code and cloud. Turn on branch protection and required reviews on your main branch. Add GitHub secret scanning and Dependabot. In AWS or GCP, separate prod from dev into two accounts/projects, enable CloudTrail / Cloud Audit Logs, and put the root account's credentials behind a hardware MFA key that lives locked in a safe. Most early-stage breaches I have responded to in Lagos started with a leaked long-lived access key, not a sophisticated attacker.
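A local pre-commit check for the leaked-key case above, as an added example that is not part of the original post: it complements GitHub secret scanning by refusing the commit before the key ever leaves the laptop. The hook file name, the pattern set and the sample diff (which uses AWS's documentation placeholder credentials) are assumptions.

```python
"""Pre-commit secret check: refuse a commit that adds a long-lived credential.

Wire it in as .git/hooks/pre-commit (assumed path) so the check runs locally,
before GitHub secret scanning has to catch the key in a public repo.
"""
import re
import subprocess
import sys

# Credential shapes that should never live in a repo. Kept deliberately
# narrow so ordinary code does not trip the hook.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws-secret-access-key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}[A-Za-z0-9/+=]{40}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def find_secrets(diff_text):
    """Return (kind, diff_line_no) for every ADDED line matching a pattern.

    Only lines starting with a single '+' are checked, so a commit that
    removes a key (the fix) is never blocked. The matched value itself is
    not returned, so it cannot leak a second time via logs or terminals.
    """
    hits = []
    for no, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for kind, pattern in PATTERNS.items():
            if pattern.search(line[1:]):
                hits.append((kind, no))
    return hits

def staged_diff():
    """The exact change about to be committed."""
    return subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout

# Constructed sample diff using AWS's documented example credentials.
SAMPLE_DIFF = """--- a/config.py
+++ b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
-OLD_KEY = "AKIAIOSFODNN7EXAMPLE"
+region = "eu-west-1"
"""

if __name__ == "__main__":
    found = find_secrets(staged_diff())
    for kind, no in found:
        print(f"blocked: {kind} on staged diff line {no}", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Against SAMPLE_DIFF the check flags the two added credential lines and ignores the removed one.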

Day 21 to 30 — people and paper. Write a one-page acceptable-use policy and have every employee sign it. Write a one-page incident response runbook — who to call, in what order, what to say to customers, who decides to notify regulators. Run a 30-minute tabletop exercise with the founders walking through 'a customer just told us their data is on Telegram.' You will discover gaps. That is the entire point.

Nine controls, thirty days, no full-time security hire. This is not SOC 2. It is not ISO 27001. It is the posture that lets you survive the first incident without losing the company, and the posture that makes the eventual compliance project a documentation exercise rather than a rebuild.