top of page
  • Writer's pictureAshley Woodhall

How to Develop a Cybersecurity Toolkit for African SMEs: A Case Study

During 2023, we worked on one of our favourite projects to date! We helped Africa’s Climate Venture Builder, Persistent, develop a cybersecurity toolkit for its portfolio companies under the Energy Entrepreneurs Growth Fund (EEGF). 

We helped Persistent understand some of the security risks faced by small and medium-sized enterprises (SMEs) in Africa. We then designed tools to protect these companies from security incidents, ultimately helping them secure their investments and future.

And now, we’re publishing a Q&A style testimonial transcript with Peter Huisman, Lead Tech Venture Builder at Persistent, to discuss his experience working with us.  

Who is Persistent?

Persistent is an early stage impact investor and venture builder across Africa’s climate tech sector. They are a fund advisor to the EEGF, a growth stage fund for energy access and productive use of energy, managed by Triple Jump. The fund has invested debt, equity and mezzanine finance in about a dozen companies to date, all operating in sub-Saharan Africa.

Persistent invests both financial and human capital in companies that are actively developing and implementing climate change mitigation and transition.

What was the project about? 

Persistent works with many climate-tech companies, mostly small and medium-sized enterprises (SMEs) from ideation to series A, as well as growth stage businesses for EEGF. These companies all heavily utilise technology and/or collect a significant amount of data. While cybersecurity is key to protecting technology and data, some of these companies lack the in-house security expertise to adequately protect themselves. 

Persistent partnered with Practical Infosec to develop a security toolkit, ensuring the companies in their EEGF portfolio were well-equipped for their cybersecurity needs. This empowers them to stay safe online now and in the future.

What did the project achieve?

As part of this awesome project, we achieved the following outcomes by developing a cybersecurity toolkit for African SMEs:

  1. Created a state of affairs report for the African SME landscape on 5+1 ways African SMEs can improve their cybersecurity (+1 refers to software development which not all companies do in-house).

  2. Carried out an in-depth Security Health Check for one of Persistent’s portfolio companies to help them understand how secure they are, whilst also getting more insight for Persistent on how secure a typical climate-tech African SME is. 

  3. Created a set of 3 x security policy templates which can be put in place quickly and easily. 

  4. Created a security self-assessment tool which Persistent could share with their portfolio companies to understand their cybersecurity score.

  5. Created a deep-dive security checklist that  Persistent can use to better understand how secure a portfolio company or potential investment opportunity is.

  6. Reviewed and improved Persistent’s security training and awareness materials. 

Post project Q&A with Peter Huisman, Lead Tech Venture Builder at Persistent. 

Ash: What situation or circumstances prompted you to seek support from us?

Peter: We noticed the growth stage companies in our portfolio don’t focus much on cybersecurity and yet a lot of these companies store a lot of customer data. Many of them also develop their own software and attract quite a bit of investment. So we figured this was a topic that we should bring to the surface but we didn't have the expertise in-house.

The security toolkit 

Ash: How has the cybersecurity toolkit for African SMEs helped so far? And how do you think it will continue to add value in the future?

Peter: It has deepened our own understanding of cybersecurity. The discussions that we had with companies have really helped put this on the radar with those companies, beyond just telling them they should act because their investment is at risk. And it has caused them to start thinking about how to address some of these issues as well. With this toolkit, we're actually able to help them move this forward straight away. And we have been able to train EEGF and Persistent staff to raise awareness internally.

We’ve had portfolio companies telling us they knew they should do something with this but they don't really know where to start, they know it's important but it's never really urgent until something happens, right? The fact that we are able to go to those companies with really concrete questions and concrete tools allows them to put it on the agenda and actually do something about their cybersecurity. 

Ash: Which of the security toolkit deliverables was most valuable, and which was least valuable? 

Peter: The self-assessment tool has been very useful. It's easy to push it out to the company and get the feedback from the companies on what their cyber security posture looks like. We’ve been able to build a report around that which allows us to quickly send feedback to the companies. It allows us to assess companies but also creates a lot of awareness with companies as well around what topics they really should be thinking about. It's so focused around essential cybersecurity and what topics really should be on the radar or should be covered. So I think that's probably the most useful one.

But I would not say there isn't a tool that's not useful. It depends a bit on the situation, the company and what they need. The toolkit gives us quite a few tools that help us assess companies and identify risk, which is great for EEGF prior to making an investment. And it provides us with tools that we can offer to companies post investment. We can actually help companies implement these tools through what we call Engine Room projects, which are effectively technical assistance projects. These form a key element of investments done by EEGF. 

Companies so far have expressed most interest in the general information security policy and the acceptable usage policy. But there’s also been interest in the policies, the report write-up, and the staff training. 

Ash:  One of the other security toolkit deliverables I wanted to ask about was the deep dive Security Health Check for one of EEGF’s portfolio companies. Can you talk a little bit about what value that's been to them?

Peter:  The Health Check and consequently the concrete set of recommendations have been very valuable to the company. It was very clear that the company as a result of the Health Check became a lot more aware where the gaps were and the things they really needed to address.  

Also, they got a clear buy-in from even the CEO on actually putting actions in place to address those gaps. 

I think the company itself, without your help, would have not been able to kind of come up with a very concrete action plan toward improving their cybersecurity.

I think it is very beneficial to the company and in protecting themselves, but also for them to understand where they're risks are and being able to discuss those with other potential funders and partners as well. And so we're generally very happy with how that went.

Your experience working with us

Ash:  You gave us a score of 9 out of 10 for your overall experience working with us. Would you mind giving us a bit of background on why you gave that score?

Peter:  The quality of the work has been great. There's been a lot of positive communication back and forth in kind of working towards the right deliverables. There were a few delays not purely from your side obviously just as much from our side but overall we ended up finishing a bit later than we had initially planned. That's why we didn't go for a full ten. 

But overall being able to finish everything and having a very concrete set of materials that are very usable and applicable. And I liked the fact that we also didn't go overboard. Something that's very detailed quickly becomes unusable and this prevents it from being adopted rather than actually helping companies. So thank you for finding the right sweet spot. 

Ash: What would you tell somebody who was considering working with us about your experience?

Peter: For others operating this SME space and the social impact space, I think your ability to design solutions for what we really need has been very useful.

Ash: Is there anything that surprised you about working with us?

Peter: We had a good contracting phase in which we really clarified expectations on the deliverables and then we executed as agreed so in the end no unexpected surprises. The one thing that positively stood out were the extras like the phishing test, the additional consultancy beyond the project.  That for us was greatly appreciated because it shows that you go beyond just executing the assignments then saying goodbye as a customer. 

Your commitment to the project showed active involvement and willingness to contribute beyond what we originally set out as the scope. That was just a positive surprise.

Ash: If you believe our services were great, what would make them amazing?

Peter: We had a bit of back and forth on the technical scoring, so I think it was a relatively minor issue. If it required a little bit less effort on our end in terms of review and back and forth and it obviously would have left us with a ten instead of a nine. 

We don't mind, it was not a big issue. We actually like the fact that you were open to feedback, and worked with the feedback to implement the improvements. I would say that that's one obviously and that the slight extension on the timeline, which was just as much on our end as it was on your end.

We're happy that we could work so flexibly and still just get the work done.

Ash:  What other feedback would you like to provide to improve our approach and/or materials?

Peter:  The one thing that we had mentioned is the cybersecurity report for the company that we just spoke about. And, to have that in a slightly more formal formatting so it really becomes a report that they can share with investors. 

All of the information and the data in and presented and the actions presented are extremely valid, but if it's clearly presented as a report by a service provider and presented a bit more quote unquote professionally, with kind of a front page Etc. So it's a very small thing right but particularly in this industry where companies are constantly fighting for funding, talking to support partners and being able to really present a professional looking independent verification of a cybersecurity posture. 

The focus for this particular company was to provide them with an internal tool. So during this particular case there was no need to push much harder on the report. 

Tell us more about Persistent 

Ash: And lastly, would you be able to give us a more detailed overview of Persistent?

Peter: Persistent is an early stage impact investor and venture builder across Africa’s climate tech sector. 

We are a fund advisor to the EEGF, a growth stage fund for energy access and productive use of energy, managed by Triple Jump

Persistent invests both financial and human capital in companies that are actively developing and implementing climate change mitigation and transition. 

We have invested in a number of different sectors and originally focused on energy access and companies that provide solar home systems to off grid areas in Sub-Saharan Africa, but also commercial and industrial solar systems.

We have since moved on to invest in e-mobility. So companies that bring electric motorcycles, electric tricycles or even electric cars to African markets. 

And then we've invested in enablers such as carbon credit companies or software companies that improve energy efficiency of grids. 

Our investments are across the continent anywhere from Eastern Africa, Southern Africa, as well as West Africa. 

With EEGF we are still expanding our portfolio and will continue to invest in energy access, e-mobility and productive use of energy. And with Persistent we're currently expanding our efforts by raising for a new climate impact fund called Africa Climate Venture Builder Fund that  we hope to launch during 2024. This will be a $100m fund to continue our venture building activities across the continent, predominantly with local entrepreneurs. 

And through those local entrepreneurs who really understand the local context, we believe by helping them with building their ventures through technical support, legal support, financial support, fundraising support, we create a genuine impact on these businesses and ultimately the climate. 


bottom of page