Why Nigeria Must Prioritize Cybersecurity

No photo availableCIO Africa authorBySteve Mbego
5 min read
The digital age offers Nigeria immense opportunities, which come with corresponding risks.

In April 2025, a notorious threat actor known as Ghudra posted an advert on a dark web forum, offering administrator access to the Gombe State Internal Revenue Service (IRS) web application for sale. For just $500, cybercriminals could purchase access to the agency’s backend systems, gaining control of sensitive financial data, including digital wallets and taxpayer payment records.

This is the sobering reality of Nigeria’s cybersecurity crisis.

At a time when the country is pushing forward with digital transformation, expanding e-government services, streamlining tax systems, and digitising citizen records, this breach is a glaring reminder that the security of our digital infrastructure is precarious. The Gombe IRS hack is not an isolated incident but a symptom of a deeper problem: chronic underinvestment in cybersecurity infrastructure, a lack of skilled personnel, and a culture that deprioritises security in favour of speed and cost-cutting.

Across federal, state, and local levels, Nigeria’s public institutions are digitising rapidly. Online platforms now power tax collection, national identity registration, land administration, public procurement, and even electoral processes. This transformation has been hailed as a leap forward in transparency, efficiency, and service delivery. However, while we have been busy building digital systems, we have neglected to secure them.

In many agencies, critical systems are running on outdated software. Default passwords are left unchanged. Multi-factor authentication is non-existent or ignored. Cybersecurity awareness among civil servants is low to non-existent, and training programs are either outdated or missing entirely. Routine practices such as patch management, log monitoring, and vulnerability assessments are rarely implemented. Most state and federal IT teams are understaffed and underequipped. Where cybersecurity budgets exist, they are often lumped together with general IT expenses and deprioritised when the time for fund disbursement arrives.

This situation creates fertile grounds for cybercriminals. It is not just the well-known ransomware groups nation-state actors we need to worry about anymore. Today, amateur hackers with basic skills can exploit these vulnerabilities and either launch attacks themselves or sell access to more sophisticated actors on the dark web.

Breaches like the Gombe IRS incident not only compromise digital information but erode trust. When taxpayers submit personal and financial data to government portals, they do so with the expectation that their data are protected. When that trust is broken, it weakens confidence in public institutions, reducing citizens’ willingness to embrace these new systems, thereby undermining the digital transformation efforts of the same government.

The implications go even further. If a state revenue service can be breached so easily, what does that say about the security of our voter databases, law enforcement systems, or health records? What about the integrity of our national infrastructure—electric grids, transport systems, defence communications, etc.?

Cybersecurity is no longer simply a technical issue; it is a national security issue. Left unaddressed, today’s breaches could lead to tomorrow’s crises, ranging from massive financial fraud to election interference, or even sabotage of critical infrastructure.

Nevertheless, Nigeria is not without guidance on cybersecurity. The National Cybersecurity Policy and Strategy (NCPS) lays out clear directives for securing digital assets. We also have the Nigeria Data Protection Act (NDPA), the National Digital Economy Policy and Strategy, and guidelines from institutions like NITDA and the Office of the National Security Adviser. But having policies is one thing; implementing them is another.

Many public sector institutions lack the technical knowledge or organisational will to adopt these policies effectively. Cybersecurity roles are often not clearly defined. Audits are rare. There are no concrete consequences for non-compliance. Incident response plans are either outdated or non-existent, and in many cases, breaches go unreported, swept under the rug to avoid scrutiny.

This gap between policy and practice creates a situation where we look secure on paper but are exposed in reality. And cybercriminals are exploiting that reality every day.

As a cybersecurity educator and threat intelligence analyst, I witness time and again how preventable most data breaches are. Many of the attacks we investigate could have been prevented with simple, foundational controls: strong passwords, timely software updates, proper network segmentation, and real-time monitoring.

But these controls do not implement themselves. They require leadership at the highest levels of government. Ministers, governors, agency heads, and permanent secretaries must treat cybersecurity as a strategic priority, not just a technical issue delegated to their IT departments.

Leadership must be accountable for digital risks just as they are for financial, political, or legal ones. Without that top-level buy-in, no amount of technical advice or policy paper will make a notable difference.

To secure Nigeria’s digital future, the following actions must be taken urgently and decisively:

  • Mandate cybersecurity compliance for all government institutions, with regular independent audits and publicly disclosed results.
  • Build internal capacity by hiring skilled cybersecurity professionals into government agencies and offering continuous training to civil servants.
  • Fund cybersecurity properly. Each agency should have a clear cybersecurity budget, not vaguely included in general IT budgets or overlooked entirely.
  • Develop and test incident response plans. Every institution must know what to do in the event of a breach, and tabletop exercises should be conducted regularly.
  • Partner with the cybersecurity community. Ethical hackers, researchers, and threat intelligence analysts can offer invaluable insights if the government is willing to listen.
  • Hold leadership accountable. When breaches happen due to negligence, there must be consequences, not just press releases.

The digital age offers Nigeria immense opportunities, which come with corresponding risks. As we continue to build our digital governance infrastructure, we must remember that every system we create is a potential target. The solution is not to slow down digital transformation but to embed cybersecurity at every stage from planning and procurement to deployment and maintenance.

Leave a Reply

Your email address will not be published.

Do you have a story that you think would interest our readers? Write to us editorial@cioafrica.co