THE TRAJECTORY OF CYBERSECURITY IN NIGERIA: WHY A NATIONAL CYBERSECURITY COUNCIL CAN NO LONGER WAIT
THE TRAJECTORY OF CYBERSECURITY IN NIGERIA: WHY A NATIONAL CYBERSECURITY COUNCIL CAN NO LONGER WAIT
By Professor Ojo Emmanuel Ademola
Nigeria’s digital transformation has been swift and sweeping. In a single generation, the country has moved from an analogue economy to a mobile‑first society where banking, commerce, education and public services run on data networks. A population surpassing 250 million, driven by a median age under 20 and rapid urbanisation around Lagos and Abuja, has created one of Africa’s most vibrant digital markets. Yet this same hyper‑connectivity has exposed Nigeria to escalating and unprecedented cyber threats.As connectivity expands, so does the attack surface. The digital systems powering innovation now also carry intrusion, fraud and large‑scale disruption. By early 2026, Nigerian organisations were experiencing some of the highest weekly cyber‑attack volumes in Africa, with incidents rising into the thousands. Cybersecurity has therefore become a national priority, touching elections, financial stability, critical infrastructure and public trust. It is no longer a technical issue; it is a strategic one.
READ ALSO: Young Boy Arrested in Kebbi for Allegedly Posing as Deaf to Spy for Kidnappers
Nigeria’s Cybercrime Advisory Council (CAC), created under the Cybercrimes Act 2015 and chaired by the National Security Adviser, operates alongside the National Cybersecurity Coordination Centre (NCCC). While this framework served an earlier era, it is no longer adequate for today’s threat landscape. The CAC was built for policy guidance within a narrow cybercrime context, not for the integrated, whole‑of‑nation cybersecurity governance now required. Modern threats—ransomware, AI‑driven fraud, deepfakes, synthetic identities and attacks on critical infrastructure—demand an institution with real authority, technical depth, rapid coordination capability and a mandate far beyond advisory functions.
The scale and sophistication of current cyber risks have outpaced Nigeria’s existing governance model. The issue is no longer whether Nigeria is being targeted; it is whether the nation can respond with the speed, unity and competence required to secure its digital future. The answer is clear: Nigeria urgently needs a National Cybersecurity Council, established by law, fully empowered and transparently accountable, to coordinate national policy, enforce standards and lead incident response across the federation.
From nuisance to national risk
Cybercrime in Nigeria has evolved from opportunistic scams into a professionalised, globally networked ecosystem. Today’s threat actors range from transnational syndicates to ransomware crews, exploiting leaked credentials, weak identity controls and the growing use of artificial intelligence. A new frontier has emerged in human‑AI fraud: phishing written in near‑perfect English; deepfake audio and video used to authorise payments; synthetic identities blending stolen data with plausible digital personas; and social engineering that targets not only individuals but entire business processes.
Ransomware has matured into a full‑scale industry. Attackers increasingly exfiltrate data before encrypting systems, threatening public release and using operational disruption as leverage. Financial services, telecommunications and government agencies—because they concentrate sensitive data and deliver essential services—remain prime targets. As the cashless economy expands and fintech becomes the default interface for everyday transactions, the incentives for cybercriminals grow in parallel.
The financial and societal cost is sobering. Loss estimates over recent years run into billions of dollars, but the wider shadow cost is even greater: downtime, legal exposure, reputational damage, higher insurance premiums and—most damaging of all—erosion of trust that slows digital adoption and investment.
Nigeria’s posture: progress, yet fragmentation
Nigeria has made real progress. Regulators in banking and telecommunications have raised baseline security, and many major organisations now run security operations centres, use stronger authentication and maintain incident‑response playbooks. The professional cybersecurity community is also growing, with more training and certifications than a decade ago.
Yet national readiness still lags far behind. Governance remains fragmented, with responsibilities scattered across agencies, creating overlaps, gaps and inconsistent capacity. The Cybercrime Advisory Council, though useful in its time, was never built to function as Nigeria’s central cybersecurity command. Its advisory mandate, limited enforcement power and narrow statutory scope leave the country without a unified authority to set national standards, coordinate crises or enforce minimum controls across critical sectors. In a major incident, unclear leadership can be as damaging as the attack itself.
The talent gap is equally severe. Nigeria’s cyber workforce cannot meet national demand, and experienced professionals continue to be recruited abroad. Smaller institutions—SMEs, hospitals, schools and state governments—struggle to maintain dedicated security teams, relying heavily on external providers with uneven quality and oversight. Weak cyber hygiene persists nationwide, with delayed patching, misconfigured cloud systems, poor backup practices and low user awareness giving attackers predictable entry points.
A growing market needs stronger national coordination
Nigeria’s cyber risk is rising even as its cyber market expands. Cloud adoption, fintech growth and regulatory pressure are driving rapid investment, with national spending expected to reach hundreds of millions of dollars by 2026. Government is demanding faster breach reporting, stronger intelligence sharing and clearer expectations for minimum security controls. These shifts are positive, but they will fail without coordinated implementation across ministries, regulators and the private sector. Without a central authority, reforms become fragmented, costly and inconsistently enforced.
Global north examples show what effective coordination requires. The United States built CISA as a national hub for threat intelligence, incident response and critical infrastructure protection. The United Kingdom’s NCSC has become a global benchmark for public guidance, rapid crisis coordination and industry partnership. Canada’s Cyber Centre and the EU’s ENISA demonstrate how centralised institutions harmonise standards, strengthen national resilience and drive cross‑sector preparedness. These models prove that modern cybersecurity governance must be centralised, empowered and technically capable. Nigeria cannot afford to fall behind.
Why a National Cybersecurity Council?
Nigeria needs an institutional centre of gravity for cybersecurity—one that is more than advisory. A National Cybersecurity Council should set coherent national direction by owning an actionable strategy with measurable outcomes and harmonising minimum standards across sectors, including identity, incident reporting, encryption, backup, vulnerability management and third‑party risk. It should build shared situational awareness by strengthening threat intelligence exchange between government and industry, developing national fusion capability and ensuring actionable alerts reach the right organisations quickly.
The Council must coordinate incident response so that when critical services are attacked, the national response is rapid, united and rehearsed. It should maintain clear escalation protocols, support state governments and run cross‑sector exercises for power, telecommunications, finance, transport and healthcare. It must also grow national capacity, recognising that cybersecurity is ultimately a people capability. This includes leading a talent plan covering curriculum standards, apprenticeships, scholarships and a viable public‑service cyber career path, while establishing accreditation standards for Managed Security Service Providers. Finally, the Council should protect citizens and strengthen trust by serving as the public face of cyber resilience—publishing scam alerts, promoting safer digital identity practices and driving awareness campaigns. In a mobile‑first society, citizens are the first firewall.
Design principles that prevent ‘another committee’
For the Council to be effective, it must be anchored in law, sustainably funded and capable of convening decision‑makers quickly. It should be chaired at the highest level to cut through bureaucratic silos, supported by a professional secretariat and empowered to issue binding directives on minimum controls for systems that hold sensitive citizen data. Membership should include key security and technology agencies, sector regulators and representatives of state governments, with a structured interface to industry and academia. Crucially, the Council must maintain an independent technical advisory panel of practising experts to review standards, evaluate emerging threats and challenge institutional complacency.
Transparency is essential. While operational details must remain secure, the Council should publish annual national cyber risk assessments, anonymised incident statistics and progress metrics on readiness. This is how citizens, investors and international partners gain confidence that cyber governance is substantive rather than rhetorical.
A pragmatic agenda for 2026 and beyond
Nigeria must avoid paper compliance and pursue genuine risk reduction. Zero Trust should become the national baseline: never trust, always verify, with strong identity controls, least‑privilege access and continuous monitoring, especially for cloud and remote environments. Security operations should be modernised through human‑AI hybrid defence, where AI accelerates detection and triage while humans provide judgement and manage adversarial manipulation. The cashless economy must be secured through robust authentication, secure APIs and rapid fraud‑intelligence sharing among banks, fintechs and telecoms. Critical infrastructure resilience should be treated as national resilience, with mandatory assessments, continuity planning and regular exercises. Progress must be measured through meaningful indicators such as faster patching cycles, reduced incident dwell time and demonstrably improved recovery capability.
Cybersecurity diplomacy is equally important. Nigeria should deepen cooperation with regional and global partners on cybercrime investigations, information sharing and capacity building, while aligning domestic practice with data protection and digital trade expectations. A credible National Cybersecurity Council becomes the natural platform for such engagement.
A national call to action
Nigeria’s digital expansion is irreversible—and profoundly welcome. But without coherent cyber governance, the nation risks building its future on fragile foundations. A National Cybersecurity Council is not a luxury; it is the architecture of trust for a modern, resilient and competitive digital economy.
The question is not whether Nigeria will be targeted. It already is. The real question is whether the country will respond with unity, competence and foresight. If it does, Nigeria can become not only Africa’s largest digital market, but also one of its most secure.
By Professor Ojo Emmanuel Ademola, is the first African Professor of Cybersecurity and Information Technology Management, Global Education Advocate, Chartered Manager, UK Digital Journalist, Strategic Advisor & Prophetic Mobiliser for National Transformation, and General Evangelist of CAC Nigeria and Overseas