Date: 2025-08-25

Cybersecurity expert Adebowale Adetunji, in this interview with Abolaji Adebayo, speaks on Nigeria’s cyber threat landscape, the role of AI in both attack and defense, why a coordinated national strategy is non-negotiable for survival, and the future outlook of cybersecurity in Nigeria’s financial sector.

How would you describe the current state of cybersecurity in Nigeria’s financial sector?

The Nigerian financial ecosystem has made significant strides in digital transformation, but cybersecurity maturity is still uneven across institutions. While Tier 1 banks have invested heavily in layered defenses, such as SIEM systems, endpoint detection and response (EDR), and even early-stage threat intelligence platforms, smaller institutions and fintechs often lack robust threat modeling or real-time detection capabilities.

We are seeing a surge in credential stuffing, business email compromise (BEC), and increasingly targeted ransomware attempts. Cybercriminals are becoming more organized, often exploiting third-party vulnerabilities, legacy infrastructure, and insufficient security operations center (SOC) capabilities. The truth is, Nigeria’s cybersecurity framework is reactive in many quarters.

Many institutions still prioritize compliance-based security rather than risk-based and intelligence-driven defense strategies. The Nigerian financial sector is under significant cyber threat, with attacks growing in both frequency and sophistication. Banks, fintech firms, and payment platforms are prime targets due to the high volume of digital transactions.

Cybercriminals exploit vulnerabilities such as weak authentication systems, poor employee awareness, and outdated infrastructure. While some institutions have invested in cybersecurity measures, many still lag behind, making the sector a soft target for hackers. The Central Bank of Nigeria (CBN) and other regulators have introduced guidelines, but implementation remains inconsistent across the industry.

What are the most common types of cyberattacks affecting financial institutions in Nigeria?

The most prevalent attacks include phishing, where criminals trick employees or customers into revealing sensitive information through deceptive emails or fake websites. There’s also a surge in ransomware attacks, where hackers encrypt critical systems and demand payment for decryption. Banking trojans like Emotet and SpyEye have been used to steal login credentials and siphon funds.

Additionally, insider threats, where disgruntled employees or negligent staff compromise security, are a growing concern. SIM swap fraud, where attackers hijack mobile numbers to bypass two-factor authentication, is another major issue.

How prepared are Nigerian financial institutions to defend against these threats?

Preparedness varies widely. Larger banks and fintech companies with robust IT budgets have deployed advanced security tools like intrusion detection systems, encryption, and multi-factor authentication. However, smaller institutions often lack the resources and expertise to implement strong defenses.

A major gap is the shortage of skilled cybersecurity professionals in Nigeria. Many organizations also fail to conduct regular penetration testing and security audits, leaving them unaware of vulnerabilities until an attack occurs. While the CBN’s Risk-Based Cybersecurity Framework is a step in the right direction, enforcement and compliance need to be stricter.

What are the biggest cybersecurity myths in Nigeria’s financial sector?

One major myth is that cybersecurity is purely a technical issue. In reality, human error accounts for over 80 per cent of breaches. Another misconception is that compliance equals security; just because a bank meets regulatory requirements doesn’t mean it’s truly secure.

There’s also a false belief that only large institutions are targeted. Small fintechs and microfinance banks are increasingly attacked because they often have weaker defenses. Cybercriminals look for the weakest link, not just the biggest prize.

What role do customers play in cybersecurity breaches, and how can they be better protected?

Customers are often the weakest link in cybersecurity. Many fall victim to phishing scams, use weak passwords, or share sensitive information carelessly. Financial institutions must invest in continuous customer education, teaching users how to recognize scams and secure their accounts.

Implementing stronger authentication methods, such as biometric verification and one-time passwords (OTPs), can help. Banks should also monitor transactions in real-time and alert customers to suspicious activities. However, customers must also take responsibility by using secure networks, avoiding suspicious links, and regularly updating their passwords.

How effective are Nigeria’s cybersecurity laws and regulations in combating financial cybercrime?

Nigeria has made progress with laws like the Cybercrimes Act of 2015 and the Nigeria Data Protection Regulation (NDPR), but enforcement remains weak. The legal framework criminalizes cyber offenses, but prosecutions are rare due to challenges in tracking cybercriminals and gathering digital evidence.

Collaboration between financial institutions, law enforcement, and regulators needs improvement. The Economic and Financial Crimes Commission (EFCC) and the Nigerian Communications Commission (NCC) have taken steps to address cybercrime, but more specialized cyber policing units and faster judicial processes are needed.

Additionally, penalties for non-compliance with cybersecurity regulations should be stricter to compel institutions to prioritize security.

What emerging cyber threats should Nigeria’s financial sector be most concerned about?

Artificial intelligence (AI)-driven attacks are a looming threat, where hackers use machine learning to bypass security systems. Deepfake technology could also be weaponised to impersonate executives and authorize fraudulent transactions. The rise of quantum computing poses a future risk, as it could break current encryption methods.

Another concern is supply chain attacks, where hackers target third-party vendors to infiltrate larger financial institutions. As Nigeria’s cashless policy expands, more attack surfaces will emerge, making continuous threat assessment and proactive defense strategies essential.

What steps should financial institutions take to strengthen their cybersecurity posture?

First, they must adopt a risk-based approach, identifying critical assets and prioritising their protection. Regular employee training is crucial to reduce human error, which is a leading cause of breaches. Investing in advanced technologies like AI for threat detection and blockchain for secure transactions can enhance security.

Collaboration with other institutions and cybersecurity agencies for threat intelligence sharing is also vital. Institutions should conduct frequent penetration tests and establish incident response plans to minimize damage in case of an attack. Finally, fostering a cybersecurity culture from leadership down to entry-level staff ensures that security remains a top priority.

What role do you believe emerging technologies like AI can play in strengthening cybersecurity?

Artificial intelligence is a game-changer. AI and machine learning can provide predictive insights into abnormal behavior before attacks happen. For example, anomaly detection engines can flag unusual login patterns or transaction flows—even if they haven’t been previously classified as threats.

In Security Operations Centers, AI can accelerate Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), reducing manual triaging and enabling analysts to focus on high-value threats. Natural language processing (NLP) models can process thousands of threat intel feeds in real-time to deliver actionable insights. However, AI is a double-edged sword.

Threat actors are already using generative AI to craft hyper-realistic phishing attacks and automate vulnerability scans. Hence, it’s not about using AI in isolation but embedding it in a broader cyber defense lifecycle—from attack surface management to post-incident forensics.

How can Nigeria develop a stronger cybersecurity workforce to combat these threats?

The government and private sector must invest in cybersecurity education, partnering with universities to offer specialized programs. Professional certifications like Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH) should be encouraged. Internship programs and hands-on training can bridge the gap between theory and practice.

Financial institutions should also offer competitive salaries to attract and retain cybersecurity talent. Public-private partnerships can facilitate knowledge exchange, and initiatives like hackathons and cybersecurity awareness campaigns can inspire more young Nigerians to pursue careers in this field.

Looking ahead, what is the future of cybersecurity in Nigeria’s financial sector?

The future will be shaped by how well Nigeria adapts to evolving threats. With increased digitalization, cybersecurity must become a core business function rather than an afterthought. Regulatory bodies will likely impose stricter compliance requirements, and institutions that fail to comply may face severe penalties. The adoption of advanced technologies like AI and blockchain will play a key role in defense strategies.

However, cybercriminals will also innovate, meaning continuous vigilance is necessary. If Nigeria can build a robust cybersecurity ecosystem—combining strong regulations, skilled professionals, and public awareness—the financial sector can better withstand cyber threats and maintain trust in the digital economy. This discussion highlights the urgent need for Nigeria’s financial sector to prioritize cybersecurity.

While challenges persist, a combination of regulatory enforcement, technological investment, and workforce development can help secure the sector against growing cyber threats.

What are your thoughts on building resilience in Nigeria’s financial sector?

Resilience means ensuring continuity under stress. For financial institutions, this requires embedding cybersecurity into operational resilience frameworks. We need to adopt a zero-trust architecture—where access is continually verified, not assumed. Moreover, disaster recovery and cyber incident playbooks must evolve.

Many institutions still treat cybersecurity as an IT issue rather than an enterprise risk. The board must be cyber-literate. Recovery time objectives (RTO) and recovery point objectives (RPO) should now factor in not just business continuity, but data integrity and threat containment.

One key area is the simulation of real-world attack scenarios using red team/blue team exercises. These stress-test not just the technology but the people and processes as well.

How can Nigeria position itself better for the future?

First, we need to invest in talent. The cybersecurity skills gap in Nigeria is real. We must incentivize cybersecurity certifications, create a national cyber talent registry, and encourage knowledge-sharing platforms. Second, there must be regulatory modernization. The Central Bank of Nigeria’s Risk-Based Cybersecurity Framework was a good start, but it needs teeth.

Regulations should include sector-wide cyber maturity assessments, mandatory breach disclosures, and stricter third-party vendor risk oversight. Lastly, public-private collaboration must move beyond memorandums. We need active threat-sharing consortiums, periodic cybersecurity drills, and coordinated national incident response strategies. If we can secure Nigeria’s financial sector, one of the most digitized on the continent, we can set a benchmark for all of Africa.

Should Nigeria consider a cybersecurity levy or national cyber insurance fund for financial institutions?

Absolutely. A cybersecurity levy, pooled into a national cyber resilience fund, could help smaller institutions afford advanced defenses. Similarly, mandatory cyber insurance would ensure that businesses can recover financially after an attack. However, such measures must be structured carefully to avoid becoming just another tax. The funds should directly support threat intelligence sharing, SOC enhancements, and cybersecurity training programs.

With the rise of mobile banking, how vulnerable are Nigerian users to cyber threats?

Extremely vulnerable. Mobile banking adoption has skyrocketed, but security awareness hasn’t kept pace. Many users still fall victim to SIM swap fraud, fake banking apps, and SMS phishing (smishing). Cybercriminals exploit weak authentication methods, such as relying solely on OTPs (one-time passwords), which can be intercepted.

Banks must enforce multifactor authentication (MFA) and behavioral biometrics, like keystroke dynamics and swipe patterns, to verify legitimate users. Additionally, consumer education campaigns should be as aggressive as marketing campaigns for new banking products.