Weak enforcement exposes Nigerians to data breaches, expert warns

A cybersecurity expert, Wale Adewale Edun, has stated that incidents of data breaches across Nigeria's public and financial institutions are exposing deep weaknesses in the country's data protection framework. Edun, a senior information security consultant with over three decades of experience in data protection, cybersecurity, and corporate governance, warned that weak enforcement of existing laws leaves both institutions and individuals vulnerable, despite growing awareness of digital risks.

Speaking in an interview with The Guardian, he noted that recent cyberattacks targeting key organizations point to a growing and largely unchecked threat to national security and personal data safety. "In recent months, there has been a surge in attacks on Nigerian organizations," he said. "These actors are not just targeting one sector. They are going after government agencies, financial institutions, telecoms companies, and private organizations."

According to him, the limited disclosure of breaches reflects a wider problem within Nigeria's cybersecurity landscape: a lack of transparency and accountability. "Very few of these breaches are properly reported," he said. "And when they happen, the public is often left in the dark."

Global challenge, local concern

While cyberattacks are a global challenge, Edun warned that Nigeria's current situation is particularly concerning because of the scale of data exposure and the country's weak enforcement mechanisms. He stressed that the implications go beyond financial loss, extending into national security risks and long-term economic consequences. "The global environment today shows that access to data is a major tool in modern conflict," he said. "When sensitive personal and institutional data is exposed, it creates vulnerabilities that go far beyond the individual."

Personally identifiable information, including names, addresses, dates of birth, phone numbers, and financial details, can be exploited for fraud, identity theft, and other forms of cybercrime. In Nigeria, where digital adoption has grown rapidly across banking, telecommunications, and government services, the volume of such data in circulation has increased significantly. Edun warned that many Nigerians may already be at risk without fully realizing it. "If critical data from institutions is compromised, the damage is not limited to those organizations," he said. "It affects everyone connected to them."

Superficial compliance

Despite the risks, many organizations continue to present themselves as compliant with data protection standards. However, Edun argued that this compliance is superficial. "There is a difference between being compliant on paper and actually being secure," he said. According to him, many organizations treat cybersecurity as a "tick-box exercise," focusing on obtaining certifications rather than implementing continuous protection measures. In practice, this means policies and procedures may exist on paper but are not consistently applied in day-to-day operations. "An organization can pass an external audit today and still be breached tomorrow," he explained. "Certification does not guarantee security."

He noted that external audits are often scheduled in advance, giving organizations time to prepare and present ideal conditions that may not reflect their usual practices. "The auditor sees what the organization wants them to see," he said. "That does not mean the systems are secure at all times." This gap between compliance and actual readiness, according to him, is one of the most critical weaknesses in Nigeria's cybersecurity framework.

Weak enforcement of existing laws

Nigeria already has legal frameworks designed to protect data, including the Nigeria Data Protection Act and oversight by the Nigeria Data Protection Commission. However, Edun argued that the problem lies not in the absence of laws but in their enforcement. "The regulation is there," he said. "What is missing is enforcement." He criticized a pattern of delayed investigations and a lack of visible sanctions against organizations that suffer breaches. "With the number of incidents we have seen, there should have been clear outcomes by now," he said. "Investigations should be concluded, findings published, and penalties applied where necessary."

According to him, the absence of consequences has allowed organizations to continue operating without prioritizing data protection. He added that organizations are more likely to take cybersecurity seriously when there are financial implications. "When businesses know they will face significant penalties, they respond," he said. "Without that, there is little incentive to change behavior."

Lack of communication after breaches

One of the most troubling aspects of Nigeria's data protection environment, according to Edun, is the lack of communication following breaches. Under existing regulations, organizations are expected to notify both regulators and affected users when a breach occurs. However, he said this requirement is rarely enforced in practice. "Customers are supposed to be informed if their data is compromised," he said. "But in Nigeria, that almost never happens."

As Nigeria continues to expand its digital economy, the risks associated with weak data protection are becoming more pronounced. From banking to business registration and telecommunications, large volumes of sensitive data are being collected and stored daily. Edun warned that without urgent reforms, the country risks undermining both public confidence and investor trust. "When organizations cannot demonstrate that they can protect data, it raises concerns for anyone looking to do business," he said. He added that credibility in the digital space is increasingly tied to how well countries protect information. "It is not enough to claim compliance," he said. "What matters is whether systems are truly secure."

Internal threats and training gaps

Beyond weak enforcement and superficial compliance, Edun said another critical gap in Nigeria's cybersecurity landscape lies in the failure to understand the nature of threats facing organizations. According to him, many institutions focus heavily on external attacks while underestimating risks within their own systems. He explained that employees with access to sensitive systems can unintentionally expose data through poor practices such as weak password management, mishandling of information, or falling victim to phishing attacks. In more severe cases, insiders may deliberately compromise systems for financial gain. This, he noted, reinforces the need for continuous training and awareness within organizations, rather than a one-off compliance exercise. "Cybersecurity is not just about technology. It is about people and processes," he said. "If the people handling the systems are not properly trained, the system itself becomes vulnerable."

He added that many Nigerian organizations fail to invest adequately in building internal capacity, often prioritizing certification over competence. In contrast, he said organizations in more advanced markets treat cybersecurity as an ongoing operational priority, integrating it into daily business processes and decision-making. "In other environments, security is part of the culture," he said. "It is not something you remember once a year when auditors are coming." He pointed to international best practices such as continuous risk assessment, real-time monitoring, and incident response planning as areas where Nigerian institutions still lag behind. According to him, while some organizations adopt global standards such as ISO certifications or industry-specific frameworks, these are often implemented only to meet regulatory or contractual requirements. "They do what is necessary to get the certificate, especially if it is required to bid for projects," he said. "But the actual implementation, which is the day-to-day discipline, is where the gap is." He stressed that effective cybersecurity requires sustained investment, not only in technology but also in skilled personnel. "Security is not cheap," he said. "But the cost of not securing your systems is far greater."

Economic implications and opportunities

Edun also highlighted the economic implications of Nigeria's current cybersecurity posture, noting that weak data protection could discourage foreign investment. According to him, investors increasingly assess data security standards when deciding where to operate, particularly in sectors that rely heavily on digital infrastructure. "If you are asking investors to bring their business into your environment, they need to be confident that their data will be protected," he said. "If that confidence is not there, they will look elsewhere." He warned that repeated reports of data breaches, coupled with a lack of visible accountability, could damage Nigeria's credibility in the global digital economy. However, he noted that the situation also presents an opportunity for growth if addressed properly. According to him, strengthening cybersecurity across sectors could create significant employment opportunities, particularly for young Nigerians. "With the number of organizations that need to improve their systems, there is potential to create tens of thousands of jobs in cybersecurity and related fields," he said. He explained that every organization handling sensitive data would require trained professionals to manage risk, monitor systems, and respond to incidents. "This is not just about solving a problem," he said. "It is also about building capacity and creating an industry."

Call for enforcement and leadership

Despite the scale of the challenge, Edun maintained that the solution does not lie in creating new laws but in enforcing existing ones and ensuring organizations take responsibility for protecting data. He reiterated that regulators must move beyond issuing guidelines to demonstrating visible action. "What is needed now is not more policy statements," he said. "It is enforcement." He called for faster investigations into reported breaches, clearer communication of findings, and the application of sanctions where necessary. He also emphasized the role of organizational leadership, noting that boards and top management must take greater responsibility for cybersecurity. "Security should not be left only to IT departments," he said. "It is a governance issue." According to him, decision-makers must demand evidence of effective data protection measures, rather than relying on assurances or documentation. "The board must ask questions," he said. "They must want to see proof that systems are secure, not just hear that they are." He added that data protection officers within organizations should be empowered to carry out their responsibilities effectively, rather than being treated as a formality.

As digital services continue to expand across sectors, Edun warned that failure to address these structural issues could lead to more frequent and more damaging breaches. "The risk is increasing every day," he said. "And the longer we delay action, the more difficult it becomes to manage the consequences."

Individual rights and awareness

For many Nigerians, the scale of data breaches and the complexity of cybersecurity threats can create a sense of helplessness. However, Edun said individuals are not entirely without agency, even within a system that is still evolving. According to him, one of the biggest gaps in Nigeria's data protection landscape is not just institutional failure but public unawareness of rights. "The average Nigerian does not know that they have rights over their data," he said. "And if you don't know your rights, you cannot enforce them." He explained that individuals are entitled to ask organizations how their personal information is being collected, used, and stored, as well as how long such data will be retained. "Any time an organization asks for your information, you have the right to question it," he said. "What do you need it for? How will you use it? How long will you keep it?" He noted that in many cases, Nigerians provide sensitive personal details without hesitation because such requests have become routine across banks, telecommunications firms, government agencies, and private businesses. "That culture needs to change," he said. "People must begin to ask questions."

Edun also stressed that individuals have the right to request access to the data organizations hold about them, as well as the right to demand corrections or deletion in certain circumstances. "If you close an account with an organization, you should be able to ask what happens to your data," he said. "These are rights that people need to start exercising." Beyond awareness, he advised Nigerians to adopt basic digital safety practices, including the use of strong passwords, regular updates of account credentials, and caution when sharing personal information online. While these measures may not prevent large-scale institutional breaches, he said they can reduce personal exposure and limit the damage in the event of a compromise. Still, he maintained that the primary responsibility for data protection lies with organizations and regulators, not individuals. "You cannot shift the burden entirely to the user," he said. "The systems themselves must be secure."

Urgent need for action

Edun returned to his central argument that Nigeria's challenge is not a lack of frameworks but a lack of decisive action. He said the country has reached a point where continued inaction could have far-reaching consequences for its digital future. "This is a critical moment," he said. "We have the opportunity to address this problem now, or allow it to grow into something much more difficult to manage." He called on regulators to take more visible and decisive steps in enforcing data protection laws, including concluding ongoing investigations and making their findings public. "People need to see that something is being done," he said. "Transparency is important, not just for accountability, but for restoring confidence." He also reiterated the need for sanctions where organizations are found to have failed in their responsibilities. "Without consequences, nothing will change," he said. "There has to be a clear message that data protection is not optional." According to him, such actions would not only improve compliance but also strengthen trust in Nigeria's digital ecosystem.