Oriyomi Badmus, a DevOps-focused cybersecurity engineer, believes Nigeria stands at a dangerous crossroads.
Though the country is one of Africa’s technological giants, it remains acutely vulnerable to rising digital threats. The laws exist, he says, but enforcement is weak, and key systems remain exposed.
To demonstrate the scale of the issue, he points to a string of high-profile failures.
In April 2024, thousands of micro-payments began flooding dormant bank accounts. By dawn, Flutterwave confirmed that roughly ₦11 billion had disappeared through a maze of low-value transfers, each small enough to avoid tripping fraud-monitoring systems.
Two days later, the digital rights group Paradigm Initiative uncovered AnyVerify.com.ng, a website selling sensitive personal data like Bank Verification Numbers, passport details, and driver’s licences for just ₦100. The NDPC launched a formal investigation following public outrage.
Around the same time, a public agency suffered a similar lapse. At the Plateau State Contributory Healthcare Management Agency (PLASCHEMA), an AWS console revealed 45 GB of unprotected personal health and ID records for over 37,000 patients. The data sat open for nearly four months before being secured. Despite official denials, forensic logs confirmed the breach.
“These three incidents from different sectors (one fintech heist, one data-for-sale site, and one public health leak) show just how porous our systems have become,” Badmus says. “We guard the centre of town but leave the backstreets wide open.”
On the surface, Nigeria’s legal framework seems robust. The Nigeria Data Protection Act (NDPA) 2023 mandates breach reporting to the NDPC within 72 hours, and the Central Bank’s Risk-Based Cybersecurity Framework enforces annual pen tests and rapid incident disclosure among financial institutions.
But he highlights a quiet loophole in the NDPA. Only organisations classified as “Data Controllers or Processors of Major Importance” are legally required to appoint a Data Protection Officer. The rest are only encouraged. The result, he argues, is a two-tier internet: secure for the giants, fragile for everyone else.
Further complicating matters is regulatory fragmentation. Banks report to the Central Bank of Nigeria (CBN), telcos to the Nigerian Communications Commission (NCC), and energy firms to the Nigerian Electricity Regulatory Commission (NERC). There’s no unified threat picture. “It’s like trying to watch the same storm on three different radar screens,” he says.
Meanwhile, the talent pipeline isn’t keeping pace. With fewer than 8,300 certified cybersecurity professionals, Nigeria struggles to secure a digital ecosystem that serves over 107 million users and more than 140 million active data subscriptions.
By contrast, Badmus notes that countries like the United States, United Kingdom, and Singapore treat cybersecurity as critical infrastructure that is audited, standardised, and publicly funded. Breaches of this magnitude would trigger swift, coordinated responses across agencies.
In response to Nigeria’s growing exposure, he has drafted a Cyber Hygiene Playbook, a six-point policy proposal designed to convert legislation into day-to-day resilience. It blends international best practices with Nigeria’s unique realities.
1. Publish breach metrics responsibly. Convert the NDPC portal into a quarterly anonymised dashboard by sector, breach vector, and remediation status. Companies should be named only after investigations close.
2. Adopt a national Minimum Cybersecurity Standard. Extend CBN-level requirements (asset inventories, annual pen testing, and 24-hour incident reporting) to all critical sectors, including healthcare and cloud services.
3. Launch a “Cyber 30-30” workforce pledge. Train 30,000 certified cybersecurity specialists and upskill 300,000 IT professionals by 2030 via scholarships, apprenticeship tax credits, and subsidised exams.
4. Mandate secure-by-design procurement. Require software vendors selling to government to submit OWASP Top 10 reviews, SBOMs, automated code scans, and signed commits, following the U.S. Executive Order 14028 model.
5. Create ngCERT+, a federated national CERT. Integrate sectoral CERTs (NigFinCERT, NCC-CSIRT, Energy-CERT) into one 24/7 national hub, with shared STIX/TAXII threat feeds and a unified public advisory platform.
6. Reward and insure good behaviour. Offer licence fee discounts or tax incentives for SMEs that meet minimum cybersecurity standards. Launch a cyber-insurance pool with lower premiums for verified compliance.
“The laws are young but solid,” Badmus says. “But discipline will decide the rest. Either we all practise it or we all anticipate the fallout.”
Having worked at the intersection of engineering and policy, he’s seen what happens when good laws go unenforced and what’s possible when collective action builds security into the fabric of a system. For him, this is not just a policy debate. It’s a hinge moment for the country’s digital future.