Nigeria has made giant strides in how it thinks about cybersecurity. In recent times, there have been National strategies, awareness campaigns, and institutional frameworks which did not exist before.
The progress is applaudable but it has also created a dangerous assumption: that stopping attacks is the same as being ready for them; which points to being more reactive than proactive.
Modern cyber incidents are not rare events and occur more often than is reported. No matter the tools or control put in place, the salient question is no longer whether an organisation or a country will be breached, but when and what happens following this.
Prevention is Necessary, but it is Not the Test
Cybersecurity policy in Nigeria has understandably leaned toward prevention. Protect systems – Raise awareness – Reduce exposure. Noticeable examples of this can be seen in the way Nigerian banks and fintechs approach this as I get awareness emails nearly every week about protecting my account and scammer tactic awareness.
These are sensible goals, and they remain important but prevention only answers one question: can an attack be stopped?
Incident response on the other hand addresses the bigger elephant in the room: when an attack succeeds, can the damage be contained?
In practice, the second question is where the greatest national risk lies.
How Modern Cyber Incidents Actually Unfold
Today’s most damaging cyber incidents are rarely the result of exotic technical exploits. Business email compromise, ransomware, insider attacks, and supply chain attacks routinely bypass preventive controls, especially as AI is now being used to coordinate these attacks.
When these incidents occur at scale, they do not respect organisational boundaries as they transcend sectors, disrupting services, forcing decision makers to take actions under pressure often with incomplete information.
At this point, leadership, coordination, and clarity are significantly more important than shiny cybersecurity tools.
What Happens During a Major Incident in Reality
During large cyber incidents, organisations often face the same problems, regardless of sector.
- Who is in charge of response decisions?
- What steps are to be followed? Do the steps include guidance if on a weekend?
- Who is authorised to communicate externally?
- When should regulators be notified, and how?
- How does information move between affected organisations?
In many cases, the answers are unclear or improvised. Response efforts become fragmented and all over the place as panic sets in.
Each organisation operates in isolation, even when the threat is shared cross sector as in the case with banks.
Delays compound damage often because actual response capabilities have never been tested in table top exercises nor under pressure.
These are gaping operational gaps that need to be filled.
Why Incident Response Capability Has Lagged
There are several reasons incident response has not received the same policy attention as prevention. First, the response bores some uncomfortable truths executives are not willing to admit. It forces acknowledgement that controls will fail and even IT auditors rarely acknowledge this to be true.
Many organisations and institutions are still culturally oriented toward avoiding that admission with the “God forbid” mindset and often believe that IT Audits solve the majority of their cybersecurity problems.
Second, a good incident response is hard to measure. It cannot be reduced to checklists or procurement milestones. It requires people, rehearsals, spending in cases of failovers to alternate infrastructure and decision-making authority.
Third, policy frameworks often treat cyber incidents as exceptional events rather than inevitable ones. As a result, readiness is documented, and not tested either.
Finally, there is an over-reliance on technology. Tools are acquired, fancy dashboards are deployed and displayed, but the human systems required to use them effectively during crises are underdeveloped and sometimes, ill trained.
Executives are often content with seeing and displaying fancy SOC metrics on large screen TVs in their offices than actually carrying out incident response tests with those tools.
What Policy Needs to Prioritise Next
If Nigeria is serious about cyber resilience, policy emphasis must evolve. Incident response capability should be treated as a core national competency with clear expectations and practical mechanisms, not an organisational afterthought.
High-risk sectors such as banks should be required to demonstrate incident response readiness, not just compliance and audits. This includes defined leadership roles, tested escalation paths, testing security tooling for recovery purposes and realistic recovery timelines. National and sector-level cyber incident simulations should be routine, not symbolic and must be made in ways that expose weaknesses that policies cannot predict.
Coordination responsibilities between government bodies, regulators, and private organisations should be explicit.
Ambiguity is a liability in time sensitive cyber incidents and every one who is part of the incident response process should know exactly what their roles entail and what to do.
Finally, reporting obligations should support rapid response and learning, not fear of penalty. When organisations delay disclosure to protect themselves, or try to downplay the situation, everyone becomes less safe.
The Cost of Ignoring the Response Gap
Weak incident response capability carries real consequences especially in Nigeria where consumers rarely have brand loyalty following years of distrust of corporations. Businesses suffer prolonged disruption and customers lose trust in digital services which was especially seen when crypto Fintech, Patricia, suffered a cyber attack in January 2022.
Investors quickly question the resilience of the digital economy and consumers quickly look to pivot from the company. Public confidence erodes as recovery is often slow, chaotic and communication often leaves the public in a limbo with social media influencers quickly leading the charge and driving the narrative.
Cybersecurity maturity is not defined by the absence of incidents but by how effectively they are handled when they do occur
From Paper Readiness to Real Readiness
Nigeria’s cybersecurity journey has reached a critical point as she prepares for a digital future. The limiting issue is now operational readiness rather than strategic desire.
Although it is no longer the deciding factor, prevention will always be important. The countries and organisations that embrace failure as inevitable and are ready to act decisively when it occurs are the ones who will “prosper” digitally.
Oludolamu Onimole is a Cyber Operations Analyst.
