The Current State of Cybersecurity Readiness in Nigeria Organizations – Adamu A. Garba and Aliyu M. Bade

15 min read

Summary: Cybersecurity awareness is becoming increasingly important in today’s environment, as cyberattacks are increasing at an unprecedented rate. This attack manifests itself in a variety of ways. Any sector can be a prime target of an attack, hence precautions must be taken to reduce the impact of any attack.


The emergence of cybersecurity is mature as the transition of the computer, any information that is transmitted
through the internet is at risk of getting compromised without the knowledge of the sender. The emergence of
cybersecurity is subjected to the advancement of the cyber domain in the 1950s (Tikk-Ringas, 2015). Any
information stored in cyber-space is subjected to intrusion, it includes financial, military, government, and
individual. Security breaches occur as a result of the new development of either hardware or software. This new
device results in new vulnerabilities. (Garba A.A. et al., 2020). Cybersecurity is a method of protecting
organization assets, through the identification of threats that can compromise the critical information stored in
the organization systems, it also involves the protection, identification, and responding to threats The use of
cyber as cyber power as weapon has also been used by the Russian in 1980s when it attaches 400 military
computers include the pentagon computers, this resulted to new demission being added to the research of
cybersecurity (Dunn Cavelty 2012; Rueter 2011; Taylor et al., 2014). The field of cybersecurity emerged as a
result of Robert Morris testing the worlds’ network vulnerability in 1980 when he uses a virus he created to test
the size of the internet. His work leaves or indicates major loopholes of cybersecurity in the world of the internet
(Healy & Grindal, 2013).

The 21century is regarded as the saturation stage of cybersecurity because it provides solid premises for the
development of new theories in cybersecurity as the world becomes more connected. Sometimes the world
cyber is not only refers to as technology but also a political idea that is cantered in the numerous technologies.
Cyberspace has been functioning as a financial marketplace, political background, and also as social scene by
utilizing the potential of the sector (Moody et al, 2018: Weishaupl, et al., 2018). Today, the world is so
connected that a person from one continent can see or video chat with another person in another continent, also
people connect to the internet using their phones, computers, cars, etc., even employees come to connect with
the outside world as their workplaces. Some organizational operations are performed remotely nowadays as
contractors or stakeholders can communicate a thousand miles away from the location of the company. All these
are possible and it makes life more easy and enjoyable but at the same time if there is no control over the
devices the infrastructure of the workplace is in danger of any cyber-attacks. People now connect to public WiFi to do their business anytime and a huge amount of personal data are being processed over the unprotected
medium. The organization is most vulnerable to cybersecurity attacks because employees can compromise the
network of the organization through the connection to the internet. According to Langer (2017). Stated that
organizations are required to adopt an optimized security measure that works within and outside the network to
protect their sensitive information. Also, the organization needs sophisticated machines to detect infrequent
behaviors’ from employees and security levels that protect all access points or control the access point (Taylor et
al., 2014).

The existing communications channels or mediums mostly use are not that secure as well thought, therefore,
extra measures are required by any organization to protects their information, and also employees’ behavioral
patterns bust be monitored as well. Cybersecurity has become a necessity for all to learn the basic tricks on how
to protect their personal information (Garba et al., 2020). This paper aims to identify how readiness Nigeria is when it comes to cybersecurity and the current world cybersecurity index. This paper is further subdivided into
the following: section II as an evolution of cybersecurity, Section III Worldwide Index in Cybersecurity, Section
IV as Existing Research in the field of Cybersecurity in Nigeria, Section V Commonly Cyber-Attacks on
Organizations, section VI as Nigeria Main Cybersecurity Issue Reports and finally Section VII as Conclusion.

Evolution of Cybersecurity

Cybersecurity has undergone profound changes in recent years, huge investment has been putting in place to see
how to strengthening security to ensure that the organization’s sensitive information, data, and other assets are
properly secured. Initially, in the 1980s and the beginning of the 1990s security is highly focused on protecting
users’ computers and operating systems, it focuses on protecting the devices against malicious code or viruses
which can affect the working of the computer. After the emergence of the internet, organizations’ enterprises
started to work on how to secure network connectivity. The idea of being connected makes the emergence of
many vulnerabilities that could be misused by an attacker. An attacker aims to access vital information via a site
or system or channel where no one had thought of protecting to reach or infect a system through the use of
malware or any other mechanisms. This attacker can attack individuals, organizations, state, and a nation just to
get access to critical information using a sophisticated method or by buying a program on the deep web for the
exploitation of vulnerabilities to obtain that information. Many organizations have tried to protect their
information using technological approaches as Peppard &Ward (2016) states, those technologies are as follows:

• Intrusion Detection System (IDS): these systems are used to monitor and detect accesses that are not allowed in a network ( Effendy et al., 2017)
• Intrusion Prevention System (IPS): these systems are used to monitor traffic to detect attack vectors in a network by blocking them. Honeypot is the best example, where venerable computers that do not have
critical information are designed to attract and detect attackers (Jin et al., 2013)
• Security Information in Event Management (SIEM): this system is used for event correlation and alert generation, by integrating different devices, launching actions according to the set alerts, and keeping the
record for further analysis.

There are always new attackers’ vectors, therefore organizations must make a concept to protect their assets as
information security evolves. Organizations must invest in information security so that to have security policies
designed and integrated into the strategic plans of the organization’s operations (Moody et al., 2018).
Organizations should always understand or know how much their critical assets worth, business processes, and
the kind of likely security breaches that could lead to an attack. Threats cannot be stopped but rather be
minimize, therefore the organization must know the state of all their security stand at all times to know how to
minimize it to bring it to a residual level. Moreover, the organization must define and integrate security policies
into strategic plans, a risk to critical assets must be quantified, and business continuity must be identified in the
event of an attack as well as disaster recovery plans. Today, there are major four threats identified to cyberspace,
According to Tagarev and Stoianov, (2017). Which are
• Threats to people’s assets
• Threats to organization assets
• Threats to virtual goods
• Threats to infrastructures

Computer networks developed in the 1960s by the Agency of Research and Advanced Project (ARPA) and the
evolution of the third generation of computers in 1965 made the computer more compatible and popular when
the internet is developed during the ARPA project interconnecting large computers in the US, from there the
knowledge of the internet get popular. In the 1980s, due to the complexity of the computer, the UK government
created a best practice model for information management which is the Information Technology Infrastructure
Library (ITIL), subsequently, HP company adopted the best practice and made it popular, in 1995, the term
computer security become popular as the US release control of the internet act and by 1997 Charles Plefeer
generated a classification of information security properties, which are Confidentiality, Integrity, and
Availability (C.I.A). The beginning of policies and standard designs started from 2005 when the ISO/IEC 27000
family of the standard was created for the information security management system, followed by the
International Telecommunication Union of the US generated the ITU-T X.1205 standard as Data Networks for
Communication of Open System and Telecommunications Security in 2008 and many others follow like the
ISO/IEC 27032 in 2012. These standards make it easy by providing an overview of cybersecurity defined as a set of tools, policies, security concepts, security safeguards, guides, risk management, action, best practices, and
technology that can be used to protect the assets of an organization and also the use of cyberspace. The growing
recognition of the internet as one of the basic infrastructures for economic and social development in many
organizations has made researchers focus on how to deals with this emerging technology. Cybersecurity is more
technical perceptions that cover the challenges of securing the organizational infrastructures by offering a
solution to the internet security problems, routing, system authentications, and DNS (Denardis & Raymond,
2013). According to Dunn, (2016), stated that most academic production in the discipline can be divided into the
following groups’ Formulation of policies, generally in the field of the “think- tanks”. Studies focused on the
relationship between information and power (Day, 2001) Production of insecurity on the internet on the internet
based on surveillance practice and censorship (Deibert and Rohozinki, 2010) Studies on the creating of threats
in cyberspace (Hansen & Nissenbaum 2009). Recently, attention has been given to the link between internet
governance and cybersecurity, because cybersecurity problems have challenged internet governance institutions
like jurisdictional conflicts (Mueller & Klein, 2014). Therefore, it is important to establish the link between
cybersecurity and the level of awareness regarding it, firstly, are there any policies or strategies regarding
cybersecurity and cyber law in Nigeria, this is a good starting point so that it will help the researcher to find out
their such documents exist and are familiar to all organizations in the country.


The growth of the internet has allowed for the development of technical structures, cyberspace has been part of
everyday life and therefore information technology has become an essential factor for advancement.
Cybersecurity is nowadays a concern to companies due to the continuous breaches which result in the theft of
data and destroying critical assets (Johnson, 2016). These attacks can cripple the financial institution and the
economy as well. Africa is growing in consumer credits, but lack of data protection serves as a major problem
(Makulilo, 2016). Out of 54 or 55 countries as African Union recognizes 55 while the UN recognizes 54, only
16 countries have data protection and the most unfortunate Nigeria is not one of those countries and also Nigeria
is part of the top 10 leading countries in the world leading in reported cybercrimes. Cybercrime refers to any
unlawful activity by using the internet as means and additionally any illegal activity that uses a computer to gain
improper benefits. Cybercrimes have long lowered the reputation of Nigerians worldwide (Ibikunle & Eweniyi,
2013) these threats have increased exponentially as the dramatic rise of mobile communication, the drive of the
banks in the country to introduce careless economy, using internet technology in the government and online

According to Andoh et al., (2014), they suggested that elected and state governments, the public organization
well as privates all have parts to play through the enactment, the reception of international standards, creating
awareness, and information and intrusion crusade in other to deal with cyber threats and ensure zero resilience
in the misuse of the internet. Right now, the most used cybercrime that goes unchecked is electronic fraud where
is equipped for taking all individual or cooperate bank account and sent a wrong flag against the monetarily
related incorporate drive (Orji, 2012). The word “419” is associated with Nigerian Computer Advanced Fee
Fraud. The CBD recent introducing of Bank Verification Number (BVN), to reduce the number of account
individual or organization can manage, and the creation of the Nigerian Electronic Fraud Forum, Nigerian
Interbank Settlement System (NBISS), and Deposit Money Banks(DBM) all in the name of protecting
customers financial transactions, but scammers turn out to be faster in reaching their goals by defrauding the
clueless customer of banks and other financial instruction in the country billions of naira. A critical part of
cybersecurity is communication, which is lacking in Nigerian organizations. the power of cybercrime hacking
networks depends on their need to share privileged data by exposing or selling to organizational rivals who
restrict correspondence with their companies due to fear of rivalry. The next section will explain more on the
issues reported regarding cybercrime activities and how much losses they cost to both government and


According to Korte, (2017), $500 billion was lost annually by cybercrime and the numbers keep on increasing
as institutions continue to adopt the internet in carrying their business processes. The most wieldy attacks are the
return of Ransomware, According to Wueest, (2017): Richardson and North, (2017), states that Ransomware is
a style of cyber-attack that is known as information hijacking, where the attacker uses a code to get access to the
organization’s server and then demand a payment to give access back to the data if payment is not made the
attacker destroyed the data or sell it online. Other attacks include Advanced Persistent threats. Nigerian
financial organizations have used these chances to grow their e-business through the use of the internet and
mobile applications, which has also lead to an increase in cybercrimes. The most recent cybercrime using
mobile devices in Nigeria is the SMS sim splitting or swapping technique, where a hacker takes over users’
identity after gaining access to their cell phones. The hacker then downloads financial applications and log in
using stolen credentials through a social engineering approach.

The following attacks mostly are aimed at the customers especially those that have less knowledge of the cyber
world or the financial institutions with sole to sell or distrust transactions.

• Viruses: A virus is a malicious program that is designed to infect other files on the system to change or
make them useless, for this virus to work the user must activate it by clicking on the file, some of its
purposes include: getting the password, deleting all computer files and denial of service attack.
• Malware: Malware is a malicious code designed, where it is installed and executes without the knowledge
of the owner. The most common usage of this attack is to get personal data and electronic benefits, it can be
operated automatically or remotely control.
• Worm: the worm is a malicious program that can replicate itself and can spread over a network. The worm
has the same agenda as the virus
• Trojan: A Trojan is a small hidden program in another program. The program gets installed by the user
without noticing it and it can perform various activities without the consent of the user (Aliyu, et al, 2014).
• Browser Hijacker: Browser Hijacker is a program that is designed to make changes to the configuration of
the web browser e.g. changing the normal home page of a website to an advertising page
• Dialer: Dialer is a hidden program designed to connect to the internet through a modem thereby allowing
the hacker to make calls to phones at a special rate.
• Backdoor: backdoor is a program whose main intention is to open computer access to the malware
developer, ignoring the main or genuine process of authentication. The program makes it easier for the
attacker to control the attacked device remotely
• Spyware: spyware is an application designed purposely to collect personal or organizational data. This
application aims to get information and sell it to a third party
• Keylogger: Keylogger is an application that is used to store all keystrokes so that hackers can capture
sensitive information like banking details or passwords.
• Masquerading: Masquerading is a cyber-attack where a hacker overrides the identity of any system to gain
access to the resource stored in the system. An attacker can impersonate a base station network by emitting
a signal of more power than the actual legitimate user.
• Denial of service / Distribute Denial of Service( Dos/DDoS): Dos/DDoS is one of the most used cyberattacks, in this attack the hacker or attacker makes network service unreachable or unavailable to the
legitimate users, or service interruption. This attack mostly is used to attack financial organizations, airlines,
and other reputable organizations. This attack makes a normal site temporary out of service by sending
many requests to the server, which makes it busy, zombies’ term is used where a non-stop request is sent to
the server and makes other systems act like zombies.
• Phishing: Phishing is used by an attacker to deceiving the user to provide their access keys to a malicious
site, thinking is a legitimate site. According to Miedema (2018) stated that phishing is a much more
elaborate attack and is often exposed as a clear example of so-called social engineering.
• Eavesdropping: Eavesdropping is an attack where the attacker obtains information from the
communication channel, where he is neither the emitter nor the receiver. It is referred to as a passive attack. The
information obtained can be used to perform another attack called masquerading. The above-explained attacks
are not the only cyber-attacks, but those are the most frequently used by most attackers in attacking financial
organizations and also other organizations as well. Even though organizations may focus on protecting their
networks and critical assets, employees or customers especially financial institutions are being left out of the
loop or often neglected unknowingly they might be the weakest link to the organization networks. Today as
everything mostly depends on the internet it is therefore responsible for everyone to try to protect their data,
organizations need to educate consumers and employees about the risk and the measure they can take to protect
their personal information and to be familiar with the recent cyber-attacks.


Based on the Nigeria n cyber Security report 2016 by Serianu agency, Nigeria has a total number of 97,210,000
internet users and subscribers as of 2016 with the increase of users’ cyber threats and attacks also increases, the
estimated cost of cybercrime is $550M and with less than 1550 estimated No. of Certified professionals and
122,292,079 i.e. 60.9% as of June 2019 is the top 6 countries in top 20 internet users in the world (Internet
World Stats, 2019). Among the top 5 priorities from 2016 regarding cyber Security challenges in Nigeria are:
Awareness and training, continuous monitoring and log analysis, vulnerability and patch management,
continuous risk assessment and treatment, and managed service, and independent review (Serianu, 2016).
Besides, among the top 10 Africa’s cybersecurity challenges in 2018 is lack of Employee Security awareness as
the survey shows, were Over 300 respondents across organizations in Africa precisely in Nigeria participated in
the survey which includes: academic, government, banking, healthcare, cybersecurity service sector, financial
services, legal advisory, telecommunication, private sector. based on the survey many expert answers similar to
a particular question.

Table 1.3 Nigerian Cybersecurity Issue Survey Result

Aashiq Shariff
Raha –Liquid telecom Ltd,
what should African countries/
universities focus on to inspire
innovation in the development of
cybersecurity solution
Conduct the awareness and ready with
a solution, the solution depends on the
In African what are the top 2018
cybersecurity priorities for African
countries and organization
Awareness and information sharing.
Also collaboration between
government and private companies in
addressing cybersecurity issues
Henry Kaya
Assistant Commissioner of
Cyber Security Unit
What would be the top priority to
address cybercrime across the
African continent?
Public and private organization to
intensify awareness campaigns, also
investment should be increased in
securing IT system
John Ayora
Director, Information Systems
Bank of Africa Group
what are the top 2018 cybersecurity
priorities for African countries and
Invest in user training and awareness
programs, also invest in effective
cybersecurity product and solution
Brady S
Associate Director,
Digital transformation and
cybersecurity led by Finetech
Groupe (Senegal)
Considering the shortage of skilled
resources in Africa, How can we
limit the impact of the Ransomware
Investing more in raising awareness
and training end-user who is, as
always the weakest link of the chain.
from the African context, what are
the top 2018 cybersecurity
priorities for African countries and
Set up a national CERT. Awareness
and training

From the above table 1.3. it shows some response of security experts, the almost same question was ask
regarding the best approach to tackle or minimize cyber Security issue from an African point of view and up to
Nigeria n context, from the above responds its shows almost 95% of the respondents have the opinion that:
Awareness training is the main driving force that will make everyone familiar with the issues and danger of
cyber-attacks to their companies. Some respondents also have the view of an increase in budget to IT so
technical measures will be included too. Respondents from Nigeria in context also have the opinion that the best
approach in dealing with cybersecurity issue in Nigeria is “Education and awareness is the best approach,
once a common man is aware of this, he will be careful.” from this, we will see that the first step in dealing

with cyber Security is by educating both public and private personal on the danger of cyber-attacks, before
applying any technical measures, because if only technical is visible if the knowledge of cyber-attacks are
limited then the user themself will pose a threat to the organizational asset. Therefore, according to Ben Robbert
the Chief Technical Officer, Liquid Telecom Group, Kenya says in responding to the question what are the top
2018 cybersecurity priorities for African countries and organizations he answered “My top3 priorities are
education, education, and education. All organization needs to make sure all employees are aware of
cybersecurity risk. Many organizations are vulnerable to cybersecurity attacks because students might
compromise the network of the university by connecting to the internet(Garba et al., 2020).


In conclusion, from the above literature, it indicated how cybersecurity knowledge is essential in all aspect of
life, precisely in Nigeria from the above opinions by various experts in the field, its shows that Nigeria has
policy and strategy to combat cyber Security but most organization are not following it, due to lack of proper
awareness to the employees on the issue of a cybersecurity threat, also the general public as a whole are less or
have no knowledge on the dangers of cyber-attacks and tend to ignore it. This research also indicated the way
forward is “education on cybersecurity” i.e. proactive cybersecurity awareness programs are needed to be
implemented all over the section to increase the awareness level and minimize basic cybersecurity attacks.

Recommendation(s) To minimize basic cybersecurity attacks, proactive cybersecurity awareness programs are needed to be implemented all over the section to increase the awareness level.

Source: International Journal of Multidisciplinary and Current Educational Research

Keywords: cybersecurity, Awareness level, Nigeria, cyberattacks, cybersecurity index.

Leave a Comment

Your email address will not be published. Required fields are marked *