Nigeria: Nigeria faces N12bn annual cybercrime losses as 4,000 attacks hit weekly

By Zuleihat Owuiye, Mamos Nigeria

Nigeria’s digital economy is expanding rapidly, but its security defenses are lagging behind, leaving the country increasingly vulnerable to cybercrime. According to new data from the Nigeria Data Protection Commission (NDPC), the nation now records more than 4,000 cyberattacks every week, with estimated financial losses reaching N12 billion in 2024 alone.

The figures were presented at the IoT West Africa Conference 2026 in Lagos, where regulators and cybersecurity experts highlighted the growing gap between digital innovation and infrastructure protection. Officials warn that without urgent investment in local data infrastructure and stronger compliance frameworks, Nigeria risks both economic leakage and compromised national security.

Nigeria’s digital economy is currently valued at $18.3 billion and contributes nearly 20 percent to the country’s GDP. Growth is being driven by widespread mobile connectivity, the rise of artificial intelligence, and the adoption of Internet of Things (IoT) systems across sectors such as finance, telecommunications, and public services.

But this expansion has also made Nigeria one of Africa’s most targeted cyber environments, accounting for about 45 percent of reported cybercrime incidents on the continent. Attack patterns range from phishing and ransomware to business email compromise, distributed denial-of-service (DDoS) attacks, and identity theft.

“Cyberattacks are now occurring every 39 seconds globally. No economy that depends on digital infrastructure can afford to ignore this reality,” said Dr. Vincent Olatunji, National Commissioner and CEO of the NDPC.

He stressed that data has moved beyond being a mere asset to becoming critical national infrastructure. “Regulatory and physical infrastructure must evolve to match the pace of digital growth,” he said, pointing to the need for stronger protections as the global digital economy is projected to reach $28 trillion by 2026.

The NDPC report revealed that nearly 90 percent of the country’s data is hosted outside Africa, forcing Nigeria to spend an estimated $850 million annually on offshore cloud services.

This reliance creates multiple risks, from reduced regulatory control and increased latency to national security exposure. It also represents a significant outflow of foreign exchange at a time when the government is pushing for greater digital self-reliance.

“Data sovereignty is not optional. It determines who controls national information, who profits from it, and how secure citizens are in the digital space,” Olatunji said.

The issue is compounded by Nigeria’s limited domestic data centre capacity. The country currently operates about 26 data centres with a combined capacity of 136.7 megawatts. While this is projected to rise to 279.4 megawatts by 2030, regulators say it remains insufficient to support the demands of emerging technologies such as AI, cloud computing, and large-scale IoT deployments.

Key players in the sector include Africa Data Centres, Open Access Data Centres, Rack Centre, MDXi (Equinix), MTN Nxtra, and 21st Century Technologies. However, scaling up capacity will require substantial investment and policy support.

In response to the growing threats, the NDPC has introduced stricter compliance obligations under the Nigeria Data Protection Act (NDPA) 2023 and the Global Artificial Intelligence and Data Governance (GAID) 2025 framework. These include mandatory breach reporting within 72 hours, ISO certification requirements, and regular audits for data controllers and processors.

Olatunji said the new rules are designed to raise the bar for data protection and cybersecurity across both public and private sectors. “Compliance is no longer optional. Organizations that handle personal data must demonstrate that they have adequate safeguards in place,” he said.

The commission is also pushing for greater localization of data storage to reduce dependence on foreign infrastructure and improve regulatory oversight. This aligns with broader government efforts to strengthen digital sovereignty and retain economic value within the country.

Cybersecurity expert Dr. Peter Obadare warned that Nigeria’s rapid pace of digital innovation is inadvertently widening system vulnerabilities, particularly in the financial and payments sector.

“When we talk about regulation, innovators often think it is too much. But in cybersecurity, regulation is not excessive, it is necessary,” Obadare said. “Many systems remain exposed due to weak design and poor security implementation. Attackers are increasingly exploiting structural flaws rather than relying on sophisticated techniques.”

He noted that while startups and tech firms are focused on speed and scalability, security is often treated as an afterthought. This has left critical infrastructure exposed to relatively simple but damaging attacks.

Industry analysts agree that cyber threats are evolving from basic fraud to more complex and targeted operations. In many cases, weak system controls and poor user awareness remain the primary enablers, rather than advanced hacking methods.

The N12 billion in annual losses represents more than just financial damage. It undermines consumer confidence, disrupts business operations, and deters foreign investment in Nigeria’s tech sector. For small and medium enterprises, a single cyber incident can be enough to force closure.

At the national level, the outflow of $850 million annually for offshore cloud services represents a missed opportunity for local job creation and infrastructure development. Experts argue that building domestic data capacity could help retain this capital while improving service reliability and security.

There is also a reputational risk. As Nigeria positions itself as a leading digital hub in Africa, persistent cybersecurity incidents could weaken its standing among global investors and partners.

Experts say addressing the crisis will require a multi-pronged approach. First, there must be increased investment in local data infrastructure to reduce dependence on foreign cloud providers. This includes both public and private sector funding, as well as incentives for local operators to expand capacity.

Second, cybersecurity must be embedded into the design of digital systems from the outset, rather than added as an afterthought. This means adopting secure coding practices, conducting regular security audits, and training staff on cyber hygiene.

Third, regulatory enforcement needs to be strengthened. While the NDPA 2023 provides a solid legal framework, effective implementation will depend on the capacity of the NDPC to monitor compliance and penalize violations.

Finally, public awareness and digital literacy must be improved. Many cyberattacks succeed because users fall for phishing scams or use weak passwords. Educational campaigns targeting both individuals and businesses can play a key role in reducing exposure.

As Nigeria continues to digitalize its economy, the balance between innovation and security will become increasingly important. The NDPC has signaled that it will take a firmer stance on compliance, but industry players say collaboration between government, private sector, and civil society will be essential.

For now, the message from regulators is clear: Nigeria’s digital future depends not just on connectivity and innovation, but on building a secure and resilient infrastructure to protect it.