Nigeria Faces 12 Million Cyberattacks in 2024 — Businesses Count the Cost

Cybercriminals launched more than 12 million attacks against Nigerian businesses in the first three quarters of 2024, according to data from the Nigeria Communications Commission. The surge has exposed deep vulnerabilities in the country's digital infrastructure and raised alarms among regulators, banking executives, and foreign investors counting on Africa's largest economy to deliver growth. In Lagos alone, financial institutions reported a 37.8 percent rise in attempted breaches compared to the same period last year.

The anatomy of an outbreak

The attacks span multiple vectors: phishing emails designed to trick employees into handing over credentials, ransomware that locks systems until a payment is made, and distributed denial-of-service strikes that overwhelm servers with traffic. The Financial Institutions Training Centre, a body that works with banks on staff development, warned in an October report that organised groups operating from abroad were increasingly targeting Nigerian firms as they modernised their operations without matching security upgrades.

"The acceleration of digital adoption during and after the pandemic created a much larger attack surface," said Dr. Aminu Aliyu, director of the Cyber Security Experts Association of Nigeria. "Many organisations went digital quickly, but their defenses did not keep pace."

Banking sector bears the brunt

Nigeria's commercial lenders have become the primary targets. The Central Bank of Nigeria recorded 2,841 confirmed cyber incidents among deposit money banks between January and September, up from 1,534 in the full year 2023. Attackers focused heavily on payment infrastructure, knowing that disruption to mobile banking and USSD channels — used by tens of millions of Nigerians who lack smartphone access — would cause maximum damage and extract the highest ransoms.

One major Lagos-based bank, which requested anonymity to avoid further exposure, confirmed it had set aside an additional 15 percent of its annual IT budget for incident response and system hardening. Industry insiders estimate the sector as a whole has spent more than $180 million on emergency security measures this year.

The Central Bank issued new guidance in August requiring all licensed financial institutions to maintain minimum cybersecurity baselines, conduct quarterly penetration tests, and report breaches within 24 hours. Institutions that fail to comply face fines and potential licence suspension.

Small businesses pay a hidden price

While headlines focus on bank heists, smaller enterprises bear a disproportionate burden. The Nigeria Association of Small and Medium Enterprises estimates that more than 60 percent of businesses with fewer than 50 employees have no dedicated IT staff. When ransomware strikes, many simply pay the demand to retrieve customer records and operational data — or shut down entirely. The association recorded a 22 percent increase in business closures attributed to cyber incidents in the second quarter.

In Abuja, a software company with 12 employees told reporters it lost three weeks of work after attackers encrypted its client billing system. The founders paid the equivalent of $8,000 in cryptocurrency to regain access, a sum that nearly bankrupted the firm. "We had no insurance, no backup plan," said co-founder Chinedu Eze. "We were lucky to survive."

Regulatory patchwork and enforcement gaps

Nigeria's data protection law, passed in 2019 and administered by the National Information Technology Development Agency, was designed to create accountability for breaches. But critics argue enforcement remains weak. The agency levied fines totaling just 340 million naira — roughly $220,000 — against offending organisations last year, a fraction of what compliance failures ultimately cost the economy.

The Senate Committee on ICT and Cybersecurity held a public hearing in November where officials from the Ministry of Communications called for stronger penalties and expanded funding for the Nigerian Cyber Security Response Team. Committee chair Oluremi Tinubu acknowledged that the country was operating with outdated laws that predated many of the attack techniques now in use.

International dimensions

Nigeria's exposure reflects a continent-wide problem. The African Union's 2024 Cybersecurity Report ranked Nigeria third on the continent for recorded incidents, behind only South Africa and Kenya. Cross-border cooperation on cybercrime investigations remains limited, and many Nigerian threat actors face prosecution only if they travel to countries with extradition treaties.

Western governments have taken notice. The United States embassy in Abuja issued a security advisory in September warning American companies operating in Nigeria to review their incident response plans. The UK Foreign Office updated its travel guidance to include cybersecurity advice for business visitors for the first time.

International firms considering Nigerian investments cite cyber risk as a growing concern in due diligence surveys. A January report by the African Development Bank listed digital infrastructure weakness among the top five factors deterring foreign direct investment in West Africa.

The path forward

The government has proposed a National Cybersecurity Act that would centralise incident reporting, establish a fund for critical infrastructure protection, and create a dedicated cybercrime tribunal to speed prosecutions. The bill cleared the House of Representatives in October and awaits a Senate vote scheduled for February 2025.

Industry groups are pushing for mandatory cyber insurance, which remains rare in Nigeria outside the largest financial institutions. The Nigerian Insurers Association reported that fewer than 3 percent of SME policies include cybersecurity coverage. Without a financial backstop, experts warn that the next major wave of attacks could wipe out thousands of businesses and erode trust in the digital economy the country is trying to build.

What happens next will depend on whether regulators can move faster than attackers. The February vote on the cybersecurity bill is the immediate test. If it passes, observers say, Nigeria will have a chance to close some of the gaps that 12 million attacks have laid bare. If it stalls, the cost will be measured not just in naira, but in the credibility of Africa's digital future.