In recent months, reports of cyberattacks across Nigeria have become almost routine. From financial institutions to universities and government systems, breaches and data leaks are no longer rare headlines. According to a survey by TechAfrica News, the country experiences 4,090 attacks per organisation per week, the highest of any African country in its survey.
Just weeks ago, a threat actor known as ByteToBreach claimed to have breached systems at Sterling Bank, prompting regulatory scrutiny. More recently, Lagos State University was allegedly hit by a cyber incident involving sensitive staff and academic data. These events, combined with figures showing Nigeria has lost over ₦1.1 trillion to cybercrime in three years and ₦53.4 billion in 2024 alone, make the urgency behind the guidelines easier to understand.
Against this backdrop, the Lagos State Government on Sunday introduced a set of cybersecurity guidelines. These are not new laws but practical recommendations, designed to help businesses and public institutions reduce their exposure to cybercrime and respond better when incidents occur. The announcement was made by Gbenga Omotoso, the Commissioner of Information & Strategy, via the Lagos State official X handle.
LAGOS STATE GOVERNMENT UNVEILS COMPREHENSIVE CYBERSECURITY GUIDELINES TO STRENGTHEN DIGITAL SAFETY
The Lagos State Government has released a set of Cybersecurity Guidelines, a strategic framework designed to enhance digital safety for businesses, public institutions, and…
— The Lagos State Govt (@followlasg) April 19, 2026
Per the post on X, the goal is to provide “clear, practical, and scalable cybersecurity best practices for small businesses, medium and large enterprises, and MDAs.” In other words, this is about giving organisations a playbook they can actually follow, regardless of size.
For small businesses especially, the document focuses on foundational steps that cost little but offer significant protection. One key recommendation is regular cybersecurity awareness training. The goal, as the guidelines note, is “to empower your employees to be your first line of defence. This practice educates your team on how to recognise and avoid common digital threats.”
There is also a strong emphasis on password management and multi-factor authentication (MFA). The guidelines tell businesses to “mandate MFA on all business applications, email, and cloud services.” Equally important is data backup, specifically the “3-2-1” rule. The guidelines advise businesses to “keep three copies of your data, use at least two different storage types (like a local hard drive and a cloud service), and keep one copy offsite. Regularly test your backups to make sure you can actually restore your data when needed.” Automatic software updates are also flagged as essential to prevent attackers from exploiting vulnerabilities in outdated systems.
For medium to large enterprises, the tone becomes more strategic. Organisations are advised to adopt established security frameworks like the NIST Cybersecurity Framework or ISO 27001 as a structured way to assess and improve their security posture. Alongside this, they should conduct regular risk assessments to identify their most significant threats and most valuable assets.
The guidelines repeatedly stress reporting obligations, reminding organisations to notify the Nigeria Computer Emergency Response Team (ngCERT) within 72 hours of discovering an incident and, where personal data is involved, to inform the Nigeria Data Protection Commission (NDPC) and affected individuals as well.
The release of these guidelines also comes at a telling time.