Cybersecurity and Digital Trust for State Governments

Cybersecurity at the state government level in Nigeria is a governance gap that deserves far more attention than it currently receives. While national-level cybersecurity receives policy attention — through NITDA, the Office of the National Security Adviser, and ngCERT — the cybersecurity posture of the 36 states and the FCT is highly variable, largely unmonitored, and in many cases dangerously inadequate relative to the digital systems these states are now deploying.

State governments collect tax data, maintain land records, process payroll for tens of thousands of civil servants, and increasingly deliver health, education, and social protection services through digital platforms. Each of these systems holds sensitive citizen information and represents a potential attack surface. Understanding the specific cybersecurity challenge for state governments — and how to address it — is an urgent governance priority.

Why State Governments Are Increasingly Targeted

Cybercriminals and state-sponsored attackers follow incentives. State government systems have become attractive targets for several reasons: they hold valuable personal data that can be monetised through identity theft and fraud; they control financial flows — payroll, procurement, revenue collection — that represent extraction opportunities; and they typically have weaker security postures than federal agencies, making them easier to breach. Understanding this threat reality is the starting point for any state government security strategy. For context on Nigeria’s broader threat landscape, the analysis in the current state of cybersecurity in Nigeria is directly relevant to state government planning.

Building State-Level Cybersecurity Capacity

Dedicated Security Leadership

State governments need a named senior official responsible for cybersecurity — not as an afterthought to an IT director’s role, but as a dedicated accountability assignment. This official sets security standards, manages risk reporting to executive leadership, coordinates with federal security bodies, and ensures that cybersecurity considerations are embedded in every significant digital project. Without this leadership accountability, security remains everyone’s nominal responsibility and no one’s actual priority.

Baseline Technical Controls Across Agencies

State governments must enforce a minimum security baseline across all agencies — consistent with the broader argument that cybersecurity and digital trust require systemic rather than piecemeal approaches. This baseline should include: multi-factor authentication for all government systems holding sensitive data; a managed patching programme with defined timelines; role-based access controls; and regular data backups that are tested for recoverability.

A State-Level Incident Response Capability

State governments cannot assume that federal response capacity will be available or timely when a state-specific incident occurs. Each state should have a documented incident response plan, at least one staff member with formal incident response training, and pre-established relationships with ngCERT and relevant law enforcement that enable rapid coordination when needed.

Building Digital Trust With Citizens

Cybersecurity at state level is not only about protecting systems — it is about building the citizen trust that digital government services require. Citizens who believe their data is protected are more willing to use digital services, provide accurate information, and engage with e-government platforms. States that communicate proactively about their security commitments — publishing their data protection policies, reporting on compliance, and responding transparently to incidents — build the digital trust that makes digital government viable.

Key Takeaways

• State governments are attractive cyberattack targets because they hold sensitive data and control financial flows, often with weaker security than federal agencies.
• Dedicated security leadership — a named accountable official — is the foundational governance requirement for state cybersecurity.
• A minimum security baseline enforced across all agencies is more impactful than advanced security in some agencies and none in others.
• State-level incident response capability cannot depend on federal availability — states need their own plans and trained staff.
• Proactive transparency about security commitments builds the citizen digital trust that state e-government requires.

Frequently Asked Questions

Should Nigerian state governments have their own CISOs?

Larger states with significant digital infrastructure — including states deploying digital revenue systems, health records, and social protection platforms — should have a dedicated Chief Information Security Officer or equivalent. Smaller states can share security leadership across a small cluster of states or embed a security leadership function within a state digital agency.

How should state governments work with ngCERT?

State governments should register with ngCERT, establish a named point of contact for coordination, and participate in the threat intelligence sharing that ngCERT provides. In a significant incident, ngCERT can provide technical response support, but this support works best when the relationship is established before the crisis, not during it.

About the Author

Suleiman Isah is the Director General of NSITDEA, an MSc holder in Information Security and Digital Forensics, and a specialist in cybersecurity governance for Nigerian state governments. Read more about his work.