News Highlights:
- Most Breaches Stem from Basic Security Failures, Not Advanced Cyberattacks
- Organizations Urged to Take Immediate Remediation Measures
As cybersecurity incidents continue to hit financial institutions, fintech companies, government agencies, and other organisations across Nigeria, Digital Encode, a leading information security firm, has identified weak security practices—not sophisticated hacking techniques—as the primary cause of most recent breaches, reports Digital TimesNG.
Digital Encode Limited, a leading information security and Governance, Risk and Compliance (GRC) advisory firm, said many of the cyber incidents making headlines across the country could have been prevented through better security controls, stronger credential management, and improved system configurations.
The company issued the warning in a cybersecurity advisory following a recent wave of data exposures affecting both public and private sector organisations in Nigeria.
According to the advisory signed by Professor Obadare Adewale Peter, Chief Visionary Officer of Digital Encode, cybercriminals are increasingly taking advantage of easily exploitable security gaps rather than relying on advanced zero-day attacks.
He noted that attackers frequently target misconfigured systems and publicly exposed digital assets, including unsecured databases, open cloud storage repositories, leaked application programming interface (API) keys and internet-facing critical servers.
Many of these assets, he said, are readily discoverable through open-source repositories, cloud indexing platforms and dark web marketplaces.
“The growing trend demonstrates that organisations remain vulnerable to basic cybersecurity failures that expose sensitive information and critical infrastructure to malicious actors,” the advisory stated.
Digital Encode highlighted several recurring vulnerabilities across organisations, particularly within financial institutions, payment service providers, fintech companies and public sector platforms.
Among the most common weaknesses identified are publicly accessible cloud storage environments exposing sensitive customer and operational data, hardcoded API keys and authentication tokens embedded in web and mobile applications, leaked credentials in software repositories and deployment artefacts, and weak internal access controls that rely heavily on single-factor authentication.
The firm also raised concerns over the exposure of administrative portals, API documentation and development environments in production systems, alongside the uncontrolled deployment of applications on third-party hosting platforms such as Vercel, Netlify and Render without adequate security oversight.
Other critical issues cited include poor token lifecycle management, weak authentication mechanisms, inadequate vendor risk management practices, and insufficient monitoring controls.
Digital Encode warned that unless organisations adopt stronger cybersecurity frameworks, continuous threat monitoring and coordinated incident response strategies, the frequency and impact of cyberattacks could continue to rise, posing significant risks to customer data, business operations and public trust.
The firm urged organisations across both the public and private sectors to conduct comprehensive security assessments, strengthen access controls and address configuration weaknesses before they are exploited by cybercriminals.
Not a Technology Problem, But an Execution Gap
“Organizations affected in recent breaches were not compromised due to highly advanced attacks, but due to lapses in enforcing existing security controls, like, ensuring that no cloud resources linked to organizations whether AWS S3, Azure Blob, Google Cloud Storage, or Firebase allow anonymous access; Verify that no cloud credentials or API tokens are exposed in public or private repositories, container registries or deployed applications; and all external and internal APIs must enforce authentication and authorization controls at all times,” the advisory quoted Prof. Obadare as stating.
The advisory stresses that most of these risks can be mitigated with readily available tools and best practices, underscoring a critical gap between security policy and implementation.
Urgent Actions Recommended
Digital Encode has, therefore, called on organizations to act immediately by conducting a comprehensive audit of all internet-facing assets, including third-party systems; revoking and rotating all exposed or potentially compromised credentials including passwords, API keys, and access tokens; reviewing historical logs to assess the extent of any prior exploitation; engaging vendors to address third-party security exposures; fixing identified misconfigurations and validating remediation efforts; strengthening monitoring, logging, and threat detection systems; and documenting remediation steps and residual risks for governance and compliance.
The firm also emphasized the need for improved visibility into shadow IT and unauthorized deployments tied to employees’ accounts, which increasingly serve as entry points for attackers.
Call for Proactive Security Posture
Digital Encode reiterated its commitment to supporting organizations through enterprise-wide security assessments and independent validation of implemented controls.
“We strongly advise that this advisory be actioned without delay,” Prof Obadare warned, adding that proactive security hygiene, not reactive response, will determine resilience in Nigeria’s evolving threat landscape.