Oluwananumi Dawodu, a cybersecurity engineer and Fraud and Investigations Officer, UK Department of Works and Pensions, has stressed the need for education and enlightenment on how Identity Access Management (IAM) can help to tackle fraud, data breaches and cybercrime.
According to him, digital identity theft is developing quickly in Nigeria and all around Africa because hackers know that consumers typically don’t have the tools or expertise to defend themselves. Phishing, fake alarms, and impersonation scams are all examples of social engineering attacks that rely on people making mistakes, not technological problems.
There are a few simple but powerful things that everyday people can do, he told DAMOLA KOLA-DARE in an interview.
Can you walk us through your journey into cybersecurity? What motivated you to specialise in this field?
I became interested in cybersecurity as I learned more about how digital systems work and where they go wrong. I work as a Fraud and Investigations specialist for the UK Government in the Counter Fraud and Compliance Department (CFCD). I was in charge of security operations at SecureO, where I oversaw the use of SIEM products, including Microsoft XDR, Azure Sentinel, Nessus, and Rapid7. I help businesses achieve PCI DSS and ISO 27001 compliance needs and provide cloud security consulting for AWS, Azure, and GCP environments. I’ve worked in cybersecurity with DigiHealth Africa, Kiteworks UK, TradesTeam, and Makintouch Consulting. As a cybersecurity instructor at GOMYCODE, I have also taught people just starting their careers. I am a 2024 recipient of the Tech Nation UK endorsement for the United Kingdom Global Talent Visa in Cybersecurity. I won the AfriSAFE Young Innovator Award (2021), the Diana Award (2021), the SDG Innovation Challenge Award from the African Youth SDG Summit (2020), and the SME100 Africa 25under25 Most Enterprising Award (2020). I volunteer as a cybersecurity mentor for Scotland Women in Technology, helping women reskill in technology through organised coaching, industry guidance, and career development. I opted to focus on cybersecurity because it allowed me to work on actual challenges that matter. Digital identity protection and following the rules were two areas that interested me. There was a big gap between what the rules said and what people did, especially in the developing regions.
You’ve worked across Africa and Europe, what differences have you noticed in how these regions approach cybersecurity?
I’ve seen Africa and Europe tackle cybersecurity differently when I’ve worked there.
Cybersecurity is more regulated in Europe. The General Data Protection Regulation (GDPR) and other rules have made it very important to follow. Most organisations have defined plans for how to respond to incidents, security teams that work full-time, and funding to support strong infrastructure. Cybersecurity is generally a top priority for businesses in the private sector. For instance, by 2023, 88% of German organisations said they had a Chief Information Security Officer (CISO).
On the other hand, Africa is still figuring out how to do things. People are becoming more aware of cybersecurity and putting a lot of money into it, but how it is implemented is not always the same. Some nations, like Kenya and Nigeria, have set up national cybersecurity frameworks but don’t have the resources or the ability to implement them. Many businesses, especially small and medium-sized ones, don’t even have basic security measures. However, local talent and creativity are growing, which is helping to bridge the gap over time.
What are the most common digital identity theft and online fraud vectors today?
Cybercriminals mostly use phishing, spoofing credentials, malware, and social engineering techniques to obtain personal information and commit fraud online. Phishing is still the most common type of attack. The 2024 Verizon Data Breach Investigations Report found that human error or manipulation caused more than 74% of breaches. Phishing attacks generally happen by email or SMS to get people to give up their login information. Credential stuffing, in which hackers utilise stolen credentials from earlier breaches to get into other accounts, still works since many people use the same passwords. Malware is another common way to get viruses, and it is typically buried in bogus downloads or bad websites. Public Wi-Fi is also dangerous since attackers can access unencrypted data. In some places, SIM switching is used to get around two-factor authentication by moving a victim’s number to a new SIM card. I previously spoke about global identity theft and SIM card scams in The Nation online media; you can look that up.
We’ve seen a rise in the spate of digital identity theft in Nigeria and even all over the globe. How can everyday users in Africa protect themselves from social engineering attacks?
Digital identity theft is developing quickly in Nigeria and all around Africa because hackers know that consumers typically don’t have the tools or expertise to defend themselves. Phishing, fake alarms, and impersonation scams are all examples of social engineering attacks that rely on people making mistakes, not technological problems. There are a few simple but powerful things that everyday people can do. First, always check requests for private information, especially if they say they need it immediately or have the power to get it. Don’t click on links or download attachments from people you don’t know. Second, make sure that all of your critical accounts, such as your bank account, email, and social media accounts, have strong, unique passwords and two-factor authentication (2FA) turned on. Third, make sure your operating system and software are up to date. Most malware infestations take advantage of systems that are out of date. Fourth, be careful about what you post on the internet. People commonly utilise personal information, like your mother’s maiden name, birthdate, or school, to guess passwords or security questions. Finally, be careful of online deals that seem “too good to be true.” A lot of scams use emotional manipulation to encourage people to respond quickly.
Could you explain how Identity and Access Management (IAM) helps keep online data breaches, fraud, and cybercrime to a minimum?
IAM, or Management of Identity and Access, is one of the best ways for businesses to decrease their security risk. This activity aims to set rules and guidelines for those in an organisation who can access specific systems and data at any given moment. IAM is a system that checks identities and ensures that the right people have access at the right time and for the right reasons. In a digital economy like Nigeria, where cyberattacks, identity theft, and financial fraud are rising, identity and access management (IAM) is no longer an option; it is a must.
IAM has already shown that it works in industrialised countries where it has been implemented.
For example, Microsoft found that using multi-factor authentication (MFA) stops 99.9% of automated account hacks from reaching their target. According to Verizon’s 2023 Data Breach Investigations Report, more than 74% of data breaches were triggered by people, most of whom exploited stolen credentials or social engineering. The World Economic Forum says that 80% of cyberattacks use old or reused credentials. IBM’s 2023 study “Cost of a Data Breach” found that data breaches cost an average of $4.45 million each time they happen worldwide. There is no doubt about the pattern: a good identity and access control system makes it much less likely that you will be exposed to cyber dangers.
What does that have to do with what’s going on in Nigeria?
There have been more cyber occurrences in Nigeria, especially in the telecom and financial sectors. Experts thought Nigeria’s banking and FinTech industries would lose more than N273 billion (approximately $762 million) to fraud in 2022. More than N20 billion of these losses were due to SIM-swap fraud. In the first three months of 2023, Nigeria reported 82,000 hacked data accounts, a 64% increase over the previous three months. There were 119,000 breaches in the first quarter of 2025, which is 85% fewer than in the fourth quarter of 2024. This shows how crucial it is to secure your identity.
Ransomware also hit 71% of businesses in Nigeria in 2021, making it one of the countries with the most ransomware attacks in the world. In 2021, a significant security breach in the financial technology industry put the personal information of more than 10 million people at risk. These numbers show that despite some short-term improvements, the main problems, such as identity theft and poor access control, are still there. IAM could help in this area.
What specific IAM tools or methods would be most useful?
Multi-Factor Authentication (MFA) is the quickest and cheapest way to keep your account safe.
Requiring a second form of authentication, like a code sent by SMS, an authentication app, or biometrics, stops most credential attacks. This prevents the attacks from working. The Nigerian Communications Commission has already suggested that mobile services utilise two-factor authentication. Still, many private companies haven’t fully adopted it on all platforms yet, especially in areas that have nothing to do with banks.
The notion of least privilege and role-based access control (RBAC) is also significant. This limits people’s access to only the information they need to do their jobs, which lowers the danger of accidental exposure or insider threats. Companies in industrialised countries saw a 50% to 80% drop in insider incidents when they used strict RBAC procedures. The number of high-risk access incidents in the banking industry dropped by 94% when identity and access management (IAM) technologies were used to stop power misuse. Nigerian businesses can do the same, especially in healthcare, banking, and telecommunications, where they are more likely to handle sensitive data.
Privileged Access Management, or PAM, is another tool firms with valuable assets or large customer databases should use. PAM manages and audits accounts with higher rights, including those of system administrators or developers. Most significant data breaches worldwide, including the one on SolarWinds, used privileged accounts. Nigeria’s public and private digital infrastructure must treat PAM as a prerequisite that can’t be changed.
How can IAM help with crime?
IAM stops fraud by checking that the person accessing data or making a purchase has the legal right to do so. For instance, telecom firms may reduce the number of fake SIM-swap transactions by using biometric authentication for high-risk account changes. IAM solutions that are layered assist in finding suspicious access patterns in the banking business, like logins from devices or IP addresses that the user doesn’t recognise. When this happens, they can either set off alarms or stop transactions.
Adaptive authentication is becoming more widespread in US and UK banks. This method gives access only after the system calculates a risk score based on behaviour and context. Fraud detection systems, conversely, won’t work as well as they could if they aren’t directly linked to identity and access control technology. Banks in Nigeria are already focusing on building stronger security stacks. For example, if an account looks like it might be fake, identity and access management systems should immediately suspend all high-level rights until the account is verified.
What about the implementation? Are there any problems particular to Nigeria?
Cultural, regulatory, and technical problems come up throughout the implementation. Even organisations of medium size and many small and medium-sized businesses still don’t know the basics of cyber hygiene. Some people keep their passwords in spreadsheets, while others send them by email. There isn’t much experience with identity and access management (IAM) in the local market, which leads to incomplete or incorrect installations. Government systems have the same challenges, such as identity systems that are outdated or don’t work well together.
The price is another problem. IAM solutions may cost a lot initially, but they are worth the money because they stop pricey breaches and damage to your brand. Currently, cloud-based identity and access management tools are cheaper and more useful for Nigerian businesses than big on-premise systems. Consciousness, on the other hand, is the most essential thing that is missing. Many people in charge still don’t realise how bad cyber events may be until they happen to them.
How can we get more people in Nigeria to utilise IAM?
I suggest doing a couple of things. First, organisations like the NITDA and the NCC should set minimum IAM standards, especially for healthcare, telecommunications, and financial technology enterprises that handle private information. These should include mandatory multi-factor authentication (MFA), regular access audits, and ways to let people know when there has been a breach. Small and medium-sized businesses (SMEs) can employ IAM systems with the help of tax breaks or other financial advantages. Third, there is a need for more IAM professionals in the area. IAM should be part of the cybersecurity courses offered by colleges, universities, and training centres.
The government can also set an example. NIMC, JAMB, and immigration are all national digital services that need to create secure systems for managing identification and access. These frameworks should do more than secure passwords; they should also use biometrics and behavioural analytics. A coordinated effort between the public and private sectors is needed to enhance Nigeria’s information assurance maturity quickly.
Would you like to add anything else?
IAM is more than just a technological fix; it means changing how things are done and how people think about things. To cut down on fraud, eliminate data leaks, and build a digital economy that people can trust, Nigeria needs to start thinking of identity as the new perimeter.
IAM’s structure can help with this. Data from other countries shows that when identity and access management (IAM) is done right, it dramatically lowers the chances of breaches, insider fraud, and regulatory exposure.
We should stop thinking of cybersecurity as a cost and consider it an essential part of infrastructure, like roads or power. It costs more to do nothing than to take steps to avoid problems.