The shame economy of cybersecurity in 2025
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
A decade ago, the biggest office embarrassment was falling asleep in a meeting; today, it is clicking the wrong email and transferring forty million naira to someone named “ITSupport_Lagos” with a profile picture of a turtle. Cybercrime is evolving. It’s slick, well-worded, emotionally intelligent, and disturbingly human. Today, the most dangerous threat to data protection isn’t just malware. It’s manners.
Let’s set the scene. You’re a mid-level manager. You receive a polite, well-structured email from your “Head of Operations” asking urgently for the vendor list in Excel. You don’t blink. You send it. The Head of Operations never sent it. By noon, the story had spread like fire in harmattan. By 2pm, you are trending internally on WhatsApp groups you didn’t know existed.
Cyber breaches have always been serious, but what’s different now is that they’re also becoming … social. There’s a shame economy forming around digital slip-ups. In Nigeria’s financial institutions, telcos, and government agencies, it’s not just a data incident — it’s a reputational baptism by fire. You don’t just get phished. You get remembered.
And as we Nigerians know, memory is a powerful thing.
It doesn’t help that attackers are using more culturally specific bait. In one recent scam, an email pretending to offer staff Ramadan bonuses caught five employees in one bank’s Kano branch. In another, a “public holiday directive” email circulated with the NDPC’s logo — and two legal departments clicked. These are not amateurs. They know our calendar. They know our habits. Some even know how to mimic our punctuation.
The result? Staff are now scared to open anything. One executive assistant reportedly flagged a lunch menu as a potential breach. It was a PDF. Of jollof rice and plantain.
Now, on the serious side, the Nigerian Data Protection Commission (NDPC) has sharpened its teeth. The new General Application and Implementation Directive (GAID) mandates more than just awareness campaigns. It demands operational proof — that your staff understand data protection beyond the PowerPoint slides. They want DPIAs, risk mapping, and records of processing. And if you use AI? Get ready to show the logic behind your model, not just its results.
In 2025, data protection has stopped being a regulatory checkbox and become a leadership metric. Executives are being judged not just by profit margins, but by how they protect data. When a breach happens, the first question is no longer “What happened?” It’s “Who clicked?”
And that question has weight.
Globally, this cultural shift is already visible. In the UK, some firms now list breach involvement in performance reviews. In Kenya, an energy company issued an internal “Wall of Caution” email listing anonymised employee mistakes — complete with emojis. In Lagos, a fintech startup reportedly introduced a “Cyber Offender of the Month” award. The winner gets a certificate. And side-eyes.
Of course, humour can’t replace strategy. Organisations need real investment in behavioural security. That means building systems that assume people will make mistakes, then designing controls that catch errors before they become front-page news. It means integrating data protection into onboarding, offboarding, procurement, and product design. And it means moving beyond shaming individuals to building cultures of digital accountability.
But if we’re honest, shame works. Not as a punishment. But as a motivator. No one wants to be the person who fell for “Happy Easter Bonus.xlsx” and triggered a system-wide investigation. No one wants to explain to the Board why the customer database is now available on a Telegram channel called “FreeBankLeaks.”
So here’s the reality. Cybersecurity is no longer about IT. It’s about culture. It’s about psychology. It’s about ego. And in Nigeria’s data economy, it’s about protecting the one thing that still matters more than your server — your name.
So before you click, ask yourself: Is this email real? Is it necessary? Is it worth being this month’s cautionary tale?
Because in this new economy, one bad click doesn’t just cost money. It might cost your reputation. And maybe your lunch invite.
- business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com