Dr. R.T. Sibe is the CEO/Lead Forensic Examiner of Digital Footprints Nig. Limited.

In March 2026, a threat actor identified as ByteToBreach reportedly exploited a known vulnerability on a server belonging to one of Nigeria's tier-1 banks. The threat actor maintained undetected access for days, pivoted laterally into a Fintech company—a major gateway for private-public sector payments and remittances—and reportedly exfiltrated roughly three terabytes of data. Weeks later, a third institution, the Corporate Affairs Commission, reportedly fell to the same actor. The Nigeria Data Protection Commission has since issued notifications of investigation for these breaches.
Public-sector platforms, fintech systems and other critical national information infrastructure have all experienced significant cyber incidents in recent years, including attempted intrusions, service disruptions, unauthorized transfers and data exposure events. What unites these incidents is not necessarily the sophistication of the attacker, but the quality of the response. In most cases, none of the institutions could attribute the attack in reasonable time, and none could produce a defensible evidentiary record on day one. And in the recent cases, only one—under regulatory pressure—eventually communicated to the public.
Nigeria’s Cybercrimes (Amendment) Act 2024, Nigeria Data Protection Act 2023, sectoral cybersecurity frameworks and emerging critical infrastructure regulations increasingly emphasize breach reporting and first-level incident governance responsibilities. Yet in practice the approach is implemented like a fire truck: put out the fire, but leave the crime scene “wet and messy.” This is the gap in evidentiary management that should haunt every critical infrastructure executive: we have built impressive detection capabilities, and almost nothing behind them.
The Detection-Only Model Is Failing Critical Infrastructure
Across Africa, and particularly in Nigeria, organizations are investing heavily in cybersecurity detection capabilities. Security Operations Centers (SOCs), SIEM platforms, Endpoint Detection and Response (EDR) tools, threat intelligence feeds and AI-powered monitoring systems have become increasingly common across banking, telecommunications, energy and government sectors. Despite these investments, one uncomfortable reality persists: many organizations can detect attacks, but very few can prove what actually happened afterward. This is the cybersecurity accountability gap.
In many incidents, alerts are triggered, dashboards light up and containment begins immediately. But before volatile evidence is preserved, systems are wiped, logs roll over, memory disappears and the chain of custody breaks somewhere between SOC, IT, legal and law enforcement. The result is a security posture that is loud at the moment of detection and silent in the weeks that follow. The organization may recover operationally, but the opportunity for attribution, prosecution, regulatory defense, insurance recovery and institutional learning disappears with it. And the case that should end in prosecution, regulatory action or insurance recovery ends in a quiet internal memo, with little or no lessons learned. Cybersecurity without forensic readiness creates visibility without consequence.
Three Failure Modes I See On Every Engagement
The pattern repeats almost without variation across sectors:
The Visibility Trap
Detection tools fire, but no one preserves the underlying memory, volatile state or upstream telemetry. By the time forensic responders arrive, the evidence has been overwritten by routine operations.
The Attribution Void
We log an IP, block a hash and never identify who, why or what was taken. Without technical and legal attribution, regulators cannot enforce, insurers cannot pay and prosecutors cannot charge.
The Consequence Gap
Even when evidence exists, the chain of custody breaks between teams. Sequencing matters: a contain-first incident response often destroys the evidence required to hold someone accountable.
The macro picture explains why this matters now. INTERPOL's 2025 Africa Cyberthreat Assessment recorded 3,459 ransomware detections in Nigeria in 2024—the third-highest on the continent. Check Point's Global Threat Index moved the country from 35th to 13th in just seven months. Cyfirma's recent assessment documented dark-web sales of more than 60 million Nigerian telecom records, alongside compromised banking and government data. Surfshark separately reported over 119,000 Nigerian accounts breached in the first quarter of 2025 alone. The threat surface is no longer the limiting factor. The accountability response is.
What Forensic Readiness Actually Means
Forensic readiness, a concept first formalized by Robert Rowlinson in 2004, is not the same thing as digital forensics. Digital forensics is typically reactive—it begins after an incident occurs. Forensic readiness is proactive. It is the capability to anticipate, preserve and produce digital evidence in a manner that withstands legal, regulatory and operational scrutiny—without disrupting business continuity.
A forensic-ready organization:
• Maintains defensible logging and retention policies
• Preserves volatile evidence before containment actions
• Embeds forensic procedures into incident response workflows
• Maintains documented chain-of-custody processes
• Trains personnel on evidence-handling requirements
• Aligns cybersecurity operations with legal and regulatory obligations
This is especially critical for sectors classified as national critical infrastructure.
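The three practices the list above and the "consequence gap" section turn on, preserving volatile evidence before containment, keeping a chain of custody that survives hand-offs between teams, and sequencing response steps so that preservation comes first, can be made concrete in code. The following is an added example written for this article, not code from the author or from Digital Footprints; the host names, step names and evidence bytes are constructed, and the acquisition order follows the order of volatility in RFC 3227 (most volatile first).

```python
"""
Forensic-readiness helpers: order-of-volatility acquisition, a hash-chained
chain-of-custody log, and a playbook check that preservation precedes containment.
Added example; not code from the original article. All sample data is constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Order of volatility, most volatile first (after RFC 3227, section 2.1).
VOLATILITY_ORDER = [
    "memory", "process_table", "network_state", "temp_files",
    "disk", "remote_logs", "physical_config", "archival_media",
]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class EvidenceItem:
    host: str
    kind: str          # one of VOLATILITY_ORDER
    label: str
    content: bytes     # constructed sample bytes in this example

def acquisition_order(items):
    """Return items sorted most-volatile-first so containment does not destroy them."""
    rank = {kind: i for i, kind in enumerate(VOLATILITY_ORDER)}
    return sorted(items, key=lambda it: rank[it.kind])

class CustodyLog:
    """Append-only chain-of-custody record; each entry commits to the previous one."""
    def __init__(self):
        self.entries = []

    def record(self, item, action, custodian, at=None):
        at = at or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {
            "host": item.host, "kind": item.kind, "label": item.label,
            "evidence_sha256": sha256_hex(item.content),
            "action": action, "custodian": custodian, "at": at, "prev": prev,
        }
        body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self):
        """Recompute the chain; False if any entry was edited, removed or reordered."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body.get("prev") != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

# Hypothetical playbook step names used for the sequencing check.
PRESERVE = {"acquire_memory", "snapshot_disk", "export_logs"}
CONTAIN = {"isolate_host", "reimage_host", "rotate_credentials"}

def sequencing_violations(playbook):
    """Return (step_index, host, step) for every containment step that runs before
    any preservation step on the same host. playbook: list of (step, host)."""
    preserved = set()
    violations = []
    for i, (step, host) in enumerate(playbook):
        if step in PRESERVE:
            preserved.add(host)
        elif step in CONTAIN and host not in preserved:
            violations.append((i, host, step))
    return violations

def demo():
    # Constructed evidence for one compromised host, listed in the "wrong" order.
    items = [
        EvidenceItem("db01", "disk", "system volume image", b"constructed disk image bytes"),
        EvidenceItem("db01", "memory", "RAM capture", b"constructed memory dump bytes"),
        EvidenceItem("db01", "remote_logs", "SIEM export", b"constructed log export"),
    ]
    log = CustodyLog()
    for item in acquisition_order(items):
        log.record(item, "acquired", "analyst-1")
    log.record(items[1], "transferred", "legal-counsel")
    # A contain-first playbook: isolation happens before memory is captured.
    bad = sequencing_violations([("isolate_host", "db01"), ("acquire_memory", "db01")])
    return log, bad

if __name__ == "__main__":
    log, bad = demo()
    print("chain intact:", log.verify())
    print("violations:", bad)
```

The custody log is a simple hash chain: each entry includes the SHA-256 of the evidence it describes and the hash of the preceding entry, so a record edited, dropped or reordered after the fact fails `verify()`. In a real programme the log would be written to storage the SOC and IT teams cannot silently alter, and the playbook check would run before any automated containment fires.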
The AI Convergence
AI is now on both sides of the battlefield. Adversaries are deploying polymorphic malware, autonomous reconnaissance and deepfake-enabled fraud. Defenders are responding with behavioral anomaly detection, automated triage and AI-assisted forensic reconstruction. But there is an asymmetry that goes underappreciated: defensive AI has nothing to learn from logs that were never retained, evidence that was never preserved or systems that were never instrumented for forensic capture. Forensic readiness is the substrate on which defensive AI runs. Without it, AI produces alerts no one can act on or defend in court.
Accountability: The Missing Layer Of Cyber Resilience
Cybersecurity maturity should no longer be measured solely by how quickly organizations detect attacks. The more important question is this: can the organization reconstruct, defend, explain, attribute and legally support what happened after detection?
Detection identifies the event. Accountability creates consequence.
Without accountability:
• Threat actors remain unidentified
• Lessons are not fully learned
• Regulatory enforcement weakens
• Insurance disputes increase
• Repeat attacks become more likely
• Cybercrime remains economically attractive
As cyber threats become more sophisticated and AI accelerates the operational tempo of attacks, organizations must move beyond visibility toward defensible, forensic-grade resilience. The future of cybersecurity is not simply detecting the next attack. It is ensuring that every significant attack leaves behind admissible evidence, actionable intelligence, institutional learning and meaningful accountability.