It was a Wednesday morning in June 2024 when a mid-sized bank woke up to a nightmare. The ATMs in Ntinda and Kabalagala were spitting out cash in irregular amounts. Customers were lining up, bewildered, some receiving double withdrawals while others got “system busy” errors. The IT team, sipping tea at their head office, thought it was a minor switch glitch. But when the treasury officer reported UGX 2.8 billion missing in just three hours, panic set in.
The fraudsters were not outsiders with hoodies in Europe. They were insiders, contract staff with legitimate access who knew which server patches were delayed and which passwords were recycled. They walked through the front door of trust because the organization had not yet embraced one principle: Zero Trust.
This case became Summit Consulting Ltd’s assignment, and a game-changing one. Like many of our CSI-styled investigations, it revealed a painful truth: trust is no longer an internal control.
How the betrayal unfolded
Let us rewind. The bank prided itself on a culture of family. Senior managers bragged that they could give staff system passwords “just in case,” without worrying about misuse. Vendors had VPN access without multi-factor authentication. Mobile money integrations were monitored by one junior officer whose job description was “support.”
Here is how the scheme played out.
- Suspect 1, a contract IT officer, discovered that the ATM reconciliation system was not patched. It still relied on batch reconciliation at midnight, not real-time updates.
- Suspect 2, working in operations, knew that the switch logs were reviewed only once a week.
Together, they ran a script that delayed reporting of ATM withdrawals by five minutes. Within that gap, they executed “phantom withdrawals” that never hit the core banking system immediately.
The cash was laundered through mobile money wallets registered under boda boda riders in Kalerwe. Each wallet received less than UGX 4 million to avoid red flagging. From there, the funds were cashed out at kiosks and converted into dollars at Forex bureaus along William Street.
By the time the auditors identified inconsistencies in the general ledger, the scheme had been in operation for six months. Losses: UGX 12.4 billion.
The cultural conflict at the heart of the fraud
Why did it happen? Internal interviews revealed a paradox: the bank’s executives believed trust equals loyalty. They feared that “treating everyone like a suspect” would kill morale. Staff whispered that managers often shared OTPs over WhatsApp for convenience. They forgot my grandpa’s advice: trust after controls. Plain trust is a bad business, life, or family decision.
This is Uganda’s lived reality. A society where “trust me” is the most abused phrase in governance. Yet in cybersecurity and fraud, trust is a vulnerability, not a virtue.
Enter Zero Trust
Summit Consulting’s forensic team did more than trace the stolen billions. We challenged the board: “If your systems assume good faith, then fraudsters will always be two steps ahead.”
Zero Trust is not a Western buzzword. It is a business survival manual. It means:
- Never trust, always verify. Even your managing director must authenticate like any other user.
- Least privilege. A teller should not have system admin rights, even “temporarily.”
- Continuous monitoring. Every click, every transfer, every login is logged and analyzed.
- Micro-segmentation. Your HR database should not talk directly to your payments system.
- Multi-factor everything. OTPs are not enough; use biometrics, tokens, and behavioural analytics.
How the team cracked the case
Our investigators followed the money trail with a mix of old-school grit and digital forensics:
- Pulled ATM switch logs and overlaid them with mobile money transaction timestamps.
- Deployed anomaly detection scripts; red flags appeared wherever withdrawals clustered within five-minute windows.
- Traced cash-out locations via mobile money agents. Many were in Owino market and Wandegeya, classic laundering hotspots.
- Interviewed staff. One slip: a contract officer bragged in a bar that he was “eating bank money faster than auditors.”
The final report stunned the board: losses totalling UGX 12.4 billion, insiders colluding with mobile money agents, and controls bypassed with frightening ease.
The red flags the auditor first saw
The whole scheme could have been stopped earlier if the first red flags had been taken seriously:
- Reconciliation delays. Daily reports showed unexplained “suspense balances.”
- Unusual clustering. Withdrawals often peaked at 2 AM, when no customers were around.
- Staff lifestyle inflation. A junior IT officer suddenly upgraded from a Bajaj Boxer to a Toyota Harrier.
- Vendor complacency. System patches were postponed repeatedly with excuses like “we are waiting for HQ approval.”
But in typical fashion, the internal auditor’s reports were filed under “noted.” No follow-up. No escalation.
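The detection logic the investigation describes (overlaying ATM switch logs with mobile money timestamps, flagging withdrawals that cluster in five-minute windows or fall in the 2 AM dead hours, and spotting postings that reach core banking late), shown as an added Python example. This is not Summit Consulting’s script; the log formats, field names and sample records are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, time, timedelta

# Constructed sample data, not records from the case. Switch rows are
# "dispensed_at,atm_id,amount,posted_at" (when core banking finally saw it);
# mobile money rows are "received_at,wallet,amount". ISO-8601 local time.
SWITCH_FIELDS = ("dispensed_at", "atm_id", "amount", "posted_at")
MOMO_FIELDS = ("received_at", "wallet", "amount")
SWITCH_LOG = """\
2024-06-05T02:03:10,ATM-NTD-01,400000,2024-06-05T02:03:12
2024-06-05T02:03:55,ATM-NTD-01,400000,2024-06-05T02:09:01
2024-06-05T02:04:20,ATM-KBL-02,400000,2024-06-05T02:09:30
2024-06-05T02:04:48,ATM-NTD-01,400000,2024-06-05T02:10:02
2024-06-05T10:15:00,ATM-NTD-01,200000,2024-06-05T10:15:02"""
MOMO_LOG = """\
2024-06-05T02:12:30,256700111222,380000
2024-06-05T02:13:05,256700333444,390000
2024-06-05T02:14:40,256700555666,395000
2024-06-05T11:00:00,256700777888,50000"""

def parse_csv(text, fields):
    """Split a log into dicts; fields ending in _at are parsed as datetimes."""
    return [{k: datetime.fromisoformat(v) if k.endswith("_at") else v
             for k, v in zip(fields, line.split(","))}
            for line in text.strip().splitlines()]

def delayed_postings(switch_rows, max_lag=timedelta(minutes=1)):
    """Withdrawals whose core-banking posting lags the dispense by more than max_lag."""
    return [r for r in switch_rows if r["posted_at"] - r["dispensed_at"] > max_lag]

def clustered_windows(switch_rows, min_count=3, quiet_hours=range(0, 5)):
    """Bucket withdrawals into 5-minute windows; flag dense ones and any in quiet hours."""
    buckets = Counter((r["dispensed_at"].date(), r["dispensed_at"].hour,
                       r["dispensed_at"].minute // 5) for r in switch_rows)
    flagged = []
    for (day, hour, slot), n in sorted(buckets.items()):
        reasons = []
        if n >= min_count:
            reasons.append("dense")
        if hour in quiet_hours:
            reasons.append("quiet-hours")
        if reasons:
            flagged.append((datetime.combine(day, time(hour, slot * 5)), n, reasons))
    return flagged

def momo_after_window(window_start, momo_rows, lag=timedelta(minutes=15)):
    """Mobile money receipts landing shortly after a flagged 5-minute ATM window."""
    end = window_start + timedelta(minutes=5)
    return [m for m in momo_rows if end <= m["received_at"] <= end + lag]
```

Run against real switch and wallet exports, the same three checks give an auditor a daily list of late postings, dead-hour clusters and the wallets that filled up right after them, instead of a weekly log review.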
Why Zero Trust is the new imperative
Local organizations (banks, telcos, SACCOs, NGOs) are operating on a different battlefield today. Fraud is not just about missing receipts. It is about compromised cloud servers, cloned mobile wallets, and insiders who know every weakness in your control environment.
Zero Trust does not mean mistrusting your people. It means protecting them and your organization by removing temptation and loopholes. It is like building a house in the city: you may love your neighbours, but you still put a padlock on your gate every night.
How to implement Zero Trust
- Board-level mandate. This is not IT’s job. The board must demand it.
- Identify critical assets. What must never be compromised? (Core banking, payment switch, HR payroll).
- Map access rights. Who touches what system? Why? Cut privileges ruthlessly.
- Strengthen vendor oversight. Every vendor must meet your security standards. “They are from HQ” is no excuse.
- Continuous assurance. Use penetration testing, red-teaming, and live simulations, not annual checklists.
Ugandan executives often spend billions on flashy headquarters, branded T-shirts for staff, and retreat weekends at Speke Resort. But when asked to invest UGX 500 million in Zero Trust architecture, they call it “too expensive.”
The fraud losses you suffer are the school fees you pay for refusing to invest in controls.
In the case of the bank, the board learned a UGX 12.4 billion lesson. Summit Consulting and the Institute of Forensics & ICT Security team rebuilt their controls from the ground up, including biometric logins, real-time monitoring, and vendor audits. But the most important shift was cultural: they finally embraced Zero Trust as a way of life.
The fraudsters exploited one thing: blind faith. That faith cost billions. In this new era, risk management has only one commandment: Zero Trust. Full protection. Or total loss.