Your core banking system is not your biggest risk. Your tellers are.

The wheelbarrow mentality is a condition where staff wait to be pushed to do what they are already paid to do. In banking, this mentality is lethal. A teller who logs into the core system with one hand, while texting a cousin on mobile money with the other, is not just inefficient; he is your greatest cyber liability.

CEOs love to boast about multimillion-dollar core banking upgrades. “We bought the latest system,” they say, as if code could cure culture. It cannot. A teller with a smartphone can reroute millions faster than your IT firewall can blink. Hackers don’t need to break through your perimeter when the insiders open the gates daily.

Every fraud story I have investigated begins the same way: with misplaced trust in “loyal” staff. The weak passwords written on sticky notes. The workstation left unlocked for tea. The supervisor who signs off without verifying. Banks do not lose billions through Russian hackers; they lose them through inattentive, underpaid, or compromised insiders.

It’s a paradox. The more technology you deploy, the more human discipline you require. Yet most boards spend 90% of their budgets on systems, and less than 5% on building a security-aware culture. That is like buying a bulletproof car but hiring a reckless driver.

“Cybersecurity is not about technology. It is about trust. And trust, once broken, is uninsurable.”

If you are a CEO, your greatest cyber risk does not sit in Moscow or Lagos. It sits in your banking hall, smiling, stamping, and waiting for a chance to strike. Audit culture as aggressively as you audit systems. Train, monitor, and enforce discipline daily. Technology is only as strong as the teller who uses it. Stay safe.

Most leaders talk about cyber as if it were an IT line item. That is why they lose. Hackers don’t attack firewalls; they exploit governance gaps. The weakest control is often not the system; it is the boardroom silence.
To win, directors need a simple but ruthless tool that cuts through jargon and exposes blind spots. Enter the Cyber Risk Radar™: a one-page governance weapon that forces the right questions, demands evidence, and shows instantly whether your organization is drifting toward breach or building resilience. This is not a checklist for IT. It is a mirror for the board.

Table 1: The board’s Cyber Risk Radar

1. Insider threat exposure
Board question to ask: If a teller left their desk unlocked, how much could we lose before detection?
Evidence required: Data on maximum exposure per workstation, incident logs
What “weak” looks like: No monitoring; staff share logins; no transaction caps
What “strong” looks like: Real-time monitoring; auto-logouts; transaction caps per user
Board action: Demand simulation results; insist on quarterly insider threat testing

2. Cyber red flag dashboard
Board question to ask: Do we have a one-page quarterly dashboard?
Evidence required: Dashboard showing logins, insider breaches, near-misses, and financial exposure
What “weak” looks like: IT jargon slides, no metrics linked to money
What “strong” looks like: Clear numbers tied to financial risk and trends
Board action: Require the dashboard as a standing board pack item

3. Executive accountability
Board question to ask: Whose bonus is reduced if we suffer a breach?
Evidence required: HR policy linking EXCO pay to cyber incidents
What “weak” looks like: “Cyber is IT’s problem.”
What “strong” looks like: CRO, CIO, and COO have performance-linked accountability
Board action: Direct RemCo to tie pay to cyber outcomes

4. Business continuity drill
Board question to ask: What happens if the system goes down for 1 hour?
Evidence required: Documented BCP/DRP test results, staff performance logs
What “weak” looks like: Panic; no plan; reliance on IT improvisation
What “strong” looks like: Blackout drill executed; operations continue via backups/manual fallback
Board action: Order an annual “blackout drill” with the board observing the results

5. Board cyber maturity score
Board question to ask: How do we rate ourselves: ignorant, informed, or intelligent?
Evidence required: Independent maturity assessment, board training records
What “weak” looks like: Board waits for IT updates; no training
What “strong” looks like: Board challenges assumptions, links cyber to strategy, demands controls
Board action: Schedule quarterly board self-assessment and annual cyber training

How to use this table in practice

Insert it into every quarterly board pack. Score yourselves honestly on each dimension (1 = weak, 5 = strong). Track movement quarter by quarter. If you’re not moving up, you’re drifting into irrelevance.

“Cybersecurity is not a technical war. It is a governance war. And boards lose by silence.”

Mr Strategy.

About the IFIS, https://forensicsinstitute.org/about/

At IFIS, we live by our motto, “Discere Faciendo. Learn by Doing.” Every course, certification, and training session emphasizes practical, hands-on skills that empower you to solve real-world challenges from day one. Learn by doing, be empowered to transform your career and life. At the Institute of Forensics & ICT Security (IFIS), we specialize in bridging the gap between knowledge and application. Whether you are navigating the challenges of cybersecurity, mitigating enterprise risks, investigating fraud, or analyzing complex data, our cutting-edge certifications and practical training programs prepare you to lead in today’s dynamic world. Come and get skills that you can apply to your job instantly and transform your career and life.

Copyright IFIS 2025. All rights reserved.
Cybersecurity Month 2025 is here: Stay aware, stay protected
October is here. Across Uganda, thousands of employees will walk into offices, open emails, and click without thinking. One careless click is all it takes. That is why Cybersecurity Awareness Month is not just another “theme month.” It is a survival drill.

Cybercrime is no longer a distant story from America or Europe. It is a Ugandan reality. From SACCOs in Masaka losing millions via mobile money SIM swaps, to hospitals in Kampala locked out of patient records by ransomware, to government agencies paying ransom quietly, cyber risk is here. It is local. It is expensive. And it is growing.

Why awareness matters

The biggest myth in cybersecurity is that technology alone will protect you. Firewalls, antiviruses, and fancy dashboards mean nothing if your people are blind to threats. Eight out of ten breaches in Uganda begin with human error: a staff member reusing passwords, downloading fake invoices, or sharing sensitive data on WhatsApp. Cybersecurity Awareness Month exists to break that ignorance, and to remind every staff member that they are the first firewall.

The cost of ignorance

A Tier 2 bank lost UGX 1.4 billion in a single phishing campaign. A private school had its entire website defaced, leaving parents questioning its credibility. An NGO donor froze funding after hackers exposed project data. None of these began with a “major hack.” They began with ignored awareness.

What must leaders do this October?

Make cybersecurity cultural, not seasonal – One month of slogans is not enough. Embed cyber habits into daily work.
Invest in drills, not posters – Staff remember simulated phishing tests, not motivational banners.
Hold EXCO accountable – Cyber risk is a governance issue. Boards must demand evidence of preparedness, not promises.

At Summit Consulting Ltd, we say: “Cybersecurity is not IT. It is a survival strategy.” This month, we are running free awareness trainings for organizations that dare to take risk seriously.
One hour with us could save your organization billions. The question is not whether hackers will strike. It is whether your team will recognize the attack when it happens. Stay aware. Stay protected. Visit https://event.forensicsinstitute.org/ to access free resources. Be safe online.

Cybersecurity Month 2025 is here: Stay aware. Stay protected.

One careless click. That’s all it takes to lose millions. Cybercrime is no longer a foreign headline; it is Ugandan. A SACCO in Masaka was wiped out via SIM swaps. A Kampala hospital was locked out of patient records by ransomware. A Tier 2 bank is losing UGX 1.4 billion to phishing. None of these started with “big hacks.” They started with ignorance.

The truth? Technology won’t save you if your people are blind. Eight out of ten breaches in Uganda begin with human error: weak passwords, fake invoices, or sharing data on WhatsApp.

This October, the Institute of Forensics & ICT Security, a technical training arm of Summit Consulting, is leading Cybersecurity Awareness Month. We are offering free awareness training to organizations ready to treat cyber risk as a governance issue, not an IT problem.

Boards, EXCOs, and CEOs: stop asking “What if hackers strike?” Start asking: “Will my team recognize the attack when it comes?” Register your team today. Save your reputation tomorrow. events.forensicsinstitute.org

Stay aware. Stay protected.
Small risks, big consequences: Why details matter
UGX 46 million vanished in less than an hour. Not through a sophisticated hack. Not through some dark web syndicate. But because one junior accountant at a mid-sized SACCO forgot to press Ctrl+Alt+Del before stepping out for tea. That’s it. One forgotten click.

While managers were busy preparing for their weekly meeting and members queued outside to deposit their hard-earned savings, Suspect 1, a teller with sharp instincts for weakness, seized the moment. He slid into her still-active workstation, typed nothing, and yet unlocked everything. Within minutes, he rerouted UGX 76 million through three mobile money accounts. By the time the IT team noticed “irregular logins,” the cash had already been withdrawn in brown envelopes from Kikuubo agents.

This wasn’t a cyber genius at work. It was a crime of opportunity, powered by complacency.

Here’s the bitter truth: fraud in Uganda rarely starts with billion-shilling heists or complex malware. It starts with tiny details everyone dismisses. A door left ajar. A system left logged in. A control left unenforced. And because leaders gamble that “nothing big will happen,” something massive always does. This SACCO didn’t lose because it lacked technology. It lost because it lacked discipline.

The myth of “small” risks

Many leaders are obsessed with the big stuff: market share, regulatory approvals, new loans, donor inflows. Yet it is the “small” things that cripple organizations. A missed reconciliation of UGX 200,000 in petty cash. A supplier contract missing one clause on delivery timelines. An unpatched firewall ignored because “IT is busy.” A guard sleeping outside the warehouse, “just one night.” Each feels negligible in isolation. But in practice, small risks are never small. They are the loose threads that unravel the entire fabric.

The details that destroyed giants

The ghost fuel deliveries – A transport company ignored “minor” discrepancies in trip sheets. Over time, those “few missing litres” added up to UGX 1.2 billion siphoned off by colluding drivers and pump attendants. The board only woke up when clients began to terminate contracts.
The weak password tragedy – A private university IT officer reused the same password across systems. Hackers cracked it within minutes. What began as a “small vulnerability” led to the leak of student data, lawsuits, and millions in damages.
The fake signature scandal – A government project officer approved “small” field expenses without verifying signatures. For two years, fictitious names collected allowances. By the time Summit Consulting was hired, UGX 3.7 billion had evaporated.

The pattern is clear: small risks ignored turn into scandals that cripple.

Why leaders dismiss details

The psychology is simple: details feel boring, beneath senior executives. Boards like grand narratives, not red flags about missing invoices. CEOs prefer PowerPoint on expansion strategies, not notes on untrained security guards. But risk thrives in the margins, not in the headlines. Remember: the Titanic wasn’t sunk by a fleet of icebergs. It hit one small detail, an iceberg tip nobody thought mattered.

Take Suspect 2, a procurement officer in a local hospital. She began by “borrowing” UGX 100,000 from supplier refunds. Nobody noticed. Encouraged, she increased to UGX 500,000, then UGX 2 million. By year three, she had rerouted over UGX 600 million. When caught, her defence was chilling: “If they ignored the small things, why wouldn’t I keep going?” Fraud rarely begins with billions. It begins with overlooked details.

The red flags good investigators look for

When we investigate fraud, we don’t start with the “big scandal.” We start with the details:

Expense claims repeatedly just below approval thresholds.
Staff who never take leave (afraid their fraud will be discovered).
Delayed reconciliations excused as “system issues.”
IT logs showing after-hours access that nobody questions.
Petty cash that never balances to the last shilling.

Each is a whisper of a coming storm. Ignore them, and you invite catastrophe.

Why do details matter?

Culture – A culture that ignores details creates silent permission for fraud. If bosses laugh off small control breaches, staff take it as a green light.
Compounding effect – UGX 100,000 stolen weekly becomes UGX 5.2 million annually. Over five years, it’s UGX 26 million. By then, the fraudster has graduated to bigger schemes.
Regulatory cost – Donors and regulators don’t care whether theft began “small.” They penalize based on total loss. And in Uganda, reputational damage is instant and unforgiving.

Lessons for leaders

Interrogate the details – Ask about small variances, small delays, small exceptions. That’s where truth hides.
Reward vigilance, not speed – A staff member who takes extra minutes to cross-check signatures is more valuable than one who rushes.
Automate the boring stuff – Use fraud analytics and dashboards. Machines don’t get bored by details; humans do.
Hold managers accountable for the “small stuff” – Don’t let senior leaders hide behind strategy slides. Make them answer for reconciliations, leave rosters, and password policies.

At Summit, we tell clients: “Ignore the decimal point, lose the whole figure.” Every investigation we’ve cracked, whether UGX 80 million or UGX 8 billion, started with small anomalies someone dismissed. Our forensic accountants don’t chase headlines. They chase details. That’s how we catch the ghosts.

The devil lives in the details

Small risks are never small. They are termites chewing silently at the foundation. They rarely shout, but they always multiply. And by the time leadership notices, the cost is catastrophic. The riskiest leaders in Uganda today are not the ones who gamble boldly. They are the ones who ignore details, shrugging off small risks as “minor.” The next fraud in your organization won’t start with UGX 1 billion.
It will start with the UGX 100,000 that nobody cares about. The question is, who is watching the details?

Copyright IFIS 2025. All rights reserved.
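As an added illustration, not part of the original article and not Summit Consulting’s own tooling, three of the red flags the article lists (expense claims repeatedly just below the approval threshold, after-hours system access, and staff who never take leave) written as screening logic over constructed sample records. The threshold, the “within 10% below” band, the office hours and the employee names are all assumptions chosen for the example.

```python
# Added example: screening logic for three of the article's red flags over
# constructed sample records (not real case data, not Summit's tooling).
from collections import defaultdict
from datetime import datetime, time

APPROVAL_THRESHOLD = 500_000   # UGX; assumed sign-off threshold
NEAR_THRESHOLD_BAND = 0.10     # "just below" = within 10% under it
REPEAT_LIMIT = 3               # flag on the third such claim
OFFICE_HOURS = (time(8, 0), time(18, 0))  # assumed working hours

# Constructed expense claims: (employee, amount in UGX)
CLAIMS = [
    ("okello", 480_000), ("okello", 495_000), ("okello", 470_000),
    ("okello", 120_000), ("nakato", 495_000), ("nakato", 60_000),
    ("mugisha", 750_000),
]
# Constructed core-system access log: "timestamp user action" per line
ACCESS_LOG = """\
2025-03-03T09:15:00 okello login
2025-03-03T17:42:00 nakato login
2025-03-04T23:10:00 okello login
2025-03-06T02:35:00 okello login
2025-03-07T12:00:00 mugisha login
"""
# Constructed leave records: employee -> leave days taken this year
LEAVE_DAYS = {"okello": 0, "nakato": 12, "mugisha": 21}

def near_threshold_claims(claims, threshold=APPROVAL_THRESHOLD,
                          band=NEAR_THRESHOLD_BAND, limit=REPEAT_LIMIT):
    """Employees with `limit` or more claims just under the threshold."""
    counts = defaultdict(int)
    for employee, amount in claims:
        if threshold * (1 - band) <= amount < threshold:
            counts[employee] += 1
    return {e: n for e, n in counts.items() if n >= limit}

def after_hours_access(log_text, office_hours=OFFICE_HOURS):
    """Access events outside office hours, as (timestamp, user) pairs."""
    start, end = office_hours
    flagged = []
    for line in log_text.splitlines():
        stamp, user, _action = line.split()
        if not start <= datetime.fromisoformat(stamp).time() <= end:
            flagged.append((stamp, user))
    return flagged

def no_leave_taken(leave_days):
    """Staff with zero leave days on record."""
    return sorted(e for e, days in leave_days.items() if days == 0)

def screen(claims=CLAIMS, log_text=ACCESS_LOG, leave_days=LEAVE_DAYS):
    """Per-employee list of red flags combined from all three checks."""
    flags = defaultdict(list)
    for employee, n in near_threshold_claims(claims).items():
        flags[employee].append(f"{n} claims just below approval threshold")
    for stamp, user in after_hours_access(log_text):
        flags[user].append(f"after-hours access at {stamp}")
    for employee in no_leave_taken(leave_days):
        flags[employee].append("no leave taken this year")
    return dict(flags)

if __name__ == "__main__":
    for employee, reasons in screen().items():
        print(employee, "->", "; ".join(reasons))
```

On the sample data only one employee trips all three checks; in practice each flag is a prompt for a human to ask questions, not proof of fraud.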
Why ignoring risk is the riskiest move of all
Unthinkable. It happened at 11:48 p.m. in a private hospital in Kampala. The lights were still on, but the hospital’s heartbeat, the patchwork of digital and manual systems holding it together, flatlined. The pharmacy system froze. The laboratory printer jammed mid-test. The mobile money integration for patient payments collapsed. Even the old desktop server that held patient histories blinked into darkness.

Nurses in the ICU reached for files that weren’t there. The paper charts had long been replaced with a “digital records upgrade” that now lay hostage to a system crash. In the theatre, a surgeon barked: “Get me the blood group!” But the lab technicians stood helpless; the results were trapped in the system. An intern sprinted down the corridor, searching for handwritten notes. A nurse fumbled through a drawer with loose papers, praying for a clue.

Relatives pressed against the glass windows, panicked, whispering, “What if someone dies?” One mother clutched her rosary, eyes fixed on the ICU where her child lay on a ventilator. The machines still beeped, but no one could pull up the latest dosage records. What began as “minor systems maintenance” had spiraled into a night of terror.

By morning, the CEO arrived, sweating, shaken, summoned by a flurry of midnight calls from doctors and the board chair. His first question was blunt: “How did this happen?” The bitter truth is that it hadn’t “just happened.” For months, the IT officer had raised red flags. The hospital was running on outdated software, free antivirus, and a third-party backup service that had never been tested. Internal audit had flagged the risks, filing memos no one read. Leadership, eager to look modern with a “digital hospital” brand, had gambled that prevention was too costly. They were wrong.

By the time the systems limped back seven hours later, two scheduled surgeries had been postponed. One patient’s transfer to the ICU had been delayed because payment could not be confirmed.
The pharmacy issued wrong doses due to a lack of updated stock records. Trust shattered. Word spread across WhatsApp groups: “Don’t go there, they nearly killed people last night.”

The financial cost ran into hundreds of millions. But the reputational damage was unquantifiable. In Uganda, where hospitals live or die by word of mouth, this was lethal. Families spoke of negligence. Journalists sniffed for a story. Regulators circled like vultures. It wasn’t just a system crash but a mirror held up to leadership blindness, choosing optimism over action, brand over backbone. And in those seven hours, lives dangled on the edge because someone thought silence was cheaper than prevention.

The illusion of safety

Leaders often mistake silence for safety. Because no disaster is visible today, they assume tomorrow will be the same. But risk is like termites in timber. It eats silently, invisibly, until one day the entire roof caves in during a storm. Think about it. How many Ugandan companies waited until fraud broke headlines before they strengthened controls? How many universities ignored student unrest until a protest burned down offices? How many hospitals shrugged off weak fire systems until lives were lost? Ignoring risk is not risk avoidance. It is deferred suicide.

The psychology of ignoring risk

Why do smart executives act dumb when it comes to risk? Three reasons stand out:

Optimism bias – “We have never had a major fraud before, so why should it start now?” That is the reasoning of a chicken celebrating Christmas Eve because the farmer hasn’t slaughtered it yet.
Short-termism – Many executives are rewarded for quick wins, not for preventing invisible disasters. Why spend UGX 200 million on cybersecurity when you can buy new cars for management and show “progress”?
Fear of bad news – Some boards treat risk officers like prophets of doom. Raise too many alarms, and you’re branded “negative.” So auditors soften language, executives sugarcoat reports, and directors sleep through board packs. Until the wake-up call arrives at 2 am.

The hidden cost of ignored risk

The cost of ignoring risk is never obvious on day one. It accumulates quietly. Banks that ignore credit concentration wake up to billions locked in real estate loans when the sector crashes. NGOs that ignore whistleblower reports discover 30% of project funds siphoned off by “ghost beneficiaries.” Manufacturers that ignore machinery maintenance see production halt when a single bearing breaks. Government agencies that ignore data security pay ransom in Bitcoin to hackers hiding in Moscow or Nairobi. Risk is a tax collector. It never forgets, never forgives, and always charges compound interest.

A case in point

I’ll share three anonymized cases from my investigations with Summit Consulting Ltd:

Case of the vanishing payroll – In 2023, a government parastatal ignored audit flags about payroll irregularities. “We’ll deal with it next quarter,” said the HR director. By the time Summit was called in, over UGX 4.8 billion had been siphoned into mobile money wallets linked to ghost employees. The red flags were visible for two years. They were simply ignored.
Case of the locked warehouse – A local FMCG company ignored repeated risk reports about inventory mismatches. One weekend, staff arrived to find the warehouse padlocked, not by management, but by suppliers owed millions. Goods worth UGX 2.3 billion were trapped inside. That “minor reconciliation issue” turned into a company-wide crisis.
Case of the paralyzed hospital – A private hospital ignored cybersecurity warnings, assuming “hackers only target big banks.” In June 2024, ransomware locked patient records. Doctors could not access lab results or prescriptions for 48 hours. Two patients died. Losses? Beyond money, reputation, trust, and human lives.
Each case shows the same pattern: warnings existed, but leaders chose inaction.

Why ignoring risk is leadership failure

The board’s role is not to cheer quarterly profits but to protect long-term survival. Ignoring risk is leadership malpractice. It signals three weaknesses:

Poor governance – When boards don’t challenge management, blind spots become black holes.
Weak culture – Organizations that punish whistleblowers and auditors cultivate silence, not vigilance.
Complacency – Success

