Organisations in the digital ecosystem spend millions trying to establish controls around their corporate networks from data breaches. This to a great extent does not phase away from the fact that breaches still occur even to the most secure infrastructures. Taking a look at the incidents in the past, high profile breaches target giant firms such as Solar Winds, Marriot, Fastly, Colonial Pipeline, Electronic Arts (E.A) and so many others whose sensitive information was stolen and had major economic and security-related impact alongside reputational risks. Ransomware is on the rise targeting most SMEs (small and medium businesses) and worrisomely supply chain security weaknesses are witnessed in most security breaches. Malicious attackers with little failure infiltrate email servers, file servers, core systems to organizations through unknown/unpatched vulnerabilities and open doors to tones of confidential data. This is Data are the sensitive records that giant companies like Marriot, Microsoft and government entities among others collect from their customers and citizens. Such data always include email addresses, passwords, social security numbers etc. Why data breaches when organizations invest heavily in network security? It’s not clear why systems for organizations that have set aside security budgets and adequate controls are still compromised. Is it a question of limited resources in some organizations, could it be a question of the skills gap in cybersecurity or expertise and or inadequate budgets in some organizations? Most enterprises experience data breaches due to the factors stated above. But whilst these factors could be true and certainly play a part, the key issue is most organizations don’t understand the gravity of this matter and do not take in mind to locate where the weaknesses are in their threat surface until systems are compromised. It is at this point that organizations wake up and invest heavily in identifying the cause of the breach. By the time they do this, it is too late and hard to prevent the aftermath of the breach or reduce the impact. Cyber attackers have an edge where they look for every possible opportunity availed to them just to succeed once into the corporate network and have access to the sensitive information and as for the security teams and network, defenders need to succeed every time. As the digital ecosystem is scaling every time, so are adversaries who have now found it easy to use automated& AI-driven tools to profile the security landscape of the target systems and penetrate and attack corporate networks with ease. Levelling the playing field for attackers With increasing cyber incidents, organization security teams face a couple of challenges from social engineering attempts, Advanced persistent threats (APT), Ransomware attacks Unpatched systems, supply chain risks among other cyber challenges. The companies’ threat landscape requires constant vigilance. Organizations must keep up and illustrate the best practices and training, and ensure their teams are well-staffed to detect and respond to attacks on the ever-increasing attack surface. To this end, organizations should do the following to level the playing field against threat actors who work tirelessly towards compromising the safety and security of your company’s IT infrastructure and data; Train/Educate and prepare your entire organization. With the ever-evolving threat landscape, organizations should find it necessary to create a strong security culture starting with training staff with basic security knowledge on how to identify, predict, and protect company information security systems. In addition to taking preventative technical steps such as utilizing offline encrypted backups, restricting user permissions, and restricting privileges. Network security leaders should educate and prepare the organization’s staff to serve as ambassadors for cyber safety in their organization. To that end, employees at all levels should be educated in the basics of cyber safety. Train them on the most common types of cyber threats (malware, phishing, ransomware, and man-in-the-middle attacks) as well as some of the basic terms applicable to network security. Forexample, the meaning and significance of endpoint security and your organization’s firewall. In educating your team, remember that practice is also important. Take time to conduct role-plays that test your employees’ proficiency with completing due diligence before opening an email, clicking a link, or sending sensitive or financial information in an email is an investment that can pay untold dividends in protecting your organization against a cyber-attack—and the business interruptions, legal risks, and reputational harms they often provoke. Empower your Incident Response Team During an attack, the incident response team should be well equipped and knowledgeable about cybersafety and prepared to respond. The response team should be proactive and provide top management with a strategy to mitigate attacks. The team files incident reports that top management benchmarks to make ongoing decisions on enforcing a security culture. The response team guides the organization’s corporate board in assessing and responding to a breach. This team should include professionals with authority and expertise in IT, operations, human resources, and internal and external communications. This team must act quickly to limit the scope of the attack and assess any damage or ongoing risk. To assist with doing so, the response team should also include legal counsel. Synergy with a legal professional will streamline the process of crafting internal and external communications about the suspected incident, managing law enforcement and governmental reporting where necessary, and conducting an internal investigation of the occurrence to preserve your organization’s attorney-client privilege and work-product protection where appropriate. Automating security practices. Much as attackers also automate their reconnaissance and target risk profiling to better understand the target and the weaknesses. Automation could also likely be a big part of the solution. Regardless of the industry or application, automating tasks allows businesses to concentrate on more productive problem-solving network defending activities. Additionally, these problem-solving activities foster innovation and can lead to a more resilient cybersecurity organization. Most cybersecurity products designed to automate threat detection, threat identification and risk profiling processes are widespread. Most organisations have already implemented automation tools somewhere within their organization. Automation enables organisations to be proactive about improving their cyber resilience rather than being a gold mine for attackers. Automated
Strategic shield: Aligning cybersecurity risk priorities across the board
“Cybersecurity is not just an IT issue; it is a business risk that demands strategic alignment from the top down.” In the digital landscape, cyber threats are evolving at an unprecedented pace, making it crucial for organizations to align cybersecurity risk priorities across all levels of leadership. Cybersecurity is no longer confined to the IT department it is a core business function that requires strategic oversight from the boardroom. Executives and board members must recognize that cyber risks pose a direct threat to business continuity, financial stability, and brand reputation. A siloed approach, where cybersecurity is treated as a technical challenge rather than a strategic concern, leaves organizations vulnerable to devastating breaches. Instead, a unified risk management strategy should be embedded in governance frameworks, ensuring that cybersecurity aligns with overall business objectives. The role of leadership in cybersecurity is to drive a risk-aware culture, allocate necessary resources, and ensure compliance with industry standards. This begins with robust policies, regular risk assessments, and cross-functional collaboration between IT, risk management, and executive teams. By embedding cybersecurity into strategic planning, organizations can proactively mitigate risks rather than reacting to crises. Recognizing the need for leadership-driven cybersecurity, the Institute of Forensics and ICT Security (IFIS) provides specialized cybersecurity training programs to equip executives, board members, and business leaders with the knowledge and skills to address cyber threats effectively. These programs help decision-makers understand cyber risks, implement governance frameworks, and foster a resilient cybersecurity culture within their organizations. In a world where cyberattacks can cripple businesses overnight, organizations that align cybersecurity priorities at the executive level gain a strategic shield against digital threats. Leadership commitment is not just an option it is a necessity for safeguarding the future of the enterprise. “Cybersecurity is not just about technology; it is about leadership, strategy, and resilience.”
Developing a Comprehensive Risk Management Process
A common definition of risk is an uncertain event that may occur and have a positive or negative impact on a company’s or organization’s goals. The potential for a risk to have a positive or negative effect is an important concept. Why? Because it is natural to fall into the trap of thinking that risks have inherently negative effects. If you are also open to those risks that create positive opportunities, you can make your project smarter, streamlined, and more profitable. Think of the adage “Accept the inevitable and turn it to your advantage.” That is what you do when you mine project risks to create opportunities. Uncertainty is at the heart of risk. You may be unsure if an event is likely to occur or not. Also, you may be uncertain what its consequences would be if it did occur. Likelihood, which is the probability of an event occurring, and consequence, that is, the impact or outcome of an event, are the two components that characterize the magnitude of the risk. All risk management processes follow the same basic steps, although sometimes different jargon is used to describe these steps. Together, these 5 risk management process steps combine to deliver a simple and effective risk management process. Identify the Risk. You and your team uncover, recognize, and describe risks that might affect your project or its outcomes. There are a number of techniques you can use to find project risks. During this step, you start to prepare your Project Risk Register. Analyze the risk. Once risks are identified, you determine the likelihood and consequences of each risk. You develop an understanding of the nature of the risk and its potential to affect project goals and objectives. This information is also input to your Project Risk Register. Evaluate or Rank the Risk. You evaluate or rank the risk by determining the risk magnitude, which is the combination of likelihood and consequence. You make decisions about whether the risk is acceptable or whether it is serious enough to warrant treatment. These risk rankings are also added to your Project Risk Register. Treat the Risk. This is also referred to as Risk Response Planning. During this step, you assess your highest-ranked risks and set out a plan to treat or modify these risks to achieve acceptable risk levels. How can you minimize the probability of the negative risks while enhancing the opportunities? You create risk mitigation strategies, preventive plans, and contingency plans in this step. And you add the risk treatment measures for the highest ranking or most serious risks to your Project Risk Register. Monitor and review the risk. This is the step where you take your Project Risk Register and use it to monitor, track, and review risks. Risk is about uncertainty. If you put a framework around that uncertainty, then you effectively de-risk your project. And that means you can move much more confidently to achieve your project goals. By identifying and managing a comprehensive list of project risks, unpleasant surprises and barriers can be reduced and golden opportunities discovered. The risk management process also helps to resolve problems when they occur, because those problems have been envisaged, and plans to treat them have already been developed and agreed upon. You avoid impulsive reactions and going into “fire-fighting” mode to rectify problems that could have been anticipated. This makes for happier, less-stressed project teams and stakeholders. The result is that you minimize the impacts of project threats and capture the opportunities that occur. For busy professionals who need to meet continuing professional development requirements and boost their career opportunities, our online courses provide a flexible and cost-effective way to achieve this by providing anywhere, anytime access and a supportive online community. Continuing Professional Development offers a series of online project management courses to advance your project management skills and your career. The Institute of Forensics and ICT Security will give you the practical skills to develop a comprehensive risk management process. You can find us at Ntinda complex, opposite St. Luke’s church, Ntinda.
A growing cyber threat landscape of East Africa – part 2
As the global digital landscape continues to expand, so too do the risks associated with it. The East African (EA) region, while making notable progress in digital transformation, still lags significantly behind more advanced regions like the United Arab Emirates (UAE) in terms of digital infrastructure, cybersecurity readiness, and exposure management. The East African Region in Context The East African region has approximately 13,409 discovered systems and applications, a figure dramatically lower than the UAE’s 155,000. This disparity highlights the contrasting stages of digital maturity between the regions. The UAE has aggressively invested in smart city projects, e-government services, and a dynamic digital economy, creating an extensive and complex web of digital infrastructure. However, this advancement comes at a cost—broadening the nation’s attack surface and increasing its susceptibility to cyber threats. Conversely, East Africa is still in the early to middle stages of digital transformation. While Kenya has shown promising growth in its tech ecosystem, countries like Rwanda and Uganda still maintain relatively smaller digital footprints. Uganda, for instance, has recognized the urgency of this challenge by launching a National Cybersecurity Strategy, aimed at fostering a secure and trusted digital economy. Still, as the digital footprint across East Africa grows, so does its vulnerability. Without significant investments in cybersecurity infrastructure, policies, and talent mirroring models like the UAE, EA countries risk exposing critical systems to increasingly sophisticated cyber threats. Deep Dive into Uganda’s Cybersecurity Posture Digital automation has become a top priority in the boardrooms of Uganda’s major sectors, including financial services, telecommunications, utilities, and government. While this shift offers vast benefits in service delivery and efficiency, it also introduces new cybersecurity risks. A glaring example was the October 2020 cyber breach. Cybercriminals exploited approximately 2,000 mobile SIM cards to compromise Uganda’s mobile money infrastructure. The incident impacted companies like Pegasus Technologies, MTN Uganda, Airtel Uganda, and Bank of Africa, resulting in an estimated loss of UGX 11 billion. This breach laid bare systemic weaknesses in Uganda’s cybersecurity posture, especially in the management of digital payment systems. Further assessments have identified a host of vulnerabilities within Uganda’s digital environment. Weak cryptographic implementations, unsecured open ports, outdated systems, and poorly configured network access points continue to pose significant threats, particularly to sectors that manage sensitive data. Exposure Through Open Ports: Uganda’s Top Vulnerabilities An in-depth analysis of Uganda’s exposed systems revealed 19 critical open ports, many of which are potential entry points for attackers. The table below summarizes key ports and their associated risks: Table 1: Open ports discovered in Uganda and services running. Port Description Security threat 80 (HTTP) Port 80 is an insecure protocol. Data is sent in plain text. Hypertext Transfer Protocol (HTTP) runs on port 80 and is used for transmitting web traffic. From July 2017 to August 2024, we observed an average of 4,837 systems and instances where port 80 was open across all internet service providers. Port 80 is vulnerable to man-in-the-middle attacks, eavesdropping, and data interception because data is sent in plain text i.e., not encrypted. Such poor cybersecurity practices are responsible for the growing number of business email compromises. For secure website browsing, websites should ideally use HTTPS (Port 443) instead. 22 (SSH) Port 22 provides encrypted communication for remote login and command execution. We observed an average of 4,186 systems and instances where port 22 was open between July 2017 and August 2024. If misconfigured, port 22 could be targeted for brute-force attacks to gain unauthorized access to information technology systems. 161 (SNMP) Port 161 is used for network management and monitoring devices. It uses the Simple Network Management Protocol. In the period between July 2017 and August 2024, there was an average of 4,027 systems where port 161 was open and running across all internet service providers. Exposed SNMP could reveal sensitive information about the network infrastructure, leading to the exploitation of vulnerabilities. 443 (HTTPS) Port 443 is a secure web traffic communication protocol. Unlike port 80, Port 443 uses the Hypertext Transfer Protocol Secure, which encrypts web traffic, securing data between the user and the web server. Our analysis shows that most internet service providers are lagging in terms of securing client data over the web. On average, 3,356 systems had port 443 active from the data analysed between July 2017 and August 2024, while port 80 had an average of 4,837. Critical for protecting user data. Misconfigured SSL/TLS certificates could still expose websites to attacks. Port 53 (DNS) Port 53 runs the Domain Name System that translates domain names into IP addresses. For any website, it must have an Internet Protocol (IP) address. We observed that from July 2017 to September 2017, no systems and instances were running on port 53. Traffic picked up from October 2017. Analysis shows that 1,253 systems and instances were open on port 53. The average is low due to the Uganda Communications Commission regulatory requirement where all domain owners were mandated to register with UCC. If misconfigured, attackers could use port 53 to cause denial of service on websites. Port 23 (Telnet) Telnet is a widely used tool that provides remote login services. Telnet, just like port 80 transmits data, including credentials, in plain text. Our analysis shows that NITA-U had the highest number of open Telnet ports. On average, 1,240 systems had Telnet open from July 2017 to August 2024. Extremely insecure and prone to eavesdropping attacks. It is generally replaced by SSH (Port 22). Port 21 (FTP) Port 21 is used to transfer files over the network. It uses the File Transfer Protocol mechanisms. Transmits data in plain text, including passwords. It’s prone to attacks like FTP bounce, packet sniffing, and brute force. The Critical Role of Cryptographic Design At the heart of any secure system lies modern cryptography—responsible for ensuring data confidentiality and verifying the authenticity of users and machines. Unfortunately, many systems in Uganda still transmit sensitive information in clear text, essentially sending critical data across the internet like an unsealed letter. When open ports are not secured with robust cryptographic protocols, attackers
Understanding Risk Assessment: Turning vulnerabilities into actionable insights
Imagine you have a crucial business pitch scheduled at Hotel Triangle in Mbarara. You must be there tomorrow at exactly 9:00 AM, ready and confident to secure a transformative deal. This is your “objective at risk”—the cornerstone of your entire journey. To ensure you attain your objective, you conduct a risk assessment – a disciplined process of identifying, analyzing, and evaluating risks that could prevent you from achieving your key [strategic] objective. It’s asking yourself three clear questions: What could go wrong? (Risk Identification) How likely is it, and how severe would the impact be? (Risk Analysis) Which risks matter most, and what will we do about them? (Risk Evaluation) Without clarity about what your “objective at risk” is—the ultimate goal you aim to protect—risk assessment becomes meaningless a) Risk identification Before leaving Kampala, you ask: “What could derail this journey?” You quickly list: heavy morning traffic at Busega, road construction at Mpigi, a car breakdown near Masaka, fuel shortage at Lyantonde, and a potential accident along the way due to reckless drivers. As you can see, understanding context – the route and journey – is so critical. For that reason, the input of the driver (risk/ process owner) who frequently drives on the road would make your risk assessment effective and on point. b) Risk analysis (5×5) Next, you weigh these identified risks using a 5×5 matrix—measuring likelihood (rare to almost certain) against impact (insignificant to catastrophic): Now you have quantified your threats clearly. c) Risk evaluation and risk appetite Your risk appetite sets clear boundaries on how much risk you are willing to tolerate. Low appetite– You won’t risk anything catastrophic, no room for breakdowns, fuel shortages, or accidents. Medium appetite– You cautiously tolerate moderate traffic delays, but only briefly. High appetite-You’re comfortable risking minor delays and manageable inconveniences. Given this, you conclude: a) Traffic at Busega (15) and Roadworks at Mpigi (16) exceed your tolerance. Action: Leave Kampala before dawn to avoid these risks. b) Car Breakdown (10), Accident (10), and Fuel Shortage (5) are manageable with preparation. Action: Service the car, carry spare tyres, refuel in Masaka, and drive cautiously. Risk register example Note Without clarity on your objective of arriving timely and prepared in Mbarara, your risk management is directionless, wasteful, and ultimately ineffective. Risk management must always be guided by clear objectives. If you don’t know where you’re going, no risk register, however detailed, can help you get there.
Risk Assessment Technique #19: Layers of Protection (LOPA)
Pick any city of your choice – Nairobi, Paris, or Dubai. For my case, let me take you to Kampala, Africa’s top entertainment city. A fuel station. Busy intersection. Trucks, bodas, taxis. One afternoon, a tanker offloads fuel. The driver forgets to tighten the valve. A slow leak starts. Nobody notices. That’s our initiating event. The fuel station is located in the middle of retail shops with a lot of traffic. There is also a nursery school, and kids are playing nearby. A Pedestrian walking by lights a cigarette. You have been observing all this… your heart starts racing. What layers of protection do you have before this becomes a headline? To answer the question, let’s apply the LOPA technique. Layer of Protection Analysis. Write this on your notepad — Mitigated likelihood = X × Y1 × Y2 × Y3…Yn Here’s how it plays out – your layers of protection (or layers of controls), “sleep” on the job… Is the likelihood of a driver error like that? Let’s say once a year = X = 1.0 First layer– Staff supervision during offloading. But the supervisor was on the phone. Let’s say 1 in 10 chance it fails = Y1 = 0.1 Second layer– CCTV monitoring. But the footage is never reviewed in real-time = Y2 = 0.2 Third layer — A spill containment system. But it’s clogged with plastic bags because it is rarely cleaned. Let’s say failure rate = Y3 = 0.5 Final layer-Community awareness signage—‘No smoking near tankers.’ But the signs are rusted and ignored. Even then, the signs are on the fuel pumps and are not easy to read. Let’s be generous and say failure rate = Y4 = 0.7 Now plug in the equation– Mitigated likelihood = 1.0 × 0.1 × 0.2 × 0.5 × 0.7 = 0.007 That’s roughly a 0.7% chance the incident escalates. Now, you may say—“Mr Strategy, that’s a small number.” But in risk management as in proactive leadership, numbers mean nothing without context. What is small could be big due to the control environment, general community policing, and city governance. A 0.7% chance every day, in a city with hundreds of fuel stations, that are located without any planning whatsoever, becomes inevitable over time. That’s why fires keep happening in our cities in East Africa. Fuel tankers overturn and burn to ashes. Because we overestimate our layers. And even do not look after them. LOPA forces you to ask tough questions– a) Are the layers truly independent? b) Are they tested? c) Do they cover human failure, technology failure, and environmental conditions? In this case, we advise a) A mandatory offloading checklist signed by a supervisor (new layer) b) Spill sensors with audible alarm (automated, independent) c) Refresher training every 3 months d) Real-time CCTV monitoring from head office (central layer) e) A large visible signage with “NO SMOKING” prominently displayed at the petrol station logo. Once these are in, you recalculate the risk. Maybe you can bring it down from 0.7% to 0.0001%. That’s what the Board should see. Such a risk appetite is safer and protects stakeholder value. Not emotions. Not stories. Numbers. Defensible, auditable numbers. That’s the power of LOPA. You don’t manage risk by feeling safe. You manage it by measuring what’s keeping you safe.
Your data is for sale: The price tag hackers put on you
How much is your life worth? Not in a philosophical sense. I mean, literally, if someone stole your email password, your National ID number, or your medical history, what would they fetch for it on the dark web? Because make no mistake, your data already has a price tag. And someone, somewhere, is bargaining over it. Most Ugandans imagine hackers as shadowy figures targeting “big people”, CEOs, ministers, bankers. Ordinary citizens believe they are too small to matter. That illusion is the first thing criminal’s exploit. Let me take you inside the underground market where you are the commodity. The Gulu cybercafé incident In late 2022, police in Gulu quietly arrested two young men running a seemingly innocent internet café. Customers thought they were just selling printing services and internet access. But when our investigators were called in, the story twisted. The café was a front. Behind the counter, the men had installed keylogger software on every computer. Every person who logged into email, Facebook, or mobile money left behind their credentials. A boda rider’s Airtel Money PIN. A nurse’s work email and password. A student’s login to Makerere University portal. These were packaged into neat spreadsheets, encrypted, and sold in WhatsApp groups for as little as UGX 3,000 per login. Think about that. Your entire financial life, on sale for less than the price of a Rolex on Jinja Road. Why data is valuable To hackers, data is currency. Each piece unlocks multiple fraud opportunities: National ID number (NIN): Used to register SIM cards for fraudulent loans. Price: about UGX 5,000. Mobile money PIN: Direct theft. Price: varies, UGX 20,000 to UGX 50,000. Email + password: Gateway to bank logins, cloud drives, and identity theft. Price: UGX 10,000–15,000. Medical records: Used for blackmail (“Pay or we leak your HIV status”) or fake insurance claims. Price: UGX 100,000+. When you add it up, an average Ugandan with three SIM cards, a bank account, and a social media presence represents over UGX 200,000 in resale value. Multiply by thousands of compromised users, and you see why hackers salivate. The invisible marketplace The dark web isn’t some Hollywood movie set. It’s messy, low-tech, and often conducted right here on familiar apps, Telegram, WhatsApp, and even Facebook groups disguised as “Forex traders” or “online hustlers.” In 2023, investigators infiltrated one such group. What they found was chilling: Lists of fresh NINs stolen from a poorly secured database. Bank statements of customers were emailed in unencrypted form by careless bankers. Hospital lab results from clinics still using unsecured Gmail accounts. Each document carried a price tag. A bank statement with balances over UGX 50 million was “premium,” going for UGX 250,000. The hacker joked, “Rich clients are more fun.” The buyers? Not just criminals abroad. Local fraudsters, loan sharks, and even debt collectors are desperate for leverage. How Ugandans leak their own data Most data theft in Uganda doesn’t happen through “advanced hacking.” It happens because people give it away cheaply. Free Wi-Fi traps. That “Free Wi-Fi” at a café in Wandegeya? It’s often a rogue hotspot. The moment you connect, every password you type flows to the hotspot owner. Phone repairs. You drop your smartphone at a repair shop in Kisekka. The technician copies your contacts, WhatsApp chats, and photos before fixing the screen. You think the risk was cracked glass. The real risk was your digital diary. Social media oversharing. Birthdays, schools, pets, and innocent posts become gold for hackers crafting password guesses. “Lisa2010” isn’t hard to crack if you just posted “Happy 14th birthday, Lisa!” Paper carelessness. At one Kampala bank, customers still throw old ATM receipts into dustbins outside. Hackers pick them up, reconstruct transaction histories, and phone-scam clients pretending to be bank staff. Your data doesn’t always get stolen. Sometimes, you hand it over. The insurance scam In 2024, a Kampala insurance company was rocked by a scandal. Customers began receiving strange calls: “We see from your medical history that you recently tested positive for X. For privacy reasons, we can help you delete this record for a small fee.” The data was genuine. How did criminals get it? An insider, a claims officer, was photographing customer files and selling them via Telegram. For each record, he earned UGX 30,000. By the time we intervened, over 12,000 medical files had been leaked. The reputational damage was catastrophic. The company lost two major international partners. Small fees for the insider. Big disaster for the firm. Why your data is never “too small” You may think: “But I’m just a teacher in Mbale. I have nothing hackers want.” Wrong. Your SIM card can be used to borrow money you’ll never see. Your photo can be edited into pornography and sold. Your medical record can be used to blackmail you. Your identity can be swapped with a criminal’s, leaving you to answer for their crimes. Even the smallest trail of data, an email, a birthdate, or a bank balance of UGX 50,000, can be weaponized. In the data economy, everyone is valuable prey. Why companies fail to protect you Ugandan companies are often complicit in this market, not out of malice, but negligence. Weak passwords: Staff still use “12345” as login credentials. Email insecurity: Client statements are sent in plain PDF without encryption. Lack of staff training: Employees click phishing emails daily. Outdated systems: Hospitals running Windows XP with no patches. When breaches happen, companies hush them up. No public disclosure. No accountability. Customers remain in the dark, literally. Red flags you are already compromised You may already be a victim if: You receive calls from strangers quoting personal details only you gave to a bank, hospital, or telco. Your email or Facebook suddenly demands a password reset. You notice small deductions from your mobile money wallet. Friends receive strange messages from your account asking for “urgent help.” These are not coincidences. There are signs your data is already circulating on underground markets. Lessons for leaders and citizens For individuals Stop
When small risks become big disasters
Have you ever watched a crack in the wall and thought, “It’s nothing, just cosmetic”? Weeks later, the same crack widens, swallowing paint, bricks, and peace of mind. That’s how risk works. The small ones you ignore are the ones that ambush you. A school in Masindi once ignored a tiny trail of ants crawling up a wooden beam in their library. The caretaker waved it off as “normal.” Two years later, the roof caved in during a rainy season, destroying books, computers, and leaving children without a classroom. The disaster wasn’t caused by the rain. It was caused by termites allowed to eat slowly, quietly, until the structure gave way. This is the anatomy of risk. Small, daily oversights, ignored emails, unchecked reconciliations, one staff member bypassing procedure “just this once”, are termites in your organisation. They don’t roar. They whisper. And yet, they bring empires down. How small risks grow fangs Normalization of deviance. A cashier rounds off UGX 5,000 from daily collections. Management laughs it off. “At least she’s reporting honestly.” Months later, the habit scales into UGX 50 million siphoned through mobile money transfers. Ignored warning signs. A bank’s IT officer notices failed login attempts at 2:00 am. He assumes it’s a system glitch. No escalation. Two weeks later, the core banking system is breached. What began as a minor anomaly becomes a multimillion-shilling cyber heist. Tolerance for mediocrity. An NGO accepts reports submitted late by one field officer. “He’s hardworking, let’s be flexible.” Soon, half the field staff stop meeting deadlines. The project loses donor funding. A tiny compromise cascades into an existential crisis. The silent fuel leak In early 2024, Summit Consulting was called by a logistics company in Jinja. Trucks were always “under-performing” on fuel efficiency. Management dismissed it as bad roads. But our audit revealed the truth: Drivers siphoned small amounts of fuel, two litres here, three litres there, selling to boda riders. No one noticed because reconciliations were manual, and the finance team saw “variances” as trivial. Over three years, these small leaks grew into a UGX 1.2 billion hole. This wasn’t fuel theft. It was the story of how tiny, ignored risks become corporate earthquakes. Why leaders ignore small risks Familiarity: They happen so often that they feel normal. Optimism bias: Leaders believe “our people wouldn’t do that.” Resource trade-offs: Boards allocate budget to fight big lions, while snakes crawl under the table. Lessons for boards and CEOs Interrogate the trivial. If a risk seems too small to care about, ask how it could multiply. Escalate anomalies. A small system glitch may be the first symptom of a full-blown breach. Audit the day. Fraud rarely begins with billions. It begins with thousands. Zero tolerance. The moment you excuse a “minor” lapse, you see tomorrow’s disaster. Organisations rarely fall because of earthquakes. They fall because of ignored cracks. The leaders who win are those who train their eyes not just on the spectacular, but on the ordinary. Because in business, the termites eat longer than the lions.
Blind spots in risk: What you don’t see could sink you
What is more dangerous, a lion you see charging at you, or a snake coiled silently under your chair? Every boardroom I enter is filled with executives boasting about the lions they’ve slain. Fraud? They have auditors. Cybersecurity? Firewalls in place. Regulatory fines? Lawyers on retainer. They beam with confidence, armed with dashboards and policies thicker than the Bible. But confidence is not control. The greatest threat is never the lion you see; it is the snake you ignore. Picture this: A farmer in Hoima builds a sturdy granary to protect against thieves. He hires guards, installs padlocks, and even digs trenches. The village admires his foresight. But while he obsesses over burglars, he forgets the simplest risk: termites. They chew silently, invisibly, until one morning the granary collapses. Not from theft, but from neglect of the unseen. Boards are that farmer. They invest in the visible. They ignore the invisible. And that is why companies collapse without warning. Blind spots in risk thrive in three toxic soils: Familiarity bias. The people we know best blind us most. A CEO in Kampala once told me proudly, “My finance manager is family. I don’t even need to check his work.” Months later, the same man begged me to investigate how UGX 3.4 billion disappeared. It was the family member. Loyalty blinded oversight. Complexity bias. Risk managers love charts. The more complex the matrix, the more it looks like work is being done. Yet complexity is camouflage. At Summit Consulting, we once reviewed a bank’s 67-page risk register. Not one mention of staff collusion. Weeks later, collusion was exactly what triggered a UGX 9 billion fraud. Complexity killed clarity. Success bias. Nothing blinds like profit. In 2019, a Ugandan microfinance institution celebrated “record-breaking returns.” Management declared the risk “low.” Hidden inside the numbers was a ballooning loan book filled with ghost borrowers. Staff had been creating fake clients and splitting the cash. When we investigated, the institution was already insolvent. Success had been the mask of fraud. Case file: The cooperative that trusted too much In late 2023, Summit Consulting was called to western Uganda to investigate a cooperative society. On paper, they looked strong: audited books, signed receipts, clear policies. Their risk register listed drought, theft, and market volatility. Not bad for a village operation. But something didn’t add up. Despite bumper harvests, the cooperative’s bank balance was shrinking. Members whispered. Rumors spread. The board finally called in “external eyes.” Here’s what we found: The treasurer used his personal SIM card for all mobile money transactions. It was convenient. Everyone trusted him. Payments to suppliers were inflated. An invoice for UGX 2,300,000 was changed to UGX 2,750,000 over the phone. The difference landed quietly in his wallet. Collections were underreported. Farmers deposited UGX 500,000, but only UGX 350,000 was recorded. The rest vanished in airtime and cash-outs. This wasn’t a one-off theft. It was death by a thousand cuts. Over five years, nearly UGX 600 million had been siphoned. The cooperative wasn’t killed by drought. It wasn’t killed by market shocks. It was dead by termites, the blind spot of blind trust. Here’s the irony. The more confident leaders are about their “risk maturity,” the more likely they are blind. Real risk management isn’t about cataloguing the obvious. It’s about interrogating the unthinkable. Every time I ask a board, “What is your greatest blind spot?” silence fills the room. They’re happy listing cyber threats, regulatory fines, and fraud. But blind spots? That requires humility. In one session, I challenged a CEO: “If tomorrow morning, your biggest scandal hit the front page, what would it be?” He laughed nervously. Weeks later, it happened. Not cyber fraud. Not bribery. It was a toxic culture of sexual harassment swept under the carpet. The board had armored against lions but ignored the snake under its chair. Red flags that expose blind spots Every fraud we’ve investigated at Summit Consulting had red flags, ignored because they didn’t roar loudly enough. Unusual lifestyle changes. A junior officer driving a car better than the CEO. “He just has side hustles,” management said. Fraud later confirmed. Over-dependence on one person. “Only Jane knows that system.” Translation: Jane controls the keys to your vault. Silence in meetings. If no one challenges management, it’s not harmony, it’s fear. Silence is a red flag. Complex reports with no exceptions. When every report says “all good,” it means your auditors are asleep or compromised. Blind spots are never truly invisible. They are ignored whispers. Let’s be blunt. Too many Ugandan boards are ceremonial. They meet, eat, nod, and rubber-stamp. They consume what management feeds them, no questions asked. That culture breeds blind spots. If your board pack is 300 pages long and directors skim it in two hours, you are not governing, you are gambling. If your risk committee meets only quarterly, yet fraud happens daily, you are playing catch-up. If your audit function is underfunded, you are paying for silence, not protection. Invite dissent. If everyone in your boardroom agrees, you’re blind. Appoint directors who irritate you with questions. That irritation is eyesight. Stress-test assumptions. Ask: What if our best employee is our biggest fraudster? What if our top supplier is overcharging us? What if our profits are fake? Rotate roles. Fraud thrives where one person holds power too long. Change custodians, passwords, and signatories often. Listen to whispers. Staff gossip is free risk intelligence. Ignore it, and you’ll pay for it in losses. The future belongs to boards and CEOs who cultivate paranoia, not paralysis, but disciplined imagination. Leaders who can scan for what isn’t in the report. Leaders who treat silence as evidence, not absence. Leaders who know termites destroy more granaries than thieves. Because in business, as in life, it’s rarely the lion that kills you. It’s the snake under your chair.
The enemy within: Why your staff may be the biggest cyber threat
On 7th November 2024, a well-known humanitarian NGO in Kampala discovered that donor funds, meant for a maternal health project in Lira, had mysteriously dwindled. Bank statements showed UGX 1.6 billion disbursed to “beneficiary suppliers.” Yet on the ground, no medicines had arrived, and the health centre shelves remained empty. At first, management suspected supplier fraud. They called in Summit Consulting Ltd to investigate. What we uncovered was far more chilling, the breach was inside the house. How insiders weaponised access The NGO’s finance system required two approvals for any payment above UGX 10 million. But insiders knew the weaknesses. Suspect 1, a trusted finance officer, had legitimate system credentials. Suspect 2, an IT administrator, had the power to override password resets. Together, they created “ghost suppliers”, registered companies with near-identical names to real vendors. For example, “Gulu Health Supplies Ltd” vs. “Gulu Health Supplies Uganda Ltd.” Funds were routed to accounts in the ghost companies, then siphoned through mobile money withdrawals in Gulu and Lira. The scheme ran undetected for nine months. Each transfer was small enough, UGX 25 million here, UGX 40 million there, to escape donor scrutiny. The human side of cyber risk Most executives think of cyber threats as hackers in hoodies in Russia or China. The reality in Uganda is different: your biggest threat is wearing your branded T-shirt, attending your morning devotion, and smiling in your staff WhatsApp group. Why? Because insiders know your controls. They know what auditors look for, and what they ignore. Understand your timing. They know when approvers are distracted (e.g., month-end rush, board meetings, retreats). Exploit trust. In cultures where sharing passwords over WhatsApp is normal, controls collapse. This is why your staff may be your greatest cyber vulnerability. The investigation trail Investigators always follow the leads. Bank account forensics. The ghost supplier accounts had no other business transactions, only NGO deposits. Mobile money analysis. Large cash withdrawals happened consistently within 48 hours of every NGO transfer. IP address tracking. Payment approvals allegedly made “by the CFO” actually came from the same office subnet used by Suspect 1. Lifestyle audit. Suspect 1, earning UGX 3 million monthly, had just completed a two-storey house in Najjera and was driving a Subaru Forester. The pattern was unmistakable. Red flags ignored The auditors had seen the signs but failed to escalate. Repeated vendor name similarities. No supplier vetting had been done for years. Unusual working hours. Approvals at 11:47 pm were logged as “routine.” Lifestyle inflation. The same officer suddenly stopped borrowing salary advances and started flashing new gadgets. Weak IT segregation. One administrator had access to both the system backend and the finance workflow. In short, the enemy was within, but the system was too trusting to notice. Why insiders turn rogue Interviews revealed three motives Perceived injustice. Suspect 1 felt underpaid compared to expatriate staff. Weak controls meant ghost suppliers could slip through with ease. The suspects claimed, “Donor’s waste money anyway; at least ours built something.” This is the classic fraud triangle: pressure, opportunity, and rationalisation, played out in cyber terms. The cultural dilemma Many organisations struggle with a cultural contradiction; they value loyalty over verification. Managers say, “We are like family here.” Yet in cyber risk, family culture can be fatal. Trust is not a control. In fact, it is a vulnerability. The stronger the “family” culture, the easier it is for insiders to exploit it without suspicion. How to fight the enemy within Zero Trust principles must be applied, but tailored to Ugandan realities Segregate duties. No single person should control end-to-end financial transactions. Automated monitoring. Deploy analytics that flag duplicate suppliers, unusual working hours, and suspicious clustering of payments. Continuous vetting. Do lifestyle audits, especially for staff in finance and IT. Enforce least privilege. Give staff access only to what they need, nothing more. Whistleblower protection. Create safe channels. Most frauds are exposed by insiders, not systems. By the time the case closed, the NGO had lost UGX 1.6 billion. Donors froze funding. Reputational damage was catastrophic. As investigators, we recommended interventions to rebuild the control environment, retrain staff, and implement continuous monitoring tools. But the lesson was permanent: the cyber threat was not outside. It was inside. Cyber resilience is not about buying the latest firewall. It is about hardening your organisation against betrayal from within. Your staff may be your greatest asset. But under pressure, they may also become your greatest liability. The new imperative for every Ugandan board is clear: Trust people. But design systems that do not need to. Until next week, we remain, IFIS.
