While technology has driven the digital agenda and led to greater innovation, growth, and efficiency, it also opens the road to security breaches and other types of cyber-attacks. As your company hires more employees, the number of active endpoint devices grows, and with it the exposure to breaches. Every device that connects to your corporate network further weakens the network’s overall security posture. Alongside the technical challenge comes the organizational cost of protecting a growing endpoint environment.

On one side of the technology, innovators and developers work with sophisticated technologies such as Artificial Intelligence (AI) and Machine Learning. On the other side, malicious actors with the skills and tooling to bypass security solutions gain access to corporate networks and critical systems. Attackers, their techniques and their delivery vectors are all becoming more sophisticated, which has contributed to a growing threat landscape. As organizational data and intellectual property grow in value, they become equally valuable to crackers and threat agents. It is for this reason that industries and organizations of all sizes have become potential targets. In this article, we provide some brief insights into endpoint security and its importance to organizations going forward.

What is Endpoint Security?

Endpoint security is the cybersecurity approach to securing corporate networks by defending endpoints, the entry points of end-user devices such as desktops, laptops and mobile devices, from malicious activity. Given the number of endpoints connected to a corporate network, endpoints are, by default, the weak link in the network.
Ensuring robust endpoint security is of paramount necessity for the organization and the entire network to protect against a successful cyber-attack.

What is an endpoint?

An endpoint is any device that connects to the corporate network from outside its firewall. Examples include laptops, tablets, mobile devices, Internet of Things (IoT) devices, and any other device that communicates with the central network.

Why do you need an endpoint security strategy?

An endpoint security strategy is important to all businesses operating in a hybrid working environment, because every remote endpoint is a potential entry point for an attack, and endpoints are increasing every day given the rapid pandemic-related shift to remote work. According to a Gallup Poll, organizations have increasingly adopted remote working since 2020, reaching about 51% by the end of 2021. The risks posed by endpoints and their sensitive data are a challenge that’s not going away. The Verizon 2021 Data Breach Investigations Report found: “Servers are still dominating the asset landscape due to the prevalence of web apps and mail services involved in incidents. And attacks over social networks continue to compromise people (they have now pulled past user devices), we begin to see the domination of phishing emails and websites delivering malware used for fraud or espionage.”

With the current challenges facing your organization concerning remote workers and the vulnerability of remote endpoints connected to the network, a greater emphasis on endpoint security should be considered a priority. All remote endpoints connect to the corporate network from outside the traditional perimeter of the corporate firewall and, in some regards, miss the benefit of monitoring of incoming and outgoing connections.
Cost of a data breach resulting from insecure endpoints

Having in mind the cost implications and complexity of endpoint security risks, Ponemon’s research reveals that 63% of enterprises have no capacity to monitor off-network endpoints (“dark endpoints”), leaving more than 50% of endpoints vulnerable to a costly data breach. The Ponemon Institute’s research on endpoint security reveals that traditional endpoint security approaches are inadequate: organizations spend over $6 million annually on poor detection, slow response, and wasted time. As the aggressive nature of emerging threats to proprietary data continues to grow, the cost and complexity of reducing risks and confirming compliance are at an all-time high.

Additionally, the study revealed that enterprises find it difficult to identify dark endpoints (rogue access points, out-of-compliance devices, or off-network devices), which create blind spots and increase the organization’s vulnerability to attack. While there is less confidence in endpoint security, the IT security experts in this study believe that close to 60% of the time invested each week in capturing and evaluating intelligence about true threats, to both compliance and proprietary data, can be saved by deploying automated solutions.

Conclusion

Malicious attacks will continue to grow in sophistication and magnitude, and threat agents will continue to advance their attack skills and techniques. It is time organizations prepared for the attacks to come and took into account the full picture of endpoint protection. Organizations need to strengthen their security position by enhancing their security solutions. Endpoint security solutions need tools in place to detect and respond to targeted incidents, for example blocking malware through signature analysis, machine learning and behavioural analysis.
Without an endpoint security strategy in place, protecting against endpoint attacks will be a great challenge to organizations going forward, because endpoints exist where humans and machines intersect. To be continued…
Risk is inevitable. Are you managing it or reacting to it?
What is a black swan?

Some events have never happened before. No model can anticipate them. These are modern-day black swans, and they pose high risks.

Today, risk is not a possibility; it is a certainty. From economic shocks and cybersecurity breaches to natural disasters and operational failures, every organization is exposed. The difference between those that survive and those that fall is not luck. It is preparedness.

Yet far too many companies wait for risk to strike before they act. They rely on outdated reports, fragmented data, or gut instinct, reacting to events instead of managing them with intention. By the time the alarm sounds, the damage is often done.

A forward-thinking organization treats risk management as a core function of leadership, not a box to check. It builds a culture where risk is assessed continuously, monitored actively, and mitigated with discipline. It connects risk to strategy, uses data to forecast potential disruptions, and empowers decision-makers with clear insight.

Managing risk means more than writing policies. It means asking:
What could go wrong?
How prepared are we?
Who is accountable?
What indicators warn us before the storm?

In contrast, reacting to risk means scrambling. It means press briefings, board apologies, customer churn, and financial loss. It means learning lessons in the worst possible way: too late.

The truth is, no company can eliminate risk. But every company can manage it better. The choice is yours: anticipate or apologize. Govern or gamble. Lead or react. Risk is inevitable. But disaster is optional.
A growing cyber threat landscape of East Africa-part 1
As East Africa rapidly embraces digital transformation, the region is increasingly becoming a target for sophisticated cybercriminal networks. In particular, Uganda, Kenya, Tanzania, and Rwanda face growing cyber threats as businesses, government agencies, and service providers expand their digital footprints. This surge in digital adoption, while fuelling innovation and economic growth, also expands the attack surface, exposing critical systems, applications, and data to serious risks. Cybersecurity is no longer a luxury; it is a strategic imperative.

The cyber threat landscape in Uganda and the broader East African region is intensifying. Businesses are relying more on digital platforms to serve customers and operate efficiently. However, this digital evolution introduces new vulnerabilities, and core business assets such as intellectual property, customer databases, payment systems, and supply chain networks are increasingly exposed, especially due to the heavy reliance on third-party service providers like cloud services and payment gateways. In an interconnected environment of millions of users, countless applications, and diverse devices, the number of possible entry points for cybercriminals multiplies. From financial institutions and fintechs to e-government platforms and online vendors, the threat is widespread and evolving rapidly.

The iShield 360 Research: mapping the regional attack surface

To better understand the region’s cyber posture, the iShield 360 Research Team conducted an in-depth assessment of the digital ecosystems in Kenya, Tanzania, Uganda, and Rwanda. The team profiled exposed systems, applications, and vulnerabilities that contribute to each country’s attack surface, the total number of entry points susceptible to cyberattacks.

Figure 1: Kenya has the highest total attack surface in terms of discovered applications and services.

Uganda, still in its early stages of digital maturity, has fewer exposed systems, about 27,250.
This lower exposure currently acts as a partial shield, but as innovation increases, the risk will rise sharply without robust security frameworks. Rwanda, with a smaller digital footprint, is taking a proactive approach. With deliberate capacity building and a security-first mindset, Rwanda is laying a strong cybersecurity foundation even as it digitalizes: a fortress built before the city grows.

When it comes to actual system compromises, Tanzania tops the list: 10,847 out of 54,330 of its systems have already been breached, nearly 20%. This highlights a major gap between digital expansion and security implementation. It’s like leaving gates wide open in a busy marketplace. Uganda follows, with 1,934 compromised systems out of 27,250, showing that even with fewer systems, targeted attacks are increasing. These breaches expose sensitive data and create opportunities for financial fraud and reputational damage.

Interestingly, Kenya, despite having the largest number of systems, has a relatively lower compromise rate of only 14%. This shows some effectiveness in its cybersecurity infrastructure, although its large surface area still poses significant risks. Rwanda stands out with just 39 compromised systems out of 13,460. This exceptional performance is due to the early adoption of strong cybersecurity measures. Rwanda shows the power of strategic planning, limited exposure, and deliberate protection.

Figure 2: Tanzania has the highest percentage of applications and systems compromised. The percentages are based on the compromised systems.
Now is the time for organizations across the region to act decisively:
Conduct regular vulnerability assessments.
Implement Zero Trust security models.
Secure third-party service connections.
Prioritize cybersecurity awareness training across leadership and technical teams.

The iShield 360 Readiness Assessment provides a practical starting point for evaluating your digital posture and addressing weaknesses before attackers can exploit them. Through penetration testing, continuous monitoring, and tailored executive training, we help build digital trust across the ecosystem. East Africa’s digital future is promising, but only if we secure it from the ground up.

This article draws on key findings from The iShield Project’s Frontline Report 2024, offering a snapshot of the region’s evolving cybersecurity landscape. For deeper insights, case studies, and recommendations: Download the PDF here. If you are interested in the full report, please contact us.
The cost of cybercrime in Uganda
Unlike other types of crime, the majority of cybercrime incidents in Uganda and the East African Community go unreported, primarily due to the affected entities’ efforts to protect their reputations. Often, victims are financial institutions entrusted with safeguarding customer deposits; they are obliged to keep customer data safe. In 2022 and 2023, the reported annual costs of cybercrime, according to the Uganda Annual Police Report, were UGX 19,193,008,000 and UGX 1,165,850,696, respectively (see Figure 16).

Figure 16: Cost of cybercrime in Uganda. Source: Annual reports of the Uganda Police Force.

Since 2016, the annual cost of cybercrime in Uganda has been in steady decline, according to data from the Uganda Police Force annual reports. 2017 saw the biggest losses; the large amount in 2017 is attributed to a suspected cyber-attack at one of the leading banks in Uganda, affecting many ecosystem players, especially aggregators and mobile money agents. Over the years, the number of cybercrime cases reported to the Uganda Police has been growing despite the decline in the actual amounts involved.

Figure 17: Reported cyber crimes and losses drastically reduced in 2021 and 2023.

Victim organizations prefer to handle incidents internally for image and brand reputation, so the true cost of cybercrime in Uganda remains elusive. While the Uganda Police Force’s 2023 annual report recorded cyber losses of UGX 1.5 billion from 245 reported cases, the iShield 360 Team’s findings paint a far graver picture: our analysis puts losses at UGX 11 billion, highlighting a substantial gap between reported and actual impacts. These are actual cases that have been handled in our
This discrepancy underscores the hidden nature of cybercrime and the difficulty in capturing its full financial toll.
The rise in the number of reported incidents signals growing awareness among victims but also points to a larger issue: the increasing sophistication and frequency of cyberattacks targeting organizations across sectors. Interestingly, while reported losses appear to have declined, the scale of damage in unreported or poorly documented cases continues to climb.

Organizations must take proactive measures to close this gap. Strengthening incident reporting, improving forensic readiness, and investing in robust cybersecurity frameworks are critical to understanding and mitigating the true costs of cybercrime. At iShield 360, we remain committed to helping organizations uncover and address these hidden threats, ensuring their defences match the ever-evolving tactics of malicious actors.

Figure 18: Estimated cost of cybercrime by the iShield 360 Team.

The Uganda Police report provides critical insights into the state of economic and cyber-related crimes, with obtaining by pretence topping the list at a staggering 10,709 reported cases. This crime is a glaring example of how deceptive practices exploit weak systems and human vulnerabilities, much like phishing attacks in cybersecurity, where attackers manipulate trust to steal sensitive information. Following this, forgery and uttering of documents account for 868 cases, a crime that mirrors the cyber realm’s struggles with identity theft and counterfeit digital credentials. Forged documents in the physical world are analogous to falsified digital certificates or stolen credentials, which can provide malicious actors with unauthorized access to systems and resources.

Figure 19: Uganda Police Force Annual Crime Report 2023.

Cyber (computer) crimes, with 245 reported cases, underscore the growing threats in Uganda’s digital landscape.
Although this number appears relatively low compared to traditional economic crimes, it highlights a critical and evolving issue: cybercriminals are capitalizing on the increasing adoption of digital technologies. Think of cyberattacks as digital termites, often unnoticed until the damage becomes extensive.

Interestingly, crimes like embezzlement (101 cases) and causing financial loss (49 cases) are not just financial issues but also cybersecurity risks. For instance, insider threats often leverage weak internal controls, much like embezzlers exploit gaps in financial oversight. Weak access management, similar to leaving cash drawers unlocked, is a common entry point for insider-related cyberattacks.

Bank and other corporate frauds (43 cases) further emphasize vulnerabilities in financial institutions. These crimes often rely on exploiting lapses in transaction monitoring systems, akin to attackers bypassing firewalls and intrusion detection systems to exfiltrate sensitive data. Cyber harassment (12 cases), though fewer in number, reflects the increasing misuse of technology for personal and professional harm. It highlights the need for stronger digital literacy and enforcement mechanisms to curb such misuse.

For cybersecurity leaders, this report is a wake-up call. It underscores the importance of adopting robust preventative measures like multi-factor authentication, regular vulnerability assessments, and employee training to close the gaps that cybercriminals exploit. Just as physical security relies on vigilant guards, cybersecurity demands constant monitoring and proactive defence. The numbers may appear disparate, but they collectively point to one conclusion: Uganda’s threat landscape is evolving, and organizations must prepare for an increasingly complex battlefield.

This article draws on key findings from The iShield Project’s Frontline Report 2024, offering a snapshot of the region’s evolving cybersecurity landscape.
For deeper insights, case studies, and recommendations: Download the PDF here. If you are interested in the full report, please contact us.
Deepfakes & AI scams: The new face of digital deception
Kampala, June 2025. A senior finance officer at a regional bank receives a Zoom call from her Group CFO. The CFO is in Nairobi, but his face is on screen. His voice is unmistakable. He urgently instructs a confidential payment of UGX 680 million to a new supplier in Nairobi. She verifies the caller ID. Matches the voice. Sees the familiar hand gestures. Approves the transaction. Two hours later, she gets an actual call from the real CFO, confused, not on Zoom, and certainly not in Nairobi. The money is gone.

What happened? She didn’t just get tricked. She got deepfaked.

Welcome to the new battlefield: Trust

Forget old-school hacking. In 2025, cybercriminals aren’t just stealing passwords. They’re stealing faces, voices, and identities, and weaponizing them. Deepfakes and AI scams have become the new face of deception, and Uganda is not immune. In fact, we are particularly vulnerable. Why?
Low awareness levels.
Overreliance on WhatsApp, Zoom, and unverified voice calls.
Absence of verification protocols beyond “I know that voice”.
And criminals know this.

What is a deepfake?

A deepfake is a synthetic media file, video or audio, generated by artificial intelligence to mimic a real person’s face or voice. Think of it as Photoshop on steroids. But instead of editing a photo, you’re fabricating reality. Want to make a politician endorse your NGO? Deepfake it. Want to trick a bank into wiring funds? Deepfake the CFO. Want to manipulate the public? Release a fake press statement, on video. The worst part? You won’t tell the difference.

The anatomy of an AI scam in Uganda

Let’s break down how a real scam unfolded in a Kampala logistics firm:
1. Data harvesting. Fraudsters scraped social media, YouTube interviews, and conference recordings to train an AI model on the CEO’s voice and face.
2. Email compromise. They hacked the CEO’s Gmail via a phishing attack disguised as a URA tax notice. Now they had access to past vendor invoices and board emails.
3. Synthetic video creation. Using tools like Synthesia and ElevenLabs, they generated a fake video of the CEO instructing an emergency transfer to a “strategic vendor.”
4. Deepfake delivery. A video file was shared via WhatsApp with the Head of Finance, marked “Confidential – Urgent”. The voice was emotional. The story plausible. The pressure real.
5. Transaction authorized. UGX 420 million was wired to a Kenyan fintech account. Within 12 minutes, it was broken into smaller chunks and laundered through mobile money agents in Busia and Kakuma.

The red flags that were missed
Urgency and secrecy. “Do not discuss this with anyone else. Just get it done.”
Slight video lag. Deepfakes often have slight inconsistencies: lip sync issues, awkward blinks, unnatural pauses.
Unusual instructions. The CEO had never requested payments directly before, but no one questioned it.

The rise of voice cloning scams

In Masaka, a businesswoman lost UGX 18 million after “her daughter” called crying and begging for money. It was not her daughter. Just 20 seconds of an Instagram video was enough for fraudsters to clone the girl’s voice and simulate distress.

What you must do now
Zero-trust culture. Even if it’s “the boss” calling, verify. Create a policy: no transaction is above verification.
Two-channel confirmation. If an instruction comes via video, confirm via SMS. If it comes via WhatsApp, confirm via call. If it comes via call, confirm via email.
Use AI to fight AI. Adopt tools that detect synthetic media, like Microsoft’s Video Authenticator or Deepware Scanner.
Train staff on voice phishing (vishing). Add deepfake drills to your cybersecurity training. Make people experience it before the real attack hits.
Monitor your digital footprint. Your voice is on that podcast? Your face in that YouTube webinar? That’s training data for your enemies. Limit exposure.

Who’s behind these scams?

We’ve seen links to cross-border fraud rings with operations in Nairobi, Lagos, and increasingly, Kampala.
At Summit Consulting, we traced one attack back to a Telegram group where fraudsters exchange deepfake templates and Ugandan bank staff data for UGX 250,000 per package. Yes. You are being bought and sold in pieces, email by email, voice clip by voice clip.

What boards and CEOs must ask immediately:
Have we done a deepfake exposure audit of our C-suite?
Do we have a no-exception verification policy for payments above UGX 5M?
Have we trained our team to spot and stop voice and video-based scams?
Are we running AI red team simulations to test response reflexes?

Case study: How a fraud was averted using a password, not on a system, but in speech

A leading telecom company in Uganda now uses verbal passphrases in every financial video call. When the CFO needs to issue a payment instruction, he always includes the words: “Pineapples and power cables.” That’s the internal signal. Anything without it is fake. It may sound silly. But it’s worked.

Final word from Mr Strategy: The world has entered the era where reality is programmable. Truth is now something you verify, not just trust. In the old world, criminals needed to impersonate your boss physically. Today, they generate him, in HD, with perfect voice tone and facial expressions. Your firewall won’t save you. Only vigilance will.

Need help stress-testing your team against deepfakes and AI scams? Summit Consulting offers synthetic media simulation drills, AI scam red-teaming, and digital risk assessments tailored for Uganda. Book your simulation now: www.summitcl.com

Don’t wait to be fooled. Train to detect. Prepare to defend. Because in this new world, seeing is no longer believing.
How to build a risk-aware culture in your organization
The popular saying goes: “Culture eats strategy for breakfast.” And when it comes to risk, culture doesn’t just eat your strategy; it leaks your passwords, signs off bogus deals, and buries red flags under a carpet of silence. So how do you stop that? How do you build a culture where every employee thinks like a risk manager? Let’s dive in. This isn’t a textbook answer. This is war-room advice. Because in today’s Uganda, your biggest risk is not knowing what’s walking out your door, or into your systems.

Start with this truth: risk is not the job of Internal Audit or the Risk Manager

It’s the job of everyone, from the receptionist to the CEO. The boda guy who tailgates your CFO knows this. The fraudster calling “pretending to be URA” knows it. But inside your company? People still say, “That’s not my job.” That mindset is the virus. Culture is the cure.

Step 1: Make risk personal

People don’t care about frameworks. They care about stories. Tell the story of the accounts assistant who lost her job after unknowingly paying a fake supplier. Show the case of the NGO that lost UGX 2.4 billion because one USB stick infected their network. Explain how one weak password gave hackers access to payroll. When risk becomes real, people change.

Step 2: Use visible leadership

Culture cascades from the top. If your EXCO doesn’t walk the talk, forget about the staff. Is your CEO on WhatsApp groups sharing unverified links? Are directors exempt from cyber drills? Does finance override controls “because the MD said so”? Fix that first. At Summit Consulting, we audit culture before we audit controls. Because we’ve learned this: people don’t do what’s written. They do what’s tolerated.

Step 3: Define your “Risk Culture Anchors”

These are 5–7 core behaviours you embed across the organization. Think of them as your cultural commandments. Here’s an example set for a Ugandan SME (anchor and description):
1. Own the risk: Don’t wait for the audit. If you see a gap, say it.
2. Pause before you act: Don’t click. Don’t pay. Don’t sign unless verified.
3. Escalate without fear: No retaliation for whistleblowing. Truth > hierarchy.
4. Data is sacred: Lock devices. Use strong passwords. Respect privacy.
5. Ask “what if?”: Before any project or decision, think risk first.
6. Challenge nicely: Encourage “dissent with respect” in meetings.
7. Speak up early: Problems grow in silence. Raise the flag early.

Step 4: Integrate risk into daily rituals

Culture grows from repetition.
Add “any risks today?” to morning stand-ups.
Make “risk impact” a section in all reports.
Recognize and reward staff who escalate threats early.
Include a risk-focused question in every performance review.
You don’t need a new department. You need new habits.

Step 5: Run “Red Team” exercises

This is where you simulate an incident and test the organization’s reflexes.
Send a fake phishing email to all staff. See who clicks.
Leave a USB in the staff canteen. Who plugs it in?
Have a third party pretend to be a vendor and try to get paid.
Then review what failed, not to punish, but to learn. At Summit, we call this “stress-testing the culture.” It reveals what policies can’t.

Step 6: Flip the language

Stop talking in audit jargon. Talk in human language.
Old way: “Update the risk register.” Risk-aware way: “List what could go wrong in this project.”
Old way: “Evaluate inherent and residual risk.” Risk-aware way: “How bad is the risk now, and after controls?”
Old way: “Report control failures.” Risk-aware way: “What slipped through the cracks?”
Plain English builds risk fluency. Fluency builds ownership.

Step 7: Measure what matters

Don’t just measure risks. Measure risk behaviour.
Metric, and why it matters:
% of staff who reported a phishing attempt: shows alertness.
Number of near-misses reported per month: indicates psychological safety.
Number of risk discussions in team meetings: shows risk is part of work, not an extra.
Number of senior leaders who model risk behaviour: signals tone from the top.

The company that turned its mess into a model

A mid-sized Ugandan distributor faced a UGX 870 million fraud: duplicate payments, fake vendors, and insider collusion. Their solution? Not just controls, but culture repair.
Every team now has a monthly “risk huddle.”
They gamified risk awareness: the best alert wins lunch.
Leaders share one personal risk mistake in every town hall.
Result? Fraud attempts are still there, but detection has tripled. Staff morale has risen. External auditors reduced the control risk rating by 40%.

You don’t rise to the level of your controls. You fall to the level of your culture. If your culture rewards silence, punishes whistleblowers, tolerates shortcuts, and exempts leaders, no risk framework will save you. But if your culture trains reflexes, celebrates escalation, and makes risk part of your DNA, then you’ve built your fortress. Not a paper policy. Not a checklist. But a living, breathing, risk-aware tribe.

Want help embedding a risk-aware culture in your organization? Summit Consulting offers customized culture transformation programs, red team simulations, and board risk coaching sessions. Book a strategy call today: www.summitcl.com

Risk isn’t going away. But with the right culture, neither are you.
The Human Firewall: Training staff as your first line of defense
There’s no patch for human error. You can spend billions on the latest firewall, deploy AI-powered threat detection, and encrypt every byte of data in your system, but if your staff clicks on the wrong link, it all crumbles like a house of cards. Welcome to the frontline of cybersecurity: not the SOC, not your firewall, but your people.

The weakest link, or your greatest asset?

Ask any hacker, and they’ll tell you the truth: humans are easier to hack than machines. Phishing attacks don’t need to brute-force passwords; they need curiosity. Social engineering doesn’t exploit system flaws; it exploits trust. Ransomware doesn’t walk in through the server room; it strolls in through your receptionist’s inbox. In over 90% of cyber breaches globally, human error is involved. In Uganda, recent financial sector cases revealed staff unknowingly exposing login credentials through spoofed emails and WhatsApp messages. The criminals didn’t bypass firewalls; they bypassed awareness. So what’s the solution?

Build a human firewall, not just a technical one

The human firewall is your trained, vigilant, cyber-aware workforce. It’s your receptionist who knows that an invoice from an unknown supplier is suspicious. Your finance officer who calls to confirm before changing payment instructions. Your IT admin who doesn’t reuse passwords across platforms. It’s the cultural shift from “IT’s job” to “everyone’s job.”

5 principles of a strong human firewall

1. Cybersecurity is behavioural, not technical. Training must focus on habits, not just knowledge. It’s not enough for staff to “know” what phishing is; they must develop a reflex to pause, question, and verify.
2. Make it local and real. Generic e-learning won’t cut it. Use real Ugandan case studies. Show how a fraudster impersonated a known supplier via email and walked away with UGX 80M. Context creates relevance. Relevance creates retention.
3. Repeat until it sticks. Cyber awareness isn’t a one-off training during induction.
It’s a culture: weekly tips, monthly drills, fake phishing tests, team leader reminders. Frequency fights forgetfulness.
4. Reward alertness. Celebrate the staff who report suspicious emails. Make them heroes. Build a badge system. You don’t just want compliance, you want champions.
5. Executive role modelling. When the CEO falls for a scam, so will the staff. Cyber hygiene must start from the top. Leaders must lead by example: strong passwords, VPN usage, MFA enabled.

Anatomy of an effective human firewall training program

1. Cyber drills. Simulated phishing attacks to test staff response. Example in Uganda: Ugandan cyber researchers once ran a fake email titled “UNRA Contract Award Notice”; over 60% clicked. Those who reported it were recognized.
2. Dark web awareness. Teaching staff about data leaks and online identity threats. Example in Uganda: show staff how compromised work emails are sold for UGX 15,000 on Telegram groups.
3. Role-based training. Custom sessions for departments: finance, HR, IT. Example in Uganda: HR learns about fake CV malware, finance learns about CEO fraud.
4. Incident response workshops. What to do when a breach happens. Example in Uganda: use roleplay: “The CFO clicked on a link. What do you do?”
5. Policy and procedure refreshers. Quarterly reminders of acceptable use, data handling, and escalation channels. Example in Uganda: include WhatsApp group etiquette and device security.

Common red flags every staff member must know
Urgent emails demanding payment changes, especially on a Friday evening.
Emails that say “Click here to confirm your salary.”
Login pages that look slightly “off” but mimic known portals.
SMS requests from “the CEO” to buy airtime or send mobile money.

Tools to support the human firewall
Password managers to avoid reusing passwords.
Multi-factor authentication (MFA) on all critical systems.
Endpoint protection with behaviour-based detection.
Simulated phishing platforms like KnowBe4 or custom ones built by Summit Consulting. How a bank saved UGX 1.2 billion In 2023, a mid-tier Ugandan bank was targeted in a Business Email Compromise (BEC) scheme. The fraudster mimicked a known supplier and sent a modified invoice. The finance assistant almost paid it. But thanks to recent human firewall training, the staff paused. She noticed the sender’s domain was off by one letter. She called the supplier. The invoice was fake. The cost of the training? UGX 18M. The fraud averted? UGX 1.2B. Return on security awareness: 6,566% You can’t firewall stupidity. But you can train vigilance. Cybersecurity is no longer about tech; it’s about trust, reflex, and culture. And the cheapest, most powerful firewall you’ll ever invest in is already on your payroll. Don’t let your staff be the breach. Train them to be the defense. We remain, iShield 360 Cybersecurity, a department of Summit Consulting Ltd Need help building your human firewall? Summit Consulting offers Uganda-specific cybersecurity awareness programs, phishing simulations, and board briefings. ️ Book your organization’s training now: https://forensicsinstitute.org/ Your next breach won’t come from a hacker; it will come from an unsuspecting click. Let’s make sure that click never happens.
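The “domain off by one letter” check the finance assistant did by eye can also be done by the mail gateway or a finance-team script. The code below is an added example, not from the article or from Summit Consulting; the supplier allow-list, the homoglyph pairs and the sample inbox are constructed for illustration.

```python
"""Flag sender domains that sit a character or two away from a known supplier's
domain (the BEC pattern in the bank case). Added example; all data is constructed."""

# Constructed allow-list: domains of suppliers the finance team actually pays.
KNOWN_SUPPLIER_DOMAINS = {"kampala-supplies.co.ug", "eastafricalogistics.com"}

# Single characters that look alike in many fonts. A swap between them costs 0,
# so "kampa1a-supplies.co.ug" is still matched to the real supplier, not treated as new.
HOMOGLYPHS = {("l", "1"), ("1", "l"), ("o", "0"), ("0", "o"), ("i", "l"), ("l", "i")}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance in which homoglyph substitutions are free."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            sub = 0 if ca == cb or (ca, cb) in HOMOGLYPHS else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + sub))
        prev = cur
    return prev[-1]


def check_sender(address: str, known=KNOWN_SUPPLIER_DOMAINS, max_distance: int = 2) -> dict:
    """Classify the sender's domain as 'known', 'lookalike' (within max_distance of a
    known supplier domain) or 'unknown' (a genuinely unrelated domain)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in known:
        return {"domain": domain, "verdict": "known", "closest": domain, "distance": 0}
    closest = min(known, key=lambda k: edit_distance(domain, k))
    dist = edit_distance(domain, closest)
    verdict = "lookalike" if dist <= max_distance else "unknown"
    return {"domain": domain, "verdict": verdict, "closest": closest, "distance": dist}


# Constructed inbox: (sender, subject). Only the lookalikes need a phone call.
INBOX = [
    ("accounts@kampala-supplies.co.ug", "Invoice 2291"),
    ("accounts@kampala-suplies.co.ug", "URGENT: updated bank details for Invoice 2291"),
    ("billing@kampa1a-supplies.co.ug", "Invoice 2292"),
    ("friend@gmail.com", "Lunch?"),
]


def needs_callback(inbox=INBOX) -> list:
    """Senders whose domain mimics a supplier. These get verified by phone, using the
    number on the supplier record, never a number taken from the email itself."""
    return [addr for addr, _ in inbox if check_sender(addr)["verdict"] == "lookalike"]
```

A swapped top-level domain (for example `.com` in place of `.co.ug`) scores above the distance cutoff here and lands in “unknown”, so an unknown sender on an invoice still deserves the same phone call.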
Is conducting IT Audit necessary when you have adequate security controls in place?
Cyber-crime is increasing in both number and sophistication across industries worldwide. As governing bodies step up to help organizations mitigate prevailing attack techniques, it remains evident that no enterprise can be 100% immune to the expanding threat landscape. That said, businesses should be proactive in addressing potential threats and possible attacks and have an effective cybersecurity strategy in place. An IT security audit can be helpful in such scenarios. It is for the same reason that organizations should conduct audit assessments to determine whether their cybersecurity posture is up to scratch and whether the organization is meeting the requirements of security standards. Different assurance activities (gap analysis, risk assessment, and various IT tests) should be carried out; they are fundamentally important for continual security improvement and assurance for the organization.

What is an IT Security Audit?

An IT security audit is an evaluation process that assesses an organization’s established security practices. It determines the effectiveness of the defence systems implemented against threats to information systems and company assets. The IT security audit combines vulnerability scans of business information systems, applications and processes, penetration testing, network assessments, and more, which together help determine vulnerabilities and/or entry points in the IT systems. The audit covers administrative processes, physical security (hardware), software applications, and network assessment. This way, the evaluation process helps a company or organization understand its current security posture.

Case scenario: Even organizations that are low on the maturity scale have often implemented key controls that are necessary as the first line of defence. However, these organizations may not have planned their systems implementation and configuration with comprehensive identification and installation of cyber defences according to a formal, recognized framework. For example, organizations may implement a firewall, IDS/IPS systems, and antivirus software, and might have conducted some user security awareness sessions on common cyber-attack techniques and on making proper backups. Each of these practices, and the related controls, serves an important purpose in protecting information assets at any organization. However, the same organization may not have paid adequate attention to assurance:

- firewall rules may not be adequate, or may not be updated regularly;
- antivirus software may not be installed on all workstations, or may not contain the latest malicious signatures (i.e., unique and identifiable malicious code);
- users may connect unmanaged devices to corporate company networks;
- end-users who were on leave may have missed security awareness training.

Why your organization needs regular security audits

An information security audit is an evaluation process that helps organizations identify vulnerabilities and security risks in their IT ecosystem. Risk exposure does not just impact the security of systems and infrastructure but also affects overall business operations. Information security is not just about IT security, but also about information and data security. Below are the reasons why we recommend regular information security audits for every organization that wants to stay secure and compliant.

1. Gain independent assurance on the security posture of the organization’s information systems. Through conducting audits, organizations gain clarity on their current security posture. Reports from the assessment will indicate whether or not the organization’s information systems security is effective against threats. The organization gains a better understanding of its internal and external IT practices and systems. The report details a list of findings, highlighting areas of high risk, and recommends solutions on how to fix them. The report will further guide businesses to improve their security policies, procedures, controls, and practices.

2. Protect IT systems and infrastructure against attacks. The assessment helps organizations identify weaknesses in systems and key processes and discover potential entry points and security flaws that attackers may exploit to gain access to critical organizational systems and networks. The audit exercise keeps a regular check on the effectiveness of security measures, which in turn keeps valuable data safe.

3. Verify compliance. Regulatory and governing bodies around the world have established strong security measures, requirements, and standards for businesses to adhere to, for protection against prevailing cybersecurity threats. Organizations are expected to ensure compliance with these standards and provide evidence of it. To this end, an information security audit helps organizations stay compliant. Conducting regular audits helps the organization determine whether or not it has adequate measures in place to achieve compliance against the various security standards and certifications, and gives it direction towards implementing those measures. The information security audit verifies whether the organization is compliant with standards and industry best practices set by the top regulatory bodies globally.

4. Evaluate the security of data flow. Through an information security audit, organizations gain insight into the security of their critical and sensitive data both in transit and at rest. The audit not only checks the security of systems and networks but also the security of business-critical data. Data is today an essential asset of any organization, and given the value it holds, securing data is every organization’s top priority. So, an audit assessment determines the effectiveness and security of the data flow throughout the organization. Furthermore, the findings in the report help organizations lay the groundwork for any improvement or enforcement of security in the network. This helps establish strong security measures against attacks and data breaches.

Conclusion. To this end, even when there are robust controls in place, the organization must regularly conduct (independent) audits to ensure these processes are well-designed, are executing properly, and are meeting senior management and business needs.
Have you established an Attack Surface Management (ASM) for your organization?
Gartner’s report ‘Innovation Insight for Attack Surface Management (ASM)’ covers the growing need faced by security teams to manage an expanding attack surface. In its ‘Top Trends in Cybersecurity 2022’, Gartner reports that security and risk management leaders ‘anticipate the continuous expansion of the enterprise attack surface, and increase investment in processes and tools…’ Gartner advises that, going forward, organizations:

- Rethink their security technology stack to address sophisticated new threats.
- Push cybersecurity decision making out to the business units to improve their security posture.
- Evolve and reframe the security practice to better manage cyber risk.

Given the evolving nature of technology adoption, attack surfaces for business enterprises are expanding. Technology risks associated with the use of IoT, open-source code, cloud applications, any internet-facing systems, complex digital supply chains, social media and more have led to the exposure of organizations’ surfaces. The growth of containerization, SaaS applications and the hybrid workforce have all led to an expansion, and to the development of new attack surfaces to identify and protect. Enterprises must look beyond traditional approaches to security monitoring, detection and response to manage a wider set of security exposures.

What Is ASM?

Attack Surface Management (ASM) is the continuous discovery, inventory, classification, prioritization, and monitoring of an organization’s attack surface from an external attacker’s perspective. This emerging cybersecurity technology helps organizations identify internet- and attacker-exposed IT assets and monitor them for unexpected changes and vulnerabilities (i.e., blind spots, misconfigurations, process failures) that increase the risk of attacks. Seen from the external attacker’s perspective, security teams can more easily prioritize those assets for remediation based on how attackable they are. The increase in ransomware and supply chain attacks, along with recommendations by analysts like Gartner, has made ASM one of the top cybersecurity priorities for CISOs and security teams in recent times. Attack Surface Management (ASM) is also referred to as External Attack Surface Management (EASM). Another emerging technology is Cyber Asset Attack Surface Management (CAASM), which helps security teams solve persistent asset visibility and vulnerability issues.

What Is an Attack Surface?

The attack surface is all of an organization’s internet-accessible hardware, software, SaaS, and cloud assets that an adversary could discover, attack, and use to breach the company.

Why should you consider having ASM in your company’s cybersecurity program?

Given the volatile landscape and the evolution of both threat types and threat vectors, the organization needs threat intelligence insights to stay ahead of attackers and fortify its critical assets more than ever. The following are some of the key benefits that make ASM worth including in your cybersecurity program:

- Find unknowns and prioritize top targets. With an ever-changing attack surface, it’s impractical to keep track of all targets. External ASM allows the organization’s security team to focus on the assets that attackers could weaponize, reducing operational noise.
- Harden and reduce your attack surface. Knowing what’s exposed to threats also enables the security team to secure the top assets, successfully hardening and reducing the attack surface in line with the company’s security best practices.
- Strengthen your cybersecurity posture. With ASM continuously monitoring the attack surface for new technology changes and vulnerabilities, the security team and the company get better at predicting and preventing cyber threats.

Conclusion

The tangible benefits of ASM to organizations help security leaders with important insights, prioritization and a reduction in team workload. CAASM and ASA tools help to align security, IT and GRC teams by providing a unified view of assets, cyber-risk and business applications. This creates better organizational alignment and focuses on delivering key cyber objectives. Another critical benefit is the concept of actionable intelligence. This is where automation is critical. Security leaders need CAASM & ASA tools to solve problems, not just highlight them; visibility alone is not enough. To be continued…
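The discover, inventory, classify and prioritize loop described above, reduced to its core: compare what an external scan actually sees against the approved inventory, then rank the unexpected and the changed exposures. This is an added example, not from Gartner or any ASM product; the hostnames, the scan result and the service risk weights are constructed.

```python
"""Minimal ASM triage step: diff a discovery scan against the approved inventory
and score the findings. Added example; all asset data below is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str
    tls_expired: bool = False


# Constructed approved inventory: what IT believes is exposed to the internet.
APPROVED = {
    Exposure("www.example.org", 443, "https"),
    Exposure("mail.example.org", 25, "smtp"),
    Exposure("vpn.example.org", 443, "https"),
}

# Constructed result of today's external discovery scan.
DISCOVERED = {
    Exposure("www.example.org", 443, "https"),
    Exposure("mail.example.org", 25, "smtp"),
    Exposure("vpn.example.org", 443, "https", tls_expired=True),  # certificate lapsed
    Exposure("dev-api.example.org", 8080, "http"),                # forgotten test system
    Exposure("files.example.org", 21, "ftp"),                     # plaintext file transfer
    Exposure("old-db.example.org", 3306, "mysql"),                # database directly exposed
}

# Assumed base risk per service; databases and remote admin should never face the internet.
SERVICE_RISK = {"mysql": 9, "rdp": 9, "smb": 9, "telnet": 9, "ftp": 7, "http": 5, "smtp": 3, "https": 1}


def classify(discovered=DISCOVERED, approved=APPROVED):
    """Split the scan into (unknown, changed, missing) relative to the approved inventory."""
    approved_by_key = {(e.host, e.port): e for e in approved}
    discovered_by_key = {(e.host, e.port): e for e in discovered}
    unknown = [e for k, e in discovered_by_key.items() if k not in approved_by_key]
    changed = [e for k, e in discovered_by_key.items()
               if k in approved_by_key and e != approved_by_key[k]]
    missing = [e for k, e in approved_by_key.items() if k not in discovered_by_key]
    return unknown, changed, missing


def score(e: Exposure, known: bool) -> int:
    """Higher is worse. Unknown assets get a premium: nobody is patching what nobody owns."""
    s = SERVICE_RISK.get(e.service, 5)
    if not known:
        s += 3
    if e.tls_expired:
        s += 2
    if "dev" in e.host or "old" in e.host:   # naming hints at an orphaned system
        s += 1
    return s


def prioritized(discovered=DISCOVERED, approved=APPROVED):
    """Findings as (score, exposure), worst first, for the remediation queue."""
    unknown, changed, _ = classify(discovered, approved)
    findings = [(score(e, False), e) for e in unknown] + [(score(e, True), e) for e in changed]
    return sorted(findings, key=lambda f: (-f[0], f[1].host))
```

Anything in the `missing` bucket (approved but no longer seen) deserves a look too: it is either decommissioned, which the inventory should reflect, or the scan lost coverage.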
Why your fraud investigations are still stuck in the stone age (and how AI & Data Analytics are fixing it)
Dear Assurance Manager,

Let me pull back the curtain on a real case. A financial institution processed over 300 mobile money withdrawals from dormant accounts within 48 hours. Each withdrawal was small enough to fly under the manual threshold radar. Internal audit flagged it weeks later during their quarterly routine. Too late. The money was long gone, the insiders who coordinated it had vanished, and management had to scramble for explanations.

Typical scenario, right? Here is how it plays out. Most fraud investigations today are reactive, painfully slow, and entirely reliant on hindsight. You audit after the damage. You manually review transactions after suspicious behaviour has already cascaded. You are fighting yesterday’s battle. That is not how fraud works anymore. The game has changed. AI and data analytics are flipping the script. The banks winning the fraud war aren’t waiting for audit cycles; they are using real-time AI models and predictive data insights to hunt fraud before it even matures. Let me show you how.

Case closed BEFORE fraud even matures: use cases of AI & analytics

Pattern recognition beyond human capacity

AI systems analyze millions of data points across accounts, devices, transactions, and behaviour logs. They find micro-patterns humans cannot:

- Multiple small transactions designed to avoid thresholds? Flagged instantly.
- Same mobile phone IMEI used across different account holders? AI picks it up.
- The same device used to approve loan applications and process disbursements? A suspicious link is spotted.

The outcome: fraudulent chains are broken early, before funds vanish.

Network analysis busting insider collusion

Let us stop pretending insiders always act alone. AI-powered link analysis tools visualize hidden relationships between employees, vendors, and customers. Example: a loan officer approves three different loans, all backed by collateral verified by the same third-party vendor, and all default within months. AI maps this and reveals the unusual ties. The investigation starts before the defaulted loans pile up.

Natural Language Processing (NLP) for document tampering

Forget manual document reviews. AI systems with NLP scan submitted land titles, business registration documents, and IDs, comparing them against known templates:

- Slight font inconsistencies? AI detects them.
- Metadata manipulations? AI catches them.
- Same photo used in different applications? AI flags it.

Fraudulent paperwork does not make it past the gate.

Employee behaviour analytics

Your biggest threat is not always external. AI models track login patterns, approval speed, and override frequency: an employee logging in at odd hours to access dormant accounts? Repeatedly overriding KYC protocols? AI builds risk scores per staff member. Suspicious trends bubble up. You do not need to wait for whistleblowers.

Predictive risk scoring: do not just look backwards

Here is where data analytics truly shines. You stop looking at past fraud cases and start predicting who might commit fraud next. Example: customers opening multiple accounts, maintaining low balances, then suddenly requesting large loans? Vendors repeatedly late in delivering services, yet requesting advance payments? Your systems predict risk instead of reacting to loss.

The real shift: stop investigating fraud like it’s 1999

Here is my challenge to you: How many cases is your institution investigating weeks after the fraud? How many could be prevented if you applied AI and analytics now, not after the fact? AI does not replace investigators. It turns them into hunters, not janitors cleaning up messes.

Actionable next steps:

- Integrate real-time AI pattern recognition in transaction monitoring.
- Assign your data team to implement link analysis to expose insider collusion.
- Equip fraud investigators with dashboards powered by predictive analytics.
- Automate document verification using NLP tools.
- Make employee behaviour analytics part of monthly risk reporting.
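Two of the pattern checks above, the sub-threshold withdrawals from dormant accounts in the opening case and the shared IMEI, need no machine learning at all to run in real time; they are rule-based analytics over the transaction feed. The code below is an added illustration, not from the Institute or any bank; the threshold, window and dormancy period are assumptions and every transaction record is constructed.

```python
"""Rule-based fraud analytics over a mobile money withdrawal feed. Added example;
the records and the limits below are constructed, not taken from a real institution."""

from collections import defaultdict
from datetime import datetime, timedelta

MANUAL_THRESHOLD = 500_000          # UGX; assumed: single withdrawals below this skip manual review
WINDOW = timedelta(hours=48)        # look for clusters inside this span (matches the case above)
MIN_COUNT = 3                       # sub-threshold withdrawals in one window before alerting
DORMANT_AFTER = timedelta(days=180) # assumed dormancy definition

# Constructed records: (account, withdrawal time, amount, device IMEI, last customer activity)
TXNS = [
    ("ACC001", "2024-03-01 09:00", 450_000, "IMEI-A", "2023-06-10"),
    ("ACC001", "2024-03-01 11:30", 480_000, "IMEI-A", "2023-06-10"),
    ("ACC001", "2024-03-02 08:15", 470_000, "IMEI-A", "2023-06-10"),
    ("ACC002", "2024-03-01 10:00", 400_000, "IMEI-A", "2023-05-02"),
    ("ACC002", "2024-03-01 15:00", 420_000, "IMEI-A", "2023-05-02"),
    ("ACC003", "2024-03-01 12:00", 300_000, "IMEI-B", "2024-02-20"),  # active account
    ("ACC003", "2024-03-03 12:00", 900_000, "IMEI-B", "2024-02-20"),  # above threshold anyway
]


def parse(rows):
    """Turn the raw tuples into typed records."""
    return [(acct, datetime.strptime(ts, "%Y-%m-%d %H:%M"), amt, imei,
             datetime.strptime(last, "%Y-%m-%d")) for acct, ts, amt, imei, last in rows]


def structuring_alerts(rows=TXNS) -> dict:
    """Dormant accounts with >= MIN_COUNT sub-threshold withdrawals inside any WINDOW.
    Returns {account: withdrawals in the densest window}."""
    by_acct = defaultdict(list)
    for acct, ts, amt, _, last in parse(rows):
        if amt < MANUAL_THRESHOLD and ts - last >= DORMANT_AFTER:
            by_acct[acct].append(ts)
    alerts = {}
    for acct, times in by_acct.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= MIN_COUNT:
            alerts[acct] = best
    return alerts


def shared_device_alerts(rows=TXNS, min_accounts: int = 2) -> dict:
    """IMEIs that transact for more than one account holder: {imei: sorted accounts}."""
    accounts_by_imei = defaultdict(set)
    for acct, _, _, imei, _ in parse(rows):
        accounts_by_imei[imei].add(acct)
    return {imei: sorted(accts) for imei, accts in accounts_by_imei.items()
            if len(accts) >= min_accounts}
```

ACC002 alone stays under the count limit, but the shared-device rule ties it to ACC001; in practice the two alerts are joined into one case, which is the link analysis the letter describes.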
If your fraud team’s biggest tool is Excel, you’ve already lost. Change the playbook. Let AI do the heavy lifting.

Yours in strategy,
Mr Strategy
Institute of Forensics & ICT Security