Last year, during a routine advisory assignment, I walked into a SACCO that believed it had strong cybersecurity. The board had approved a budget for antivirus software. Staff attended annual security training. The IT manager proudly showed me a firewall dashboard glowing with green indicators.
Everything looked safe until the finance system stopped working. Invoices would not load, and files refused to open. Staff thought it was a temporary network issue. But by midday, a message appeared on the screen of nearly every employee: "Your files are encrypted." The organisation had just become another victim of a cyber-enabled fraud and ransomware operation that had quietly entered its systems weeks earlier.
No alarms had gone off, so no one noticed. That moment is where cyber resilience begins, not in theory, not in policy manuals, but in the painful realization that the threat is already inside most organisations long before anyone detects it.
Let me take you through what happened. Four weeks before the attack, an email arrived in the inbox of a finance officer. The officer was a young professional with glasses and a calm personality, someone trusted in the office because she rarely made mistakes.
The email looked routine and came from what appeared to be a supplier requesting an updated invoice template. The message contained a document attachment labelled “payment schedule”.
When the officer opened it, nothing happened. She assumed the file was empty and moved on. But what actually happened was invisible. A small script executed in the background and created a connection between the organisation’s computer network and an external command server controlled by the attacker. That was the first door.
Key observations
1. The entry point was not sophisticated hacking; it was a normal email attachment.
2. The attacker gained a small foothold inside the network without raising suspicion.
3. The malware waited quietly for instructions rather than causing immediate disruption.
4. Most security systems ignored the activity because it looked like normal network traffic.
This is a critical point. During training, I ask participants to form groups of three. One person plays the employee receiving the email, another plays the attacker, and the third plays the IT manager. Each group has five minutes to explain what they would notice first and what they would miss. The discussion usually reveals how easily such attacks bypass normal attention.
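The "payment schedule" attachment and the supplier it claimed to come from are the two things a mail gateway or a careful first-line check can test before anyone opens the file. The following is an added example, not code from the original article or from the Institute: it triages an inbound message by flagging attachment types that can execute code, double extensions, and a sender whose display name matches a known supplier but whose domain does not. The message records, the supplier allow-list and the field names are constructed assumptions.

```python
"""Inbound attachment and sender triage (added example, constructed data)."""
import os
import email.utils

# Extensions that can run code when opened (assumption: extend this set to
# match your own mail gateway policy).
EXECUTABLE_EXTS = {".docm", ".xlsm", ".pptm", ".js", ".vbs", ".hta",
                   ".exe", ".scr", ".lnk", ".iso"}
# Extensions that look like plain documents; a script hidden behind one of
# these (report.pdf.exe) is a double extension.
DOCUMENT_EXTS = {".pdf", ".docx", ".xlsx", ".txt"}

# Constructed allow-list: supplier display name -> the domain it really uses.
KNOWN_SUPPLIERS = {"Acme Stationers": "acme-stationers.example"}


def attachment_flags(filename):
    """Return human-readable flags for one attachment name."""
    flags = []
    root, ext = os.path.splitext(filename.lower())
    if ext in EXECUTABLE_EXTS:
        flags.append(f"attachment can execute code ({ext})")
    inner_ext = os.path.splitext(root)[1]
    if inner_ext in DOCUMENT_EXTS and ext not in DOCUMENT_EXTS:
        flags.append(f"double extension {inner_ext}{ext}")
    return flags


def sender_flags(from_header, reply_to=None):
    """Flag a display name that impersonates a known supplier, and a
    Reply-To that silently redirects the conversation elsewhere."""
    flags = []
    display, addr = email.utils.parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    expected = KNOWN_SUPPLIERS.get(display)
    if expected and domain != expected:
        flags.append(f"display name '{display}' but domain {domain} "
                     f"(expected {expected})")
    if reply_to:
        _, reply_addr = email.utils.parseaddr(reply_to)
        if reply_addr.rsplit("@", 1)[-1].lower() != domain:
            flags.append(f"reply-to goes to {reply_addr}")
    return flags


def triage(message):
    """Combine sender and attachment checks for one message record."""
    flags = sender_flags(message["from"], message.get("reply_to"))
    for att in message.get("attachments", []):
        flags += attachment_flags(att)
    return flags


# Constructed sample messages: a genuine supplier invoice, then a message
# shaped like the one in the article.
SAMPLE_MESSAGES = [
    {"from": "Acme Stationers <accounts@acme-stationers.example>",
     "attachments": ["October invoice.pdf"]},
    {"from": "Acme Stationers <accounts@acme-stationers-billing.example>",
     "reply_to": "updates@mail-relay.example",
     "attachments": ["payment schedule.docm"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", triage(msg) or "no flags")
```

The point of the allow-list check is that the name in the From header is free text; only the domain behind it can be compared against what the supplier actually uses. A message that trips any flag should be held for review rather than delivered to the finance inbox.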
The quiet expansion
Once inside the system, the attacker did not rush. This is where many people misunderstand cybercrime. Bollywood films show dramatic attacks; real attackers behave like patient auditors, and they explore. The attacker quietly mapped the network, checking which machines had administrative privileges and which servers contained financial records.
During the investigation, system logs revealed repeated login attempts late at night. These attempts were not random; they were deliberate steps to escalate privileges.
Eventually, the attacker discovered an administrator account whose password had not been changed in two years, which was the second door.
Key observations to note:
1. Cyber attackers often move slowly to avoid detection.
2. Weak password practices remain one of the most common security failures.
3. Administrative accounts provide access to large parts of the network.
4. Attackers rely on legitimate system tools to avoid triggering alarms.
Take a few minutes and list every account in your organisation that has administrator privileges. Most participants realise they cannot answer immediately. That moment of silence is always revealing. Can you answer this question? Do you know how to check your laptop to determine whether you have user or administrator privileges?
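Both questions in the exercise above can be answered with a short audit: which enabled accounts sit in an administrator group, which of those have a password older than your policy allows (the second door in the story was an administrator password unchanged for two years), and whether the account you are logged in with right now is privileged. The following is an added example, not code from the original article or the Institute. The account inventory is constructed sample data; in practice it would be exported from your directory or local accounts, and the group names and the 90-day threshold are assumptions to adjust to your own policy.

```python
"""Privileged-account audit (added example, constructed sample data)."""
from dataclasses import dataclass
from datetime import date
import ctypes
import os
import sys

# Group names that confer administrative rights (assumption: adjust to your
# environment, e.g. add your own delegated admin groups).
ADMIN_GROUPS = {"Administrators", "Domain Admins", "sudo", "wheel"}

# Date the constructed audit is run on; fixed so results are reproducible.
AUDIT_DATE = date(2025, 11, 20)


@dataclass(frozen=True)
class Account:
    username: str
    groups: frozenset
    last_password_change: date
    enabled: bool = True


def privileged_accounts(accounts):
    """Enabled accounts that belong to at least one administrator group."""
    return [a for a in accounts if a.enabled and a.groups & ADMIN_GROUPS]


def stale_privileged_accounts(accounts, today, max_age_days=90):
    """(account, password_age_days) for admin accounts whose password is
    older than max_age_days, oldest first. 90 days is an assumed policy
    value, not a figure from the article."""
    findings = []
    for a in privileged_accounts(accounts):
        age = (today - a.last_password_change).days
        if age > max_age_days:
            findings.append((a, age))
    return sorted(findings, key=lambda f: f[1], reverse=True)


def current_user_is_admin():
    """Does the user running this script hold administrator rights?
    Windows: ask the shell. POSIX: effective UID 0 means root."""
    if sys.platform == "win32":
        try:
            return bool(ctypes.windll.shell32.IsUserAnAdmin())
        except (AttributeError, OSError):
            return False
    return os.geteuid() == 0


# Constructed inventory: one ordinary user, one current admin, one service
# account with a stale admin password, one disabled former consultant.
SAMPLE_ACCOUNTS = [
    Account("finance.officer", frozenset({"Finance"}), date(2025, 9, 1)),
    Account("it.manager", frozenset({"Administrators", "IT"}), date(2025, 10, 15)),
    Account("svc_backup", frozenset({"Domain Admins"}), date(2023, 8, 3)),
    Account("old.consultant", frozenset({"Administrators"}), date(2022, 1, 10),
            enabled=False),
]

if __name__ == "__main__":
    for acct in privileged_accounts(SAMPLE_ACCOUNTS):
        print("admin:", acct.username)
    for acct, age in stale_privileged_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"stale admin password: {acct.username} ({age} days)")
    print("current user is admin:", current_user_is_admin())
```

Disabled accounts are excluded from the findings but should still be reviewed separately, since a disabled administrator account that is later re-enabled inherits the same old password.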
The data reconnaissance
After gaining deeper access, the attacker began collecting information. File directories were scanned, email archives were reviewed, and financial spreadsheets were copied. This stage is rarely noticed because it looks exactly like normal employee activity.
In the case I mentioned earlier, investigators later discovered that over 20 gigabytes of internal documents had been quietly transferred out of the organisation’s network. The attacker now understood the organisation better than many employees. That was the third door.
From this you notice that:
1. Data theft often happens before ransomware attacks.
2. Attackers use stolen information for extortion or fraud schemes.
3. Large data transfers are rarely monitored in many organisations.
4. Internal knowledge makes later attacks far more damaging.
Now imagine you are an attacker. List the three files you would steal first from your own organisation. The answers are always revealing: financial data, payroll files, and confidential contracts. Be honest, what did you write?
The trigger moment
The ransomware attack occurred early Monday morning when employees arrived at work and attempted to log into their systems. Files refused to open, and screens displayed a simple message demanding payment. The attacker had deployed encryption software across dozens of computers simultaneously.
Investigators later determined that the attacker used the administrator account to distribute the ransomware across the network overnight. In less than ten minutes, years of organisational records became inaccessible.
You notice that:
1. Ransomware attacks are usually automated once attackers gain access.
2. Administrative privileges allow attackers to spread malware rapidly.
3. Most organisations lack tested backup recovery procedures.
4. The financial and operational impact escalates quickly.
How the breach was finally noticed
Ironically, the ransomware message was not what first alerted investigators. The real clue appeared earlier. A network monitoring tool had recorded unusual data transfers late at night. The IT officer, a quiet man with a trimmed beard who preferred analysing logs to attending meetings, had flagged the activity two weeks earlier but did not escalate it because the system did not classify it as a threat. When the attack occurred, investigators revisited those logs. The pattern suddenly made sense. The breach had been unfolding quietly for weeks.
A keen observer will note that:
1. Early warning signals often exist but are overlooked.
2. Security monitoring tools require human interpretation.
3. Small anomalies often precede large cyber incidents.
4. Organisations rarely review system logs proactively.
If you are a senior manager, ask your team when anyone last reviewed network logs manually in your organisation. You will realise it happens only after a problem occurs. Proactive threat intelligence requires real-time analysis of network logs. Now with AI, you can automate the process and have more visibility in your business.
The digital investigation
When investigators entered the case, they focused on digital evidence. Every login record, system modification, and network connection was analysed. Digital forensics works like reconstructing footprints in sand, each action leaves a trace.
Investigators traced the attacker’s movements across the network and identified the command server used to control the malware. More importantly, they discovered the initial phishing email that started the incident.
Take note that:
1. Digital investigations rely heavily on preserved system logs.
2. Email records often reveal the original entry point.
3. Network traffic analysis helps reconstruct attacker activity.
4. Evidence preservation is critical for legal proceedings.
During employee training sessions, I ask participants to review a simplified timeline of system logs and attempt to identify the moment the attacker first entered the system.
In the case above, recovery took weeks. Systems were rebuilt, backups were restored, and security controls were redesigned. But the most important change was cultural. The organisation realised cybersecurity was not only an IT responsibility but an organisational discipline involving finance teams, administrators, executives, and board members. The organisation implemented stronger authentication controls, continuous monitoring systems, and regular cybersecurity exercises. The next phishing attempt was detected within minutes. That is cyber resilience.
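The log-review exercise above, and the earlier observation that the IT officer's night-time transfer records and the late-night login attempts were the real early warning, come down to three patterns a reviewer can look for in a merged timeline: a workstation contacting one external address at a steady interval (the quiet connection to the command server), a burst of failed logins to an administrator account outside working hours, and very large outbound transfers at night. The following is an added example, not code from the original article or the Institute. It runs those three checks over a constructed timeline and returns the alerts in time order, so the first one is the candidate for "the moment the attacker first entered". The log layout, the working-hours window and the thresholds are assumptions; real input would be parsed from your own firewall, proxy and domain-controller exports.

```python
"""Simplified log-timeline review (added example, constructed log lines)."""
from collections import defaultdict
from datetime import datetime, time

# Constructed timeline. AUTH fields: result, account, host.
# FLOW fields: source host, destination, bytes sent outbound.
# 203.0.113.0/24 is a documentation range, not a real server.
SAMPLE_LOG = """\
2025-10-06 09:12:04 AUTH ok finance.officer WS-FIN-02
2025-10-06 09:12:40 FLOW WS-FIN-02 203.0.113.77:443 18200
2025-10-06 09:22:40 FLOW WS-FIN-02 203.0.113.77:443 17950
2025-10-06 09:32:41 FLOW WS-FIN-02 203.0.113.77:443 18010
2025-10-13 02:14:11 AUTH fail administrator WS-FIN-02
2025-10-13 02:14:38 AUTH fail administrator WS-FIN-02
2025-10-13 02:15:02 AUTH fail administrator WS-FIN-02
2025-10-13 02:15:30 AUTH ok administrator WS-FIN-02
2025-10-20 01:05:00 FLOW SRV-FILE-01 203.0.113.77:443 9400000000
2025-10-21 01:07:12 FLOW SRV-FILE-01 203.0.113.77:443 11200000000
2025-11-03 08:01:55 AUTH ok finance.officer WS-FIN-02
"""


def parse_log(text):
    """Turn the constructed lines into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, kind, *rest = line.split()
        ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        if kind == "AUTH":
            result, account, host = rest
            events.append({"ts": ts, "kind": kind, "ok": result == "ok",
                           "account": account, "host": host})
        elif kind == "FLOW":
            src, dst, nbytes = rest
            events.append({"ts": ts, "kind": kind, "src": src,
                           "dst": dst, "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["ts"])


def off_hours(ts, start=time(7, 0), end=time(19, 0)):
    """True outside the assumed 07:00-19:00 working day."""
    return not (start <= ts.time() < end)


def failed_login_bursts(events, threshold=3, window_s=600):
    """Off-hours runs of failed logins to one account from one host."""
    fails = defaultdict(list)
    for e in events:
        if e["kind"] == "AUTH" and not e["ok"] and off_hours(e["ts"]):
            fails[(e["account"], e["host"])].append(e["ts"])
    alerts = []
    for (account, host), times in fails.items():
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                alerts.append((times[i], "login-burst",
                               f"{threshold} failed logins to {account} from {host}"))
                break
    return alerts


def large_off_hours_transfers(events, min_bytes=1_000_000_000):
    """Outbound flows above min_bytes (assumed 1 GB) outside working hours."""
    return [(e["ts"], "large-transfer",
             f"{e['src']} sent {e['bytes'] / 1e9:.1f} GB to {e['dst']}")
            for e in events
            if e["kind"] == "FLOW" and e["bytes"] >= min_bytes and off_hours(e["ts"])]


def beacons(events, min_count=3, jitter_s=60):
    """One host reaching one destination at a near-constant interval."""
    by_pair = defaultdict(list)
    for e in events:
        if e["kind"] == "FLOW":
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    alerts = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            alerts.append((times[0], "beacon",
                           f"{src} contacted {dst} {len(times)}x, every ~{int(sum(gaps) / len(gaps))}s"))
    return alerts


def review_timeline(text):
    """All alerts in time order; the first is the entry point to study."""
    events = parse_log(text)
    alerts = beacons(events) + failed_login_bursts(events) + large_off_hours_transfers(events)
    return sorted(alerts, key=lambda a: a[0])


if __name__ == "__main__":
    for ts, kind, detail in review_timeline(SAMPLE_LOG):
        print(ts, kind, detail)
```

On the constructed data the earliest alert is the beacon from the finance workstation on 6 October, a week before the administrator login burst and two weeks before the night-time transfers that total more than 20 GB; that ordering is exactly what a reviewer is asked to find in the exercise. The small per-connection byte counts of the beacon are why a tool that only ranks by volume would classify it as normal traffic.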
Key takeaways:
1. Cyber resilience focuses on rapid detection and recovery.
2. Organisations must combine technology, governance, and training.
3. Continuous monitoring reduces the time attackers remain undetected.
4. Executive leadership must treat cybersecurity as a strategic risk.
What else leaders should know
Cybercrime today operates with the discipline of a professional business. Attackers conduct research, test systems, and exploit predictable human behaviour. But the same technology that enables cybercrime also provides powerful investigative capabilities.
Digital evidence is persistent. Every login, every file access, and every network connection creates a record somewhere. Cyber resilience, therefore, begins with one fundamental question: if an attacker entered your organisation tonight, how long would it take before someone noticed? Hours? Days? Months? Your answer reveals more about your organisation’s security than any policy document ever will.
Copyright Institute of Forensics & ICT Security, 2026. All rights reserved.