Cyberattacks do not begin with code. They begin with people. One click on a malicious email, one weak password, one moment of inattention is all it takes to set off a chain of events that can cripple an entire organisation. Contrary to popular belief, most cyber breaches are not the result of sophisticated hacking but rather simple human error, errors that are fully preventable with awareness and discipline.
This briefing outlines the typical lifecycle of a cyberattack, beginning from a single click and ending in potential disaster. It is designed to raise awareness across all staff levels and support the development of a cyber-resilient organisational culture.
Step 1: The deception (social engineering)
Every major cyberattack starts with a form of deception. The attacker does not knock down firewalls first; they knock on your inbox, disguised as someone you trust.
A common tactic is phishing: sending an email that appears to come from a colleague, vendor, or manager. These emails often contain a sense of urgency (“Payment overdue,” “Action required,” or “Security update needed”) to trigger impulsive action.
Key vulnerabilities:
- Opening attachments without verifying the source
- Clicking on links without hovering to check their destination
- Relying on sender name instead of inspecting the full email address
Step 2: The click (execution of malicious code)
Once the employee clicks on the attachment or link, malicious software is silently downloaded. This could be a keylogger, remote access trojan (RAT), ransomware, or a backdoor script.
The malware executes in the background, often without triggering any antivirus alert, especially if the organisation’s systems are outdated or improperly configured.
Common outcomes of this stage:
- Immediate compromise of the employee’s computer
- Credential harvesting (usernames and passwords recorded and sent to the attacker)
- Silent lateral movement across the network
Step 3: The breach (access and escalation)
With a foothold in the system, the attacker begins exploring. The goal is to access sensitive systems or high-level accounts (finance, HR, procurement, etc.).
In many Ugandan organisations, internal access controls are weak. All users have broad access rights, and few systems log or monitor user activity effectively.
Attackers often exploit shared passwords, poorly segmented networks, and lack of multi-factor authentication to gain elevated privileges.
Targets of interest:
- Bank account credentials and payment systems
- Customer databases and personally identifiable information (PII)
- Internal emails and project documents
Step 4: The exploitation (theft or disruption)
At this point, the attacker chooses their method of exploitation. This may include:
- Data exfiltration: Sensitive files are quietly transferred to external servers.
- Ransomware: Files and systems are encrypted, and a ransom note is delivered demanding payment, often in cryptocurrency.
- Business email compromise (BEC): Fraudulent payment instructions are sent using compromised internal email accounts.
- System sabotage: Critical files are deleted or systems rendered inoperable, often during peak business hours.
By the time the breach is discovered, the damage is already done. In many cases, attackers have been inside the network for weeks or even months before being detected.
Step 5: The aftermath (response, loss, and recovery)
The consequences of a cyberattack can be severe and far-reaching:
- Financial loss: Funds may be fraudulently transferred, or costly ransom payments demanded.
- Reputational damage: Clients lose trust when they hear their data has been compromised.
- Operational downtime: Critical systems become unavailable, halting service delivery.
- Regulatory consequences: Non-compliance with data protection laws may result in penalties or litigation.
Many organisations discover that they have no adequate incident response plan. Backups are missing or corrupted, logs are incomplete, and staff are unprepared to respond.
Key lessons for prevention
- Cybersecurity training is essential for all staff. Every employee should know how to recognise suspicious emails, verify requests, and report incidents.
- Enforce multi-factor authentication (MFA). Passwords alone are not sufficient. MFA blocks over 90% of credential-based attacks.
- Keep systems updated. Regular updates patch known vulnerabilities that attackers exploit.
- Limit user access. Apply the principle of least privilege: users should have access only to what they need.
- Implement a clear incident response plan. Ensure your organisation can act quickly when a breach is detected. This includes regular backups, designated response teams, and simulated drills.
- Monitor your network continuously. Real-time monitoring helps detect unusual activity early, before damage escalates.
Cyberattacks are not acts of chance; they are the result of gaps in discipline, awareness, and internal controls. One click can initiate a catastrophic chain reaction, but with the right measures in place, that chain can be broken.
Executives must treat cybersecurity not as a technical issue, but as a strategic priority.
Managers must take ownership of their teams’ cyber hygiene.
Staff must understand that cybersecurity begins with them.
In today’s environment, the path from click to catastrophe is only a matter of time, unless you are prepared.
Cybersecurity checklist every employee must know
| # | Item | Description | Why It Is Critical | Comment |
|---|------|-------------|--------------------|---------|
| 1 | Think before you click | Always pause and review emails before clicking links or opening attachments, especially those marked as “urgent.” | Most cyberattacks begin with phishing. One careless click can download malware or expose credentials. | When unsure, verify via phone call or direct message. |
| 2 | Inspect sender’s email address | Carefully check the full email address, not just the display name. Look out for small alterations in the domain (e.g., @bankofugandà.com vs @bankofuganda.com). | Attackers often impersonate trusted senders using deceptive addresses to bypass your attention. | Hover over sender details to view the full address. |
| 3 | Use strong, unique passwords | Create passwords with a mix of letters, numbers, and symbols. Avoid common words or names. Never reuse passwords across systems. | Weak or reused passwords are a top cause of credential theft and unauthorised access. | Use a password manager to help store and generate secure passwords. |
| 4 | Enable two-factor authentication | Use 2FA on all systems where available. This typically involves a password and a temporary code sent to your phone or generated by an app. | Even if your password is compromised, attackers cannot access your account without the second factor. | Particularly critical for email, finance, and HR platforms. |
| 5 | Lock your computer when away | Always press Windows + L (or Ctrl + Command + Q on Mac) when stepping away from your workstation. | Prevents unauthorised physical access to sensitive systems or emails when you are away from your desk. | Set auto-lock for 5 minutes of inactivity as a backup. |
| 6 | Avoid public Wi-Fi for work | Do not access internal systems via open or unsecured Wi-Fi networks in public areas. Use a mobile hotspot or VPN. | Public Wi-Fi can be intercepted, allowing attackers to steal credentials or monitor your activity. | If unavoidable, use VPN to encrypt the connection. |
| 7 | Install software updates promptly | Regularly update your computer, browser, antivirus, and all applications. | Updates patch known vulnerabilities. Delayed updates leave you exposed to known exploits. | Set updates to automatic where possible. |
| 8 | Report suspicious activity | Inform your IT or cybersecurity team immediately if you receive a suspicious email, link, file, or see unusual system behaviour. | Timely reporting helps contain potential breaches before they spread. | Never assume someone else will report it. |
| 9 | Do not install unauthorised tools | Only install software or apps that are pre-approved by your IT department. | Unverified software can introduce malware or create vulnerabilities in your system. | If you need a new tool, submit a formal IT request. |
| 10 | Use only approved USB devices | Avoid using personal or unverified flash drives or external devices on office computers. | USB drives can carry viruses or malicious code that runs automatically. | Request scanning and approval before use. |
| 11 | Secure your mobile devices | Lock your phone/tablet with a PIN, password, or biometric security. Keep operating systems and apps up to date. | Mobile devices are often used for email, messaging, and 2FA. If lost or hacked, they can become entry points into the organisation. | Enable remote wipe and tracking. |
| 12 | Limit social media disclosures | Do not post photos, names, or internal details about projects, meetings, or locations without authorisation. | Attackers use social media to collect intelligence and craft convincing phishing attacks (“spear phishing”). | Avoid check-ins, tagged posts, or sharing job-related documents publicly. |
| 13 | Know your organisation’s policies | Familiarise yourself with internal policies regarding data protection, acceptable use, and incident reporting procedures. | Understanding these policies ensures that you comply with expectations and respond correctly when something goes wrong. | Attend onboarding refreshers or policy update briefings. |
| 14 | Attend cybersecurity training | Take all assigned cybersecurity awareness courses seriously. Participate in phishing simulations and feedback sessions. | Trained staff are statistically less likely to fall for phishing or social engineering attacks. | Make it part of your professional development goals. |
| 15 | Understand incident response steps | Know who to contact, what to report, and how to act during a suspected breach. Keep the emergency contact list accessible. | A delayed or confused response increases the damage during an active cyberattack. | Conduct drills annually to test response readiness. |
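The two sender tricks that item 2 of the checklist (and Step 1 above) warn about, a trusted-looking display name over an untrusted address and a domain altered by one accented character, can be checked mechanically at the mail gateway or in a reporting tool. The example below is added here and is not part of the briefing; the trusted domain list is an assumed sample for illustration.

```python
# Added example (not from the briefing): classify a From: header the way the
# checklist tells staff to, by looking at the real address and its domain
# rather than the display name. TRUSTED_DOMAINS is an assumed sample list.
import unicodedata
from email.utils import parseaddr

# Assumed trusted domains for this organisation (constructed sample).
TRUSTED_DOMAINS = {"bankofuganda.com"}


def _fold(text: str) -> str:
    """Lower-case and strip accents, so 'bankofugandà.com' folds to 'bankofuganda.com'."""
    decomposed = unicodedata.normalize("NFKD", text.casefold())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def check_sender(from_header: str) -> dict:
    """Return the display name, the real sending domain, a verdict of
    'trusted', 'lookalike' or 'external', and a 'suspicious' flag."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower() if "@" in address else ""
    folded_trusted = {_fold(d) for d in TRUSTED_DOMAINS}
    if domain in TRUSTED_DOMAINS:
        verdict = "trusted"
    elif _fold(domain) in folded_trusted:
        # Same letters once accents are removed: a deliberately confusable domain.
        verdict = "lookalike"
    else:
        verdict = "external"
    # A display name that quotes a trusted domain (e.g. '"ceo@bankofuganda.com"
    # <x@gmail.com>') is a warning sign when the real address is not trusted.
    name_claims_trusted = any(d in _fold(display_name) for d in folded_trusted)
    return {
        "display_name": display_name,
        "domain": domain,
        "verdict": verdict,
        "suspicious": verdict == "lookalike"
        or (verdict == "external" and name_claims_trusted),
    }


if __name__ == "__main__":
    # Constructed sample headers exercising each case.
    for hdr in ("Jane Doe <jane.doe@bankofuganda.com>",
                "Payments <payments@bankofugandà.com>",
                '"ceo@bankofuganda.com" <someone@gmail.com>',
                "Vendor <sales@supplier.example>"):
        print(check_sender(hdr))
```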
IFIS & SCL Teams.