Three years ago, I worked with an organization that prided itself on having “world-class” IT controls. Firewalls, intrusion detection, antivirus subscriptions, the full package. During a strategy execution session, I asked the CEO one simple question: Would your staff recognize a phishing attempt if it landed in their inbox today? He smiled and said, “Of course. We train them every year.” To test the assumption, we ran a controlled phishing simulation. Within 24 hours, 41% of staff had clicked the malicious link. Even worse, several forwarded it internally, magnifying the risk. The breach did not start with servers; it started…
How hackers use curiosity against you
It started with a link. One click. That’s all it took. On a cool Friday morning in April 2025, a procurement officer at a leading Ugandan NGO, let’s call her Susan, received a WhatsApp message from an unknown number. The message read: “Hi Susan, I saw this on Twitter about your organization. Thought you should see it.” (link attached) The link preview showed the NGO’s logo with the caption, “Shocking scandal involving NGO procurement manager leaks online.” Her heart raced. Susan clicked. Nothing loaded. “Maybe it’s my MTN data,” she thought. She brushed it off. But unknown to her, that…
The hidden costs of ignoring cybersecurity in an organization
It never starts with a bang. Cyber fraud does not arrive at your doorstep with sirens. It whispers in the background. A delayed payroll here, a customer complaint there, a donor asking awkward questions about leaked contracts. By the time executives pay attention, the damage is entrenched. Cyber risk is a slow bleed, and the organizations that dismiss it as an IT issue end up paying the highest, most invisible bills.

The illusion of savings

Boards and their executive management love to postpone “non-core” investments. Cybersecurity tops that list. “We’ve never been hacked. Let’s deal with it next year.” That…
Do banks use dormant accounts for fraud?
Why do banks demand a board resolution to reactivate an account they themselves marked “dormant” simply because you did not transact? Why design hurdles that punish a customer for inactivity instead of rewarding them for loyalty? I see this as a paradox of modern banking. Banks preach financial inclusion while erecting barriers to access. They claim to protect you from fraud, yet what they protect is their bureaucracy. A dormant account is not a risk; it is an untapped opportunity. In modern banking, smart banks treat dormancy as a trigger for engagement, not punishment. They call, they nudge, and they…
Why every director must understand the Data Protection & Privacy Act 2019
Imagine this. You are a director of a mid-sized company. One morning, the security guard calls you in a panic: “Sir, thieves broke in, but they did not touch the furniture or computers. They opened the safe.” You rush to the office. The steel safe stands wide open. But strangely, bundles of cash are untouched. Instead, the robbers carried away files, employee contracts, customer details, supplier bank accounts, and even board minutes. That is the modern burglary. No crowbars, no gunfire, no missing shillings. Yet, the loss is catastrophic. Competitors now know your customer lists. Fraudsters will exploit payroll records.…
Free Cybersecurity Training – October 2025
Across Uganda and the wider region, businesses, banks, NGOs, and even government agencies are losing billions of shillings every year to digital fraud, ransomware, and phishing. The attacks are becoming more sophisticated, yet too many leaders still dismiss cybersecurity as an IT problem. The truth is, cybersecurity is no longer about computers; it’s about continuity. If your systems fail, your business stalls. If your data is stolen, your reputation collapses. If your board cannot explain its cyber risk strategy, regulators, investors, and clients will not forgive you. At the Institute of Forensics & ICT Security (IFIS), the technical training arm…