Would your team recognize a phishing attempt today in the organization?

Three years ago, I worked with an organization that prided itself on having “world-class” IT controls. Firewalls, intrusion detection, antivirus subscriptions, the full package.

During a strategy execution session, I asked the CEO one simple question: Would your staff recognize a phishing attempt if it landed in their inbox today? He smiled and said, “Of course. We train them every year.”

To test the assumption, we ran a controlled phishing simulation. Within 24 hours, 41% of staff had clicked the malicious link.

Even worse, several forwarded it internally, magnifying the risk. The breach did not start with servers; it started with human judgment.

The hidden cultural risk

The danger in most organizations is not technology failure. It is cultural complacency. Leaders assume staff know better because an annual awareness session was conducted. They confuse attendance with competence.

Yet phishing is not static; it evolves. Attackers study your procurement cycles, copy your supplier email formats, and even time their attacks to coincide with payroll. The weakest link is not the junior officer; it is leadership silence that assumes “we are covered.”

I have witnessed multimillion-shilling losses triggered by something as trivial as an HR officer clicking an email about “updated benefits.” Once inside, attackers moved laterally across the network, escalated privileges, and drained accounts. The board’s response? Shock. The regulators’ response? Penalties. The staff’s response? Fear and blame. All of this is because no one dared to test the obvious.

Cybersecurity is not an IT department’s problem. It is a leadership issue. As an executive, your job is not to assume protection but to prove it.

Ask yourself: when was the last time your board received phishing resilience results, not just IT uptime metrics? If the answer is never, then you are leading blind.

The Phishing Resilience Test

  1. Simulate: run controlled phishing campaigns quarterly across all levels of staff.
  2. Measure: track click rates, report rates, and time to escalation.
  3. Debrief: share results openly; celebrate those who reported, not just punish those who clicked.
  4. Embed: make phishing resilience part of departmental KPIs and leadership scorecards.
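
To make the Measure and Embed steps concrete, here is an added example (not part of the original article) that turns the event log of one simulated campaign into a per-department scorecard. The event format, the sample rows, and the definition of time to escalation as minutes from first delivery to the first report by anyone are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events from one simulated campaign (not real data):
# (recipient, department, event, ISO timestamp)
EVENTS = [
    ("u1", "HR", "delivered", "2025-01-06T09:00:00"),
    ("u1", "HR", "clicked", "2025-01-06T09:05:00"),
    ("u1", "HR", "clicked", "2025-01-06T09:07:00"),  # repeat click, counted once
    ("u2", "HR", "delivered", "2025-01-06T09:00:00"),
    ("u2", "HR", "reported", "2025-01-06T09:12:00"),
    ("u3", "Finance", "delivered", "2025-01-06T09:00:00"),
    ("u3", "Finance", "clicked", "2025-01-06T09:03:00"),
    ("u3", "Finance", "reported", "2025-01-06T09:20:00"),  # clicked, then reported
    ("u4", "Finance", "delivered", "2025-01-06T09:00:00"),  # ignored the email
    ("u5", "EXCO", "delivered", "2025-01-06T09:00:00"),
    ("u5", "EXCO", "clicked", "2025-01-06T09:30:00"),
]

def scorecard(events):
    """Per-department click rate, report rate and median minutes to report."""
    sent, first = {}, defaultdict(dict)
    for user, dept, kind, ts in events:
        t = datetime.fromisoformat(ts)
        if kind == "delivered":
            sent[user] = (dept, t)
        elif kind not in first[user] or t < first[user][kind]:
            first[user][kind] = t  # keep only the earliest click/report per person
    depts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0, "delays": []})
    for user, (dept, sent_at) in sent.items():  # denominator: delivered mail only
        d, seen = depts[dept], first.get(user, {})
        d["sent"] += 1
        d["clicked"] += "clicked" in seen
        if "reported" in seen:
            d["reported"] += 1
            d["delays"].append((seen["reported"] - sent_at).total_seconds() / 60)
    return {name: {"click_rate": d["clicked"] / d["sent"],
                   "report_rate": d["reported"] / d["sent"],
                   "median_minutes_to_report": median(d["delays"]) if d["delays"] else None}
            for name, d in depts.items()}

def time_to_escalation(events):
    """Assumed definition: minutes from first delivery to the first report by anyone."""
    sent = [datetime.fromisoformat(ts) for _, _, k, ts in events if k == "delivered"]
    reports = [datetime.fromisoformat(ts) for _, _, k, ts in events if k == "reported"]
    return (min(reports) - min(sent)).total_seconds() / 60 if sent and reports else None
```

Counting a person who clicked and then reported in both rates keeps the report rate from hiding late reporters, and a department with no reports shows `None` rather than a misleading zero-minute delay.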

When done right, these simulations change culture. Staff stop fearing mistakes and start owning vigilance. Leaders stop pretending to be perfect and start confronting reality.

Hackers do not break your firewalls; they break your people. And your people click not because they are careless, but because leadership assumes instead of proving. If you have not tested phishing resilience in the past quarter, your organization is not secure; it is lucky. And luck is not a strategy.

To truly understand your organization’s vulnerability, it is time to stop guessing. Visit Summit Consulting and request a Phishing Resilience Test. It will expose your blind spots before the attackers do.

If your board and executive team have never confronted live phishing results, ransomware simulations, or insider threat case studies, then you are walking blind. Cybersecurity is no longer a back-office issue; it is boardroom oxygen.

2025 Cybersecurity Conference on 16th October 2025 at Speke Resort, Munyonyo, Kampala.

This October, I will be speaking at the Cybersecurity Awareness Conference in Munyonyo, where we move beyond theory to show you exactly how hackers break your culture before they break your systems. You will see, live, why your staff remain your greatest risk and how to turn them into your first line of defence.

Do not send your IT manager alone. Bring your EXCO, your board audit and risk committee members, and your operations heads. If they do not understand the language of risk in cyberspace, every shilling you spend on firewalls is wasted.

Reserve your slot now. Walk into Munyonyo with assumptions. Walk out with a playbook. That is the difference between surviving a breach and issuing a press release.

Register today for the Cybersecurity Awareness Conference. Book a free session today: https://event.forensicsinstitute.org/cyber-security-awareness-month-2025/

About Mustapha Mugisa

Mustapha B. Mugisa is one of those rare individuals who delivers unparalleled value-based consulting to professionals and corporate entities that demand excellence. As an alumnus of EY and the current President of the Association of Certified Fraud Examiners (ACFE) Uganda Chapter, Mustapha brings a wealth of experience and expertise to every engagement.
