Every board loves to talk about “digitisation” and “firewalls.” But here’s the truth: the easiest way to hack a ministry, bank, or NGO is not through code, it’s through ghosts on payroll. When HR fraud meets weak IT, cybercrime becomes institutionalized. That’s why I designed the Boardroom Payroll Integrity Tool, a no-excuses dashboard for leaders who want to know if their payroll is a fortress or a fraud pipeline. Ask yourself: a) Can you prove every person on payroll exists? b) Who controls the power to add or remove names? c) Are payroll anomalies linked to IT audit trails—or are you blind? If your board is not asking these questions, you are not just paying ghosts and funding hackers. “A ghost on payroll is not just stealing a salary. They are stealing your cyber defense.” – Mr. Strategy This October, as part of Cybersecurity Awareness Month, I will be sharing 30 tools for boards, CEOs, and EXCOs, one every day. Tools that expose silent risks and give leaders weapons to fight back. You and your team can now register for a free virtual Cybersecurity Awareness Session worth UGX 5 million, offered at no cost. Simply visit https://event.forensicsinstitute.org/cyber-security-awareness-month-2025/ to secure your slot. For organizations that prefer in-person training, IFIS is offering on-site sessions at a facilitation fee of only UGX 500,000 net per team, per session. Do not gamble with silence. Invest in awareness before a breach forces you to pay in panic. Register today. How to participate in Cybersecurity Awareness Month, 1st – 25th October 2025 a) Register your team for a free cybersecurity awareness session (valued at UGX 5 million), absolutely free of charge. Don’t miss this. b) Join us at Speke Resort Munyonyo for the one-day Cybersecurity & Risk Management Conference, the highlight event of the month. c) Visit https://event.forensicsinstitute.org to download free cybersecurity resources and share them with your colleagues to spread awareness. Cybersecurity is no longer optional. It is governance. Act today. I remain, Mr. Strategy

On Saturday, I drove over 250km to Kagadi. Not for a wedding. Not for a political rally. But for the burial of a man who lived 100 years and shook the very ground he walked on. By the look of things, the entire district of Kagadi and Hoima closed shop. Over 5,000 people. Ranked and unranked. Big men and nobodies. They all showed up. Not for a concert. Not for money. But to bury a man. That is how powerful he was in life. And yet, he still bowed. That is the irony. Death doesn’t respect influence. It doesn’t care about age. It doesn’t ask for your CV. Death is the only true democracy. The mighty and the powerless, the rich and the broke, the famous and the unknown, all must sign the same attendance book. This man lived fully. A century of laughter, power, mistakes, victories, family, and legacy. He had lived. But when the curtain call came, even he had to take the final bow. I say this not to mean it was good he died. Far from it. I say this because, however invisible you think you are, however high you rise, the rules of life are unbendable. Even the untouchable must eventually touch the ground. So why the sleepless nights? Why the endless worry about who said what? Why the race to prove yourself to people who will all one day stand on the same ground, facing the same end? Take life easy, show up, do your work, love deeply, light clean, and rest often. For in the end, everything works out, sometimes in ways beyond your comprehension. The mighty fall. The weak fall. We all fall. The only question is: will people close shop to honor your journey when you do? Mr. Strategy

Three years ago, I worked with an organization that prided itself on having “world-class” IT controls. Firewalls, intrusion detection, antivirus subscriptions, the full package. During a strategy execution session, I asked the CEO one simple question: Would your staff recognize a phishing attempt if it landed in their inbox today? He smiled and said, “Of course. We train them every year.” To test the assumption, we ran a controlled phishing simulation. Within 24 hours, 41% of staff had clicked the malicious link. Even worse, several forwarded it internally, magnifying the risk. The breach did not start with servers; it started with human judgment. The hidden cultural risk The danger in most organizations is not technology failure. It is cultural complacency. Leaders assume staff know better because an annual awareness session was conducted. They confuse attendance with competence. Yet phishing is not static; it evolves. Attackers study your procurement cycles, copy your supplier email formats, and even time their attacks to coincide with payroll. The weakest link is not the junior officer; it is leadership silence that assumes “we are covered.” I have witnessed multimillion-shilling losses triggered by something as trivial as an HR officer clicking an email about “updated benefits.” Once inside, attackers moved laterally across the network, escalated privileges, and drained accounts. The board’s response? Shock. The regulators’ response? Penalties. The staff’s response? Fear and blame. All of this is because no one dared to test the obvious. Cybersecurity is not an IT department’s problem. It is a leadership issue. As an executive, your job is not to assume protection but to prove it. Ask yourself: when was the last time your board received phishing resilience results, not just IT uptime metrics? If the answer is never, then you are leading blind. The Phishing Resilience Test a) Simulate, run controlled phishing campaigns quarterly across all levels of staff. b) Measure, track click rates, report rates, and time to escalation. c) Debrief, share results openly; celebrate those who reported, not just punish those who clicked. d) Embed, make phishing resilience part of departmental KPIs and leadership scorecards. When done right, these simulations change culture. Staff stop fearing mistakes and start owning vigilance. Leaders stop pretending to be perfect and start confronting reality. Hackers do not break your firewalls; they break your people. And your people click not because they are careless, but because leadership assumes instead of proving. If you have not tested phishing resilience in the past quarter, your organization is not secure; it is lucky. And luck is not a strategy. To truly understand your organization’s vulnerability, it is time to stop guessing. Visit Summit Consulting and request a Phishing Resilience Test. It will expose your blind spots before the attackers do. If your board and executive team have never confronted live phishing results, ransomware simulations, or insider threat case studies, then you are walking blind. Cybersecurity is no longer a back-office issue; it is boardroom oxygen. 2025 Cybersecurity Conference on 16th October 2025 at Speke Resort, Munyonyo, Kampala. This October, I will be speaking at the Cybersecurity Awareness Conference in Munyonyo, where we move beyond theory to show you exactly how hackers break your culture before they break your systems. You will see, live, why your staff remain your greatest risk and how to turn them into your first line of defence. Do not send your IT manager alone. Bring your EXCO, your board audit and risk committee members, and your operations heads. If they do not understand the language of risk in cyberspace, every shilling you spend on firewalls is wasted. Reserve your slot now. Walk into Munyonyo with assumptions. Walk out with a playbook. That is the difference between surviving a breach and issuing a press release. Register today for the Cybersecurity Awareness Conference. Book a free session today: https://event.forensicsinstitute.org/cyber-security-awareness-month-2025/