On 7th November 2024, a well-known humanitarian NGO in Kampala discovered that donor funds, meant for a maternal health project in Lira, had mysteriously dwindled. Bank statements showed UGX 1.6 billion disbursed to “beneficiary suppliers.” Yet on the ground, no medicines had arrived, and the health centre shelves remained empty.
At first, management suspected supplier fraud. They called in Summit Consulting Ltd to investigate. What we uncovered was far more chilling; the breach was inside the house.
How insiders weaponised access
The NGO’s finance system required two approvals for any payment above UGX 10 million. But insiders knew the weaknesses. Suspect 1, a trusted finance officer, had legitimate system credentials. Suspect 2, an IT administrator, had the power to override password resets.
Together, they created “ghost suppliers”, registered companies with near-identical names to real vendors. For example, “Gulu Health Supplies Ltd” vs. “Gulu Health Supplies Uganda Ltd.”
Funds were routed to accounts in the ghost companies, then siphoned through mobile money withdrawals in Gulu and Lira. The scheme ran undetected for nine months. Each transfer was small enough, UGX 25 million here, UGX 40 million there, to escape donor scrutiny.
The human side of cyber risk
Most executives think of cyber threats as hackers in hoodies in Russia or China. The reality in Uganda is different: your biggest threat is wearing your branded T-shirt, attending your morning devotion, and smiling in your staff WhatsApp group.
Why? Because insiders:
- Know your controls. They know what auditors look for, and what they ignore.
- Understand your timing. They know when approvers are distracted (e.g., month-end rush, board meetings, retreats).
- Exploit trust. In cultures where sharing passwords over WhatsApp is normal, controls collapse.
This is why your staff may be your greatest cyber vulnerability.
The investigation trail
Investigators always follow the leads.
- Bank account forensics. The ghost supplier accounts had no other business transactions, only NGO deposits.
- Mobile money analysis. Large cash withdrawals happened consistently within 48 hours of every NGO transfer.
- IP address tracking. Payment approvals allegedly made “by the CFO” actually came from the same office subnet used by Suspect 1.
- Lifestyle audit. Suspect 1, earning UGX 3 million monthly, had just completed a two-storey house in Najjera and was driving a Subaru Forester.
The pattern was unmistakable.
Red flags ignored
The auditors had seen the signs but failed to escalate.
- Repeated vendor name similarities. No supplier vetting had been done for years.
- Unusual working hours. Approvals at 11:47 pm were logged as “routine.”
- Lifestyle inflation. The same officer suddenly stopped borrowing salary advances and started flashing new gadgets.
- Weak IT segregation. One administrator had access to both the system backend and the finance workflow.
In short, the enemy was within, but the system was too trusting to notice.
Why insiders turn rogue
Interviews revealed three motives:
- Perceived injustice. Suspect 1 felt underpaid compared to expatriate staff.
- Weak controls meant ghost suppliers could slip through with ease.
- The suspects claimed, “Donors waste money anyway; at least ours built something.”
This is the classic fraud triangle: pressure, opportunity, and rationalisation, played out in cyber terms.
The cultural dilemma
Many organisations struggle with a cultural contradiction: they value loyalty over verification. Managers say, “We are like family here.” Yet in cyber risk, family culture can be fatal. Trust is not a control. In fact, it is a vulnerability. The stronger the “family” culture, the easier it is for insiders to exploit it without suspicion.
How to fight the enemy within
Zero Trust principles must be applied, but tailored to Ugandan realities:
- Segregate duties. No single person should control end-to-end financial transactions.
- Automated monitoring. Deploy analytics that flag duplicate suppliers, unusual working hours, and suspicious clustering of payments.
- Continuous vetting. Do lifestyle audits, especially for staff in finance and IT.
- Enforce least privilege. Give staff access only to what they need, nothing more.
- Whistleblower protection. Create safe channels. Most frauds are exposed by insiders, not systems.
By the time the case closed, the NGO had lost UGX 1.6 billion. Donors froze funding. Reputational damage was catastrophic. As investigators, we recommended interventions to rebuild the control environment, retrain staff, and implement continuous monitoring tools. But the lesson was permanent: the cyber threat was not outside. It was inside.
Cyber resilience is not about buying the latest firewall. It is about hardening your organisation against betrayal from within.
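An added example (not part of the original article or the NGO's systems) of the automated monitoring recommended above: it checks constructed payment records for lookalike vendor names, approvals outside assumed working hours, and a second approval coming from the initiator's own subnet. The record layout, IP addresses, thresholds and function names are assumptions.

```python
from datetime import datetime
from difflib import SequenceMatcher
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed sample data for illustration; not taken from the case file.
VENDORS = ["Gulu Health Supplies Ltd", "Gulu Health Supplies Uganda Ltd",
           "Lira Medical Stores Ltd"]
PAYMENTS = [
    # id, vendor, amount (UGX), approved at, initiator IP, approver IP
    ("P-001", "Gulu Health Supplies Ltd", 18_000_000, "2024-03-04 10:15", "10.1.20.14", "10.1.50.7"),
    ("P-002", "Gulu Health Supplies Uganda Ltd", 25_000_000, "2024-03-05 23:47", "10.1.20.14", "10.1.20.31"),
    ("P-003", "Gulu Health Supplies Uganda Ltd", 40_000_000, "2024-03-07 09:30", "10.1.20.14", "10.1.20.31"),
    ("P-004", "Lira Medical Stores Ltd", 12_000_000, "2024-03-08 14:05", "10.1.20.22", "10.1.50.7"),
]
WORK_START, WORK_END = 7, 19   # assumed working hours, 07:00-18:59
NAME_THRESHOLD = 0.8           # assumed similarity cut-off; tune per vendor list

def similar_vendors(names, threshold=NAME_THRESHOLD):
    """Return vendor pairs whose names are near-identical but not equal."""
    pairs = []
    for a, b in combinations(sorted(set(names)), 2):
        if SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold:
            pairs.append((a, b))
    return pairs

def flag_payments(payments, vendors):
    """Map payment id -> list of reasons it needs manual review."""
    lookalikes = {n for pair in similar_vendors(vendors) for n in pair}
    flags = {}
    for pid, vendor, _amount, approved, init_ip, appr_ip in payments:
        reasons = []
        if vendor in lookalikes:  # either name of the pair could be the ghost
            reasons.append("lookalike-vendor")
        hour = datetime.strptime(approved, "%Y-%m-%d %H:%M").hour
        if not WORK_START <= hour < WORK_END:
            reasons.append("off-hours-approval")
        # A second approval from the initiator's own /24 suggests one desk did both steps.
        if ip_address(appr_ip) in ip_network(f"{init_ip}/24", strict=False):
            reasons.append("approver-on-initiator-subnet")
        if reasons:
            flags[pid] = reasons
    return flags

if __name__ == "__main__":
    for pid, reasons in flag_payments(PAYMENTS, VENDORS).items():
        print(pid, ", ".join(reasons))
```

A flag is a prompt for manual review, not proof: the legitimate vendor of a lookalike pair is flagged too, so the reviewer must confirm which registration and bank account is genuine.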
Your staff may be your greatest asset. But under pressure, they may also become your greatest liability.
The new imperative for every Ugandan board is clear:
Trust people. But design systems that do not need to.
Until next week, we remain, IFIS.