When you look at trends among senior leadership at large companies, it’s easier to believe a CEO can be tricked into believing a fake email from a colleague is genuine, as the Barclays Plc boss reportedly did. Even after Hillary Clinton’s private server scandal and two decades of experience by big companies learning how to manage employee email use, high-level executives are routinely using tools for communication that their company would rather they didn’t.
That means that even if Staley spotted the Gmail address atop the “phishing” messages from the impostor posing as Barclays Chairman John McFarlane, he might not have thought anything of it.
“It is more common than we think,” said Nicholas McQuire, a cyber-security analyst at CCS Insight. “Many employees, including CEOs, often choose the convenience of using their personal productivity tools like email or Dropbox over company policy and the technology provided by the company. In fact, it is the senior executives who are the biggest culprits in bypassing company security policy.”
An April 2017 cyber-security study published by the UK government’s Department for Culture, Media and Sport concluded that of about 1,500 businesses surveyed, 83 per cent outline what an employee is or is not permitted to do on their employer’s IT equipment. Only 62 per cent specify restrictions on using personally-owned devices for business activities. Fewer still, 56 per cent, include provisions on the use of new digital technologies such as cloud computing services, although this figure is higher, at 67 per cent, for the larger companies studied for the survey.
Angry shareholders
Top executives “are actually the worst offenders for this,” said Jamie Akhtar, co-founder of the London-based security software firm CyberSmart. The majority of companies specify that employees must never use personal email for corporate communication, Akhtar said, “but it’s rarely followed.”
The Financial Times’s Alphaville blog reported late Thursday that the impostor using john.mcfarlane.barclays@gmail emailed Staley with a message of support after the CEO faced angry questions at the British bank’s shareholder meeting earlier in the week. Staley replied with effusive praise for his chairman, earning him the derision of columnists. A Barclays spokesman confirmed the contents of the emails reported by Alphaville were genuine.
A Gartner study published in April concluded that fewer than 2 per cent of CEOs and enterprise executives surveyed mentioned cyber-security as a most important external macro trend. The study reported that many CEOs are paying more attention to technology, but not necessarily the associated risks.
The use of personal email for confidential and sensitive business was thrown onto front pages worldwide in 2015, when then-presidential candidate Hillary Clinton was discovered to have set up and used her own email system for personal and work-related communication. That led to investigations — subsequently dropped without charges — by the FBI, giving now-President Donald Trump a frequent line of attack on the campaign trail.
The email incident is doubly embarrassing for Staley, who was already attempting to mollify investors over weaker-than-expected first-quarter results and an unrelated conduct issue where he apologised for trying to unmask a whistle-blower. Staley is also a champion of London’s tech scene, and has repeatedly stressed the need for Barclays to invest more in information technology.
“The news that Barclays’s CEO fell victim to an unsophisticated email prank is troubling, given the important role he plays for shareholders and customers,” said Russ Shaw, founder of Tech London Advocates, an industry body. “Cyber security is becoming the number one operational priority in the public and private sectors, and I hope that this incident serves as a warning for senior figures who still are not fully cyber-literate.”