Executives tempted to chuckle at bank chief Jes Staley’s recent email missteps might want to hold off on the smugness.
When you look at trends among senior leadership at large companies, it’s easier to believe a CEO can be tricked into believing a fake email from a colleague is genuine, as the Barclays boss reportedly did. Even after Hillary Clinton’s private server scandal and two decades of experience by big companies on how to manage employee email use, high-level executives are routinely using tools for communication that their company would rather they didn’t.
That means that even if Staley spotted the Gmail address atop the “phishing” messages from the impostor posing as Barclays Chairman John McFarlane, he might not have thought anything of it.
“It is more common than we think,” said Nicholas McQuire, a cybersecurity analyst at CCS Insight. “Many employees, including CEOs, often choose the convenience of using their personal productivity tools like email or Dropbox over company policy and the technology provided by the company. In fact, it is the senior executives who are the biggest culprits in bypassing company security policy.”
An April 2017 cybersecurity study published by the U.K. government’s Department for Culture, Media and Sport concluded that of about 1,500 business surveyed, 83% outline what an employee is or is not permitted to do on their employer’s IT equipment. Only 62% specify restrictions on using personally owned devices for business activities. Fewer still, 56%, include provisions on the use of new digital technologies such as cloud computing services, although this figure is higher, at 67%, for the larger companies studied for the survey.
Top executives “are actually the worst offenders for this,” said Jamie Akhtar, co-founder of the London-based security software firm CyberSmart. The majority of companies specify that employees must never use personal email for corporate communication, Akhtar said, “but it’s rarely followed.”
The Financial Times’s Alphaville blog reported last week that the impostor using john.mcfarlane.barclays@gmail emailed Staley with a message of support after the CEO faced angry questions at the British bank’s shareholder meeting earlier in the week. Staley replied with effusive praise for his chairman, earning him the derision of columnists. A Barclays spokesman confirmed the contents of the emails reported by Alphaville were genuine.
A Gartner study published in April concluded that fewer than 2% of CEOs and enterprise executives surveyed mentioned cybersecurity as a most important external macro trend. The study reported that many CEOs are paying more attention to technology, but not necessarily the associated risks.
The use of personal email for confidential and sensitive business was thrown onto front pages worldwide in 2015, when then-presidential candidate Hillary Clinton was discovered to have set up and used her own email system for personal and work-related communication. That led to investigations — subsequently dropped without charges — by the FBI, giving now-President Donald Trump a frequent line of attack on the campaign trail.
The email incident is doubly embarrassing for Staley, who was already attempting to mollify investors over weaker-than-expected first-quarter results and an unrelated conduct issue in which he apologized for trying to unmask a whistle-blower. Staley is also a champion of London’s tech scene, and has repeatedly stressed the need for Barclays to invest more in information technology.
“The news that Barclays’s CEO fell victim to an unsophisticated email prank is troubling, given the important role he plays for shareholders and customers,” said Russ Shaw, founder of Tech London Advocates, an industry body. “Cyber security is becoming the No. 1 operational priority in the public and private sectors, and I hope that this incident serves as a warning for senior figures who still are not fully cyberliterate.”