Executives tempted to chuckle at bank chief Jes Staley's recent email missteps might want to hold off on the smugness.

When you look at trends among senior leadership at large companies, it's easier to believe a CEO can be tricked into believing a fake email from a colleague is genuine, as the Barclays boss reportedly did. Even after Hillary Clinton's private server scandal and two decades of experience by big companies on how to manage employee email use, high-level executives are routinely using tools for communication that their company would rather they didn't.

That means that even if Staley spotted the Gmail address atop the “phishing” messages from the impostor posing as Barclays Chairman John McFarlane, he might not have thought anything of it.

“It is more common than we think,” said Nicholas McQuire, a cybersecurity analyst at CCS Insight. “Many employees, including CEOs, often choose the convenience of using their personal productivity tools like email or Dropbox over company policy and the technology provided by the company. In fact, it is the senior executives who are the biggest culprits in bypassing company security policy.”

An April 2017 cybersecurity study published by the U.K. government's Department for Culture, Media and Sport concluded that of about 1,500 businesses surveyed, 83% outline what an employee is or is not permitted to do on their employer's IT equipment. Only 62% specify restrictions on using personally owned devices for business activities. Fewer still, 56%, include provisions on the use of new digital technologies such as cloud computing services, although this figure is higher, at 67%, for the larger companies studied for the survey.

Top executives “are actually the worst offenders for this,” said Jamie Akhtar, co-founder of the London-based security software firm CyberSmart. The majority of companies specify that employees must never use personal email for corporate communication, Akhtar said, “but it's rarely followed.”

The Financial Times's Alphaville blog reported last week that the impostor using john.mcfarlane.barclays@gmail emailed Staley with a message of support after the CEO faced angry questions at the British bank's shareholder meeting earlier in the week. Staley replied with effusive praise for his chairman, earning him the derision of columnists. A Barclays spokesman confirmed the contents of the emails reported by Alphaville were genuine.

A Gartner study published in April concluded that fewer than 2% of CEOs and enterprise executives surveyed mentioned cybersecurity as a most important external macro trend. The study reported that many CEOs are paying more attention to technology, but not necessarily the associated risks.

The use of personal email for confidential and sensitive business was thrown onto front pages worldwide in 2015, when then-presidential candidate Hillary Clinton was discovered to have set up and used her own email system for personal and work-related communication. That led to investigations — subsequently dropped without charges — by the FBI, giving now-President Donald Trump a frequent line of attack on the campaign trail.

The email incident is doubly embarrassing for Staley, who was already attempting to mollify investors over weaker-than-expected first-quarter results and an unrelated conduct issue in which he apologized for trying to unmask a whistle-blower. Staley is also a champion of London's tech scene, and has repeatedly stressed the need for Barclays to invest more in information technology.

“The news that Barclays's CEO fell victim to an unsophisticated email prank is troubling, given the important role he plays for shareholders and customers,” said Russ Shaw, founder of Tech London Advocates, an industry body. “Cyber security is becoming the No. 1 operational priority in the public and private sectors, and I hope that this incident serves as a warning for senior figures who still are not fully cyberliterate.”

Bloomberg News

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
