CEO email scam is wake-up call for boards

Fake emails apparently sent by chief executives to senior employees asking for money transfers are estimated to have cost businesses as much as $2bn in the past two years, the FBI has said. There have been more than 12,000 corporate victims worldwide. Are you sure your business will not be the next to fall for the scam?

It is ironic that businesses can suffer from the malign entrepreneurialism of the cyber criminal. “The internet was built for connectivity and speed, not security and protection,” according to David Lawrence, founder of the Risk Assistance Network and Exchange (Rane).

“For criminals, rogue states and mischievous ‘actors’, the digital world has become the ‘promised land’ — low risk and high reward — offering borderless reach, assured anonymity and defenceless victims who are not allowed to fight back,” he wrote in an article for the Wharton business school at the University of Pennsylvania.

Cyber security is clearly a board-level concern, but the expertise needed to manage it may not always be present around the table. This is not something those who have built careers over the past 30 years have dealt with, after all.

More than half the 10,000 businesses questioned by PwC for last year’s “global state of information security” survey have now appointed chief information security officers. Meanwhile, the UK market appears to be a particularly attractive target for cyber criminals. According to PwC, about 55 per cent of businesses have been attacked over the past two years. Globally the average rate is 36 per cent.

Last year’s attack on TalkTalk, the UK telecoms company, was a prominent example of what businesses are facing.

This is an urgent issue, not just for maintaining business continuity and avoiding losses. Breaching the EU’s new “general data protection regulation”, which should come into effect in 2018, may result in personal as well as corporate fines.

Cyber security is “no longer a dark art but an everyday business practice that must pervade every level of the organisation”, according to Greg Day, chief security officer in Europe, Middle East and Africa for Palo Alto Networks, a cyber security company. It is not simply or solely a matter for a couple of clever people in the IT department, he says.

What can the board do to spread that level of cyber crime awareness? Mr Lawrence’s colleagues at Rane have identified some key actions that can lead to greater cyber security.

● Develop and practise “cyber hygiene”. Carry out background checks on personnel to reduce insider threats, and insist on robust passwords and multi-factor authentication. Employees have to be kept up to date about the latest email scams.

● Know your vendors well, and manage them carefully. Insist that their security standards are high.

● Protect your “crown jewels”. Identify, and separately protect, critical data and systems (such as customer data, intellectual property and market-sensitive information).

● Practise your incident response plan. This will involve working across departments and avoiding silo thinking. External technical, legal and crisis assistance, and public relations experts may be needed.

● Assess your levels of security with regular “penetration tests” that might reveal weaknesses.

● Develop a cyber threat monitoring and sharing team and make sure you have some cyber security insurance, if you can find anyone to price it appropriately, that is.

Boards must realise cyber risk is attracting shareholder attention. According to EY, the professional services firm, only 17 per cent of UK businesses report on the cyber risks they face and what they are doing about them. David Patt, analyst in corporate governance for Legal and General Investment Management, has called this a “huge gap in transparency”.

That is why boards must give this matter due attention and make sure it is being managed effectively.

But it is important, too, not to overreact. Believe all the hype from security consultants and you might never turn on a device again. Business life and transactions must go on. But today they have to be conducted with ever more care, and it is employees — the human software — who are perhaps most likely to succumb to workplace attacks.