Barclays boss fell for fake e-mail, showing how CEOs are still cyber security dinosaurs

Barclays' chief executive officer Jes Staley at the Yahoo Finance All Markets Summit in New York, in February. PHOTO: REUTERS

LONDON (BLOOMBERG) - Executives tempted to chuckle at bank chief Jes Staley's recent e-mail missteps might want to hold off on the smugness.

The Financial Times's Alphaville blog reported late on Thursday (May 11) that an impostor posing as Barclays chairman John McFarlane e-mailed Mr Staley with a message of support after the CEO faced angry questions at the British bank's shareholder meeting earlier in the week. Mr Staley replied with effusive praise for his chairman, earning him the derision of columnists.

When you look at trends among senior leadership at large companies, it is easier to believe that a CEO can be tricked into accepting a fake e-mail from a colleague as genuine, as the Barclays boss reportedly did. Even after Mrs Hillary Clinton's private server scandal, and after two decades in which big companies have learned how to manage employee e-mail use, high-level executives routinely use communication tools that their company would rather they did not.

That means that even if Mr Staley spotted the Gmail address atop the "phishing" messages from the impostor, he might not have thought anything of it.
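The pattern described above, a familiar executive's name over a free webmail address, is what mail gateways check for with display-name impersonation rules. The following is an added example written for this page, not code from Barclays or from any product mentioned in the article; the executive names come from the story, while the corporate domain `example.com`, the sample headers and the function names are constructed placeholders.

```python
# Added example: flag inbound mail whose From display name matches a known
# executive but whose address is not on the corporate domain, the pattern
# in the Barclays incident (a chairman's name over a Gmail address).
from email.utils import parseaddr
import re

CORPORATE_DOMAIN = "example.com"               # constructed placeholder
EXECUTIVES = {"John McFarlane", "Jes Staley"}  # names taken from the article


def _norm(name):
    # Lower-case, keep only letters, and sort the tokens so that
    # "McFarlane, John" and "john mcfarlane" compare as the same person.
    tokens = re.findall(r"[a-z]+", name.lower())
    return " ".join(sorted(tokens))


def sender_domain(addr):
    # Domain part of an address, lower-cased; empty string if malformed.
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_executive_impersonation(from_header, execs=EXECUTIVES,
                               domain=CORPORATE_DOMAIN):
    """True when the display name is an executive's but the mailbox is external."""
    display, addr = parseaddr(from_header)
    if not display:  # bare address: no display name to borrow trust from
        return False
    known = {_norm(e) for e in execs}
    return _norm(display) in known and sender_domain(addr) != domain.lower()


def triage(from_headers):
    """Return the From values that should be held for review."""
    return [h for h in from_headers if is_executive_impersonation(h)]


# Constructed sample From headers; the first mimics the incident's pattern.
SAMPLE_FROM = [
    'John McFarlane <johnmcfarlane.chair@gmail.com>',
    'John McFarlane <john.mcfarlane@example.com>',
    '"McFarlane, John" <jm1234@outlook.com>',
    'Jes Staley <jes.staley@example.com>',
    'noreply@gmail.com',
]

if __name__ == "__main__":
    for header in triage(SAMPLE_FROM):
        print("FLAG:", header)
```

The check only covers the display-name trick; it says nothing about a compromised internal mailbox, which would pass the domain test.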

"It is more common than we think," said Mr Nicholas McQuire, a cyber security analyst at CCS Insight. "Many employees, including CEOs, often choose the convenience of using their personal productivity tools like e-mail or Dropbox over company policy and the technology provided by the company. In fact, it is the senior executives who are the biggest culprits in bypassing company security policy."

An April 2017 cyber-security study published by the UK government's Department for Culture, Media and Sport concluded that, of about 1,500 businesses surveyed, 83 per cent outline what an employee is or is not permitted to do on their employer's IT equipment. Only 62 per cent specify restrictions on using personally owned devices for business activities. Fewer still, 56 per cent, include provisions on the use of new digital technologies such as cloud computing services, although this figure is higher, at 67 per cent, for the larger companies studied in the survey.

Top executives "are actually the worst offenders for this", said Mr Jamie Akhtar, co-founder of the London-based security software firm CyberSmart. The majority of companies specify that employees must never use personal e-mail for corporate communication, Mr Akhtar said, "but it's rarely followed".

A Gartner study published in April concluded that fewer than 2 per cent of CEOs and enterprise executives surveyed mentioned cyber-security as a most important external macro trend. The study reported that many CEOs are paying more attention to technology, but not necessarily the associated risks.

The use of personal e-mail for confidential and sensitive business was thrown onto front pages worldwide in 2015, when then-presidential candidate Clinton was discovered to have set up and used her own e-mail system for personal and work-related communication. That led to investigations - subsequently dropped without charges - by the FBI, giving now-President Donald Trump a frequent line of attack on the campaign trail.

The e-mail incident is doubly embarrassing for Mr Staley, who was already attempting to mollify investors over weaker-than-expected first-quarter results and an unrelated conduct issue where he apologised for trying to unmask a whistle-blower. Mr Staley is also a champion of London's tech scene, and has repeatedly stressed the need for Barclays to invest more in information technology.

"The news that Barclays's CEO fell victim to an unsophisticated e-mail prank is troubling, given the important role he plays for shareholders and customers," said Mr Russ Shaw, founder of Tech London Advocates, an industry body.

"Cyber security is becoming the number one operational priority in the public and private sectors, and I hope that this incident serves as a warning for senior figures who still are not fully cyber-literate."