The CEO Phishing Scam – It’s All About People, Policy and Procedure

Posted on : 30-03-2016 | By : kerry.housley | In : Cyber Security, Data, Uncategorized



The CEO phishing scam, where fraudsters impersonate the email accounts of chief executives, has grabbed the headlines increasingly over the last few months and is proving to be a huge potential threat to any company, large or small.

The FBI Internet Crime Centre IC3 has been tracking Business Email Compromise (BEC) scams and found that over $2BN has been lost globally over the past two years. There is no doubt that the real figure is considerably higher as companies hide the loss from their shareholders and the media.

So why is this very low-tech scam so effective in an ever more technical age? Companies are very aware of cyber attackers trying to penetrate their networks and implement sophisticated preventative measures to stop them. Unfortunately, it is difficult to block human nature, which is the key element of a successful phishing operation.

Most of the scams follow a similar pattern; the average loss is $120,000, rising in some cases to tens of millions. So how do the fraudsters strike it lucky?

When the corporate controller of a US grain trading company was sent an email from his CEO asking him to transfer $17.2M to a Chinese bank account, he didn’t think twice about doing so. The controller was told in the email that the company had been in confidential negotiations to purchase a Chinese company and that the purchase was almost complete. In order to finalise the deal, he was to liaise with a lawyer at the consultants KPMG, who would then send him the payment details. Over three separate transactions the financial controller wired a total of $17.2M to a Shanghai bank. It was that easy – The Sting Had Stung!

How do the fraudsters convince intelligent, professional individuals to send across such large sums of money with very few questions, if any, asked? Settling invoices and making purchases are an integral part of the day-to-day running of any business, and the scammers use this to their advantage. They work hard to set the scene, follow the tone of existing email conversations and tag on to existing scenarios. In the case of the grain company outlined above, there had been talk of acquiring a Chinese company, so the request was not totally out of the blue. The fraudsters had used the name of a real person at KPMG, setting up fake email accounts and phone numbers for this person.

Social media sites make it easy to build a picture of the hierarchy of the company and to see when key individuals might be out of the office, making it easier to pull off the heist. A common way in is to use a traditional phishing email to gain access to the company’s email network. This enables the fraudsters to track conversations and adopt the tone and language needed to convincingly script their fake emails.

What can companies do to protect themselves against this growing phenomenon? In most of the cases, if the person responsible for making the money transfer had actually picked up the phone, the scammers would have been found out! The following steps could help your company beat the fraudsters:

  • Review your accounts policy and ensure that all payments require the approval of two people. Create internal checks that verify the request and deliberately slow down the process.
  • Increase awareness and train all staff in the ways in which they might be targeted.
  • Encourage staff to be more guarded on social media sites, particularly high-profile board members.
  • Maintain system security; for example, scan the validity of email addresses entering your network.
  • Buy all domain names that sound similar to your company’s to prevent copycat domains being set up.
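The last two points above, checking inbound sender addresses and watching for copycat domains, can be turned into a simple automated check on the mail gateway or in a SIEM rule. The script below is an added example and is not code from the original post: it classifies the sender domain of each From: header as internal, a lookalike of the company domain, or unrelated external, using a small homoglyph table, edit distance and a containment check. The company domain `example-grain.com` and the sample headers are constructed for the example.

```python
"""Flag inbound sender domains that look like, but are not, the company's own domain.

Constructed example: 'example-grain.com' stands in for the company domain and the
From: headers below are made up. No real mail data is used.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example-grain.com"  # assumed company domain (constructed)

# Character sequences that fraudsters commonly swap for visually similar ones.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d",
}


def normalise(label: str) -> str:
    """Collapse common homoglyph substitutions so 'exarnple' and 'example' compare equal."""
    label = label.lower()
    # multi-character substitutions first, then single characters
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typos such as dropped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (name, tld) for a dotted domain, e.g. ('example-grain', 'com')."""
    parts = domain.lower().rsplit(".", 1)
    return (parts[0], parts[1]) if len(parts) == 2 else (parts[0], "")


def classify_sender(address: str, company_domain: str = COMPANY_DOMAIN) -> str:
    """Return 'internal', 'lookalike', 'external' or 'invalid' for an email address."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return "invalid"
    domain = addr.rsplit("@", 1)[1].lower()
    company_domain = company_domain.lower()
    # Exact company domain or one of its subdomains is internal mail.
    if domain == company_domain or domain.endswith("." + company_domain):
        return "internal"
    name, tld = split_domain(domain)
    cname, ctld = split_domain(company_domain)
    # 1. same name, different TLD (example-grain.co instead of .com)
    if name == cname and tld != ctld:
        return "lookalike"
    # 2. homoglyph substitution (exarnple-grain.com, examp1e-grain.com)
    if normalise(name) == normalise(cname):
        return "lookalike"
    # 3. small edit distance (exampl-grain.com, example-grains.com)
    if levenshtein(name, cname) <= 2:
        return "lookalike"
    # 4. company name embedded in a longer registered domain (example-grain-payments.com)
    if cname in name:
        return "lookalike"
    return "external"


def triage_headers(from_headers):
    """Classify each From: header; returns a list of (header, verdict) pairs."""
    return [(h, classify_sender(h)) for h in from_headers]


# Constructed sample headers: one genuine internal address, three copycats, one unrelated.
SAMPLE_FROM_HEADERS = [
    "CEO <ceo@example-grain.com>",
    "CEO <ceo@exarnple-grain.com>",
    "CEO <ceo@example-grain.co>",
    "Finance <finance@example-grain-payments.com>",
    "Advisor <advisor@consultancy-partner.test>",
]

if __name__ == "__main__":
    for header, verdict in triage_headers(SAMPLE_FROM_HEADERS):
        print(f"{verdict:10} {header}")
```

A "lookalike" verdict is a signal for a second check (a phone call to the apparent sender, or a hold on the payment request), not proof of fraud; the edit-distance threshold of 2 and the homoglyph table are assumptions to tune against your own domain, and very short company names will need a tighter threshold to avoid false positives.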

The CEO phishing scam is not a security scenario easily fixed by a shiny new piece of technology. It is essentially a conversation, a story between individuals, so the key to combating it has to be people, policy and procedure.

Get that right and the scammers are less likely to sting!

The upwardly mobile CIO

Posted on : 27-02-2014 | By : richard.gale | In : Innovation



Back in 2011 we discussed the challenges to progression of CIOs and the changes they could make to move up to CEO level. After reading a great article in Information Age magazine on Richard Lloyd-Williams (CTO at Net-A-Porter) we thought it would be a good time to revisit the subject.

The essence of the article is that the successful implementation of the right technology is integral to Net-A-Porter’s success “if the website is down we have no money” says Lloyd-Williams. The CIO and IT push innovation, keep the engine running and the transactions flowing. Richard’s predecessor went on to become CEO of so we can watch and see how they progress.

Net-A-Porter is a classic internet company – a great idea (selling high end fashion clothing) utilising slick branding and innovative technology. So can the same approach be used by other ‘non tech’ organisations? We think the answer is a yes but it requires certain changes in behaviour and outlook by the CIO and IT teams generally.

Business Orientated viewpoint

This is obvious and most CIOs have a deep understanding of the business they work within. The additional piece that needs to be added is getting into the mindset of the CEO or Sales Director to understand and fully comprehend their viewpoint and drivers. This is a difficult challenge, to move away from the value add, cost focused, efficiency mode to true strategic thinking about the direction of the company and the path to achieve that success. A way to do this is for the CIO to be included and an active part of strategic planning and ALSO the execution of this which will involve extensive time alongside the CEO and senior team. A seat on the board of the organisation is a good starting point for this to begin.

Integration of IT into the business

Again we have seen this add so much value to a firm. It may not be the most obviously cost effective mechanism as local, expensive, business savvy people generally command a premium but the speed and quality of the solutions can easily outweigh the obvious costs. There has been a trend to move IT and specifically development away from the business to lower cost ‘factories’ of production. This may achieve headline cost savings but we question the overall benefit to the business. What needs to be catered for is ensuring a degree of standardisation (in architecture, documentation and supportability amongst other things) in the solutions delivered to avoid overlap, gaps and ‘instant legacy’ systems that cannot be sustained long term. Net-A-Porter manages this by having a common service orientated architecture that the business units plug in to.

Small, nimble teams

This is really part of integrating IT into the business: small teams that can work with the business, get a deep understanding of what the business wants and deliver on that vision quickly and completely. This agile approach really does work, and it should also be flexible enough to cope with the inevitable changes of direction as the business and market change. Fewer than ten people is a good size for a team that can work closely together and communicate well, whilst still having the breadth of expertise in the areas required to deliver successfully.

Empowerment & devolved responsibility

Providing support and direction to your teams whilst giving them enough scope to make decisions and backing them up where needed is a difficult but necessary attribute. As most CIOs have come from an IT background there is a certain level of ‘baggage’. This is usually a very positive aspect as it is required to help make intelligent, experienced based decisions but can be something of a double edged sword as diving into the detail of an issue can be too easy. Trusting, supporting and letting the team make their own decisions empowers and motivates your resources as they feel accountable for the successful outcome.

Continuous, iterative delivery

Large projects with big steps of delivery are sometimes necessary. Most of the time, though, a big project can be broken down into smaller parts with discernible business benefits, which drives momentum and keeps the team – both business and IT – motivated. The ‘every journey of a thousand miles starts with a single step’ statement rings as true in IT as it does in life.


I started this blog with the aim of showing how successful CIOs can step up to the next level with the right skills and mindset. This has morphed into our thinking in regard to a good model to deliver IT projects. The points above are truisms, but ones that we’ve seen make teams and individuals successful time and time again.

Business & Digital alignment – how close is your firm?

Posted on : 28-06-2013 | By : john.vincent | In : General News



Over recent years we have seen the rise in prominence and status of technology within organisations. If we take the Gartner Hype Curve analogy, we spent much of the mid 1990s through to the mid 2000s in “The Plateau of Productivity”, with technology being an integral underpinning necessity or enabler, but less frequently an innovator or driver of competitive advantage outside of stability and speed of execution (although some business leaders might point to a “Trough of Disillusionment”).

Today’s world and, in particular, the relationship between business and technology is much changed, with organisations introducing new governance structures and roles to take closer advantage of digital innovation and its ability to disrupt business models. Indeed, we have seen the introduction of the Chief Innovation Officer and Chief Digital Officer with elevated positions in the corporate structure.

That said, from a company board’s perspective, how can they ensure that the business direction and technology are aligned effectively to capitalise on digital innovation? Below are some themes/questions which are useful as a test of capability:

How is our industry changing as a result of technology innovation?

It is important to understand how new innovations are breaking down the boundaries of business models and reducing the barriers to entry. This is not simply keeping abreast of the latest trends in mobile, cloud, data analytics etc., but understanding how new technologies are being exploited by competitors and new entrants in ways that could potentially erode business revenues. This is difficult, as often it is not obvious where the challenges will come from. Some can be predicted, such as trading engines and decision support built from social media sentiment analysis, or the myriad of mobile payment solutions. Others are more difficult to predict, such as the introduction of gamification techniques across industry or the use of big data analytics for operational efficiency/intelligence with applications like Splunk.


What is our structure and process for nurturing developing digital technologies?

A recent survey by McKinsey showed that organisations are still coming to terms with how to develop, nurture and commercialise ideas within the organisation. From 2240 respondents, 50% stated “We have pockets of successful innovation but it is rarely scaled” and only 36% thought “We have the right balance between good ideas and effective commercialisation”.

So, does your organisation have someone responsible for driving forward digital advancement (such as a Chief Innovation Officer)? Or is there a way to garner ideas from the grass roots and ensure that they are given enough runway to develop, through incubation mechanisms?


Have we the correct governance structure and a defined technology roadmap?

Business and IT alignment is often talked about but not really executed upon. Having the CIO/CTO or IT Director in operational or strategy governance meetings does not provide an optimised solution, as often the focus is on efficiency, budgets, risk etc. and very rarely on a close (bi-directional) coupling between business priorities and “technology possibility”.

We see new models emerging where business and technology are brought together under specific “Digital Units” on an equal footing, where the goal is to build a technology roadmap which is not only completely aligned with the business but, in many cases, actually informs and drives the business into new customer markets and revenue opportunities.


Have we aligned our business operating model and portfolio of change effectively to the underpinning technology investments?

A natural lead-in from the previous question. By putting the correct governance in place and removing internal barriers, it is much easier to ensure that the business operating model is driving technology investment and vice versa. Too often, organisations still operate a model in which the business change portfolio is defined and then “handed” to the technology leadership to deliver. And when we talk about large/global IT programmes, how many of these turn into “Black Swans”?

CEOs need to look at, and question, the cross-functional aspects of their business and technology organisations. We often see technology departments “aligned” to business units, but how often are more permanent/product-related horizontal structures created? And do individuals move in both directions through their careers to strengthen and embed competitive business knowledge and drive innovation?


What are we doing to increase the commoditisation and agility of technology resources?

The agility objective has been largely “etched into” PowerPoint presentations for many years as they’ve made their way into the board room. “We’ve outsourced and increased agility…”, “Our ratio of perm to contract resource has increased from X to Y allowing us to be more agile.” (tick in the box, then).

What CEOs need to gauge is truly how fast their internal technology organisation can respond to changes in business services in all aspects, be that functionality, new products or volumes (and the important part of this is whether they can be scaled down or switched off).

Whilst the move to a more commoditised service model needs to be evolutionary, particularly in terms of risk and compliance, what CEOs should look for from their technology leadership is a committed multi-year roadmap which lays out the resource model for infrastructure, applications and people, with associated metrics/budget. Without this, and with the pressure of day-to-day efficiency challenges, CIOs cannot be blamed for maintaining previous models.


“C-Level” job titles – too many chiefs?

Posted on : 30-04-2012 | By : john.vincent | In : General News



I recently saw a press release about a new Chief Operating Officer hire at a top tier bank within their retail banking unit. Amongst what I assume are the traditional COO responsibilities, part of this person’s remit was to drive “customer service, innovation and technology”.

Knowing a number of people in similar roles at this company, I pinged an email over to a friend asking how many COOs the company requires, to which the response was “one for each business and no need for CIOs anymore”.

That got me thinking on a number of fronts.

Firstly, I’m of an age when C-Level was an executive at the head of an organisation or business unit, normally either resident on and/or responsible to the board of the company. These are very important roles providing ownership, accountability and leadership at both a strategic and tactical level.

“Chief: One who is highest in rank or authority or office; a leader… Most important or influential.”

However, over recent years it seems that certain C-Level roles have been duplicated and positioned throughout organisational functions, often being further removed from the original hierarchy (particularly with respect to CIO’s and COO’s).

Whilst I understand the rationale for some level of realignment as a business evolves, both from a scope and scale perspective, it does seem that we’ve gone a bit too far. One organisation we know effectively has 3 tiers of COO within the IT department alone… seriously? Does this devalue the importance of the role?

The second point is about the plethora of C-Level titles themselves, which are exploding at a rate which may require its own standards organisation to manage it. Here are a few which you can tick off (there’s a prize for anyone with a full house…).

Of course, there are many more (take a look at Wikipedia for an exhaustive list) than included above. The good thing is that some, such as the titles of Chief Procurement Officer and Chief Risk Officer, do still seem to be bestowed on a single individual.

Recently there has been an increase in a new role, the Chief Digital Officer (not to be confused with the Chief Data Officer, which also exists in many organisations). This is a high-level executive reporting directly to the CEO and someone who is seen as “instrumental” to the future of a company, according to a report published by executive search firm Russell Reynolds Associates. Search requests for this new role are up, with organisations such as GlaxoSmithKline and Starbucks appointing CDOs.

Maybe this marks the start of a new, more significant emphasis on the importance of technology innovation as an enabler for the traditional C-Level leaders to gain a place at the top table (see “From CIO to CEO – Can clouds break glass ceilings?”).

We also believe that we are at a tipping point now with respect to the operating model for support functions such as technology, operations, finance, HR, etc. (see our article last month asking how much we need to Run the Bank).

As part of this evolution it is important that proper consideration is given to job titles and role descriptions… and maybe, just a few less chiefs.

From CIO to CEO – Can clouds break glass ceilings?

Posted on : 24-11-2011 | By : richard.gale | In : Cloud



As technology becomes even more entwined in the fabric of organisations, the opportunities for technology executives will increase. Will a CIO’s potential promotion to CEO be as commonplace as the CFO or COO in the next few years? Historically, with a few technology industry exceptions, it is rare for CIOs of organisations to become CEOs. CEOs either come from the profit-making, client side of the business or the financial area. CIOs are generally seen as managing a silo and being a cost centre rather than being a part of business growth.

How can cloud computing change this? Cloud infrastructure has been hyped to be the answer to almost every technology issue and we think it does have great potential. However, will it change the make-up of a CIO and go as far as to alter the way businesses view them enough to take the chair at the top table?

Well, we think that the IT department in a significant number of organisations will transform radically over the next few years. Let’s take universal banks as an example. Why would a global bank build and operate £200m datacentres? It is nothing to do with their core business and has significant financial, personnel and regulatory complexities. They only do it because they have to. They have vast processing requirements and need to support a huge level of increasing demand. Furthermore, new technologies are always breaking through so the equipment, skills and services constantly have to be upgraded and renewed.

Cloud or Utility computing fundamentally changes this model. If computing is seen as another resource to be switched on and off as required (with an associated usage-based charging model) then the basic questions to be answered are:

– What is the cost of supply compared with others?

– How reliable, safe and secure is the supply?

– How flexible and appropriate are the providers?

Obviously it is unlikely that all of the major banks’ IT operations would be placed in the cloud, but the exceptions will become those that are not in the cloud, rather than that being the default.

The traditional IT department would then shrink down to very specific IT functions that were not suited to be run elsewhere. Obviously business-focused change and delivery teams will be the core functions and will keep on growing. Another focus of the ‘IT Department 2016’ will be on management of the demand and supply of technology with vendors. Infrastructure IT will become a relationship management and negotiation function requiring people to change their skillset radically or a different set of resources altogether. The emphasis will be on finding the most appropriate execution venue with external suppliers for an application rather than building the disk or server farm to house it.

So how will this impact the CIO and their future career direction?

– The move to utility computing will enable CIOs to focus more on real business value and change.

– CIOs will have to be even more business-orientated, managing external suppliers and their internal customers.

– CIOs are less likely to be dismissed as ‘techies’ as they will no longer manage large technology-led departments & datacentres.

– They will be more involved in the strategic future of organisations as the commodity aspects fall away.

The modern CIO is already on this road and the future will further embed IT into the backbone of firms.

However, being an essential part of the fabric of an organisation is not enough in itself to get the leading role. Other aspects which are common to CEOs are needed such as the ability to have an external focus, international or overseas experience and proven business experience and qualifications. The business sector also matters – technology & manufacturing organisations currently have many more CIO to CEO promotions than financial services, for instance. But there can be little doubt that the impact of cloud could play a small but important part in ensuring that more CIOs become CEOs in the future.