Corporate IT security? Start with the CEO and email invoice fraud
Consultant Ibukun Adebayo suggests CEO email fraud and spear-phishing are the biggest security threats organisations face
Ibukun Adebayo, ex-IT director at social care charity Turning Point and now an independent consultant, has warned that CEO email fraud and spear phishing are among the biggest IT security threats facing organisations.
Speaking at a panel session at Computing's recent Security & Risk Management Summit, Adebayo warned that fraudsters were increasingly targeting high-value individuals in organisations in spear-phishing operations.
"In companies in the UK at the moment, I believe that the most important threat is CEO email fraud. We have got to address that," said Adebayo.
Furthermore, with corporate IT security typically starting at the top, Adebayo suggested that CEO email fraud was a good place to start.
"You can't have an organisation where the CEO and senior executives are succumbing to fraud and yet expect the rank-and-file employees not to succumb to the same threats," said Adebayo.
She continued: "We have a key role to play as security professionals in terms of converting our security policies into awareness programmes that encompass executives within organisations. This is to make sure that they are aware of the threats, and are open to mitigating the threats by their own actions before they can take the lead in reducing the threats to their own organisations."
Adebayo cited the case of Walter Stephan, the CEO at Austrian aerospace parts manufacturer FACC, who succumbed to an email fraud that lost the company €42m. He was fired in May as a result, following a 14-hour board meeting.
The hoax email asked an employee to transfer money to an account for a fake acquisition project - a kind of scam known as a "fake president incident". Stephan believed that the email had come from a trusted employee.
"The supervisory board came to the conclusion that Mr. Walter Stephan has severely violated his duties, in particular in relation to the 'fake president incident'," FACC claimed in a statement.
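As an added illustration (not part of the article or of the summit talk), this is the kind of inbound-mail screen a finance mailbox could apply against a "fake president" request: it flags an executive's name appearing on an external address, a Reply-To that redirects answers to another domain, and payment or secrecy wording. The corporate domain, executive directory and sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed defender-side data (assumptions, not taken from the article).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane chief": "jane.chief@example.com"}  # display name -> real mailbox
PAYMENT_TERMS = ("wire", "transfer", "acquisition", "urgent", "confidential")


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def screen_message(raw: str) -> list[str]:
    """Return the reasons an inbound message resembles a fake-president attempt."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    display, sender = parseaddr(str(msg.get("From", "")))
    executive = EXECUTIVES.get(display.strip().lower())
    # 1. An executive's name in the display name, but not sent from their mailbox.
    if executive and sender.lower() != executive:
        flags.append("display-name impersonation")
    # 2. Replies silently redirected to a domain other than the visible sender's.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != _domain(sender):
        flags.append("reply-to mismatch")
    # 3. Payment and secrecy language typical of CEO fraud requests.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [term for term in PAYMENT_TERMS if term in text]
    if len(hits) >= 2:
        flags.append("payment request language: " + ", ".join(hits))
    return flags


# Constructed sample messages: one impersonation attempt, one genuine internal mail.
SPOOFED = """\
From: "Jane Chief" <jane.chief@example-mail.net>
Reply-To: jchief@reply-example.net
To: finance@example.com
Subject: Urgent and confidential

Please arrange a wire transfer today for the acquisition project.
"""

GENUINE = """\
From: "Jane Chief" <jane.chief@example.com>
To: finance@example.com
Subject: Board pack

Please send me the slides for Thursday's meeting.
"""
```

A screen like this only raises a case for human review; the control that actually stops the loss is an out-of-band confirmation step for any payment request, however senior the apparent sender.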
Corporate boards need to be told bluntly that they need the training, added Adebayo.
"It's a case of preparing a paper for the board and requesting a meeting with the board... you may not be at a senior management-team level, but if you have been hired to mitigate the risks to your organisation then you have to do exactly that.
"You have to tell them: we are at risk; you are a known vulnerability to the organisation," said Adebayo.