
You are on day eight of a family holiday in Florida. The sun is out, the kids are in the pool, your phone is on low volume. Then your accountant calls. A six-figure sum has just left your account. You did not approve it. You were not even in the country.
That is exactly what happened to Ken Ross OBE DL, who opened the Highlands and Moray Chambers Cyber Resilience event in Aviemore this February. Ken runs a seven-person company in the built environment sector. Not a stereotypical high-tech target, not a careless leader. He had insurance. He had procedures. He was an experienced business owner. And it still happened.
WHAT YOU SEE AS A BUSINESS OWNER
You are deep in a major corporate acquisition with lots of one-off invoices and unusual payments flying around. You shifted to hybrid working after COVID and kept the same email habits going. You trust your finance team. You trust the email trail.
WHAT IS REALLY HAPPENING IN THE BACKGROUND
Criminals quietly gained access to Ken’s email system months before anything was noticed. They inserted hidden email rules to intercept and copy financial correspondence. They studied his writing style, his tone, his timing, who he copied in, how he signed off, when he travelled. They waited until he was abroad and distracted. Then they sent emails that appeared to come from him, approving payments. Funds moved through multiple accounts within hours. By the time anyone questioned it, the money was almost impossible to recover.
As Ken put it in Aviemore: these guys are amoral. They do not care. They will take money out of a charity box. You are not too small and you are not too big.
This is not random opportunism. It is patient, targeted and organised.
THE REAL IMPACT ON A LEADER
Ken went from holiday mode to crisis mode in minutes. The immediate feeling was shock and disbelief, followed by physical symptoms: stress, sleeplessness, feeling physically sick. On top of the financial loss, there was the weight of responsibility for his staff, his partners, his reputation.
Cybercrime is not victimless. The emotional and operational cost is real, and it lands squarely on the person at the top.
WHAT CHANGED
With painful hindsight, Ken and his team recognised that their cyber practices had not kept pace with hybrid working. Cyber risk was not on the risk register. Payment approvals had not been redesigned for a remote world. Leadership had not fully owned it as a governance issue rather than just an IT one.
After the incident, that changed. Significant payments now require multiple channels of confirmation. Cyber resilience is written into leadership responsibilities. Culture shifted towards openness and learning rather than blame. And after improving their controls, their insurance premiums actually went down.
Ken’s message in Aviemore was simple: if it can happen to him, it can happen to you. And leadership has to own the response.
ACTION THIS DAY: 30-MINUTE PAYMENT SAFETY CHECK
Before you finish work today, block 30 minutes with your FD or finance lead and do three things.
1. Map who can currently move money. List every person who can authorise or action payments. Note which of them can approve by email alone. That is your vulnerability.
2. Agree a 3-of-4 rule for any payment over a threshold you set. Before money moves, you need at least three of these four: an email from an authorised person; a phone call to a known number (not one taken from a fresh email); a text or messaging confirmation; a signed document or approval in a secure system. Write that rule down and share it with everyone who processes payments.
3. Add business email compromise and payment fraud to your risk register. Give it a named owner at leadership level, not IT. Set a review date within three months.
CONVERSATION TO HAVE WITH YOUR TEAM
At your next leadership or finance meeting, open with this question: if someone got into our email tomorrow and started approving payments in my name, how quickly would we notice and what would we do in the first 60 minutes? Listen to the answers without interrupting. Agree one concrete change, and write down who is making it happen.
This is Article 1 of the Cyber Resilience for Business Owners series, based on the Highlands and Moray Chambers Joint Cyber Resilience Event, Aviemore, February 2026. Speakers: Ken Ross OBE DL, Mark Gallagher (Police Scotland), Gordy McDonald (Police Scotland), Heather Lowry (Scottish Government), Drew Hendry (teclan Ltd).
