It Can Happen to You: Ken Ross’s Story

Ken Ross does not have to be here.

He is a well-respected business leader in the built environment sector, holds an OBE and a Deputy Lieutenancy, and runs a company with 30 years of client relationships. He could have stayed quiet about what happened in 2022. Most people in his position do. As he said in Aviemore, a senior director of a major funding organisation admitted to him privately that a cyber attack had hit them, then added: but we don’t talk about it. We’re worried people will question our credibility.

Ken chose to talk about it. This is his story.

THE SETUP

In 2022, Ken’s company was completing a major corporate acquisition. Nine months of work. Non-standard one-off payments throughout. A lot of moving parts and a lot of legitimate financial activity happening at once. The acquisition was completed in November. Things were going well. Ken took his wife, two of his grandchildren and their parents to Disney World in Florida. A week in the resort, a week in a villa nearby.

On the afternoon of day eight, in the villa, with the boys in the pool and the sun shining, Ken’s phone rang.

It was Elaine, his accountant. She was calling about invoices she had been sending him for approval. The ones he had responded to, authorising payment. What invoices, he asked. He hadn’t received any. By the time he had spoken to his FD, Keith, the picture was clear. Someone had been responding to financial correspondence in Ken’s name. Authorising payments. Using his language, his style, his sign-off. A substantial six-figure sum had already been withdrawn from the accounts. Another invoice was waiting.

THE REALITY OF WHAT HAPPENED

With the help of Police Scotland and HSBC’s cyber fraud department, Ken was eventually able to piece together what had occurred. The criminals had accessed his company’s email system months before the attack. They had inserted hidden rules that intercepted financial correspondence and redirected it to themselves. They watched. They learned how Ken communicated. They waited for him to leave the country.

Then they acted.

Every response the criminals sent was in Ken’s voice. His tone, his phrasing, even the new email footer he had added the afternoon he left the office. By the time anyone noticed, the money had moved through three separate accounts.
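The hidden mail rules described above can be looked for before a payment ever goes wrong. The following is an added example, not part of Ken's account or of any mail platform's own tooling: it audits a list of mailbox rules for ones that send financial correspondence outside the organisation or quietly remove it from the inbox. The rule record layout, the keyword and folder lists, and every sample value are assumptions made for illustration.

```python
# Added example: the rule record layout and every sample value are constructed.
FINANCE_TERMS = ("invoice", "payment", "remittance", "bank details", "transfer")
QUIET_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}


def _domain(address):
    return address.rsplit("@", 1)[-1].strip().lower()


def audit_rule(rule, internal_domains):
    """Return (severity, reasons) for one mailbox rule record."""
    reasons = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = sorted(a for a in targets if _domain(a) not in internal_domains)
    if external:
        reasons.append("sends mail outside the organisation: " + ", ".join(external))
    folder = (rule.get("move_to_folder") or "").lower()
    hides = bool(rule.get("delete")) or folder in QUIET_FOLDERS
    if hides:
        reasons.append("takes matching mail out of the inbox")
    words = " ".join(rule.get("match_words", [])).lower()
    finance = any(term in words for term in FINANCE_TERMS)
    if finance:
        reasons.append("matches financial correspondence")
    # Finance mail that is sent away or hidden is the pattern from Ken's story.
    if finance and (external or hides):
        return "high", reasons
    if external or hides:
        return "review", reasons
    return "ok", reasons


def audit_mailbox(rules, internal_domains):
    """Return (severity, rule name, reasons) for rules needing attention, worst first."""
    findings = []
    for rule in rules:
        severity, reasons = audit_rule(rule, internal_domains)
        if severity != "ok":
            findings.append((severity, rule["name"], reasons))
    return sorted(findings, key=lambda f: f[0] != "high")


SAMPLE_RULES = [  # constructed
    {"name": "Newsletters", "match_words": ["newsletter"], "move_to_folder": "Archive"},
    {"name": ".", "match_words": ["invoice", "payment"],
     "redirect_to": ["accounts@example.net"], "delete": True},
    {"name": "PA copy", "match_words": ["diary"], "forward_to": ["pa@example.org"]},
]

if __name__ == "__main__":
    for finding in audit_mailbox(SAMPLE_RULES, {"example.org"}):
        print(finding)
```
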

THE MOMENT IT LANDED

Ken went outside after the phone calls and was physically sick. He had been working at full speed for twelve hours, on a family holiday on the other side of the world, trying to reach HSBC, trying to get hold of funds before they disappeared entirely, trying to manage his team. He felt violated. He felt responsible. He kept thinking: why us?

He also had to consider, however briefly, whether someone inside his own small team had been involved. He dismissed it immediately. He trusted his people completely. But the thought occurred to him, and he wanted to be honest about it in Aviemore, because he knew it would occur to other business owners too. It doesn’t mean the thought is right. It means you are human and you are frightened.

HOW IT ENDED

Because Ken acted fast, because Police Scotland responded quickly, and because HSBC’s fraud team worked through the problem with him, the money was traced. Every penny was recovered. The cyber insurance Ken had taken out — reluctantly, on the advice of his broker, without really believing he would ever need it — covered the loss in full. After the attack, once better controls were in place, his premium went down.

But Ken is clear about what the insurance did not cover. The three days of his grandchildren’s holiday were spent on the phone. The feeling of violation. The physical impact. The months of reinforcing trust with clients and partners. The cost, mentally and physically, he said, I cannot put a price on. I do not want anybody to bear that cost at all.

WHAT HE CHANGED

Ken now requires three out of four channels to authorise any payment: email, phone call, text message and a signed document. Any combination of three. The audit trail must be one that cannot be replicated by someone who has only accessed one channel.

He added cybersecurity to the risk register with a mandatory annual review. He built a culture where his team feel safe reporting anything suspicious immediately, without fear of blame. He got the insurance.

And he came to Aviemore to tell 74 business leaders what had happened, because he believes that organisations that suffer attacks and stay silent make it harder for everyone else to protect themselves.

ACTION THIS DAY

1. Review your payment authorisation process today. If a payment can currently be approved through a single channel – an email, a phone call – that is a gap. Require at least two independent channels for any payment above a threshold you set. For anything significant, require three.

2. Check whether cybersecurity appears on your organisation’s risk register. If it does not, it is not being treated as a business risk. Add it, and put an annual review date next to it.

3. Ask yourself Ken’s question honestly: if we were attacked tomorrow, would my team feel safe telling me immediately? If there is any doubt, that is this week’s action as well.
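Ken's three-of-four rule and the tiered requirement in action 1 can be written down as a check that a finance system or a spreadsheet macro could enforce. This is an added example, not Ken's company's process or code from the event: the threshold amounts, channel identifiers and record layout are constructed. It shows why several approvals arriving by email still count as one channel, which is all the attackers in Ken's case controlled.

```python
from decimal import Decimal

# The four channels Ken named; the identifiers are this example's own.
CHANNELS = {"email", "phone", "text", "signed_document"}

# Constructed thresholds for illustration: set your own.
TWO_CHANNEL_FROM = Decimal("1000")
THREE_CHANNEL_FROM = Decimal("25000")


def required_channels(amount):
    """Number of distinct channels that must confirm a payment of this size."""
    if amount >= THREE_CHANNEL_FROM:
        return 3
    if amount >= TWO_CHANNEL_FROM:
        return 2
    return 1


def authorise(amount, confirmations):
    """Decide whether a payment may be released.

    confirmations is a list of (channel, reference) pairs from the audit
    trail, e.g. ("phone", "call logged 14:02"). Returns (approved, reason).
    """
    unknown = sorted({c for c, _ in confirmations} - CHANNELS)
    if unknown:
        return False, "unrecognised channel(s): " + ", ".join(unknown)
    # Repeated confirmations on one channel count once: someone who has
    # only accessed that channel can produce as many of them as they like.
    seen = {c for c, ref in confirmations if ref}
    need = required_channels(Decimal(amount))
    if len(seen) >= need:
        return True, f"confirmed on {len(seen)} channel(s), {need} required"
    have = ", ".join(sorted(seen)) or "none"
    return False, f"{need - len(seen)} more channel(s) required; have: {have}"


if __name__ == "__main__":
    # Constructed case: three approvals, all by email, for a six-figure sum.
    emails = [("email", "msg 1"), ("email", "msg 2"), ("email", "msg 3")]
    print(authorise("150000", emails))
    print(authorise("150000", emails + [("phone", "call"), ("text", "sms")]))
```
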

CONVERSATION TO HAVE WITH YOUR TEAM

Ken’s summary to the room in Aviemore was simple: you are not too small. These criminals are amoral. They do not care. They go fishing, and if you are one of those they catch, that is it. Tell his story to your team. Not as a scare tactic — as a demonstration that this is survivable, recoverable and preventable, provided you act before it happens rather than after.

This is Article 3 of the Cyber Resilience for Business Owners series, based on the Highlands and Moray Chambers Joint Cyber Resilience Event, Aviemore, February 2026. Speaker: Ken Ross OBE DL.
