David Pollock, Executive Chairman at CyberLab, on the cyber threat every business leader needs to take personally.

Most UK business leaders are not technologists. They are decision makers. With more than 30 years of experience leading technology businesses, David knows this better than most. And his view is clear: because cyber security can feel like a technical specialism, it drifts to the IT team’s desk rather than staying firmly on the board agenda. That has to change.

Recently, David sat down with CyberLab’s Sales Director Adam Myers to share what 30 years of building, buying, and leading businesses has taught him about cyber risk. His view is direct: cyber security is the single biggest threat.


Cyber Security is Your Number One Risk

The average data breach now costs a UK business £3.29 million, according to IBM’s 2025 Cost of a Data Breach Report. David does not treat that as a vendor statistic. It sits at number one on his personal risk register. He said:

“If you’re a chief exec running any company and cyber security is not number one on your risk list, you’re in danger of losing your job and, more importantly, losing the jobs of all your people.”

The DSIT Cyber Security Breaches Survey shows that 43% of UK businesses experienced a cyber security breach or attack in the last 12 months, yet many boards still treat it as an IT matter rather than a leadership priority.

As NCSC Chief Executive Richard Horne has stated: “Board members have a critical role in ensuring their organisations are able to exploit the opportunities that technology brings in such a way that they build a resilient and secure business.”

Cyber security belongs on the board agenda every single month. If it is not there, the organisation is carrying a risk that could end it.

Speak with Our Consultancy Team

Why Executives Are the Highest-value Target in Your Organisation

Senior leaders are not incidentally exposed to cyber risk. They are deliberately sought out.

Board members, NEDs and executives carry access to sensitive commercial plans, M&A data, strategic decisions, and wire transfer authority. NEDs operating across multiple companies expand that exposure still further. Criminals understand this and use publicly available information to build detailed profiles before making first contact.

The attack surface for a typical senior leader spans three dimensions:

  • Professional: LinkedIn profiles, Companies House records, board bios, event appearances, conference talks, and media interviews. Every public appearance reveals seniority, relationships, and business context. It also provides voice and facial data that AI tools can use to create convincing impersonations.
  • Personal: Family members as pivot points – children visible on Instagram, a spouse’s public profile. Information that builds a fuller picture and creates leverage.
  • Physical: Home address exposure through property records, electoral roll entries, and domain registration data.

Before you can manage your executive risk exposure, it helps to know what is already out there. HackRisk is CyberLab’s external attack surface monitoring platform. It scans your public-facing assets, monitors the dark web for exposed business credentials, and identifies vulnerabilities across your digital estate – delivered as a board-ready report with a risk score and remediation advice.

Get Free HackRisk Report

When the Chairman Got Caught: What a Phishing Simulation Revealed

David Pollock knows executive vulnerability first-hand. His security team ran a phishing simulation within his own business, sending an email designed to look like a post-Christmas party message from his colleagues. David clicked it.

“I was on the phone immediately going, ‘they’ve got me’,” and they went, ‘don’t worry, we’ve got three layers of security, we can protect you’.”

Two things stand out in that story. First: if the Chairman of a cyber security company can be caught in a controlled simulation, any executive can be caught in a real attack. Second: what made the difference was not just the layered technical defences. It was the culture of transparency. David reported it immediately, and the right systems were in place to contain the damage.

This is precisely why regular phishing simulations matter. They are not designed to embarrass people. They build the muscle memory of recognising and reporting suspicious communications before a real attacker uses the same technique.

“It is the first line of defence in protecting your organisation, teaching your people not to get caught. We all get caught. But the more you are trained, the better your defences become.”

Get Security Awareness Training For Your Team

How AI Has Changed Executive Impersonation

Phishing emails are only part of the picture. AI has made the threat to senior leaders significantly more dangerous by enabling attacks that were not possible even two years ago.

Voice cloning now requires as little as three seconds of audio – the kind that is readily available from a conference talk, a podcast appearance, or a LinkedIn video. Voice cloning fraud increased by 700% between 2024 and 2025 (Source: CallerCheck). The average loss per victim is £11,000. In one documented UK energy sector case, a company lost £200,000 to a deepfake audio attack.

The landmark case is Arup (2024). A finance employee received an email from someone purporting to be the UK-based CFO, requesting a series of confidential transactions. Initially suspicious, the employee felt reassured after joining a video call where the CFO and several colleagues appeared on screen. They then made 15 transactions totalling $25 million. Every other person on that call was an AI deepfake. (Source: World Economic Forum).

This type of attack falls under the broader category of Business Email Compromise (BEC) and CEO fraud. According to the FBI’s Internet Crime Complaint Centre, BEC fraud has caused more than $50 billion in global losses. Closer to home, the M&S breach of 2025 was confirmed by its CEO as “a consequence of human error” carried out through “social engineering tactics via a third-party supplier” rather than a failure of technical systems.

Most attacks exploit trust, not code. The attack vectors are email, phone or SMS, and social media. AI has made all three harder to detect and easier to execute at scale.

Run a Tabletop Exercise with Your Leadership Team

How to Spot CEO Fraud Before It Lands

Knowing the warning signs is the first layer of defence. When a request arrives by email, WhatsApp, Teams, or phone that combines several of the following, stop and verify before acting:

  • A senior leader contacts you via an unusual number or method.
  • The request is urgent, with a tight deadline.
  • The situation is sensitive or confidential: a merger, a tax issue, a late payment, an accounting error.
  • A third party is involved.
  • You are asked to make an immediate payment or transfer outside normal processes.
  • On a video call: limited facial movement, or audio with an unusual tone or rhythm.

The pattern to recognise is: urgency, plus authority, plus an unusual request. That combination should always prompt a call back on a known, separate number before any action is taken.


Practical Steps to Protect Yourself and Your Organisation

The following controls come from CyberLab’s executive security workshops and Sophos threat intelligence guidance. Many are low-cost. All are high-impact.

Personal actions:

  • Use a password manager. Password length matters more than complexity – three random words you can remember is an effective approach.
  • Enable Multi-Factor Authentication (MFA) on all accounts. Never approve an MFA prompt you did not initiate.
  • Use a VPN on personal devices, particularly when travelling or working in public spaces.
  • Keep all software updated across personal and work devices.
  • Tighten privacy settings on personal social media to reduce your publicly visible attack surface.

Business controls:

  • Implement verbal confirmation codes for any wire transfer or unusual payment instruction.
  • Require dual authorisation for all financial transactions above a defined threshold.
  • Establish a clear protocol: always call back on a known direct number before approving anything out of the ordinary.
  • Never bypass financial controls on the basis of urgency, regardless of who appears to be requesting it.
  • Train staff on voice cloning and deepfake fraud, not just traditional phishing.
  • Run regular phishing simulations so your team develops recognition through practice, not theory.
Assess Your Microsoft 365 Security Posture

Find Out What Data is Already Exposed About You

Most executives assume their business’s external exposure is something IT keeps on top of. In most cases, no one is actively checking. Before making contact, criminal groups map your public-facing assets, search for misconfigured systems, and check the dark web for credentials exposed in past breaches – all before a single message is sent.

HackRisk is CyberLab’s external attack surface monitoring platform. It scans your public-facing assets, monitors the dark web for exposed credentials, and identifies vulnerabilities across your digital estate. You receive a board-ready risk report within 24 hours, with a risk score and prioritised remediation advice – so you can see exactly where you are exposed before an attacker does.

Get Your Free HackRisk Report

How CyberLab Supports Business Leaders on Cyber Security

  • We support 1,200+ UK organisations with their cyber security strategy, from foundational controls through to advanced threat detection.
  • Our social engineering and phishing simulation programmes are built to change behaviour, not satisfy compliance checklists.
  • Our tabletop exercises prepare leadership teams for real scenarios, including deepfake and impersonation attacks on executives.
  • Our M365 Security Assessment identifies which controls are active, which are not, and where to focus first across the Microsoft stack.
  • Our consultancy team works directly with leadership and board teams to frame cyber risk in business language.
  • We are CREST-, CHECK- and NCSC-accredited, with 30+ years of combined expertise and over 1,500 Cyber Essentials and Cyber Essentials Plus certificates issued.

Start the Conversation

Cyber security does not require a technical background. It requires leadership. If you want a clearer picture of your organisation’s risk exposure – or your own personal exposure as a senior leader – CyberLab’s team can help, in plain language and without the jargon.

CyberLab is a CREST-, CHECK- and NCSC-accredited cyber security partner trusted by 1,200+ UK organisations.

Get in Touch