CEOs Less Ethical Than in the Past

The job of a chief executive officer at a large publicly held company may seem to be quite comfortable — high pay, excellent benefits, elevated social status, and access to private jets. But the comfortable perch is increasingly becoming a hot seat, especially when CEOs and their employees cross red lines.

As this year’s CEO Success study shows, boards of directors, institutional investors, governments, and the media are holding chief executives to a far higher level of accountability for corporate fraud and ethical lapses than they did in the past. Over the last several years, CEOs have often garnered headlines for all the wrong reasons: for misleading regulators and investors; for cutting corners; and for failing to detect, correct, or prevent unethical or illegal conduct in their organization. Some high-profile cases, involving some of the world’s largest corporations, have featured oil companies bribing government officials and banks defrauding customers.

To be sure, the number of CEOs who are forced from office for ethical lapses remains quite small: There were only 18 such cases at the world’s 2,500 largest public companies in 2016. But firings for ethical lapses have been rising as a percentage of all CEO successions. (We define dismissals for ethical lapses as the removal of the CEO as the result of a scandal or improper conduct by the CEO or other employees; examples include fraud, bribery, insider trading, environmental disasters, inflated resumes, and sexual indiscretions. See “Methodology,” below.) Globally, dismissals for ethical lapses rose from 3.9 percent of all successions in 2007–11 to 5.3 percent in 2012–16, a 36 percent increase. The increase was more dramatic in North America and Western Europe. In our sample of successions at the largest companies there (those in the top quartile by market capitalization globally), dismissals for ethical lapses rose from 4.6 percent of all successions in 2007–11 to 7.8 percent in 2012–16, a 68 percent increase.

Eliminate Your Authenticity Filters

Leading is learning. Not so much learning how to do the things we refer to as “leadership” — giving direction, managing accountabilities, and motivating others — but rather, learning who you are and how to bring the best of yourself to moments of influence with others.

Many of us feel at times as if we are impersonating a leader rather than working out what it means to be ourselves in a position of leadership. Instead of covering up those underdeveloped areas, great leaders learn how to operate as they truly are.

Take now-retired host of The Daily Show Jon Stewart. His story about the early years of his career offers a lighthearted but incisive description of what happens when you take a learner’s mind and experiment with the connection between who you are and what you aspire to do: “Sunday night through Thursday night it was me and drunk Dutch tourists in a basement in the Village…. I went on every night and I learned the difference between impersonating a comedian and being a comedian. And that was my break. [It] was learning how to be authentic. Not to the audience but to myself.”

How to Resist Future Attacks

The ransomware attack known as WannaCry first struck on Friday, May 12, 2017, and by the following Monday, it had reached more than 200,000 computers in 150 countries. Although we still don’t know all the details, it’s clear that some organizations were victimized far more severely than others. The news of this episode reinforces a view that we at PwC have promoted for a long time: Effective protection against cyber-attacks has less to do with any particular technological factor, and everything to do with proactive risk management in general.

Like all ransomware, WannaCry damages companies in two ways. First, it costs the organization to recover the documents that the algorithm has encrypted. Second, even if the ransom payment is small — and there’s no guarantee that future ransomers will limit theirs, as was the case with the WannaCry fee, to US$300 in bitcoin — the costs of coping can be immense. Research conducted by PwC found that most ransomware incidents resulted in hours of downtime or networks taken offline for up to 10 days. Moreover, the attackers still hold any proprietary data they picked up. They can sell it or release it publicly, even after the targeted company has paid a ransom.

We expect there will be more attacks because the techniques and exploits used to distribute WannaCry were only recently leaked to the world in April 2017 (allegedly from the National Security Agency by an anonymous group called Shadow Brokers). Similar documents (allegedly originally from the Central Intelligence Agency) were published by WikiLeaks in March 2017, and there will probably be more such leaks, not just in the U.S. and Europe, but in countries around the world. Every breach will empower independent actors with tools heretofore held by governments. Ransom, blackmail, surveillance, shutdown, and data manipulation are all more feasible than they were only a few months ago.

All companies and organizations must now ask themselves the same question, whether they were affected by WannaCry or not: How can we protect ourselves from similar attacks in the future? Here are five key factors that separate vulnerable companies from more resilient enterprises.

1. Robust digital hygiene. The WannaCry event highlights the importance of vigilant IT management: staying up to date with technological advances. Microsoft released its patch for WannaCry’s Windows vulnerability in March 2017. Companies that promptly installed it were protected, while many of the hardest-hit companies were using outdated operating system software and even pirated software. Robust hygiene also involves rigorous backup practices. For example, don’t just back up your company’s data. Test the backups regularly by restoring them. Secure them so they are separate from your other systems or networks; otherwise, an attacker who reaches the network can corrupt or encrypt the backups as well.
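The "test your backups" point is easy to state and rarely automated. The following added example (it is not PwC's code or anything from the original article) shows one way to do it: take a manifest of file hashes at backup time, keep that manifest away from the backed-up host, and later restore the archive into a scratch directory and compare. The sample files and the tampered second archive are constructed inline for the demonstration.

```python
"""Added example: test-restore a backup and compare it against a manifest taken at backup time."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict:
    """Write a tar.gz of source and return the manifest taken at backup time.
    Store the manifest somewhere the backed-up host cannot write, so that an
    attacker who tampers with the archive cannot also rewrite the manifest."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return build_manifest(source)


def restore(archive: Path, dest: Path) -> None:
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter (Python 3.12+, backported to later 3.8-3.11 releases)
            # refuses absolute paths and symlink escapes inside the archive.
            tar.extractall(dest, filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(dest)


def verify_backup(archive: Path, manifest: dict) -> dict:
    """Restore into a scratch directory and report every difference from the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        restore(archive, dest)
        restored = build_manifest(dest)
    missing = sorted(set(manifest) - set(restored))
    changed = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    extra = sorted(set(restored) - set(manifest))
    return {"ok": not (missing or changed or extra),
            "missing": missing, "changed": changed, "extra": extra}


def demo() -> tuple:
    """Constructed scenario: an intact backup verifies; a backup whose content
    differs from the manifest is reported with the changed path."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "q1.csv").write_text("acct,amount\n1001,250\n")
        (src / "notes.txt").write_text("constructed sample file\n")

        good = Path(tmp) / "good.tar.gz"
        manifest = make_backup(src, good)
        good_result = verify_backup(good, manifest)

        # Simulate a corrupted or tampered backup: the data changed after the
        # manifest was taken, but the old manifest is still the reference.
        (src / "ledger" / "q1.csv").write_text("acct,amount\n1001,999999\n")
        bad = Path(tmp) / "bad.tar.gz"
        make_backup(src, bad)
        bad_result = verify_backup(bad, manifest)
    return good_result, bad_result


if __name__ == "__main__":
    print(demo())
```

Run the check on a schedule against the real archives and alert when `ok` is false; a backup that has never been restored is an assumption, not a control.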

2. The ability to detect intrusive behavior. Human error is still the most prevalent means by which attackers gain access to proprietary information. Employees often unwittingly expose data to a cyber threat actor through a fraudulent email or other socially engineered techniques, thereby giving hackers access to passcodes or other means of entry. Organizations with effective risk management practices rarely release sensitive information to outsiders inadvertently. They are particularly protective of administrative accounts and other privileged information; they make it extremely difficult to obtain the kind of data that would allow someone to take over a system. They are also attuned to detection, learning to recognize the patterns of activity common to intruders and to isolate them in real time. The one thing they share openly is the data about the intruders they detect; collaboration among security professionals from a wide range of organizations is one of the best defenses against cybercrime activity.
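As an added illustration of "recognize intruder activity and isolate it in real time" (this is example code, not something from the article or from PwC), the following detector reads authentication log lines and flags a source address that repeatedly fails to log in to a privileged account, escalating when a success follows that burst. The log lines are constructed in a simplified sshd-like format; the privileged-account list, window, and threshold are assumptions to tune for a real environment.

```python
"""Added example: flag repeated failed logins against privileged accounts in auth-log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified syslog/sshd-like format (not real data).
SAMPLE_LOG = """\
2017-05-12T09:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 50001
2017-05-12T09:00:03 sshd[101]: Failed password for admin from 203.0.113.7 port 50002
2017-05-12T09:00:04 sshd[101]: Failed password for root from 203.0.113.7 port 50003
2017-05-12T09:00:06 sshd[101]: Failed password for admin from 203.0.113.7 port 50004
2017-05-12T09:00:07 sshd[101]: Accepted password for admin from 203.0.113.7 port 50005
2017-05-12T09:01:00 sshd[102]: Failed password for alice from 198.51.100.9 port 40001
2017-05-12T09:30:00 sshd[103]: Failed password for alice from 198.51.100.9 port 40002
"""

# Assumed set of accounts whose takeover would let someone control a system.
PRIVILEGED = {"root", "admin", "administrator"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse(log_text: str) -> list:
    """Return (timestamp, result, user, source) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def find_suspicious_sources(log_text: str, window: timedelta = timedelta(minutes=5),
                            threshold: int = 3) -> dict:
    """Map source address -> alert for sources that fail `threshold` privileged logins
    inside `window`, or that succeed right after such failures (the case to isolate first)."""
    alerts = {}
    failures = defaultdict(list)  # source -> timestamps of recent failed privileged logins
    for ts, result, user, src in sorted(parse(log_text)):
        if user not in PRIVILEGED:
            continue
        recent = [t for t in failures[src] if ts - t <= window]  # slide the window
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in alerts:
                alerts[src] = {"kind": "repeated_failures", "count": len(recent), "user": user}
        elif recent:
            # A success after a burst of failures looks like guessed or phished
            # credentials in use; this overrides the lower-severity alert.
            alerts[src] = {"kind": "success_after_failures", "count": len(recent), "user": user}
        failures[src] = recent
    return alerts


if __name__ == "__main__":
    for src, alert in find_suspicious_sources(SAMPLE_LOG).items():
        print(f"{src}: {alert['kind']} ({alert['count']} failures, last user {alert['user']})")
```

The output of `find_suspicious_sources` is what a response playbook would act on: block or quarantine the source, force re-authentication for the account, and share the indicator with peers, which is the collaboration the paragraph above recommends.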

3. Thoughtful design of IT infrastructure. Every company has its own most valuable information assets: critically important intellectual property, proprietary customer-related data, financial data, and other strategically valuable insights. These must be protected differently from other information assets. Design your systems accordingly. Pay particular attention to your information supply chain: Which vendors, suppliers, and partners have access to your data, and what are they doing to secure it? Rethink your authentication and security controls; for example, introduce two-factor authentication, in which a password must be combined with biometrics, tokens, or some other authentication factor.

Next Corporate Leader

Predicting the effects of a CEO’s tenure can be a tricky business. Boards of directors, investors, and analysts hunt for clues in the backgrounds, personalities, and characteristics of CEOs that might indicate which strategies they’re most likely to employ and in which direction they’ll take the company. How much experience do they have in the industry? Which school did they attend? Do they seem confident or cautious, aloof or personable?

But there’s another question that directors and shareholders might want to ask at some point during the proverbial conference call or job interview: “Do you fly your own plane?”

As offbeat as it might sound, the particular hobby of piloting a small aircraft appears to act as a proxy for a CEO’s willingness to both take on risks and seek out new experiences, according to a new study. This particular combination of qualities seems to give CEOs the intrinsic motivation to lead firms that experience more innovation success and novel breakthroughs. Indeed, the authors found that this effect grows stronger over the first three years of a pilot CEO’s tenure, suggesting that the CEO has a definite impact on the innovation strategy and culture of a company.

Being Ready for a Crisis

Of the many well-publicized cyber-attacks that have occurred in the past decade, at least one was noteworthy because it failed to bring a company down. On the morning of Jan. 16, 2012, millions of people awoke to the news that every online shopper dreads: Zappos, a leading retailer of shoes, apparel, and accessories, had been the victim of a cyber-breach that captured information from as many as 24 million customer accounts. Major news outlets, financial websites, and security blogs all published headlines covering the crisis at Zappos, which had been acquired by publicly traded Amazon just three years prior in a deal worth US$1.2 billion.

The online retailer immediately announced the launch of measures to reduce the impact of the crisis. But the most critical factor in surviving the attack didn’t need to be launched. The company had already put preventive measures in place, long before the hack was discovered. For example, it had stored customer passwords and credit card information on a separate server from other customer details, a server that was ultimately found to be uncompromised by the cyber-attack. Zappos also had stored customer passwords only as cryptographic hashes rather than in recoverable form. Had the hackers accessed the relevant server, they would have found only those hashed values in place of the actual passwords.
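The password precaution described above is worth seeing in code. The following added example (it is not Zappos's implementation, which the article does not describe, nor PwC's code) stores passwords as salted, iterated PBKDF2-HMAC-SHA256 hashes and verifies a login attempt against the stored record; the iteration count follows OWASP's Password Storage Cheat Sheet guidance and the sample passwords are constructed.

```python
"""Added example: store passwords as salted, iterated hashes so a stolen table reveals no passwords."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key (base64 fields).
    A fresh 16-byte random salt per user means equal passwords get different records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and compare
    in constant time. Anything malformed or from an unknown algorithm is rejected."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with fewer iterations than current policy,
    so it can be upgraded transparently on the user's next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed credential table: this is all an attacker who copied it would see.
    table = {"alice": hash_password("correct horse battery staple"),
             "bob": hash_password("correct horse battery staple")}
    for user, record in table.items():
        print(user, record)
    print("alice login ok:", verify_password("correct horse battery staple", table["alice"]))
    print("alice wrong pw:", verify_password("Tr0ub4dor&3", table["alice"]))
```

The record carries its own parameters, which is what lets `needs_rehash` raise the work factor over time without a migration; the separate-server point from the article is the complementary control, since a hash table the attacker never reaches cannot be cracked at all.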

These precautions were considered leading-edge practices for protecting customer information from cyber-attack, but they were most noteworthy for something that had little to do with technology. They were part of a comprehensive crisis response plan that articulated the capabilities that Zappos would need if a cyber-attack — or any other type of business-disrupting crisis — occurred.