With everything online, it’s easy to be paranoid over privacy. It’s important to secure your business. You’ll never know if someone is watching you online. Maybe you opened a malicious email and you get hacked. Or a stranger who added you two weeks ago could just be using you for more information. Information and credentials are what they’re really after. Hacking has become such an organized crime that cybersecurity is now a must for big companies. Learn how to protect yourself online with your host Michael Zipursky and his guest Gary Peace. Gary is the founder and Managing Director of ESID Consulting. He helps organizations manage online threats and defend against cyber-attacks. Join in the conversation to learn how to reduce the risk of getting hacked.
I’m very excited to have Gary Peace with us. Gary, welcome.
Michael, it’s so great to be here.
You spent eighteen years as a police officer and investigator in London. Now, you’re the Founder and Managing Director of ESID Consulting. At your company, you support all types of different organizations, security teams, family offices, boards, legal, HR and business owners to help prevent data breaches and reduce disruption caused by insider and cyber-attacks, as some people think of the cybersecurity world. Let’s go back in time a little bit because your background and your story in some ways is like out of a movie to a degree. You and I have joked about it on the many calls we’ve had over the years. Where was the impetus or the attraction of getting involved in law enforcement and becoming a police officer?
It was a long time ago. I originally wanted to join the Armed Forces but defense cuts came along. I couldn’t get to go and do what I wanted to do. It was looking around for the next best thing. It gets me going. I plumped for the Met Police and went to join the police at Scotland Yard in London.
Once you were in Scotland Yard, how did you go from being welcomed into ending up managing teams in different areas around security? What was the drive or the pull for you to get into the whole world of networks, security, counter-terrorism or all the areas that you work on that you’re involved with? Describe a little more of the work that you were doing at that time.
Everyone starts off the same in the police in the UK. Everyone starts off in uniform for two years’ probation and then you get specialized after that. You need to stay in uniform when you go down the detective route, which is what I did. Within six months of coming out of probation, I joined the CID and ended up doing priority patrols for robbers and drug dealers. That’s what got me tracked into it. I enjoyed investigating and getting my teeth into proper investigations. That’s what dragged me in or threw me into the CID, into detective work. That’s where I ended up doing the vast majority of my eighteen years.
Out of all the different projects or cases that you were involved with, which were the ones that stood out to you most or that you enjoyed the most? You were involved with drug dealers or all kinds of different cases.
I don’t know whether I enjoyed it most but I ended up dealing with racially motivated crime, homophobic violence and domestic violence. I ended up doing that for four years covering the whole of Westminster. Those are five different police stations. That was heavy going. It was hard and challenging work. A lot of it didn’t go to court. That’s the way things were with domestic violence but it was hugely rewarding. For the four years, it almost killed me but that was the most rewarding of the jobs I did. Later on, I got dragged into professional standards, internal investigations and anti-corruption. We targeted corrupt police officers. Those corrupting the police were organized crime. They were trying to bribe police officers and destroy cases. That’s where I ended up. I spent a good 8 or 9 years of my service investigating corruption.
Let’s fast forward a little bit. You left the formal world of working inside of the police department and organization to go off on your own. When you left, did you know right away that you wanted to get involved in consulting? Were you thinking about other options? What was that like at that time?
I wanted my own business because the stuff I’d been doing for the last years got me on with anti-corruption, computer forensics and data breach investigations. That was definitely where I was aiming at. I fell into the consulting thing. I didn’t know about it, to be honest. I left the police with a skillset thinking, “I want to go into business.” I fell into contracting initially and that moved over into the consulting world. It wasn’t a planned move.
The first clients that you had as a consultant, you were acting as a contractor. What were the first projects? Were they coming through other organizations that were offering services and you worked for them? Walk us through the first few clients that you got. Where does most of that business come from?
The first couple of times it was data breaches that had happened. Someone else was investigating the computer forensics behind how something happened, how someone stole data, and then they came to me to put the systems in place, the management systems, the governance and the procedures to stop it all from happening again. That’s how I ended up in those first few jobs. Another big contract was the Competition and Markets Authority in the UK. They were setting up from scratch and they needed someone to set up their first criminal cases on their forensic software. I fell into that one as well. It was a bit of a mismatch. It was government and private companies but it all had something to do with either investigations or leakage of information in one form or another.
You gave a presentation with me to some of our Clarity Coaching client group around cybersecurity and best practices, which people felt was very helpful in the sense that this is top of mind for a lot more people in terms of cybersecurity, privacy and protection of data just because more people are online and things are in the cloud. I want to back up for a moment before we get into some of these best practices.
Have you seen a big change in the industry because you’ve been involved in this area of work? If you went back several years, not many standard typical consultants or consulting firms were paying much attention to cybersecurity. Nowadays, you see it in headlines almost every day. There’s a lot more in terms of data breaches and things of that nature. Has there been a surge of volume around this area? Is it more that people are catching on like this is happening? How have you seen the landscape of cybersecurity and data breaches shift over the years?
There’s been a big change in it if you go back several years. Everyone talks about IT security as opposed to this cloak-and-dagger world called cyber, which is a term I hate. Everyone thinks it’s cloaking. They think everything has to do with dark arts and it’s not. Cybercrime is just old-fashioned theft, fraud or criminal damage but it’s been done over a computer. That’s it. Nothing has changed. The people don’t change. If you go back for several years and you talk about hackers, the stereotypical image was some spotty kids sitting in a dark room clicking away at computers. It’s big money now. Money is the new gold, the new oil. It’s information and it’s been commoditized. The cybercriminals that are out there, there are a number of threats that are coming from Russians, Chinese, North Korea.
If you’re talking about the Chinese then it’s all about the theft of high-value intellectual property. If you’re talking about Russians, a lot of it is Russian criminal gangs but what it all comes down to is commoditizing and monetizing your information. That’s where the big change is. It’s big money. When you’re getting hacked, it’s by organized criminals. You can go onto the dark web and you’ve got a shopping cart. You can go out and buy the programs to hack computers. You can buy information. It’s all for sale and it’s professional. That’s the biggest change over the last years. It’s gone from being the script kiddie sitting in the bedroom. It’s organized crime and there’s big money behind it.
Does the solo consultant or small consulting firm owner need to be concerned about this? Is this only an issue for larger organizations?
This is an issue for everyone. If you look at the likes of BAE Systems or General Dynamics and huge multinational companies, they’ve got billions in revenue. They spend millions on their cyber defenses. They need to do that because they’re being attacked by nation-state actors to a great extent but the thing is, if you’re a consultant and you’re in their supply chain, you’re a bigger risk than perhaps they are. There were a whole bunch of figures. Before COVID came along, the supply chain risk was the biggest risk in cybersecurity because it’s far easier to attack the sole consultant who doesn’t think he’s at risk or doesn’t think it’s a threat or hasn’t got the money to spend on cyber defenses. Therefore, he’s got the bare minimum in place.
The hackers will go for that sole consultant or that very small micro business because they know that they’re not spending thousands on cyber defenses. If they break into that sole consultant’s database or that small consultant’s computer, that’s the way to the big corporations. We’ve got a lot of Americans doing this. If you think back to Donald Trump’s elections, Hillary Clinton’s emails were hacked. The way her emails were hacked was because they got into the interns and they got in through her supporters who didn’t have the security in place. Once they broke into those helpers, they were then able to go through all the different networks through emails to get to Hillary Clinton’s email account.
That’s the easy way. It’s where I’m looking at. If you go along the street, you’ve got four houses and three of them have got a burglar alarm box or a trigger alarm box on the walls, the burglar is going to pick the one that doesn’t have that box on the wall. It’s about picking the low-hanging fruit and finding the easiest way to get into a network. Once you’re in, you’re in and you can do what you like.
Provide everyone with a little bit more context around how people are going in, stealing information or accessing your computer, your database, your network and then let’s talk about what people can do to protect against that. To begin, let’s say the standard or typical situation for how someone might try and access a consultant’s computer or a network. What would that look like first of all, Gary?
The first and the easiest way is social engineering. They’ll look at a big company that they want to attack. They’ll try and find the easiest way. One of those ways was that they’ll be looking at who’s joined that company. They’re looking at social media, news reports, who is working with a particular company or organization. Quite often, an SME or a sole consultant might announce on social media that, “I’ve got a contract working with,” or it goes on their LinkedIn account that says, “I am a consultant for company ABC.” That’s the person that most of those attackers will have a go at. Another way might be that a new employee joins company ABC and they put on their social media profile, their LinkedIn account saying, “I’ve started as an intern with this so-and-so company.”
The hackers will then socially engineer and attack that particular person. They’ll do something quite simple. Maybe they’ll find out and they’ll become friends on Facebook or on LinkedIn. Over a period of time, they’ll befriend that person or get into a conversation and they might send them an email, a connection request, a link or something on that social media platform knowing full well that the person will click on the link. They know it’s come from a known email address, so they’ll open that email. If they don’t, particularly at any time in the day, that person will open it from their work computer because maybe this organization has a policy that says that their employees can surf the internet or they can go on their social media account at lunchtime. They do that. They click on a link. They download some software to that computer without knowing it, which captures usernames, passwords and bank.
So everyone is aware, you can open an email or click on a link and you’re not even aware that there’s software being downloaded onto your computer that’s going to grab passwords and other things of that nature. It’s just happening in the background.
That will capture user credentials, which is the golden nugget for lots of these criminals and hackers. They need those credentials because once they get credentials then they can log into your account using your password and your username. What you’ve also got to bear in mind is lots of these people also share passwords and share usernames. If the hackers manage to grab one password, they know that you’re using it on another five different websites. It’s not only the company that’s at risk. It’s your own personal data. It might be your own bank accounts, your other social media accounts. Once they’ve got that one password, if you’re sharing it then potentially they’ve got access to everything else. That’s grabbing the passwords.
One of the other threats is CEO fraud, which is where they will look at and click on the profile on a company webpage. They’ll forward an email to the CEO supposedly coming from the CFO saying, “Can you please pay this invoice?” We all know that when you see an email address, it gets truncated down. Mine is Gary Peace ESID. That truncates down to Gary Peace. You don’t get to see the ESID on the end. If you change one character on the end of an email address, no one’s going to notice it. They don’t know that it’s coming from a dodgy email account.
That email might contain an invoice, which is then going to go to the CFO or the CEO. If it’s at a particular time of day or night or whether they know that someone’s away on holiday or at a conference, they put urgency behind it. A bit like you using sales techniques, put some urgency, put some context behind it, and that person will click on that link. There’s a very good chance that those invoices will get paid and they’ll get paid to the wrong account.
If we’re thinking of the small consulting firm or solo consultant, in your experience, is this stuff happening all the time? Is it a rare occurrence? What are you seeing in the marketplace?
It’s massive at the moment especially with COVID fraud. We’re talking about PPE. There are millions and billions of pounds’ worth of fraud that has gone on with PPE equipment. People are also latching onto the whole COVID thing and working from home. What you’ve got to remember is you’ve got a whole bunch of people that were in corporate environments and are working from home addresses on routers that haven’t been patched and updated for many years. They’re possibly using home computers, which don’t have the same protections that the company has. Add all that into the pot together with a lack of supervision, because these people aren’t in the corporate environment.
They’re sitting at home. They’ve got the kids screaming in the background, the dogs are barking, a person is knocking on the door. They’re trying to do some work at the same time. They’re not going to be paying the same attention to these spoof invoices or emails that are coming in and going out and because they’re not on the corporate systems, they don’t have those protections that you might have in the corporate environment. With fraud, I can’t put the figures on that but there was something like a 600% rise in fraudulent attacks over the COVID period because everyone has been working from home.
Let’s go through a bit of a progression for the reader that’s going, “I haven’t done anything about this. I need to treat this more seriously.” What would the progression be if we started off with the easiest first step to try and protect oneself? What would be the one thing that’s not hard to do and people should consider looking into and taking action on quickly?
First things first, make sure you’ve got antivirus on your computer. It can be the free version so you don’t have to pay for it. They’re all pretty good but make sure your antivirus is on the computer and it’s turned on. That’s the first thing. Secondly, make sure your computer is completely up-to-date. What I mean by this is called patching. Every Tuesday you’d turn your Microsoft computer on and it goes into these automatic updates, which is a real pain especially when you’re sitting down to go on a Teams meeting, a Zoom call or something and all of a sudden, your computer kicks into overdrive. That’s called Microsoft Patch Tuesday. It’s when Microsoft rolls out all of the fixes to the vulnerabilities and the issues that it’s found out over the last few weeks.
It is essential that your computer is as up-to-date as you possibly can make it. Always make sure that those patches are updated and rolled out. If you look at your iPhone for example and you might be on iOS version 14.0.1, the reason they roll out version 14.0.2 is that they found some vulnerabilities and some glitches in the previous software. If you don’t update that software then it means you’re vulnerable to attack. The vast majority of the hackers, they’re not targeted. It’s just a random drive-by. They’ll fire out some software and they know that if they fire out the software to enough people, they will pick up a bunch of people that haven’t updated their software. That’s the way into those machines.
The two things, antivirus and updating the version of your software on your computer, are very simple, straightforward things that anybody can do and 100% should do but that’s not why your clients hire you. Take us to that next level in terms of the work that you’re doing. What kinds of things are you helping your clients with to protect them, to reduce or eliminate data breaches and to ensure that there aren’t security issues occurring?
There are three outcomes that pretty much all of my clients want or need. It doesn’t matter whether they’re in government, in defense, private companies or whatever. The first is the protection of IP or data. What are your crown jewels? What is it that you’ve got to protect beyond all else? It’s the protection of intellectual property. Secondly, it’s the preservation of assets. I don’t mean assets in information stuff. I mean your IT network. Are your computers patched up to date? Do you have a firewall on? That’s the protection of assets but that’s also capital. At the end of the day, it all comes down to the bottom line. It’s making sure that you’re not going to lose money because you’ve been hacked.
If you employ me or someone else to come along and investigate a data breach, it is ridiculously expensive but then you’ve got to take into account that you’ve got to get your IT team to fix those things as well, then you’ve got reputational damage and you’ve got the fines. If you think of something like the GDPR, for example, you’re talking 4% of global annual turnover. You could be talking many millions of dollars. It’s the protection of IP, preservation of assets and lastly, it’s securing reputation. That’s one of the biggest things because if you lose your reputation, you lose your customers anyway. It’s making sure that you’re protecting your reputation. It’s those three things.
If you look at a Venn diagram, if you look at those three things altogether, the bit in the middle where they all overlap, I call that your critical data assets. They are your crown jewels. You don’t have to protect everything in the same way but you need to identify what your most important assets are and that’s what you have to look after. The way we do that is by putting a bunch of controls in place. Not only have you got to have your IT controls, which I like to say is your antivirus, antimalware, patching, encryption, all that stuff in place, but you’ve also got to look at your people, policies and your procedures.
What are your people doing with your data? A lot of security consultants will say that people are your biggest risk. I would say no. They’re your biggest assets because, at the end of the day, they’re the first line of defense. They are the ones who will notice when John Smith is badmouthing the company, whether he’s staying late or leaving early, maybe accessing a printer he’s never used before. Why is it? What do I do? It’s about bringing all that together, bringing your IT controls and your people controls all into one place and then looking at the risk overall. That’s how we help manage the insider threats and the anti-corruption risks. The insider threat is someone who’s got access to your data, your network and your IT. They could be a contractor, an employee or a family member. It’s anyone who’s got access to that data. It’s the risk that they pose to your organization.
What about Wi-Fi networks? When you gave that presentation to our group, you said that Wi-Fi can be quite dangerous. A lot of people, when you’re on your cell phone in an airport, at a café, you access public Wi-Fi. How dangerous is that? What should people be careful about in terms of public Wi-Fi?
Public Wi-Fi touches on two things. For example, if I send you an email, I’m sitting here in the UK and you’re in Canada, that email will bounce around a whole bunch of servers as it gets to you over in Canada. Everywhere that it’s bounced, potentially someone can read that email. An email is like sending a letter without an envelope. It’s open and anyone can read it. The only way of protecting that is to encrypt the email or use something, perhaps a cover letter, called a VPN, which is a way of tunneling that communication in a secure way. If you’re on hotel Wi-Fi or you’re sitting in an airport lounge or a coffee shop, I can sit there with my computer and I can sniff the airwaves, so effectively I can see all of your communications leaving your computer or your mobile phone and going off to the internet.
It’s a free bit of software. It’s not a very expensive kit to do and anyone can do it. I can set up my own spoof Wi-Fi. If you’re sitting in Starbucks, for example, and you’re on the Starbucks Wi-Fi, if I create a spoof Wi-Fi site called Free Starbucks Wi-Fi, who’s going to know which is the real one? If they log on to mine, I can get and read all of their information. The way around that, I would strongly suggest, is either to be on your phone so that you’re using 4G or 5G, and access the internet through your phone connection, not free Wi-Fi, or download some VPN software, which is a Virtual Private Network. They’re not particularly expensive.
If you’ve got an Apple iPhone, you can turn it on because mostly it comes with the phone. Make sure your VPN is turned on. What happens is that all of your data is then transmitted effectively, it’s encrypted and protected. If you imagine a hose pipe, you connect the hose pipe to the tap on the wall, you turn the tap on but your hands don’t get wet because that water is flowing through the hose pipe. That’s exactly what a VPN does. All of your internet communications, your emails or your web surfing are all going through that hose pipe and coming out the other end. No one can tap into it and see it. That’s what a VPN does. If I’m going to be in a hotel or a coffee shop, that’s what I’ll be using.
I certainly was in this camp for quite some time. If you look at all this stuff, you’ll think, “I’m okay. This is for large organizations. How relevant is this for me?” What’s happened is, as you’ve shared, especially in 2020 through COVID, it’s accelerated the danger, the prevalence and how common it is to have these kinds of breaches or security issues. What’s important for everyone to know, this call-to-action to all of our readers, is it’s not just about your phone or your computer, think about your clients. If you have client files, client information, you’re not only putting yourself, potentially your family or anyone else around you at risk but you’re also putting your clients at risk.
You hit on something important, Gary, which is not only could this cause fines and downtime but also reputational damage. Imagine if you are the one that all of a sudden causes a bunch of issues for one of your main clients or any clients and they have to deal with fixing that issue, they’re not going to be very happy. We all want to look at what we can do to ensure that we’re providing great security and protection, not only for our own businesses but also for anyone that is entrusting us with their information, so that you’re handling that properly. That’s a good point there and some great tips around this.
Even in your own business, you have access to all kinds of very cool technology. You know what’s happening in the world of security. What has been one thing that you do that might be a little bit higher level or more advanced but you think it’s a good approach to greater protection? Is there something that we haven’t yet touched on that you’re doing that you think could be beneficial for others as well?
It’s looking at things as a whole and holistically. With my background, you can employ a consultant that does GDPR or data protection on its own but they don’t know anything about forensics. You can employ forensic consultants but they don’t know anything about governance. With my background and what I ended up doing, I’ve done all of that. The only way to properly secure an organization or a person, such as high-net-worth individuals, is to look at things holistically so you’ve got to bring everything together. You’ve got to look at all the threats and what it is that tips people over the edge. For example, my big thing is insider threats and looking at counterespionage. We know what it is in people’s lives. They call them stressors that push them over the edge. The way I look at things is no one is above and beyond their approach.
Bear in mind, I used to investigate police officers who were on very good salaries, with big pension pots, yet they still sold information to the press, sometimes for the price of a cheap meal. People would throw these things away for all sorts of different reasons. If you look at a pretty simple idea, mom and dad with their mortgage to the hilt, they’ve got two kids, two cars on hire purchase and then dad or mom gets poor so that’s going to mean pulling double shifts. Something then goes wrong with the car or the washing machine packs up. All of a sudden, you have all these things that start bubbling up. Adding to that, maybe he’s been passed over for a promotion at work or he’s being bullied by a bad boss, all of these things.
If you look at all of the research that’s gone into this, these are what we call stressors. If you add them up, eventually they will push that person over the edge. For example, someone then comes along and says, “Here’s a couple of grand in the back pocket if you can just give me that bit of data.” I challenge anyone who says that they won’t come to a point in their lives when they will be tempted. That’s what people are going to look for because everyone assumes that, “It doesn’t happen in my company. My staff are all happy. We don’t have any bullying.” I challenge anyone who says that anyway.
There are always people that are going to be unhappy. No one comes into a company being disgruntled or being unhappy with their firm because they all join a new firm and they’re ready to go. Most unhappy employees are created and they’re created through circumstance or bad management. If that continues, that unhappy employee becomes a disgruntled employee and therefore, temptation comes in. You’ve got to look at the people’s side of it but then also you’ve got to have the technology to back it up.
We’ve got some clever kit, which will recognize anomalous behavior, if someone is doing something outside of the norm, something they haven’t done before. When you tie in the stressors and the unusual behavior and then you feed that into the management team, which is why we created an insider threat management program, if you feed that into the right channels and you apply context to it then that’s when you end up with a real nugget that says, “We need to maybe look at that person.” Not for anything bad but it might be. You solve it by saying, “John, we’re sorry you didn’t get that trip or the promotion. We’ll make sure you get it next time.” By doing something as simple as that, it may well be that you avert disaster. You’ve got to have all that.
You’re looking at it from the perspective, when you’re working with clients, of looking at the people, the technology and the overall analysis. You’re doing a very comprehensive look at all the different variables that could cause an issue. Based on your analysis of that, you then figure out what needs to be adjusted, repaired, removed or added to ensure that the whole environment, business, system or ecosystem is protected and safe. That’s what I’m hearing from you.
It’s putting an ecosystem in place that allows trust and transparency within an organization. If you’ve got a level playing field within an organization, you’ve got a happier workforce, therefore your risk of disgruntled employees goes down. It’s having that environment where you’ve got checks and balances but you’re relying on and trusting your staff to get on and do their job. If you give them that opportunity, they will pay you back. They will reward you in spades. It’s about treating people fairly and equally.
It’s an important topic. That’s why I was very glad to have you on because it’s an area that some people don’t pay much attention to. It’s starting to get more visibility. Still, for so many consultants, whether you’re an independent solo consultant or you have a mid-size or large-size firm, maybe you already have some resources going towards this. For many of the people who are either solo or small firms, many have not spent much time thinking about how to protect themselves. That’s why it’s so important. I’m glad to have you on so that you could not only bring the awareness to more people but also share some best practices to help people.
The last thing to add is it’s one of the blockers that I come up against quite a lot, where they’ll say, “I’ve got this covered.” That is a huge trap that not the really big ones but medium-sized companies fall into, when they say, “Our IT is going to cover it.” The problem is IT is traditionally quite nervous when I come along because they think I’m going to show them up, I’m going to embarrass them or take their job. That’s not the case. This comes back to the first question you asked. What were the changes in the environment? If you go back several years, IT security was just that and the IT guys would have it covered.
What’s happened over the last years is information security has become its own separate skillset and the two are at completely different levels. One of the biggest things is IT are important stakeholders, don’t get me wrong, but they’re stakeholders alongside HR, finance and all the rest of it. You’ve got to have independent oversight of IT security and information security. You can’t give an information security project to the IT department in my opinion because firstly, people go, “It’s just an IT thing.” They’ll forget about it, it’s not that important and they’ll ignore it. The other thing is that you need that independent governance over what’s happening with security. Information security is a business risk, not an IT risk. That’s why it’s going to sit at a different level.
I know you do a lot of work with established organizations for all the consultants and consulting firm owners, even if they’re of a smaller size and not large organizations. Can you help them? Should people reach out to you on this? Are you more focused just on the larger organizations?
I’m focused on larger organizations because they’re the ones that have generally got insider threat programs and big enterprise programs. For me to help those large organizations, I also need to help the small one-man consultants or those micro-businesses. The way into those larger firms is through the consultants. If we can help out and put some simple measures in place to help smaller consultants, that’s great. I would love to talk to any of them.
If people want to reach out to you to learn more about ESID and maybe chat with you, Gary, to get some resources or get some guidance in this area, where’s the best place for them to go to or the best way to get in touch with you?
Gary, I want to thank you so much for coming on here and shining a bit of light on this important topic that far too many of us don’t spend enough time on. Every day, it becomes more important to at least put some things in place, even that initial level of protection, and you can get much more advanced from there. Thanks so much for coming on.
Thank you, Michael. It was great to be on the show. It’s something I’ve read for many years. To be interviewed by you is a great honor.
It’s my pleasure.