Cal Leeming, cyber security advisor and chief executive of Lyons Leeming, on how to protect IT systems from criminals and why leaders must stop hiring weak links.
What’s your IT security background?
I started hacking aged 10, partly because I enjoyed learning how systems worked, but also for survival. I came from a background where [my family] didn’t have much money. It was great, I thought, that I could get free stuff delivered to the house by typing in a few magic numbers and stealing credit card [information] from companies. I was naive.
I was arrested at 12 years old. I was terrified, but not enough to stop hacking until I was 18. By then, I had been arrested for a series of instances where I had broken into UK internet service providers and stolen tens of thousands of credit card details.
I went to jail and was released five and a half months later. I then started on the road to rehabilitation. I was dismayed by the way that people treated me, being fresh out of prison. My arresting officer helped me with references. He put me back in front of the banks that I hacked. I helped them to secure their systems.
I eventually found myself building start-ups in Silicon Valley, where people didn’t care about my prison time. I spent 10 years learning about what it takes to run a business. Then, having built a good reputation, I was approached by some high-net-worth individuals to provide their individual security – and that’s how Lyons Leeming was born.
What’s the biggest motivator for hackers?
There’s the bored kid, the financially motivated individual, the state-sponsored attackers. There are insider threats, political activists or hacktivists – or any combination of those. You can have an insider threat that’s financially motivated: someone who will throw the company under the bus for £100,000, for example.
Business leaders need to assess which threats are greatest by asking themselves who they might have annoyed over the past few years, whether their systems are locked down and so on.
When you consider threat levels, you can always be sure of one thing: you’re vulnerable. It’s no longer just about defending one particular point of entry into a system. Detection and deterrents are essential. Detection is the idea that if someone breaches a system, you will have enough layers of security that at least one will be triggered.
What steps do businesses need to take to establish an effective security strategy?
Good security costs money. There’s a reason why the most profitable companies are some of the most secure. Look at Google and Facebook. They’re not perfect, but they have a great instant response.
Companies with minimal funds can employ an engineer or security person, who might charge £500 a day or so, but they won’t get an understanding of the business impact of an attack.
Costs come from employing an entire team of people who understand the problem. They’re in such high demand, because the industry is saturated with mediocrity. Everyone is jumping on the cyber security bandwagon, because it’s a cash cow.
Companies should call in a professional if they can afford it. If not, they must educate themselves. If there’s a firm that has been doing good security in your industry, talk to them. Also, consider the basics:
do basic two-factor authentication, don’t leave a lot of files on your desktop, and look at digital asset management and intrusion detection systems.
What makes for a good corporate security culture?
When we investigated why people are likely to betray their companies, the biggest issues have been having to submit receipts for nominal amounts, companies refusing to give staff time off, sitting in poorly-managed meetings and so on.
These people didn’t see any reason to love their company, which is when the insider threats became problematic. Make sure that your staff feel valued by not wasting their time, and by respecting and trusting them.
Why are staff considered to be the weakest link in the business chain?
The human threat is definitely the weakest link. Not [just] because people can be socially engineered, choose poor passwords and don’t patch their machines, but also because of the activities that they perform.
Running a security team is a never-ending hosepipe of a lack of training and other people’s ineptitude. All you can do is keep on top of it.
You’re there to enforce the law like a policeman: you won’t be able to stop people murdering each other, but you try to solve the crime when it occurs.