As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Paul Lipman, CEO of BullGuard, an award-winning cybersecurity company focused on the consumer and small business markets. He has extensive experience building and leading security and consumer technology companies, and is a recognized thought leader on cybersecurity, data privacy and IoT.
Before joining BullGuard, Paul was CEO at iSheriff, a recognized cloud security innovator acquired by Mimecast. Prior to this, he held the CEO role for Total Defense, a high growth consumer security business, which was acquired by Untangle. Paul has also held leadership positions at Webroot, Keynote Systems and Accenture.
Paul holds an MBA from Stanford and a Bachelors in Physics from Manchester University. Outside of work, Paul is an avid snowboarder, amateur astronomer and dabbles in quantum computing.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in the UK, in a suburb of London. I was a tech enthusiast from a young age. My school had an old computer from the 1960s, an Elliott 803b. The computer, and the punch tape writer required to program it, took up a small room. Learning to program this machine in ALGOL was my first exposure to computers. When I was 11 years old, I saved up money and bought a Sinclair ZX-80, which was the first personal computer available in the UK. This computer taught me a valuable lesson about technology upgrade cycles. The ZX-80 had extremely limited compute capacity, so it couldn’t simultaneously execute a process and send a signal to the display. A few weeks after I received my ZX-80, Sinclair released the ZX-81 — a significantly more powerful device that addressed all of the ZX-80’s shortcomings. After overcoming my shock and disappointment, I was fascinated by the potential for this exciting new world of computing and its pace of change.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
In early 2006 my PC became infected with malware, causing endless pop-ups and the machine to slow down to a crawl. I tried all of the well-known antivirus programs but to no avail. A colleague of mine suggested Webroot SpySweeper, which got the job done quickly and effectively. Purely serendipitously, a couple of weeks later, I was contacted by a recruiter from Webroot and jumped at the opportunity to join a company so uniquely positioned to solve a significant and growing pain point. That was almost 15 years ago, and I’ve been in cybersecurity ever since.
Can you share the most interesting story that happened to you since you began this fascinating career?
I acquired a small IoT cybersecurity start-up in Israel, Dojo Labs, which we built to be a security space leader. We had a small crack-team of “white hat” cyber hackers, who had previously worked in the Israeli military’s elite cyberwarfare divisions — the Israel Defense Forces (IDF) Unit 8200. We hacked popular IoT devices in order to test our technology against existing threats and uncovered potential future areas of vulnerability.
The Ring video doorbell was hitting its stride at that time. Our team uncovered a complex vulnerability that would enable recording video and then playing it back to the Ring user any time through the app. A hacker could, for example, record video of a family member entering the home, then play that same video clip back, so the end user thought they were seeing someone they know. If the user were away from home, this could mean they might be letting a malicious stranger into their home with potentially devastating consequences. We notified Ring, and they quickly fixed the vulnerability.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
I’ve had the pleasure and good fortune to work and interact with many great people over the years. I’ve learned to treat every interaction as a learning experience. Some colleagues and managers have inspired and motivated me to emulate aspects of their skills and approach, whether in terms of technical depth, management style, decision-making ability, or other components of their abilities. There are others where I’ve learned through negative examples. However, seeing their shortcomings and weaknesses helped me identify areas for my own personal improvement, focus and growth.
Are you working on any exciting new projects now? How do you think that will help people?
We’re particularly excited about the recent launch of BullGuard Small Office Security for channel partners. SMBs have long been a terribly under-served segment of the market. Small businesses have had to either rely on complex products built for larger enterprises or consumer-market offerings that don’t meet businesses’ management and control needs. We’ve made it extremely simple for smaller organizations to get world-class protection and easy-to-use cloud-based management. Our service also enables channel partners and MSPs (managed service providers) to manage security on behalf of their customers.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
I think this is far simpler than most people expect. First and foremost, it’s so important to treat colleagues as human beings with needs, expectations, challenges and emotions. This is especially important in the current remote work environment, where we are missing the human connections that are such a critical part of how we interact with others. Keeping connected is a basic human need, so communication and engagement are now more important than ever.
At BullGuard, we use daily “huddle” calls to keep connected — both for the flow of operations and to connect to each other. A huddle is a daily standing call, typically no more than 5 minutes in duration, and the purpose of which is to quickly surface issues and figure out who needs to be involved in solving them. As we don’t have the opportunity to quickly huddle up in person, this virtual communication technique is incredibly valuable in keeping us connected and efficient.
Lastly, it’s imperative to make time in your day for those things that keep you fresh and grounded. I find that exercising daily before the workday begins clears my head, boosts my energy and keeps me focused. I also try to make time every week for personal learning — right now, I’m focused on learning to code quantum computers — this keeps the mind fresh and open to new ideas and new ways of thinking.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The first and most important is that cybersecurity provides real societal benefit. The internet provides tremendous utility and value to consumers and businesses, but cybercriminals attempt to take advantage of this fact — sometimes with terrible impact. Cybersecurity companies and professionals are literally on the front line, keeping the world safe from this pernicious threat.
Secondly, we are seeing an interesting evolution in the consumer segment of cybersecurity from a purely security-centric approach to becoming more privacy-focused. It’s been said that if you get a product for free, then you are the product: the large technology and social media giants (i.e. Facebook, Twitter, Google and others) have chipped away at consumer privacy over the last few years. The average consumer really has no idea how little privacy they have online, so investments in strengthening privacy protections are hugely important and exciting.
Finally, the cybersecurity industry is at the forefront of applying powerful technologies such as machine learning to identifying and blocking threats. Anti-phishing, anti-fraud, anti-malware, privacy protection, etc., are all benefiting from innovative applications of machine learning.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
We anticipate that the “new normal” of work and study from home will likely be with us for quite some time. This presents significant challenges for companies in terms of keeping their data and employees protected from cybercrime. How organizations defend a truly distributed workforce and enforce adequate controls, policies and monitoring will require a fundamental rethink.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I’ll give you another example from our Israel team. We identified a vulnerability in a popular “smart” home alarm system that would enable a hacker to access and disable the system over the internet. Moreover, the vulnerability enabled the alarm to be switched off without the owner ever knowing. We notified the vendor, but it took them six months to issue a fix — during which time they continued to sell their product with this significant and unpatched issue. The main takeaway from this episode is that any application is hackable with enough time, motivation and resources. A “zero trust” approach to cybersecurity is a good starting point to ensure that you are taking the necessary steps to keep you, as well as your business protected.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
I use BullGuard Premium Protection and BullGuard VPN. BullGuard Premium Protection is our top-of-the-line offering. It provides a comprehensive multi-layered protection suite that incorporates advanced malware protection, a smart firewall, safe browsing, a dynamic machine learning engine and other advanced features. It’s literally the full set of BullGuard’s endpoint protection capabilities. BullGuard VPN is our virtual private network product, providing an easy-to-use, high performance private connection to the internet. BullGuard VPN keeps your traffic safe from prying eyes — whether a malicious actor is sniffing Wi-Fi traffic on a hotspot, or your ISP is attempting to record every URL that you visit.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
If your organization doesn’t have the budget or need for a CISO, then hire an MSP or MSSP to manage security for you, as it’s not something you should “try at home” with no prior experience.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Arguably the most important thing is to learn the telltale signs of a phishing attempt, as this is by far the most common starting point for a cyber attack. If an email looks suspicious, check the actual sender address and not just how it renders in your email client. I find that weeds out a high percentage of phishing attempts. Then ask yourself whether the email is typical of what the sender would be sending to you. For example, an email from your CEO asking you to wire money, change passwords or do something else out of the ordinary: is that typical? If not, then try verifying using something other than email. Of course, never open an email attachment unless you are 100% sure that it is legitimate, and similarly, avoid clicking on links in emails. As another example, perhaps you receive an email from your bank telling you that you need to change your password. Rather than clicking on a link in the email, go to the bank website directly to figure out if the request is genuine.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Once a breach has occurred, it is imperative that you get out in front of it. If you don’t have the in-house resources to conduct a breach investigation, bring in an expert to lead the investigation. You’ll also need to very quickly get legal advice on your reporting obligations depending on your jurisdiction, and determine a plan for communicating with affected customers.
Hopefully you are conducting regular backups. Backups are a critical component of your defense against a ransomware attack. If you are able to re-image all of your devices, then the ransomware is wiped from your systems (unless the backups themselves are infected).
The breach investigation should also include a full review of your cyber posture and identify any gaps in your plan and infrastructure. Unfortunately, no cyber defense is 100% foolproof. More often than not, breaches occur as a result of human error, so cyber awareness training must be an integral part of your organization’s training plan.
GDPR and the CCPA have reinforced the good practices that we already had in place. As a security company, the privacy and security of our customers’ data is at the core of what we do, so the legislation has helped to crystalize and further formalize our approach.
More generally, these laws help protect consumers. However, technology and industry move much faster than legislation, so consumers cannot merely rely on the privacy laws to protect themselves. A proactive approach to protecting one’s privacy and data will always be necessary.
What are the most common data security and cybersecurity mistakes you have seen companies make?
1. Lack of training. This is arguably the most important. A company can have the best and latest security products, but if employees aren’t practicing good cybersecurity hygiene, then it will be easy for a hacker to take advantage. Look at the recent compromise at Twitter, where famous people’s accounts were taken over through a social engineering hack, to see that budget is not a sufficient defense.
2. Lack of backup. As mentioned earlier, backup is a critical component in a data and cybersecurity plan. Backups can be the difference between a quick recovery from a ransomware attack or other loss scenarios and a complete disaster.
3. Lack of a plan. Many companies tend to think of cybersecurity as an afterthought, if at all. Having a plan, understanding your objectives and working out a response strategy should you be compromised are all critical prerequisites to a strong cybersecurity posture.
4. Relying on consumer-grade products. Consumer products are great for consumers, but businesses need control, procedures, policies and management. Even a small business with ten employees could have over 50 devices, all of which need protection in a coordinated manner.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Please read my earlier comments that address this question.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
Data is the lifeblood of any company. It’s the oxygen that keeps organizations breathing. A data breach can cause severe damage ranging from loss of credibility, high customer churn, financial loss, plunging share prices for a listed company to large fines from regulators, and, in the worst case, the business folding. So how do you avoid this? Data breaches can be avoided by following some simple pointers.
- One of the first steps is cybersecurity training for employees. You can have the best cybersecurity technologies in the world, but if employees are not following processes, it means nothing. Take, for instance, the need for strong passwords. It may seem obvious, but you’d be surprised by how many weak passwords are in use and how much damage can be done when exploited by hackers. Social media platform LinkedIn, Florida-based data aggregation firm Exactis, and hotel group Marriott International between them managed to expose upwards of 900 million customer records largely as the result of using weak passwords. Some hackers are smart and sophisticated in their attacks, but human error remains the leading cause of data breaches. Employees protect your business and its data assets. Cybersecurity training is an effective way to educate employees and ensure proper procedures are followed, reducing risk and keeping an organization’s data safe.
- The second point — which I touched on earlier — is backing up data. Data loss can be devastating. The cause of data loss is due to a number of factors, including weak passwords and social engineering attacks like phishing or equipment error. You might think that it can never happen to you, but the truth is it can happen to anyone at any time. Some years ago, a UK consulting firm lost a lucrative contract with the UK prison system when an employee misplaced or lost a USB drive containing the personal information and release dates of more than 80,000 inmates. The stick was lost when the employee went on vacation and left it in her unlocked desk drawer in an unsecured area of the company’s building. When she returned from her trip, it was no longer there. No one backed up the data.
- Centralized management for endpoint devices is also critical, and especially so for small businesses. Small businesses are underserved in this area, and to protect remote devices like smartphones and laptops, have either used enterprise products or consumer-grade security. Enterprise endpoint security is typically too complex and confusing, which can lead to abandonment. Consumer-grade cybersecurity isn’t appropriate for small businesses because it requires individualized device management. For a small business with even just 20 devices, this is inordinately time-consuming. We have just released BullGuard Small Office Security, which addresses these issues. It provides small businesses with control, procedures, policies, and management of all devices from a cloud-based dashboard. For instance, a small business can remotely apply updates on, say, 30 smartphones and laptops simultaneously, remotely isolate and lock down devices that are lost or stolen, or remotely apply access policies on specific devices, all from a cloud dashboard.
- The fourth point is to use VPNs that encrypt data and hide IP addresses. Given that millions of people are now working from home, VPNs are essential, especially when employees use public Wi-Fi networks that are extremely easy to hack. By always connecting to a VPN before working online, company data is secured, safe from prying eyes, and protected against attacks that target data as it leaves a computer — such as man-in-the-middle attacks.
- The fifth and final point, and which relates to employee training, is to use a password manager. Remembering long, strong passwords is near impossible unless you write them down, which defeats the purpose. A password manager automatically generates super tough passwords for each account or service that needs to be password protected.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Everyone should learn to code. It doesn’t have to be much, and it doesn’t have to be at a deep level — unless you are so inclined. Learning some basic coding, however, has three unexpected benefits.
Firstly, software underlies almost everything in today’s world and is becoming increasingly pervasive in some profound ways. By way of example, machine learning has become an integral part of the fabric of everyday life — from the news we see online to the algorithms keeping us safe when we drive our cars. Getting a hands-on appreciation of how code and algorithms work gives you a deeper understanding of what is happening “behind the scenes.”
Second, learning to code helps exercise and train the logical and analytical parts of our minds — a useful skill for anyone, regardless of what they do for a living.
Lastly, coding is fun and can be psychologically rewarding in its own right.
How can our readers further follow your work online?
Twitter: @paullipman https://twitter.com/paullipman
BullGuard blog: https://www.bullguard.com/blog
This was very inspiring and informative. Thank you so much for the time you spent with this interview!