SafetyDetectives recently interviewed Geoff Leeming, Co-Founder of Pragma, where they discussed several pertinent topics within the realm of cybersecurity. These ranged from proactive methods for detecting and responding to cyber threats, to the significant challenges that small and medium-sized businesses (SMBs) face in this domain. Furthermore, Geoff shared his insights about the potential evolution of the industry over the next few years and addressed additional crucial issues.
Hi Geoff, thank you for taking some time to speak with me today. Can you start by introducing yourself and telling me what motivated you to start Pragma?
I've been in cybersecurity for slightly over 30 years. I was very fortunate to get into it right from the beginning. I spent most of my career running security teams for investment banks, which gave me a robust introduction to doing things well. I've lived and worked through some very interesting times. For instance, I was working for Lehman Brothers during 9/11 when two planes struck our headquarters. I was also working for Barclays Asia during the Fukushima disaster, which had a massive effect on our operations in Japan.
What motivated me to start Pragma was the constant struggle to find good, professional services in cybersecurity. I noticed a gap in the market that I felt needed to be filled. Moreover, from my personal standpoint, it is endlessly fascinating to deal with organized crime, manage security breaches, and witness companies defending themselves while assisting them to recover after they've been attacked. These factors inspired me to found Pragma. We're seven years old now, spanning across nine countries with a diverse customer base that stretches from the UK to Australia.
What are some of Pragma’s top services?
We divide the firm into two main components:
- Preventative Security Consultancy: In this traditional approach, our primary goal is to prevent unauthorized access. The main services we offer include:
  - Security Architecture
  - Cloud Security
  - Endpoint Detection and Response
  - SIEM (Security Information and Event Management) System Monitoring
- Post-Breach Incident Response: Over the past few years, we've dealt with several hundred cases where we've stepped in post-incident to aid with recovery. Our services range from helping to rebuild systems, conducting investigations for regulatory reporting, to assisting large companies to get back to operations after some pretty severe incidents.
We operate as a Security Operations Center (SOC) and provide SIEM services for large companies. In our opinion, the most crucial aspect of security is continually monitoring your controls and potential breach attempts.
Can you provide an overview of your approach to cybersecurity and regulatory resilience consulting?
One of the first things we prioritize in our approach is hiring senior experts. We have a somewhat different model from more traditional consultancies, which typically operate with one knowledgeable person at the top, followed by a large team of highly intelligent graduates in nice suits, hoping they will learn quickly.
Our structure is more of a 'diamond shape'. We have a larger number of senior individuals capable of providing the necessary advice promptly. Additionally, and this reflects in the name of our company, we provide very pragmatic advice. Our focus is on helping clients implement the most efficient, effective, and cost-effective controls possible, rather than adopting a high-level, 'ivory tower' perspective.
We strive to keep our solutions practical and straightforward. We ensure they're correctly installed, effective, and functioning before we build on that foundation. We've found that this approach resonates particularly well with many firms, especially emerging fintech companies.
What are some tools that companies should use to proactively detect and respond to cyberthreats?
There are three key components every company needs to incorporate for proactive threat detection and response:
- VAPT (Vulnerability Assessment and Penetration Testing): It's essential to have experts attempting to breach your systems and reporting on their findings. At Pragma, we have a thriving CREST-approved testing practice and, so far, we have never failed to infiltrate a system. This must be the first line of defense for most organizations.
- Endpoint Detection and Response: Two decades ago, we could rely on a secure perimeter model with firewalls. Now, that model is obsolete. The protective walls have come down. Now, we need to protect everything, as every endpoint is a potential avenue for attacks. Therefore, you absolutely need to have endpoint protection and incident response clients installed on every single machine.
- SIEM (Security Incident Event Monitoring): It is crucial to have a central security operations center actively monitoring alerts and responding in real time. A single alert might only mean so much, but when you correlate multiple alerts, you can often detect an ongoing attack. Understanding when and how you're being attacked is absolutely essential for effectively managing and surviving any breach.
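The correlation point above, as an added illustration that is not part of the interview or of Pragma's tooling: a small Python routine that groups low-confidence alerts per host and escalates only when several distinct stages appear inside one time window. The alert names, the sample events and the rule thresholds are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: (ISO timestamp, host, alert type).
# Each one on its own is low confidence; ws-014 shows a sequence,
# ws-022 shows two unrelated alerts hours apart. Not real telemetry.
SAMPLE_ALERTS = [
    ("2024-05-01T09:00:10", "ws-014", "failed_login"),
    ("2024-05-01T09:00:15", "ws-014", "failed_login"),
    ("2024-05-01T09:00:21", "ws-014", "failed_login"),
    ("2024-05-01T09:03:02", "ws-014", "successful_login"),
    ("2024-05-01T09:06:40", "ws-014", "new_scheduled_task"),
    ("2024-05-01T09:07:05", "ws-014", "outbound_to_rare_domain"),
    ("2024-05-01T09:01:00", "ws-022", "failed_login"),
    ("2024-05-01T14:30:00", "ws-022", "new_scheduled_task"),
]

# Hypothetical rule: a host that shows at least MIN_STAGES distinct
# stages within WINDOW is escalated as a possible intrusion.
STAGES = {"failed_login", "successful_login",
          "new_scheduled_task", "outbound_to_rare_domain"}
MIN_STAGES = 3
WINDOW = timedelta(minutes=10)


def correlate(alerts, window=WINDOW, min_stages=MIN_STAGES):
    """Return {host: sorted list of stages} for every host whose alerts,
    inside one sliding window, cover at least min_stages distinct stages."""
    by_host = defaultdict(list)
    for ts, host, kind in alerts:
        if kind in STAGES:  # ignore alert types the rule does not track
            by_host[host].append((datetime.fromisoformat(ts), kind))

    incidents = {}
    for host, events in by_host.items():
        events.sort()  # chronological order per host
        for i, (start, _) in enumerate(events):
            # Distinct stages seen from this event until the window closes.
            seen = {kind for t, kind in events[i:] if t - start <= window}
            if len(seen) >= min_stages:
                incidents[host] = sorted(seen)
                break  # one incident per host is enough to escalate
    return incidents


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_ALERTS).items():
        print(f"ESCALATE {host}: {', '.join(stages)}")
```

Run against the sample, only ws-014 is escalated; the three failed logins alone, or the two scattered ws-022 alerts, never fire the rule.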
What are some of the worst cyberthreats currently facing SMBs?
Two main threats are currently targeting SMBs quite heavily: ransomware and private data breaches.
Ransomware is a frequent issue. We see many of these cases coming in via insurers from small firms who believed that they were too small to be a target. However, attackers don't discriminate based on size; they will break in, encrypt everything, and hold your data to ransom. At this point, having insurance becomes vital, as the ensuing processes can get very expensive. It then circles back to basic security measures - how good your backups are, how effective your recovery plan is. It's completely possible to build a system or a company that's 100% resistant to ransomware, but many companies neglect the preventive work, leaving them vulnerable to organized crime gangs.
The second major threat is breaches involving PII (Personally Identifiable Information). We do a lot of work with banks and fintechs, and people often assume that hackers are after money. However, they're usually after data; it's much more valuable and portable, and much harder to protect.
The most significant issue SMBs face is when a database gets stolen, potentially exposing the personal details of hundreds of thousands of people. Such a breach results in significant regulatory issues, massive reputational damage, and loss of customers. Once you add the technical recovery and remediation costs, as well as legal fees on top of that, it can lead to utterly destructive consequences.
How do you see the cybersecurity industry evolving over the next three to five years?
I see two main trends here:
- The first is that the threats we face will continue to evolve. The criminals in the cybersecurity world are some of the most innovative individuals I've come across, continually adapting their methods to exploit vulnerabilities. While we're currently dealing with ransomware and PII breaches, in three to five years, we might face entirely different threats. They might find new and innovative ways to attack that we can't foresee right now.
- The second significant trend is the rise of cyber insurance. I believe it's going to fundamentally alter how the entire security industry operates. Over the past 20 years, when a company has had to address security, it's been largely up to the CEO or CTO to determine what needs to be done, often based on their professional judgment or gut instinct. This lack of concrete direction is mainly due to a lack of data about the cost, frequency, and likelihood of cyber attacks.
Now, insurers are starting to compile this data. They might not make it publicly available, but over the next five years, they're going to be the only ones with a comprehensive understanding of the real cost of inadequate security. They'll also have a clear sense of the necessary controls to put in place. We're already seeing this shift. Many insurers now refuse to cover companies that don't implement multi-factor authentication (MFA), for instance. That's because they have data indicating that MFA is one of the most effective controls for preventing external attacks.
In contrast, CISOs are often left guessing, and sometimes, they guess wrong. I think this shift toward data-informed, insurance-led cybersecurity will be the most significant change. It might not be flashy, and it might occur quietly and subtly, but it will have a profound impact on the industry, and I believe it will change it for the better.