Geoff Forsyth of PCIPal: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

An Interview With Jason Remillard

Jason Remillard
Authority Magazine
11 min read · Dec 6, 2020


As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Geoff Forsyth.

Geoff is the CISO with PCI Pal. This important role is dedicated to maintaining the Group’s existing information security strategy and standards to protect our customers’ data as the organization expands its operations globally and works more with enterprise-sized channel partners. PCI DSS certification, information regulatory compliance, risk management and other relevant data security requirements are at the core of the organization and this position reinforces the commitment to ensuring data security and global regulatory compliance, now and in the future.

After 15 years spent computing in the Nuclear Power Industry, Geoff became a founder member of COUNTYWeb, an internet business directory that floated on AIM in 2000. The company subsequently changed direction to become a call centre and software business in the early noughties, changing its name to IPPLUS in the process. All change again in 2016, when the main contact centre and software divisions of the company were sold off, allowing a strategic move into the PCI DSS compliance for contact centres space. The company re-branded as PCI-PAL PLC with Geoff as the CTO, overseeing the architecture and development of a cloud compliance telephony project (and authoring several patents along the way). Now launched in America, Canada, Europe & Australia, the PCI Pal cloud telephony platform has supported the company as it becomes a true global player in the market.

Originally from the ‘grim north’ (Manchester), Geoff currently lives and works in the delightful county of Suffolk. He only has three hobbies: computing, computing & computing. Happily married, with two grown-up sons, now off doing their own thing.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

My father was a Chemical Engineer at a local oil refinery and my mother was a civil servant. I grew up in northern England during the 1970s. Whilst my father was keen that I go to university, as a rebellious teenager I had had enough of the school system and joined the Electricity Board as an apprentice engineer. Later on, I discovered that my father had been right all along, and I ended up doing an Engineering degree on day release in my twenties, having to work back the extra day each weekend for four years. I became a Fellow of the British Computer Society in 2005.

My introduction to computing was really with the Sinclair ZX Spectrum back in 1982 (called the Timex Spectrum in the United States). Whilst the games were great fun, it was always more interesting to do a bit of hacking myself and examine the code behind them (and find out how to get ‘infinite lives’). This led to an interest in computer programming and all things techie. Even now, in my late fifties, I still love computer games and recently bought myself a VR headset so I can go adventuring in full 3D.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

My career changed from engineering to computing in the 1990s and I became CTO for an Internet start-up in 2000. As the company grew and we introduced more networks and IT kit, the ‘security side’ of keeping the equipment safe and keeping the hacker out slowly became a bigger and bigger part of the role. So much so that, when its importance grew to the point that it warranted a dedicated position, that of a CISO, I took the opportunity to move over into that role and put a small team together dedicated to cyber security, data privacy and breach prevention.

I know podcasts have become fashionable again recently, but back in 2005 I came across a podcast called ‘Security Now’ presented by Steve Gibson of GRC and hosted by the broadcaster Leo Laporte. A great show, each week they discuss security and hacking in the news and more importantly how to stay safe. Over the years I have found it a great podcast to listen to. It’s free, and still going to this day (currently on episode #793). If you haven’t come across it, check it out.

Can you share the most interesting story that happened to you since you began this fascinating career?

Two things shaped my career, and certainly made it interesting: building a private cloud PCI compliant system in 2008, just two years after Google and Amazon popularized the term “cloud computing.” And a bit later, building a public cloud platform from scratch in 2016 with security as the most important thing.

Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

I am always grateful for my Dad, who is right more times than I’d like to admit to myself. Had he not reinforced the idea about the importance of going to university, I may have never gone and found my passion in computing and cybersecurity.

Are you working on any exciting new projects now? How do you think that will help people?

Of course, but as PCI Pal is trading on the London stock exchange, I need to be careful what I say as I don’t want to get into trouble with the authorities. To us, it’s all about enabling secure financial transactions and keeping sensitive information, such as credit card numbers and bank details, away from the merchants providing the goods and services. If companies are not storing customers’ financial information, then there is nothing for hackers to steal if they compromise a merchant’s systems.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

I have to admit to being close to burn out a few times myself, especially as mini-disasters seem to strike whenever you go on vacation!

Trust your fellow workers and try not to micro-manage them. A ‘no blame’ culture, where staff can talk about their concerns and not keep them bottled up is needed.

Also, of course, plenty of fresh-air and walking in nature — I am lucky to be near the coast and have local forests to trek through at weekends and then sit on the pebble beach and share a flask of coffee.

What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

It really is a cat & mouse game. Every time a system is declared ‘secure’, the bad guys find a way in. Bill Gates, back at the launch of Windows XP, said it was the most secure software, but it was soon found to be full of holes. However, I am most excited about rapidly changing AI, ‘the cloud’, and progress toward open banking standards, which are making a big impact.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

We could talk about quantum computing, and the instant cracking of any encryption system, but I feel that is many years off. Just doing the simple things, to make the hackers give up and go somewhere else is the important thing.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

In a previous company we had a telephone fraud attack (Inflated traffic). Spyware on a manager’s laptop was not picked up by our anti-virus software, but it could not do any damage as our network firewall stopped it communicating with its remote command-and-control center. Until, one day, we opened extra ports on our firewall for some testing, and finally it could communicate. Then, on a Friday evening (when most companies would have gone home for the weekend), it started dialing premium rate numbers until all our phone lines were used up. As we ran a 24/7 call center at the time, all lines became engaged and the call center stopped receiving calls. As you can imagine, the IT support team was called and we quickly isolated the problem. It could have been a massive phone bill if we hadn’t found it quickly.

The main takeaway is, don’t assume that anti-virus systems will catch everything — and don’t leave test connections open over the weekend!

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

People are the main tool! They should always be checking to make sure they do the simple things and don’t click potentially damaging links, or share personal or sensitive information across non-secure platforms.

You cannot just ‘buy’ a product and think you have it covered. We use ‘phishing simulation’ products, and regularly test out our staff by sending them fake emails with tempting links. I even got caught by one of those emails from our own system myself recently, which just goes to show how people in a hurry (myself included) will just click on email links without thinking (ouch!).

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

Our InfoSec team is small, with only 3 people — myself as CISO, a Data Protection Officer and an IT Security Engineer. The important thing is to have the ‘buy-in’ from the full management team and train all staff to think about security before anything else — they effectively become your company ‘human firewall’. One of our company mantras is “Security is job zero”.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

Slowdown in systems is often seen, so you need to ensure that servers are updated and rebooted regularly. Leaving your PC/laptop powered up 24/7 is also bad, so make sure you turn it off at night so it goes through regular reboot cycles and gets the chance to install updates.

70% of all breaches start with phishing attacks, so companies should encourage their staff to keep an eye out for any breaches or hacks and importantly, report any they get to the IT team immediately, especially if they have inadvertently clicked a link.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Cyber insurance is a big one. I know it sounds boring, but insurance companies not only cover you for the cost of a breach, but they have portals in place that can provide an Incident Response Plan to assist in the event of trouble, offering forensic investigators, call centers to handle customer enquiries and credit checking facilities for people who feel they may be victims of a breach.

How have recent privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

Data privacy is ‘hot’ at the moment, which has led to an increased interest in the industry as a whole and has created more competition. And though many view these laws as restrictive, they’re not as bad as they first seem — you just need to have processes in place to monitor them.

What are the most common data security and cybersecurity mistakes you have seen companies make?

There are a few: thinking you are covered and taking your eye off the ball, not having top management’s full buy-in to foster a company security culture, and not keeping systems up to date with the latest software patches. It always amazes me how often companies leave default passwords on systems.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

At the beginning of COVID-19, many companies scrambled to get their workers up and running from home as quickly as possible, and security fell by the wayside. At the same time, call centers being set up from home have stretched IT teams and have led to unprotected systems. While some companies even offered employees WFH stipends to create a comfortable working environment, how much money or time was spent on ensuring that employees had the proper tools and knowledge to protect their home equipment from cyber threats? As Verizon’s 2020 Data Breach Investigations Report showed, there are increased human errors due to distractions from working at home, an increased use of ransomware in phishing emails, and an increased and manipulative use of people’s emotions in phishing emails. And according to our research, 64 percent of Americans reported that they’d stop buying from a company that had suffered a COVID-19 related data breach, which shows that companies need to step up their security efforts if they want to keep their customers safe.

What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

Taking the basic steps will get you 80% of the way to being secure — the hackers are looking for easy pickings and will go elsewhere. For example, backup all your data to the cloud. In the event of a ransomware attack, you can quickly get your data back.

Get buy-in from all staff, as good security awareness is important company wide. Remember: security is job zero.

Phishing is the biggest threat, so train staff not only to be on the lookout for phishy emails, but also for them to develop social media awareness.

All data is valuable, not just credit card information. Put yourselves in the shoes of the consumer: while financial information is potentially the most damaging, so too is identity theft.

Let the cloud take the strain. After all, these companies have spent millions on security.

If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be?

Ah, the ‘beauty pageant’ question — I would strive for more compassion and tolerance in the world. People are so entrenched in their own views and are quick to anger. We all just need a bit more kindness in the world. So, everyone out there, please just remember to be kind.

How can our readers further follow your work online?

I regularly blog for PCI Pal and participate in webinars and podcasts. Find out more at pcipal.com, and by visiting our news page.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About the Interviewer: Jason Remillard is the CEO of Data443 Risk Mitigation, Inc. (Publicly Traded as Symbol: ATDS). Data443 is a leading Data Privacy and Security company with over 40,000 customers worldwide.

Formerly of Deutsche Bank, TD Bank, RBC Bank, IBM, Dell/Quest Software, TUCOWS and others, Jason has been in information and data security for over 30 years with customers in virtually every country in the world.

Trusted to deliver — All Things Data Security — he is leading the charge in bringing data privacy as affordable, deployable and realistic solutions that every business owner can take advantage of.
