Dan Middleton, Vice President UK & Ireland at Veeam: “Cybercrime is now an industry. They have ERG policies”

We need to change our clichés about cybercriminals. They aren’t disgruntled teens in hoodies, nor an army of highly trained agents in some distant land. These are people, like us, who are doing a job. “Cybercrime is now an industry, with real companies offering good salaries, pensions and benefits packages,” says Dan Middleton, Vice President UK & Ireland at Veeam.

“This industry is constantly innovating new ways to exfiltrate or hold data for ransom, and they’re relentless.”

In this interview, Dan sets out the consequences for this upping in professionalism. What can we, as protectors of our company’s data, do?

“When you have a list of priorities as long as your arm, it can be overwhelming just to know where to start, let alone what to do about the issues you’re facing,” he explains. But don’t be paralysed: “Here, it’s crucial to remember that while it’s impossible to do everything, you can do something. And that something might be the thing that stops an attack or mitigates its impact.”

Your first step is obvious: read our full interview with Dan below. Who knows, it might just provide inspiration for your “something”.

Could you please introduce yourself to our audience and share how you ended up working in cybersecurity?

My career in IT started back pre-‘millennium bug’ era when I recruited software developers for the banking and finance sector. I then moved to a systems integrator and consulting company to sell services around SAP, Oracle and MS Navision. Back then my experience of the security side of IT was keeping your anti-virus up to date and always patching.

Then I moved into the IT channel working at Computacenter selling broader products and IT services mostly around the datacentre. I recall that ‘security’ was a network/permitter issue still very much in its own box. After a few successful years, I had the opportunity to become a sales manager and mentor the company’s new graduates.

After a four-year spell at then Kelway (now CDW), I had the chance to build a data centre practice for one of Lord Sugar’s companies – Viglen. Pre-cloud, my focus was always on the data centre. Cybersecurity and data protection became much more of a consideration as the data centre is/was where the ‘crown jewels’ were kept. I joined Veeam ten years ago and as customer environments moved to include hybrid and cloud-native, data protection became part of the wider cybersecurity remit.  

What are some of the major trends in ransomware professionals need to be aware of?

Cybercrime is now an industry, with real companies offering good salaries, pensions and benefits packages! They have ERG policies. This industry is constantly innovating new ways to exfiltrate or hold data for ransom, and they’re relentless. For most organisations, this unfortunately means it’s now not a case of ‘if’ or ‘when’, but ‘how often’ they will get hit by ransomware, and how quickly can they recover.

Investment has increased to prevent and reduce the number of attacks. However, professionals need to understand that no matter what they do, they need to plan to recover from a successful attack. Veeam research found that 75% of surveyed organisations suffered a ransomware attack last year, with 26% stating they were attacked four or more times. This means that more businesses were hit every quarter than not at all.

Once business leaders understand just how vulnerable their data is, they can take the necessary steps to protect it. This is vital as cybercriminals are becoming more tenacious and evolving their tactics as businesses find new ways to resist their attacks and, if they are targeted, resist paying the ransom demand.

Worth a read: Dominic Trott, UK Director of Strategy and Alliances at Orange Cyberdefense: “Cyber resilience should start in the boardroom”

What are the biggest cybersecurity challenges those in leadership roles are facing?

The list of cybersecurity challenges is endless, which reflects my first point. We’re increasingly seeing ‘cyber overwhelm’ become a challenge for those in leadership roles. When you have a list of priorities as long as your arm, it can be overwhelming just to know where to start, let alone what to do about the issues you’re facing. Here, it’s crucial to remember that while it’s impossible to do everything, you can do something. And that something might be the thing that stops an attack or mitigates its impact.

Another common challenge is a lack of alignment between teams. The roles closest to cyber events that have to face their consequences head-on are often those least satisfied with how teams across the business are aligned. The Veeam Ransomware Trends Report 2023 found that 70% of backup administrators believe alignment needs ‘significant improvement’ or a ‘complete overhaul’. This figure is 62% for those in IT operations, 59% for security professionals, and 51% for CISOs or IT execs.

Cyber breaches are almost inevitable for businesses. This means that urgent investment needs to be made in collaboration and integration between teams to ensure a cohesive cyber resilience and defensive strategy can be adopted.

What are some prevention strategies you believe every business should adopt?

Our research found that 93% of cyberattacks targeted backup repositories last year. Considering that 75% of these were at least somewhat successful, it’s clear that more needs to be done to prevent the impact of cyberattacks. Backups are the failsafe within cybersecurity, but if a business’s only backup is encrypted after an attack or if the backup has errors, the team is really in trouble.

The 3-2-1 backup rule is commonly followed, but we believe in taking it two steps further. The 3-2-1-1-0 rule is as follows:

• Maintain at least three copies of your data
• Store your data on at least two different types of media
• Keep at least one copy off-site
• One copy must be offline, air-gapped or immutable
• No errors must be seen within backups after testing

So many worst-case scenarios end with “I can sleep better knowing we can recover fast,” so take every step to ensure you can say those words!

Approaches such as Zero Trust Data Resilience can also be adopted to minimise the number of attacks that make it through your defences. This approach applies Zero Trust principles to backup and recovery to limit the blast radius of data breaches and ensure that immutable backup storage is in place, meaning the data contained within the backup can’t be modified even in the event of a ransomware attack.

Worth a read: Japan’s Kasugai Municipal Hospital migrates critical data to the cloud with Wasabi Technologies

What is it about generative AI that makes it so prone to exploitation by threat actors? Conversely, how can it be used for good (in cybersecurity)?

GenAI has lowered the barrier of entry for those wishing to take malicious action, and I don’t believe we’ve seen the end of its impact in this space. In essence, it can plug various knowledge gaps for cybercriminals. For example, a technical gap can be filled as it can support coding, a language gap can be filled as it can write phishing emails in perfect English, and a visibility gap can be filled as it can be used to research targets and find weak spots. AI has paved the way for ‘next generation social engineering’, so enterprises must invest in ‘next generation data protection’.

Conversely, AI can be used for good. AI-powered malware detection engines or assistants can significantly improve the effectiveness and reach of cybersecurity teams, who often fight an uphill battle when preventing, detecting and responding to cyberattacks.

What’s something that has drastically changed about cybersecurity since you first got started in the field?

The environments and architecture we’re currently dealing with have changed significantly, even in the few years since the pandemic. For example, the rise of cloud and cloud-native environments means a whole new level of protection is required compared to traditional on-premises environments.

However, the good news is that the fundamentals haven’t changed – the best practice remains the best practice. For example, the concept of data backups hasn’t fundamentally evolved, but what has changed is where the data is being stored.