
When the WCRC met with convicted Welsh ex-cybercriminal Daniel Kelley: Part two


The WCRC has been learning more about how reformed Welsh hacker Daniel Kelley operated as a cybercriminal, putting to him a series of questions. In part one (insert link) he told us how he chose his victims, the methods he preferred to use and who, in his opinion, are the most vulnerable.


Now, in part two, Daniel explains to us where he thinks businesses are going wrong when it comes to their cyber resilience and what his top tips are to stay protected.


What are the simple mistakes companies are making when it comes to their cyber security?

A lot of businesses still make basic security mistakes that leave them exposed. Some of the most common ones include:


·       A lack of attack surface management

Many organisations are unaware of the full extent of their internet-facing assets. Servers are deployed, software is installed, and over time, these assets are forgotten. Years later, they become vulnerable entry points for attackers. I’ve seen this firsthand—gaining access to a system, checking file or system update timestamps, and discovering that most hadn’t been touched for potentially years.


·       Not factoring in risks when bringing in new software

Businesses are constantly adding new applications, third-party integrations, and cloud services, but they don’t properly assess the security impact. Every new system increases the attack surface, but many companies fail to evaluate how it could be exploited before deployment.


·       Letting employees use the same password for every account

Credential reuse is one of the biggest security problems because if one platform gets hacked, those same credentials can be used to access corporate accounts. Employees don’t think about security the way attackers do, which is why enforcing password policies and managers is important.


·       Not running their own security scans for low-hanging fruit

There are so many automated security scanners available that can detect common vulnerabilities, but many organisations don’t even bother using them. Instead of waiting for a penetration test or security assessment, they should be proactively scanning their own systems to catch the obvious weaknesses.


·       Lack of investment in credential monitoring platforms

Password dumps from breaches are constantly being sold and leaked online. If a business isn’t monitoring for compromised credentials, they won’t even know if their employees’ accounts have been exposed until an attacker uses them.
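The first and last mistakes above (forgotten internet-facing assets and unmonitored exposure) both come down to a business not knowing what it has. The following Python script is an added example, not code from Daniel or the WCRC, of the minimal attack surface check a small team can run: it diffs an external scan against the registered inventory to surface unknown hosts, flags inventoried hosts whose last recorded patch is older than a policy threshold, and lists ports open beyond the ones the business intends to expose. The inventory, scan results and the 180-day threshold are constructed sample data and an assumed policy, not real systems.

```python
from datetime import date

# Constructed sample data (not from the interview): what the business has
# registered as its internet-facing estate, and what an external scan found.
INVENTORY = {
    "www.example.test":  {"owner": "web-team", "last_patched": date(2024, 1, 15)},
    "mail.example.test": {"owner": "it-ops",   "last_patched": date(2021, 3, 2)},
    "vpn.example.test":  {"owner": "it-ops",   "last_patched": date(2024, 2, 1)},
}
SCAN_RESULTS = [
    {"host": "www.example.test",         "ports": [443]},
    {"host": "mail.example.test",        "ports": [25, 443, 8080]},
    {"host": "old-staging.example.test", "ports": [22, 80]},  # nobody registered this one
]

MAX_PATCH_AGE_DAYS = 180          # assumed policy threshold; set your own
REPORT_DATE = date(2024, 3, 1)    # constructed "today" so the run is reproducible


def find_unknown_assets(scan_results, inventory):
    """Hosts that answer on the internet but are absent from the inventory.

    These are the 'deployed and forgotten' systems: nobody owns them,
    so nobody patches them.
    """
    known = set(inventory)
    return sorted(r["host"] for r in scan_results if r["host"] not in known)


def find_stale_assets(inventory, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Inventoried hosts whose last recorded patch is older than policy allows.

    Returns (host, age_in_days) pairs, oldest first.
    """
    stale = []
    for host, meta in inventory.items():
        age = (today - meta["last_patched"]).days
        if age > max_age_days:
            stale.append((host, age))
    return sorted(stale, key=lambda item: item[1], reverse=True)


def unexpected_ports(scan_results, expected=frozenset({443})):
    """Open ports beyond the set the business intends to expose."""
    findings = {}
    for r in scan_results:
        extra = sorted(p for p in r["ports"] if p not in expected)
        if extra:
            findings[r["host"]] = extra
    return findings


def attack_surface_report(scan_results, inventory, today=REPORT_DATE):
    """Combine the three checks into one report a small team can act on."""
    return {
        "unknown_assets": find_unknown_assets(scan_results, inventory),
        "stale_assets": find_stale_assets(inventory, today),
        "unexpected_ports": unexpected_ports(scan_results),
    }


if __name__ == "__main__":
    for section, findings in attack_surface_report(SCAN_RESULTS, INVENTORY).items():
        print(f"{section}: {findings}")
```

In practice the scan results would come from whatever external scanner the business already runs; the point of the script is that an unowned host or a three-year-old patch date is only visible once something compares the scan with the inventory on a schedule.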


What are the easiest online systems a business can have to hack into?

From my experience, custom web applications are the easiest to hack. They typically don’t go through the same level of scrutiny as widely used, open-source applications. If a company hires a development agency to build a custom CMS or web app, the security of that application is often ten times worse than if they had just used a pre-existing, open-source solution.


The reason is simple: the open-source community naturally scrutinises codebases more than a single developer or agency that’s just trying to deliver a product and get paid. Some of the worst, most negligent security vulnerabilities I’ve come across were in custom-built applications made specifically for individual businesses.


What are your top tips for SMEs to keep cybercriminals out?

Here are some of my top tips based on my own personal experience:


·       Focus on attack surface management

For every asset or new piece of software you introduce into your IT ecosystem, you should be assessing all the potential threats it could open up and thinking of ways to mitigate the risks.


A healthy security mindset means continuously monitoring, updating, and securing every asset from the moment it’s introduced. If you don’t have a structured approach to managing your attack surface, you probably won’t even know when you’re affected.


·       Run security scans to catch low-hanging fruit

There are plenty of great security tools and automated scanners available now that can detect low-hanging vulnerabilities. Running regular scans on your infrastructure can help catch the obvious stuff before attackers do. Using these tools is a cheap and effective way to cover basic risks, and it’s far better than doing nothing. The idea here is to catch the obvious gaps before they become major issues.


·       Have an incident response plan that’s been tested

An incident response plan details exactly what happens if you suffer a cyber-attack or ransomware incident. This includes making sure your backups are actually functional and can be restored quickly, having pre-established contacts with cyber security firms or response teams, and knowing how to contain a breach before it spreads. It’s not just about the technical response either—there also needs to be a plan for how management will communicate the breach to customers, regulators, and the media.


Running simulated attack scenarios also ensures that when a real incident happens, you don’t have to panic: you already know what to do.


·       Use password managers

Employees are always going to be the weakest link in security. If left to their own devices, most will reuse the same password across multiple accounts, and that’s exactly how companies get breached. I’ve personally gained access to systems because someone at a large company used the same password for a dating application and their corporate email. The dating application got hacked, and because the password was the same, I was able to log into their work account.


Every employee should be required to use a password manager that generates random, unique passwords for accounts. This eliminates the problem of weak passwords and credential reuse.


Organisations should also invest in leaked data monitoring services which some password managers already offer, or you can use services that actively scan the dark web for leaked credentials and notify you if any of your employees' accounts have been compromised.
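The password-manager advice above rests on two checks that a manager or monitoring service performs behind the scenes: spotting the same password used for several accounts, and finding out whether a password already appears in a public breach dump. The Python below is an added example written for this article, not code from Daniel or from any password manager, showing how both checks work. The breach lookup follows the k-anonymity scheme used by the Have I Been Pwned "Pwned Passwords" range API (the client sends only the first five hex characters of the password's SHA-1 and compares the returned suffixes locally, so the password itself never leaves the machine); the network call is replaced by a stand-in returning a constructed response body, and the breach counts, extra suffixes and the sample vault are all made up.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a k-anonymity range endpoint. The layout matches the
# Pwned Passwords API (one "SUFFIX:COUNT" per line for a 5-character prefix),
# but the counts and the first and third suffixes are made up for this example.
FAKE_RANGE_RESPONSES = {
    # SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
    ),
}

# Constructed vault: (account, password) pairs for one employee. The first two
# entries reproduce the reuse pattern described in the interview.
SAMPLE_VAULT = [
    ("dating-site", "password"),
    ("corporate-email", "password"),
    ("vpn", "correct-horse-battery-staple-1987"),  # constructed, unique
]


def fake_fetch_range(prefix):
    """Stand-in for the HTTPS GET of /range/{prefix}; returns a body or ''."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def split_for_k_anonymity(password):
    """Return (prefix, suffix) of the upper-case hex SHA-1; only prefix is sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range=fake_fetch_range):
    """How many times the password appears in known dumps (0 = not seen).

    The comparison happens locally, so the service only learns the prefix.
    """
    prefix, suffix = split_for_k_anonymity(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def find_reused_passwords(vault):
    """Groups of accounts that share one password, compared via SHA-256 so the
    grouping never needs the plaintexts side by side."""
    by_hash = defaultdict(list)
    for account, password in vault:
        by_hash[hashlib.sha256(password.encode("utf-8")).hexdigest()].append(account)
    return sorted(sorted(accounts) for accounts in by_hash.values() if len(accounts) > 1)


def audit_vault(vault, fetch_range=fake_fetch_range):
    """The two findings a password manager or monitoring service would raise."""
    return {
        "reused": find_reused_passwords(vault),
        "breached": sorted(acct for acct, pw in vault if breach_count(pw, fetch_range) > 0),
    }


if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT))
```

To run this against the real service, replace `fake_fetch_range` with a function that performs the HTTPS request for the prefix and returns the response body; the rest of the logic is unchanged, which is the point of the k-anonymity design.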


Compared to 10 years ago, do you believe SMEs are better at protecting against cybercrime?

There are two sides to this. On one hand, there’s a greater awareness of cyber threats, and SMEs are adopting more proactive measures than they did a decade ago.


On the other hand, the world is far more digitalised, meaning the attack surface has expanded. With more companies relying on cloud services, remote work, and online transactions, cybercriminals have an even larger pool of potential targets. So, while SMEs have improved their defences, from a cybercriminal’s perspective, the sheer number of opportunities may make it feel like hacking is just as easy—if not easier.


Daniel is now reformed and is putting his cyber security skills to good use. He has worked with more than 35 leading cyber security firms and is currently focused on improving cyber security marketing, with aspirations to grow his own agency.


If you’d like to increase the protection of your small business, please see our services and membership packages or get in touch with a member of our team.



The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for Wales is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for Wales provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for Wales does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for Wales is not responsible for the content of external internet sites that link to this site or which are linked from it.
