Cybersecurity Essentials: Protecting Your Business From Cyber Threats.

With Rick Snyder and David Behen

Editor’s Note: We hope you enjoy the video above. If you’d rather just listen to the podcast, click the button below to Apple Podcasts: The Common Bridge. It is also available on all other podcast platforms. We have included the transcript to this program below. We offer this program in its entirety to our paid subscribers, and welcome all to subscribe below.

Richard Helppie  

Hello, welcome to The Common Bridge. If you're listening to this as a podcast, you're connected to a network some place, that network is connected to the internet. If you're looking at the video on Substack or on YouTube, guess what? Your digital device is also connected to a network connected to the internet. Let's say you're reading on Substack. Guess what? Same thing. So we're here today with two experts in cybersecurity. They're going to explain what cybersecurity is and how you can be more secure. I hope you'll get a lot of value out of this. We welcome today, the co-founders of SensCy.com, the 40th governor of the state of Michigan, Rick Snyder, and co-founder Chief Client Success Officer Dave Behen. Welcome, gentlemen, thank you, it's good to see you both. Rick, of course, you're well known for doing a great job as the governor of the state of Michigan. We appreciate the relentless positive action that you brought. But you had a pretty good career before serving as the governor. Can you tell our audience a little bit about that and then a little bit about what you did post governorship?

Rick Snyder  

Sure Rich, and it's great to be with you, good to see you and catch up with you again. This is actually my fifth career; I can't hold down a job. So if you look at it, basically, if you go back in the 80s, I was with Coopers & Lybrand, now PricewaterhouseCoopers. I was a tax professional. I became a tax partner and then a mergers and acquisition partner helping people buy companies. That led to going to Gateway Computers in the 90s. There I was the number two guy working for Ted Waitt, the founder, and that was an incredible experience. We went from 600 people, 600 million revenue, to 6 billion and 13,000 people in six years. I was the chief operating officer and president. Then I came back to Michigan. Ted was moving the company to California, we wanted to come home; I did $200 million venture funds. So I was doing the craziest work; doing dead cold startups, finding professors and technology. Then Michigan was absolutely a disaster in 2008, '09 and going into '10 so I ran for governor and I won. I had the wonderful opportunity and the honor to serve for eight years as governor of Michigan. There are term limits so I got thrown out on the street after eight years. And then what do you do with an old governor? Well, I was very fortunate, I met David - who had actually worked with me at the state - and a couple of other colleagues and we formed SensCy. Because if you look at [it] we were the best in the nation, state government in the state of Michigan. Cybersecurity is a huge pervasive issue and I view it as a way to continue to help people, to give back just in a different context, because small organizations are desperately in need of help, even when they don't know they need help. They need help so we're here to help with SensCy.

Richard Helppie  

David, you met the governor, worked for the state. You were the chief information officer. You're a Detroiter. Share with our audience a little bit; what's your career arc been like?

David Behen  

I am a proud graduate of Eastern Michigan University. I like to joke it's the good school in Washtenaw County.

Richard Helppie  

That it is, all right.

David Behen  

I started out as a small time city manager out in the west side of the state for a couple of years, right out of grad school. Then I worked at Washtenaw County. I was there for nine years and was the deputy county administrator and CIO there, then went to the private sector for a little while. Then I met this guy right here sitting next to me and he ran for governor. He ran for governor and he won and so anyway I worked with him; I had known him for years before that. Then I was the CIO for the State of Michigan for six and a half years and for about four of those years, I was also the director of the Department of Technology, Management and Budget. And then I kind of put my public service days on hold and put them away for a little while, went to become the CIO for La-Z-Boy, a great company in Monroe, Michigan. Then got back together with him and we started SensCy because again, as he talked about, it's small and medium sized organizations getting hammered. There are some really common sense things we can do to help them and so it is like he said, it's like giving back. But actually, you can make a little money doing it too.

Richard Helppie  

Well, profit lets you sustain the runway; lets you help more clients. People that haven't been in business don't understand it's all about satisfying a customer and making sure you have a satisfied and motivated workforce. Those make a better country and a better state, better communities. And I can see the connection; La-Z-Boy, you're thinking about, you're kicked back in your recliner, you're looking at your iPad, and all of a sudden the ransomware grabs it or phishing comes in. So what is cybersecurity and what's the threat out there? What should people be thinking about when they think about the term cybersecurity?

Rick Snyder  

The way to look at it in many respects is we live in a digital world today and we're surrounded by it. If you ask anyone - whether it's iPhones, iPads, Android phones, any kind of electronic device that's connected to the internet - you have to be concerned about cybersecurity. You're in a connected world. I wish we would say we didn't have to worry about it but there are bad people out there that are going to take advantage of the fact that, that network, that connection, is not perfect. There are holes, there are things that we don't do, there are ways that people can exploit vulnerabilities in the cyber world. 

Richard Helppie  

What are they after? What are the cyber thieves, cyber criminals, after?

Rick Snyder  

There's six or seven different categories, but the one that's really prevalent today, the biggest one, is cyber criminals just want to make money. That's where ransomware comes from. A big enabler of that...that didn't happen 10-20 years ago, very much, it was other issues that were, the cyber hacktivist or activist. Now, it's mainly cyber criminals, because they see the opportunity to make money because of Bitcoin. If you think about it, there's an anonymous way to get paid, essentially so there's their currency. And once that currency was created they learned, okay, now I can go shake-down people, get money from them and not get caught.

Richard Helppie  

I was in a venture and one of my investing partners there, one of their companies, got hit with ransomware. And for my audience who doesn't know what ransomware is, your network is seized and you've got to call this number and we'll give you a key to unlock it and there's a payment. They had to pay in Bitcoin. To look at how organized they were, the cyber criminals had a help desk to help transfer the ransom in. They were that sophisticated. Obviously, it was fairly lucrative. They're mostly offshore:  Russia, Brazil, I believe China. So ransomware, tell us more about that.

David Behen  

So the bad actors are trying to get your information and trying to get your data as an individual. But as they look at companies and those kinds of things, they'll attack you with phishing email. When you click on it, it'll drop ransomware on your system. Ransomware actually has evolved, not only do they have help desks, they're like a little organization, the ransomware has evolved to where it's dual extortion. So what happened to your friend was that they locked his network and they say, if you don't pay me in a certain amount of time, I'm going to delete all your files. Well, a lot of organizations in the world now have evolved a little bit to where they're a little bit better at their backups, they're backing up their data in the cloud, or in some kind of off network location. The bad actors actually are very good [they say] great job, you did really good traditional ID, but we've stolen your data now and we're going to drop that on the dark web and you're going to be liable for that. And so that said, dual extortion, that's becoming really bad these days, you're seeing that happen all the time. It doesn't matter if you're a big company or medium sized company or small company, they're coming after you. 

Richard Helppie  

Because there's a market for that information. Somebody wants to buy it on the dark web. I think there'd be some obvious things, like bank records and that type of thing. What else are they after?

David Behen  

So think about it, they're going to look for your social security number, your credit cards, your identity, your health records, anything that they can use that they can sell on the dark web to other bad actors, so they can exploit you, they can go into those holes in your digital persona and start attacking you that way. That's what they're going after. They're very successful at it and they're very good at it. I think you were bringing up China, you're seeing that the ransomware groups are mostly in Eastern Europe or South America. But those in the nation-states - China, Russia, Iran and North Korea - they're really active as well.

Rick Snyder  

And these are large organizations. You both mentioned it to some degree, but literally they now have HR departments in addition to help [desks]. They publish openings, position openings, recruiting, they have full blown...they're just like a multinational corporation, some of the bigger organizations, and it's gotten worse. One of the things that we've seen that really concerns us and our whole team now is even more horrific. The worst case that I can think of was there was a school district that was held for ransomware, and not only did they suffer through that, they didn't respond particularly well, they didn't get notices out to parents and students who may have been hit. And the tradition was even the bad guys had certain standards of how they behaved where typically they put it on the dark web. Well, since they didn't pay and stuff, the bad guys went out and posted the worst files possible on the open web. They put out the disciplinary files, the mental health records they had on students. So can you imagine that the school district had what the parents and the kids know and you go home from school and you see that now your kid's prescriptions are up there, what they may be on, did they attempt suicide - that now is publicly available, that all their friends and family can see. That's horrific.

Richard Helppie  

Malicious, at a different level. I know protection is hard. We used a very good company out of San Antonio for many years, called Rackspace, to manage the exchange server. Just about a year ago they got hit with an unresolvable ransomware attack. And I know they have all sophisticated backups, they had every layer of protection you could get, they never could bring that service back on line, millions of users.

Rick Snyder  

One of the big issues...you hear about these big organizations getting hit and we could list a whole bunch that have all been hit - the University of Michigan got shut down for three days at the start of the semester, so these big organizations are getting hit - but what we did with SensCy, our focus is the people that don't have a place to get help in terms of the traditional cyber industry. There's a big cyber industry, a lot of venture capital, a lot of great companies, a lot of really smart people. They're building technology tools that are well suited to sell or to be used by places that have sophisticated people that know how to take multiple tools and put them together to protect themselves. What happens to the small organization that doesn't have a full time security person or even a full time IT staff? So we built SensCy to say, let's help the unprotected, let's try to find a way to go out and help them. Because there are half million of these medium and large organizations, there are six million organizations that are for profit, not for profit, governmental, that we think we can really make a difference for. That's why we're excited to do this. This is a calling in addition to a business.

Richard Helppie  

So as small as like the local bakery, or, as you mentioned, school systems, which clearly need a level of sophistication. Bring some of this to life. Are there some examples of places that had cyber vulnerability that they didn't think they had an answer for?

David Behen  

I'm glad you brought up education, because education is now the fifth most attacked industry in the world and it's only increasing. So education, for sure, is one of those areas that we're working in. But we work with all different kinds of organizations. We work with companies in California who make commercials, we work with companies in Massachusetts who are trying to cure cancer, with private equity and venture capital in other states. Anything from law firms, accounting firms to nonprofits, to education, we go all the way across. One of the other ones is software development firms, software and software shops. Everybody who you described earlier, everybody's on the internet and if you're a small or medium sized organization, you're a digital organization in any way, you are a target. We work with a lot of manufacturing companies. Manufacturing companies somewhere in mid-Michigan or Upper Michigan think, nobody wants to attack me, I'm a medium sized small company in mid-Michigan, nobody knows I exist. Well, you're on the internet and if there's a door or port open in your organization, those bad guys are looking to go through that.

Richard Helppie  

Talk about those doors and those openings. Surely they don't have human beings sitting down trying to look for them. How do the cyber criminals locate the target?

David Behen  

They have some great software, they have a bot that is just...I call them drive-bys. They're just driving by and then pinging to see if anything's open. Once they see something's open, they get really interested. They go in and then they start to do a little intelligence gathering. We're seeing this in every industry, all over the world.

Rick Snyder  

Now the other thing, Rich, and you know this because we all get it. Every person watching or listening to this is getting phishing email, the kind that says here, here's a chance to win a Yeti cooler. Here's the chance to say there's something really urgent and this offer is going to expire and here's something you can do. All those are traps, trying to get you to click on some attachment or something.

Richard Helppie  

There are some very clever ones that I've been personally bombarded with. It's like, oh, here's your payroll record or your payment went through, and they've spoofed my family office URL. So it looks like it's coming from that; obviously a very small operation. I know it's not good. But I could see if you were running a 20 person company, and it looked like it was coming from your company, you might click that.

Rick Snyder  

We're getting all the time. And that's more than email now. Now you've got to be ready for text messages and voicemail even. We actually have in our company where they tried to get us; I mean, we're cybersecurity, but they would get a kick out of getting us. But we have people that are on our team, they get a text saying - this is from me - please go out and buy a bunch of gift cards. I've got an urgent need, I can't do it myself, go out, buy a bunch of gift cards. If anyone asks you to buy a gift card, be worried, it's probably [cross talk] sounds too good to be true or super urgent. You have to build in an extra two or three second response to say, before I click this - this could be really important - but let me check it out first. Let's hover over the address. Let me look at a couple of other things. If it doesn't seem right, don't do it.

Richard Helppie  

Get one letter off; one of my ventures - and it went through several people - it looked like the chief operating officer telling the CFO to give them some payroll data. It went through three or four people saying that it looks suspicious, one person said no, I'll take care of this right away before the weekend starts, and just handed over a lot of information to a cyber thief.

Rick Snyder  

Yeah, that's what they try to do. They know Friday afternoon, someone may be trying to get out on holiday. Anything that could be urgent that way, you have to be worried. If you're a finance or an HR person, you have to be particularly concerned about the email you're getting. Because the common one - if you're an HR person - is I've changed my bank so my payroll deposit number is now this instead of this - be careful. Finance person, any kind of wire, in particular if you're transmitting money, I would get that verbally confirmed or double checked.

Richard Helppie  

So that's a good take home value there, if you're sending a wire transfer to make sure that your financial institution has to call and get a voice confirmation. Now I understand with the AI they can steal your voice and make it sound like you too. I don't know how sophisticated that is yet but still it is a measure.

David Behen  

It's starting to get pretty good. Deep fakes are getting really, really well done. But the point you just made about the institution calling you? Well, you might want to call them and you might want to make sure you look up their number and not just take the number from the email they sent you because they're actually putting - like you were saying, their call centers - a fraudulent number. They tell you to call to verify, when you call that number you're calling the bad guys help them. So there are several steps you can take to really protect yourself. Like you said, it's just take a couple extra seconds, take a deep breath, take these extra steps. For the most part, you've got to be protecting yourself and your company.

Rick Snyder  

There are two or three things, Rich, that we would clearly put on everyone's list to do, to check out. Passwords, the classic there is never reuse a password and we find most people are using the same password more than once in some contexts, really bad idea. Because if the place where you use that password gets hacked or the bad guys get it, they know that password now, they know who you are, they're going to try that password now on every kind of account they can find out about you.

Richard Helppie  

Or just randomly be done digitally, you'll take that sign on password combination and just maybe get a hit, it cost them almost nothing.

Rick Snyder  

Never reuse a password, come up with strong passwords - those alphanumeric things - longer is better. And again, this can be a burden for people because you may have a lot of passwords; get a password manager.

Richard Helppie  

One of the things I was going to ask you about, password managers, wouldn't those be easier to hack? How does somebody protect the access to the password manager, which has all your passwords?

David Behen  

There are a couple of reasons why we recommend password manager. First of all, I can't remember them all. I do a talk where I say - in front of hundreds of people - don't reuse your password. When I say that I can see people in the audience who are reusing their password. They've turned pale or they mouth to the person next to him, I'm doing that, and start writing down feverishly. But password managers allow for you to have complex passwords, unique password for everything you're signed into, and it's encrypted. It's military grade encryption. There are several different layers they build into it. Now nothing is...I will never say nothing's breakable, but the password manager's done well and there are a few of them that are really, really, really well done. They are a really good, safe way of keeping your passwords.

Rick Snyder  

Just make sure you keep your password for your password manager.

Richard Helppie 

That's what I was concerned about was that.

Rick Snyder  

Make sure that's complex and don't lose that.

Richard Helppie  

Right, because if I'm a cyber thief, I'm going to say, Mr. Behen, you need to reset your password and I'm your password manager and now I've got your password into everything.

David Behen  

In those situations right there, take a deep breath, take a few seconds, your password manager is not going to call you and say you need to reset your password. Never going to happen.

Rick Snyder  

So other things you should be doing in terms of turning on multi-factor authentication or two factor authentication...

Richard Helppie  

Tell our audience what that is, for people that aren't familiar with two factor authentication. 

Rick Snyder  

That's basically the common one. This is where you turn it on and it says, we want to send you a text or an email to your number, in addition to you putting in a password to verify. Usually it's a text, and it'll be a code, then you have to enter that within a certain time frame to get in. You should have that on whenever possible. Two factor authentication is a really good thing. We really encourage people to do that whenever possible, so there are simple things. The other one is your software, make sure automatic updates are turned on. Most people don't have them turned on and even when they are turned on, don't always believe they've updated. You'll find that in all your hardware and software usually, there's a place for auto updates. Make sure that's enabled, because if you don't, then you may have an older version that the company that sold you that software has identified where there's a security hole, the bad guys know that, and they've sent me a patch to repair it. If you don't put that patch in place, you're vulnerable. So see Rich, there are a number of really simple things you can do to be safer. We tell people, no one can tell you to be safe. If anyone tells you, you're safe now, they're wrong. (Rich Helppie:  Absolutely.) Because the National Security Agency is not safe. If they're not safe, we're not totally safe, but you can be much safer.

Richard Helppie  

So we've talked two factor authentication and we've talked about the password managers, what about some of these things you see advertised, like LifeLock? What category of service is that and are those worth it?

David Behen  

I actually, I am a big believer in those, the LifeLock, Experian, all of those, because again, they are organizations who are all about securing your data; military grade encryption on those as well. What they do is they help monitor your credit cards, even your passport, your email addresses, your phone numbers, your bank account, they're monitoring everything for you. And one of the things I really like about them is - I actually use Experian, and we have a whole bunch of people, my wife, my kids are on it as well with me - what I really like about it is I can just shut my credit off. I remember back when - I think it was Equifax - if somebody got breached, they were charged ten or seven dollars to open your credit and close your credit. Now, click the button and your credit is locked.

Richard Helppie  

So if somebody is trying to steal your identity and use your identity to check credit, they run into a block. It's like no, you can't use it.

David Behen  

That's right. And then if they detect something...it's almost like a service we provide at SensCy because we're doing vulnerability scans and dark web scans for our clients, when we detect something, we alert them and they do the same with those.

Rick Snyder  

So our company actually does that for these organizations. We do it for the organizations where these other companies tend to do it for individuals. And they're all good things to do. They're really important things to look at. One other one that I'd mentioned in particular is if you travel and want to be online. So this is about getting a virtual private network, VPN. Many, many people don't have this. If you've got an open network somewhere, the bad guy can often try to be getting in your system. If you don't have a virtual private network, and the classics are airports, you shouldn't be on an airport open network unless you're on a VPN, it's a dangerous thing. A VPN is relatively inexpensive to get.

Richard Helppie  

I use a product called Nord VPN, I know there are others out there. And for our audience, if you get hacked, all the bad guy can see is the tunnel out to the VPN, they have no idea where you're going, it's an encrypted route. It's kind of a roadblock. The virtual private network is not expensive. What about the vulnerability differences between going on airport Wi-Fi and/or just accessing the internet off your cell service? Are you better protected on the cell service or not?

David Behen  

No, I highly recommend a virtual private network whenever you can or tethered to your own device too, I'd never jump on the Wi-Fi at the coffee shop or the airport or the hotel. Even though they may...some are starting to say network secure, I don't believe it. There are smarter guys, there are bad actors out there who are going to do something. I always tether to my phone or my iPad or something like that and then I jump on a VPN, a virtual private network - this guy is the acronym police, he doesn't let me use them.

Richard Helppie  

Those of us who have been in technology, we don't realize how often we're throwing around acronyms until someone's like, stop it.

Rick Snyder

Unless you tell people, it's like you think that cyber people are from Mars or something, a different language.

Richard Helppie  

Guilty. So on the VPN, I do a lot of work on my phone or on my iPad, and I will just be onto the cell service and I turn the Wi-Fi off. My understanding - correct me if I'm wrong - is that it's harder to intercept that cell signal, not impossible. What's the vulnerability for places that block you from using your VPN? Ticketmaster, by way of example, if you're behind the VPN, it thinks you're a hacker. There are a lot of them out there, what's going on in that cyber battle?

Rick Snyder  

Well, again, they're trying to protect themselves. What I'd say is, again, hopefully you don't have to buy those tickets at the airport when you're on a cell system. So this is where you're going to find these conflicts, you just have to work through the challenges there.

Richard Helppie  

Okay, so we're talking about VPN, we've talked about Experian or LifeLock and we've talked about two factor authentication. Some of the things too...and Dave, I've had the pleasure of hearing you speak about this, and there are ruses. There are things that are obvious - someone gets an email - what's the right thing to do when you're looking at an email and it says, click here? What do you do?

David Behen  

When it's obvious phishing and says, click here?

Richard Helppie  

Yeah, or it's not so obvious. How are people penetrating these networks?

David Behen  

So first of all, if you get an email that is out of the norm, maybe some grammar is wrong, it [has] spelling errors, or it's asking you to act quickly on something that is not normal. Delete it, just absolutely delete it. There's no reason for you to even interact with that. I have people sometimes who will say, well, I'm just going to mess with them, and I'm always like, don't do that. Just delete those.

Richard Helppie  

There's not really a human behind it, you're not going to mess with it. It's an AI bot...if you don't know, [that is] artificial intelligence, sorry, Rick [laughter]. Sorry to go on there.

David Behen  

If you don't know who it's from, just delete it, just get rid of it and move on with your life.

Rick Snyder  

You find these all the time. I got one yesterday, actually, my wife, Sue, got it first. She got it from an organization that said we had an alarm go off, a Telco alarm, so she was concerned. She sends it to me and I go check out the address. This one was easier than I thought, because it was a legitimate address, but it was for an organization of Bulgaria. I was like, I don't think we really have an alarm monitoring system with the headquarters in Bulgaria, so this is one just to delete. So again, you get them all the time. You just have to be extra thoughtful about checking them, and it can happen to anyone. Another group, though, I would mention that are like that, but they've gotten so sophisticated, DocuSign. They're now spoofing or making a fake DocuSign on you. So if you think about it, you just bought a house or you bought a beautiful condo, the closing is in the paper. That's public information. The bad guys may get that list to say, okay, you've closed on this condo, they know the address so they'll send you something to say, congratulations, it's so exciting you got this place, you just forgot to sign this one form, so please complete the DocuSign.

Richard Helppie  

I actually got one of those at one time. I deleted it.

Rick Snyder  

It looks very real.

Richard Helppie  

Oh, yes. If I'm not expecting to sign a document, I don't touch it. Someone's going to have to tell me it's coming and then I will deal with it that way. These guys are ingenious about getting in and they can drain your bank account. They can steal your identity, they can take your sensitive personal information. You made mention that one of the places they go is the dark web. People hear the term the dark web and it sounds scary and it is, but our audience is more of a lay audience. Can you just explain what the dark web is and what's going on there?

David Behen  

The dark web is the underground of the internet, where bad actors trade and sell information:  personal information, credit card information, health records. It's where they barter and sell that information. The dark web actually was originally developed for research but the bad actors really took it.

Richard Helppie  

It's dark, because I can't get it on my browser.

Rick Snyder  

You have to know how to get there and the people on there are anonymous. I mean, they're using some identifier but you don't know who they really are. This literally is a different world that you need to worry about. One other area, though, I would mention to you Rich, that we encourage people to look at - especially organizations - is what's your incident response plan? How do you respond if you have a problem. Because we've talked a lot about it and if you look at the best practices framework put out by the federal government - that we emulate - we actually encourage people to do this. Our practice is...there's like prevention, detection; see the bad stuff, stop the bad stuff coming in. Again, you can be safer, you can't guarantee something bad won't happen but what happens if the bad thing happens? Do you have an incident response plan to say this is how we respond, this is what we do, this is how we recover. How do we deal with this? So it's recovery and response.

Richard Helppie  

Are these services that small and medium sized businesses can buy from you as a package?

Rick Snyder  

We package this as part of our whole solution, where we try to help with that whole framework. One of those elements is this incident response plan. That's a template. You start to fill in who are your emergency contacts? Where are your backups? Where are all these things ready to go? Because the analogy I give people...it's like, it's funny to watch people's reaction when you put it in terms they are used to understanding, like, do you have a fire evacuation plan for your business? And everyone goes, yeah, we've got a plan on what we do if we have a fire. I said, okay, you're in Michigan, are you ready for a tornado? Or if you happen to be down in Florida, do you have your hurricane evacuation plan? Then I say, do you have an incident response plan for cyber? They go, huh? And it's like, okay, now let's talk about this. What's more likely? Are you more likely to have a fire, to get hit by a tornado, or to actually have a cyber incident? And everyone goes, well, the cyber one is the one that's really going to happen. So you've got this backwards, you've got plans for the things that are less likely and you're unprepared for the likely.

Richard Helppie  

If you're a heating and cooling company and you've got lots of trucks on the road, you're directing your technicians, you're ordering parts, you're having your customer sign invoices - it's all digital - it goes dark because you just got hit by a cyber attack.

Rick Snyder  

But if you have good backups, you know where they're at, you know how to restore, you know how to do all those things, you can make a huge difference.

David Behen  

Yeah, that incident response plan is really critical. When I talk to small, medium sized organizations I talk about that because it'll take that bad day and make it a bad day or days, but not a bad week or weeks or months. That's why the incident response plan is so critical, because, as you said, everyone has a business continuity plan but that leaves cyber out, and that cyber is the one thing that, right now, can stop your business in an instant.

Richard Helppie  

Two questions here, one about cyber insurance and the wisdom of that and then, secondly, but not related, my understanding also is some of these bad actors will go and infiltrate a network and actually go and put bad code into the backup file so you can't get your backups back either.

David Behen  

So for that first, yes, some of the more sophisticated groups, they will corrupt your backup but there are tools now, there are things you can do to help remediate that. I put it this way, if a bad actor really is coming after you and they're very sophisticated, it's going to be tough to stop them. But there are things you can do to remediate it and be back up quickly. That's why we work with small and medium sized organizations to make sure they understand these really common sense solutions you can put in place to really help protect your company.

Rick Snyder  

And then insurance, to go to your point, we recommend to get cyber insurance, it's a good thing. I mean, that's another layer of protection to help you come back if you have issues. The issue with cyber insurance though, you have to be really careful. It's not a simple field to get cyber insurance. In a lot of cases ransomware may be a separate policy so even if you get cyber insurance you may not be covered for ransomware. So that's a whole issue. The other part that we try to help our clients with is filling out the forms to get insurance. Again, they're not in English, generally. I mean, they're written in English, but it's back to "cyberease" quite often. If you don't check the right boxes, or if you check something that really isn't true, you know what happens.

Richard Helppie  

Right, they'll take the premium but you're not getting the coverage.

Rick Snyder  

Exactly. For the average small business person to even know how to fill out a form is very challenging. So that's where we help our clients, we recommend people get help to make sure you know what you're checking and it's accurate.

Richard Helppie  

So all of these small and medium sized businesses are protecting the enterprise and you're bringing forth some great services around that. I want to make sure, how do people get a hold of you if they're listening to this broadcast or podcast and they say this is something I need to do? How do they get a hold of you?

Rick Snyder  

SensCy.com. We've got a lot of great resources, back-up, that you can just go get too. SensCy.com is the place to go. One thing that we do offer, Rich, that we're very proud of, is we offer the opportunity to get a SensCy score for free, no obligation. As we started the business, we started doing SensCy scores to help our clients. That was sort of the cyber health evaluation. It's a half hour long interview or less, it's 39 questions, collects about one hundred and some data points. Most people can answer those questions, they may need a little help, that's why we interview them to help make sure they understand. You go through that, we'll come back and give you a score like your credit score. It's on a thousand point scale. Basically, if you're 800 or better, you're in pretty good shape and means you've understood cyber, you've done a lot of good practices. If you're 500-800, it usually means you've recognized you need to do something on cyber, but you've still got work to do so if you want to become a client, we can still help you a bunch, but you're on the path, you're making progress. If you're below 500 the three choices I tell people are watch Star Wars and learn about the Force, go to religious services, or hire somebody like us.

Richard Helppie  

I thought you were going to say buy some old Smith Coronas because you can't hack those things. [Laughter].

Rick Snyder  

If you're below 500, you're living on borrowed time.

David Behen  

What we tell everybody is just assess where you're at, it takes less than 30 minutes and if you score 400, you equate that to your personal credit score of 400 - you've got to work on it, right? So it becomes really tangible. It's an easy way to start looking at cyber in a really common sense, sensible way, sensible cyber.

Richard Helppie  

Sensible cyber, I like that. So one of the things I'm curious about is this, all these small and medium sized organizations are populated with employees that are individuals and they have customers that are individuals and these individuals might be in the Apple ecosystem or in Google, they've got a Gmail and whatever. Aren't those points of attacks too, on the personal level? Individuals ought to be thinking about their own cybersecurity?

Rick Snyder  

Absolutely. Again, that's going back to some of the services you can get as an individual, that's doing all the things we talked about; the passwords, the auto update. All these things that we talked about are equally applicable, whether you're an organization or you're a person. When you talk about organizations in particular, it's interesting that small organizations...what we're seeing are big companies now, their greatest threats are going to be the smaller organizations. Because the bad guy is seeing they're spending all this on defense - the big organizations - it's going to be easier for them to go through and sneak up through the small companies if they're in their systems at all. So this is only going to keep becoming more challenging. If you're a small organization, you don't have a good place to hide. I mean, you can believe you're going to hide for a while but do something. We tell people a lot of this is changing a culture from passive to active regarding cybersecurity. We're honest about this; cybersecurity is never going to be your number one priority until you get hacked. But it needs to be a priority on your list of priorities. I told people I'm on my fifth career, I never thought I'd be excited to work in a company where my key goal is to help people sleep better at night. I don't sell pills or mattresses or Ambien but the goal is to help people sleep better at night. So a lot of this is to say it's cultural, too often people think this is all techy and all tech tools.

Richard Helppie  

To your point about something attached, when we had outsourcing contracts, nothing got on the network. Well, one of the small dietary departments in a hospital went and bought a system and attached to the network as a rogue connection, had a worm in it. I mean, we got it quick, but it was somebody attaching something foreign. That's why I think about the individuals. One of the questions is if you're using Microsoft Exchange or Office 365 and you get something that says you want to report this as junk or you can say this is a phishing attempt, does anything actually happen to that stuff when you report that out?

David Behen  

It does. If you're part of an organization and you're doing like Microsoft 365, and you had the report phishing button, clicked it, it will go to either your small IT team or your managed service provider. They actually look at it, they quarantine it for a minute, they'll check it out. But it's a really good point, though because if you have a report button and that [email] doesn't look good, hit that report button.

Richard Helppie  

I always do the report button. I will say that Rackspace, when we were using them, they were really good about following up. I'd send them something and they'd say thanks, that's a new one we haven't seen.

David Behen  

They're looking at it, they're going to peek at it.

Richard Helppie  

They're good company. Gentlemen, we've covered a lot today, what didn't we cover that would be important for the listeners, the readers and the viewers of The Common Bridge?

David Behen  

I want to say this again, cyber is never going away but there are certain things you can do, not only to protect your company, your organization, if you do those same kinds of practices at home, you're protecting your family, too. It's one of these things that's never going away. That's why we're really excited about starting SensCy because we want to educate, part of our mission is educate the world in cyber. Take a couple extra seconds, take a deep breath, slow down, and make sure you know what you're doing.

Richard Helppie  

Sounds great. Now, imagine that you were called today by a small group, let's say the president of the United States, the head of the Department of Homeland Security, and I'll throw in the Treasury Secretary for good measure. And they said, Gentlemen, what national or state level policies do we need about cybersecurity? What would you tell them? 

Rick Snyder  

One of the first things to do is to say, broaden the discussion. Again, just as we said, it's a human issue. 80-90% of the breaches are due to humans being involved in it and it is having an active versus passive culture. Nationally, we treat it as a passive culture. There are some really brilliant people that are doing cyber stuff at the national level. But if you look at the dialogue, it's all about them talking to other cyber people. Not much is really...it's about talking agency to agency or about talking to government or talking about their big suppliers. There should be an educational awareness thing for the average citizen just going through the list and making it much more visible. We do have Cybersecurity Awareness Month, it was October. How much do you remember seeing during Cybersecurity Awareness Month? Not much. So this is the thing, we need to get word out to people and again, make it an active versus passive thing. The biggest recommendation I'd have is, stop treating it like a technical thing, or the techies, stop keeping it just in the world of people that live in this world, and help the general public understand they can be safer. This is scary stuff. Let's make it so you're concerned, but don't be scared. By taking certain actions you can live a good life.

Richard Helppie  

It's common sense things like locking your car, that type of thing. I think I saw in Oakland County, Michigan, the sheriff said that there are sophisticated rings that are invading homes, they're doing the Willie Sutton thing. That's where the money is and cyber is the same thing. And it's not just your money, it's your personal data. There's a market for that out there. SensCy.com, great place to start. Gentlemen, as we wrap up today, any final comments for the listeners or readers and viewers of The Common Bridge?

Rick Snyder  

Thanks for having us out. This is great. This is an important topic to get out to people. So we're excited to share it. Let us know if you want us to come back with other scary stories [laughter] and hopefully solutions to this subject of the story.

David Behen

We could talk for hours. Rich, thank you very much.

Richard Helppie  

Alright gentlemen, thanks very much. We've been talking today with Dave Behen and Rick Snyder of SensCy, about cybersecurity. It's a big problem today, it's going to get bigger, but you can protect yourself. You can protect your organization. Let's just make it tougher on the bad guys. And with that, this is your host Rich Helppie, signing off on The Common Bridge.

Authors
Rich Helppie The Common Bridge