Technological advances in the past several decades have been overwhelmingly positive for businesses globally. Regrettably, they’ve also exposed new points of vulnerabilities. From the alarming regularity of phishing scams to the rise of ransomware or DDoS attacks, the numbers can be chilling.
Luckily, there are steps that businesses can take to fight back. Cybersecurity firm SensCy was founded by former two-term Michigan Governor Rick Snyder, who also has extensive experience in corporate America as a venture capitalist as well as president and chairman of PC manufacturer Gateway. He, along with his fellow co-founders, CTO Dave Kelly, Chief Client Success Officer David Behen, and COO Bhushan Kulkarni, built SensCy to help small and medium-size businesses create and implement proactive cyber programs with easy-to-understand solutions.
On the eve of October’s Cybersecurity Awareness Month, we spoke with Snyder about the rise of cyberattacks, the key findings from SensCy’s recent Cybersecurity Readiness Report, and what companies can do to help protect themselves and their clients against these threats.
Chauffeur Driven: Why are small and medium-sized businesses so at risk?
Rick Snyder: Small and medium-sized organizations, or SMOs, can be easier targets because they tend to have fewer resources and fewer protections in place. They draw less attention when the attack takes place. In the aftermath, a large organization may end up in the press and get much more attention from law enforcement. But if someone’s being attacked for $20,000 or $50,000 it doesn’t draw the same amount of attention, although that’s a lot of money to an SMO.
CD: What types of small attacks are frequently overlooked?
RS: There’s no such thing as a small attack, but there are attacks that you might not notice that can be devastating. If you had what’s called a phishing attack, where you click on a link in an email that you shouldn’t have, it will quite often download software on your system. If you notice your computer working slowly, or if you’re not able to log into your system, or if you see files being downloaded that you didn’t download, those are all indicators that you’ve been hacked. That can have a devastating effect, because that can go on for days, weeks, or even months, where they collect more and more data that they’re going to use to hold you hostage or sell.
CD: Is traditional virus software effective?
RS: You should have virus protection—it’s often called endpoint protection—but you should do more. If you want to be in a safer area, there are a number of things you should be doing like multi-factor authentication. Instead of just letting you log in, it’s going to ask, can you verify it’s you somehow? Can we send you a text? That’s another great step to go along with virus protection.
CD: Your recent report found that most businesses across many industries aren’t doing enough to protect themselves. Can you explain?
RS: In many respects, it’s like they’re living on borrowed time. We made a simple scoring system—the SensCy Score—that’s much like your credit score: If you’re below 600, you’re in that borrowed time. What we found, after doing hundreds of scores for organizations, is the average is 488. So collectively as a nation, we need our organizations to really step it up in terms of better cybersecurity.
CD: How did you develop your SensCy Score?
RS: One of my co-founders came up with the concept. We wanted something easy to understand based on the federal government’s best practice framework for cybersecurity issued by the National Institute of Standards and Technology (NIST). NIST’s guidelines aren’t the easiest thing to read, so first we translated it into plain English. We assigned points to the various things it calls for you to do, and we weighted them based on what we thought were the highest priorities. To make it very understandable, we made it just like your credit score: 800 or better is the safer zone, just like a credit score of 800 or better is good. It’s a very objective measure of your overall cyber health.
CD: What should businesses be asking of their software vendors?
RS: They should be asking about their overall cyber health. Again, what’s the SensCy Score or equivalent for those types of organizations? What are their practices for notifying their clients when they have an issue? There are cases where third parties don’t always tell their users they’ve been hacked. Also, every organization should have an incident response plan, so if those companies don’t give you good answers, that’s a real concern.
CD: Most know to protect their phones and computers, but what other devices should they be concerned about?
RS: Just about everything is connected nowadays. One of the most obvious is your router or your Wi-Fi. Make sure they’re set up the proper way with the right protections. Your IT department may not have changed the password or they may still have the same password from when it came out of the box. That happens a lot more frequently than you think.
Think about all the other devices you may have connected in your vehicles. If you have cameras or other monitoring information, you want to make sure that they’re secure by having, again, good password protection. Every year, for example, in Michigan, there’s a contest where they get college students to try and hack vehicles to take control of cars. So, don’t overlook this stuff, particularly with your vehicles.
CD: What else can be done?
RS: Do an inventory of all the things connecting to your network, and then make sure you secure those with appropriate passwords or other protection mechanisms. We do external vulnerability scanning when working with clients. We’ll go out and look for holes, seeking devices they may have on their network that are unprotected. You’ll often find a printer on the network that isn’t protected appropriately, and the bad guys can use Wi-Fi to come in through that printer and get in your system. One of the biggest hacks in history was a huge multinational company that had a soft drink machine on their main network—it should have been on a separate network—and it essentially allowed the bad guys to get all their customer and credit card information.
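Inventory and external scanning are only useful if someone reconciles the two. The following is an added example, not SensCy’s tooling or anything from the interview, of that reconciliation step: it parses constructed lines in nmap’s grepable (`-oG`) format, compares each responding host against an approved inventory, and flags hosts nobody listed, ports nobody approved, and services (telnet, raw printer port, RDP, SMB, SNMP) that should not be reachable from outside at all. The addresses, inventory and scan lines are all constructed, and the inventory format is an assumption.

```python
"""Reconcile nmap -oG scan output against an approved asset inventory (added example)."""
import re

# Services that should never be exposed to the internet, whatever the inventory says.
RISKY_SERVICES = {
    23: "telnet (cleartext admin)",
    161: "SNMP (device management)",
    445: "SMB (file sharing)",
    3389: "RDP (remote desktop)",
    9100: "raw printer port (JetDirect)",
}

# Constructed inventory: ip -> (description, ports expected to be open externally).
INVENTORY = {
    "203.0.113.10": ("office firewall", {443}),
    "203.0.113.12": ("mail gateway", {25, 443}),
}

# Constructed sample in nmap grepable format; not real scan output.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
Host: 203.0.113.12 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.40 ()\tPorts: 9100/open/tcp//jetdirect///, 80/open/tcp//http///, 23/open/tcp//telnet///
Host: 203.0.113.41 ()\tPorts: 22/closed/tcp//ssh///
"""

# One -oG port entry: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_grepable(text: str) -> dict[str, dict[int, str]]:
    """Return {ip: {open_tcp_port: service_name}}; closed/filtered ports are dropped."""
    hosts: dict[str, dict[int, str]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        hosts.setdefault(ip, {})
        for port, state, proto, service in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open" and proto == "tcp":
                hosts[ip][int(port)] = service
    return hosts


def triage(scan: dict[str, dict[int, str]], inventory: dict) -> list[str]:
    """Findings a practitioner would hand to the owner of each device."""
    findings = []
    for ip, ports in sorted(scan.items()):
        if ip not in inventory:
            findings.append(f"{ip}: HIGH responds but is not in the inventory; "
                            f"open {sorted(ports) or 'nothing'}")
            unexpected = set(ports)
        else:
            desc, allowed = inventory[ip]
            unexpected = set(ports) - allowed
            for p in sorted(unexpected):
                findings.append(f"{ip} ({desc}): MEDIUM port {p}/{ports[p]} open "
                                f"but not in the approved list")
        for p in sorted(unexpected):
            if p in RISKY_SERVICES:
                findings.append(f"{ip}: HIGH {RISKY_SERVICES[p]} exposed on port {p}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_grepable(SAMPLE_SCAN), INVENTORY):
        print(finding)
```

In the constructed sample, 203.0.113.40 is the unlisted printer from Snyder’s story: nobody inventoried it, and it answers on telnet and the raw print port. The mail gateway is listed but has RDP open that the inventory never approved, which is the kind of drift an annual review of the approved port list is meant to catch.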
CD: Wow. Do you have recommendations for an effective password?
RS: Complexity is important, so it should include both upper and lower case and special characters. Also, never reuse a password. That’s one of the greatest mistakes you can make because if you happen to get hacked, the bad guys may try that password against other accounts that you are likely to have.
CD: What impact is AI having on cybersecurity?
RS: AI is already changing cybersecurity dramatically, and it’s going to continue. Attacks are only going to get faster and more complicated. The illustration I’ll give you is a phishing email. In the old days, all of us could spot them quite often because they would be written in broken English or wouldn’t make sense. Now, with AI, the bad guys are creating well-written emails to try to get you to click on stuff, so you have to be better trained to spot those things.
CD: What’s the first thing to do if you’ve clicked on a malicious email?
RS: Call for help and get experts to come in and address the issue.
CD: Should they power down or unplug from the internet?
RS: The best thing is to call for help. Sometimes powering down can be good to do; but in some cases, it can be bad because you’ve erased the way to track back and see what’s happened. Get somebody who’s knowledgeable to that computer as quickly as possible, so they can make the right assessment on the next steps to take.
CD: How should a business handle a ransomware attack?
RS: That’s a tough question, because it depends. What I would say is before the ransomware attack, it’s critically important to have an incident response plan. It’s the plan you put into action as soon as you know you’ve been hacked. Without one, companies typically are down for 22 days—over three weeks! If you have a good incident response plan, in many cases, you may only be down for 24-48 hours. We ask, do you have a fire evacuation plan for your business? Do you have a hurricane or tornado plan? Now what about a plan for a cyberattack? Only about 30 percent had one, according to our report. Of all those things, what’s most likely to happen? It’s going to be a cyberattack.
CD: How often should the plan be updated?
RS: You should do it at least annually. And if you have major changes in staff, your insurer, or other events that relate to cybersecurity, you should update it when those events happen.
CD: What are your thoughts on VPNs?
RS: Virtual Private Networks are very important to have, especially if you have people working remotely. What a VPN does is create a safe, encrypted tunnel for your communications. If you’re on an open Wi-Fi, other people may get your information that way. One of the worst examples is airport Wi-Fi because it’s so wide open. You should only connect through a VPN.
CD: What about cyber insurance? Is it worth the cost?
RS: Actually, it’s not as expensive as people imagine. There’s a cost to it, but if you want to be safe in the cyber world—safer, because no one is completely safe—you do a layered approach. We help companies identify their issues and challenges for better detection and protection. The next level is response and recovery, which includes the incident response plan. And beyond that would be cyber insurance, which could help with bringing in technical resources. It’s a good thing to have, and the market is becoming better than it was.
CD: You mentioned remote workers using VPNs. Is that enough?
RS: In a perfect world, you’d have people using separate devices for personal versus work, because quite often, if they’re doing personal things on work equipment or vice versa, that can be a backdoor way to get into the company.
CD: If a business’s data has been compromised, how should they notify their clients?
RS: In many cases, one of the first calls you’re going to end up making will be to your legal counsel and insurer, assuming you have cyber insurance, in addition to someone like us who is already helping you. It varies by state in terms of the notification requirements, but you want to make sure you comply because the penalties and the alienation of customers can be significant. This just shows how complex things can get.
CD: What three things do you recommend every business do?
RS: One of the first things is to get a SensCy Score, or an assessment like that, to give you an understanding of where you are today compared to where you need to be. The second step is training your team. About 90 percent of attacks involve a human so it’s critically important you have what we describe as an active cyber culture in your organization. Cybersecurity will never be your number one priority until you get hacked. And the third thing would be the incident response plan.
CD: What is the most important piece of advice you would offer?
RS: Do something! It goes back to having that active cyber culture. The way I describe cybersecurity—because it’s an alien and scary concept to most people—is to think about it like being a diabetic. Diabetes is a chronic condition that isn’t going to get cured, but with diet, insulin, and exercise, you can live as good a life as anyone else. Cybersecurity is the same kind of way: It’s a chronic condition that isn’t going to go away, but if you do the things we talked about, you can live a safer life and sleep better at night. [CD1024]
Q&A With Rick Snyder Co-founder of Cybersecurity Firm SensCy