
What's the Startup?!
Welcome to “What’s the Startup?!”, the podcast that opens the door to the dynamic and ever-evolving world of startups in Western Kentucky. Whether you’re an aspiring founder with a groundbreaking idea, a go-getter business owner looking to scale, or simply curious about the entrepreneurial landscape, this podcast is for you.
Each episode, we sit down with seasoned entrepreneurs, successful founders, and gifted mentors who have navigated the highs and lows of the startup journey. They share their stories, insights, and hard-earned lessons, giving you a front-row seat to the strategies that drive success.
But it’s not just about the stories—we’re here to provide you with actionable advice and practical tips that you can apply to your own venture. From overcoming challenges to seizing opportunities, “What’s the Startup?!” is your go-to resource for turning ideas into thriving businesses.
Join us as we build a community of innovators, thinkers, and doers in Western Kentucky and beyond. Subscribe now, and get ready to unlock the secrets of startup success!
Don’t Click the Link: Cybersecurity for Startups with Dr. Michael Ramage
In this episode of What’s the Startup, we sit down with Michael Ramage, Director of Cyber Education and Research at Murray State University, to tackle one of the most overlooked yet critical topics for startups: cybersecurity. Michael breaks down why small businesses and startups are prime targets for cyberattacks and shares practical, low-cost steps you can take to protect your business today.
From avoiding phishing scams (seriously, don’t click the link) to setting up two-factor authentication and backing up your data, Michael lays out a clear, no-nonsense approach to managing risk without breaking the bank.
Note: We had microphone issues during this recording, but this conversation is too important to leave out of the podcast lineup. Please bear with us as we work with the audio we have for this episode—you won’t want to miss these valuable insights!
Key Takeaways:
• The #1 mistake startups make that opens the door to cyber threats
• Why password managers and two-factor authentication are non-negotiable
• How to define and protect your most valuable assets
• What small businesses can learn from “honest bad guys” (yes, they exist)
🎧 Tune in and start securing your startup—because the cost of ignoring cybersecurity is too high.
Thank you for tuning in to this episode of the Sprocket Podcast! If you’re ready to dive into the world of startups and innovation, visit us online at Sprocket WKY to learn more about our mission and how we support entrepreneurs like you.
Ready to check out the space? Book a tour with Tiffany, our Community Coordinator!
Got a business idea? Apply for a mentorship session with one of our experienced mentors!
Stay connected and join our growing community on Instagram for the latest updates, inspiration, and behind-the-scenes looks at what’s happening at Sprocket.
Let’s turn your ideas into reality—together!
Sprocket is proud to be supported by Team Kentucky, the Commonwealth's Cabinet for Economic Development. Learn more about their initiatives and resources at ced.ky.gov.
Kaylan: Welcome, Michael. Thank you so much for joining us today on What's the Startup.
Michael: Thank you very much. Happy to be here.
Kaylan: Introduce us to who you are and what you do.
Michael: Alright, my name is Michael Ramage. I'm the Director of the Cyber Education and Research here at Murray State University. In my role, I teach a little, help recruit a little, do a lot of outreach, work with our alumni. My passion, and probably the part of the job I do the most, is working with our region and across the commonwealth with groups and organizations that need help with tech, need help with cybersecurity issues. Whatever it is that I can do to help grow our region from a tech standpoint, I have a tendency to get involved.
Kaylan: I feel like, so here at Sprocket, obviously we're working with startups and small businesses every day. I feel like cybersecurity is probably something that is an afterthought, or maybe even worse, a thought that comes when you really need to think about it. Tell us why this is such an important topic for small business owners.
Michael: Yeah, so security, whether it is a startup company that has one or two staff members, or it's a thousand-person organization, security does not necessarily always bring increased value to an organization. It's a cost. It's not a revenue generator. So people don't think about it until it's too late. Some of the largest county governments in the country got hit with cyber attacks. They spent a lot of money, invested a lot of money in cybersecurity now, but they should have done it before. So when a small business or a startup is really just getting going, you have only so many dollars. How do I allocate those? And security is so easy to just, we'll get to that. And that's what happens so often, is that we just get to, we'll get to it later.
Kaylan: And how do you start? I have so many questions, but how do you start to allocate that? What are some of the biggest opportunities?
Michael: So I'll say there are statistics that between 93 and 98 percent of cyber attacks happen because of the human element. So that is you taking the time to slow down and reading an email to make sure that it's legit. Yes, you're a startup. Yes, you need money. Yes, you're trying to find capital. But not every email that says we have capital for you is a real email. So just taking the time to slow down, and before you click that email, see if it's a real, legitimate thing. Knowing whether or not somebody that's calling on the phone is legitimate. Just those basic steps. I know startups, their hair's on fire, they're trying to get things as fast as they can, and they're quickly going to click yes on that email. That's how most threat actors are getting into organizations, through somebody clicking an email. If you invested as an organization thousands, hundreds of thousands of dollars on the most secure network that you can have, all of it can be undone by you clicking the link in the email. So think about a castle that has the moat and the bridge and all the things, but you open the door and let the bad guy come in. That's essentially what you clicking that email does, because you're opening that door from the inside out. And so just that basic thing is going to help a lot. Another piece that would help a small business a lot is better password security. And I feel like a broken record talking about passwords, because first of all, long passwords that aren't reused, it has to be unique. But then the second part of that is that you have to use two-factor authentication. Your bank, I'm sure, has it. Your Gmail account has it, your Facebook account has it, your X account has it, LinkedIn has it. All of these systems have it to where they will send you a text on your phone or you open an app on your phone. That right there will also eliminate a large number of attacks. So those two things are probably free already.
They're just inconvenient and it's about time.
Kaylan: I guess it's more inconvenient to get hacked.
Michael: Once the bad thing happens and then you realize, oh, I wish I had done that. And it is absolutely inconvenient. There's a tool that I have, I keep it on my backpack as a prop. The whole point in it is a metal piece that fits in your seat belt lock. So for people that don't want to wear their seat belt, you can stick this thing in the receiver so that your car will quit beeping as if you put your seatbelt on. It's like we have a product to bypass the safety feature of your car. And that's the problem with security, is that we're going to go out of our way to make it more convenient for us. And every time we do that, then it impacts security. So really, security, technology in general, is a balancing act. Usability, security. The more usable it is, the less secure it is. The more secure it is, the less usable it is. So where is that balance for your organization?
Kaylan: What are some of the biggest threats to small businesses today? What's behind the veil? I think of cybersecurity and I think people in hoodies who are just trying to get into my email, but I'm sure it's so much bigger than that. What am I actually thinking about with cybersecurity?
Michael: So in the cybersecurity world today, over the last few weeks there's been news about a group, a nation state, that has been hacking telecom switches to get into devices of President-elect Trump's inner circle. So they've been hacking their phones through the telecom networking. That's not something that most small business startups are going to have to worry about. We're not talking about that. But outside of those nation state attacks, it's about money. It's about money, and the catch is, and this is where I think a lot of small businesses and startups "don't care about security," and I'll put that in quotes: so we don't have any money, so why are you gonna attack us? Yeah, so ransomware attacks don't take a lot of effort, because I can send out a hundred thousand emails and I just need a couple people to click on that link. But you gotta have it in context. If I send a ransom and I make you pay $50,000 in American dollars, okay, maybe you don't have $50,000 to spend on it. A company does, insurance will cover. But in America, that's not a lot of money. In Ukraine, and I saw this analogy, their average salary is less than $5,000 a year, or annual income for a family. So if I am a hacker in Ukraine and I can get you to click the link that forces you to pay a $50,000 ransom, that's a 10-year salary. That's life changing. So it is all about money. The threat is about money. There's two aspects of it. It's money and data. And really they're stealing data to build and make money. So when we think about the threats out there, all of these threat actors, all these bad guys, are trying to get into our networks to force you to do something that is going to make you pay ransom, or they're going to sell your data on the black market. And the value of that, this is really sad, there's so much data out there now that the value of that data has gone down.
There was a data breach, a national public data breach, that happened over the summer. And I forget the number. It was 175 million Americans had their social security numbers exposed. And it's just one of those things. It just is. But it's once in a time, third time. I actually pay for a service to let me know anytime they see my data out there. All my credit is locked. I get notified anytime somebody looks my name up. If my phone number, if my bank accounts, if any of that information is anywhere, I will get alerted. And I get alerted more often than I would like. And I have not had my personal computer compromised. But the other part, and I would say this is true for startups and small businesses especially, is that I don't have the ability to have my own accounting system. So you pay for that. I don't have the ability to have four servers to do X, Y, and Z. So you use the cloud for that. So that means we're trusting that the cloud providers are going to do their job as well. And that's where the problem is. Because if I want to steal data, if I hit you, then I will get your data. But if I can hit AT&T, I can get all their customers. And so there was a breach, I guess it was in April, March, April: Ticketmaster, AT&T, and a number of other big companies all got compromised. They all got compromised because they were on the same cloud provider network. That cloud provider was compromised and they just went from tenant to tenant. So from a small business standpoint or a startup standpoint, we have to rely on those types of providers because we just can't afford to do it otherwise, nor would I recommend it. But when you're thinking about it, that's still a security element that has to come to mind.
Kaylan: What are all the tools that you use that we can be using?
Michael: First of all, I use LifeLock for monitoring. There's a lot that are out there. I went ahead and paid for LifeLock for my family. So we monitor for all of us. One of the things that I highly recommend is a password vault, a password manager. Let me put it in context. If you're using your bank password and Facebook is the same password, if Facebook gets hacked, the bad guys are going to immediately take that username and password combination and use it with everything they can. And it's automated, so it's real fast. So if your bank password or your email password are the same as your Facebook password, and that system had a password data breach, then essentially all your passwords, everywhere you've used that, is no longer safe. So the uniqueness of the password is really important. I have 700 passwords, and I can't remember all those. So I use a password manager. And I do it in a secure way. There's a password to get into the password manager. But that's one password I have to remember, not 700. So those two tools, my very first thing I would say are to do those two things. If you are the victim of a data breach, then you're going to get Equifax credit monitoring for a couple years or whatever, one of the three credit bureaus. That's fine, but I like to take it a step further and just be extra safe. So those are the first two things that I would say. And they cost not much. You can do both of those things for less than, I don't know, $100 a year.
Kaylan: What's the number that you use? Is it LastPass?
Michael: I use 1Password. LastPass works. I am extra security conscious, so on 1Password, I don't actually use their cloud. I use my personal cloud. So it's on my phone. It's on my iPad. It's on my computer. It's everywhere on all my devices. So I can get access to all my passwords. But it's not stored in 1Password's cloud, it's stored in mine.
So now if you break into my cloud, you're going to have to be looking for my password file. But even then, it's encrypted, and you have to have a password to get in it. So there's a couple of layers that I use, but frankly, all of those are better than nothing. So those are the couple of tools that I always recommend to people to use, because I think those are certainly helpful. And I guess the one thing I would say to a small business or startup, and this is true for local governments, Paducah has a department for IT, but a lot of governments don't and a lot of small businesses don't, a lot of startups don't: if I can help point them in the right direction, I am always willing to do it. I'm not an IT company. I'm not a security provider. We have a ton of really good ones in our region. Actually, we have more strong IT companies in our region than our population says that we should. But if they want to talk to me, because I'm not trying to sell them something, I'm always happy to point them in the right direction.
Kaylan: That's so generous. Yeah. What about with everything with AI? I'm just imagining AI is going to, or already has, accelerated its ability to get into passwords and all of that. Is there anything that we need to be conscious of with that?
Michael: Yeah. So, if you asked me four years ago, how do you know that an email is spam or a phishing email? First of all, I don't know any Nigerian princess, so that one we can write off. But beyond that, they always said typos, look for typos, look for misspellings, look for bad grammar. And that was true. With AI, you have no excuse. You and I have no excuse, neither do the bad guys. So just on a surface, what it has done is allowed even crafting the phishing email to be better. And phishing emails are still going to be the number one way they get in. Steal your password or get you to click a link. That's going to be the number one way they get in. So it's still going to be that issue. But now their emails are really good. Beyond that, on the good side, you can utilize AI to analyze a lot of data and create some really cool tools based on the data it provides. And some of the MSPs in our region have talked with me about some of the things that they're doing. And it's really cool. It's one of those work smarter, not harder. Same thing's true on the other side, on the bad side. They're using it to analyze these same things to find better ways to attack us. Ultimately it's a business. Ultimately these are criminal gangs that are in it to make money. And so they're always reviewing their processes. And I mean it, it sounds horrible, but they're trying to make their product better every time. Now their product is distilled money from us, so it's criminal, horrible, despicable, illegal activities, but they use Salesforce. They're using all these tools. Wild, and because it is a real business for them. It's just illegal.
Kaylan: They've got SOPs.
Michael: They do, they really do. For example, states have started, Kentucky's not one of them yet, but some states have started making it illegal for you to pay a ransom. So if you get hit with a ransomware attack, you cannot pay. Or it's strongly discouraged. Somewhere like North Carolina, local governments aren't allowed to pay. Private sector can do what they want. But where they're really being discouraged, you're like, okay, so what do we do to make it more likely that you're going to pay? I know, we'll steal your data. So they steal your data, then encrypt it. And then if you don't pay, not only will they not decrypt your data, but then they're going to release your confidential information online. So now it's a double whammy, a double ransom. Just all of those pieces together, AI makes it easier for them to collect data from you and to figure out how best to utilize it to compromise you. On the flip side, if you look at security tools, every security tool that's out there, I won't say every, it feels like every security tool that's out there has some AI element that's built in. And in fairness, AI didn't start with ChatGPT, it's just the public awareness started with ChatGPT. But it is, how do you take it to analyze a lot of data, and how do you prompt it to create usable perspectives of this data. Good guys are using it just like the bad guys. The only difference is hopefully the good guys are taking into account privacy components. The bad guys don't necessarily have to worry about that. So is AI going to make it easier to steal passwords? Yeah, I'm sure it will. Quantum computing, there's a lot of those pieces that are going to make it so encryption is not as strong. But as much as we're using it to help analyze data to protect us, they're using it to analyze data to attack us.
Kaylan: So this is a side question, but even so, if we are attacked and we see a ransom and we pay it, how do we even know that they didn't just write down our information anyway? It's still going to be out there.
Michael: So that's actually a very good question. When ransomware first started being a thing, people would ask, why would I pay? What makes me think they're actually going to decrypt my data? And the answer was, at first other people had done it and tested it, and security researchers would do it on purpose just to see what would happen. But they were honest bad guys. They were illegal, but you would receive the service that you pay for. And they were doing that. So then it became, all right, so that works. So they continued on with, if you provided a service that somebody paid for, there's trust that the next person would do it. And they actually even took it to a step where they will negotiate with you on that ransom. So someone actually put together a life cycle for ransomware attacks, and there's a negotiation component that goes into that. But then they started stealing that data and they would put it out. If you didn't pay, they would put it out. So it's, if you don't pay, we're doing this. So all of that has been true for however many years, right? It's been around eight or 10 years now. What has changed over the last couple of years is that for the most part, if you've paid, they haven't released that data. And in the past, it has been, if you pay, they'll leave you alone. That has changed. There was a survey that came out regarding 2023 data: 76%, it might have been 73%, of people that paid got hit with ransomware within the next 18 months, maybe 12 months. And half of those was from the same ransomware gang, if you will. So they did what they were paid for, but they're no longer leaving you alone. So the value to pay is really not as strong as it used to be. And when they would come back that second time, it would be for more money than it was the first time. So it's a real challenge.
Ultimately, at the end of the day, it's about stopping it from happening in the first place. And there are local governments in this region that have paid ransoms before. Organizations in this region have paid ransoms before. If you're going to even think about not paying, then you'd better have your data backed up. If you don't have a copy of your data in a place that the bad guys can't get to it, then you're almost forced, you really don't have a choice, you have to pay.
Kaylan: So what does that mean, having your data backed up? And this is going to be the most common, the most basic question, but what is the data?
Michael: For every company it's going to be different. If you're a company developing a product, like an app, that app, your only copy of the source code of the app, of whatever it is that you're developing, of the blueprints, of the designs, of whatever that you're building: if it's on your computer, and it's only on your computer, and your computer gets hit with ransomware, you're game over. You have to pay. If you have an internal server and it's saved to your computer and to your server, but you have control of your server, then what those bad guys are going to do, a lot of times, if they get into your system, they'll look for a couple days to see the lay of the land, if you will. They'll encrypt both your computer and your server. What the recommendation is, they call it a 1-2-3: three copies of your data, the original, a backup, and then another backup. At least two different mediums. So if it's on a hard drive, don't do them all just on a hard drive, do something different. And then at least one of those should be in a different location. So it could be on a cloud. It could be some sort of online backup. Or it could be saved to an external hard drive and taken somewhere off site. But if a fire happened here, then you've lost all your data if it's only here. So whatever that means, customer information. Think personally, I have a digital copy of every picture I've ever taken of my kids. I want to make sure, forget ransomware, I don't want to lose those. So I'll back those up. So it really depends on your organization. If you lost your accounting system, and all of your accounting records, then how are you gonna know who to even bill? Just think about all the things that you would have to recreate from scratch if you lost those things, forget ransomware, in a fire, in a power surge that fries your system, just whatever it might be.
Having those backups is gonna be really important, but that's like the first step in defending against a ransomware attack, actually having the data that they're trying to hold ransom.
Kaylan: Now hearing you say all that, I'm like, of course there's going to be full-time roles on these teams for people who are just focused on making sure the data is duplicated and safe and secure. Yeah, it just seems like a lot of work, but it
Michael: is
Kaylan: a lot of work. Valid and valuable work.
Michael: It is, and if you're a 10-person company, you probably don't need a full-time person. But you need somebody that is watching your network. And I mentioned there's a lot of IT companies in our region. There's a lot of what's called managed service providers and managed security service providers, MSPs and MSSPs are the two terms, and we have a ton of them. And they can take care of all that so that a founder can focus on the product. Our small business can focus on the product, what they're trying to do. Relatively speaking, for 10 people, it's not going to cost very much. It's going to cost. When you get to that point, that's an easy way to offload that stress, having somebody else do that.
Kaylan: Are there any resources or trainings or anything, as founders build their team and start hiring people? What can we be training our teams with? Are there any good resources out there?
Michael: There is. So, first of all I'd say Murray State University is a great resource. We offer a number of different programs. We have our traditional bachelor's degree in cybersecurity network management. We have a master's degree in cybersecurity management. We've also started a number of certificate programs. One of those, cybersecurity analyst, is an entry-level cyber analyst role that is funded out of a Department of Labor grant. So we're in the midst of our first cohort right now, but we'll start our second cohort in August. Tuition's paid, they get a free laptop, they get support for doing some industry certifications and a paid internship. And the whole goal is to help for those roles that don't necessarily need a four-year degree or even an associate's degree. This is a way to get some of those people out in the field. And if they want to go on and do more training, then we'll certainly love to have them. But there's such a deficiency in those people right now in our field that we wanted to provide an easy entry point for people to get in and start doing that. Beyond the training that we can provide, CISA, the Cybersecurity and Infrastructure Security Agency, is part of Homeland Security, the federal U.S. Department of Homeland Security. They are the point people for the federal government for all cybersecurity matters. DOD is doing stuff and intelligence agencies are doing stuff, but particularly for the critical infrastructure areas, they are the point people. Depending on what your industry is, they will come in and do assessments. They actually will take a look at what you're doing and provide some guidance. We have the ability to do a little bit of that too. They also have, on their website, I think it's cisa.gov, I'm not positive on that, I think that's right, but on their website they have a ton of resources, free tools, free things to use.
A lot of the things that we're talking about today are really small potatoes in terms of pricing. We haven't talked about firewalls. We haven't talked about what's called a SIEM, a security event and incident manager. We haven't talked about massive intrusion detection. We haven't talked about all these things, which are all great, but all cost a lot of money. What we're talking about are the small things, the baby steps to get you going. And when I say baby steps, I don't mean that your company is immature. What I mean is that your company is trying to prioritize where we go. And then the other thing that CISA would have are some policies. I enjoy policies. I enjoy a good policy. I do enjoy that strategy side of security. Most people despise it. Most people don't want to write a policy about what's acceptable, what's not acceptable. None of that stuff sounds fun to most people, and I get that. But if we don't establish some rules, then outside of doing a password manager or monitoring your credit or doing two-factor authentication, how do we know what we're supposed to be protecting? And it might be as simple as any cybersecurity framework, and there's a bunch of those out there that you start with, that answers the question that you asked a little bit ago. What are we protecting? If you don't know what your assets are, those things, digital and hard copy, it could be a physical thing as well, but if we don't know what those things are that we're protecting, then it's really hard to develop a security strategy.
Kaylan: And I can imagine some people might think, for example, a good policy is just my employees can't use ChatGPT. They are going to use it. They're going to find a way to use it. And how do we know that they're not going to just download a document, upload it, and that information going somewhere? I can imagine it just opens up a can of worms, but I feel empowered from this conversation that there are some strong steps that I personally can take. And even here at Sprocket in my role too, just starting to be more cognizant of, what is an asset? That's a huge question that you just brought up. What am I working with on a daily basis that I would be gutted if I lost or if somebody else had? What are some other questions that we should be thinking about as we leave this conversation and try not to feel anxious?
Michael: So I guess the way I wrap all this up is cybersecurity today is really about managing risk. It is, what is the risk that we're facing? And the best practice is that you should always, on a monthly, quarterly, yearly basis, depending on the organization, be thinking about what are the risks that we're facing. And it's not just that we're going to not have enough capital, we're not going to have cash flow to pay bills. Those are risks to organizations. What I'm talking about is those risks from a cyber standpoint, and you start with those assets, you start with where those assets live, you think about what are the threats to those, and this doesn't have to be a long, complicated process. But as we think about it, and as a company grows or enters a different vertical, then there's going to be different risk. And every time that we can go back and look at those: okay, we're now doing this, we need to think about this new thing. And there's frameworks and guidance and ways to do that that make it pretty straightforward, almost like answering a questionnaire, and it will pop out kind of a risk assessment for your organization. So there's a lot of things that you can do to do that, but that's it. It's coming to it with a mindset of we're managing the risk. And there's some risk, just like if you were thinking about insurance. It depends on the value of the asset. It depends on your risk appetite. There's a lot that goes into that question. Same way with cybersecurity. It is, what is the asset worth, and what's your risk appetite, and then you go from there. And the passwords, the two-factor authentication, some of those things, don't click the link. That's probably the biggest one, don't click the link.
Kaylan: Don't click the link. Yeah. That's the headline of today. That is, don't click the link.
Michael: Just those things can reduce that risk. So there's those basic things that we can do that don't cost a lot of extra money, that just, it's blocking and tackling.
Kaylan: All right. So walking away from this, I'm getting LifeLock. I'm using LastPass for everything, or 1Password. You said I'm setting up two-factor authentication for everything. I'm defining my assets. I'm up and taking notes. And oh, what was the last one? Oh, I'm making backup copies. My backup copies. Is there anything else? That's it. All right. Michael, thank you so much for taking some time to chat with us and help us to get more prepared for managing our own risk.
Michael: Happy to help. Thank you.