Read the summary and watch or listen to the interview here: https://www.crowleylawllc.com/podcasts/how-hackers-get-in-lessons-from-bob-michie/
Introduction to the Podcast
Voiceover: Welcome to the From Lab to Patient, Garage to Market podcast with your host, Phil Crowley. In each episode, we discuss professionals serving the tech startup market and the issues important to those companies. You can find this show on all major platforms, including YouTube, LinkedIn, Facebook, Apple Podcasts, Spotify, and on our website, crowleylawllc.com.
Now, here’s your host, Phil Crowley.
Phil Crowley: Hello and welcome. Thanks for joining us today. We bring you leaders in life sciences and technology to share their perspectives on developments, mistakes to avoid, issues to focus on, and opportunities to seize—helping demystify the process of taking your ideas from the laboratory to the patient’s bedside or from the garage to the marketplace.
### Meet Bob Michie: Cybersecurity Pioneer
Phil Crowley: Today, I’m delighted to welcome Bob Michie, founder and CEO of Metro MSP, a full-service managed IT provider covering IT services, cloud computing, and network security. In the area of cyber risk, Bob and his colleagues play a major role in keeping companies’ IT infrastructure safe.
Bob, welcome. Please tell us about your background and how you got into this field.
Bob Michie: I’ve been doing cybersecurity since before it was called cybersecurity. Back in the 1980s at NJIT, I was involved in responding to the Morris Internet worm on campus. From there, I continued focusing on technology, particularly security.
Phil Crowley: So you were truly a pioneer in cybersecurity. What are some other examples of your work?
Bob Michie: I started in education, then moved into industry, including Digital Equipment Corporation, where we worked on early host-based firewalls. Later, I handled internet security for Toys “R” Us and helped bring toysrus.com online.
More recently, I’ve focused on professional services firms in New Jersey. Many smaller companies lack the expertise needed to stay protected, so our focus has evolved into cyber protection. IT is increasingly self-managed, but cybersecurity still requires a personal, hands-on approach.
### The Importance of Cyber Protection
Phil Crowley: You’ve also written a book, *Cybersecurity Minefield*. What inspired that?
Bob Michie: We wrote it during COVID to help educate people. It became an Amazon bestseller. I focused on how to recognize when your email has been hacked—something many people underestimate. A single compromised account can cost a company a lot of money.
### Recognizing and Responding to Email Hacks
Phil Crowley: How can a company tell if its email has been compromised?
Bob Michie: There are signs, but they’re not always obvious. For example, your inbox may seem unusually quiet because attackers create rules to hide important emails. They look for things like invoices, then respond on your behalf.
We had a client send a retainer agreement. The attacker intercepted it, sent updated banking details, and $10,000 was paid to the wrong account.
Phil Crowley: That’s alarming.
Bob Michie: It is. In that case, forensic analysis cost $35,000. Insurance covered it, but the client still paid a $10,000 deductible.
Most compromises—about 90%—come from phishing. Someone clicks a link, enters credentials on a fake site, and the attacker gains access.
Phil Crowley: How can companies protect themselves?
Bob Michie: Education is key. Train employees to recognize suspicious emails and avoid clicking links. Even something as simple as a fake coupon can lead to compromise.
We saw a case where a lawyer clicked on what appeared to be a legitimate email. Within 10 hours, attackers extracted 40,000 emails from the account.
### The Role of Logging in Cybersecurity
Phil Crowley: How do you determine what attackers accessed?
Bob Michie: That’s where logging and analysis tools come in. We use SIEM platforms to collect and analyze data across systems—desktops, cloud platforms, and email.
These tools allow us to see who logged in, where they were, and what they did. In one case, attackers installed applications that allowed them to re-enter without a password. Logging revealed that.
Phil Crowley: Is this expensive?
Bob Michie: It’s typically a few dollars per user per month, depending on how long you retain data. At a minimum, I recommend 30 days, though longer is better. Historically, attackers could remain undetected for over six months.
### Legal and Insurance Implications of Cyber Breaches
Phil Crowley: What about the legal risks?
Bob Michie: They’re growing. Companies are facing class action lawsuits after breaches, even when they’re victims.
There was a case where a company claimed to have multi-factor authentication everywhere on its insurance application. It didn’t. After a breach, the insurer denied a $1.5 million claim—and upheld that denial in court.
Phil Crowley: That underscores the importance of accuracy.
Bob Michie: Absolutely. Insurance applications are contracts. If they’re filled out incorrectly, coverage can be denied.
### Crowley Law: Supporting Innovators
Phil Crowley: Let me briefly introduce Crowley Law. We’re a boutique firm focused on helping innovators in life sciences and technology bring their ideas to market while avoiding common pitfalls.
As a former research physicist and now corporate lawyer, I understand both the innovation process and the legal challenges involved. Visit crowleylawllc.com for free resources, and check out my book, *Avoid Startup Failure*, on Amazon.
Now, back to our discussion.
### AI in Cybersecurity: Opportunities and Threats
Phil Crowley: How does artificial intelligence impact cybersecurity?
Bob Michie: AI is both powerful and risky. On the positive side, we use it to analyze logs and detect anomalies across multiple clients. It can even identify previously unknown threats.
On the downside, attackers use AI to create highly targeted phishing campaigns. They can research individuals online and craft messages that are much more likely to be clicked.
Another concern is employees using AI tools without oversight. Studies suggest up to 70% of employees use them without their employer’s knowledge.
That creates data risks. If employees upload sensitive data into free tools, that data may be used to train public models. There have already been cases where proprietary code was exposed this way.
### Final Tips and Resources
Phil Crowley: What are one or two key tips you’d give our audience?
Bob Michie: First, create an AI usage policy. Define what tools employees can use and ensure sensitive data stays within private, secure environments.
Second, focus on cybersecurity fundamentals—training, monitoring, and verification. You can’t eliminate risk entirely, but you can reduce it significantly.
Phil Crowley: You also offer a free resource, *15 Ways to Protect Your Business From Cyber Threats*, available on your website.
Bob Michie: Yes, and I also offer cyber strategy calls. You can schedule one and access the ebook at info.metroMSP.com.
### Conclusion and Farewell
Phil Crowley: Bob, thank you for joining us. These issues affect virtually every company.
If you enjoyed this discussion, please visit Bob’s website and ours at crowleylawllc.com. Subscribe to the podcast so you don’t miss future episodes.
Thanks for listening.
Voiceover: You’ve been listening to the From Lab to Patient, Garage to Market podcast with Phil Crowley. Find us on YouTube, LinkedIn, Facebook, Apple Podcasts, Spotify, and crowleylawllc.com.
If you found this helpful, please subscribe, leave a review, and share it with others.
