Good day, friends. Hi, my name is Eli and I'm a community manager at TechSoup, and today I'm super excited to bring you a webinar on creating a culture of security. We're presenting this webinar in partnership with our friends at the Communities Foundation of Texas. If you're a nonprofit working in Texas, they're going to help make sure that you're connected to a community and resources to help you thrive and succeed. Let me tell you about our guest experts. We've got two amazing people here with us. We've got Aaron Dowell, who is your advocate and champion for anything to do with TechSoup and specifically our Quad community. So say you're trying to figure out, is my organization actually eligible for that awesome security product in the TechSoup catalog or that service offering? You can actually reach out directly to Aaron by email and get direct support there. So if the website is confounding you a little bit, don't worry. You've got a human there to cover you and make sure that you're on the right path. But speaking of humans who are going to make sure you're on the right path, we also have here Michael Enox. Michael is a senior technical director at TechSoup, where he manages the community and platform. And what that really means is he's actually responsible for TechSoup's infrastructure and security. So he makes sure that all of our internal and external teams are set up with the right tools and the right approach and the right cultural mindset to make sure that they're operating effectively, efficiently and securely. Let's give it up for Michael Enox.

All right. Hello, everyone. Listen. Yeah, so I'm going to talk today about security, specifically cybersecurity, and I'll go through the whole agenda. But one thing that I just wanted to call out is that when we talk about security, sometimes we talk about data security, and we also sometimes talk about data privacy. Data privacy is a different topic.
And I'm not going to be going into data privacy so much as I'm going to be focusing on data security, which is essentially the effort to make sure the data is secure. There's another effort that has to occur within an organization to make sure it's private. I think we all have privacy policies on our websites. That's why we have contracts and stuff. We're a third-party processor. And at work it's done side by side. I have a counterpart at TechSoup, an amazing individual who's an expert in data privacy. And between us and our legal department at TechSoup, we cover the sorts of things like compliance and governance when it comes to security and privacy. So, we're going to cover basically the agenda here. We're going to start with a brief introduction about my background and especially the context. And then we're going to talk about the threats that organizations in the sector see and why it is so important for civil society to really create programs to help them improve their security posture, and also govern it and also train on it. And then we're going to talk about the guiding framework, what we call a cybersecurity framework. And we're going to discuss that because it isn't something I just made up for TechSoup, right? We all need guidance, in a similar way that lawyers look to the law or an accounting team looks to generally accepted accounting principles; we have our own standards by which we measure ourselves. Our organization and many other organizations use NIST, and we'll talk about that in detail. A lot of what we're talking about today is how TechSoup applies the framework to ourselves, and hence the following topic after that will essentially be TechSoup, our own sort of case study in terms of how we employ these things. It looks as though my video is frozen. Is that correct? Otherwise okay?
And so anyway, and then at the end I've got some links and stuff to some resources for you all. So essentially, my background, as I introduced it: I direct our DevOps, our enterprise infrastructure and our security program. I also work closely with the software development team at TechSoup on the different platforms and the underlying infrastructure that we host in various places. TechSoup has a very large technical ecosystem that spans the entire globe. We have over a thousand servers in multiple different data centers, providing these services not just to us in the US, but also to our partners. And so it's quite a lot of moving parts. And so there's a lot to cover with a small team, like any other organization. Being a nonprofit, TechSoup does have limited resources. So we do what we can with the resources we have, and we have to be organized and efficient. A little bit about my background prior: I've been with TechSoup for about 10 years now this fall. And prior to that, I spent 15 years as the Chief Technology Officer for Second Harvest Food Bank in Silicon Valley. So for those who know the Bay Area or are familiar with food banks, the food bank in the Bay Area is one of the largest food banks in the country. And with that, I worked very closely with Feeding America on helping them develop technology for food banking and security and also data research. In that capacity, I learned a lot about the needs of nonprofits, especially in the food security sector. And then of course, working at TechSoup, I'm working with organizations in all parts of civil society and really trying to understand and also help the community. And so in my title, the community part is what I'm doing now in terms of discussing things, writing blogs, doing webinars and things for our community.
That's why I'm the director of community, and the platform of course is the technology. Anyway, moving on. Why is this important for the nonprofit sector or NGOs? Sometimes we just use the phrase civil society organizations, CSOs. Essentially, as an organization, we're susceptible to the same things any other organization is, whether it be a government or a private sector business; we face the same mechanisms of cyber threats. Sometimes they're targeted, but sometimes they're not. Many times they're not. In fact, most of them are not. Most of them are just people trying to find something valuable, something that they can get hold of that has some value. And it's pretty nondescript in terms of threat actors and where they're looking. What they do is essentially scan. They just scan and probe constantly. I've got a data slide where I'm going to show you the rate at which our own organization is being constantly bombarded with people looking for something to uncover, some risk that could be exposed. But what's important about civil society is that, in my view, I believe civil society is part of the critical infrastructure of the fabric of the entire world. Without civil society organizations, the world would not operate the way it does. If you think about it in that context, we are critical infrastructure, and hence our data is part of that critical infrastructure and needs to be safeguarded and stewarded. For example, when I was at the food bank, we had access to donor information from Silicon Valley, from the wealthiest people in California. And at the same time, we had access to the information of all the vulnerable populations that we serve.
So here we were sitting with data of two different kinds, both of extreme magnitude in terms of sensitivity, and having to figure out how to protect this stuff, because there are all kinds of reasons why people would want to get information on vulnerable populations. And I also didn't want anyone to get information and data on wealthy people. And obviously the result of something that can happen, whether through malware or phishing, is essentially a ransomware situation where your website is hijacked and you need to pay some amount of coin in order to try to unlock it, or lawsuits. And that can really damage trust in your communities, especially because of the data breach; their data is lost and you have to go and communicate to people that there's been some event. And we've all seen those emails, we've all seen the news headlines. And it's interesting that even some of the most sophisticated tech companies will sometimes have a crack somewhere, and somebody will wedge into that crack and then open it up. I'm not trying to pick on anybody, but essentially that is the reality. And so what we have to do is make our best effort to protect that, because we do have a responsibility as the stewards of that data. And please, as I go through this, like Eli said earlier, please ask questions and I can be interrupted so that I can address the question as it comes up. Eli, we good? Everybody can hear me okay?

Rock solid, keep going.

Excellent, fantastic. I just like to check in. So essentially these threats are pretty real. Anyway, the one I want to show you here is actually what we see at our perimeter. Okay, so TechSoup.org, obviously, is our U.S.
product donation site, but we also have, you know, a whole bunch of these all over the world that are TechSoup partners like TechSoup Canada, Kenya; basically in almost every place, except for a few, TechSoup has some representatives to help distribute the philanthropy of our donors and also to extend our impact through things like this, through other types of resources and educational materials. What we're seeing, for example, is a seven-day snapshot. And in that seven-day snapshot, you can see that we had 60,000 requests blocked from people trying to get into TechSoup.org in seven days. Of those, you can see the way it breaks down. SQL injection is a type of exploit that people try in order to see if they can get a little bit deeper, like into a database. And what you're seeing here is a tool that we call a web application firewall. And we have web application firewalls in front of all of our websites that have critical data inside them. And we do that because, just like the regular firewall that you have in your network, it provides a firewall against people who are trying to do exactly this. And it uses smart analytics to monitor this and prevent it. And fortunately, it works. As you can see, the sort of stuff that we're seeing a lot of is just bot activity. Bots just keep firing at the website. There's another reason, which we'll go into, why it's important to have something like this: we also get great performance. You can see down here we had one denial of service attack, or attempted attack. And that's a distributed denial of service. You may have heard of those. It detects that. What they're trying to do is hit the website with so much volume that it actually brings it down, knocks it offline.
Cross-site scripting is another type of attempted exploit. You can see these other ones are also just trying to get access. So this gives you some indication. You can actually see where they're coming from. So there's a heat map here. And because we can see the IP address, you can see that these things are coming from all over the world. And oftentimes these are organized; it could be everything from a teenager messing around on the internet, to something as sophisticated as an international state actor operating out of server farms in another country. This is what we see here. This is what the internet looks like from a security perspective. That's the internet. And then of course, we have the issue that you would have on the inside, perhaps somebody clicking on a link in an email. They say that most security events happen because of human error, an internal error, not necessarily this. Although either way, you have to work on both the internal security, mostly around security awareness and understanding, but also things like using encryption, VPN, and other things that we'll go into a little bit when we start walking through the framework. So just moving on here, one of the things that I'm going to be discussing here is, as I mentioned earlier, NIST, the Cybersecurity Framework. And the reason why we want to use a framework when creating policy and creating practice in an organization is because, like I said earlier, we need to use the guidance from a leading body. There's lots of effort and research that goes into this from certain institutions like NIST, which stands for the National Institute of Standards and Technology. And there are other ones. There are other government ones and there are other private ones; essentially, all kinds of resources out there.
But we've settled on NIST as an organization for our methodology, and I'll go into the details about how NIST works now. But especially the reason why we do this is, as I mentioned earlier, that the data reflects the critical role of civil society, and it's our duty and responsibility to do what we can within the resources that we have in order to, you know, try to mitigate any sort of possible threat that can come our way. But another reason why we do this obviously is because of audit controls. Audit controls are based on the standard. For example, if you were to go through a cybersecurity audit by a cyber insurance company when you're applying for cyber insurance, what they're going to do is ask you questions based on the standard. And so by using the standard to guide your policies, when those guys ask, do you have a backup and disaster policy? You can say, yes, I do, because that's one of the things that NIST talks about. Or do you have a security incident policy? And do you provide security awareness training to your staff? They ask those questions during the third-party audit, whether that be from an insurance provider or sometimes another authority that comes in, depending on the circumstances of the organization. And sometimes organizations will, which is always a good practice, look to an organization like Tech Impact or something similar to actually help them do an assessment, and then have a third-party assessment done so that they can really find out where they land with that.

Yeah, actually, I really like that recommendation of having one of these third-party assessments. And I'll share a link in the chat in a moment about a new service from TechSoup in partnership with Tech Impact. That gives you that first level: what is the level of risk we actually have right now?
And what are some of the next steps we would take on? I also have a really timely question coming here from Randy Coleman, who asked, is the NIST 800-53 Rev 5 a good resource? Is that something that rings a bell to you?

That's actually what I'm going to be going into right now. Thank you for bringing that up. Yeah, that is a great reference. And there are ways to understand it that are a little bit more digestible; you can go through the entire document, but it's heavy reading. If you're like me, I like to do that kind of stuff. But there's also more: they break it down into guiding principles and also the controls that those standards are based on. But yes, for us, that is the gold standard by which we try to measure ourselves. It's like the ruler by which we measure ourselves, put it that way. And I think we all need rulers to measure ourselves, our performance or our policy. And what it does is it gives you something to go to your leadership, to the board of directors, and say, look, these are the gaps. I just went through this NIST framework, and we have some gaps, and we need resources or funding, or to seek a grant to help us implement this. And I've worked with organizations that have gone back and said, look, we need a security program, but we don't have the resources to do that. And then they'll go get funding for that, because organizations see that as a capacity-building exercise; it's not operating costs just to add more budget. It's actually a project-based cost to help improve the organizational capacity of the organization. So eventually you get here. As described, this is a graphic from the website. It's the framework for us to understand how all of cybersecurity works.
And it covers these five. They're actually on the framework version two now, but I hadn't updated this slide; it's the same concept, they just changed small bits of the standard. But essentially the actual theme here is something we see a lot in business: plan, do, check, act. So it's a cycle, right? In this case, what we're seeing in that cycle is: identify, so have mechanisms to identify your organization's data; have mechanisms to protect your organization's data; and then also to detect, so that if something is happening, you know what's happening. And then also to respond to something when it does happen, because chances are things are going to happen. You simply have to have the ability to respond. And then also recover, or remediate. Sometimes, like in this slide, I'll combine respond and recover, essentially because those are really pretty closely connected. And also they're all connected. So this isn't totally delineated. One kind of moves to the next in the cycle. I'm going to go into some details about this. Effectively breaking down this framework, what does it look like when you actually start diving into it? Essentially, this is the high-level version of it, where it discusses the different relative aspects of each one of these, and basically some guidance in terms of what are the basic things you need to do. I'm going to go into a little bit more detail on the next slide, and then also I'm going to talk a little bit about what TechSoup does in each one of these areas. Essentially, you can see here that a lot of times what we're focusing on in Identify are things like access control, or understanding who has access. I'm going to talk a little bit about that in a bit. For Protect, obviously there are all kinds of ways to protect your systems.
And a lot of this is going to be individualized for each organization and prioritized. For example, if you're an organization that works with a vulnerable population, one of the places where you should be focusing your efforts is really looking at that data: understanding it, identifying where it lives, who has access to it, and protecting that data. There are some types of data that are important in all organizations. But something like, for example, what I'm doing here in this presentation, this PowerPoint slide deck, doesn't contain any sensitive information. It's public information. It's something that we want to share with people. It's the opposite of something we want to protect, in a way. We want it to get out there, to be disseminated for people to learn from. But if you think about your systems, you have to identify your assets, and by doing that, you can protect them better. And that's why Identify is there. And then obviously, as we're doing this, we have to be able to detect things. So that's why we're using antivirus, antispyware, and other programs, and also having alert mechanisms and monitoring mechanisms that are associated with the logs that are being generated by our systems. And there are tools out there that can be used to do that. We're going to provide some resources around the tools that TechSoup offers and other guidance for them. And then of course, there's Respond, which is what happens if something happens. How do we respond? You don't want to be in the situation where something has happened and you don't have a plan, or you haven't really thought through a communication plan or response plan.
When you're actually in it, that's not the time to be thinking that through, because you're going to be very busy trying to respond and recover. Recover is essentially ensuring that you've got some remediation plan, that you've proven that the backups work, you've tested them, you know that data is stored somewhere else. And also that you use that as a route to help improve processes and technologies and policies. So before diving in a little bit further, maybe I'll take a break and see if there are any other questions. Eli, are we good?

We've got a couple more specific questions. Want to dive into those and then we can go back into the framework high-level stuff?

Yeah.

So the first question goes back to Randy's question, which is: we'd love to get a sense from you on some of the tools available to help with continuous monitoring. Do you have a go-to that you think is the thing to start with?

Yeah, there are different types of monitoring. For example, anti-malware programs like Bitdefender, Avast, and Norton, which are in the TechSoup catalog, do a pretty good job, at least on the device level, in terms of saying, look, you've got a threat here. But what they don't necessarily do is find that you have some outdated version of the Chrome browser. Some of the more sophisticated tools do. For our servers, we use a product that's not in our catalog. Again, I'm not endorsing this particular product, but since you asked, we use a tool called Rapid7, which is a little bit of code that's on our systems, and it's constantly providing analytics. And so we can see, because we're dealing with over a thousand nodes, we need to be able to see it all in a single pane of glass; we need to be able to look at a screen and get a record of what systems didn't get the security patch.
Obviously, one of the best ways you can manage any user devices is to ensure that your patching process is up to date, and that systems are automatically patched by whatever operating system you're using. That is a critical aspect of this. But there are different types of tools that do continuous vulnerability scanning. They look for CVEs, essentially; things that are known exploits, sometimes related to code libraries, or the operating systems of the servers that you're working with.

Awesome. I've also got a trio of questions here coming in from Denise. First is, what type of protection should be used for our employees' mobile phones? And I'm going to assume that these are corporately issued phones in this case.

Yeah. Okay. Well, for corporate-issued phones, they'd be managed by the corporate systems. Most of the systems we use, like Defender and things like that, will actually have software you can load on your phone for malware. Also, one of the things we do recommend, the same as with laptops, is VPN for encryption. And also, if it's a corporate-issued phone, the IT department generally will have something they use called a mobile device management solution for both your phones and your laptops. And what happens is that those go into an inventory. For example, Intune, which is part of Microsoft 365, I think you have to have a different level of licensing for it, but then you can get Intune, which is essentially Microsoft's mobile device management system. You can get all those things in the inventory. And if there's an issue, then you'll get an alert and you can also remote wipe it. But oftentimes, since you brought this up, a lot of organizations are moving more towards what's called a BYOD policy. Okay, bring your own device. We're in a remote work environment post-pandemic.
There are so many people working remotely that if you've issued somebody a corporate laptop, you don't necessarily know whether they're actually using it. A lot of them just check their email on their own computer. So more and more thinking is going into what we call zero trust, which is essentially the thinking that you create access mechanisms to get into anything by using multi-factor authentication and other mechanisms for authentication, so that whatever you're accessing knows who you are on multiple levels and identifies you as an authorized user of it. And then you can also do things to minimize what can happen with your own device interacting with that. For example, by using anti-malware and such, if you did accidentally click on a link, even if it was on your BYOD device, there'd be some protection against it. So we're trying to think more about zero trust. And that's why it's important, especially when you think about mobile devices.

Awesome. The next follow-up question from Denise is around data in the cloud. And so this is specifically about Google Drive: is it safe with personally identifiable information? And if it isn't, how can we reduce the threat vulnerabilities?

Yeah, that's a really good question. I'm glad you brought that up because the next slide is going to speak a little bit to that. I'll just go ahead and cover it now. Especially when you get products such as Office or Google, let's say you get them through TechSoup, from Google or Microsoft, or even if you're just using them on your own, or anything else you're using like Box, Slack, anything like that: you have to assume that when you get those products out of the box, they are not configured for high security. You have to go in and try to understand what that means in terms of making it secure. For example, enabling MFA, and also restricting access.
I'm going to talk a little bit about this on this next slide. In fact, maybe I'll just move to the next slide because that's the exact next topic I was going to be talking about, under this aspect here where it says asset management. These are things for Identify, but essentially what we're discussing here is a little bit around access control. And one of the things that we employ at TechSoup is something called the principle of least privilege. This is a very important concept for organizations, and sometimes it's called privileged access management. So the way you minimize risk in the cloud is not to make everybody an administrator of your Google tenant or your Microsoft Office 365 tenant. You limit the number of administrators, and then you only provide the level of access or rights that's required for them to do their role in the organization. For example, QuickBooks Online from Intuit, in the cloud: that's sensitive information, like finances, but you don't make everybody in your organization an administrator of your online QuickBooks. It's going to be the people who are in charge of finance; that's their role. And then what they may do is provide reports for you to read, or read-only access to certain aspects that relate to your job. So in the same way, if you apply that concept to things like Google Drive, you can make sure that it is secure with sensitive information, but you have to understand how that works in terms of its configuration. For example, limiting access to people only within your organization; that's a control that's commonly found in Box and Microsoft and other places. You can create a folder such that nobody outside your organization, and only specifically named people, can access the information there.
So you guard against that, and then employing MFA on top of that means that not only do you have multi-factor authentication, but only the people who need to know that information have access to it. You don't just create a shared drive in Google, let everybody in, and then take that link and share it with people and make that link externally accessible by anybody who has the link. That's the number one thing you'll see in Google when you go to share something, because Google, Microsoft, they want you to share things, right? They want more people using their products. So you have to really constantly step back: okay, it says, do I want to create a shared link so anybody with the link can access this folder? No. Basically just make it so that only the people who have permission in the structure of that file or document can access it, please. I hope that answered your question.

So diving in a little bit to this, this is basically just another version of what we saw before in terms of these different parts, in more detail. And so these are some of the questions that are part of Identify. I spoke about this a little bit, but asset management is a big one. If you don't know what devices are out there, you can't manage them. If you don't know what somebody is using, you also have to accept that there may be some apps, some inventory, that you don't have access to because somebody's using it outside of the IT department, some shadow IT, as they say, or they're using something like a personal device, because they can log into a cloud system. And so you have to understand it all, and I think part of that managed part of it is knowing your applications, right? So often at an organization, some team will say, oh, I need a project management tool.
And so what they'll do is set up a project management tool without telling the operations or IT department or whoever. And so as a result of that, they become administrators of it, and what can happen is that if they leave the organization, nobody knows exactly how to take over that account, and you have to go through a whole bunch of work. So generally, in an organization, going back to privileged access management, we always ensure that there's a process to approve an application, that it goes through a security review. And then we authorize the use of that application, and we make sure that somebody in IT can also be an administrator in case that team has some attrition or an event occurs. And also so the IT department can govern and monitor how it's set up from a security perspective. The other thing that's really important is to think about a risk management strategy and governance. We talk about this a lot in IT and security: governance and risk assessment and risk management. From a business perspective, all the stuff that I'm talking about is risk management. There are all kinds of risks that organizations could face, whether it be natural disaster, changes in the market or funding, economic forces, things of that nature, all kinds of risks, especially people holding institutional knowledge and being a single point of failure in the organization. So a lot of cybersecurity is really risk-based assessment and management. And by doing that, and having proper governance over it, you're essentially doing the right thing for your organization and also being stewards of that data. In terms of Protect, this is where a lot of our effort has been. It's basically protecting us. As you saw before in the slide where I showed you the data of all the stuff that's getting thrown at TechSoup, we really focus a lot on that. The other is security awareness. It's super important.
Data security, making sure that's protected, data loss prevention, and maintenance, making sure things are maintained. Eli, how are we doing on time so far? Where are we at? We're doing okay. We're 40 minutes through. We've got a solid 15 minutes until we need to bring it all to a close. Great. Excellent. Then I'm going to basically just run through these things, with these four that I'll talk a little bit about, with TechSoup as a case in point. There's a pretty great board, but essentially one of the things we do is what you saw earlier with continuous monitoring, security observability, reviews, and also the detection process. Ensuring that we basically have ways to alert and notify when events happen. This morning, for example, I saw some emails where I could see that one of my system admins was making some changes to our DNS records. I was able to see that and then look and make sure that it was by an authorized person who had the permission, as part of their role, to make those changes, and that it wasn't done because somebody hacked into our Route 53 in AWS and started doing that. It's really important. I have an entire set of, you know, all those filters and stuff, and I have to be filtering them so that it's not just noise, because a lot of stuff gets generated. And we also have these windows that we can go into, like a portal, where we can go and see everything in one place, like I demonstrated earlier. Respond, too, is super important: creating a security incident plan. And also, as part of that, you understand the communications, both internally and externally, that would happen as a result of an event. And then obviously, when you recover from something, you have to do an analysis, you have to do the remediation, and then you have to do things that are proactive to keep it from happening again.
In TechSoup's case, what we do is we take these things and we apply policies and create an information security policy document where we cover these things. And then we make sure that's in alignment and that it lines up with this. So basically, we're taking that NIST 800 dot 30, I don't have it memorized, but basically taking that guidance, and ensuring that we've got a template of policies for those. There are some links, I think at the end of this presentation, where you'll be able to see where you can get template links and then modify them for your own use. But especially, for example, we basically have application asset management, which we looked at a little bit earlier. We also do MDM; we use Intune to basically ensure that we have an inventory of our user devices. And then we have policy-based governance. So we basically have policies to do with the data, and we enforce that, and people have to sign off when we onboard them about these are the things you can do, and not do, with our data. And then also we document our infrastructure and document things, so it's there. I mean, it's not just in somebody's head somewhere. For Protect, like I mentioned earlier, we have these web application firewalls, input protection, encryption, multi-factor authentication, disaster recovery. As far as that goes, we use cloud-based backups that are encrypted, but they're not stored in the same place. You don't necessarily want your backup to be in the same room as your production data, because it defeats the purpose if something happens to that room, like a disaster, or to that environment or that system. It's always good to think off-site, but we don't like people to have physical things off-site unless they're encrypted. We always recommend looking for a cloud-based backup solution provider. And then there's security awareness training.
It's super huge because you can prevent a lot of stuff by just using a program like KnowBe4, which is in our catalog, to ensure that your users and your staff are trained. And I discussed earlier privileged access management; I went into some details about that. But these are some principles for protection that we like to recommend. And then in terms of Detect, once again, we have continuous vulnerability monitoring and assessment using Rapid7. We also use, we have data that comes in, we use a SIEM called Sumo Logic to actually move data into. We also use New Relic, which is one of our partners, to help us understand what's going on with our infrastructure. And then through those tools, we have an alerting and escalation protocol. So if something comes up and somebody sees it, they know exactly who to go to to escalate it for investigation and triage and to identify things. And then beyond that, if it's thought to be a security incident, then it goes to the incident response team, which has been identified in an incident response policy. A fundamental aspect of having an incident response policy is to identify who's part of that incident response team, and that'll generally be somebody, in TechSoup's case, representing legal, communications, IT, and operations. Then there's Recover, but you basically need to do incident containment, and you have to have a disaster response protocol, and then the communication, and then you just need to do what you should do, a root cause analysis: find out what happened, what were the gaps, how did this occur? And you do that to prevent it, basically, so that you can learn in the future how you can improve. So this is part of that Deming cycle that they talk about in business, about continuous quality improvement or being a learning organization, right? So we, TechSoup, we talk about that with our communities.
And so we try to walk along with them when they come to that. So, essentially, I think, and I've got some resources here at the back, but at that point, I just wanted to walk through that because I want to provide enough time for questions. And I'm going to go ahead and stop my share so that we can get into some questions and discussion. Does that sound good, Eli? That sounds perfect. Excellent. I've got two questions in the queue, which means probably enough time for a couple more. So keep throwing them into the chat and we'll keep trying to stump Michael. Come on, I dare you all, let's try and do it. Question number one comes here courtesy of Sean, who says, look, I'm a small, scrappy nonprofit. We've got one person who's the in-house IT guru, but that makes us a little bit vulnerable. Things happen. Yeah. So they've talked a little bit about working with a managed service provider who might step in and help do some coverage and start filling in some of those gaps, because no one person is an expert in everything. So the first question is, what is a managed service provider? Could you just give us a really quick sense of what that is for those for whom that's a new concept? And then what are maybe some of the pros and benefits of engaging one? And then I'll have a final question to keep you going. Great. So a managed service provider is going to be a contracted IT resource for the organization, and generally you should do your own vetting with them, honestly, and get preferred recommendations. But generally, an organization many times doesn't want to hire more full-time equivalents for IT, so somebody, whether it's the IT person or the ops lead or a leader within the organization, should be responsible for overseeing that managed service provider, to ensure that there's a plan, that they're not just doing what you tell them to, that they actually are following your guidance and your requirements and your work.
I think one of the pros about it is cost management and also ensuring that you've had experts looking at things, but one of the cons is that, like anything else, they have to be managed. And as a result of that, it's important to know that, depending on the quality of them, they could come in and say you need all this stuff, which is going to cost your organization money, or they can come in and just do what they're told. I think it's good to sometimes have a third party provide a gap analysis of things. So have somebody else do an assessment, like Tech Impact or somebody doing an assessment, and then hire a managed service provider to come in and help you remediate the gaps of that assessment, and then afterwards have that assessment done again. Because if you have a managed service provider sometimes do that, it's the same as: I don't know what's wrong with my house, I'm going to call somebody out, like the construction person, to tell me what's wrong with it. They want to get the business; obviously they're going to do whatever they can to tell you, like, everything. And so if you need some help understanding what to prioritize, how to prioritize, that's where a third party who's not the service provider should probably be doing that. Interesting. So you recommend actually maybe pulling those things apart, which is: get an assessment of what you think you need, and then go for your quotes and see if what you're getting back is reasonable, because, as you say, it could be very different. They may have it, they may have input too, but I think that it's just about not having only one source of truth there, or what you think is the truth. If you have a key person who says, I think we need all that stuff, and we don't need it.
I think there are other checks and balances you can put in place there, especially when it comes to ensuring the security of the firm and making sure that they are complying with proper security practices, because you're potentially going to be in a contract with them, and you need to check the legal contract, the DPA, the data privacy agreement, and these things, and have somebody legal oversee that, because they could be liable anyway. You have a co-responsibility at that point. Especially if you're a small, scrappy startup nonprofit, you may not have all those skills in-house to properly make that assessment. So that's why having that third party is really helpful, especially if you don't have that really technically minded person on your board. Awesome. I have got another question coming in here, and this one is coming from Randy, who's saying: disasters happen. It's happened in Texas for sure: floods, storms, snowfalls, it all happens. Any recommendations on how we might start the process of drafting a disaster recovery and preparation plan? Yeah. It's important also to break out two things in terms of disasters and things like that, because in California, when I worked with the feedback system, we had to think about that, obviously, because there are potential earthquakes, and in other areas of the country there were hurricanes and other natural forces to prepare for. So there's sometimes the concept of contingency planning, and contingency planning sometimes goes hand in hand with the disaster response plan. IT could be one component of that, because you have to think about other things. Okay, how are we going to operate in a natural emergency? Continue to operate? What's the contingency? What if something happens to an individual who's the leader in the organization?
So there's that sort of aspect of it, and that's broken off from what we sometimes call disaster recovery, which is really about being able to understand that your data is protected and also that you can recover that data, and you have the systems and you've practiced it. So one of the, I think part of this is there are templates online at SANS.org; at the end of that is basically where you can get templates for these policies. But I think conceptually it's important to break out those two things, contingency planning and data recovery, because that data will be part of that if something happens to your server room or your IT infrastructure as a result of a natural disaster. But there are also going to be all kinds of other things that can happen as a result. Awesome. And I wanted to also share a link to a guide that TechSoup put together a couple of years ago that actually was specifically created with a grant in support of Texas nonprofits, that was created with people who know your pain. So we're coming in towards the end. People can throw a couple more questions at us, but I wanted to come here with Denise's super tricky question for you, which is, top line, high level: if I could do one thing to prevent or minimize the threat of professional hackers and breaches in my organization, what is that one thing? Obviously, you can't choose between all your children. You love them all equally, but pick your favorite. That's the tricky one. That's the tricky one, right? I would say access control, like privileged access management, because if you don't have MFA, for example, a lot of things are going to be subject to somebody being able to get access to something, like through a phishing link. For example, if you click on a link and they were able to steal an email or figure out your username and password, they will be able to get into that system without MFA, without you having some MFA.
I would say if you don't have MFA in your Google or your Microsoft tenants, or whatever you're doing, and you've got sensitive data there, I think that should be number one. That's the low-hanging fruit too. Could you just maybe decode MFA for those who aren't necessarily familiar with it? Multi-factor authentication, sometimes there's something that's called two-factor authentication. It's what you do when you go to your bank and then they send you a code on your phone, or you use an authenticator app. Essentially, what the factors are, to break multi-factor authentication down, is that there are a few different things. It's something you have and something you know. Simple example: when you go to use your ATM card, you put the card in, and that's something you have, and then it asks for your code. That's something you know. Or when you go to a gas station and you put your card in to get gas, it asks you for your zip code or something. Basically, something you have and something you know. Those are the two factors. Right. If you were to start bringing that into your organization, what's the best way to bring that in? Do you use a third-party thing like Okta? Do you just go into Office 365 and turn on the new rule? Yeah. I mean, essentially, it depends on the organization and the level of the organization, the tools, but all tools these days, modern app tools, will have a way for the administrator to enable multi-factor authentication. If it's not there, you should probably consider using a different tool. Especially, and let me paraphrase that, if that's where you're keeping sensitive data. For example, your QuickBooks Online or something like that, you want to be able to use multi-factor so that nobody can hack into your financial books. There'll be a setting under administration and security that'll say enable or enforce. You don't want to just enable it. You want to enforce it, because that's different.
You can enable it, but then it's not going to be enforced. They're generally two separate steps. Oh, yeah. That's really helpful to get a sense of. You think that's almost a deciding factor for a new service or tool: to say, does it support this two-factor or multi-factor authentication? So you don't have to worry as much about that. Someone stole the password and you're like, yes, that's bad, but actually there are still other protections in place. We're going to almost assume that basically passwords... and also there are all kinds of other things that have to do with password policy. TechSoup has a password policy. We have an access protection policy; all that guidance is available. Awesome. No, that's really helpful. Then with that, let's bring this to a close.
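Appended after the transcript as an added example, not part of the webinar and not TechSoup's own tooling: the Detect step Michael describes, checking that a DNS change in Route 53 was made by an authorized, MFA-authenticated person, written as a small review over CloudTrail-style events. The events below are constructed for the example (the shape follows CloudTrail's JSON, the account ID, ARNs, zone ID and IP addresses are made up), and the `APPROVED_DNS_ADMINS` allowlist is a hypothetical stand-in for whatever role assignment your organization actually keeps.

```python
"""Added example: review Route 53 record changes against an allowlist of
DNS administrators and the MFA flag on the session.  Constructed events,
not data or code from the webinar or from TechSoup."""

# Hypothetical allowlist: principals whose role includes changing DNS.
APPROVED_DNS_ADMINS = {
    "arn:aws:iam::123456789012:user/dns-admin",
}

# Constructed sample events in CloudTrail's JSON shape. Values are made up.
SAMPLE_EVENTS = [
    {   # change by an approved admin with MFA: should not be flagged
        "eventSource": "route53.amazonaws.com",
        "eventName": "ChangeResourceRecordSets",
        "userIdentity": {
            "arn": "arn:aws:iam::123456789012:user/dns-admin",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true"}},
        },
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"hostedZoneId": "Z0000000000", "changeBatch": {"changes": [
            {"action": "UPSERT", "resourceRecordSet": {"name": "www.example.org.", "type": "A"}}]}},
    },
    {   # change by an unapproved user, no MFA on the session: should be flagged
        "eventSource": "route53.amazonaws.com",
        "eventName": "ChangeResourceRecordSets",
        "userIdentity": {
            "arn": "arn:aws:iam::123456789012:user/marketing-intern",
            "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
        },
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"hostedZoneId": "Z0000000000", "changeBatch": {"changes": [
            {"action": "UPSERT", "resourceRecordSet": {"name": "mail.example.org.", "type": "MX"}}]}},
    },
    {   # unrelated service: ignored by the review
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dns-admin"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {},
    },
]


def mfa_used(event):
    """True only when the session context explicitly records MFA.
    A missing sessionContext (e.g. plain access-key use) counts as no MFA."""
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def changed_records(event):
    """Summarize the record sets touched by a ChangeResourceRecordSets call."""
    changes = event.get("requestParameters", {}).get("changeBatch", {}).get("changes", [])
    return [
        f"{c['action']} {c['resourceRecordSet']['name']} {c['resourceRecordSet']['type']}"
        for c in changes
    ]


def review_dns_changes(events, approved=APPROVED_DNS_ADMINS):
    """Return one finding per Route 53 record change that was made by a
    principal outside the allowlist or from a session without MFA."""
    findings = []
    for event in events:
        if event.get("eventSource") != "route53.amazonaws.com":
            continue
        if event.get("eventName") != "ChangeResourceRecordSets":
            continue
        actor = event.get("userIdentity", {}).get("arn", "<unknown>")
        reasons = []
        if actor not in approved:
            reasons.append("actor not in approved DNS admin list")
        if not mfa_used(event):
            reasons.append("session not MFA-authenticated")
        if reasons:
            findings.append({
                "actor": actor,
                "source_ip": event.get("sourceIPAddress"),
                "records": changed_records(event),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_dns_changes(SAMPLE_EVENTS):
        print(f"ALERT {f['actor']} from {f['source_ip']}: {f['records']} ({'; '.join(f['reasons'])})")
```

In practice the events would be fed from your SIEM or directly from CloudTrail rather than a hard-coded list, and the allowlist would come from the same place you document who holds the DNS role; the two checks together are what turn "an email said the DNS changed" into "the change came from someone who was supposed to make it, with a strong login".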