Welcome to Keep Your Connected Nonprofit or Library Secure. My name is Becky Wiegand and I'm the Webinar Program Manager here at TechSoup Global. I'm happy to be your host for today's event. And joining us as our expert today, a really preeminent expert in this topic, is Kelly Bray. She joined Symantec's Global Security Office in the spring of 2014, charged with reinvigorating their security awareness and training program. And so she is the employee trust lead in that department, responsible for helping to continue creating innovative ways to engage employees on how to change their behavior that affects Symantec's security. Prior to joining Symantec, Kelly spent five years in the federal service system with the Transportation Security Administration as Chief of Cyber Security Awareness. While there, she worked on the TSA's Security Awareness and Training Program and the Cyber Critical Infrastructure Protection Mission, where she trained over 60,000 TSA employees every year on how to stay more secure and battle insider threats at the TSA. So she really comes to us with a lot of hands-on experience on how to train staff, employees, how to train people just to think differently about their behavior to stay safer online and keep your organization more secure. So we're really excited to have her join us today. You'll see on the back end Allison Bliss and Ali Bazikian, both from TechSoup, who will be joining and helping to respond to your questions and flagging them throughout the webinar. So watch for them and feel free to reach out if you need help at any time. TechSoup staff are here in our San Francisco office at TechSoup's headquarters. Kelly is way over on the East Coast in D.C. Go ahead and chat in to let us know from where you're joining today. We have folks often from all over the world. 
I always like to imagine that I'm hanging out in the Bahamas, but right now I don't think I'd want to be there since they're getting walloped by Hurricane Joaquin, or maybe it's Tropical Storm Joaquin. But thank you all for joining us and chatting in. We know you can't see the chat messages, but if you have experiences with specific products or things that you've found worked really well with helping your staff or team become more secure and adopt better policies and better safety on the Internet, feel free to share them out with us and we will share them back out with the rest of the audience throughout the webinar. Looking at our agenda today, I'll do a quick introduction of TechSoup for those of you who aren't familiar. Then we'll jump right in to identifying the problem here and helping you embrace kind of where the world is at with security threats and online threats with some fun quizzes. Then Kelly is going to take us through their common approach to solution and how Symantec does things a little differently including a variety of simple security tips that she'll share. And then I'll talk toward the end about some of the donated and discounted Symantec and other security products that are available through TechSoup's catalog if you're looking for some installed software or online services to help your organization stay more secure. That won't be the majority of the webinar. That will be just toward the end. So we won't be trying to sell you anything, but we want to make sure that you have the options that you need to help best secure your organization. Ask those questions throughout and we will have time at the end. So TechSoup Global is a partner network of 63 NGOs worldwide serving more than a half million organizations in 121 countries. You can see where we are on the map worldwide here and we're ever expanding. We've served nonprofits to the tune of nearly $5 billion in technology products and donations around the world. 
Prior to coming to TechSoup I was a beneficiary of many of those donations at three small nonprofits I worked for in Washington, D.C. and Oakland, California. So I'm really glad to be your host and tell you about our programs too. You can learn more about them at TechSoup.org. So on to today's topic. Before we get started with identifying the problem we really want to have a good understanding of where you're at and what security tools you're currently using at your organization. Many of you may be piecemealing different products together. Many of you may not have any. So we recognize that this list is not comprehensive. It doesn't include an "I don't know" or "none." If that's your situation, go ahead and chat that in to us, or if there's a product that you're using that's not listed on this list of options, feel free to chat that. But feel free to click any of the ones that you are currently using as security tools at your organization, because that helps us get a handle on where your organization is at. We aren't going to go into detail about what you're individually doing since there are a lot of people on the line, but it's a helpful way for us to have an idea of what most people are employing for their security products. We have some folks mentioning Trend Micro products; that's not on this list. We only had room for 10 options. So we included a handful, but we also know that if you're coming to this and you're not sure if you have any security products installed, that's helpful for us to know too. So we can help make sure that you've got information on how to find the ones that might work best for you. So I'll give just a couple more seconds so everybody can participate. We have other folks commenting. David comments, we are migrating to Panda Free. Another person comments Kaspersky, which is down here as the very last option. I'll go ahead and show the results here. 
It looks like of the people who responded, Norton Security and Microsoft Security Essentials are the top two most commonly used among the options on the screen. Symantec Endpoint Protection follows third. So that's helpful for us to know and gives us an idea of where you're at with your security software and application needs. With that, I'd like to go ahead and move us into the practical domain of what are the big problems and challenges in the security landscape out there? What are the big threats? And really why we're all here today, what are some of the solutions? What are some of the practices that we can employ to make our organizations, our nonprofits, our libraries, our churches more secure? With that, welcome to the program Kelly. We're so glad to have you take it away. Thank you so much Becky. I hope everybody can hear me clearly. Yeah, you sound loud and clear. Wonderful, thank you. And thank you all so much for taking your time today. I understand that time is valuable for all of us and over here on the East Coast we have the hurricane coming and it's security awareness month and it's the end of the quarter for a lot. So thank you so much for sharing the time and I hope that you will find something valuable out of this presentation and certainly thank you to TechSoup for the opportunity to speak. So I want to tell you real quick just a little bit about me and why I call this presentation Simple Security. And honestly the reason is that security isn't really that simple. You don't usually hear those words together in the same sentence. Security you hear is complicated and you hear it's scary and you hear it's expensive but you don't often hear that it's simple. So I try to be the one person in the security world that takes all the crazy tech out of it and talk about some of the basic things that we can all do regardless of size or budget to provide a baseline of security for any organization regardless of size. So a little bit about me. 
Becky did do my intro. Thank you for that Becky. I spent about five years in the federal government prior to joining Symantec almost two years ago. I was not one of the people that made you take your shoes off when you had to go through security so please don't throw anything at me. I will say that one of the greatest things I got out of working at the Fed though is I learned how to do a huge mission with very, very little. We were spending your tax dollars to make sure people were doing the right things with their computers. And we just figured out a lot of ways to be creative and how to talk to people correctly and how to make a difference with people's behavior and not spend a million dollars doing it. So we got a lot done there. When I moved to Symantec I was very excited to be part of the private sector because you can get things done faster and we have a little bit more leverage for creativity but there's also a little bit more pressure because I am an army of one. When people ask about my team or my staff I jokingly say that it's just me and my six other personalities. But otherwise we are charged with securing the company that secures the entire world. We are a $8 billion global organization. So there's a little bit of pressure there to make sure not only that we are protecting ourselves and our brands and our employees but also by extension the millions of customers that we have both on the enterprise and consumer side. And finally probably the biggest, most important piece to me is I have three kids. My youngest is seven months old and the only thing he wants to play is my phone. So clearly we are in a world where children growing up are living in a digital age and an on-demand age and technology is going to be a huge part of their life. We'll probably drive to most of it. So it's important to me for my mission to make sure that we all have the right information and the right tools and tips to protect ourselves when it comes to security. 
All right, my slides aren't advancing. What did I do? No, there we go. We did talk about the agenda a little bit so I'm going to skip over this. Quickly, we are going to go through a little game to play the problem because it's a little bit more fun that way. We'll talk about kind of how common the solutions are and then why we do it a little bit differently at Symantec, and then some information to help you guys get ahead. So in terms of our game, let's start here. I'm really interested in this information for you guys. All of this information, by the way, was taken from Symantec's Internet Security Threat Report. We publish it every year. It's a big scary document that gives the state of the world. But there's a lot of great information in it so I'll make sure that Becky has that link to share out. But for now, how many zero-day vulnerabilities were reported in 2014? And just in case you all don't have a CISSP, a zero-day vulnerability is one that pops up and we have absolutely no defense against it. It means it's something we've never seen before. It's a vulnerability that can be in our systems and networks that we're not protected against yet. We have to figure out a defense that we can put into place in order to provide protection. So do you think there were 18, 24, 12, or 8? Go ahead and click on those radio buttons and click Submit. We'll give a few more seconds so everybody can participate in our little trivia quiz here. And I did just chat out the link to the Threat Report. We'll also include that in the post-event email and in the slide deck that you get. So no need to copy it down right now if you don't need it. But if you want to go and look at that report, there's tons and tons of stuff in it that's really great and compelling and frightening. So I'm going to go ahead and show the results. It looks like the majority of folks, well, 37%, guessed 24, but following pretty closely behind, people thought the low end of 8. So which is it Kelly? Tell us. It is 24. 
So you can see there's a little tracking graph here about how many vulnerabilities have popped up. It's a little bit scary that it rose dramatically in the last couple of years. We put the Threat Report out, I want to say, in the mid to late spring normally. So it will be interesting to see how it looks next year. But good guess, guys, and good participation. Thank you. So as a follow-up question to that, the top five zero-days, they came up out of the 24. How long do you think they left companies vulnerable? I mean, it can't be that hard to fix, right? So do we think it was maybe just a day? Usually if we have an IT issue, most of us can get it fixed in a day. Was it 2 weeks, 180 days, or 295 days? And for those of you who opened the slide deck that was sent with the final reminder, no cheating. Well, okay, you can cheat if you look. But go ahead and answer what you think. And we'll talk a little bit about that. But again, these are these threats that showed up with nothing, no preparation, no idea that they were coming, and just happened, and suddenly responses need to be built right away or as quickly as they can. And go ahead and make sure everybody has a chance to chime in. Give just a couple more seconds and then we'll show the results. And fortunately it looks like not too many smarty pants in this answer. Looks like the great majority thought 2 weeks. Almost half of our audience thought that the vulnerability lasted for about 2 weeks, and 40% or so, almost 40%, thought 180 days. And you know what, you're all wrong except for the 7% of you. 295 days, folks, is how long the top five zero-days left them vulnerable. So that means, and that's probably an average, right? So there were a few that got hit for longer than that and a few that were maybe in that 100 range. But 295 days is creeping up on a year. That's a really long time to have a vulnerability in your environment that you're not aware of. 
Or if it had been in there and you couldn't protect against it, that's just absolutely terrifying, especially depending on the type of business you're in. I can tell you if that happened to Symantec, we would be crippled. That would be the end of our company. But these are the types of things. And as we go through this trivia, the point is not to terrify everybody. It's just that the world is bad, and it's a lot more fun to describe the world and this environment by playing a game than it is to make you listen to me drone on in tech speak. So the next one, what do you think were the top 3 causes of data breaches? Think about that just for a minute. Go ahead and just chat your answers in, what you think may have been the top causes of data breaches. Do you think it was spam? Do you think it's coming from people accidentally using really bad passwords? Do you think it's from intentional malicious theft? Go ahead and let us know and I'll read some of the answers off that come into our chat. We have employee emails, hackers, email Hillary Clinton, employee activity, human error. That one actually really makes me kind of chuckle. Credit card hacking. Let's see what else is coming in. Good guesses: spam, phishing, infected websites, employee activity and hacking, vulnerable websites, email attachments, internet sites, embedded links in email, malicious hacking, bad passwords. Lots of good guesses here. Flash drives. Yeah, that's another good one. Yeah, lots of good guesses and all verifiably not good things. So what are the top 3? So just a quick graph to show you guys how we broke it out. About 50% were malicious attackers, so bad people doing bad things for bad purposes. But it's really interesting if you look at the other side of that: that other 50% was accidentally exposed information or theft of a device. 
I mean, if you think about how we hear, I mean the OPM debacle of this year which had, having been somebody that held a top secret clearance, I've now received 4 letters from DHS reminding me that the Chinese have my information. But over 40% is accidental. And then the insider theft is here as well. And it's really important. I've spent a lot of time on the insider threat program at TSA and I actually partnered very closely with our insider threat program manager here at Symantec. Sometimes insider theft is intentional. In fact, a lot of times it is: you have disgruntled employees, etc. that have access to things they're not supposed to. But a lot of times that can be unintentional too. And half the time we give messaging to people we remind them that you would never think of yourself as an insider threat, but you certainly are if you're not doing the appropriate things with passwords and managing phishing, etc. So we make sure to remind everybody of that. Okay, I think this is our last one. So in 2014 we analyzed over 6 million Android apps and found that one in how many contained malware, do you think? First of all, when I read this in the report I was shocked that there were over 6 million Android apps. I think I have 3 on my phone. So I was really excited to see that this many were out there. See, now I'm on the other end of the spectrum with my Android device. I have probably 150 apps, so it scares me to think about the percentage of those that will likely contain malware. And I'm sure this is not exclusive to Android apps. I'm sure that other platforms, Windows devices and Apple devices, probably also have malware in their app stores. But this specific one is just highlighting the Android statistics. We have just a few more seconds for people to weigh in. One in how many contained malware? And I'm going to go ahead and show the results. It looks like people were smart, almost 40%, 37%, 36% saying 6. Go ahead and tell us what our answer is. Correct. 
We had 6.3 million apps that we analyzed, and 1 in 6 were classified as containing malware, which is pretty shocking. I use this actually as a discussion point with my kids when they want to download a new game on an iPad or on my phone every 15 minutes, and I remind them that just because they say they're free doesn't mean that's a good thing. That makes me want to go delete some stuff from mine. Okay, so we don't need to belabor the point. You guys get it: the world is full of stuff. It's scary and big, and we know that and we see it in the news every day, and we are affected personally by it if identities are stolen or our credit cards are stolen, and professionally if our identities are stolen or if we have network issues. So the idea for this presentation is, how do we move forward from that? Protection strategies vary. You guys have very diverse organizations, probably not big sums of money to spend on your security, so what do you do? Funds are limited for everybody. Even for Symantec, we do not want to spend every dollar we have on checking our network, although I think we come close. And finally, the tech speak isn't for everyone. I am certainly not a technical resource. I will tell you that I have a background in security training for a long time now, but prior to that I did a stint in HR and I have a business degree. So not everybody knows how to handle security and technology because it's very intimidating if you don't have all the certifications and you're not a 5,000 by 3. That is why we focus this presentation on more of the simple security and what you can do to start with your people. So for Symantec, you may or may not know that because of the size of our company and the business that we're in, we have some very strict requirements for our security awareness training. 
It seems like an add-on for a lot of people, but more and more as time goes on we're realizing that a lot of our customers and partners are realizing that it's absolutely critical to complement your technology with decent training for your folks. Because I say all the time you can't solve a technology problem or a people problem with a technology solution. And if you think about it, we have partners that will spend a million dollars on an intrusion detection system but not teach somebody not to click on a phishing link in an email. And if you don't do that, you just flushed your million dollars down the toilet. So for our requirements, you can see here we have to secure our network and data to protect our brand. We have very, very strong compliance requirements because of our credit card processing and all of the data and customers that we have, so we are very, very careful about how we protect our information and who has access to it. Much like you, we have to spend our money wisely and we have to show improvement and impact. I'm not able to run this program unless quarterly I'm able to show that it's making a difference, that people are participating, and that we are seeing a reduction in incidents that come into our security operations center. In terms of tangibles, I have to conduct a lot of training both for our new hires and on an annual basis. And it is happy to have several security awareness months. We have a massive program going on this month to engage our employees and get them to celebrate security. And overall, just find ways to get our employees to care. We take our core values at Symantec very seriously. And the first one is called do the right thing. So we're trying to remind everybody through all of our communications and activities that it's critical to do the right thing when you're working in security. 
The difference in our model: if any of you have had any baseline security awareness training or you're familiar with it even at a base level, most training is driven by compliance. NIST tells us it's the right thing to do; PCI or SOC compliance or ISO or any of those tell us that you have to have training. So oftentimes it is, if I've checked the box for compliance, I must be secure, right? Clearly not. If that was the case, then OPM wouldn't have gotten hacked and we wouldn't have had that be an issue that we did. In my model, compliance and security are not the same thing. And I'm honestly pretty sure that's how I got hired to do this job. I feel like we will make all of our compliance requirements, but it's critical to make sure we are thinking about the security of our people, of our systems, of our data, of our networks constantly, outside of just taking a checkbox training. Awareness doesn't equal a change in behavior. I saw this in a presentation that a good friend of mine who owns a security company gave. And my favorite way to talk about it is to say that I am 100% aware that I need to get up every morning and go to the gym. I'm positive I'm aware of that. I'm sure that when I roll over at 5am in the morning I know I'm aware I need to go to the gym, but that doesn't necessarily mean I get up and go. So where is that bridge between being aware that you're supposed to do the right thing and actually changing the behavior? What's the connection between the two? And that's the driver for us at Symantec in our program. And finally, talking at and talking to. The way that I clarify this is, when you talk at somebody you're telling them something you want them to know. When you're talking to somebody you're having a conversation and you're giving them information that they need. This was critical in our program at TSA. 
I honestly took all of this piece here from my experience there, because we would go and we would travel to 30 airports a year and we would work with these folks that sat on the checkpoints at 4 o'clock in the morning, and the public hated them because they kept making them take their shoes off and their laptops out of their bags. They make very little money. They have to work odd hours. So it was interesting talking to them about what was important to them with cybersecurity. And lo and behold, we found out that we could sit there and talk about policy and people would nod and smile, or we could sit there and talk about how their kids are using social media and how to protect their mobile phones. And that started the dialogue. That got people realizing that we really wanted to give them information that was valuable to them. And once we went through all of that, then they wanted to hear what we had to say. So it's about making sure when you're sharing security information that you're having a dialogue that's meaningful to people. So how I define success. I created this slide, believe it or not, 18 months ago or 20 months ago when I started at Symantec. So I want to make sure that people do the right thing with their computers and I want it to be as natural as putting on a seatbelt. When was the last time you got in a car and thought about putting your seatbelt on? Probably not, because most of us were kids when they made it so everybody had to wear one. My kids, they were tiny. They know that they have to put their seatbelt on. So they don't even think about it. And that's kind of where we want everybody to be. We want you to lock the doors when you leave the house. You don't need training for that. You don't need somebody to tell you through an email marketing campaign or training every month that you need to lock up. You just do it. 
And that's kind of where we're going with our program. Through getting the right messaging and providing the right types of materials, we are making this natural behavior for our employees. So getting to simple security. This is the stuff that everybody should have in place, that we think is the right thing to do, a real baseline for you. Again, based on the audience, I wanted to provide information that you could take with you tomorrow and use. You're going to get a copy of these slides. You're going to see the recorded webinar. So feel free to take any piece of this that you think is useful and implement it or find more information about it. And we do have a where-to-start slide at the end of this presentation. First, basic security in terms of software and hardware is required. You want to have antivirus. You probably have a firewall set up. It really just depends on your type of organization, what your network is like, how many people are in it, if it's open to the public. All of those factors can kind of weigh in. But it sounds like, just based on the quick poll that Becky had early on, I'm seeing that everybody has some sort of security software in place. So that makes me very happy. Also, make sure you update that security software. I remember 10 years ago I bought Norton Antivirus, actually from Symantec, for my home computer. And I would pay for it every year and think, why do I have to pay another $69.99 or whatever it was back then? And now I realize, when I see the inside of it and what goes into protecting against all of the new vulnerabilities that come up every day, you need to make sure that whatever security you're using, it doesn't matter if it's ours or anybody else's, you have to make sure that it's up to date because that's going to give you that baseline of defense. When you add on to that, if you think about it, protecting your people is easier. First of all, it's basically free. 
I mean, if you have money that you want to spend on security awareness training, I could tell you how to do it for $15 or for $50,000. It really depends on what you want to do. But it's a good way to start because, if you think about your security software as a basic perimeter, now you almost have all of your employees, if you've engaged them correctly, in that next line of defense. And as I mentioned before, good behavior does transcend the walls of work and home. So there's no "do the right thing at work" and then separate information for "do the right thing at home." It's just do the right thing, because we're basically a mobile workforce now anyway. Most of us have a mobile device, an iPad or a tablet, or we talked about the phones earlier. All of the things you're going to learn here today affect everybody, whether they're at work or at home. So it makes it more relevant for them. And along with the basics going a long way, I always like to point out and remind people that everybody is a target. Most of us don't think that we are. A nation state is not going to be after Kelly Bray who lives in Fartisfarge, Virginia. Maybe not. But they might be after the Target Corporation that got hacked not that long ago, or any of the major breaches that you've seen in the news including OPM and TJ Maxx and Sony and everything. Every one of them has gotten hit, so nobody's safe. So you want to make sure that you remind yourself, honestly, your families and your employees, don't ever think that you're immune. Everybody is susceptible to phishing and spam. Most people have gotten them. And I want to make sure you just know that if you start with that, every time you look at your phone or open your computer and you go, hmm, maybe this sounds too good to be true, or maybe this doesn't look quite right, you're already halfway through the battle. So let's start with passwords. And this is my favorite one. 
And I know that passwords have been beaten to death. I know we have too many passwords. And I'm sure sometime very soon software will be developed so we only have to have one. I won't trust it. That's just me, because it makes me very nervous. Yes, you need to have a complex password. And I will combine these first few by saying please make sure it is complex, and here are some quick tips if you want them. Replace the letter A with the little at sign, which is Shift plus 2, or replace the 1 with an exclamation point. These are really simple things you can do, or an O with a 0. Simple things you can do to have a much more complex password. And I know that it sounds silly that I have to take it to that level, but you would be absolutely shocked that there are millions of people that have a password that is "password." They still do it, even now that it's 2015. So make it complex and do not use any of your personal information. I would love to because it's easy to remember, but this is where I have to go on my little social media soapbox. Anything that you put about yourself on LinkedIn, Facebook, Twitter, wherever you have it, can be found and can be used against you to find your password. For example, I just put a thing up about two months ago: my daughter turned 10, Haley. Her first name is Haley. She was born in August, on the 4th. That's when I posted her happy birthday. So if I am a hacker, I'm going to go, let's do that. Let's try Haley0804. I would say that was my password for years until I started doing this for a living. Wow, that's silly. Because if it's your first name, if it's your family name, your pet's name, any dates that you recognize, any combination of old addresses, or if you think about it this way, if you go into your banking site, mine asks me security questions. How many of them say, what was your first car? Or where did you go to elementary school? Or when did you graduate high school? 
All of those things are information now that people put on Facebook. So just think about that when you're creating your password. Don't put anything in there that you know is already online somewhere. Change it as often as you possibly can. One thing that's not in here that I always recommend is have something completely separate for your personal financial transactions. And this is me just talking to you as people outside the business realm. If you have an email address and a password that is just for your credit card and banking sites, you will save yourself a ton of stress and hassle, because you will know pretty much anything that goes into that email address is going to be spam, because you're not giving it out to anybody. So that's just the tip of the day. In terms of remembering passwords, that's kind of difficult sometimes. We have a million of them, including myself. And this is something that I've employed for a long time, and that's to use a passphrase. So I'm here to reach out to any of my Billy Joel fans out there and show you an example. If you want to have a good password that you can remember easily, pull it from a song lyric or the punchline of a joke or something hilarious that you saw from a comedian or one of your kids said that you can't get out of your head, and just pull the first letter from each of the words. So for example, New York State of Mind, one of my favorite songs. I'm a big Billy Joel fan. NYSOM. All I did was add one, two, three and an exclamation point. That is incredibly simple to remember. It's incredible. I did see a chat pop up on the bottom. PII is Personally Identifiable Information. I apologize. I am guilty of being in the government for too many years and we speak in acronyms, but that's what that is. So in terms of creating your password, use a passphrase that's simple. And it can last you a really long time. I mean, you can go through your favorite sports team rosters. 
You can use just about anything that's comfortable to you, that you know, but that nobody in a million years would think of. So hopefully you can use that, and it's helpful to you to introduce it within your organization. Just more basic tips here that you should share and be aware of. One, if it's too good to be true: we're again a mobile workforce, everywhere and every day now. I mean, Chevy makes cars with Wi-Fi now, how amazing is that? I still have to figure out how that works, but you can get on the Internet anywhere. And it's really nice when it's free. You can go to an airport, you can go to any Starbucks, a lot of the Panera Breads have it, Chick-fil-A, really any restaurant that you go to these days. They want you to sit and stay and work and spend your money there, so they're going to give you free Wi-Fi. Just please remember that that is not designed with any type of security in mind. It's designed for availability, so they can get as many people in their seats drinking $8 coffee as possible. And don't get me wrong, I love working at Starbucks. But if you have information about your organization that you are processing, and you have a VPN, use that. Otherwise, just avoid it when you're on the free Wi-Fi, because it's an amusement park for bad guys. And we've seen lots and lots of examples of that. It's also a place where people leave their computers. You'd be surprised. We see it all the time at the coffee shops near us: people will just get up and go to the bathroom and they'll leave their purse, their laptop and their phone, because there's a comfort level there. Starbucks designed it that way, which is wonderful if you're comfortable, but don't get so comfortable that you leave everything behind. So be careful when you're on an open Wi-Fi, and just be mindful of the work that you're doing, both on a personal and a professional level.
I wouldn't process any type of financial data that anybody could easily grab from your machine, or from any web traffic that you're doing, if you're on a free Wi-Fi. The free USBs are also something that I warn people about. And I have a great example that I shared with Becky the other day when we were talking through this presentation. So USB sticks are neat. They're great file storage, plug-and-play. They're very useful. When I was in the government we used encrypted thumb drives, and they were very expensive, but they were worthwhile because they're the only ones you could use where you can be certain that they wouldn't share and grab the badness from the various computers that you plug them into. About five years ago, when I worked at TSA, I worked in our critical infrastructure mission and we worked a lot with the postal and shipping sector. And I was asked to give a presentation about our program down at a national postal forum in Florida. And right before me one of the presenters was from the Postal Inspection Service, and he had one of the best presentations I've ever seen. He had several videos. He had really interactive data. He had lots of graphics. It's exactly the type of stuff you want to give people in a boring government presentation, because it looked fantastic. And he was really excited to tell everybody at the end that they didn't need to worry about trying to download the file somewhere or asking for copies of the slides, because they were going green. They weren't printing things out anymore. Instead he had boxes and boxes of these in the back of the room. They were USBs, but they looked like plastic credit cards, and you could flip the little thing around to expose the USB connector, and the entire presentation was loaded on it. And as fascinating and wonderful as I thought that was, I sort of stood in front of the boxes and hid them, because every single one of them had a "Made in China" sticker on it.
I'm like, come on guys, let's think about this. In fact I brought one back to our forensics lab just for fun, but just think about the source of it and where things are coming from. If anybody has ever heard of Stuxnet, you can Google it if you like. I will tell you that there are rumors somewhere along the line that it was started because whoever plugged the USB into the reactor actually grabbed it from a security conference. They grabbed the USB at a security conference. So I'm sure that'll make a great movie someday. There's probably one or two of them out there, but just beware. If it's free, you just want to be very, very careful, because you never know where it's coming from. Physical security, we already talked about a little bit. And in terms of managing sensitive data, I know lots of you will probably process, or don't process, different types of data, but anybody that works with you, if you have their financial information, et cetera, you want to make sure that you protect it like it's your own checkbook. So you don't want to leave sensitive documents lying around. A lot of times we find that our insider threat cases start that way. People will print something out and then leave it on the printer, because a lot of us don't print as much anymore. And then we find it on the printer three hours later and have to go, okay, where did this come from? How long has it been here? Who had access to it? On social media, I talked a little bit about Facebook earlier, but I also want to make sure that I bring up these points to all of you because, again, as we talk about doing security awareness and having the right training in our organizations, even at a baseline level, it's really good to talk to people about social media, because most people don't just share personal information. They talk a lot about work as well. So in terms of the basics, I always say that the Internet doesn't love us back, because the Internet is forever.
Once it's out there, you can't get it back no matter how hard you try, and you can't control what anybody does with it once you put it out there. My rule of thumb is that if you wouldn't put it on your front door, you cannot put it on Facebook. And by Facebook I mean everybody else too. There are a billion people on Facebook, so I assume most of you have an account. I do. But that's just the rule of thumb. So it's something good to share with everybody, and believe it or not, there are still people every day who post: they check in here, I'm going here, my flight leaves here, and I won't be back until three Sundays from now. I just never understood why people have to share every bit about when they're not at home, because I think that leaves you vulnerable. It's really important to update your privacy settings. Facebook is designed to be wide open. They don't want you to be private, because then their marketers can't get to you successfully. And that's how Facebook makes money. So just make sure that you update those privacy settings as often as possible, and you encourage others to do so as well, because if you're leaving things posted for friends of friends of friends, those are strangers. A buddy of mine used to say in one of our presentations, would you share a bottle of water with a stranger? And people would look at him and go, that's absolutely the grossest thing I've ever heard. He's like, yeah, but you'll give away everything about what you're doing today, where you're going tomorrow, all of your personal information. And if you think about it that way, it's a good way to make you stop and think. And finally, another tip of the day for social media, and this has to do with your cell phones. Do you know what geo-tagging is? You don't necessarily have to chat in, but I'd like to remind everybody that I would get lost getting to the end of my street. I rely on the Google Maps on my phone far more than I should.
So I always have the GPS on, because then I can just look, or I can talk to it and tell it what address I want, and then it pops up the map and gives me my directions. So by having the GPS on all the time, there's a function that's enabled. Say I take a picture and we are at the pumpkin patch down the street this October, and I post it to Facebook. If I still have that setting on, anybody who can access the picture, all they have to do is mouse over it and they can see the exact GPS coordinates of where that person is. So just another tip of the day for you and for your families, for your teenagers especially: if the GPS is on on your phone and they take a picture and post it to the Internet, regardless of whether it's Instagram, Snapchat, you name it, the GPS coordinates will be there. Okay, and finally, phishing. And I think we're doing great for time. I'll be done in five minutes for you to hear from Becky. So I am incredibly lucky in that I get to spend probably a third of my time phishing some of the employees for a living. I was given the funding and the tools to purchase a program called Blackfin, which ended up working so well for us that we purchased them as a company. Symantec acquired them back in August. And I go through and I phish everybody in our company between three and five times a year. Nobody is safe, probably except for me, although I wonder if somebody in IT phishes me for fun too. But I've phished our executives. I've phished their administrative assistants. I've phished everybody in our Asia Pacific region. Every accountant in Europe, you name it. I can break it down by roles, by geographic regions, etc. And it gives us some incredibly interesting data on where we need to target our training better. For the most part, our employees do incredibly well. And they enjoy the program. They get a lot out of it. They have contests among different groups to see who can do better.
In fact, part of our security awareness month celebration is giving our employees an opportunity to win a prize by helping us design phishing emails that they think would work really well. So the reason that we pay so much attention to this is that, as I mentioned earlier, no matter how hard you work to harden your infrastructure, or how much time you spend to keep your network safe, all it takes is one person clicking on a link. That's it. And then all of those defenses you put into place are not going to help you. So it's really important that you spend a really good amount of time talking to people about phishing and how to avoid it. So the first thing that you and everybody that you work with needs to know is not to open emails from people that you don't know or that you don't recognize. Now, understanding in business, that's incredibly difficult for most of us to do. I say that understanding that when you have customers, you're not going to know all of them personally. So what do you do then? Mostly it's just take a look at the email address. Verify it. Is it something that looks normal? You know, if I normally send you something from kelly.bray, or I'm actually kelly_bray, and all of a sudden you've got one from kelly.bray with my first name spelled wrong, or with an extra A in my last name, or something scary like that. They get missed very often. And another tip is that they mostly get missed on mobile devices, not computers. And I separate those out because we sit in front of computers all day and the screen is bigger and we have our Outlook or whatever our email client is up, and we pay really close attention there. Most of the people, when they do fail our phishing test, it happens because they opened it on their iPhone or on their Android device. So be very careful when you're looking at email addresses there. Also, read the message and see if it makes sense.
If there's even a tiny little thing that makes you raise an eyebrow, just pick up the phone and verify. We had a couple come into Symantec not that long ago where some of the people in our finance department were getting emailed directly from the CFO, and when they looked at it again they realized that wasn't even the CFO's email address. And it was about, I really need to get in contact with you about making this wire transfer to this specific account. Of course not. For those types of things, if it doesn't seem like it makes sense, if it's really out of context, rather than clicking on the link in the email, or even replying, because you don't want to validate to the phisher that you're there and paying attention, just pick up the phone. Spelling and grammar, they seem basic. I know that spam used to be so easy to spot, because you could really tell that it was written by somebody who didn't write in English for a living, or in your native language, depending on where you are. It was pretty easy to figure out that they were spam, but our phishers have gotten very sophisticated. So keep watch for the tiny little errors, like the use of "their", "there" and "they're" spelled three different ways. If it's not the right one and it's an email supposedly coming from Discover, they're going to have a marketing person that vets their emails, so it's not going to be wrong. If it's too good to be true, it probably is. I'm sorry, you're not going to get a $10 trillion check from the Nigerian prince if you just give them your Social Security number. I laugh at that saying; most of you, I'm certain, are absolutely aware that's true. But we also see people still fall for it. And there are always going to be people in our lives that are not as security-aware as you. So it's important to me, as I mentioned in the beginning, to give you all as much information as possible to pass on to other people.
You know, grandparents, they have email and they fall for this stuff all the time. So just to give you a quick example, and then I'm going to turn it back over very quickly to Becky here, I just wanted you to see one of the examples that I sent out to phish our employees. It looks like it's coming from me, but you'll see there's no signature. We sent this to a group that came to our Global Security Conference from EMEA. So for us that's Europe, the Middle East, and Africa. So we had a whole group of people come to our field conference, and it was in Las Vegas, and the week they got back we phished them, which is a terrible thing to do but incredibly effective as well. Because it's in US dollars and it shouldn't be. It shouldn't be. It should be in their native currency. You'll see it's a second notice. But is it really? Did they really receive a first notice? It's from somebody named Expense Team. That's not even the name of a person that they could go in and verify. So this is just a quick example of the types of things that at first glance can look legit but wouldn't necessarily be so. Okay, so how to get started, and then I can turn this back over. There's a lot of free resources out there. If there's anything in here that you found useful, you can certainly take it. And I hope so. I hope that there were tips for you and for your family, for your friends, for your customers, for your constituents, etc. Also the National Cyber Security Alliance, which is at StaySafeOnline.org. I'm sure they'll share that out after this as well. They have a lot of strategies for individuals, for small businesses, for training. They have lots and lots of links for free virus scans. So if you're one of those people that didn't have some security in place already and you wanted to get a free scan, it's absolutely out there. There's a lot of baseline training if you're not sure where to start. YouTube, too. Norton actually publishes what are called 30-Sec Tech videos. They're great.
It takes a lot of the really technical terms that are out there and breaks them down in 30 seconds. They're cool cartoons. You could even use those to train your employees and to train yourselves if you want to. I always say baseline policy, because you really have to let people know what they are and are not allowed to do. Don't assume that people think they can access whatever they want on the Internet, or that they don't have to change their password. Sometimes just a one-pager that says, do you understand that these 25 things are really important to our company, or to our library, or to our nonprofit, and sign the sheet. And that just reminds them that it's important to you, so it should be important to them. And as I mentioned earlier, keep those patches up to date. So I am a few minutes over. I did see a lot of things slide by in the chat. If we have more questions and time, Becky, I'm happy to take them, but I want to send it off to you next to kind of talk through the tech pieces of this that come next. Terrific. Thank you so much for that, Kelly. And I love the idea of friendly phishing your own staff as a way of testing who falls for it and providing some learning opportunities on those security best practices. I think that's a terrific way just to highlight that, yep, it can look convincing, but it might not be real. So really carefully inspect those emails before you're clicking on attachments and opening things. That's a great idea. So I'm going to jump in really quickly to just show some of the options available through TechSoup's donation and discount programs with different vendors, including Symantec, who has a big donation program with us. And I want to go ahead and just show where folks can find some of the technologies available on our site. But these are not the only ones. Many of the ones that we listed out in that poll question at the very front end, some of those are free.
Some of those may also already be included with software you have on hand, and you just need to turn them on or turn on automatic updates. So keep in mind that these are really just a resource if you're needing to change or upgrade or adopt some technology for your security. If you need antivirus, if you need endpoint protection, depending on the size of your organization there may be different options that best suit your needs. And we have a variety of resources on TechSoup's site to help you determine what those might be. So the first being Symantec. Since Kelly is joining us from Symantec today, I wanted to talk quickly about their program. If you go to TechSoup.org/Symantec you can click on this big blue box that says Browse Symantec Products. And then it takes you to a page where you see this drop-down up here, where you can see Symantec Norton products. And these are primarily geared toward organizations with fewer than 20 seats, or staff people, that need to have antivirus or security protection. And so Norton Security is a single package right now that you can get a subscription for, for one year, and it comes in different numbers of devices. You can get it for one device, five devices, 10 devices, 20 devices. Once you move up from 20 devices you're really looking at something that's more of a small or medium business. And so you would select this drop-down and you can be taken then to Symantec Small and Medium Enterprise Products. How handy that is. And I'm not navigating this directly on our site, but you can see that there are tools like Backup and Restore programs, Endpoint Protection for small businesses. These are donations, so check out whether you're eligible; organizations like churches may not be. We do have some other tools available on our site that you may qualify for and be eligible to request, like System Recovery. So again, these are programs that are available. You can find them all in more detail at techsoup.org/Symantec-catalog.
But you'll see on the side over here too that on all of these pages we have all kinds of resources. If you're looking to prevent disasters, having Backup and Restore and Recovery products is a big part of your disaster planning and preparedness. If you are looking to learn more about Cyber Security Awareness Month and how to engage in that, you can learn about that. If you want a guide to the Backup and Recovery products that helps you compare the different options out there, we've got resources linked on all of these pages. Just to show a couple of other different products that are on our site from partners, you can look at Comodo. They have both a donation and a discount program. So everything from an app that you can have on your mobile device to help secure it, to secure sockets layer, SSL, which is where you get the little HTTPS in your address line for your domain name. And then also these products that are Internet Security, Anti-Spam. So lots of different products available through our site. That's with the Comodo program. Bitdefender is another one. Again, find that at TechSoup.org/Bitdefender. I've included the links that are clickable at the bottom of all of these pages, where you've got antivirus options, Internet Security options. This is again, if you're with an organization like a church or a religious group, you may not be eligible for the Symantec program, so this is an alternative for you. But you'll see again that we've got security resources for your nonprofit or library. We've got a lot of resources to help you select the products and compare them to find the ones that best suit your needs. MailShell is another one, where this is an Anti-Spam desktop product. And so there's both a discounted product and a donated product. You can see about things you can do to prevent spam.
So the last one I'll show before moving into questions is Red Earth, which is another program that is specifically for helping you filter your email, to help keep that phishing and spam out of your inbox. So it's another option for you if you're interested in it. Again, check those out, and the resources along the side for all of them. You can find more and ask questions in our security forum, which is exclusively about security. So you can go in there and ask about specific products, ask what might be the best for your organization's specific needs, ask questions about policies and get examples from experts in the community. And you can also check out some of these resources I shared out, the link earlier to the Internet Security Threat Report that Symantec created. And it is really the preeminent report that's evaluating the threat landscape out there. And they add pieces and publish new reports every month on what's happening out in the world. A link to the post that we're doing about Cyber Security Month and the different resources that we're creating, that we do every October. We have a guide, it's a PDF that you can check out, 12 Steps to Stay Safer Online, that includes some similar things to what Kelly shared. Again, we have a whole category on security that includes articles, how-tos, blog posts, webinars, all kinds of things. And then we ran a webinar specifically with Symantec on their Norton Security products earlier in the year, so I wanted to highlight that too. So with that, I'm going to go ahead and jump us into some questions for the last few minutes here. You know, Gwen asked a couple of questions about what is typical malware? What kind of stuff are you finding in the apps that people are putting on their phones? Do you have examples of what those look like or what they're doing when they're on mobile devices? No, but I can easily get them for you. I try to stay away as far as I can from the high-tech stuff.
I leave that up to the SOCs, but I can absolutely share them. I was shocked at the sheer number, and I know a lot of them are out there dumped for free. So just be very careful. And also, a lot of the ones that we saw, if you get it on your phone, a lot of times it happens because they come through the kids, because they're a lot less security conscious than adults are. But if it immediately makes your phone act weird, get rid of it and then just do a quick scan. And also, having mobile security on your phone is highly recommended too. That's something I did this year for the very first time. I mean, Symantec obviously has products, but a lot of people do. It's just something to be aware of. Yeah, and a lot of times those mobile security apps that you can purchase are like a buck. I mean, they're really inexpensive many times. I mean, there are some that are more robust than others, I'm sure. And I would imagine that a quick Internet search would yield a lot of comparisons of what's out there. But there are many affordable options to help encrypt and secure your mobile device, which, like Kelly said, is just a little computer you're carrying around in your pocket. And it is probably the most common thing that's left in bathrooms and left in restaurants and lost, even though it includes passwords to your bank and all kinds of crazy access to apps that give your sensitive information out. Maria asked a question about what do you think about using biometrics, like fingerprints, instead of passwords? Is that a good alternative if people have it available in their technology? I think it's a wonderful technology. For us, that's the extra added layer in terms of physical security. Like if you want access to any of our state-of-the-art SOCs, I think we have a dozen of them across the globe, our managed security services SOCs, you have to go through biometrics to get in the door. I think it's probably expensive would be my guess.
So, depending, you know, you have to do a cost-benefit analysis for your organization. I don't see anything wrong with it whatsoever. Passwords can be stolen. They can be hacked. They're hard to remember unless you go through the processes I discussed earlier. So it might make more sense for your organization to go down that road. I know that biometrics are just going to get more popular rather than less. So it's certainly a way to go. Great. And it seems like it's the thing that they always focus on in all of the cool action movies. So it must be, it must be, right? Your fingerprints, your blood, the whole thing. They want to check you before you can get through the door. Exactly. Well, they should require that if you're launching nuclear weapons, like in every Mission Impossible movie, right? Let's see, we have a bunch of other questions. Do you have any tips on how to encrypt email so that a recipient can open it, like if there's a product that does that, where it will keep your data secure when you're emailing it but it doesn't become a hindrance to actually opening it? Because we know different platforms and devices can't always open it. There are a lot of email encryption tools out there. You just have to get the one that works for your organization. And we can throw out a couple of recommendations. I'm so glad you asked that question, because that's the second-layer security question that doesn't often come up. A lot of data breaches, many, many, come from people sending information that should be protected over regular email. We have to train our users all the time. For those that develop source code, just sending it to their Gmail account to work on at home is basically like giving it away for free. So excellent question to ask. We can put out some recommendations. One of the things you can do too, at least as a layer, is password-protect the documents that you're sending, because that's a start.
So if you're in Word, if you're in Excel, you can protect the document and then send the password. Make sure it's a strong one, based on our discussion earlier, and then send it in a separate email. So two separate emails, so at least the document is protected. But if you want your email encrypted, you should have some tools for that, and we can talk through that. Great. So we are almost at time here, but one quick last question. Do you think it's worthwhile to invest in things like wallets or phone cases that protect your cards or your phones from being read by readers when you're walking around places? Like, are there things that are detecting your data off of these devices that these special wallets that we've heard of can help protect against? They absolutely exist. And I will say, if you are going to a hacker conference, you should absolutely have one. If you're walking through your Walmart, probably not. But they're not very expensive. I was at brunch with my mom the other day and she had one. She's almost 70, and there she was. So clearly there's a market for them. I don't have one yet, but I have been thinking about it. So the tools are out there to get your data. If it's an inexpensive solution, why not protect yourself that way? I mean, it just kind of makes sense. Great advice. Inexpensive solutions, common-sense applications to things that you know you should be doing anyway, like getting up and going to the gym, which I never do either. But running those updates, making sure that your antivirus and Internet security programs are updated regularly. Those are things that are common sense, along with coming up with those secure passwords. I love your New York State of Mind example, because I think all of us have a favorite song that we could do something like that with, to create something other than our daughter's birthday, like you used in your example.
So take these ideas back and try to do your best to implement some of them at your organization, and let us know in the chat which of these tips and advice that Kelly shared today you're going to take back and try to implement where you work, whether it's for yourself and your own behavior, or whether it's helping your staff adopt better policies and better activities in the way that they manage sensitive information for your organization. I'd like to go ahead and wrap it up and say thank you so much to Kelly. We really appreciate you sharing some of your expertise today. I wish we had more time to tap into more of it. We'd like to invite you to join us for upcoming webinars and events, coming up on the 6th. You can join us on Twitter for our next NP Tech Chat, which is Civil Society Under Threat. You can join us on Twitter there using that hashtag. Learn more about it at the link there, which you'll be able to click in the PowerPoint after the webinar when you get it. You can also join us if you're joining from a library. Come and learn about Pinterest for Libraries, how librarians are using it to build community on the Pinterest social media platform. Then we'll be talking for a couple of weeks in a row about the new Microsoft Office. Office 2016 is now available, so definitely check it out. Join us on the 15th to determine if it's something that you want to upgrade to for your organization. We'll be talking about it also on the 22nd, specifically for those of you who are Mac users. So join us for that. And then I just put a little reminder in here that if you have heard about our Adobe Creative Cloud Contest, where we're welcoming your submissions of Adobe creative collateral, whether it's a poster or an invitation or a newsletter or what have you, you can submit that by the 15th for our next contest, where you can win up to $1,000 and some free Adobe Creative Cloud products. So check those out. You can also explore our webinar archives for more.
Join us at TechSoupGlobal, at TechSoup.org, on our Facebook and our Twitter. Lastly, thanks so much to ReadyTalk, our webinar sponsor. You can visit their donation program to learn more about the platform we used today. And when you leave this room, please complete the post-event survey that pops up when you close the window, so we can continue to improve our webinar programming. Thanks so much, Kelly. And thanks, everyone, for joining us. Have a terrific day. Bye-bye.