A little bit more than, I'm recording sorry, thank you for starting that. So we'll start with, with some quick introductions. So, I'm Michael Hernandez from Just Tech, my colleague, Tim Alkenfeld, is joining me on this and on the panel helping us with this is Charnell and Carlton. So Charnell is a consultant but has worked directly with legal nonprofits in the past and Carlton is working directly currently as an IT director for a legal nonprofit in Texas and Carlton is very active on the LSNTAP listserv. So I'm sure if you've, if you've read any of the postings emails that are on there, you've definitely seen him respond to questions that have been posted. So he is on this call just nice sometimes to put a face to the name, especially someone that has been as active as he is.

So the topic for today is cybersecurity training for your staff. This is everyone that's, that's on the panel. And, you know, we're all sort of easily accessible, you know, especially through LSNTAP. So, you know, if there's anything, you know, post this webinar that you would need, you know, have questions for with, you know, like some additional information. I'm sure any, any one of us would be more than happy to, you know, to help answer whatever questions that you have.

And, okay, so some of the topics, you know, that we're going to discuss. So why, why, why security awareness training. We're going to talk about the, you know, some of the methodologies of frequency, you know, how to reinforce supervision, talk, you know, show a little bit about costs and implementation and onboarding, because, you know, cost is important on, you know, and on if you're going to do it or not. So we, you know, thought, you know, including some information on there would be helpful. And if time permits, there are some other areas outside of training that, you know, we just wanted to sort of touch on related to security that we thought was would, you know, be worthwhile discussing.
I'm going to leave up this slide for, you know, for a sec. I think it has some, you know, some, some useful information I think, you know, especially the first one, right, human error is involved in, you know, 90% of data breaches. I mean I'm sure, you know, that number depending on the risk, you know, could go up, could go down some. But I think the biggest sort of takeaway there is, you could spend a lot of money on security and have different systems and policies in place to help secure your data. But your users are the ones that, you know, are at sort of the biggest risk of allowing, you know, unintentionally, you know, a breach. So that's really where sort of the training comes into play and helping them, you know, sort of understand. So, you know, how, how, how are these people trying to get my information and why and what are the different methods that they use, you know, education and knowledge is key. So if you have that information.

Hey Michael, you just muted yourself.

Okay. So, you know, having that that knowledge of how they're going to try is going to help. I mean, I'll tell you the ways that they do things are getting more sophisticated, they're very targeted. You know, especially, you know, when they're using social engineering, even with, you know, to give you an example of how they work around systems is if so, you know, in the past, if they would send you a link that was bad and you had a good, you know, email security in place, they would be able to, you know, they would know, okay, this isn't this is not a link that we want to sort of allow. And what they're doing now is they'll send an email with a link that's to a legitimate place. They'll wait 10, 15 minutes, 20 minutes, you know, whatever it is. And then on the back end, redirect that link. So the link where you that was going to originally take you now forwards you to another site. So what that does is it allows the email to get through and not blocked and then now on your computer.
So then when you click on it, it then now really takes you to where they want. So, you know, they're, you know, unfortunately, we're always, you know, one step behind, always one step ahead because they're, you know, figuring out ways to get through, you know, all the security that's in place. So this is where the training, you know, really comes into play and getting people to understand, you know, Oh, someone sent me a fax. This is not what I normally see. I shouldn't have to enter in my, my username and password for Office 365 to access, you know, something that is not on our system. So, you know, understanding all of that is important. And I go to the next slide.

Okay, so here, here's where I'm, you know, the rest of the panel is really going to start sort of. Sort of, you know, sort of pitching in so Carlton, I'm going to sort of pick on you first in terms of the types of attempts that I have listed here. What do you think you've tried to relate to staff, most on, you know, what, what, you know, what type of attempt to look out for most from this list.

And the common theme in all these are most of these is, there's usually a link inside the email. And that's, you know, really getting troubles they don't mouse over the link to find out where it's actually going to take me to just click on whatever they see. That's part of the training is it teaches you not to just, you know, just click on whatever you see in the email you have to look at the, the link works going and then look at the email address who's actually coming from is it. Is that really the executive director's email address or is that a misspelled version of the email address.

Right. So, you know, what Carlton's mentioning from this list, and as an example, is a, you know, spear phishing or clone right where they're impersonating, you know, someone that you know work with.
A lot of the times, you know, unfortunately, they're able to go to your website and see who's the executive director who's the CFO, you know, who the managers are, and then use that information to target you so, you know, they create a sense of urgency when they're sending emails from from upper management and you think oh you know this is an important email let me act on it right away. What Carlton mentioned was, you know, training users to, you know, look, look, look at the email scroll over and make sure it's actually coming from that individual. You know, as easy as it is for them to, to, you know, a spoof, an email address, it is harder to, you know, replicate the language that that person would normally use in an email. So that's, you know, definitely a telltale sign on, you know, is this something that this person would normally, you know, send me and so that's aside from, you know, looking at if the emails actually from them by looking at the email address it came from. That's, you know, that's another way, you know, to sort of, you know, to help.

Charnell, when, because you, you know, recently had a security system implemented, could you talk a little bit about, you know, sort of why you thought that was important for the organization.

I do think my first deep dive really into cybersecurity needs for either clients or the previous organization I worked with was I would say more in 2019. I'm based in New York and so the New York SHIELD Act was requiring all New York employers to be responsible and have certain types of safeguards in order to protect data and confidential information. And so, since we transitioned in 2020 into that remote format, it did create a new structure that needs to be implemented for that particular organization. A lot of my clients and organizations were quickly shifting from that full on-prem format to remote work.
And so simultaneously, the tech team had to really make those adjustments and either really look into our existing processes and then start creating new systems that we needed and connecting with new vendors and really launching that new tech. So it really was important for the staff to get trained on what this remote work would look like and what type of either phishing attempts or things that could impact our work. And also making sure that they were getting trained on those new systems that we're putting in place. So, you know, we all know cyber attacks and slow down, and we just wanted to make sure all of our client data was being protected.

Great, that's great for now. So at the bottom here, you know, so I wanted to start off one, so why? Why think about doing, you know, security training for staff? You know, so I've listed sort of the biggest reasons below in terms of what the hackers are trying to attempt, right? So they're trying to attempt to steal your credentials to access your data. You know, sometimes it's just to access your email to then send out additional phishing emails. It could be ransomware. It could be to pay a fake invoice. We've, you know, we've seen that it could be to change direct deposit information. I mean, that's that's been going on for years now as well. And I think this one's been going on for a while too. But, you know, I think a little bit more in play recently where, you know, they're trying to get staff to buy gift cards. So that's that's normally what I've seen. You know, sort of the clone where, you know, it appears a manager is sending an email to staff and trying to get them to purchase email. We actually had one, one organization that we were helping with recently where unfortunately, a staff person that was on the job three days. They fell, fell victim to that. And, you know, the executive director said, you know, so I feel like how would they know that, you know, this person just started.
I mean, how would they know to sort of target that that person like, I think her concern was, you know, was her, her email compromised. I can't say 100% that this was the cause but a quick, you know, sort of search of that staff member's name. You know, was able to find their LinkedIn page and they had posted on LinkedIn that, you know, they were going to be starting at this organization, you know, in a week. And, you know, this is, you know, they were going to be, you know, this is what they were going to be doing there. So this is where the social engineering, you know, anything that you, you post online, whether it's on the website, the organization website or your own personal website, they use that information, you know, to help, you know, narrow down sort of the target. So can I say 100% certainty that that, you know, LinkedIn was the cope, you know, what sort of help. In this case, I can't but more than likely that or, you know, if the user had posted somewhere else. That's, you know, how they were able to sort of target him, you know, so quickly from when starting.

So the smishing for those that I think a lot of people sort of understand these but the smishing is actually text messages. So you might receive a text message that's, you know, hey, you want a prize click on this or, you know, some other text that has a link in it. The Amazon order was delayed, you know, click on this link to get details and, you know, most of the time, the, the attempts are not ways that you would normally do business so, you know, that's that's a telltale sign there, you know, I don't normally get texts from Amazon, you know, about a delayed order, you know, I normally get that via email so I don't think this is legitimate and, you know, my best advice for, for any of these, you know, when in doubt, you know, look, look to, to contact the source directly. And unfortunately, email is not a good way to, to, to contact someone because if their account is compromised.
The person who has access to that account is going to be the one responding so but the phone is is typically the best, the best approach.

Okay, so, Carlton, I'm sure so you've had KnowBe4, just call by name, installed at your organization for a number of years. You know, there are a lot of ways to do staff training. Is there, you know, there's something that directed you to KnowBe4 or an online training platform that, you know, made you go that route versus other avenues.

Actually, I found out about them at an IT conference here in Austin called SpiceWorld. So I got a lot of information from them at their booth. And then they also have a free assessment you can take. So we did the assessment for this end up a phishing test. And we, I think we failed pretty miserably. I think we had a click through rate of like 40%. The industry standard for nonprofit agencies I believe is like 34%. So that was kind of an eye opener for us and that was, that was when I went to my manager, and I think we need to go ahead and implement this.

Great. Charnell, when, when you were thinking about training for staff, were you thinking about live training as an option?

As far as live trainings, I do think having trainings physically either in the office or in person are beneficial. A lot of times folks do tend to ask more questions in person. However, with COVID and with implementation of a lot of these trainings in 2020, things had to be done online. So the online presence did allow that flexibility for folks that were either far away from the office or decided to relocate during the shutdown. I do think either training is effective, but live trainings naturally are preferred because you want that face to face communication with your staff should they have questions.

Right. So live training definitely has some, some benefits. I think the challenge with only doing live training is, you know, that training is happening there at that moment.
I mean, yes, you can, you know, you can record it. But for the staff that missed that training, for the staff that you hire after that training, that, you know, so that's, that's the challenge I think you have with, with, with live training and, you know, those, those, the live trainings can be very expensive. And to record that training, you know, that, that content gets stale, you know, somewhat quickly right so from year to year, you're going to end up, you know, sort of doing that live training again it's, it's the one time live then you have the recording accessible. So, I think the live, you know, the live training does, you know, propose some benefits, but I don't think that's, that's the only way, you know, you do it I think the, you know, the online training. The advantages are right the content, you know, there's, you know, depending upon the vendor that you pick, you know, they can have an extensive library. So staff could take them at, you know, when, when time permits for them, you're also able to monitor who's taking it who hasn't, you know, some of the trainings are interactive. So, you know, there is a score that's kept. So, if, if there was, you know, I think, you know, my recommendation is, you know, if you're only going one way, you know, to do a training that I think the biggest advantages are the online training, because of because of all the added benefits and value that that that brings most.

So, most platforms that do the online trainings also allow you to do fake phishing test. And, and then there are some platforms that that's all they do. They'll just do a fake phishing test and, and what, you know, for those that, you know, might not be familiar. A fake phishing test is where you send out an email to staff, you know, you're using a bogus address, and you're making it appear as if it's a legitimate email.
And it's, it's seeing, you know, how far you go with the email, do you open the email, do you click on the email, do you click on the link in the email. Do you enter in any credentials, you know, to, you know, your username, your password, it wants to see how far you go, and then reports that information back. And what that does is that it allows the organization to know, okay, well, you know, we just sent this email out to staff and, you know, X amount of people, you know, if this was a real phishing a test they, they, you know, attempt they would have failed. So the fake phishing tests are helpful in that way to give the organization a sense of, okay, you know, who's, who's, you know, really paying attention to the emails coming in and not falling for the stuff, and who needs training. And a lot of the platforms what they'll do is if you fall for it. Then they'll, you know, they'll make you take like a refresher training, or, you know, or, or training, you know, specifically, you know, in the areas of concern so the fake phishing tests again. There's organic there's companies that that that's all that they do they don't do the other, you know, sort of trainings. So, you know, if you don't have an online, if you don't have a training platform in place. And it's something that you can't do. I definitely look to see about, you know, working with someone that could do the fake phishing tests to kind of just give you a sense of, you know, where your staff are with that.

And, you know, Charnell, in terms of, you know, frequency. Where did you land on and why in terms of how often you wanted to have staff trained.

Frequency.
I put them in two buckets like you have your standard regular trainings that I believe should happen monthly, which is what I rolled out for an organization for specialized trainings that occur should there be like changes in your contract contracts because some folks get a government contracts and have certain requirements they have to follow, or their state law expectations for them on how they're maintaining records and keeping cyber cybersecurity and data. And so should those changes occur just having some specialized trainings as well focus on that. And I'm an advocate that trainings in general shouldn't be one off. Also, as far as a frequency, I will say that it also depends on the industry, because there are different data management expectations so I always encourage companies or clients I'm working with to review what their document retention requirements are so you're really like taking the time looking at that data lifecycle how long you should be keeping those documents. That retention destruction of information at the end of that life cycle making sure that that happens in a certain manner and it is coupled with whatever security trainings that you're going for your particular company. Also, I do think it's important for organizations to really plan. Who has access to what and for what purpose right so you don't want to give a vendor or there's certain people in the organization that don't need access to certain data. You want to make sure that if there's certain things you want to limit they are limited to certain people. So making sure that those trainings really reinforce that. And they're also really in line and how you're structuring whatever program.

Great. And, and Carlton, and any additional thoughts there on on how you landed on the frequency for the training for your organization.

Yeah, so KnowBe4 hasn't every year they come out the new version of their training. As far as phishing test scale.
So we have staff are required to take that annually, and then the remedial training someone fails the phishing test. I mean, they have to take that every time they click on it so they usually learn pretty quick, not to start clicking on things. But we see that usually with new hires and then you know it just gradually goes away. But the annual training's about 45 minutes, 45 minutes long and then the remedial training's about 15 minutes. And then from both of those trainings there's a little test in between in the middle of the training to verify that they actually took the training.

Okay, you know for the people that are on. Could you talk a little bit about so, you know, in terms of the system that's in place. You know, is there, how do you see who's taking the training who hasn't, who's failed the phishing test can you talk a little bit about that.

Yeah, I get a weekly report of who's failed the remedial training. I also get a report every week of like, okay, this person hasn't started the training at all, or maybe new employees started and they haven't started their initial training. So I get a weekly report of that and then I don't have the setup you can set it up to where let's say after two weeks I haven't taken it and then their manager gets an email and you can set up to maybe another week later the executive director gets an email, we don't have that set up because we don't, we haven't had that issue but you can automate it to where it does that. And we send out phishing tests on a monthly basis so I find out pretty quick who's clicking through.

Great. So if you know on the screen that you know in terms of frequency right I have monthly quarterly biannual annual. You know, I think, you know, with understanding with all the work and all the other training that staff have to do, you know, committing staff to monthly is a challenge but you know I think it's it's something you know this this training should be taken serious.
There is a lot of, of, of, you know, content to cover right so, so one training whether it's 15 minutes, half an hour 45 minutes an hour. It really is sort of difficult to capture all that in one training so, you know, having multiple trainings, you know, sort of throughout the year is is definitely, you know, the way to go. But, you know, at, at minimum you've got to do annual but you know hopefully you're able to do, you know, something that's, that's more frequent.

Okay, so, you know, how, how to make this a success right so what are some of the ways, you know, so the, for the people that are listening now that are, you know, thinking about it or, or, or saying or joining because hey, you know, I've heard about, you know, security awareness training, you know, is it something that I should do why why is it important. But, you know, talking a little bit about how to make it a success. You know, Carlton, you had mentioned, and I think Charnell as well, you know, buy-in from from upper management, could you, I guess talk Carlton a little bit about why you think that's important.

Yeah, you know, usually with these types of projects, I asked for the funding and if I get it for the project and something like this I go straight to executive director and just say hey, can we buy in this you guys guys got to help me implement this by making a priority. Because if you don't have buy-in from upper management then you're never going to get it rolled out. Because if employees find out they don't have to do it they're not going to do it. So, my job a lot easier, rolling out and implementing it and then you know enforcing it.

Right. And then so on on focus training Tim I'm going to look to you on this. What. So, okay, I guess can you talk a little bit about what focus training means and and how an organization could think about that.
So I think Carlton touched on it a little bit with the kind of assessment and just kind of looking at KnowBe4 as an example but I'm sure other platforms have it as well. You can have like an entire company-wide assessment that you can send out and just get a feel for where your company is kind of better at and where you're maybe need some training on. And use those assessments as that you send out that each employee would take the kind of focus on the trainings that you want to kind of push out to people as a whole as a whole company. And then there's also trainings that you can push out that are kind of individual to based on people's roles. So if you have CEOs, you can have trainings that push out to CEOs and executive directors, as well as HR and financing. You can have certain trainings that might be geared towards them as well. And kind of the automation can tie into that as well because you can have automation towards the focus groups where you set up certain groups and then you have trainings that just get pushed out to those particular groups that kind of focus on as a whole on the position that they are in for the company.

So, anyone that's looking into different solutions, I would definitely ask about, you know, do they have focus training because I think that is important because it's, you know, it's not a one not to say it's not a one size fits all right but the there's some trainings that are better suited for specific staff. So, as an example, you know, I touched on earlier, you know, sending a fake invoice. Well, you know, there are trainings that, you know, sort of talk about the different ways that, you know, phishing tests, phishing attempts and other ways that they try to get, you know, target fiscal staff. So that that's going to help, you know, train, you know, targeted training focused on on your fiscal staff to be aware of that, you know, not to say that that wouldn't necessarily be helpful for other staff to do it as well.
Because maybe, you know, do you have other attorneys that are dealing with vouchers or, you know, reimbursements, but you know, having, you know, focus training I think, you know, really adds to, you know, the training sort of platform, and it and it's not just, you know, one training or the same training that's sort of taken across the board. I think that's, that's definitely important.

Carlton, can you talk a little bit about the the automation piece. When when we spoke you you brought that up as a way to sort of, you know, you've got a lot of other work to do right you want this to be a success you want this to happen. But using automation to help, you know, keep things running with with, you know, you know, somewhat minimal work, you know, helps you know to make sure things get done. I guess can you talk a little bit about how you've used automation to help with your program.

I've shown a little bit earlier to really have three people in our IT group, we've got 160 employees so we're all you know running around crazy all day just trying to put the fires out so I think automation is really important when you're trying to do something with this because it's impossible to keep up with, you know, is this person doing the training or they're not doing the training, those weekly emails just give me an insight into what's going on so it's a lot easier for me to look at and go. Oh, this is the second time I've gotten noticed on this person, they either didn't get the original email they deleted it or they just forgot about the training so even though they get emails from KnowBe4. Anyway, it's just it's easier for me to manage it if I have automation set up to where it automatically sends out emails and helps me enforce some of these training like remedial training.

No, I mean three three staff for for as many users as you have I mean anything that you could use to keep things going.
Without your involvement is definitely helpful and I'm sure there's a lot of organizations on this call that's in a similar boat right. How do I get this implemented and now, you know, I've got to do this every week every month, like, you know how am I supposed to do it but you've sort of touched on something that you know hopefully they'll think about right using the automation, you know spend a little bit of time to get that set up but then it's doing a lot of the work on its own so you know definitely something that's important when when looking at different solutions.

And the nice thing about KnowBe4 too is that they have really good sales people. I mean they'll contact me and say hey Carlton I noticed that this one training campaign you have it's about to expire do you want to. We have new trainings that are coming up for that you want to switch over the new training you want to let this one run out. What do you want to do with that so and they're there to help that you know I'll get on a call them they'll walk me through what it is that needs attention. It's like 15 minute call get it set up, fix whatever it is. You don't typically get that with most most companies now you have to call tech support and, you know, I need help with us and you're on hold for 30 minutes but these guys, they're really stand off of it.

Right, right. I'm going to throw the last couple your way, because they think to some degree they sort of all tie in right so the onboarding, you know the reinforcement and supervision. With, with having implemented, you know, any sort of tips there that you have to share, you know, on on the onboarding and you know I guess what I'm sort of thinking about is, you know, so that initial sort of process to get people on but then you also have to worry about the new staff starting after right before it was implemented and then you know with the reinforcement and supervision you know any tips on how you sort of, you know, keep that going.
As far as onboarding I think the buy-in from the managers is the key component, because you want to make sure that you have the cyber policies drafted and ready for staff when they're coming in. So you will be able to communicate to staff early on these are our cyber procedures. This is within place this is responsibilities that you have and with my experience working with a lot of legal service organizations, you know attorneys have a legal obligation and a professional responsibility to manage client data properly. So really emphasizing that component. Whenever you draft these policies making sure that they're present in your employees right and so you want to make sure it's really outlined for them if they have any questions they're able to talk to either executive team their manager HR.

Also, I suggest that folks draft incident response procedures. I like to put these in line with for anyone that lives in New York and had to really draft a COVID response plan is similar to that. You're really drafting a document that's going to provide your staff with guidance on what they should do or who they should be in contact with should there be any type of incident. Just planning out and identifying what cyber events could happen different scenarios and the appropriate responses. And in those guidance and tips you give them who's a response team what are the reporting requirements. Whenever they're initiating that initial response to that breach making sure that they're following those procedures and having a proper investigation. And also you want to make sure that you're talking to your tech team if it's internal external, whatever recovery and follow up procedures you need to follow. And then something that's really key for the management team is making sure that if that breach is leaking out extremely confidential information and you know it gets to the media or anything related to that. So that's the communication and public relations plan.
And for states that do have those data breach laws, just making sure that that notice requirement is met. So, if you have to reach out to certain state regulators so the AG sometimes you have to reach out to law enforcement depending on what type of cyber insurance you have for your company you have to actually reach out directly to your funders or to your company for it impacted by the issue. So just really reinforcing that and all of the procedures are presenting to folks. Also, as far as maintenance, you want to make sure that you're providing folks the equipment checkout forms is what I usually call them your drafting documents so you're able to track internally who has certain devices within your organization. So they understand that they have a responsibility to maintain their equipment a certain way. And also, you're able to conduct that analysis internally. Do we have device management procedures in place so if someone loses the device is your tech team able to easily just wipe that information off that device so just having those steps, and make sure it's communicated to all your staff across the board.

That's great, great information. So I appreciate you sharing that. Tim, I'm going to throw a couple of of your way. Any, so any tips on the phishing tests that you would, you know, sort of suggest I mean, I think this is part of making a success I mean you know we have, you know, limited space on on on the slide but I wanted to sort of touch on that I mean, what are some of the things that you think can make the phishing tests, you know, more beneficial to the organization.

Yeah, I think you can. I mean you have different options and it may vary through some platforms where I mean you can send a phishing test where it's from the same sender and it all goes out right at all at once.
And what typically happens there is, well, more often if people were in the office but still happens to teams and other chat systems where one person gets it and they start notifying the other person and it goes through the entire company that this phishing email came through. And it doesn't really do the same effect that it would if it was unique. So, a lot of times we recommend to send out a phishing campaign that is scattered between multiple senders and also has different body messages that in different categories, so that it's unique to the person that gets it, so that it will actually really test them on what they're looking for when emails come in and just kind of noticing that it's from someone that they've never contacted before. And also just kind of scattering it out. So I mentioned the sending it all at once, you could send it between like a three day period you could send it through a whole week period. You can also set the timeframe of like the proper day it could come at night to really a lot of these platforms have flexibility as to how you want to send it, and to really kind of get a gauge in a test that people will use will fall for the phishing.
Right. Yeah, it's really it's really good advice to when doing the test to scatter it out over time so it doesn't go out to all staff at once. And if you have the ability to send different emails out as well so not everyone's getting the same one helps get more out of those phishing the test attempts or tests, then you would if sending out to the same one. Another thing I wanted to add I think I touched on it a little bit. So the, you know, for the online training platforms, they do have, you know, there's a library of material. And, you know, some are just videos that you watch right there's nothing more to do than just watch it. 
They also have some that are interactive where you're watching and then you have to, you have to answer some questions or maybe you answer, you have to answer some first and then depending upon what you select, you know, it'll show you, you know, the video that's appropriate. So, you know, I think just watching a video, you know, all the time. If it doesn't go as far as one that's interactive so I, you know, definitely, you know, having a solution that could do that I think is helpful. I think you'll get more out of the platform as well. I'm going to keep track of time here so 3:47 so doing pretty good on time. Looking through some of the questions that I have. I'm on the panel so outside of what we've talked about to make this a success. Any, any other thoughts or suggestions that you think would be helpful for our audience to be aware of.
I think, I mean, one of the nice things about the training, you know, everybody's super busy. When you start the training, they can always come back later and finish it they won't have to watch the entire video again. So that's really helpful and you were talking about online training versus live training before I mean, even before COVID we had a really hard time getting people together for live training we have advocates and attorneys that travel the state all the time. So it's really hard to pin them down for training so I mean the online training was really that late option for us. It's worked out really well.
That's good and good advice. Anyone else just while we're sort of on that.
So the automation piece I mean a lot of these platforms will integrate with G Suite now Google Workspace or Office 365. So you can really integrate them users can be imported automatically as part of the automation as well as new people that are onboarded. So if you add it in, they'll automatically get assigned over to the platform and then assign the training that they're supposed to start with. 
So that just ties into the automation process of new people coming in, just less for you have to kind of remember to do it just confirming that they show up in the portal and then they're good to go.
Great. Yeah, that's, that's definitely good to know. I mean, again, it ties into what Carlton said earlier, you know you're busy doing a lot of other things, even though this is important. Does it mean that more time is going to be added to your day. So, you know, whatever you're able to do in an automated fashion to help, you know, to help the process, I think is going to be welcome. So, in terms of costs and implementation, the prices really do vary. I definitely suggest, you know, to look at more than one platform, I think, you know, the probably the most known and common is KnowBe4. And, you know, each one of these options have different packages. The cost depends on, you know, per user per year, based off of how many users you have so I try to put in the high end of the cost. Then say, or less, because a lot depends on how many users you have, and then also what package you select. I think, you know, if you, if you think back to this video, this webinar and you know, think about some of the things we touched on and making sure that, you know, the solution that you end up going with, whether it be one of these or, you know, another solution that you've been made aware of or told about. Yeah, I think you're in good hands if you're able to cover, check a lot of the boxes on, you know, sort of what we've picked about. I included NGO because, partly because at the beginning of the pandemic, they actually offered the legal nonprofit community free. I think it was like three months or six months worth of training. It was a limited access to their library, but they did offer it for free, which I thought was, you know, was great on their part and they have, you know, good content. 
If, you know, in terms of implementation costs, it really sort of depends on, so one is like the cost here is if you're, you know, outsourcing, you know, the implementation of it, if you've got internal IT staff, you know, like someone who are like Carlton where, you know, you're doing it in-house, you know, you don't have to necessarily worry about these costs, but the implementation costs really does vary because there are a lot of things that you could do. I mean, you could do a pretty basic setup, right? You know, pick a couple, you know, pick one or, you know, a few trainings, you know, get people, you know, accounts, you know, send out an email and say, hey, you know, these are the trainings that you've got to complete, but then when you get a little bit more into the automation where you're doing the phishing test and you have that going out and you have your solution integrated with Active Directory or Office 365, like Tim mentioned, you know, there's more work involved there. So the implementation cost really varies depending upon how much, you know, you want to sort of do up front. I think when possible, you know, think about the long-term solution and, you know, do as much as you can up front, so then it's less work down the road. But yeah, these are some solutions you could look into, but there are definitely a lot more out there. And again, the price, the pricing varies, you know, the one thing that's common is, you know, there's an annual per user cost that you're paying for.
Hey, Michael. I mean, I'd also ask whoever you go with to find out what is included. I mean, maybe the implementation is included in the cost you're paying.
Yeah, no, definitely. There are some solutions that, you know, will do some of the implementation. I mean, you'll end up being sort of involved in that because there are, you know, decisions that they can't make for you. You've got to, you know, you've got to sort of answer those for you. 
But yeah, definitely worth, you know, talking to them about implementation and seeing if that's something that, you know, they're willing to include or can do or, you know, if you've got to find someone. Because there are some solutions where they only sell to MSPs. So you'd have to get it through them. The ones I've listed on the previous slide. I mean, those you're able to, you know, to get directly or through an MSP, you know, if you like. So I forgot this next slide was coming. But yeah, in terms of when shopping around, I mean, you know, these are the, you know, these are some of the things to sort of look for, you know, the automation, you know, a good, you know, library of trainings to interact with options, you know, that they update their content, you know, annually, if not more frequently, you know, especially if there's a new sort of type of threat that you need, you know, to alert staff about, you know, the recording and monitoring options and, you know, also the phishing tests. So, you know, these are all options that, you know, you should really look at. Making sure that the solution that you go with has these. Okay, so we've talked a lot about, you know, the training on the why the different ways that you could get, you know, attacked. Why they sort of they do it, what you should look at for a solution, what are the different solutions, you know, include and do. So here we just, you know, with we've got a couple minutes, wanted to just touch on some other security related items that you should be thinking about that's, you know, not necessarily part of training, but that's either you know, going to be basically, you know, required to do either by funders or or by your insurance company, like Charnell mentioned earlier. And, you know, for those of you that are filling out, you know, the grant applications and the renewals. So we're seeing every year more and more there's more security related questions that are on there. 
And, you know, as I was mentioning to Carlton, before this call started, you know, that's, that's how it starts right first it's asking, Hey, are you doing this, you know, what are you doing for that. And, you know, as time goes on, those, those what are you doing becomes more, you know, more times than not required, right. And then it goes from if you're doing it to, you know, what are you using what are you using for MFA what's your VPN product. What are you using for email security. So, Carlton, you are actually today, congratulations. Have, you know, MFA installed. You want to just touch real quickly on what it does and why you've implemented it.
Yeah, so multi-factor authentication basically provides a second level of security when you're checking your email or accessing office.com. So you basically type in your username and password and then you have to have a second form of authentication whether it's a security token, or an app on your phone. And then you have access. We, my plan was to do MFA with just Office 365 in 2022. But I find out about a month ago from our cyber insurance provider that they are requiring MFA on. Anybody has an email address. We're accessing servers for web application so they basically gave us a 60 day reprieve to get all this setup so that's where I'm at right now got to the end of this month to get all of that in place I've got. Excuse me I've got 110 people set up with MFA right now I've got 50, yeah, 50 people to go so it's not been a fun.
I'll say to have only two months to do it and you're more than halfway through is pretty impressive so congrats to you that's very impressive. 
Thanks, and then you know that was another instance where I, you know, actually I didn't have to do anything director came to me and said, I know we got to do this so where we need for help you need for me let me know so she's been super supportive and actually all the employees have been supportive as well because they know the situation.
Great. Yeah, no that's great. So, VPN, you know virtual private network. So that basically secures your connection, you know from outside into your network. And that's just becoming, you know, basically standard practice. Because if you don't have that, you know, basically your server that because you're, you're allowing staff to connect, you know, to your resources network resources, and if you don't have that. So basically, you know they're considering that being open to the outside world. So, you know, that that's just, again, some another security item that's becoming more and more, you know, standard to practice to do. Tim, do you want to talk a little bit about and you know briefly, because we're at four o'clock email security.
There's definitely a decent amount of platforms, there's just even with KnowBe4 they have like a PhishER tool that basically when you submit a phishing email that or an email that you think is phishing it will report it and then can be analyzed and there's other platforms out there that are similar through Microsoft 365 that you can link through as well as Google Workspace. So oftentimes they'll have kind of machine learning and AI that's kind of reviewing your mailboxes and trying to pick out the bad ones. There's also on the user side. There's a Phish Alert phish reporting button. So you can report it. 
And those reporting options will work differently for the platform that you may try but they'll have options where it will actually display some details before submitting it kind of showing you know they want to look for possibilities of what they think is why it might be phishing or why it might not be, especially if it's a sender that's never sent you before. So there's definitely some great tools out there to filter the emails and help protect and none of them will be perfect, and which is also why the security training aspect is a huge to kind of go alongside that. But they definitely can help thin out some of the obvious ones.
So without sort of add to that is, you know, so email security goes beyond just, you know, your standard, you know, spam filter. It does more. So one sort of example depending upon the solution that you have. So let's say a phishing email is sent out right. It's, you know, someone's account has been compromised. And that account is being used to then mail, you know, email everybody that they have in their address book, plus any other emails that they add. So email sent out. Initially, you know it's just another email right it no one knows that it's you know it's a malicious email until it sort of gets flagged and you know one of the things that these email security platforms are able to do is, even though an email has bypassed. Once it's sort of flagged as a, you know, a malicious email. You could manually go through some of them could do it sort of automated. And what I mean by manual is, you know, you could do a search for that email so you know one user has received that email. And then you do a search through all of your organization's mailboxes, you could see exactly who's received it and then you could delete it from everyone's mailbox. There are some platforms that once you tag it as a malicious email. 
There's an automated process that it does it on its own right it just, it does a search for you it pulls that email out. Because that way, you know someone who hasn't read it, you know, they won't even have a chance to see that email and potentially, you know fall for that. So, you know that's a, you know, sort of a few reasons why email security, you know something that you should think about as well. Okay, so I'm going to, I'm going to stop sharing my screen. For a sec. There are some posts in the chat. I wanted to try to get to see. Let's see. Okay, so, so Eric, I see that what are the costs for the online training. There was a slide, you know that has, you know, that has some basic information on the cost. Again, you know it really depends on the package that you select, you know, just think of like the, you know, the bronze silver gold, you know, some of them include more training, some of them less some of them include more automation some of them include like what Tim mentioned, the PhishER solution so really, you know depends on the package that you pick but you know I gave that slide that kind of gives you an idea on the higher end, you know, I think, you know what those costs vary. Liza Rosa I see you, you, you posted that question as well about, you know, do you have some companies or for cybersecurity. So I hope that was helpful. So, you know, we want to open it up this is there anyone that you know you could either chat, or you know you could type it in the chat box is there any questions that we could, we could help answer for you. So, someone's asking, where, where would you rank advanced endpoint protection. So, so endpoint protection. Allison is, is a little bit different than what we've been talking about. 
So, we've been talking, you know, more focus on email, and you know what comes through with, you know, links and attachments and, you know, the training around that advanced endpoint protection. More focus on your machine itself so you know think of the antivirus that's installed on your computer. And, and how you know your computer is checked. I mean, you know, one of the more popular ones right now. You know, unfortunately, a lot of the top tier solutions aren't cheap is, is Check Point, because of all, you know, the databases that it use the engineers that they have on their end, you know, monitoring and you know keeping the database updated so when there's new, you know, types of threats. You know that, you know, it's searching for that. It can also do things where you know it's searching for suspicious activity that is, you know, potentially on your computer so you know, you know, think of ransomware and it starts, you know, encrypting your files and, you know, it's looking for things like that. I hope, Allison, I first when I read it I thought you might have meant advanced threat protection, which is that, you know, Office 365 email, you know, email security system and, you know, if you were discussing that. I think advanced threat protection is a good solution to have in place if, you know, if that's all that you could do. But if you, if you've got a little bit more of a budget, I would definitely look at some other options out there. But, but really good question. I hope, you know, one of those two answers answered that if not please chat. Thank you, Allison. Anyone else have any questions, you know, you can unmute yourself, you could put it in chat where we're here to help answer any questions that you have. All right, no seems like no questions, which is okay. No problem Allison again I hope, I hope one of those two answers helped you. 
I guess, so there are no questions, any additional questions any, any last minute thoughts from the panel. Carlton I'll just start with you first. As I see you first sorry.
Yeah, I would, I would start implementing things that come with your if you have Office 365. It comes with two-factor authentication so if you signed up with them after 2018 it's already enabled by default but if you sign up before then you just go and enable it you can enable it for all your users or just a small group of them. I would start there with the, you know, the things you can do right now without with no cost.
That's good. Good, good advice I mean, again, if, like you said if you have, you have it in place already. It doesn't, you know, unfortunately that only protects you for Office 365. You know, doesn't protect you, you know, remote access or, you know, other ways that you might have to log in, you know, doesn't for your case management system but for anyone using LegalServer LegalServer now has MFA, you know, built in. And also, you know, tie into certain multifactor authentication like Okta as well. So, you know, you're able to protect your case management system as well. Charnell, any, any last, last words of advice or wisdom from you.
I would definitely suggest that folks conduct a risk assessment. When you do those assessments that will help you plan and implement whatever cybersecurity program you're going to roll out. Also, if you do not have cybersecurity insurance, I suggest you look into that. If you are a firm, a legal service provider, a lot of the malpractice insurance folks will provide cyber coverage you just need to talk to them and see what type of plan coverage is that they have for you, but make sure you get the insurance coverage.
Great. And yeah, great. Actually, we should have added the insurance to our other things to think about as well. So I'm glad you brought that up. We should have added that to that slide. So thank you. 
Tim, any, any last words of advice for those that are with us.
Yeah, I mean, I think the just overall education on the end users and just in a way and I think the platforms do in a way that's not trying to shame people or make them feel like they don't know what they're doing. A lot of times it's beneficial where you can actually just learn and have an understanding that you're working with your company to help protect it better while and learning at the same time, which is great. And I think just kind of echoing the MFA I mean, they have platforms like Duo and Okta that can really tie into multiple platforms all into one MFA. But like Carlton was saying, I mean, if you wanted to push forward with something right away and you have G Suite or Google Workspace or you have Office 365, there's a lot of MFA that you can just deploy right away. And kind of with the MFA, I would just encourage making sure you have decent password policies in place to make sure that there's no easily guessable passwords as well.
Great, great. Okay, I'm just making sure I didn't miss any questions. So, Liza, I actually Liza Rosa, I see your question now sort of full for some reason it wasn't showing completely. You asked, you know, do you have some companies or cybersecurity consultants you could recommend for nonprofits. So, with so Tim and I work for Just Tech we do a lot of work with nonprofits, but I don't know this isn't a sales call so what, what I would do so LSN TAP is a great resource for posting, you know these kind of great questions and you've got people like Carlton. You mentioned at the beginning of the call you've got, you know, people from the community that are very active on those on LSN TAP listserv. So, Liza, that would be a great question to post within LSN TAP, because you're going to get a lot of different responses from people. So, you know, I think you know that would be a good, a good place to go to, you know, for the question that you have. 
All right, well, we have utilized all but one minute of the time. I really want to thank Charnell and Carlton for joining us on this panel. Definitely appreciate all the work that you do within the community. Appreciate, you know, you're bringing your knowledge and expertise here and sharing that. I think that's, that's how we work together. Right. I hope that we've, you know, spoke about answered questions that help people take those next steps to what they, you know, should be thinking about or thinking about doing and hopefully we've made that a little bit easier for them to do and be able to take the next steps so thank you everyone for joining I really hope this was helpful. On this, on this, you know, there's, there's a lot more LSN TAP trainings, you know, that are, you know, coming up so, you know, please look at the website for upcoming events and I hope everyone enjoys the rest of the day. Thank you everybody.