 Good afternoon and thank you for joining us for Best Security Practices for Advocates Working Remotely. Today we will hear from Jasmine Amour, Satish Nori and Scott Ellis. We will start off with a fact pattern that highlights key security issues. Then we will discuss the best practices for advocates and we will wrap up with some tips for you to take with you. You are working on an important case with a pro bono attorney at a private law firm. There is suddenly an emergency that requires documents to be filed urgently. You need to get confident client information, share it with a pro bono attorney, and work to meet the deadline. This is unfolded while at the airport as you head to your cousin's wedding. You think, I've got time, six hour plane ride, I'll get it done in no time. On your personal MacBook, you log into the airport's public Wi-Fi, connect to the firm's remote terminal server, and email documents you need to your private email address to work on them from your Mac. You also text your client from your cell about documentation you need from your client. In-flight, you conduct to the free in-flight airplane wireless network, log into your 365 web mail to review the document from the pro bono attorney and save it to your laptop as well. You remote back into the terminal server and email yourself more files. You use your laptop email to save the email attachments to your laptop. Air drop client images and documents to your laptop that were sent by text MMS to your personal phone, and your client's emails more documents to your personal email. You've made it through the six hour flight into the hotel. As you unpack, your laptop flies out of your bag and onto the floor. It won't turn on. Fortunately, your Mac syncs your documents to your Apple iCloud account. You run to the hotel's business center, open your iCloud account, download your documents, copy everything onto your handy USB key, and email everything to the pro bono attorney for filing. You get some rest the next morning while getting ready you look for but can't find your USB key. You realize your USB key isn't encrypted and has client data on it. Enjoy the wedding. You can't really blame the attorney in this position, although unfortunately they took some shortcuts here and I think that's what we're going to get into as some of the red flags and like I would just say about taking those shortcuts is like we're all trying to get you know these our jobs done we care deeply about what we're doing and unfortunately like sometimes especially when you're out and about and in public in these public places you need to take an extra moment to think about what what extra steps I might need to take to protect my client data and I think you know we're going to get into some of these red flags next. So yeah the next question I guess is what what stood out what were a few a handful of things that you know just made you cringe in this box pattern? Well I I'll go really quick first that I um I would say like the one thing that you know is that this obviously it's the attorney felt like it was necessary to email documents to themselves to their personal gmail account which is a big red flag obviously um but I I also see in this that they remoted into their terminal server at work to their remote desktop at work and like presumably we're not able to do the work that they needed in that um using that system that their work had provided to them so this is I mean I think this is a scenario where like we need to look at like what the you know attorney could do better which is like not use your personal account hopefully and also you know maybe the employer needs to look at modernizing their system to using something like using a file like a cloud-based file sharing so that attorneys can get access to their files um this is something that you know we have really like pushed forward and just even in the last three years is like we've recently moved everything on premises into a share point and I'm and I don't want to be a salesperson I want to start out saying I'm not trying to be a salesperson for any platform or anything I'm just mentioned some of the things that we do and I hope in your your comments you maybe mentioned some of the things that you're doing as well and some of the tools that you're doing but we found um a share point to be great um for having a platform to share files with opposing counsel so we're not like we can maintain uh we don't have to be emailing back and forth all the time there's like we can be working on our files and and they can be working on the same files and they can have access to the same systems we do and I'll get into we're going to get that into that later but that was like one of the big things is like you know for me that stood out is like that um the personal device but the not so much the personal device but the personal account use was a big thing. Satish has a caseworker and supervisor what is your perspective about all of this and and how realistic is this fact pattern? I would say that this is very very realistic and not just because I helped come up with it but um this is something that happens for example I'm using my personal iphone for work right now and that's probably um that's not in fact what my organization recommends I'm supposed to carry a second work iphone um and I'm sure many people who are watching this right now may already have two phones and you know what a hassle that is to have to charge two devices to have to carry two devices have to check two devices all the time um that's something that I think many people deal with they face the second thing is many of us prefer to use a Mac for example and at work they make us use PCs and when we get home we open up our Macs or many new lawyers for example had Macs in law school and they continue to use them um whenever I visit a law school I'm struck by how prevalent Macs are um in contrast to their prevalence in real legal environments where no Macs are used more or less right and so many new attorneys are probably using their Macs um when they start their new jobs and they continue to use them at home maybe there are organizations where you don't get a device um budgets are tight and you're not going to get an iphone or a computer a laptop or a tablet to use at home so you have to get your own um and then um as we work remotely during the pandemic I mean how many people were given hotspots by their nonprofit organizations not many so how are you supposed to conduct work when you're sitting home because of the pandemic and it's not safe to go in um you're using your personal wi-fi or you're at Starbucks or you're at the um bus station because you're traveling somewhere or you're at the airport so I think these are things that are very very realistic and then I think the other part about this fact pattern that's really critical is we're all working with emergency issues and we don't have time to think about what could happen because as legal professionals we're worried about the legal outcome someone could get deported or evicted will not have a benefit that allows them to put food on the table or pay for necessities or pay for medicine and so if we don't get things done quickly then good things will not happen and bad things could happen to our clients so I think all of these things are things that we deal with every single day and I as I said at the top if we're going to work from home we're going to see it more and more and more yeah and I would reiterate and we we see I mean at least half of the students coming out of law school with max and they you know they want to use them and and many of them you know are very great you know of learning are very proficient um with their device and just like the flexibility of just having one device and so trying to set up a system that allows them to do that has been really I has really helped us a lot and we got it started before the pandemic but we actually like invested in Microsoft's Intune mobile device management and what that has allowed us to do is actually enroll these devices in our Active Directory and set some minimum security conditions on them so we before they can access our SharePoint sites so we're actually like know where that data is we have some oversight of that data and we know that they're like they have some minimum security standards like they have to have a pin on their device and they have to have a password so these are the kinds of things it was like realizing we're moving into a period where more and more people are going to want to be using their personal devices and it being hard right now to even get laptops like for for people it's you know it's I think it's important as we are IT professionals is to realize this and that's something like I was saying this fact pattern is employer you know it needs to catch up with the times and get on the cloud and maybe overcome some trepidation there might be to being on the cloud because there can be like in this particular instance like losing the USB you know divide thumb drive being the major incident you know is obviously something that could have happened way before we had the cloud so yeah I would say so in the event my I know not everyone agrees personal devices should be in the mix but I think like this is a reality that even if our even if our staff is using a device like our students that are volunteering for us are going to be using personal devices probably and wanting to be using personal devices certainly outside council we can't control what devices they're using volunteers other organizations that want that we want to collaborate with like we need a platform that can work with everything and like that is like what we need to look to and look to for security models that can can hold can carry that the teacher do you have any concerns around the communication with some MMS texts so picture messages and some of the document sharing details that we added to our fact pattern you know that's a great question something that's really helped us is allowing our clients to text us things or to send us photographs for example if we're working on housing cases and we want to show the judge the picture of the leak or the mold or the rat it's great that our client can just open up their device and text it to us sometimes on our personal device and so it's been really effective in getting information from our clients and then communicating that information and it's helped us win cases and really present claims in a clear way it's also helped in getting documents like leases and rent receipts social security statements letters notices from immigration people had to bring it to us in the past or they had to mail it to us and we'd have to wait for it to arrive or they'd have to go to a bodega and fax it to us and sometimes they're charged like a dollar a page to do that I know many of you have probably dealt with this kind of thing now they can just open up their phones and just text it to us so the benefits are so tremendous the questions become well like who else can get access to this type of information if it's being texted and what happens if all this data that's on your personal device what happens if you lose your phone what happens if you leave it somewhere what happens if someone steals your bag and it has your laptop or your phone and all these text messages from your client it has their documents it has their social security number maybe so I think the analogy that I would use is it's like now we have these shiny bicycles and there are bike lanes everywhere and we can ride them anywhere we want and get there quickly and cheaply but we got to wear helmets and it's not because we are not good at riding bikes because we've been riding bikes since we were kids it's because there are bad actors out there who are trying to crash into us who are trying to throw us off our bikes and take our information and and hurt us and hurt our clients and so that's the thing that's really been challenging for me to understand and I think many of you may be in that boat too it's like well I know what I'm doing I text everyone all the time nothing bad ever happens to me I text my mom and my sister and my friends and my kids so what's the difference here and I think the difference is what we want to stress to you it's that we have an obligation to our clients and the risk is that something terrible could happen to our clients and we'll talk about that and I think Scott is is an expert on some of these things so I'm really glad that he's part of our group here oh thank you thank you I'm thank you all for having me and thank you Satish um for your comments for sure um yeah I I think you know in this situation I I mean this is a perfect example I think of what we're where you have to there's a balance like because when I think you know as an IT person I'm looking at what is better but I rather have my client you know my staff emailing the client with or texting I would be like well email like encrypted email so then we're like then we can pull that back if someone loses you know gets their email hacked or we can we just have a lot more control over this but then there are certain barriers that adds to the experience and like may not make us able to do this effective and advocacy as we need to or act as quickly as we need to so you know we need to be I think it's like imperative that advocates are telling us like what they need and like these are the this is what I want to be able to do talk to you know talk to us and help us come up with solutions I one thing we are you know in the process of doing we we had SMS built into our case management system previously but we're moving to a new case management system and we do want to incorporate MMS into that to for communication with our clients and so this would be I think you know is a hopefully will be a solution to some of these things in terms of like governance I mean it's still not going to be encrypted however it'll you know at least it'll not be on your phone you know sitting like if you lose your phone or you dump it in the water or whatever so again like I don't think there's a they don't think there's perfect solutions here I don't think like we're not trying to give you a list of things that you should do it's more of like just to kind of get the get things going get some thoughts going and Scott can you talk a little bit about encryption and what that entails and it's a word we all use but what does it really mean and how do we go about it and what and if you do have some tools that you might think are helpful for the legal community of course respecting the governance and the guidelines established by individuals organizations it policies because you should always follow those first but can you give us some more insight around how we should handle encryption if we did need to share documentation with clients well in the latin I would say in the last six months it's become much more of a pressing issue because of lay advocates in our organization who told us like we really need an email encryption like we're handling you know some of them you know health information immigration like very sensitive immigration information and we we absolutely need this and and I you know frankly I was like really like there's not a way around this and the more I looked into it the more I saw the advantages with email encryption which which we use like we have gmail and g-suite and we're using virtue which is really integrates with and makes it a little bit easier for staff to use but I'm been hearing some complaints about other outside counsel who don't like the way it works and don't like the extra you know bit to it but what it does allow us to do and we've actually had this situation happen where one of our another organization our state had a manager had an email hack her email hacked and was used for phishing and was and sending out to like like many people in our organization around the state and we I was able to go in and and any email that she was on that had an encrypted message which there was only there were only a few at that point but I was able to disable her access to that so it's like I don't think we think about I mean it's something that really became clear to me is like hey with encryption it's like that email is gone but I can still lock it down after it's gone I can remove access to that email and those attachments and everything even after it's out the door so I think that's really cool and I see that as really the future of this kind of zero trust model of security that we're moving to I'm I I see also like and I've been investigating encryption in office 365 and in SharePoint and they with sensitivity labels and Microsoft is really heavily like investing in this as a future security model where we can encrypt not only were like office 365 documents but PDFs using like azures like encryption information protection and we can set limits on how long someone can you know have a document offline so we can say like every three days they need to log in and confirm their access to that file so it's like if they if so in this fact pattern I think like we're looking at like even if this attorney is using an unencrypted thumb drive which you know hopefully it or not but of course like people you know don't take the time to lock down their thumb drives I don't do it on honestly like it's not something I think about doing and I we don't not dealing with client data as much but I you know but if we had those encrypt if the if the files that we had on though there were encrypted files that they had downloaded from our SharePoint site we wouldn't have to worry about it because like anyone who got a hold of those files would not be able to authenticate in and get access to what was in there so I yeah that's great we have a question in the chat oh what about using password protected documents via email this is something that maybe we've seen so we work with a partner organization and they use encryption for every single email that they send and each recipient has to log in and create a password and of course I can never remember my password so I get these emails and they're always marked urgent and then I have to click forget password and get the new password email to me and then I log in again and then my phone rings and then I forget what I was doing and I have to go through that all again and then I get into the email and it says thanks like it's a response to a long thread and that's all it was and so I think that there is a sense that sometimes this can feel like overkill like we are just slowing down and some of this stuff isn't necessary and we need to find that balance where what is safe enough and what are the threats and I think Scott can attest to this but the threats are constantly evolving and that's one of the problems is they're getting better and better at breaking into our systems and they're phishing and phishing means that they're like looking for private information and they're looking for people to basically just give it up or allow access into a network or a system and I think sending documents that are password protected is a great way to do that. Does every single email have to require a password to be read? Probably not but I think you got to ask yourself in every situation in which you're transmitting something over online what's the worst thing that could happen here and I think what we're hearing about in many contexts is the worst thing that can happen is really really bad. Yesterday Facebook went down for six hours and if they're vulnerable with like billions of dollars in network security then everyone is vulnerable and so we've got to be looking at this in a new way. It's kind of like when people first started wearing seatbelts it seemed like such a hassle like nothing's going to happen. I've driven this road like every day to work and then it just becomes habit right? Now you can't get into a car without putting on your seatbelt and that's the kind of thing that we need to look for here. Solutions that become second nature and result in a much safer and more secure work environment. That's great advice. Thank you so much Satish and I guess I'll move on here. Are there any tips and aside from what we have on the screen now, things that we should follow, establish protocols, talking to our IT department and any tools that you guys may have in your toolkit that could be useful for the legal community? I was thinking about this and I do think that I would say for tips for IT folks out there if there are on this call is like education. It's amazing to me how much opportunities for free and low-cost education there are now and I think that that like I mean and I haven't investigated as much but for staff as well if you're interested in these things they're you know avail yourself of that. I think that the more you understand it the better you're going to say for you're going to be for yourself and for your clients. I mean I'm sorry I just one last thing sorry on the I just wanted to suggest too like you know I think we hit it before but talking to your IT staff don't just go out and like do your thing and wait to be like wait for somebody to tell you you shouldn't do it and like this is not this is not the place to be doing that I'm sorry like there's a lot at stake for the you know our clients like there I mean a data breach could cause someone the could cause them to lose their job lose public housing protracted litigation you know to be outed publicly about their you know gender sexuality like there's innumerable of bad outcomes that our clients could suffer because you decide that you can do it faster and better and so please work with your IT department. Yes and we have in the chat what tools do you have in your toolkit for the less than techy folks who work in organizations without an IT person? Well we have a very large IT department because we are like a 1500 person organization in New York City but it never seems like we have enough people and people are always complaining about the lack of IT support so at a basic level we use all of the Microsoft tools and we use SharePoint and Office 365 and all of that happened right before the pandemic or maybe during the pandemic I can't remember anymore. We also have multi-factor authentication that they just rolled out like last week for our email on personal devices so what does that mean that means if you want to check your work email on your phone you have to confirm your identity in more than one way so you could get a text message you can get a code through an app you can get an email to another account that's also yours and I think this is a really simple way to make sure you confirm your identity and that no one else can break into your accounts. In terms of like if you don't have an IT department I think that could be a real liability for your organization if you're dealing with confidential information and clients so maybe you've got to figure out within your organization and maybe within the board or hire a consultant and figure out like do an assessment of your security risks groups like JustTech do this work I'm quite sure and there are others so you would really want to make sure that you're not just a sitting duck for some kind of breach and then tools that I learned about in talking with this team and I actually downloaded a VPN platform yesterday because I learned about the importance of having something that protects your access to public Wi-Fi and your own kind of internet provider from looking at what you're doing and what data you're sending and so a VPN kind of creates like a tunnel through which you can access the internet and protects you from all the threats that might exist so maybe your office already has an account for a VPN service and you just need the credentials maybe you already have hotspots that can be deployed and they're just sitting in a drawer somewhere and nobody knows about it and you just have to ask maybe there are devices that you can get that would allow you to do your work from home and you just need to talk to somebody and figure that out so I think the first thing is find out what's already available and find out how you should be working like Scott said don't wait until there's a breach because that's going to be really bad it could be bad for your clients and then figure out like what tools and what what gaps you may have and try to fill those gaps as efficiently as you can have another question in the chat um one tip we got from a state entity was not to respond to emergency emails by forwarding requested information ASAP but to confirm with an actual person by phone or virtually what do you guys think about that yeah I I didn't I don't see that one on my chat that's interesting but um oh it might have been a direct to me oh okay yeah I I no I've had this scenario actually where like one I responded by chat like Google chat to one of my colleagues who told me he was overseas and he needed me to send him some money urgently and so IG chatted him because I got an email and then he was like yes I'm really it's really me and I'm here you know and then I was like wait a minute let me actually send him a text and he was like no no you know so yeah I mean I tell actually in our trainings we tell staff is like if you know the person if you got a sketchy email from someone that you know pick up the phone and call them call their landline like talk to them on the phone yeah I mean yeah because I mean if they hack the accounts there's like innumerable different ways that they could try to scam you that's right and I think it really goes to some of these phishing emails that we see more and more of and a lot of small organizations almost saw that they were a small fish and that they would never be targeted with this kind of you know attacks and the reality is is that more and more our staff we are personally under attack right and and so I one advice that I can give and it's the way that I try to carry on when I do see suspicious emails is really just looking for misspellings looking for you know certain little cues within the actual email itself that make you suspicious about whether or not the person who you are accustomed to communicating with probably wouldn't communicate that way another tip is definitely not forwarding that email right you can actually you know put someone else at risk what we would tell staff at my former position was take a screenshot of it once you take a screenshot of it that's a different story is no longer a risk if you are questioning it it's probably best to just throw it out put it in the trash and do not open any attachments because this is how your information can become vulnerable there is another question in the chat do you have any security suggestions for organizations that use volunteers who do not have work associated emails can we require volunteers to use certain software etc should we oh I get I we actually have that this exact thing that we're doing a lot especially during because of the eviction work that we our organization had done and during the moratorium and and rental assistance a lot of organizations that we like our partner organizations in the community are very small and not necessarily like using a lot of personal emails and things and so we actually with SharePoint we were able to set up externally facing SharePoint sites that are walled off from our main client sites that they can log into with their personal email and but it also requires multi-factor authentication on their part so it we did have that minimum security requirement but like we knew there was no way we could force them to enroll their devices and go through all this and that would just be like slow things down way too much and we did get some pushback about that but then once people started using SharePoint online I mean that was the other thing is like some of them didn't have word on their devices but with with Office 365 online in the cloud it's just totally free you you can edit files there I mean the same thing with I think you know Google Gmail would work as well but unfortunately you know in Google Drive but unfortunately in that situation you have to have a Gmail account so there may be other options but that has really been a game changer for us to me I think that's a really good example of creating low barriers we don't want to discourage volunteers from joining us and helping us help clients and if we set up but you know something that's too onerous and too strict and too invasive we risk turning volunteers off and making it difficult for people to be engaged with the organization but at the same time we have to convince volunteers that this is important why are we doing this and I think there is a dearth of information from IT departments to the frontline staff about the why why is this important and I think some of us just think they're doing it because this is what they think but they don't know what it's like for us on the front lines or they're doing this because they like such and such company and they want our organization to buy their product or they're doing this because whatever right and I think we need our IT folks and others to talk and that's why we're having this event it's like we need to all talk and say why is this important what are the risks and what's the lowest kind of friction way to achieve all our goals right a related question on the chat should we require volunteers to use multi-factor authentication for logging into case management software we already spent lots of admin time resetting legal server passwords well I think so yeah I think multi-factor authentication absolutely if they're touching confidential information like I don't think that's you know I think they should I mean but I'm also a supporter of like self-service email or or password changing you know so like people should be able to forget their password set their own password encourage people to use password managers and rotate their passwords and and require multi-factor authentication absolutely I have another question here we have a single sign-on system with our case management software and email behind that wall with multi-factor authentication do you have concerns about using public Wi-Fi such as a hotel with that setup I mean I think there is I don't think that I think it was in the past vpns were like more essential because the traffic before we had encrypted traffic like SSL encryption for most websites almost all websites now that we interact with so the traffic is encrypted but I mean that said like if you're just doing your own thing and you're like browsing websites I think that's fine but if you're dealing with client data here it's as important you and the vpns are not hard to use so I think do it you know like it should be even though you're using single sign-on I mean there it actually is a known there is a known risk to even in that scenario to using a public Wi-Fi that's great thank you both if there are more questions please drop them in the chat do you guys have any additional advice around this topic um I know Scott touched on this very briefly but we have on the screen avoid shadow it what does that mean so yeah this is a term I learned recently in the last couple of years but um basically the shadow it is like when when you like in this scenario in our fact pattern you're saving files to your gmail your your like google drive maybe you set up your own dropbox with another organization where you're going to share files like with opposing you know or or not like a pro bono attorney or whatever it's like basically anything you're not telling your IT department about but where you're like doing work organizational work so that's kind of the idea behind shadow ID it's like we ideally and it kind of it goes along with this idea of like information governance like we want to know where our information is and we want to be able to and when if we know where it is then we have a better chance to be able to control it know when it's being accessed getting it back if there's a data breach just you know investigating problems with if you you know you might have the created the best system for yourself but if it's like one that your IT department doesn't know about and can't access and has no governance over then that's going it very likely is going to not end well unfortunately okay so we've talked a lot about risk we've talked a lot about tips and what we can do what what's this overlining i'm a little stressed out i feel like i don't have control over you know my tech setup i was confident before and now i'm questioning am i doing it the right way is there a silver lining behind this conversation i think and then scott obviously you can weigh in on this too if we do this right we open up the door to a new way of working we don't need to go to offices and sit at our desks and stare at a you know beige box all day long um we can work from anywhere we can really be free we can work like flexible hours we can take emails from like soccer practice or waiting for the dentist or you know at a guitar lesson or whatever you want to do like this can really open up you know a universe of possibilities for the way we work but on the other hand this could really backfire if we see like a series of breaches um somebody's in trouble um if we see a series of breaches then you know these freedoms that we've been accustomed to during the pandemic are going to be taken away like we are going to build a case against this new model of working and so if we all participate now we can build a safe way to work and really benefit from it in the future yeah absolutely i i agree and i i mean i think there's a lot of trepidation in our organization about the use of personal devices and i i think that some of that has gone away and some of it but you know certain we've had a couple of bad incidents with it too so it's like that's that's the other thing about being when you're using your personal device for work like be be you know conscientious about it don't try to be like downloading torrent movies and you know like you know don't just you know try to think about like what what could go wrong like okay you know what malicious software might accidentally get installed on my you know while i'm you know checking out you know whatever like application i think it looks good or whatever like and if i've got client if i've got access to client data on my computer if i've got like it in one drive and it's opened up and i accidentally share that what if you accidentally share that on a peer-to-peer network you know and you're connected to literally like your organization's SharePoint site i mean it's frightening like some of these things that's like that could go wrong so you know we all have a part to play in making for sure we can get to this future and and you know so and i and and it it's there's no there's just no easy answers so hope i'm not leaving you all this doesn't sound like a silver lining i'm sorry i'm but i think the silver lining is like yeah i think we can get to this place but like we it's still in process like we you know i think big encryption is a big going to be a big part of this where we can even if even if bad actors got these files like they couldn't do anything with them because they can't log in and they can't authenticate and encrypt and see that see them so like i i mean but this is going to take a lot more development of the technology microsoft is still working on it it's still buggy you know there's still got a lot of stuff in preview so it's like we're we're getting there you know but it's it's gonna still take a few more years have one well it looks like two questions that i'm going to try to address very quickly as we come up on the hour so what alternatives to having a text sent to your personal say uh cell phone for two-factor authentication can be used when the company does not provide phones or they're not available i mean i i'm thinking just for myself a couple of i want to say one or two years back i started to switch even my personal devices on to authenticator apps instead of receiving a text message to alter to authenticate myself i think it's so scary a couple of months ago t-mobile got hacked you know some of our clients might have gotten hacked and their information might be up there and up in the car um and now you know the fear is some people can take control of even our cell phone accounts and call and and act as if they are us with the information that they have obtained and get access to some of those codes that are sent to our phones and so i think that as scott and satish have mentioned we have to continue to read about educate ourselves around security and what are the the best steps i think authenticator apps could be something that you can talk to your it department about and whether that is suggestion or an alternative to getting text messages uh scott satish do you have anything to add with regard to that no i mean i i don't think there is anything else i would add other than um echoing that you know this is a new frontier and we have to be thinking about this stuff more than ever and it's going to really pave the road ahead and allow us to do a lot more allow us to help a lot more people i mean fundamentally we are here because we want to serve people um and help them with their legal needs and we're going to be able to do more of that if we do this all in the right way so you have any written best practices or models for a clean desk policy for remote workers that you can share or maybe quick tips maybe that that'll be a to-do for a toolkit i mean i we just finished just gonna say really quick quick plug at the end of the security series um what should be at the end of this year in december we will be um combining all of these recordings and um excuse me compiling best practices um like the one that was just asked for um so just stay tuned for that in the toolkit that'll be coming out um at the end of the year thank you leticia that's perfect and uh i have one more comment we recently implemented multi-factor authentication for some staff um they were using personal phones um so they're offering a phob device um that can be synced with specific user accounts do you all have any thoughts about that setup so yeah i mean i think that probably what you're talking about like is a ubt which is like usb security device which is basically like stores kind of like a long very very long unhackable password on the on the hardware device so you just you can use that as a means of multi-factor authentication and it is actually considered the most secure way to um use multi-factor in fact because it's not it doesn't come over any cell network it's like something you carry around and you hold in your hand and so and we because we use g-suite that we i've locked my account down they require two hardware keys in case you lose one to to enter into their uh i forget what they call but they're super security like unhackable account status or whatever so they it is a it's a great idea i also i wanted to say before about like i think using phone apps is like the way to go i mean if you've listened to any like no before no before we which we don't use but i listen to their your uh webinars all the time about you know is like you can you know unfortunately people's multi-factor is hacked like regularly through sms it's like it's becoming more as it becomes more and more common for people to be on multi-factor they're going to go after it with sms and so if you're using you know apps or ub keys you're going to be much safer thank you scott let's see i think i um says what we are using is different than a usb device it is a safe id oath compliant hardware token device yeah it sounds i mean it sounds like a similar you know uh type of yeah device yes thank you all for all the great questions and comments um we asked you all to participate in our poll and i'm so curious to see what we have all answered i did participate myself let me try do you think you can give us uh the results of our poll number one can you see them yeah okay yes thank you so much so to use a personal device for any work purposes and i think most of us do sometimes right we're all being honest here um we do have 28 percent that never uses a personal device and that's super commendable i applaud you all and 26 that use a personal device all the time so i think it's it's just very clear to us that use it sometimes or use personal device all the times to really consider best practices while using personal devices have you ever used a personal account for work purposes uh 69 say no and 31 say yes our next question do you ever use public wi-fi when working 78 percent of uh of our audience said no and only 22 percent said yes so you follow your organization's policy to securely share sensitive confidential information with clients and i think there's a winner here 76 uh percent said yes my organization does not have a sharing policy um or i do not know my organization share uh sharing policy so we had a few that fall into that population as well so for those that do not know of the data sharing on policy please go back to your organization to have those conversations with it they are the key members to you know give you insight on best practices um our last question when was the last time you attended a cyber security training and it looks like 60 percent have attended uh cyber security training within the last three to six months i think that's awesome um and definitely our recommendation uh here uh over a year ago at i don't know scott satisha if you have you know best practices i'd like to keep on the up and up with my cyber security personally but um i think the usual is once a year but more is never bad so it seems like we've been preaching to the choir today because many of the attendees here um the majority have been engaging in very very good practices um it's the challenge of of you know all of us to convey this to everyone else who didn't attend today um and probably it's a self-selected group right um the average person who works within our organizations isn't going to be necessarily interested in attending this but those of us who already know about it and are and are aware of its importance are here obviously so we need to spread this information and the urgency of this issue um throughout our organizations great and scott any last words before and if anyone else has any questions please please please share through chat um any last words around this topic uh no no thank you all for you know um listening to to us and like you know i you it sounds like you're our ambassadors and like in arming you with this you know these thoughts i hope you know of how we can you know move move better you know move better in the world and do our work and live our personal lives and get it done you know because i mean we got a lot of work to do i think we all know that definitely well thank you scott and satish for all of your amazing advice and tips and for taking the time to speak to us um and for all of our uh attendees thank you for attending uh best security practices for advocates working remotely i want to remind you to join us lsn tab uh october 19 there is a 3 p.m. session on security assessments for legal aid you can register at www.lsntab.org forward slash thanks you again you guys have a great day thank you