 So, Square is a company that focuses on supporting the technology of nonprofits, and in particular, we focus on building CRMs, constituent relationship management systems for nonprofits. The technology that we use happens to be a technology that's available, but as Eli did a great job explaining, there's so many technologies out there available to you, and our job here is to help you navigate what technology is right for you, what you can get through TechSoup and the relationship, maybe where there's some licensing waiving happening there that might help you out, but we're here to help you and support you. And we in, I think it was September or October partnered with TechSoup to be the North Texas community organizers of TechSoup and the NetSquared events and Tech for Good. So we are here to help organize this community. If any of you, particularly those of you in the North Texas area know of other resources that want to do educational programming, please reach out to us, let us know. We'd love to get as many people in this conversation as possible. And for today's event, we've got Peter Petrick, who is the founder and CEO of Square and Adam Schaffers, who is our lead DevOps system admin person who is going to be sharing with you some of our learnings about cybersecurity, and in particular, how they relate to nonprofits and specific issues that nonprofits have faced in that area. So I will be quiet now and leave it to the experts on cybersecurity, because that's why we're here. Thank you, Adrian, and welcome again, everybody. As Adrian mentioned, my name is Peter Petrick, the founder of Square. We've been in, really, North Texas. This is where the home base is, we've been here since 19, actually 2008, sorry, I was trying to count the decades plus since 2008 and supported a lot of local nonprofits, as well as nonprofits and other organizations, NGOs across the U.S. 
And as Adrian has mentioned, while we do have a preferred set of tools, a lot of our involvement is in the open source community in particular. Today's conversation applies regardless of whichever tool you use, or specifically, it's not specific to, you know, a particular industry or particular efforts that you're making with your organization. So with that, Adam, as Adrian said, is our lead, sysadmin slash DevOps person, and for those of you that don't know what DevOps stands for, is developer operations kind of, it's being shortened in the community and in the industry. But basically, think of a person that's truly kind of behind the curtains of making the websites work, making the servers secure, making sure that everything, basically, everything you need to talk to somebody at Adam's level is usually not a good thing. These are the people that are behind the curtain, and you hope you never have to talk to them because if you do, that generally means there is a problem, they're the people, it's kind of like insurance, you never know you need it until you really need it, right? So we spent a lot of time going through and making sure we adapt this presentation to be specific to the audience and to the level of knowledge we're not going to be getting into some deep, dark secrets of servers or the internet. So Adam, with that, I'm going to hand it over to you to kick us off. All right. Thank you, Peter. Hi, everybody. Yeah. I'm glad to be here, and I work for Square.com remotely, and it's my favorite job I've ever had. There's a lot of technical stuff, but like Peter said, this talk is for everybody, and there's a lot of things that we can do to protect ourselves, to protect our organizations, and I just want to go over all of that, and so basically starting out, but first of all, this is being recorded, but also feel free to chime in if you have any questions along the way. 
If I say anything that's unclear, I would feel a lot more comfortable, I think, if we're all interacting together in this. Otherwise, I have a bunch of slides and a bunch of content, and I'll just keep going through. So the first point I think that I want to kind of make is that this is about all of us, and we lock the doors on our houses of our homes for security, and we close the curtains on our windows, that's privacy, with our lives being online more and more, especially with COVID and everything. How do we do that digitally is the question, and then also maybe what's required of us, of the law, the legal aspects, I'll get into that a little bit. We can go ahead and go to the next slide, Peter. The point of this slide statistics basically is that it's a big deal. It's $3.5 billion lost to cyber crime, but what does that mean for us? Is this just, is that what happens to big corporations like Walmart or Amazon or something, or can this happen to a non-profit? How can this affect us? The answer is, I think, yeah, it affects all of us, and our organizations are on the line, too. So the next slide, Peter, please. Thank you. So to define our terms, digital privacy, what are we talking about is the first thing. Does anyone want to say or have any ideas? Okay, so privacy is our personal information, basically. We're talking about email addresses, phone numbers, social security numbers, credit cards, bank accounts, first, last names, physical addresses, et cetera, data or personal information, and we want to keep this safe. Next slide, please. So security, so for example, with security, if my laptop gets stolen, that's a real threat scenario. Laptops get stolen every day. Cell phones get misplaced or lost or picked up by who knows. 
 My private information may be on that laptop or other people's private information, but if the hard drive is encrypted and it requires a password to log in, then at that point, that encryption and that password, hopefully a strong one, is protecting or securing my privacy and the privacy of everyone on my computer. So that's a simple example of security and privacy working together to achieve this common goal. Go ahead, Peter. So the disclaimer is I'm not a lawyer. My idea is to help us prevent things from happening and prevent needing to talk to lawyers. I do want to go over just quickly the basics of the legal stuff. So there's the GDPR that protects citizens in the European Union, the CCPA, it protects people in California. Those are general policies for companies that are collecting private information. In the EU, they have to opt in. In California, they have to be providing Californians a way to opt out. I think more importantly, most states in the USA where I am have some type of reasonable security procedures and practices law. And so I want to go over how we can meet those expectations of reasonable security procedures and practices. That's what the law states. That's really general and generic. And hopefully we never end up in a position with our organization where we're being asked if there was a data breach. Well, were you reasonably secure? And did you have best procedures and practices in place? Because that will be at the discretion of the judge. And that's never a position we want to be in. So this presentation is really about how to prevent this from happening in the first place. But I'm going to go over the simple things we can do to give us reasonable security and practices. So with common, I mean, a case study, an example is Blackbaud. If anyone's heard of Blackbaud, this is not a bad Blackbaud or good Blackbaud. It's just an example that Blackbaud had a data breach in 2019. 
 And Blackbaud is a large corporation, I think, and they serve or work with 45,000 nonprofits. So we're talking about serving millions of people. They're one of the largest providers of financial and fundraising technologies to nonprofits. And they got hacked. They had a data breach in 2019. So at work, we call this a dumpster fire. And there's a couple more slides, Peter. You can go through them kind of quickly. And it's not a position we want to be in. If there's like a data breach affecting 45,000 nonprofits, what ended up happening is that I think people may be suing or losing trust in those nonprofits because they lost their data. And then the nonprofits in turn have to come together and sue Blackbaud, who was responsible for all of this. And it's a big mess. There's 23 class action lawsuits underway right now. And so the question is, like, how does a nonprofit come back from that? Or how did this happen? How do we prevent it from happening in the first place to make sure something like this doesn't happen to us? I'm going to just interject really quickly. What Adam is also pointing out kind of indirectly here is that oftentimes as we think about data security isn't just about your organization or your laptop necessarily. And part of the reason why we chose to do this particular case study is because it's a well-known tool, but it's a third party tool. So if your website even has a contact form or it has any kind of interaction where you're integrating third party or maybe you're putting something in a Google form or Google Sheets and that data is flowing through a third party. Basically, I remember when on TV it was like, you know, it's eight o'clock. Do you know where your kids are, right? And this is kind of like 24-7, is do you know where your data is flowing through? 
 So even though Blackbaud may not be or this particular case study may not be you, your organization or your individual device phone laptop or something like that getting hacked, the third party, it's not good enough to just say, well, we just trusted them. Understanding how the third party providers are protecting your data and your constituents' data is the real highlight. Yeah, thanks, Peter. And please feel free to keep jumping in here. So how did this happen? Go ahead. So not by traditional means. Basically, they did not have a lack of IT guys at work. Tech was actually Blackbaud's thing there. And it's supposed to be their expertise. And it is their expertise. So how did this happen? Was it they didn't have antivirus? Well, Windows 10 and macOS both come with antivirus installed by default nowadays. Was it that their operating systems are out of date? No, none of that stuff. They automatically update themselves. It's deception. So more and more cyber attacks are becoming about deception, the art of deception. And so the idea is there's social engineering, phishing, and data ransom. I want to talk about those three things. That's exactly what happened to Blackbaud and how we can protect it from happening to ourselves. So social engineering is the idea that people are the weakest link in every security organization. What happens is people, a social engineer, can maybe pose as somebody in a position of authority over your organization or over your computer or your internet or your utilities, your telephone. Or they might pretend to be somebody they're not sending you a fake email from your boss or something. That would be a type of phishing email. We're going to get into that. So we have to understand, first of all, that a lot of the modern cyber attacks are psychological and not necessarily technical. Before we go on to this, I was thinking that a lot of it, too, is when it's, I think you can't emphasize the social engineering part enough. 
We really have to think deep down inside about ourselves about how we're vulnerable. Because I think things I was thinking about is we tend to be lazy or indifferent. It's not that we're dumb. It's just like we're in a hurry all the time. If we are really busy at work, we got this email. It looks legitimate. I'm being asked to provide this piece of information or do this certain task for my boss or something. And I'm just going to click through it, click the button. I need to log in on this website really fast and get this done. OK, got it. But sometimes we're vulnerable when we're in a hurry. There's urgency or stress, or we're trying to keep up a reputation or an offer sounds really good. These are all types of psychological vulnerabilities that we have as people. And we just need to be aware of them. And if those feelings are coming up, it's a good idea to slow down and just analyze the situation, maybe verify the communications using another communication platform. Like if I'm suspicious of an email, I'm going to make a quick phone call. It's a five minute phone call to protect everyone's data. Well, and one example I was going to share is as Adam and I were preparing for this presentation, literally as we went through the slides and the examples and everything else, my phone rings, just as we hung up from our internal call a couple of days ago, and my phone rings. And it's got this automated message that says, hey, Amazon has your Amazon order, something, something. You're being charged $129. Stay on the line for a representative. Now, we've got quite a few people here on the call. I'm assuming everybody's at some point ordered something from Amazon, or probably now that we're largely stay at home, we're probably ordering more than usual. So a phone call like that comes in, and I'm thinking, what did I order from Amazon? I mean, I don't even know how many orders I'm expecting or anything like that. 
So I waited on the line until the representative came on, and they started quizzing me on different things. And I said, well, which order are you calling in regards to? So it's one of those kind of trust but verify situations where did I expect this phone call? A lot of times when a phone call like this comes in, like Adam said, you can use a different method to contact. But another option you might want to use when you receive a phone call from somebody asking for information, A, either ask them something that they can verify that they are who they are, that they know what they're supposed to know. And that's one part of it. And on more sensitive things, like if I get a phone call or if you get a phone call from, let's say a credit, somebody claiming to be from your credit card company, you can go and grab the credit card, look at the phone number on the back and say, you know what, I will call you back. And hang up on the call that was initiated externally coming to you. And now you can make a phone call going out and you know at that point for sure that you're calling the credit card company, right? And at that point, they can verify you, you can valid in and say, okay, I got a call that there was fraud on my credit card. Is that really the case, right? So social engineering again comes in many flavors. And I would say all of us are subject to some kind of a social engineering attempt many times throughout the month, even without probably realizing. A lot of it probably ends up in our spam, et cetera. But there is many, many opportunities for us to be exposed to social engineering. And we'll get to some specifics about it such as answering security questions. What's your mother's maiden name? What's your first pet's name? What's the first city you lived in? Because while they're called security questions, they don't provide as much security as we tend to think they do. Back to you Adam. Thank you, Peter. So we can move on to the next slide. 
 So social engineering is gonna underlie various types of phishing attacks. Basic phishing, I think we've all seen like we only get the email and it's often poorly written. Often the domain name is misspelled, often has a strange attachment, et cetera. However, there's more advanced types of phishing that we need to be aware of. And that's what I wanna get into next. So here's an example. I just did a quick Google search looking for them, just to make a note that they can look really well designed. They can have all the company logos. Usually they have a suspicious link and then like click it, log in. And you think that there's a reason like this one says review your information or it might be even like a reverse psychology move where it's like your account has been compromised. Click here if this was not you. And sometimes Google really sends me those if it thinks someone's trying to log into my account or if I'm logging in from a different location than I normally do. So we get real ones and fake ones and they can look a lot alike. This one's pretty obvious in my opinion because it says it's from the Pentagon and what's American Express doing there and what's a .ci domain name. But about that, I'm gonna show you guys that actually the from address can be anything and it will not necessarily even go to your spam box. Here's another one from PayPal, for example. And again, some of these examples might be may appear benign. We recently helped an organization who got an email from their domain registrar. So basically their URL like square.com you have to renew periodically the domain registration, separate from where it's hosted and everything else. And by now I think all of us realize that having control of the domain there is only one of those, right? It's like your phone number. And somebody sent them an email saying, oh, your domain has not been renewed. You're 30 days past due, if you don't click here and pay the domain's gonna expire. 
 And so they, again, there's a lot of commonalities in these kind of spear phishing and social engineering and all of those elements which is generally they tend to induce a sense of urgency and some kind of severity, some kind of impact that's gonna happen. If you don't act by this, then these severe consequences are going to happen. And obviously if it was a real email, which sometimes we do, whether it's GoDaddy or NameSilo or ICANN or something, whoever registers your domain. And part of the challenge nowadays is there is literally thousands of companies that are domain registrars, right? So if your organization, you might have one main URL but you might own 10, 15, 20 other domains that expire at different times, they might be even with different registrars. And so when an email like that arrives, it's very challenging sometimes to realize, okay, is this a real email or is this not? So just some examples to connect the dots about what we're kind of talking about kind of the theory and showing some examples to some of that you might have seen in your real life. And I can see the chat on my secondary screen here is being very active. So thank you for sharing your examples. Back to you Adam. Right, thanks Peter. So basically one thing I would really point out or advise to keep an eye on is email account emails because often our email accounts are tied to other more important accounts that we think of like maybe the company website or CRM that where I can log in and it has all my organization's contacts and that's like the last thing we ever want to lose. They're not necessarily gonna phish for that. Maybe they're just gonna send me a Google office or an Office 365 phishing email because they know that if I can get that then maybe I can use the password reset to gain access to something more valuable than just an inbox. So that's something to keep an eye on. It gets scary right here where we're talking about advanced phishing. 
 It's gonna use social engineering and if you're targeted by some wannabe hacker or just like someone with too much time on their hands during COVID they figure out how to send fake emails. It's not hard to do. And what if they picked me or my organization as a direct target? They might even do some research like probably everyone in my organization or most of them are on LinkedIn and so they can get names, titles, what everyone's doing, who might regularly contact, who we can do some recon and then they're gonna pick someone and target them directly. That's called spear phishing. It's focused, very related to business email compromise. Third one. And the key parts to realize here is that you might think or one of your employees or whoever is associated. A lot of times this happens that we see it in organizations and they're volunteers, right? A relatively easy target doesn't may not even have an organizational email or something like that. And many people will say, well, it's not that big deal like, if somebody sends me an email, I have very little to provide or I don't have that much data, right? And what we have to be cognizant of is this is not necessarily about us as individuals. It's about the data and the access that we have. So it's that second layer, third layer because if somebody were to get into, let's say your computer or your email or your cell phone company or any of your accounts, again, nobody's quite interested in what are the contacts on your phone or what contacts are who you email from your Gmail account. That's not the key part here. The key part is where is your Gmail account or Yahoo or Hotmail or whatever you're using where is that link to what password reset can I initiate that's gonna go to that email. It's that next layer and the layer after that, that's the really important part. 
 And a lot of organizations that we've seen is they consider the volunteers almost like this ancillary thing that nobody thinks about, yet those very people, even if they have read only access into an internal system, right? Maybe it's somebody that's providing some kind of support or some kind of care or something like that, just being a supportive volunteer for an organization but you're directing them to your website to say, okay, well, go here and maybe read only information. Well, that means they have a vector of attack for tapping into the database and if they get into their email and have username and password, they can start extrapolating a lot of information very quickly. That's right. At this point in the presentation, I had an idea of sending an email from Adrian to Peter, but it would be me who does it all. I don't know if you're able to share that, Peter, or if you're not set up for that, regardless, the point stands that an email can be spoofed easily. Yeah, I don't have that set up but we've done again in our preparation and we can record a shared video maybe and share it when we publish this recording and some screenshots of that. But again, most people tend to think and I remember I'm gonna date myself here back in the 90s. There used to be emails going around, Bill Gates is gonna pay you $10 for every person to send you forward this email or whatever, which again, back in the 90s was very believable and a lot of people would forward it and I remember one time somebody forwarded it to me and I replied to that email but I changed the email headers, which is all the from to and everything else that said that I was Bill Gates, right? And everybody started all getting excited because they literally thought they were gonna get whatever, you know, $10 per forwarded email or whatever that was. 
 And the scary part of that is again, this was back in the mid to late 90s when I was doing this, again, was doing it obviously to teach people a lesson back then, but the scary part is 20 plus years later today, we still have that same problem and that's just because the way the internet was designed, the way email was designed, et cetera, et cetera, it was never meant to go to the scale and to the kind of utility that we're putting it through its paces today. And the lesson still stands today just because somebody sends you an email like we saw a couple of emails here, right? That Adam was pointing out that it's a PayPal letter for example on here and it says, petersonfamilykiro.com or the previous email where it's American Express, but it's coming from a completely unrelated domain. Well, point stands that if we wanted to, we could replicate any kind of email in the from field. So don't make the assumption just because, let's say a follow-up email comes from Adam or Eli or somebody, if it comes from techsoup.org, you can't make the assumption that it actually came from there. That's a pretty scary proposition to think about is that you never really know when that email shows up in your inbox that it is actually from the person that the email claims to be from. That's right. Like at Square, we do implement the latest email technologies to help verify them. It's called SPF and DKIM and DMARC, but even there, with all of that implemented, I'm still able to send emails spoofed from my laptop at home from my boss to my coworkers that say like, congrats, you're employee of the month and it'll even have his picture that automatically shows up. It'll have his signature. And unless you're trained in how to analyze the headers and even then it's still super complicated. Like my research in emails, it actually, it scared me how easy it still is to spoof an email. So my main recommendation about emails is never send confidential information over email. 
 That's, if I had an organization that would be a company policy. We would have a more secure means of communication. However, we're gonna need email because like Peter was talking about, it's kind of a legacy technology that we just can't get away from. The world depends on it too much. So I like to just assume email content may be public. And again, a lot of times people say, and again, not to pick on anybody in particular, but a lot of, obviously everybody knows about, let's say Gmail, right? Or, and many people because Gmail offers services to where you can have your own domain, but it's still hosted on the same infrastructure. And sometimes people say, well, that's fine. I'm not worried about where my data goes or whatnot because I don't use Gmail. Well, the latest statistic I saw was 46% of email globally goes through Gmail servers because chances are whether your organization is using Gmail, one of the recipients of that email is likely on there, right? So it's not just, and that's the scary part or the eye-opening part really about cybersecurity is you can be doing everything right and you still have very little control about what's going on, right? So, what are you doing? And I'm happy to take any questions or input in the chat. The question to you is what are you doing to educate, train, make your team members in your organizations aware? Maybe you're a volunteer and I would like to actually kind of create a bigger group of these people and just call them constituents to your organization, right? And again, so that could be an employee, that could be a volunteer, that could be a consultant, that could be a board member, right? All the different constituents that your organizations have, what are the different vectors of attack that you need to make them aware and educate them? And it sounds very scary and like Adam said, email is not a secure, secure means of communication. Thanks, Peter. We can go to the next slide. Sure. 
 So what happened to Blackbaud was actually after they were targeted through phishing, probably like we were talking about a spear phishing, a business email compromise, something directly targeted to really be deceptive. I doubt they clicked on something that originated from some weird part of the world or far away, it was all misspelled where, but I think that it was probably a direct attack and that it was probably spelled properly. Everything was, had the company logos, it might have had a login link to their company website and it might have been appearing from someone who was a person of trust. So after that type of phishing attack, what it led to was a data ransom. So data ransom is when they get the data and then they take it from you, they delete it off your company website servers or from your computer if that's what they gained access to and then they encrypt it and they won't give it or they'll just leave it encrypted in place and they won't give you the decryption keys or passwords without money. Question is, did they really get the data? Did they really encrypt it in the first place or is it a trick? Another question is if we pay, will they really give us the data back or will they give it part of it to us back and then ask for more money? It's a lose lose from the get go. So the idea is we wanna prevent this from ever happening in Blackbaud's case, they did pay it. And we're telling you a lot and we're gonna get as a matter of fact, next slide. It's gonna have a number of recommendations of actions you can do to protect yourself of we're trying to lay a ground here of what is out happening in the world and the things we're talking about and a lot of you again, appreciate your comments in the chat. A lot of you are sharing that you're already experiencing these things. What we're talking about and what we're saying is happening to big companies or data ransom. 
Some of us have probably heard of the cases where a hospital had to shut down because their data got encrypted or entire counties had to shut down or school districts, et cetera, right? In many of the organizations that we deal with, people will say, well, we're just a small organization. We only have 20 people here who would care about us, right? And what we have to be aware of and we try to impart this on the organizations that we work with is to say the level, whether somebody's going after a corporation that has 10,000 employees or going after your organization that has 10 employees, the level of effort, the barrier to entry is almost zero. As a matter of fact, it takes way much more effort to social engineer a much larger corporation and get into their network than send something to you. And again, the cascading effect, the domino effect of getting into an organization with 10 employees and where they're all hooked up in the third party relationships and everything else, that's the part that's really relevant. If you've been online for a couple of decades, you know spam used to go only to specific people, but then it started trickling down to individual user accounts, right? Because again, the barrier to entry and the cost to send out that one additional email or a million additional emails was virtually negligible. And that's where we are today, whether it's with social engineering or phishing or whether it's with data ransom is yes, the hackers and the bad guys are gonna go after the big targets first, but what's happening there is only a month or a year or two away from what's gonna start happening to us as individuals, much less our organizations that are kind of in between those two extremes. 
But we're gonna see a lot more individuals who are suddenly gonna open up their laptop and it's gonna say, hey, your data's been locked, you gotta pay us X and it may be, in the grand scheme of things like a hospital or a school district, they will have to pay millions. The thieves, they know that they can't ask you for a million dollars, but they will ask you for $100, $500, $1,000, which could be a big amount to you when if you combine all the individual ones, the consequences of that are pretty substantial. So, and as Adrian just pointed out in the chat is, it's all digital data. There is no way to prove that you've deleted the zeros and one off the hard drive. Like literally, there's no way to know if somebody made an extra copy, there's no way to know if they're selling it on the dark net somewhere. There's just no way to know. You might still unlock your data, but you have no idea where that data might show up one, two, three, five years from now. Thanks, Peter. Another consideration would be, does your organization or the ones you partner with in the tech side of things have insurance that covers these types of scenarios? All right, we got about 11 more minutes, Adam. So let's go through these five things that everybody can do right now so that we give a great value. Got it. So five things we can do. Next slide, please. One is protect from physical theft. So we can do that by encrypting our devices, our cell phones, our laptops, and making regular backups. I recommend encrypted backups offsite at a secure location. There's a link in this slide and the slides will be made available afterwards. And so then you can download them and click the links if you needed more information or resources. And a quick tip, and you can Google this on, I use an iPhone, but I'm sure Android has a similar feature. If I take my phone and I hit the power button, I have, there's a setting in the operating system. And you don't have to unlock the phone or anything. 
If I hit my power button five times in sequence, one after another, right? So this is, it automatically locks my screen and it says, okay, is this an emergency? Do you need to call emergency services, SOS? Or is this a medical thing and show the medical ID, right? So this is a great thing to know that if you're in a position where maybe there's some physical theft happening or something like that, you can just reach in your pocket or purse or wherever you're carrying your phone, hit that power button five times, and it'll automatically lock your phone. And the only way to unlock the phone at this point, even if I cancel out of it, is it's gonna say, enter your password, right? So they can just take your fingerprint or put it up to your face. Now they have to have, if they steal the phone, they would have to have the physical password. It's much more difficult to unlock the phone if you do that. So that's just another kind of a self-protection, quick way to protect yourself. The second thing I'd recommend is email scanning for phishing emails. Most emails scan for viruses nowadays, but there are providers, there are providers that provide more advanced detection for phishing and stuff. So I recommend either a third party like premium G Suite, Office 365 or Amazon WorkMail, or if you're partnering with like a web hosting organization that handles your email as well, I would ask them if they're using Rspamd email scanning, which is gonna get you covered. And I recommend Rspamd, it's good stuff. Next one is DNS filtering. So we can install an app on our phones and modify a few settings on macOS or Windows. And what can happen is every time a domain name is resolved, which means when you type in like www.google.com, not only do these services check that it really is Google.com, which is what DNS is supposed to do, but it also checks to see if you're accidentally clicking on a malware or a phishing type of website. 
And so Cloudflare and Quad9 both provide a free service that you can set up. Add those links there, they provide video tutorials, it only takes a few minutes to set up all the apps on your phones and on your laptops. I highly recommend it. Password managers are actually really great for this because if we regularly use a password manager to log into our regular websites, if we accidentally click on a website, that's a phishing website, the first clue is gonna be that it's not going to offer to fill out the form for us with our password for that site that we usually go to. Also a lot of them, I know Google Chrome will automatically offer to give you a generated strong password. So the days of coming up with a unique password and then remembering it, and then all the websites require like a different type of password with a certain amount of capital and lowercase letters and symbols and numbers. And it gets really hard to remember all your passwords. Like if you use a password manager, it's really easy to forget about all that and just let your computer work for you. I highly recommend it. And you hear a lot about people saying, have these long, complex, elaborate passwords. And sometimes people do that and then they reuse that same complex, elaborate password in multiple, multiple, multiple places. Here's a quick thing. I would highly recommend you choose distinct passwords and then use a password manager and you can keep them simpler, right? You don't have to go into all sorts of weird characters and everything that, but using distinct passwords, even if they're simpler and less complex is much better than using one complex password and reusing it across multiple websites. Why? 
Because if there is a breach, that complex password is gonna get passed around on the dark web and the scripts and methods to test that password into your Amazon account, into your email account, into your credit card account, into all of these, they can run literally millions of these in a day for your username, password combination across multiple different sites. And they know 99.9% of the time they're gonna hit and say user invalid or password invalid because you may not even have an account there, but it's that 0.01% when they hit and it says, oh, Bobby's account, what's the password, right? And the next thing is gonna say, oh, what was your first pet's name, right? And a quick Google or LinkedIn or Facebook profile will provide that. And suddenly multiple of your accounts are compromised. All right. And so the fifth thing I recommend is two factor authentication. This one's a bit more complicated, but basically once it's set up to log in on your website, you log in like you always do, but then it will ask you for a code from your phone. And it helps. It does improve security. And if you get that set up, it will help. However, it's not foolproof. There are sophisticated phishing websites that have no problem with two factor authentication. So it shouldn't be considered a silver bullet. And again, password managers, for example, 1Password, they help and use the two factor authentication so that you can use it more readily. Again, if you have availability of setting up two factor authentication, that you can integrate into your, just having it text to your phone, that's better than not having it, but also realize that if somebody's really determined to get in, they can spoof your SIM card. And when it sends the text message with the two factor authentication, the code, they can actually see a copy of that and start doing that. So if you have a choice, yes, set it up on the phone that's better than not having it at all. 
But if you have a choice, kind of the next layer of protection is set it up through an independent tool. There is Google Authenticator, there's 1Password, et cetera, et cetera. And Melissa, you need to tell, you need to introduce us to your puppy. I don't know if you also noticed, I also don't know if you noticed Melissa's comment that her people all whine about two factor authentication, that they don't like to use it. Well, to kind of wrap this all up, summary is, it's a fight for online privacy and security together. And if hopefully you've taken away a number of things from this presentation, but if there is one thing of how the lens through which I encourage people to think about this topic is the level, it's layers of security and layers of improvement. You're not gonna go out there and suddenly encrypt everybody's laptops and set up two factor authentication and everything, everything, everything, just do one thing at a time, implement it, get people used to it, just layer it. Because the key part here is, are you making it easy for somebody to hack you to steal your data, to get into your computer and so on and so forth? If you need a kind of a mindset for protection, think about it from two standpoints. What do you have and what do you know? Those are two aspects that when combined provide an extremely secure point of verification. That is an example of the two factor authentication, right? What do you know? Meaning you go in, you put in your username and password, you know the password, and then what do you have? Either your phone or your Google Authenticator or something like that, right? There is other layers of physical, called YubiKeys or other validation devices that are used in much more advanced areas. But in your organization, you can just, every time you're looking at adding a layer of security, is it something you know? Is it something you have? Can you combine them together? Can you improve what you already have? 
Adam, I'll let you close it out. Sure, I think my last word to everyone is I think just like try to know yourself and have a healthy skepticism, a reasonable paranoia. Just like if it feels wrong, it probably is. Trust your instincts. Online, we have to be a little bit paranoid. It's better to be safe than sorry when we're handling private information like this. I think it's okay to confirm, neither confirm nor deny things. We should train people about not easily giving out information that it's okay to take our time and sit on things to confirm communications using other methods if we're a little bit suspicious. Because most of these cyber attacks are starting out with psychology nowadays. And there are tech things we can do to protect ourselves. But I think the idea is basically a computer or a phone is like a glorified calculator. And we can never trick it that two plus two equals five. But with people, we have a different vulnerability like this and that's what a lot of modern cyber attacks are taking advantage of. So we fight for privacy and security together. In our organizations, let's implement these five things. Let's do training about all this stuff. And let's do research about tech organizations we're partnering with. Do they take security seriously? Are they security conscious? What do they have in place? So I'll leave it open-ended with that, I think. Yeah, that's great. Thank you, Adam. And I'm sure that Peter and Adam are happy to stay on for a couple extra minutes if anybody does have questions that they want addressed but in respect of everyone's time, we're at the top of the hour. So we're gonna wrap up. And like I said, I'm sure Adam and Peter are happy to stay if anyone has a question they wanna make sure gets addressed. Yeah, feel free to unmute and ask a question or I'll put it in the chat and we're happy to address any inquiries. Actually, I don't know if you can unmute. 
So either raise your hand or just wave your hand at the screen or there's a raise hand thing. Are we good? All right, well, you guys know how to reach us. Thank you so much for coming and being a part of it. We've got another event coming up in two weeks from today, February 17th. So hopefully we'll see you guys there. And if you need anything in the meantime or have any questions, let us know. We'll send out the slides and a whole bunch of links from today's presentation with the follow-up from this. Have a great day. Thank you, everybody. Thank you.