or security, put on by Idealware, made possible by a grant from LSC. Questions can be submitted through the question box chat. All attendees are muted by default. There is an option to use "raise your hand" and have us unmute you. If you've got any questions, there are other people who have similar questions, so please feel free to ask them. We're happy to have a dialogue as part of this. We've also got some upcoming webinars on the LSNTAP website; I'm going to drop a link to the trainings page. We've got one coming up on how to do videos, with share law videos and quick start guides. There's a Drupal basic installation one coming up, put on by Urban Insight, a Drupal meetup, and then features that are common across all Microsoft applications, all within the next 30 days. So we've got a packed back-to-school schedule here. Turning it over at this point to Joshua Peskay. Thank you so much for doing this webinar today.

My pleasure, and thank you so much, Brian. And thanks to LSNTAP for having us here and to Idealware for putting together this slide deck. So just very quickly about me: I've been an Idealware expert trainer for a little over three years now. I'm also the vice president of Roundtable Technology. Roundtable Technology provides technology services and strategy to nonprofits and small to mid-sized businesses in New York City and in Maine, and also around the country, but we're predominantly in those two places. And I am delighted to be joined today by Peter Campbell, Chief Information Officer of Legal Services Corporation, and I will let him introduce himself.

I think most of the people on this call know me, because I can see the names, but yeah, I'm the CIO of Legal Services Corporation, and I have a long background doing technology for nonprofits and law firms.

Excellent, all right. And so we've got a fair amount of content today, so we're going to move briskly, but hopefully not in a rush.
And I just want to introduce Idealware for anyone who's not familiar with Idealware. They help nonprofits make smart software decisions. They do that through articles, reports, online training and webinars, such as the one you are attending right now. And what we're going to cover today is imperfect security and what I would consider to be, from my perspective, the most important thing. If you do one thing coming out of today's webinar, it would be assessing your risk: understanding what risks you face, the impact of those risks, how likely they are to happen, things like that. Then some common risky practices that we see across nonprofits and legal services organizations. What do you do if you experience a data breach? We'll talk about what to do about that, and about establishing policies for your organization. And we're going to start off with a quick poll here. So let me get my polls up, which is: on a scale of 1 to 5, how concerned are you with your data security? I'm going to go ahead and launch that poll. And up, for some reason, it's not... Oh, I'm sorry, we're all set. So one is "I'm not very concerned about my security" and five would be "I am deeply concerned about the data security of my organization." So level of concern here, five being very concerned, one being not at all concerned. And we'll leave that poll open just for a few more seconds. Count it down, five, four. If you haven't gotten your response in, go for it, three, two, and one. We're going to close that poll down and share the results here. So no one is either not concerned or only a little concerned. Everybody is at least moderately concerned, leading up to being aggressively concerned. This makes sense as a self-selected audience of people who are attending a webinar on security. So that certainly makes sense. And hopefully we will alleviate some of those concerns today, or at least give you some steps you can take to help alleviate them in the future.
So let's start with this idea of a false sense of security and where we think that might be a concern. So why is everyone talking about security these days? And is it just a bunch of FUD? For those of you who aren't familiar with that term: fear, uncertainty, and disinformation. So FUD is kind of a marketing, sales, maybe even a propaganda term, certainly common around presidential elections, where you create a certain amount, or a lot, of fear and uncertainty and doubt in people in order to convince them that they need your help. So one of the questions is how much of the security that you hear about, that you read about, is this kind of FUD from people wanting to sell you services to protect you from things that you may not need protection from. And I think it's easy to see a lot of that as noise and to be a bit complacent about your security. And I think that for people like, I'll put myself in the category, and Peter and Idealware and other folks that want to train about security, I do think it's a pretty hard line to walk. And I know I struggle with it always, which is: how alarmist do I want to be in terms of making people aware of risks, against how calm and reasonable do I want to be in terms of not causing panic where it's really not warranted, right? And so what I'll suggest to everybody attending this webinar is that we're doing our best to walk that line. And so the recommendations that are coming out of this are trying our best to be reasonable about the things that we're warning you about and not cause unreasonable amounts of alarm. But there's certainly room for people to disagree on this. And so that's one point. I don't know, Peter, is there anything that you want to add to that? I know I've muddled that up a little bit, but in terms of...

I would say that the goal, I'm sure, that we have is to give the common sense ideas about what you really should be doing.
And, you know, yeah, there are companies now selling huge defenses against hacking and things like that that are very expensive and very complex. And whether we need those or not is a question, but there are definitely some very simple ground-level things that we should be doing that we'll go over today.

Excellent.

And not to try to cause any fear, but I've dealt with several organizations in the last several years that have had websites hijacked or their data servers directly targeted and lost client information. The concern is very real for me, and the smaller organizations with less dedicated staff, less likelihood to have regular updates, are clearly being targeted. So there's a real need out there.

And in case everyone wasn't clear, that was Brian. And thank you, Brian. And you're, of course, welcome to contribute as well throughout this, Brian, wherever you have comments. And so one thing I think that we can all agree on is that avoiding it because it's complex, and because it's scary, and because it's kind of not a priority, and it's not something from which you see immediate benefit, is not going to protect you. And I think that this is one of the areas where security and backups and preventative types of activities are hard. I think for any type of organization, but particularly for nonprofit organizations, where there's so much focus on: how can I see something that benefits our staff, that allows our staff to work more effectively, that allows us to raise more funds, to impact more constituents, to reach out to more people. So those are all gains. And where you're preventing harm from happening to your organization, the benefit is much harder to quantify for your organization. So I think that can be a trap that's really easy to fall into. And at the same time, I don't think everybody should stop what they're doing and focus all their energies and money on securing their organization.
So I think Peter said it really succinctly: we want to get across a kind of common sense approach here, and that's what we're going to be trying to do. And so one thing that's really, really clear, and Brian said it and we were talking about it before we came on the air here, is that your nonprofit status, and if you're a small organization and you don't think you have any data that's worth anything, that is not going to protect you. So the stance, which I don't hear so much from people these days, but that I certainly have heard long before as well, is, you know, there's no information that we have that's particularly sensitive. There's really, you know, nothing that would bother us. So we're not really a target. That may be true, but if you aren't protected from something as basic as, let's say, a ransomware attack, where someone can lock down all your files and make them unretrievable to you without paying a ransom, then unless you can literally say, well, you know, we could delete all of our documents, Word documents, Google documents, you know, PowerPoint slides, PDFs, everything tomorrow and not care, you do have some risk, in the sense that just losing that information could be a risk, and this could be a very costly thing. So your nonprofit status, the fact that you're a small organization, perhaps the fact that you don't have what you consider to be valuable information, is not something that you can fall back on as a means of protecting yourself. And small nonprofits can be attractive targets, and Brian alluded to this just a couple minutes ago, with the idea that because they don't have IT resources, and that's known, they are softer targets, to use that term, and they aren't likely to notice a breach. And just a quick technical example, I don't want to get too technical here, but we've seen two different organizations that have engaged us because they were having problems with their network that their existing IT support couldn't identify.
And when we ran some fronts at some of their network, we literally found torrent servers running on their network. You know, basically people had breached their servers, they had installed torrent software, and were using their network as a distribution source, and you can imagine that has not only functional impact on the organization, because it's eating into their bandwidth, but their IP address, the organizational IP address, is sharing out copyrighted material, and they could potentially be on the hook for, or certainly be nuisanced by, RIAA lawsuits going after them. So there's all sorts of things that can happen to you even if you're very small and don't have information. And Peter, do you have anything you want to add to that?

Yeah, I mean, that was kind of the comment I was going to make, that even if you don't think that your data is all that sensitive or all that concerning, a lot of times the attackers want to use your system to attack others. So in addition to torrents, they might set up spam servers, they might put up phishing pages. This actually happened to me on a personal server, where somebody managed to hack into it and put up a page, and then they sent out an email that took people to it so that they could gather, you know, information. So everybody's targeted.

Yep, your resources are targeted. If you have a server that's connected to the internet, or even just computers that are attached to the internet, that's a resource that a hacker may find very appealing, especially if it's not well secured. So what are your risks and what should you do about them? We're going to take some time, the bulk of this webinar, to run through some of the practices that are there.
And what I want to start with, and I'll go back to what I said before, is that I would consider this, from my perspective, to be the one thing: if you do one thing coming out of the webinar today to improve the posture of your organization around information security, it would be doing some kind of a risk assessment, risk analysis, whatever you want to call it. We're going to talk about what that entails right now. And to me, this is the most logical starting point. And if you haven't done this, then I think it's hard to know whether your security practices are appropriate for your organization or not. And so let's explain why that is. So it's a process of understanding what risks you face. All right, and in order to do that, you have to think about what information you have. And there's this specific way to think about your data. And I'm going to part ways just a little bit from Idealware's comments here as we go through this, but not in a significant way, just so you're aware. And what this means is thinking about all the different information. And the average nonprofit these days has information in a lot of different places, potentially. So you may have information on a file server in your office. You may have information in a Salesforce database. You may have information on a website. You may have information in an email marketing platform. You may have information on Google Drive and Dropbox and all these other places. And all of those different places are potential concerns for you, where we want to understand: well, how sensitive is the information that's in that place? And there's a specific way to look at that. And we're going to talk about that a little bit now.
And so a suggestion here, and I think this is a great one, is to just, you can do this in a spreadsheet or you can do this with a little group of people in your organization and literally just do it on post-it notes, where you're going to write down: this is the information, and here's basically where it is, right? So this is where it's stored. It's either physically on a computer in our office, on a server, on a desktop, or it's hosted on some cloud service, and if so, what that is. If it's your website, it's at, you know, Bluehost. If it's your Dropbox information, it's hosted by Dropbox. If it's in OneDrive, it's in your Microsoft Office 365 account. So you organize it that way so you start to have an understanding. And one of the handouts that we will have at the end is actually a spreadsheet that we're going to share with everybody, something that I put together a couple of years ago to help organizations with risk analysis, that allows you to organize this on a spreadsheet. So after you have all of your information written down, here's the key part. You want to think about it across, oh, and Idealware did update it, this is great. Okay, so I'm going right with the Idealware slides here; they updated it based on my feedback, this is great. So CIA, which is a little bit of an annoying but easy acronym to remember: confidentiality, integrity, and availability. So every piece of data gets ranked, and I would keep it really simple, high, medium, low, in each of these categories. And I'll just give you two very quick examples, because I want to keep moving briskly here, but let's take your website data. So website data on confidentiality is obviously low or non-existent, right? It is exposed; it is by design public information. So the information on your website on the confidentiality spectrum is very low. The integrity, well, you certainly wouldn't want to lose it, right?
Having to recreate all the content on your website, that'd be a big bummer. So it would be high on integrity, and availability also high, because you don't want your website to be unavailable for long periods of time if you're an average nonprofit or legal services organization, where you are expecting donations to come in, where you're expecting constituents to be able to come to your website to download necessary forms or sign up for your services, make appointments. That availability is very high. So a website would be confidentiality low, integrity high, availability high. And then we can flip that and say our file server, where we have all of our documents, our case management files, our legal templates, our briefs, all of that kind of stuff. So the confidentiality on that, well, that might depend, right? If you don't actually have any particularly sensitive information there, it might just be moderate. It might even be low. The integrity, that would be high, because again, you don't want to lose that information or have it modified. The availability, well, maybe that's moderate. Maybe if you were without that data for 24, 48 hours, as long as it wasn't lost and it was safe, maybe that wouldn't really have that much impact on your organization. So the availability might be moderate or might even be low. And you just walk through that for every piece of information that you've identified, and that helps you understand what information you really care about and across which of these areas. Peter, is there anything you want to add to that before I cruise on?

No, you covered it really well.

Thanks. All right, and then consider the rest. So after you've identified your data and how important it is on a confidentiality, availability, integrity level, you then think about, well, what could happen to the data.
And this is where I think people often, when they're talking about security, they don't think about... When people hear the word security, they think of breaches, of attacks, of malware, of phishing attacks and all these kinds of things, and only that. But I think it's important to understand that a hard drive failing falls under this realm of security risk. Because if the data is important to you, both to be available and to not be lost, then if it's not backed up and the hard drive fails on your server, the data is now lost and unavailable. So it has become a real problem for your organization. Even though no one did anything, there's no breach, there's no security thing, the hard drive has failed. That's just as bad. And it doesn't really matter to you how the thing happens; what matters to you is what happened. So you think about what could happen to your data. So we could have a hard drive failure, we could have an outage of our web host, we could have a password that we lost and we can't log into the service because we forgot what our password is, and so that would make it unavailable, and so on and so forth. And then we think, how likely are these things to happen? And then we think, how bad would it be if that particular thing happened? And for the how-bad part, I try to keep it as simple as possible, to think in terms of impact, mostly in terms of cost, and cost can be dollars, cost can be time, cost can be reputational damage, but all of those things are what you look at in terms of impact. How bad would it be if that particular thing happened? And now, as we put these things together, this idea of: here's our information, here's where it is, here's how much we care about it across these three areas, here's the risks that are identified.
Now we can look at what safeguards we have in place, in terms of password policies, backup procedures, et cetera, that can help us protect against those things, and start to identify where there might be some gaps and some insufficient safeguards, based on how we've classified our information. And with that, we're gonna kick up the next poll. Let me go ahead and launch this one, which is: what security risks are keeping you up at night in our audience? So we'll ask for some quick responses here. So we have weak passwords, we have unsecured remote access, we have public Wi-Fi risks, reputational damage from a data breach, and of course, other. And if you have other, I think you can go ahead and type something in; I'm not actually sure.

You can type stuff into the question box and we can read those out.

Gotcha, okay, we're definitely happy to share any responses for other there. Fantastic, okay. All right, and we'll leave that open just for a few more seconds. We've got just over half the audience voted, so if you have not put in a vote yet, please do so, and we'll keep it open for another three seconds, two seconds, one second, and let's show what people have to say. And I didn't see anything come into the chat.

Okay, other: staff using Dropbox, that's great.

So weak passwords is about a quarter of us, unsecured remote access a little bit smaller, reputational damage from a data breach seems to be the biggest concern. And then in the other, a couple of people selected that, but we've got staff using Dropbox as the thing. There's a name for what I'm guessing the person who entered the Dropbox one is getting at, and it's this idea of something that we would call shadow IT. And what shadow IT is, which I think is an important term for folks to understand, is when staff just use their own software or their own service in order to provide some function, and by doing so they take organizational data completely outside of organizational controls.
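The risk-assessment walk-through above (inventory each piece of data and where it lives, rate it high/medium/low for confidentiality, integrity and availability, list what could happen to it, rate likelihood and impact, then compare against the safeguards already in place) written out as a small Python risk register. This is an added example, not part of the webinar or of the spreadsheet handout it mentions; every asset, threat and safeguard label in it is a constructed sample value, with the website and file-server ratings taken from the talk.

```python
"""Risk register in the shape the webinar describes: inventory each piece of
data and where it lives, rate it high/medium/low for confidentiality, integrity
and availability, list what could happen to it, rate likelihood and impact,
then compare against the safeguards already in place to find gaps.

Added example, not the webinar's or Idealware's spreadsheet. All asset names,
ratings, threats and safeguard labels are constructed sample values; the
website and file-server CIA ratings follow the talk's walk-through.
"""
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str
    location: str                      # "office server", "web host", "SaaS", ...
    confidentiality: str
    integrity: str
    availability: str
    safeguards: frozenset = frozenset()


@dataclass
class Threat:
    name: str
    affects: tuple                     # CIA properties this event hurts
    likelihood: str
    impact: str                        # cost in dollars, time or reputation
    mitigated_by: frozenset            # safeguards that address it
    locations: frozenset = frozenset()  # empty = applies everywhere

    def applies_to(self, asset: Asset) -> bool:
        return not self.locations or asset.location in self.locations


def risk_score(asset: Asset, threat: Threat) -> int:
    """How much we care (highest affected CIA rating) x likelihood x impact, 1..27."""
    sensitivity = max(LEVEL[getattr(asset, prop)] for prop in threat.affects)
    return sensitivity * LEVEL[threat.likelihood] * LEVEL[threat.impact]


def find_gaps(assets, threats):
    """Every asset/threat pair with a missing safeguard, highest score first.

    Returns tuples of (score, asset name, threat name, sorted missing safeguards)."""
    gaps = []
    for asset in assets:
        for threat in threats:
            if not threat.applies_to(asset):
                continue
            missing = threat.mitigated_by - asset.safeguards
            if missing:
                gaps.append((risk_score(asset, threat), asset.name,
                             threat.name, sorted(missing)))
    return sorted(gaps, key=lambda g: g[0], reverse=True)


# Constructed inventory; the first two mirror the examples given in the talk.
ASSETS = [
    Asset("public website", "web host", "low", "high", "high",
          frozenset({"hosting SLA", "password manager"})),
    Asset("file server documents", "office server", "medium", "high", "medium",
          frozenset({"password policy"})),
    Asset("donor list", "SaaS", "high", "medium", "low",
          frozenset({"password manager"})),
]

# Constructed "what could happen" list: the non-attack events the talk stresses
# (hardware failure, forgotten password) sit alongside ransomware and guessing.
THREATS = [
    Threat("hard drive failure", ("integrity", "availability"), "medium", "high",
           frozenset({"tested backups"}), frozenset({"office server"})),
    Threat("ransomware", ("integrity", "availability"), "medium", "high",
           frozenset({"tested backups"}), frozenset({"office server"})),
    Threat("web host outage", ("availability",), "medium", "medium",
           frozenset({"hosting SLA"}), frozenset({"web host"})),
    Threat("lost or forgotten password", ("availability",), "medium", "medium",
           frozenset({"password manager"})),
    Threat("guessed or reused password", ("confidentiality",), "medium", "high",
           frozenset({"password policy", "multi-factor authentication"})),
]


if __name__ == "__main__":
    for score, asset, threat, missing in find_gaps(ASSETS, THREATS):
        print(f"{score:2d}  {asset:24s} {threat:28s} add: {', '.join(missing)}")
```

The ordering makes the talk's point concrete: the "nothing sensitive here" file server still lands at the top of the list because of integrity and availability, not confidentiality.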
So if you have a file server, a traditional Windows file server in your office, and staff are clamoring for remote access to files so they can work on stuff, and they wanna be able to do it from their mobile device, and all you give them is LogMeIn, and that kinda doesn't work so well from a mobile device, so they're kind of annoyed, because it's like, I wanna be on the train with my iPad editing a legal brief and that's super annoying. Then what your enterprising young staff person will in almost all instances do is just create their own Dropbox or Google Drive and just dump their briefs into that, and now that's just sitting in their personal Dropbox or Google Drive so that they can edit on their iPad while they're on the train heading in or out of the city. And that is shadow IT in a nutshell, and so the onus becomes on the IT department to provide a higher service level in order to constrain it, and make it so that people don't need to use these shadow IT services. So actually insufficient IT service levels become themselves a security concern for an organization.

Yeah, there was another comment in here in the other: not so much weak passwords but bad habits with passwords, which is a related topic, definitely.

All right, and we are going to address those head on just very shortly, and thank you for that, Brian. All right, so we're gonna jump now into the kind of meat of this, which is the eight common risky practices that nonprofits either do or don't do, and so number one is unmanaged personal devices, and this is kind of an adjunct to shadow IT. Do staffers use their personal devices for work? And in almost all cases, the answer to that is yes. People use personal devices for work. They have email on their personal phones. They have email on their personal computers. They may often have documents. They may even have documents that are stored on their personal computers. They are using those devices and personal computers on networks that are completely outside of your control.
So that is happening pretty much all the time, pretty much for all organizations, unless you put in really, really constrained environments that disallow that. So it is very, very hard to control access to these kinds of things, and so that is something that can be a real challenge. And a personal device may also have additional users. So you have to remember that your executive director's iPad may also be being used by their eight-year-old, and if there's data on that iPad, it may be that the executive director isn't going to post it on Facebook, but that eight-year-old might very well do that, either on purpose or by accident. And so that's one real challenge, and then also employees that you terminate may still have quite a bit of organizational information on those personal devices after leaving. And Peter, I think you had some other things that you wanted to contribute here, if I'm on the right place. Perhaps I'm not.

Yeah, I think I was gonna, did we talk about mobile device management or is that the next slide?

So mobile device management is coming up. Yeah, yeah, is, hang on, hang on a second, let me tell you. Nope, we did not talk about MDM, and we aren't, so this is the place to talk about mobile device management.

Yeah, I think it was mentioned also that we kind of breezed by that. I was just gonna say, I think the slide says something about it being expensive, but basically the advice I was gonna give is: anybody who has Exchange or Google as their email system has some rudimentary mobile device management capabilities, or there are products out there. I think there are some free ones that are reasonably good, and often you can get them in suites with your antivirus and other security tools. But the main thing that I kind of urge people to do is have a policy in the organization that says if users are going to do email or work on their personal iPads and phones, the company reserves a right to wipe those phones if they're stolen or lost.
You know, it's not something that would be time for the user to lose everything on their iPhone, but that gives them the choice. They can not do the work on the phone, or they can protect the data.

Absolutely, and I don't wanna scare anybody who's on the webinar and doesn't know this, but if your organization uses, for example, Google Apps or Office 365, and you're in presumably the nonprofit editions of those, when you install, connect your account to your organization's Gmail or Google Apps or Office 365 account, you're actually granting permission for them to wipe your phone at any time. So you've already done that, and your organization technically already has that ability to wipe your phone if you have put your organizational email on your personal device. So just be aware of that, and it would be nice to make sure that staff are aware that they've given you that right, but technically that is actually granted when you set that up.

There are a lot of things like that that go over much better at the beginning of the process than later on. And the way that you're told that, when you set up your email account on the phone, it doesn't look like that's a message from the organization; it looks like it's a message from Microsoft or whoever. So, I mean, you wanna make clear that this is the organization's policy.
And if you as an organization wanted to go a step further, there are additional programs you could buy. Typically the industry term is mobile device management, or MDM, and there's a variety of different platforms for this, but what they'll typically do is create a sandboxed environment on somebody's personal mobile device, inside of which live all the organizational applications. So the way that would work is, if Legal Services, let's say, used an MDM tool, you wouldn't actually be able to just add your Legal Services email as an additional email account on your phone. The only thing you'd be able to do is add the Legal Services application, the MDM Legal Services application, to your phone, and then once that's installed and credentialed appropriately, you would open that and then you would see an email application, a document application, and that would all live inside of that mobile device management wrapper. And that is probably the best practice, but unfortunately it's still a bit expensive and also requires quite a bit more management from IT, which some organizations don't have. So, and I don't know that I would recommend that it's best practice. Oh, go ahead, Peter.

One more issue with MDM, which is that they want to put an app on the iPhone and Android and everything, and those apps can often be resource hogs. We had a bad experience with one where it was really disassembled to make people live through having the app installed on their phone, yep.

Yeah, and it's still, I would say, a maturing space, and so for that reason I'm not recommending it as best practice. The pricing is also all over the place, the technology is all over the place, but a lot of corporations are, as you can imagine, very invested in this, particularly very large ones. All right.
So the software ownership: the other thing is, if staff are using their personal devices for things, they may be using unlicensed software, they may be using old versions of software that may not be secure. The more people, again, are using personal devices to work on your organization's data, the more there are potential security risks, and even licensing risks, that you're being exposed to that you may not even realize. And so these are not necessarily reasons to say, and again, this is the common sense part of the webinar, right, the productivity losses from basically refusing to let any of your staff work on personal devices are probably not worth it in terms of the security gains. But having some awareness about what these security risks are, and maybe there are certain types of information, for instance HIPAA information, if anyone has that, that you do constrain and don't allow people to use on personal devices, and put some auditing and policy tools in place to prevent that.

Right, I've definitely seen orgs adopt policies that are way too stringent, and then that just encourages the shadow IT problem.

Yep, and hopefully we're not making people feel hopeless, but it is a hard thing, right? If IT starts putting a lot of constraints around employees, they'll start doing shadow IT, and then you lose the security anyway. So it all comes back to providing a high level of service to staff so they can do the things they want to do in a way that is in alignment with the security posture of the organization.

Let me just add to that that it's also relationship management.
I mean, staff generally understand that security is an issue. They're hearing it from more places than you, and they want to be secure. So they have that desire, you have a desire for them to be secure, but you may be the IT department all by yourself, so you don't have resources to provide a whole lot of support. But as long as, I think, you have a good open dialogue with staff and they understand, and you are respectful of their business needs, you know, you start out being respectful of their business needs, then they'll be respectful of the security needs. It's very much the relationship between IT and staff.

I love that. I wish I had that written down, Peter, that is great. If you are respectful of their business needs, they will be respectful of your security needs. That is what relationship is, right? It's great. Thank you. What can you do? So you can provide virus and malware software for people for their home devices, right? That's not horribly expensive. That way, you know, there's some basic level of protection there, and if you use a managed tool, then you'll even get notifications. Apologies for background noise; I'm on Queens Boulevard in New York City, about a block from a fire station. It's actually been a very quiet webinar from my perspective so far; usually there's sirens going by about every 10 minutes. So you can provide virus and malware software for their personal devices. You establish, obviously, software licensing policies, so you make sure they're using a legitimate license on their home computer if they have that need. You can consider providing devices for work. Most people don't want to carry two phones, but certainly providing work-based laptops or iPads or things like that that you have people limit to that purpose is a possibility. And again, mobile device management exists, as we talked about, but can be a little bit expensive and onerous to manage. And with that, we're going to cruise on to password management.
So are a lot of people using weak passwords? You bet they are. And the most popular passwords of the last four years, and by the way, there's fun stuff out there, I don't know how accurate these are, as it is with these internet memes, but if you look at, like, the LinkedIn data breach, or, of all things, the Ashley Madison data breach, they show what the top 10 passwords were on those things, and it's pretty much exactly like this list. So people on LinkedIn, people on Ashley Madison, for those who are not familiar with it, it's a website for married people who want to cheat on their spouses, so you would think that people that are signing up for that service might be motivated to use a more secure password. Nope, the top 10 passwords were still things like "123456", "password", and so on and so forth. So weak passwords are out there in heavy use, and why? Because our brains, and Peter and I are going to talk about this as we come up, our brains are really not, you know, password generation algorithm machines. We're just not designed to generate all sorts of complex passwords and remember them. That is not what our brains are good at. It's probably something that you could develop if you really felt like it; I'm not sure that's a skill that's worth the effort, especially because there are lots of good tools to do it. And so what happens, because we're really bad at generating lots of unique, long, complex passwords, is we do things like: we share passwords with other people, we reuse the same password over and over, we don't even bother to change a default password for something like a router or a computer, we write passwords on post-it notes and keep them written around where anyone walking up to our desk could find it, take a picture of it, and we keep passwords just in general too simple. And we do see brute strength attacks against all kinds of services, so having a weak password is a legitimate risk against someone just guessing your password for a system
and if you've reused that weak password across other systems now you've been breached across multiple systems so if your Gmail password when your personal Gmail is weak and you use the same password on LinkedIn and on Facebook and on Twitter and on Amazon and someone breaches your Gmail account does a quick search of your email for LinkedIn and all these other services you're part of them now they log in to all of these other things so that's a real risk one thing that any service that makes it available and this has gotten so much easier to use that I think it's really something that I recommend is the best practice for most people at this point is this idea of multi-factor authentication and the simplest way it's usually done is with two factors and I'll explain how this works so there are three factors that can essentially be used to authenticate you to a system number one is something you know that's all we've typically used a username, a password those are two different things that you know and you use to authenticate to a system and that's all we've ever been used to something you have physical key is an example of that the thing that's most often used is now your smartphone which has a password a little key generator on it the Google Authenticator is a very popular one that you can add lots of other two factor authentication systems and most of us probably saw this first probably 10 maybe 15 years ago when some of the payroll providers would give you this little key fob that had like a eight digit code that would change every 30 seconds on it and your payroll administrator in order to log in and generate payroll would have to put that in in order to connect to ADP that was probably the first time anyway we saw this example of two factor authentication in normal life but that's another example and then there's something you are of course most of us now have on our iPhones or our androids which is like a thumb print to authenticate so that's just something you 
are so some sort of biometric authentication retina scan would be that voice authentication is an example of that and those three things can be used the easiest thing to add at this juncture is the something you have which is this authenticator on your phone the way that works is if I'm gonna log into Gmail then I put in my username and password and then it hits me for a six digit code that I have to go to my phone to get and that code is changing every 30 seconds in the authenticator app and to answer the first question usually comes up is no you don't have to do this like every time you go to Gmail if you have your work computer your personal computer that you use you can usually set it to say don't ask me again for seven days or 30 days on this particular device and then that will you know so you're not getting dinged for that all the time but if you go to log on to a different computer or a different device it will absolutely hit you for that. Peters or anything you wanted to add to that multi-factor did I cover that okay? Yeah I mean I would just I mean I don't know I think we have a fairly specific audience here but what I always explain to people is what it doesn't 100% protect you from being hacked but it protects you from the most common kind of hack where that hacker in Romania is trying to guess your password or more likely running a program that's trying every possible password to get into your account but then once they get the password they can't get in because the code to further do it has been sent to you or followed up to them. So the layer that it has is very big for protection for your personal data. 
Additionally, although we have a very tech-savvy audience, we are recording this; it will be posted online and is likely to be used to refer individuals to after they've had a data breach or something like that. So anything that you think needs a little more explanation is definitely useful for that later audience, even though we've got a very tech-savvy audience today. Very cool. Yeah, I saw Guyton in the crowd, you know. Hello, I've worked with him before. Hello William, good to see you there. All right, fantastic. Okay, I think maybe we're... did we do a webinar together? I don't remember, I think we did. Maybe it was one of the previous ones we did for this audience, actually. All right, password managers. So we have just three examples here, and we're not necessarily recommending any one of these three; I just want to be clear about that. I do personally use LastPass, and Peter is going to talk about the use of LastPass Enterprise for legal services in just one moment. But these are programs that generate passwords for you and manage them. They usually have browser plugins or things that run on your computer or mobile device that will recognize that this is a website or a service that we have a credential for and will just automatically log you into that. And the beauty of them, and I'll let Peter talk about this more, is the idea that they can not only generate and manage secure passwords for you, but they can also provide some auditing capability. So Peter, go ahead. Yeah, well, you know, my standard answer to the question of what keeps you up at night has always been that I've got users on my network who use the same password for their network login as they do for their Wells Fargo bank account and Twitter, you know. So the basic thing that a password manager does is allow you to memorize one password and then not have to memorize the rest, in a world where now we have anywhere from 25 to 150 places where we regularly enter passwords.
The idea that you memorize all of them has really gone out the window. But the great thing that LastPass does is it has a security check, and it will give you a warning if you have an account on a site, say Target or something like that, that's been breached. So the standard operating procedure was always that you change your password regularly so that if the hackers get your password, at least you've changed it, maybe before they've gotten into your account, maybe not. Now you can actually do that in real time: the hack happens, they know about it, they let you know, you change your password immediately, which is a much safer way to go. We rolled out the enterprise version, that was years ago, and we didn't force everybody to use it, so we've got about two-thirds adoption, and we were getting more comments all the time, because you can see how much easier their lives get when they have it. It is a hard sell at first, because password management isn't an easy concept when you first install it. It means changing your habits of how you do things, and I think that makes it a bit of a hard sell. But again, the security that it adds is huge. And change management is probably a different webinar entirely, but that is definitely something similar to what I've found. One of the things I really like about LastPass is it actually does give you a score, a security score for your password vault, and that can be used to, I get a little bit annoyed at hearing this term all the time, but to gamify things a little bit within your organization. So you can say we'll give out a $25 gift certificate for Amazon for the top five people who have the best security scores, and you can also notify people that have really low scores and say this is something we'd like to address. And so that's a little thing. All right, so onward. So what can you do on the password stuff?
Well, obviously, implement a password manager such as OneLogin or LastPass, and LastPass is all of $12 a year per person. This is not an expensive thing. The change management and support of it is far more expensive than the monetary cost, so the monetary cost should not in any part be a consideration there. Ask people to use, or even enforce, multi-factor authentication, especially for your most sensitive systems, and often that can be your email. And you can establish password creation policies and certainly provide training around passwords and support, I would say ongoing support, helping people use password managers and understand where they might have some weaknesses. Number three, consumer-grade cloud storage. Is there a difference between just personal Dropbox and Dropbox for Business? And the short answer is yeah, and that's true across most cloud services in terms of what kinds of controls you have around what we'll call access controls. And access controls are basically who has what level of access to what information, right? So if I have this slide deck, a PowerPoint presentation, and we stick it in Dropbox, some people can have zero access to this, meaning it's not shared at all. We can say that anybody who has a link to it can get it and view it, but they can't make any edits to it, they can't download it, and they can't do other things. We can say that anyone with a link can download it, in which case we're giving up most of the control over copies of the document, although our original will still be safe. And/or we can just give full control to a group of people and they can go and make whatever edits they want, in which case now we have a whole bunch of people.
Now the beauty of cloud systems from a security perspective is that you do have, for the most part, really good audit trails of who made what changes and when, in ways that you typically do not on a traditional file server, or if you do, they're much harder to run forensics on to take a look at. And so that's one big advantage that you get straight out of moving to a cloud system. But as is indicated here, it is difficult to control access to data when it's in cloud systems. And I would submit to you that it is also hard to control access to data when it's on your file server and you have an entire staff that's connected to that file server who also have email accounts, because if that's the case, staff can email any document to which they have access to anyone outside your organization, and at that point you've lost complete control over that copy of the document that's been sent out. And that's been true ever since we've had email and file servers, so that really hasn't changed. And with cloud systems, I would say the advantage is that you actually can know that that's happened. So again, if you have a file server and a sensitive document and a staff person who has their own personal Gmail, and you allow that to be used, then they can log into their Gmail, grab that file, email it to somebody, and you have absolutely no way of knowing that that ever happened. You just have no record of that. On the other hand, if that doc... go ahead. So I'd double down on that a little bit, because one of the things that these cloud systems, Google Drive and Microsoft 365 certainly do, Box does, many do, is disaster recovery. It's built-in disaster recovery. When you save a file it's saved to two different servers, or more than two different servers, in multiple server farms in different locations, and more and more they also give you the option to choose where your files are saved, which becomes a huge benefit.
What I'd argue is that the risk that your files aren't controlled, between a cloud service and your own network, the difference is negligible. Yes, it's a little easier for them to do it from home in their Box or Dropbox than from the network, but the benefits of the cloud, the security of the established systems, are huge. We've moved to Box at LSC and that's been a big success. And LSNTAP also did a short video, which I'm putting in the chat, on how to add Boxcryptor to Dropbox, made last year by one of our interns. If there is particular super-sensitive data that you want encrypted while it's sitting in Dropbox, it's actually pretty easy to do at this point. Excellent. We were happy to know that Box is FedRAMP certified, so it passes the government's requirements for security. Yep, and OneDrive and Google Drive and box.org all also support encryption layers that you can throw on top of those, whether it's Virtru or Boxcryptor or other services, which is an additional layer of security you can use even for sharing sensitive information with other people. That allows you to do things like, obviously, encrypt it so that only the intended recipient can view that information, but it can also time... I'm trying to think of the term, but basically make it so that the sharing permissions expire after a certain amount of time. So I can send Peter a document and say Peter's access to this document expires in one hour, so he's got an hour to go open and look at it and do what he needs to do, and after that he no longer has permission, so I don't have to worry about unrolling permissions or all these permissions that may be out there. Sorry if we've gotten a little bit in the weeds here for everybody.
So if you're using just the free basic tools, or even the personal tools, you're quite a bit more limited than what you get with the enterprise levels of this. And again, as nonprofit organizations, unless you're massive in terms of hundreds and hundreds of staff people, this stuff is either free or so inexpensive as to be, for all intents and purposes, free. So Google Drive, you're talking about getting 30 gigs of storage per user; if you want to buy 100 gigs it's a walloping $24 a year, I think, to get 100 gigs of storage. With OneDrive you get one terabyte of storage free. With box.org you get a terabyte of storage per user for free for up to 10 users on their box.org platform. And so there's not really any compelling reason why nonprofits should not be in what's the equivalent of an enterprise-level service, because they're getting it for free. So you absolutely should be enrolling in those and trying to really limit the use of personal tools, personal Dropbox, these things, if at all possible. So what can you do on this level?
Use business-grade cloud storage that lets you set controls. Add-on services such as BetterCloud or Boxcryptor or other things can give you deeper audit and policy controls, and Google, most of the services, are adding these as well. Some examples of those audit controls: we use BetterCloud at Roundtable, so we can say if someone tries to email out something with a social security number in it, we can basically stop that from happening, and the person gets a little note: this email has something that looks like a social security number in it, so you have to get that out of there before it gets emailed out. Or if they're going to share a document that has a social security number in it, the same audit policy runs and basically prevents that. Same thing for credit card numbers or other things. If we want to see what are all the files that are shared with people outside of Roundtable, we can run a report on that. And if we say that we want things that contain these sets of words, or that are in these specific sets of folders, we don't want these shared outside, we can either create an audit report that will notify people that they're in violation of our policy, or we can actually create a policy that runs every, let's say, 15 minutes and just rolls back any sharing permissions that have been given that are in violation of our policy. So those are all things you can add on, and again, these are not massively expensive things. BetterCloud, I want to say, is something like $30 per year per person with a new organization, so it's not nothing, but we're still not talking about major amounts of money here. Peter, anything to add on that, or are we good there? Not really, we killed it. Number four. Overdid it, you know. I understand, overkill.
Poor backup infrastructure. So what if your office experiences a disaster? One of the handouts, again, that we'll have at the end: we wrote up a little primer a couple of years ago that people have given us a lot of good feedback on, so I've got that shared as well. It's a little three-pager, and it talks about the difference between backups, having your data backed up, versus disaster recovery, what that means, versus business continuity, because I think these terms are often used interchangeably in ways that are not helpful for non-technical people. And I don't know, Peter, if you've had this, but nine out of every 10 executive directors that I've ever talked to assume that a backup is the same as high availability. So if they've been told that their email server is, quote unquote, backed up, and then the email server, not that there are that many of those out there anymore, but then the email server fails because of a hardware failure and the email is unavailable, the executive director is confused, because they say, I thought it was backed up, and they don't understand that, oh, now we have to restore the backup and get the server running again. The difference between a backup and high availability or business continuity was not in any way made clear. And so that document seeks to elaborate some of that and how it impacts within cloud services. So, oh, Brian, I'm happy to do a webinar on how to translate technical English for your executive directors. It's not that confusing, but yeah, I've been there, I've certainly been there with, you know, an ED as an executive too. Data needs to be in a safe place, so you obviously need to have it backed up, and that backup needs to exist somewhere physically other than in your office, especially if that data only exists physically in your office.
If your data is in the cloud, then there's a variety of backup services you can use, and you may not need them, depending on whether the retention policies of your cloud provider are sufficient for you. I do really encourage people to understand what the retention policies of, let's say, Salesforce or box.org are natively, because if they are not sufficient for you, you will want to pay for some additional retention or pay for a third-party service to get more backups. And so a lot of times the default retention might be 30 days, which means if you delete something today and don't notice for 31 days that it was deleted, you actually won't be able to recover it from your system. That's kind of a default for a lot of these things, and that might be fine for you, but if it's not, if you need to keep things for seven years, then you need to go figure out how that's going to work within your cloud system. And you also again want to think beyond backups, so think of continuity challenges. Think of, okay, Office 365 has a 99.9% uptime; that means there's going to be on average eight hours of unplanned downtime per year. It's probably not going to be one continuous stretch of eight hours, but what are you going to do if Office 365 is down for two hours in the middle of the business day? Do you have any workarounds for those kinds of things? What are you going to do if Raiser's Edge is down, if this other system is down? So what kinds of continuity challenges can you tolerate, and what can't you tolerate? And if you can't tolerate two hours of unplanned downtime on a service, because that would be a catastrophic risk to your organization, as we talked about in the earliest part of this, then we need to think about what safeguards we can put in place, and that might mean you can't use something like Office 365 if you really can't tolerate that. So the things you can do: you can regularly schedule backups, you obviously want these to be automated and have notifications and all that good stuff on them. I would also recommend, because again you have data in so many different places, that you create a backup selections spreadsheet. This can just be a copy of the information identification and classification template that we shared before; you can just take that same information that you've listed and convert that to a backup selections sheet, which says here's how each of these things is being backed up, here's how much retention we have on each of these, and here's our sign-off saying that we understand this and think it's okay. And you can actually have an incident response plan and continuity plans and all that other stuff, and test them. Another template we gave people is just the thing we use within Roundtable: we actually have an incident report form. I think it's six or seven questions that take you through an incident report. That's just a basic best practice: if something bad happens, it's what happened, what did we do about it, how did we know that it was happening, and what have we done to mitigate against this sort of thing happening in the future. So these are all just some basic things you can do, and Peter, unless you have anything there, I'm going to just keep cruising on. I'm going to try and hustle us back on time here.

All right, so poor software management: is the software your team is using safe? And so people can often just install their own software. They decided, I just want to add this thing, and this gets even tougher with cloud services, because there are all these third-party things that can get added on and be given permissions on your domain. I'm sure people read about the Pokemon Go fiasco that was in the early going of that, where one of the options was to use a Google account, and so if you gave it access to a Google account you were basically giving it an incredibly far-reaching set of permissions to the domain on which you were allowing that, which was kind of scary. So they rolled that back pretty quickly, but that was certainly very scary for a lot of IT administrators, that people were using their corporate account to register their Pokemon Go account, again God forbid that that was happening, but scary stuff. So there are a lot of those kinds of things out there, so you do want to have clear policies. Again, there are a lot of tools that you can use to audit, and you want to automate as much as possible. And again, it gets back to service levels: you want to make sure that people have the tools that they need, that they feel encouraged, not discouraged, from reaching out to the IT department to get help with meeting some need that isn't currently being met for them. And you certainly want machines to have automated updates running. You do want to be careful it's not rebooting in the middle of the day. We did have a support ticket that came into us where a Windows machine just decided to run its update at two in the afternoon in the middle of a webinar, which is not super convenient. So you do want to be careful about those kinds of things, but all that can be handled through good management. Hackers are always looking for security holes and out-of-date software and all that kind of stuff, so you always want to make sure that you're patching. That's really low-hanging fruit to improve your security posture and prevent against some of these kinds of attacks. And again, you want to make sure that people aren't installing ridiculous software on the network. You can go one of two ways about this as a rule. You can either just not let people install software on their own computers, which is certainly a reasonable approach, but again adds to the service-level burden, and then staff are going to have to reach out to the IT team in order to install even just a basic little tool they want to use. Increasingly it's less of an issue, because these tools are web-based, so all they need to do is just use them in a web browser, which is a lot easier from an IT perspective. And a lot of these things obviously can carry malware and other things. Oh, I was going to say the second approach that you can do is let people install whatever the heck they want and just be running tools that tell you what software is installed and can flag other software. It's a little bit more labor-intensive for you on the second route, but it lets staff have the freedom to do what they want to do.

So things you can do: establish patch management procedures, manage software installations for your staff, perform regular tune-ups of your systems, make sure you're just on top of all of that. And I would say that at this point, if you're managing a network of more than five or six computers, you certainly want to have some, what we call an RMM tool, some automated tool, whether it's LogMeIn or Spiceworks or there are dozens of others out there, that is running on every machine and giving you live inventory information: what software is running on them, what's the state of their computers. That's an invaluable tool to you, if for no other reason than it gives you a live inventory of what your computers are when you start to talk about replacement. Yeah, Spiceworks is free, and then of course the Microsoft suite has pricing on TechSoup. What was the last thing mentioned there, the Microsoft suite? The SCCM, System Center Configuration, something-or-other Manager. Oh, gotcha, okay, yep, yep, okay. Available for free on TechSoup. Well, no, not for free, but affordable. Excellent. Number six, overlooking physical security. So this is again another risky practice that an organization might be taking, which is that it's just too easy to walk in and steal things. And again, it could be that your staff are walking around with mobile devices and not treating them carefully, and maybe it might be easy to come in and steal data.
It's a fairly common mantra within the IT world that if there isn't physical protection then there really isn't any protection, meaning I can have all the wonderful software and everything running on a server to protect it, but if someone has physical access to it, then if they know what they're doing they can pretty much route around every possible protection I could put in place there. So if you don't have physical protection, again, someone can physically steal it and walk out of the office. So you can think of it in some ways like a safe, right? If you have a safe that maybe takes someone two hours with tools and explosives and other things to get into, then that sounds very safe, unless they can easily pick up that safe and carry it out of your office to some sort of warehouse in New Jersey and then work on it for as long as they want to; then obviously that security is not going to help you that much. So your servers and your computers and things are very similar in that regard. If someone can just pick it up and walk away with it and have all the time in the world to work on it with physical access, then all the security you put in place to protect it is much more likely to be compromised. So you can take basic office security measures. You can lock computers to desks, especially laptops, generally not desktop computers. You can get the little wire locks, and again, obviously someone can walk in with wire cutters and clip one of those little cables, but at least you're making casual theft quite a bit harder. And you can institute checkout policies for shared devices, keep them locked away when they're not in use. Just take basic common-sense approaches, especially if you have an office where you have a lot of visitors, where you have a lot of people coming in and out and it's not really security-restricted in terms of physically getting into it.
If you have an office where you have to sign in at a front desk in the lobby, then you have to type in a special code in the elevator to even get to your floor, then you have to punch in a six-digit code or use a badge with an RFID tag to even get in the door, and you don't have a lot of visitors, then the physical security within your office at that point is perhaps less concerning than if you're a storefront that trains people all day long, and so you have people that are not familiar to you and your organization going in and out of your office all day long. Those are very different kinds of profiles. Number seven, unsafe wireless. So is your Wi-Fi connection secure, and also, are there what are called rogue access points, or rogue wireless access points, on your network? So office Wi-Fi needs to be protected, and you can't just plug in some sort of $50 or $100 home wireless access point and take all the default settings and assume that everything is okay. In fact, that's a really great way to ensure that everything's not okay. For anyone, and again, I think we have a fairly technical audience, so I'm guessing the folks here know that WPA2 security is the minimum that you want to have on a device. If people are interested in adding an additional layer of security, there's what's called Hotspot 2.0, which, instead of using a username, I'm sorry, a network name and a key in order to get access, actually sends a private key to every single device that wants to connect. That's a pretty interesting technology that you can mess around with.
You certainly want to have, if you have a lot of visitors, guest networks and private networks. If you're providing access to any local resources on your network, to your printers, to your servers, things like that, you certainly want to have a private network, and obviously you want to change default settings for those devices, so that someone who comes in can't just go to the IP address of the device, log in with admin as a username and admin as a password, and change all of your Wi-Fi settings to whatever they want. Another thing, just to back up a little bit: another reason why physical access is a challenge is that if you have an office and there are LAN jacks all over your office where people can plug in, and someone just walks in and under a desk plugs in a little wireless router or hotspot to your network, and you don't have any way of detecting or identifying that this thing is plugged into your network, now all of a sudden someone's just plugged in something and given themselves total access to your local area network from outside, physically outside your office. They just have to be physically close enough to access that wireless access point. So that's another reason why physical security can be a concern. Coffee shops and public access points can be extraordinarily risky. Peter made the point in the notes that if people have enough on their data plans to use the personal hotspots that are built into their phones, those are a much more secure option than using the public Wi-Fi networks that you will run into at your average Starbucks or airport or other place. And paying for those data plans for staff is certainly something worth considering in terms of a cost-benefit analysis around improving your security, if you're getting resistance from staff to pay for their own data plans. You can also, from TechSoup, get very low-cost hotspots.
I believe it's through Mobile Beacon, and those cost a walloping $10 a month, and then that's a hotspot that you can give someone to just carry around. And that's a secure 4G connection. It uses Sprint's network, I believe, and then they can have up to eight devices connected to that mobile hotspot. So that's another option you can give your staff. Peter, did I cover most of your notes there? Is there anything you want to add to that? Yeah, no, you got my point. Okay, sorry. We're actually paying for the hotspots for our staff for their travel. Oh, those Mobile Beacon hotspots? Not the Mobile Beacon, no, just hotspot service on those hotspots. Just hotspots. Okay. So what can you do? You can make sure your network is protected by a firewall and a password. That's a little strange, but protected by a firewall, and that firewall should be running universal threat management or comprehensive gateway security services. These go by different names, but they're basically subscription services that go along with the support contract for the firewall. You also want to keep that current throughout the lifetime of the firewall to make sure you're getting all the firmware updates and you're not open to known exploits. And the security services do things like stateful inspection and intrusion detection. They'll scan for malware as it comes across and protect that from coming in. So those are typically a couple hundred dollars a year to keep those services running on a typical firewall. SonicWall is one brand, FortiGate's another, Check Point's another; all of those are absolutely fine. And you want to avoid and discourage your staff from working in insecure environments, and that would primarily mean unencrypted wireless networks, and to a lesser degree, encrypted public wireless networks.
Where, you know, if it's a coffee shop where they do have a password, but that password is just printed on the wall and anyone who walks in can see it, that's better than an unencrypted network, but still not optimal from a security perspective. And that leads us nicely into eight. So I said risk analysis was the number one thing that I would recommend. If you were gonna do a second thing coming out of this webinar that you aren't already doing, I would suggest that security awareness training for your staff would be the second thing. I think that would give you the best bang for the buck in terms of your effort. Making your staff aware of things they can do to improve your organizational security and their own security practices is relatively easy to do. You just have to get some time with your staff and either train them yourselves, and there's another resource that I've given to Brian that can be shared with you. We did a webinar called "The Best Free One Hour Security Awareness Training Ever." It was very modestly titled, and we had a few hundred people that came to it, and we are happy to give you the recording for that. We're happy to give you the slide deck for that. You can take the slide deck, do what you will with it, present it to your own audience. You're welcome to all those resources. We just want people to be more secure, so we're happy to share everything we've got. And you can get security awareness training from a lot of different places.
But one of the things that I think is great about security awareness training, and the security awareness training that we did focuses a lot on social engineering, kind of how that's done and just kind of best personal practices, how to kind of identify what an attack on information looks like and the kind of characteristics of what the, and I'm not gonna get too much into it now, but one of the things I really love about it is it not only benefits your organization, but it's really a benefit for your staff personally, because all of the things that you're going to teach someone in a security awareness training about how to identify social engineering, how to protect personal information, are all incredibly helpful to them in their personal lives. And it will decrease the likelihood that they will be defrauded by someone calling them and pretending to be an IRS auditor. It will protect them against all kinds of different identity theft threats, against phishing attacks, against sending money to some friend who's trapped in Holland and needs them to wire them $2,000. Like, these kinds of trainings, which can take all of a half an hour to do, can help your staff not only not breach your information, but not breach their own information and not basically have their own money stolen from them. So, and I hear someone chuckling on the line. Peter, do you have anything to add to that, or Brian, or whoever it is? Just so, when we do the security trainings at LSC, we make it clear that these security trainings are about work and personal security, which now overlap more and more with things like dual-factor and password managers and things like that. But it makes it much more appealing to the staff to know that they're going to get the personal tips along with the work plans. A security training for work seems like a really boring, horrible hour to spend. But a security training that's also going to help them with their iPhone is great. Yeah, and it's not BS.
I mean, that is 100% true, and I can't tell you how many people I've had that have come to me after, you know, I've been doing this for several years, and basically said, you know, because of this training that I, you know, was forced to attend, you know, because my company did it and you were the one who delivered it, I actually didn't wind up losing $2,000 to this person who tried to scam me in my personal life. So, I mean, I've gotten that a lot. So, LSNTAP is happy to take any of those videos and put them up on our YouTube channel, give you link backs, other places, that type of stuff, because they would be very, very useful to the community and we would definitely get a lot of use out of it. We should talk offline, but we can create a short blog post of those best practices also. Yeah, absolutely, and it was a one-hour training. We tried to keep it pretty concise. We actually, the thing that was fun in it, I mean, it'll be out of, you know, sort of, it'll be dated, probably within a year or two. We'll have to do an update, but we also did phishing quizzes throughout it. So, at the beginning of it, we put up a fraudulent website or a website and we asked people to guess whether it was a legitimate or a phishing site, and we did that six more times over the course of the webinar as we taught people how to identify the things that would tell them that it's a fraudulent website, and they went from, in the webinar, they went from like only 30% getting it right the first time to 96% getting it by the last one. So, that was really satisfying. So, what can you do?
You can regularly provide short training sessions, incorporate security issues, discussing, and I think Peter's point is maybe the best one here, which is really express to staff that this is something that is a personal benefit to them in a really true, legitimate way, and that you're not just trying to tell them that to get them to come to the security training, but we really think this can help you, and that has organizational benefit. You know, a staff person who's dealing with like an identity theft in their own life, right? That's going to impact their productivity or organization in some way. You know, that's a huge distraction for someone in their life. So, a lot of value. All right, and we're kind of in the wrap-up stretch now, which is good because we're close to the end. So, Peter, sorry that I kind of took a lot of time there for 20 minutes. We are now caught up, so you can now jump back in at full strength as we start to talk about establishing policies. So, A, having a committee of different stakeholders within your organization can help you see risk, and I think that risk analysis project that I kind of said is the starting point. That's where you would really want to talk to different people, because what your marketing director thinks, what your executive director thinks, what your CFO thinks, they're all going to have different perspectives about the risk to the organization and different things on which to focus. So that can be very helpful as a starting point. I don't think they all need to be included as you go through the technical parts of the security, but certainly around what policies are going to impact staff and the way they work. And you want to ask difficult questions. Don't avoid unpleasant things.
Look at all of this risk and these things straight in the eye and don't shy away from things that might be difficult from a change management perspective, and don't feel like it all has to be, I think Peter's point about LastPass, I really like the approach there that they have it. Two thirds of the staff are using it. They haven't forced everybody to use it, but they are learning what strengths and weaknesses it has for the organization, how they can better implement it, and moving toward, in a very consistent and steady way, a better security posture for the organization. So don't feel like you have to do all this overnight or do it whole hog right away, but every step you take in a more secure direction is certainly a good one. Think of all the ways a breach might occur, write rules that govern activities as to how you're going to create and handle passwords, hopefully password management, and how files can be stored and shared, how you're going to manage these things. And also I think it's really important to understand that policies are all fine and good, but if they're not understood by staff and practiced by staff and enforceable by management, then they don't have a heck of a lot of value, and I see way too frequently organizations take a lot of time thinking through policies. They'll be sitting in meetings for hours and hours and hours talking about what do you think about this policy, what do you think about that? Let's wordsmith this policy to death, and then the last step that they take is, after they finalize the policy, they email it out to all the staff, maybe they get a signature to put in the HR packet, and then that's it. And in my view, and maybe this is a bit harsh, Brian and Peter, give me whatever feedback you want, to me all that energy went into the wrong activity.
Like, you should have taken five minutes to write up the policy, and all that energy that you spent wordsmithing it and going over it should have been on making sure staff understand the policy, getting feedback from staff on whether they can be compliant with that policy, and thinking about how you're going to enforce that policy and support the practice of that policy in the organization. Well, I actually agree with you on all of that, but the kind of advice I give on policies is make sure that you're writing it in plain, understood language, and what the users, you know, the people who are gonna subscribe to the policy have to understand is, they have to really understand why the policy is in place, and it has to make sense to them, it has to make real common sense to them that we would have this policy, that we're protecting against something, they know what it's protecting against, and they're bought in that way. Where I see the real danger is that people, you know, the lawyers write the policy. Now maybe for a lot of people on this call that's not a problem, because almost everybody who works there is a lawyer, but if the language isn't clear and people aren't clear on why the policy exists, then they're suspicious of it. Yeah, that's why it's just hugely important. Like, here's the problem, you know, I do project management work a lot and I'm always beating people over the head with, like, what problem are you trying to solve, what problem are we trying to solve? Like, we don't come to something with a solution without understanding what the problem is, so I think that's a straight point on policy, Peter. Like, don't just tell people we're implementing this policy. Like, here's the problem that we have that we are implementing this policy to attempt to address; that's the why that can be really clear to people.
Our profession also has a strong grounding in having continual legal education, but I think there's a need for continual security technology education as part of that professional responsibility of understanding how these things work for clients, that type of stuff. So we're trying at Northwest Justice Project to integrate security, on a yearly basis, into our regular kind of tech training as part of those social media outreach, those types of different things, as part of the basic literacy for being a lawyer and for helping clients. Excellent. All right, so how are you responding if a breach occurs? Again, one of the templates we're sharing with people is actually a really basic incident report that can work as an incident response. For anyone who's gone through any kind of security certification or looked at any of the NIST documents or SANS documents or any of these things: one of the big things that people get dinged on when I look at their security stuff in terms of an audit is they don't have any kind of response plan written, meaning there's nothing that says, here's how we're going to know that something happened, here's what we're going to do if something happens, and here's how we're going to communicate about what happened. And that seems kind of basic, but it's amazing how few organizations have anything even approximating that. So the incident report that we included, it's not gonna get you through a HIPAA audit if that's what you're hoping, but it is just a basic incident report that you can use that at least gives you some kind of basic steps.
And that's really important, because we were talking about this again before we got on the broadcast, but a lot of times people are sort of doing this on the fly after a breach, and that's not a great time to be sort of figuring out a communications plan, while you're in the middle of some breach and emergency within your organization. It'd be really nice to have kind of thought through how we're gonna do that beforehand and then just have a checklist to start working through, so you'll thank yourself if you ever wind up in the emergency situation. Bring your own device: have use guidelines. Again, this is part of your policy, and also make sure your IT support team is on board with how they're going to support people's mobile devices, what they are and aren't going to do about those mobile devices; that becomes part of that. It's iterative, so you're gonna need to be reviewing it: does this still make sense? How many times have you heard about some ridiculous law that's on a state's books because something happened in 1916, and now it turns out that it's still illegal to yell at a squirrel on Main Street, and it's like you could get arrested for that? Like, what? It makes no sense at all to have the policy, and it's kind of funny in some cases, and it can be irrelevant, and everybody ignores it, but the real danger that I see is if you have a bunch of policy that is irrelevant that people look at when they're going through your organizational policies, then all the policies become irrelevant. If you have a bunch of no longer relevant policies that are part of your HR handbook or whatever you're communicating, then you're asking staff to make judgments about what is relevant and what is not, and you'd like to be able to say this is all relevant, these are all our policies, they're all important. If they're not, it's not going to be very helpful.
So we got some templates, some policy examples at this link up here that'll be included in, I think, the handouts that will be given or are on the course page, and Brian, I assume that you'll be taking care of that, but we can also paste that in the chat, I suppose, if people need it. And the other thing is we don't have links here on this page, but Brian is going to share them, so these are some additional things, the Roundtable resources that I mentioned before. That doesn't include the security awareness webinar I talked about; Brian, I do believe you have that link, but again you can come back to me and I'll get you whatever you need afterwards. And there's other resources, there's the "What Nonprofits Need to Know About Security: A Practical Guide to Managing Risk," and there's all sorts of other things that you can find on this topic as well. And a last point is just remember that it isn't possible, this is sometimes something I start with, you know, when I do these risk analysis things, but you can't protect yourself 100% against every kind of thing, and hopefully that's really clear and really obvious to everybody. If it's not obvious, I mean, just read the news for one day, and you know, do you have to go further than, say, the NSA basically can't keep their own information under control, so what chance does anybody else have? But you can go Target, you can go Chase Bank, you can go Sony, you can go NSA, you can go Home Depot, you can go on and on and on; the breaches just keep on coming. And they're going to, because this is not easy, but there are some pretty basic things you can do to reduce your risk a lot, and reducing risk is certainly something that is desirable. So practical security, preview passwords, make sure you're patching, make sure you have a firewall; those are some really basic things. I would say security awareness training and risk analysis would be the two things, obviously, that I would do.
And the last thing before we kind of jump into questions is we wanted to know sort of what resonated. So if people wanted to just throw into the question field, you can obviously throw your questions in now, but we would also love to hear, having been through this webinar, what's one thing, if anything, that you will do in the next month that you might not have done before you attended this webinar today? I would love to hear that. And you can just write in, like, password management, you can write in risk analysis, you can write in security awareness training, you can write in updating our firewall firmware, and whatever you want to put in. So go ahead and throw those in, and with that we have six minutes for questions, and we will take them now for anyone who has them. And big thanks to Peter Campbell for all his contributions throughout today and also for reviewing the slide deck and giving us feedback on that. Thanks to Brian for being not only a host but also a contributor, and thanks so much to the audience. We got some good comments here, definitely on the security awareness training, including a link there that James put in that I'm gonna be sharing out to everybody, for KnowBe4, the security awareness company, and then also LastPass as a full organizational implementation.
Yeah, and in addition to KnowBe4 there's a bunch of security awareness programs that are out there. Wombat Security is another one that I have recommended to a few organizations that needed to do full-on security awareness training programs, and in addition to KnowBe4 and Wombat Security there's another one called Securing the Human, which is from the SANS organization. What those security awareness programs will do, in addition to trainings, is they can actually send targeted phishing attacks to your staff, so your staff will get emails that are phishing attacks, and essentially if they fall for them they get routed back into the appropriate training to help them not be as susceptible to that particular kind of phishing or spear phishing attack. So it can be very targeted training that sends people to specific short webinars or short video trainings on avoiding that particular thing, and then will continuously test your staff in a way to let them know. And in case anyone's wondering, when you do these kinds of tests where you are phishing your own staff, it really should never, ever be punitive, so it's really just helping people identify, hey, you had a weakness and fell for this attack, so we'd like you to retake this training again. You're not calling them out, not shaming anybody, you're not punishing them for having done that, but those things will provide that extra level of kind of testing of your staff. Thank you so much, Joshua, and to Peter Campbell, I greatly appreciate you both being here and sharing your expertise. This is one of those topics where there's a lot of work to be done in this area, and I look forward to finding ways to share these best practices more broadly. Thank you so much, everybody. Thanks, everyone.