I just want to say a huge thank you to Community Legal Services of Mid Florida and especially Jeff Harvey, the executive director there who's passionate about this topic and pulled everything together for this webinar today. I'm turning it over to Jeff. Thank you so much for all your work on this. Sure. Thank you. I'm honored to have the privilege today of presenting this webinar on behalf of Community Legal Services of Mid Florida. We have approximately 60 lawyers and we're really the only resource for about 2 million low income central Floridians for civil legal assistance. And being in Florida, we are no stranger to natural disasters and other types of crisis for that matter. And over the last five years we've been working very diligently to improve our ability to be crisis ready so that next time we face one, because it's a matter of when, not if, we are able to quickly shift our focus from worrying about the organization and its ability to operate and focus then on the clients that really need the assistance, that just don't have the resources. So today you're going to hear from four individuals who've helped us through this series of evolution, and the format today is really to help provide you some context, maybe a little bit of outline in terms of things to think about, and then to provide you with access to the resources as well. So I believe that both the slides and the contact information are going to be made available if they have not already. So without further ado I'd like to introduce everybody on the webinar today. First we have Mr. Dan McCarroll and Mr. Aaron Leonard from Saab Excellence. Dan has over 30 years working in and on and around information systems. He now focuses on offensive and defensive cyberspace planning in both private and public sectors.
Dan is a CISSP associate and PMP certified, and he has co-founded Saab Excellence with Aaron, who I'll introduce in just a second, to deliver support, assessments and planning capacity to the private sector for organizations under 500 people. And one thing about Dan, and at least one other person on the webinar today: very interested in flying. If you ask him about flying he will drop everything and go do that. So Dan, welcome. Next, Aaron. Aaron Leonard has 16 years of experience in financial statement audit, internal audit, and information technology and cybersecurity spanning big four public accounting. He also has civilian service to the U.S. federal government and military service to the U.S. Marine Corps Reserve as an information systems technology officer. He brings a multidisciplinary approach to the assessment of cybersecurity risk management, internal controls evaluation and financial investigations. He typically favors business process design analysis and employee training rather than reliance on new tech gadgets or solutions that can add unnecessary layers of complexity. So he takes a really interesting approach to that, that really allows organizations like ours to leverage the resources we do have instead of spending money on resources we don't. And so welcome to you, Aaron. Our third panelist today is Gaurav Mukherjee from Emergent Security. Gaurav is an information security and risk executive as well as a practicing cybersecurity and privacy attorney. Gaurav has over 20 years of experience in the information security industry and has worked with multiple Fortune 500 companies supporting privacy, security and compliance in over 170 countries. Gaurav, welcome to you as well. Thank you for joining us. And then finally I'd like to introduce the person responsible for this webinar, Veronica Vasquez. Veronica is CLSMF's Director of Information and Risk Management.
She is the lead person in our organization that's responsible for compiling continuity of operations plans, disaster plans, and is currently working on developing a cybersecurity program for us that takes into account all of the good tips, tricks and assessments that we received from the other three gentlemen on the panel today. So I'm going to turn it over to Veronica, and thank you again for putting this together. No problem. Thank you. Well, welcome everyone. Thank you for joining us for today's webinar. Today we are presenting on cybersecurity, building an organization that is prepared for crisis. Shortly you will get the opportunity to hear from three cybersecurity experts in overcoming the internal struggles of becoming crisis ready. They will share their insight and expertise on effective cyber crisis management and how to avoid a cyber incident during a crisis. But before we get started, just a little housekeeping. Right now I have everyone on mute to avoid background noises that may distract you from listening to the webinar. If you have any questions during the presentation, please type them into the question box in your GoToWebinar control panel. We will have time for questions at the end. I will turn the time over now to Dan and Aaron. Thank you, Dan. Thank you, Aaron. All right. Thanks, Veronica. It's a pleasure to be here. If we could go on to the first slide, Veronica. Sure. So this is what Dan and I are going to cover today. I'm going to begin by talking about cyber audits and assessments, give an overview of what each of those mean and the process that you can expect should you decide to undergo one in your organization. And Dan is going to talk about crisis response. And both topics that I'm covering will feed into your crisis response, because the cyber audit is going to give you that first level of understanding of how to respond to a crisis.
And then your cyber asset inventory is going to let you understand what you're trying to protect when you're responding to a crisis. Veronica, next slide, please. And then this is just what I'm going to hit in my first part of the presentation. And so as my introductory bio said, I started my professional career in accounting, and big four public accounting specifically. And so when I think of an audit, I think of certain things, where there's an audit opinion issued, there's assurances provided in that opinion, and it's done underneath a framework, US GAAP, US generally accepted audit principles. When we're talking about cybersecurity audits and assessments, we don't have a decision making body in the same way that financial statement audits have. And we don't have, while we have certifications, we don't have certified public accountants who we traditionally think of doing audits. If you look at the AICPA's website, cybersecurity falls under advisory services. And so they are fundamentally different things. And those are the points I'd like to highlight in the first part of my presentation. As we're discussing today, cybersecurity audits and assessments typically rely on industry best practices. And there is guidance out there from government bodies. But what we don't have is kind of a worldwide organization promulgating statements in the same way that the accounting profession does. And that really creates a lot of ambiguity in what you're getting when you sign up for an audit or assessment for cybersecurity purposes, because they come in all ranges. For me personally, I know there are strong opinions out there about what term is more accurate, but I prefer the term of cybersecurity assessment. And that's because when you procure these services, I haven't seen a firm out there that actually provides a cybersecurity audit opinion, and they don't provide the same types of assurances as within a financial statement audit, for example.
And so I prefer to think of it as an assessment. And what we're assessing is an organization's cybersecurity maturity. And that runs from the very basic and immature cybersecurity awareness and implementation of security standards to the more mature and hardened networks and systems that you see in some of the larger companies and cybersecurity professionals. And so the assessment, for me, is useful for identifying where, on that continuum, your organization sits. In the majority of cases, a company decides to undergo a cybersecurity audit or assessment to demonstrate an adherence to an industry best practice or their own internal level of risk acceptance. And it might be a board that requires this of your organization because they want assurance or better understanding of whether or not the risk that they think the organization is assuming on the cybersecurity side is acceptable, or whether or not IT professionals and security professionals within the organization accurately understand the risks that they've incurred in the design, implementation and operation of their networks. You can also have regulatory requirements. Certain funding streams will require a certain level of due diligence in ensuring that you've looked at your cybersecurity platforms and whether or not customer information is secure, whether or not your client information is secure. And that's particularly important with legal firms, because with that, there can be adverse actions taken against your clients if there's a data breach, and then also you've got huge reputational risks that are involved, and that's something I'll get into a little bit later when I talk about the cyber assets. In terms of, again, the cybersecurity audits and assessments come in all shapes and sizes, and so what do you want to look for when you're talking to a firm about coming in to look at your networks and conduct an assessment?
For a lot of people in the industry, the first thing that comes to mind is I want to do a penetration test. And the part I like to highlight here is a lot of times that's purely technical evaluation and, again, looking at your business processes and networks and how your people work, whether it's an office setting or distributed workforce like so many of us are working at today. The penetration test has its limitations, and it's important to remember that it's just one aspect of a complete assessment that you should be looking for. The quality firm that comes in, they're going to provide you a written risk assessment, and what that means when you get that document is you know that they've done some due diligence. They've done essentially a survey of your networks and your cybersecurity landscape, and they know or they've put in some rigor to understand where those risks are for your organization. And they're going to use that to tailor their procedures. All right, we've identified some potential increased risk in your accounting function, and so we want to spend some time looking at how your accounting department works, uses their information technology assets and ensure that we mitigate and are able to make recommendations for the organization to mitigate risks in that particular area. And so the written risk assessment is a marquee document that you want to look for and what a firm delivers to you before you sign that contract for them to do their work. And then the dovetailing into that, the other portion is a written report or assessment. You don't want something purely technical. You don't want them to perform a pen test and just provide minimal supporting documentation. That written report should really be a narrative to highlight business processes and internal control weaknesses and give the consumers of that report a much better and broad understanding of how cybersecurity is implemented and performing in their organization. 
That type of report allows you to have a roadmap and gives you the opportunity to start building and hardening your networks as you take those recommendations and implement them. And a lot of it, you'll hit on policy requirements that you thought you had, but there's actually nothing officially promulgated within your organization, or, like I said, internal control weaknesses where they've identified an opportunity for an employee to take your IT assets when they leave, or some weakness in the hiring process. And so when you evaluate what the product is that you're going to get when you have a cyber audit or assessment performed, you want to look for it in terms of business processes as well. The more time that they spend talking to your employees and those key process owners within your organization, those managers and the C-suite managers of the organization or executives of the organization, they're going to really be able to identify the weaknesses and the potential gaps in security implementation as communication and data flows throughout your organization. Again, with that risk assessment, they're going to have an informed opinion when they go out and do their audit work and their assessment work. And so they'll be able to determine with a high degree of confidence where you need to spend some time and address things going forward for your organization. I think the other part that you want to be able to evaluate and talk to a firm about is what type of evidence are they going to be collecting and basing their opinion on. When we think about it in these terms, it is very similar to what a lot of you are used to within a legal framework. We grade evidence based on sufficiency and reliability. And so it's worth having those conversations about what are they going to do to ensure that they collect enough evidence to meet that sufficiency requirement. And then in terms of reliability, let's understand whether or not the evidence they're collecting is persuasive.
It comes from an independent source, or the correct source in many cases, and the nature of the evidence. And the real value of an audit and assessment is that it's done by an independent third party, and they're able to provide that objective view of cybersecurity within your organization that you don't get when you assign it as a collateral duty to your IT office manager or another security officer, just because they're so close to the networks and the data a lot of times. And then the final aspect of evidence that I want to hit on as I'm evaluating a firm and thinking about getting an audit or assessment done is thinking about the completeness and accuracy when they ask for reports. And a lot of firms that provide these services don't understand how to ensure that, when you've made a request for the list of assets, we're able to identify each of those IT assets and whether or not something's missing, because that can be a big deal if you've got a lot of information on a single laptop. And so covering the completeness aspect of it is critically important. And so just having those conversations again at the beginning ensures that you've got a competent company collecting the evidence and writing the report, so that you can have some assurance that the opinions they're forming and the recommendations that they make to you are valid. And then the final thing I just wanted to close with in this part is, again, going through the business processes, internal controls, evaluating human behavior aspects that might highlight a need for training. All of these combined with something like a penetration test are the multidisciplinary tools that allow you to make informed decisions as you go about hardening your networks and systems to a degree of risk that your organization is comfortable accepting. And it's also just kind of the first step as you're doing your business continuity planning as well, which is what Dan's going to get into.
Once you've had an assessment done and you've got a good inventory of your IT assets, then you're ready to start that planning. Dan, go ahead and pick up from here. Aaron, thanks. So Aaron kind of gave us an idea, this kind of the inside out approach to this. What I'm going to talk about is crisis response. And I really kind of agree with Jeff Harvey on this. We were talking before we started. I can get your attention if I talk about disaster response and they're kind of synonymous. But at the strategy level, we know what our mission is as an organization. And then when we get down to the planning level, we're talking about how we're going to do something. And disaster recovery is going to be inside of your cyber continuity plan, or your business continuity plan. And it's really important that we don't sprinkle cyber on top of plans after we've built them. What we do is we integrate cyber in it throughout it. So we'll talk a little bit about how you design your planning team and what things you consider. So just some of the rules that I use is it's in Florida, a hurricane, because I was a member of the Florida National Guard, we almost are tracking those things 10 days out. So while everybody else in Florida may be oblivious to the tropical depression south of Africa, as it approaches, who knows what direction it usually ends up in on the west of Africa, but you've got notice. So the tool I like to use when we do these planning, and I would recommend this, is assume that you have no notice, that it caught you off guard. You didn't have any trigger set. And we'll talk a little bit about triggers. And what that does to you is that forces you to design a response, a disaster, and so this disaster is because your continuity plan failed to capture all the possible things that could go wrong, a flood. The flood took out all of our archived files that we've got a compliance requirement to retain. 
We've got something stored remotely in an Iron Mountain environment or on a cloud, but it costs us money to bring it back. So those are kind of the examples. The flood could be the result of a burst pipeline, which you have up in the northeast when we have freezing, or the flood could be the result of a tropical storm or a hurricane. But the approach of no notice, I think, is one of the guiding principles. And I'm obviously not going to be able to cover everything that you need to consider in your disaster recovery plan or your crisis plan. But I'll try to hit on a few. Okay, establish triggers and delegate. So I'll talk about delegation. Typically, in an organization of 20 or more, there's going to be a level, a hierarchy level of transparency on information, and the ability to take action. The IT help desk is a good example. They service the clients and customers, in some cases their ability to access resources. Availability of resources, especially in legal services, as we found working with Jeff and Veronica, is usually the first thing we try to accomplish. We want to make the data available. We want the attorneys to have access to it. So there's some risk in that. But at the same time, there's the need to say, okay, I can make information available. I've delegated the authority to the IT department, because we're going to be in this disaster recovery, that you've got some more responsibility and authority to execute in order to support us during the crisis. These are not things you want to do seat of the pants, because there's obviously a whole bunch of potential legal ramifications. There's reputation ramifications if you don't do it right. But imagine if I opened up privileges to everybody to a certain resource, and then I violated, by accident, HIPAA and PII. Now, that is not what I intended on doing.
What I intended on doing is that the attorney that was going to court the next day, despite the fact that we had a flood in Orlando, was going to have access to information. And the only way he or she was going to get to it is if, in a timely fashion, based on basically a playbook, which is down at the bottom, I've delegated an authority to do this to the IT office. Now, the IT office typically would never do this without approval from the C-suite, but that's why it's important that we have triggers. The triggers are going to tell us whether we're going to execute a portion of this disaster recovery plan, so that we don't end up in a broken organization environment where we can't protect our personnel, we can't protect their information. Okay, so what that means is I need to have greater transparency and I need to see data at a higher level, so that the recovery team that's built this disaster plan that's been endorsed by the C-suite has said, yes, we need to know that we've got enough licenses for you to dial in VPN to this resource, and I've delegated the authority to the IT department to open up their access for this period of time so we can continue to service, right? Now, all of these have to be informed by policy. And the training piece is not so much training as it is exercise, training, re-exercise, and refinement. You're not going to get this right the first time you do it, and if you don't do it, seat of the pants is going to put you at grave risk. So the example would be help desk services as we disaggregate. The challenge there is if everybody found out on Friday, you're not coming in on Monday because of COVID, and there were a lot of organizations, big ones, federal organizations, that made those decisions, and they did it on a single sheet of paper, and then everybody's sitting at their apartment, at their home, and they've got an ISP provider, they've got a government laptop or a company-issued laptop, or they have their own laptop, right?
So there's a whole bunch of policy considerations there. What is my bring-your-own-device policy? Have I verified through exercising and training how we're going to access information so that I don't end up with an innovative, highly motivated professional who says, oh, I know how I'm going to do it. I'm going to have Veronica go to my office, find my toast, my little napkin that has all my passwords on it. I'm going to ask her to sign in. I know she wouldn't do this, but the point is this is why it's important that we develop a recovery plan, that we train on it, that we exercise on it so that we mitigate and reduce our greatest risk, is our innovative, diligent, highly motivated professionals. I'm not saying they do it all the time, but we are the weakest link. I've kind of beaten around the bush about the planning team. Here's the real important piece about planning team. The planning team that builds your disaster recovery plan has got to be informed as to what the senior leadership in the organization is interested in supporting. You've got your asset inventory done. You've got hopefully a risk assessment done. You've prioritized, but your team is not just cyber. As a matter of fact, some organizations, your CISO, your Cyber Security Information Officer, is either your operations officer or, worst case in my mind, is your IT person. IT is a customer service thing, and your CISO is kind of a compliance person. They've got to be technically competent, but they're really protecting your integrity, your data, your availability of your data. Anyway, so the point is you absolutely have to have your team be a cross-section of the business units that are in there. Do not send two people in a room, because if one of them isn't compliance or legal, you're in trouble. If you don't have finance there who can take care of payroll and make sure that your grants are being worked and your funding streams in and out are working. 
So it is a contact sport executing a planning team. I would also recommend that your planning team becomes your lead response team element, not on the ground, but monitoring, leveraging the transparency and the data that is being provided so decisions can be made and your leadership is able to be informed on those things that are related to the confidentiality, the integrity and the availability of your information, and that's really what you're trying to protect in cyber all the time. Okay, last thing before I get off, playbooks. Bottom line in playbooks is those are the checklists that I use in my business unit. They're probably my standard procedures that execute day to day. So that's my start point. Your planning team takes those playbooks with that business unit representative and with the entire organization representative. And if it's payroll is a priority and it can't be at risk, then you take their standard practices and how they do things. You run it through. Am I remaining confidential? Is integrity of data going to be good? What services do I need and are they in place? So I've got a primary method of doing things. I've got an alternate method of doing things. I've got a contingency method and then I've got an emergency method. I don't think we ever want to get to emergency methods, but you want to think about your playbook in that term and then you want to build your playbook. The reason playbooks are critical is you can practice on a playbook. You don't need to trigger an entire event and run through an entire disaster recovery plan so that your playbook is going to be tied to a function or a business unit. And that playbook, you should include as much of your senior leadership in the exercising of it and they should approve it because they're going to want to see that that playbook does not violate laws, your current policies, and if they do, then maybe you need to adjust your policy. I am going to hand it back to Aaron at this time. 
It's a big topic so we can't cover it in too much detail, but hopefully that gives you some insight. Go ahead, Aaron. I just have a quick question for Veronica. Are we over time, and do you want to transition to Gaurav, or do you want me to continue? You have three minutes. All right. So I'll just use that time to give a really quick overview of the cyber asset inventory, and what we want to do for this is do a complete accounting of what comes in as hardware, software, cloud services, end user mobile devices. And then also just data. There's a lot of data out there in our cloud environments, and we oftentimes do not have a handle on the security of it, who's responsible for securing it. And that comes down to the user agreements that you've signed with your cloud providers. Software is important because employees can install additional software on their company computers, and if you don't have the right controls in place to prohibit that and constantly monitor that, you're going to have issues there because they create additional threat vectors. So those are the main classes of cyber assets that I wanted to talk about. Dan already hit on the bring your own device policy. That's incredibly important in today's networks, because it is convenient to have people bring their own devices to work and be able to access their enterprise email on their personal mobile phone, and it keeps them from having to carry two devices. But it does create significant issues with using personal devices in regards to cybersecurity. And I think one of the best ways to approach this is taking the time to provide that employee training to know how to use your device safely, to set up your home network Wi-Fi safely so that it's hardened, and not put the onus on your employees to figure it out for themselves, because at the end of the day it's still your data. And then this is also a useful endeavor just because it highlights the incredible number of touch points a single employee has.
They've got a company laptop. They might have a company phone. They've got a number of server and cloud applications that they log into, and each one of these represents a risk that needs to be considered. And talking about risk, I think that's where Gaurav is going to go next, and how do you evaluate this risk and ensure that your risk profile for your company is acceptable to what you've set up for? Go ahead, Veronica. All right. Thank you, Dan and Aaron. We will have time for questions at the end. Just a reminder, please continue to type your questions into the question box in your control panel. Now I will turn the time over to Gaurav. Thank you, Veronica. And thank you, Aaron and Dan. I appreciate you guys covering a lot of the really important topics that are necessary for organizations today, especially with all the ongoing craziness that we have with COVID and work from home. And one of the things that both Aaron and Dan touched on is this idea of a disaster. And I think a lot of the initial topics that Aaron covered with regard to an audit and an assessment and getting ready, the way in which we prepare for these things, and the way that Dan very nicely covered the topic of how we have a plan and how do we make sure this plan is in place, I think that really is a good segue into what I'm going to talk about, which is the risk-based approach, cyber resilience, and data assets. And as we're going through the process of deciding what is important for our organization, what is it that we need to focus on? There are so many things here. There are topics that may have to do with regular business continuity. They may have to do with specifics about cybersecurity. They may have to do with things like, is the power on? Like in Florida, we often deal with hurricanes. Here I am, and it's raining outside, and I'm sure at some point this season we'll have a tropical storm.
So we have to deal with all the various different aspects and all the various different incidents that may arise and trigger your business continuity or your disaster plan. And one of the most important things is getting prepared for that. And so Veronica, we'll go on to the next slide and talk a little bit about the risk-based approach and what are some of the ways you can kind of filter through everything that's out there. There may be 300 requirements that you come across and you say, look, we have to do all 300 of these things in our compliance framework. We have to do all 300 of these things in our approach to security. And we want to make sure we're doing our best job following that CIA model that Dan mentioned. We want to look at confidentiality. We want to make a good attempt at maintaining integrity. But we also want to make it available to our user base and make sure that it's not so overbearing and burdensome that they're not able to access the data that they need and conduct business. So how do we find this nice balance, sort of this triumvirate, the C, the I, and the A? And one of the things you have to look at is risk. So what is a risk-based approach? Well, in a nutshell, risk-based approaches is taking a look at the things that might occur, the incidents that might happen, look at the vulnerabilities, look at the threats. You have a threat and you have a vulnerability. And you go, okay, here's something that we're vulnerable with. We have a specific computer system that has a particular vulnerability. And then we have a threat, which might be a hacker that's trying to get into the system. Or we may have a faulty roof on our building. And then you have this vulnerability. That's the vulnerability. And then you have this threat, which is a storm that's coming down and bearing down on you and it's going to be here in a couple of days. These are all examples of threat and vulnerability pairs. 
And you take those two things together and you look at them and say, how do we assess which of these is likely to happen? Which of these is not likely to happen? Which of these is going to have a huge impact on us if it does come to fruition? And which one might be a minor inconvenience? Maybe a small roof leak might be a minor inconvenience. If that roof leak happens to be over your server room, it might be a major inconvenience. So you have to look at risk-based approach and how do we apply this to the concepts that both Aaron and Dan were talking about? We look in an assessment. A lot of times we're buried when we first take a look at our security. When we first take a look, we say, there's so much to do here. There's so many things that we have to focus on and there's so many things that we have to try to conquer in a short period of time to make sure that we're either compliant or that we reduce our risk and improve our security. We can't do all of them and we can't do all of them all at the same time. So you have to pick. And that's really where the risk-based approach comes into play. There are going to be things like privacy laws and compliance requirements that you have to deal with. These things are regulatory. They're required and you have to meet them. So those are going to be some of the things that you're going to put first because you're going to say, you know, if we don't do this, we might get fined or we might have a penalty or we might lose our contract. There's other types of risks that are a little more nebulous and we're not going to be quite as easy to pinpoint. So a vulnerability sitting on a computer with a hacker that may or may not be out there with someone that may or may not be trying to get into your network. These are things that it's really difficult to guess. How many times in a year do we think that that vulnerability is going to actually have a threat that meets up with it and become an incident? 
So that's where we move on and say, how do we quantify this risk? How do we take this risk and make sure that we can identify what's important and what's not? How do we prioritize as we're going through the process of looking at security, as we're looking at privacy, as we're looking at risk in general? And one of the most important tools for doing that is a business impact analysis. Now, what does that mean? It means we're going to take a look and say, if we have threats and we have vulnerabilities and they pair up together and an incident happens, you end up with a situation. What's the cost of that situation and what's the likelihood of that situation? Like I said before, we're talking about the roof leak. We have a roof leak over the storage room. There's nothing of importance in there and maybe nothing is going to get damaged. Well, it's not going to cost your business a lot of money. Same thing, if you have a kiosk in the front of your building or a display board in your lobby and there's no sensitive information on it and somebody happens to hack that computer, you look at it and say, you know what? What's the cost to the organization? Maybe we have to buy a new computer. Maybe we have to spend a couple of hours of IT's time and cycles on repairing that computer. But if there's no sensitive data and there's no access to sensitive data, then that might be a very low risk. So that might be something you put down lower on your priority list. Now, if you find out that that same computer happens to also connect back into the server where you have sensitive data, or you find that that computer is holding data on it that you maybe didn't even know existed but is sensitive, now you have to turn around and say, okay, that risk, that impact to the business just went up. The average cost of a breach, I think as late as 2019, the Ponemon Institute came out with a study and said it's $3.9, almost $4 million is the average cost of a data breach. Now, you have to think about this.
Can your organization absorb a $3.9 million cost? That doesn't mean they're all $3.9 million, it's an average. So you might have a $200,000 breach or you might have a two or 10 or $15 million breach, but the idea is that data breaches cost money and a risk-based approach is the fastest way to reduce that expected value or the potential value of a breach for your organization. Veronica, if you want to go to the next slide, we can take a look. So the next thing we're going to talk about, and this dovetails very nicely with what Dan was talking about with business continuity, is cyber resilience. What is cyber resilience? This is really making sure that your organization can continue to operate. Depending on what stressors and pressures are placed on your organization, you want to be able to continue to move forward, continue to operate. And you're going to take a look at how flexible your organization is under pressure. If you have, again, I like using the hurricane example because I live in Florida and we deal with them all the time, but if all of a sudden you find that there's a hurricane coming and it's going to disrupt your operations, how flexible are you? How much have you planned for being able to operate when that disaster or that incident occurs? So, again, you look and say, in an ideal world, we would have 10 levels of redundancy for everything that we own. Well, as soon as you put that plan in front of your board or in front of your leadership group, you're going to come back and realize, that's an expensive plan. So they're going to want us to cut something out of that budget, probably a whole lot. How do we get the best bang for our buck? And, again, that's where risk comes in. You have to factor risk in. In Florida, we've had maybe 200 years of history where you can go back and look at what hurricanes do. How frequently did they hit? How strong are the winds? What are the different times of year that a hurricane hits?
So, we may find that you have some flexibility in your business continuity or your cyber resilience plan. You may not be in a situation where you say, hey, the likelihood of a hurricane hitting in January, for those of you who don't know, is very low. We're not going to get a hurricane in Florida in January. It's highly unlikely. Is that happening in January or February or March? Very low. You take a look at that and you calculate that and factor it into your business impact analysis. How does it impact your business? How hard is it going to be for you guys to recover? How hard is it going to be for you to continue operations under those types of pressures? So, first thing is, identify critical components and systems within your organization. What are the key things that keep the lights on in your organization? You may not have to have every single process in your business function. In fact, you may choose that it's too expensive to do that, but you want to look at what those processes are and how you can maintain the ones that are key, crucial, and important to your business. And then, you can set up a system, maybe a tiered system. You call them tiers: Tier 1 is the most important. Tier 2 is the second most important. Tier 3. And you can create categories of systems and categories of processes. And don't always think of a system in terms of computers. Sometimes these processes are just as important in a physical capacity. You have a process about mailing out checks if people get paychecks in the mail. But that's what? That physical component of mailing the check to them, a lot of people have direct deposit, but some may not. We have to physically get that in the mail. We're now depending on the Postal Service and other downstream entities that might also introduce risk into that process. So how critical is it that somebody gets their paycheck? It's probably a pretty critical component of what you do every day.
So the next thing you want to take a look at, as you're going through with cyber resilience, as you're going through with overall resilience, business continuity, and the process in which you evaluate criticality. You want to make sure that you have a good understanding. And I'm pointing back to that business impact analysis. I'm pointing back to that plan that Dan and Aaron talked about, where you have a good assessment. You have a good understanding of what the environment looks like to quantify that business impact analysis. And then you make your best decisions about how to make sure that we can identify those and prioritize the ones that are most important to our business. So I recently underwent a project with Community Legal Services of Mid Florida, and I can tell you that one of the most important aspects is communication with the clients. Now, the courts sometimes shut down. Sometimes you find that the courts may not shut down, and you might find yourself in a situation where you have to respond. There's a 20-day response period or some of the other important timeframes that are critical to the process of a case or the progress in a case. Those timeframes may not stop tolling if the court systems don't shut down. If you're in a unique situation where maybe your business was impacted and others weren't, or it wasn't a regional event or a county-wide event, you might find yourself in a position where you have clients that are depending on you. They're depending on you to make sure that you file an answer, that you file a response, that you file other critical components to their case, and meanwhile, that time is going to continue to toll while you are trying to get your business back up and running. So you have to look at what these critical processes are. In the project that I underwent with Community Legal Services, some of the key pieces there were being able to handle what happens if we have a client that has a need.
If there are pleadings that come in that we have to answer, how do we make sure that those things can get answered and responded to? Some of that requires us to go to a cloud-based environment. Some of that requires us to go to a work-from-home environment. Fortunately, during the COVID disaster that everybody's experiencing right now, this pandemic that we're in, there are a lot of things that are also shutting down. So maybe your resilience wasn't as important because the court system also stopped tolling those times. But if they hadn't, if it was a different type of disaster, a different type of peril, you may find yourself in a position where you've even possibly committed malpractice by not being prepared enough to make sure that you can respond for your clients, perhaps. Do you want to go to the next slide, Veronica? So one of the most important things for us to do is look at risk, which we've talked about, but also data assets. Because here's where a lot of the risk can be trimmed down. Do you have an inventory? Do you know what data you have? Do you have social security numbers? Do you have credit card information? Do you have banking and checking information that might be an exhibit to a pleading? Do you have routing and account numbers on it? Do you have information that is going to be something that is a little bit of a honey-pot or a target for a hacker? And then, who owns that data? Are you just the custodian of that data? Are you, in fact, the owner? Did you create the data? Oftentimes, as a law firm, we're not the creator of the data. We're just the custodian. So we have to remember this, that we're introducing risk if we get hacked or if we have a breach. Or oftentimes we may only have a copy of record, the only copy of record, for a particular document like an original note or a mortgage. These are all things that we have to look at and say, we have to make sure that we take advantage of our risk reduction.
Now, if somebody hacks into one of our systems, if we remove that data, if it's not business-critical, if it doesn't support a particular service for our organization, we need to make sure that we can remove that data and then it's no longer a target. Again, risk, ranking the risk and the impact on your business. It's probably one of the most critical aspects of what we do in the security field. And with that, I'll pass it back over to you, Gaurav. Thank you, Gaurav. And now we're going to go ahead and start the question and answer portion of today's webinar. I'm going to ask the panelists if they could go ahead and turn on their cameras. Thank you. So the first question I have is, how does this sort of risk assessment relate to the business of legal aid slash courts? Dan, do you want to take that one? Or you're on mute, Dan? Gaurav, I was going to recommend that you take it. I saw your mouth moving, but I couldn't tell if you were answering or saying something else, so fair enough. So how does this sort of risk assessment relate to the business of legal aids and courts? So I touched on it a little bit in my presentation, but one of the most important aspects of what we do as attorneys is maintain confidentiality of client data. We are a trusted advisor. We have not just a responsibility, but often an ethical responsibility, a professional responsibility that goes along with us having a bar license, that requires us to maintain the confidentiality of our client information. So that C in the CIA model is very important for a law firm. Sometimes it's secret information, sometimes it's information that isn't publicly available. I know court pleadings and those types of documents become public record, but there are often components that we might be using for drafting those things that are not public information that could give an adversary or an opponent an advantage or even the ability to hack into one of our client's data files.
If, for instance, they have social security information, sensitive information that might be on their two-factor questions for banking, things like that. So there are all sorts of different ways in which we could involuntarily disclose information about the client, and that's important and that's a risk that we need to make sure that we maintain good security around. If you have an old file system, and I mean paper files like in boxes and cardboard, and there are sensitive or important or original documents in those, and we have a flood in Florida or a hurricane comes through or another type of disaster, a fire, and those documents get destroyed, you might be in violation of Florida bar rules or even bar rules in other states that require you to make sure you maintain that client's paper files. And if we're not doing a good job of that, if we don't have a backup, you may not even know it. You might not even have looked in those files in the last 10 or 20 or 40 years depending on how long your firm has been serving the community. There might be files there that you aren't even aware of. So doing a data discovery, that inventory process that I know Aaron touched on, it's really important to include paper files and other types of data in that inventory process so that we can make sure we give a good, thorough assessment of your risk for your information and your own information. Thank you, Gaurav. Veronica, I have something to add to that because one of the assessments we did was almost identical to what Gaurav described. There was a storage closet or a vault, call it what you will. Vaults are only as secure as the procedures you have in place to protect them. So this had nothing to do with flood risk. It had more to do with the fact that inside of that storage closet was a copier machine, which makes total sense. It probably had the ability to journal digitally or keep a log of who made copies. But the control of that door is critical.
And the reason this is cyber is because there's a way to exfiltrate data on some of these copier machines. So if I make copies, I'm using an information system, I may even be able to scan it and send it to my email outside of the building. So while it's almost purely physical, whether I control the access to that room or not, that's the archive. We're archiving it, we're in compliance with policy and regulation for holding files and then disposing of them. But if we're not careful, we have a cyber crime as a result of physical security. So that's why I go back to, whenever we're doing any of our assessments and we're taking a look at our risks, we want to make sure that we understand that cyber doesn't start with digits. We're leveraging technology and our cyber infrastructure to we, whoever's perpetrating this. And it may not even be a deliberate leakage of information, but that violates confidentiality. And I think the root cause of these types of things goes back to availability of information. So in this case, the key was on somebody's desk and if you asked for it, you didn't sign a document that said you took it, you just grabbed the key, you went in unaccompanied, and 99.9% of the time, nobody's going to do anything wrong with that. But that system lends itself to a vulnerability. It's a huge risk. And it's because we're trying to make things available, and there always should be a really good tension between confidentiality, integrity and availability. If you sense a tension between those, you're probably going in the right direction. If you have so much availability that there's no way you can maintain the integrity of the data, whether a one is a one or an L, and you can't guarantee that it's going to remain confidential, you may have too much availability. That leg may be too tall and that three-legged stool is not going to stand up as well. Anyway, that's all I've got on that. Aaron, do you have anything else to add to the topic?
No, I don't have anything additional, but I thought that was a great aspect that Gaurav brought up about the physical aspect of files and how they relate to cybersecurity. But I'll go ahead and leave their answers as is. Okay, well, due to time, we don't have any more time for additional questions. So I just want to go ahead and thank Dan and Aaron and Gaurav for being here with us and thank you all for joining us today. We hope you found this information and dialogue valuable in understanding the importance of knowing your organization's internal vulnerabilities and the importance of building a secure, vigilant and resilient organization. Thanks again and enjoy the rest of your day. Yeah, thank you so much to Legal Services of Mid-Florida and all of the speakers that we've got here today. We really appreciate the help and consider joining the LSNTAP email list. It's a wonderful resource and these are the types of topics that we talk about all the time.