Thank you again for joining us for this future work. So what I'm gonna do now is introduce our speaker. I'm so excited because I get to work with this gentleman, Kevin Mulholley. Our topic today is security and privacy in today's IT environment. Kevin is a four-time certified professional with technical and administrative experience across a wide range of software, hardware, network and IoT solutions. Kevin does it all. He is the Customer Success Manager here at TechSoup. But Kevin, I'm so excited that they get to hear from you today because I hear from you all the time. I'm always learning from you. So welcome, Kevin. And I look forward to your presentation.

That was such a nice intro. It's always a pleasure working with you. As Aretha said, my name is Kevin Mulholley. I'm a technical customer success manager here at TechSoup. I'm a multi-Microsoft certified professional. I have experience across a wide range of hardware, software, networking, IoT environments. And today I'm going to be talking to you a little bit about security and privacy in today's IT environment. So for the sake of time here, I've condensed this down to some really simple, lower level concepts, but I still think it's enough for individuals to be able to successfully begin to roadmap and discuss internally strategies surrounding security and privacy. So a quick agenda of what I'm going to be overviewing here. I'm going to start first by taking a look at the numbers, specifically around a couple of things you may have heard of, phishing and ransomware. The numbers don't lie. That's a popular expression. And in the case of both phishing and ransomware, the numbers are actually a little bit concerning. Then I'm going to move into a discussion of basic security steps you can take around the areas where you can most easily engage with the applications and technologies that you're using.
I'm then going to switch the discussion to privacy and also how privacy differs from security. They do go hand in hand to a degree, but understanding that privacy and security can also, and in some cases should, be treated as separate components is a good way to approach this. And then we'll be opening up to Q&A. So let's start with some numbers surrounding phishing and spoofing email statistics. As you can see here, nearly 96% of phishing attacks are conducted using email. 77% of organizations faced business email compromise in 2021. The average cost of a BEC exploit was $5.96 million. Last year, 83% of organizations faced a successful email-based phishing attack. 39% of individuals said they've received at least one suspicious email. I got one this morning. And 15% of individuals say they received an email impersonating someone in their organization. Ransomware, this is another thing which, if you've paid any attention to the news in the last couple of years, has gone from something that was done as almost a one-off type of attack to essentially something that's actually called ransomware as a service. Frightening as that is, there are organizations that do this as a profession. Some of the effects of ransomware: the average downtime a company experiences after a ransomware attack is 22 days. A recent survey found that 37% of responding organizations were affected by ransomware attacks in the last year. The largest ransomware payout was made by an insurance company for $40 million; that actually could be corrected. I believe the largest ransom was just paid out earlier this year, to the tune of $70 million. The average ransomware fee requested has increased from 5,000 in 2018 to around 200,000 in 2022. So again, for the sake of time, what are some basic things that we can do to defend ourselves? As mentioned in the earlier slide on email phishing and spam, the first is protecting our email. Email is the lifeblood for a lot of people.
I'm not an email guy, but I do use email like most people in corporate environments, and having a good policy in place and a good strategy in place for addressing potentially malicious email is critical. Identity, what is an identity? I'm a person, you are a person. We have an identity as individuals. We have an identity within a corporation or an organization. Our identity there operates within the digital space. Protecting that identity in the digital space is critical. As you'll see here, there's a couple of different logos here. These particular products, which I will speak of later, are Microsoft Authenticator and Google Authenticator. And then the last item here, and this certainly is not a full list, is defending ourselves at the device level. So what that would mean in the particular cases you can see here on the screen is our laptops, our mobile phones, our tablets. These three in general, again, I think are a good place to start when beginning a basic security strategy. Some simple steps surrounding each of them. Regarding email: develop a culture of email security awareness. What does that mean? Be aware, be almost an advocate for your email. You protect it like you would protect your home to a certain degree. And internally, yourself and those that you work with, you'll want to embrace the idea of treating email as more than just something that you passively engage with, and that you can proactively communicate with one another about, just as you would have a conversation if you were sitting next to a person. Use strong, unique passwords across accounts. This is a big one in that you can certainly go a long way down the road, so to speak, in how you address strong passwords. There are password platforms, which could certainly be spoken to, and many people are familiar with them.
But the general idea here is that if a bad actor is aiming to attack someone and is successful, they happen to guess even just something random like a Facebook account, which we'll speak about in privacy. I'll speak about it to a degree. If you're using that same password across the board, you are going to be in trouble, because it's just a matter of time before someone figures out where you're at, Facebook, LinkedIn, what organization you work for, guesses your email, your work email, and then all of a sudden it's just a cascade. Learn your email host's security functions and tools. This particularly goes for people who operate, no matter how big or small, in more of an administrative kind of capacity, but even for the frontline users that goes back to the idea of a culture of security awareness: be a learning organization, especially around security. You don't need to know how to program some type of app, but understanding, like, hey, this email that's coming in, I don't know this person. Where is this coming from? You do a little bit of investigating. Be that type of person that has that approach, and that can again occur at any level. Some examples of security tools and functions would be any type of anti-malware, anti-phishing, anti-spam tools that you have, certain things around DNS. Again, I'm not gonna go down the rabbit hole with what these particular things are, but just understand that there are tools, whether your host is Exchange, whether your host is Google via Google Workspace. If you have a POP host, if you have an IMAP host, it does not matter, have an understanding. And if you're an admin, you definitely need to have an understanding of what tools are there. Be cautious of email links and attachments. This is where they get you. Within a mail message body, you have text, you have some HTML components, then you might find URL links and then some types of attachments. Somebody's sending you something.
Again, do you anticipate an email from this person? Does what they're sending to you make sense? Why is Kevin sending me a RAR file? You don't need to know what that is. It's just a file type, and there most likely wouldn't be a reason for you to send that type of file extension to me or to somebody else in most cases. So I'm gonna question what's going on there. So understanding the pieces and parts of email and being suspicious of them, having a healthy level of suspicion, is important. Identity: establishing multi-factor authentication. This is the buzzword, I think, of the last year and a half. A lot of you are probably familiar with multi-factor authentication. How it works is you are attempting to access, again, the identity component, some type of resource. It is a challenge to your general access. What is it saying? I'm not accepting just a username and password. I need you to verify using another method. In the case of the earlier slide, we have apps like Microsoft Authenticator, Google Authenticator, which, by the way, can also support logging into other applications, not just Microsoft, not just Google. Having an environment that is away from single-factor authentication is the single smartest thing you can do. I personally, in the last year, have blocked three access attempts to my personal tenancy that were made by someone probably acting maliciously that found my email, probably on some type of dark website. Adopting devices with keys or biometrics. So if your organization has a deployment of, say, devices that it has in place, do those devices, for example, have something like Windows Hello for Business, which is a fingerprint biometric? If you're using something like a MacBook, a fingerprint reader. Enabling these types of tools, again, provides an additional layer of identity access. For something like security keys, I'll discuss that as we move over to devices here momentarily.
They operate in both spectrums, at the device and identity level, so it's worth knowing that they reside in both places. Consider, whenever possible, a location-based access tool. An example of something like that would be a policy that you have in a Microsoft 365 account called Named Locations. This also exists in Google Workspace. You can create workplace locations. What this does is it either can prevent access to your resources from certain internet traffic outside of regions that you designate, or you can even set up something like trusted IP addresses, so that if you are logging into an account from a fixed, say, home address working remotely, the system knows what your IP address is. It's static. It stays the same. It knows that it can trust you. Developing policy surrounding privacy. A little vague, but the idea is that when we get to policy, you'll see it even more. If you don't have something in place for how all of you within an organization are addressing the way that you conduct yourself and your identity in the digital space, you ultimately need to have one. Formal, informal, it just needs to be something that is out there, is written and spoken of. As for devices, invest time in learning about device encryption. Again, that's kind of a slight rabbit hole conversation, but it's something worth knowing. The question is, if somebody gains access to my device, how can I keep them out of it? Microsoft BitLocker is a great tool, for example. It's part of a professional version of Windows. Mac has various tools that you can use to encrypt or lock. It's based on Unix, so it's really built on security anyway. But just learning a little bit about that can go a really long way. Again, along with identity, when looking to onboard new devices, consider a product that does have a biometric reader, or even something like a FIDO2 key, which is Fast ID Online. They're very inexpensive.
Some of them are a few bucks; they're out of the box, they're really easy to set up. And again, your device has an extra layer of security, and your ability to engage with certain endpoints like Workspace, 365, and even other third-party applications can actually be controlled by a tool such as a FIDO key. This is a big one. This is actually, if I put any one up there, I'd probably put this one, especially in our COVID remote environment: avoid commingling personal and professional devices. I operate with a work device. I have a MacBook, I have an iPhone, I have an iPad. I do not engage with those components of work with my personal devices. It's a big no-no. It should be standard policy. If somebody's in a position where they're forced, and it's a place where they have to do both, if you will, I would really try to limit that and encourage some type of strategy for how you separate those, because it's when people jump over to certain websites where they're trying to interact with people socially that there are mental slip-ups; they're engaging in a way that maybe potentially makes them more vulnerable. The effect that has will ultimately cascade down to a personal device that they have that's operating, using, and accessing your enterprise applications. You don't want that. That's a lot of where these attackers nowadays come in, again: where can I hit you, at a low level, in a way that I know that I can get into the back end through your standard personal social media, et cetera. Moving over to privacy versus security, let's start by defining just what privacy and security are. Privacy refers to the control that you have over your personal information and how that information is used. Personal information is any information that can be used to determine your identity. Security refers to how protected your personal information is.
Now, again, going back to the early example, when we were talking about personal, you have your individual, you as a person, and then you as a member of an organization or enterprise. Avoid commingling those types of environments and treating privacy as a back channel into, ultimately, security. I'm gonna jump over here. As I mentioned, they operate slightly separately, but they also work hand in hand. Just some basic things that you can do as practice to ensure a more private experience and engagement that you have on the web, on the internet. Limit sharing on the web. You could carry that over to a variety of different scenarios, but the main takeaway here is to think, like, what am I engaging with? If I'm attending something personal, am I using an enterprise email address for that? Ideally not. Is this something where I can separate my work and personal identities and engage with this just on a personal level versus bringing the enterprise into there? That's something that's worth considering. Again, I added this on here twice: separate device environments wherever possible. It's a big one. Work from home has really changed this. I get at least two or three calls a quarter about someone that was hacked going in through Twitter, through Facebook, through a variety of other things. These platforms do a fairly good job of keeping things at bay, but when you get to user levels of hundreds of millions, that's a very daunting task. So again, keeping them separate is the key to just general privacy and security for both the individual and for the enterprise. One thing here that I don't actually think is often discussed is know your web browser. So when you get into things, and this is around privacy, you get into things like cookies, third-party cookies, tracking cookies, analytic cookies, et cetera, et cetera.
They certainly have a value, and I understand why they're being used, and there may be instances where it's either required or necessary to engage with an element to do that. That's fine. Just understand that when there are instances where you're engaging with maybe a not-established, trusted resource, do I need to provide complete and total access to my browser's cache? Maybe I don't. And then to that effect, to what degree can I then start to engage certain advanced security components within the respective web browser, something like Edge, Firefox, Chrome? These are all Chromium-based browsers. They all have advanced security features. One of the big ones that I'm a fan of is HTTPS Connect Only, which goes over to understanding the connection, and I'll talk about that more in a second. But these are basic things that, when you start learning, there's a ton of resources. What is the most secure level that you can make your web browsing experience? There's a feature like Application Guard that Microsoft has; I use Edge. There are ways to keep yourself safe as you move along on the internet. To that point, understanding your connection. Is my connection to a site secure? Have I been redirected to another site? Is that site encrypted? HTTP versus HTTPS, in simple terms, is a question of: is what I'm doing on this site secure or is it not secure? If there's not secure TLS transport, you're not working across an encrypted browser connection. Unless it is an absolute necessity, you shouldn't be engaging in there. Like, there are some storage things that have come across where I do need access to this PDF. I don't know why it's not encrypted, but I do need access to it. I know it's a trusted resource, et cetera. That's one thing. It's another thing if I'm going to, again, going back to the links, the malicious links and these other types of things, going to a site, or even misspelling the site in the browser's URL bar. Where have I landed?
Like, what am I connected to and how am I connected to it? That's a big thing. Another thing is Wi-Fi and public Wi-Fi. Now, Wi-Fi 6 has changed the game a little bit here; it's a new technology for securing Wi-Fi wireless connection endpoints in coffee shops, airports, et cetera, but it's not universally adopted. And I'm not going to trust it. So if I'm connected using a work device somewhere, do I have something like a virtual private network set up? Like, again, how am I reaching the resources I'm at? Is it something that everybody has access to? Understand and know that. And the last part here is review apps and permissions. We're probably familiar with this without realizing we're familiar with it. Policies and permissions surrounding any application come in an implied form, and then some that are even dictated to us. Understand what role an application can play rather than just simply checking off: I allow this, I allow you access to that. Sure, you can do this, I agree to this in order to integrate this app. Take a second to look at what permission you are providing a partner or a vendor before you go all in. It's not like you have to stop the train, but it's still worth understanding that, okay, so if I've added this integration to an application I'm using, it has access to my contacts. Why does it need access to my contacts? And if you're really looking to use something, have a conversation internally with your IT team, et cetera, and say, hey, I would like to use this. I'd like to know, is this a trusted third-party extension or application that I can use? Having a conversation, taking a second to review things, is hours or even potentially weeks or months' worth of headaches prevented by doing something very simple. And with that, I'm going to open this up to the Q and A that we have coming in here.

All right, thank you so much. That was awesome.
I learned a lot there. With all the questions coming in the chat room and the Q and A, we'll just get right to it. One second. How can I use a passkey to provide MFA access to online resources and protect PCs and laptops?

Okay, yeah, so there's a bit to unpack about that. Regarding passkeys, you're talking about tokenization, and that's where it's ultimately moving. I think for the sake of time, I would just probably encourage you to, really honestly, reach out to us, because I could talk about this for a half an hour. Passkeys are a new thing that people are moving towards as well. Tokenization is somewhat similar in construction to SSO, which some of you might be familiar with, but yeah, I'd really like to connect actually to have a larger conversation about that.

Okay, thank you, Kevin. Here's a good one, because I always think about this too: how to remember every single password, what is the safest system to use? Excel, software, notebook, what do we do?

So that's an awesome question. Probably one of the least that I would recommend is Excel. Now you could of course password protect an Excel spreadsheet, but what are you gonna call it? So if you wanted to get really clever and you had an Excel spreadsheet with passwords on it and you called it whatever, that's clearly not "passwords", and you had it password protected. But that is the lowest level of security, and quite honestly, someone looking into that, I'm gonna dig around, I'm eventually gonna find it, and I'm probably gonna figure out what the password is. So in something like that, honestly, if you're old school and you wanna keep a notebook, that's fine; again, identity and access management, keep that in mind, like where's the notebook? Is it in an office, is it whatever? So to me, I look at that and I think of something like LastPass or Dashlane, Bitwarden, a ton of technology tools that you could integrate into your existing environment.
I would use those. I'm a big fan also of Keychain, which is macOS, but certainly for Windows, I would be leaning towards a password solution; they're very inexpensive, and some of them can even scale to more functionality than just general password protection.

Okay, thank you, Kevin. Here's a question: what are some things we can do as an organization to address both privacy and security?

Yeah, that's a great question. So I would probably start with just a couple of items, and I'm gonna keep this short, but this is just to have context. Have a plan for a potential breach. Like you have insurance on your house, you protect yourself in certain ways; have a contingency plan for when something happens to someone. It's always after it happens that people are responding, and then they don't have something in place. So at least begin a conversation internally where you can begin to outline those things. When adopting or scaling an IT solution, whether it's equipment or software, make sure security and privacy are part of the design. Like, your roadmap should have security somewhere built in there. The other thing is regulations. Everyone works in a variety of different types of business or enterprise. Some of you deal with financial information. Some of you deal with HIPAA, these types of things. Knowing the programs that you're doing and how to classify and protect data goes into that roadmap thing I was just mentioning. Begin the process of whiteboarding that out somehow. Know what it is that you're engaging with and what special attention it may need. And then the last part, and this is kind of just an extension of those, perform a review of your security and privacy policies regularly.
It doesn't have to be every week, maybe once a quarter, biannually, but please do it, because the landscape changes, and it's really important to understand if you need to make adjustments, like where we maybe need to add things, where we may be being a little bit too aggressive in our security and privacy policies.

Wow, that's good. That's good, Kevin. This question may seem simple, but it's a very quick question. What are some things while surfing the web that we should pay attention to?

Yeah, that's going back to the HTTPS that I brought up a couple of times. Is a website encrypted? How are you being routed there? Am I at the correct URL or address? Was I rerouted through a different address? Popups and analytics: do you have the ability to control what types of cookies are permitted to be cached during your time on the website? If not, it might be worth, again, restricting them to just maybe necessary or functional cookies. It really just comes down to: if you are venturing into an untrusted source, do you have the ability to get a resource, even from something on the web, that you know and trust, versus the way that searches are indexed? I don't know this particular website. Anybody can pay for an ad; that does not mean that it's necessarily trusted. So when you can refer to a trusted source of authority for something, do it. Eventually you build a large enough resource catalog. And this is another thing, do it. I encourage this internally, even on our customer success team: when people come to me to ask for technical documentation or resources, I only go to maybe a half a dozen different sites. I don't need to peruse the web and guess why I'm at XYZ company's site to learn something. I stick with what I know, and typically it answers the majority of the questions that I have.

Very good. What's a VPN and why do I need one? Why do I need to use one?

Yeah, that's a good question. VPN is a virtual private network.
It's a networking service that allows you to create a secure connection to another network over the internet by essentially masking your routing or your traffic on the internet. One thing VPNs especially are good for is shielding your browsing activity, going back to that airport Wi-Fi scenario that I was talking of. I would not put it past some bad actor to bring, and you don't need to know what this is, but they're called pineapples. I would not be surprised if somebody at SF had a pineapple and it's rerouting web traffic through their router. It is for pen testing. You don't really need to know what that is. It's just for security, but it's used to do bad things too. So again, where you can use a VPN and where it makes sense, you probably should.

Very good. So what's the best way to create and manage a strong password? You talked about that a little bit, but where should people start? I know you mentioned Dashlane and some things.

Yeah, those are a really good start. To me, it depends on what environment you are on: Windows, Mac, Chrome OS. Any type of hexadecimal, and this is just a general discussion. Hexadecimals are so much more infinitely difficult to guess. Avoid common words, common phrases. Do not use something about your company. Don't use something about your dog that I know I can find all about on your Facebook feed. It's beautiful and wonderful as it is. Their name and the year that you adopted them is gonna be where a lot of these people are gonna start searching through. So again, hexadecimal is a great place to start. Any type of combinations that are typically not sequential are great as well.

Thank you. Somebody mentioned hexadecimal. They appreciated that.

I should have explained what that was.

Yeah, I think this question kind of ties in, from Sabrina: how would you use a password manager like Dashlane or any other products that you recommend?

Dashlane is really just about something that's sitting within the interface of your web browser.
And as you begin new and initiating sessions, uncached sessions against something, it just essentially gives you the ability to then begin saving it. It works how a password extension would work. Slightly different types and levels of encryption are associated with something like Dashlane. So versus using something that's hosted completely in your browser, where that information is there, that information and password information resides on Dashlane's end and it gets communicated to whatever the particular browser is as needed. It's not about it sitting in the browser, and then, say, something like a browser session hijacking, like me overtaking the actual login session that you have. And then the first thing I'm gonna do in an attack like that is I'm gonna immediately go into your settings and I'm gonna look for your passwords. So with something like Dashlane, I can go into your Dashlane account, but it's not gonna matter, because I've got to ultimately get that from Dashlane, and good luck with doing that. Historically, they've done great jobs of protecting people, despite the fact that in all the security stuff I engage with, CISA, security newsletters, podcasts, they're constant targets, but they just do a great job of evading the bad people.

Great. DJ asks, how do I encrypt everything in my email? Best practices and apps that support passkey encryption options rather than a machine-based PGP.

So getting into email encryption, it's really just about leveraging what tool is there, like S/MIME. I never heard of somebody setting S/MIME as like a default format, but in theory, I mean, you certainly could, if every mail message that you had to push was encrypted, required encryption. Yeah, you could set up S/MIME or MIME encryption and then set that to the default mechanism. Something like an Exchange server has the ability to do that. I know how to configure it in 365.
It's actually something as simple as just really turning on S/MIME encryption. And you can do that across the tenancy in the admin portal. So again, this is a great question. This is very high level, which is awesome. I think talking about practices and roadmapping something like this, I'd be happy to have a longer conversation about.

Awesome. So Kevin, here's a question. Do you recommend organization-issued phones for security as well?

If you can afford it, yeah. To me, this is the thing that you run into, and I'll try to be very quick about this. For example, I have an iPhone, and I'm going to be very forward in describing when it does not go well, because I will admit when I don't do things correctly. I bricked my iPhone trying to enroll it in an MDM solution, which means I was locked out of my iCloud account for three months. And that was specifically because I was trying to cohabitate a personal iCloud environment with what was a mock enterprise environment. The lesson that I learned from that is, where you can acquire tools that are specifically related to the enterprise and pushed out through the enterprise, I would. It requires a lot less work. Like in the case of Apple, you don't have to have two Apple push notifications. Just one single Apple push notification configured and then one Business Manager account. In the case of Android, it's enrolled a bit differently. It's actually really easy to enroll Android devices, I discovered. But to the point, if you can, I would, because the big thing is some of the features that you get from a mobile device management tool. One of those big things is locking out. I've lost the phone. There's a lot of clever people that know how to do a lot of things as far as bypassing biometrics, other types of security, et cetera. Loading a phone or booting it from BIOS, which just means I'm getting to the core parts of the phone, the firmware.
If you have an enterprise device with a mobile device management solution, okay, somebody lost their phone. I can either lock it out completely, at least from the application end, like they can get into the phone, but they're not going to do anything within the company portal. If it's a cake, Microsoft, similar profile in Google. Or it's like, you know what, this is lost. We're not getting this back. We have no idea where it's at. I just do a remote wipe. The phone is done. It's trash. Some bad person gets it. It's irrelevant. The phone is essentially worthless. So again, based on your scenario, if it makes more sense to do that, I'd recommend it. I've actually had one really bad customer story about somebody commingling company profiles on devices, and then they unfortunately had to let people go, and retrieving access to those devices was almost impossible. It took them about six months.

Wow. Oh, this sounds scary, but that's why education and information is important. So we appreciate you doing this, Kevin. So here's a question from Anna, three parts. So I'm going to grab one from it. Will you advise against using a password system like a word plus the name of the website? For example, curtains plus Twitter plus a number, and keep it a system?

I would, like, wherever you can. Again, it's just a wall of large numbers at that point. And if you look at something, just even Google things like banned password lists, like that, you know, resources maintain. And I just don't really like word, like specific proper-noun-associated passwords. I'm just really not a fan. So not in line either. I guess I still will say I'm 99.9% not a fan. I guess the 0.1% would be, do you have something additionally to authenticate against that? So somebody does guess, like you had a combination of whatever it was with some type of random year or something like that.
If you are receiving a notification through a Microsoft Authenticator or Google Authenticator, you could do that, but that would be your notification to you that you then need to change it to something that's not even close to that.

Okay, Sabrina asked, any recommendations for affordable VPNs?

Yeah. I'll have to take a look to see if there's anything through our catalog. I don't know if anybody here at TechSoup is aware of any solutions. I've used Express. It's not a partner of ours. It's very inexpensive. It's a great tool. I think it's maybe $100 a year. So you can install it on five devices; I believe I have it on three. Okay. Yeah. I mean, there's a ton of them. Norton makes one, Bitwarden, and then Bitwarden can actually even in theory double as your password manager too. It does VPN and password manager. I think NordVPN does as well. Norton might have a solution. Really, take a look at it, see what kind of works best for your environment and then just, you know, just go from there. I think you'll see that a lot of these companies kind of sit at like a four and a five star rating, and there's not really necessarily something that differentiates one from the other.

Well, this has been good. I think we've answered all the questions here. Let me see. Just want to make sure. There's one question: how to remember every single password with a safe system? Okay. We did answer that. There was more of an answer. So I think we've answered all the questions, Kevin. This was amazing. Any last words to everybody?

Yeah. This is really just, it's about learning. It's about being proactive. It's, you figure you take the time to maybe learn how to install like Tile or something. Set time across your work day. And you should encourage this as an organization. It's about learning and encouraging healthy communication. It's that you don't want people just assuming that people are all doing the right things.
We generally are, but like, man, that Amazon gift card. I really want that. And I'm sure that this came from somebody legit. It's just about having a culture of openness around privacy and security. And, where you can, be as close to on the same page as possible.

You weren't looking, but there are lots of virtual claps in the chat room area. So thank you to lots of the chat room saying, thank you, Kevin. It was great information.