We all responded incredibly quickly, obviously, when the shutdown orders came in, at least in California, and we really sent people home overnight. And, you know, we sent them home with whatever we had, whatever laptops we had on hand; people were using their own home computers. We didn't have work phones to send them home with, so they were using their cell phones. They, you know, kind of scrapped around and made do with whatever applications they could find to get their work done, whether it was Google Voice or finding some scanning application or, you know, downloading a trial for some e-scanning application. And they were incredibly creative and really adapted to the environment because they really wanted to get the work done and they really wanted to serve clients. And, you know, I really want to take a moment to appreciate that incredible adaptation and creativity on the part of our staff to keep getting work done through all of that. And then gradually, of course, over the past now more than a year and a half, we did adapt, right? We finally got computers, and we're now finally to the point where everyone has a newly received laptop, and we got a voice over IP phone system, and everybody can now communicate with clients by voice and text through the phone system, using Microsoft Teams for internal collaboration. So we kind of caught up with everything and implemented and deployed lots of solutions. Knowing all of that, I still have in the back of my mind the sense of, I don't know exactly what everybody's doing. I think there are probably some people out there who, even though they have a lovely little Dell laptop that I gave them, are still using their old clunky workhorse personal computer sitting on their desk at home that they're used to and like.
I know that there are people that are still using Google Voice for client conversations and meetings. And I don't know how many other things like that are out there. And so I feel like what we've talked about is that this is a time when we need to really do that taking stock, where we really need to kind of enter a discovery phase of what's out there, what are people using? And the reasons are twofold. One reason is addressing risk, right? It's what's out there that could come back and bite us down the road, like somebody using an insecure personal computer that then somehow gets hacked. So that's obviously one set: just the risks of not knowing exactly where your data is sitting and how it's being used and how it's being disseminated, and needing to get a handle on that. And then the other side of that is really opportunity. Our staff did an incredible job of doing this adaptation and we've learned some things. We were not a shop that said we could support remote work for attorneys, and then suddenly we can. We made access to clients easier in some ways that, I'm sure, they would like to retain and we would like to maintain after this emergency situation is over. We didn't allow them to text us documents, right? Now they can take a picture with their phone and upload a document to us. And that wasn't something that we were really set up for; most of our work was face-to-face client meetings. And now we've really figured out ways to do a lot of things by phone. And for a lot of clients, especially clients who are older and clients with disabilities, that's easier for them, and it limits some of those travel barriers.
So we've increased some technology barriers and reduced some travel barriers, and we need to kind of take stock of all of that and figure out what the right balance is in terms of maintaining some of that flexibility and increased access to clients and different ways of providing service in more accessible ways. And at the same time, get a hold of some of those risks, figure out what those risks are and get those under control. So that's kind of where we are now, and some of the ways that I'm thinking of doing that would be even as simple as just doing a user survey to figure out what exactly people are using for different kinds of solutions. And then trying to do that in a really non-judgmental way where we're appreciating that creativity. And then thinking that later, once we really do that taking stock, we can come back and say, okay, there are real security reasons why some of those things aren't okay. But we take the time and trouble to understand the problem that people were trying to address, and make sure that as we're proposing solutions they're really tailored to what they were trying to do and how they were trying to get their work done, and make sure that we provide adequate training for new solutions that we're proposing. So the user survey, really figuring out what people are doing, is one of the things that we wanna make sure that we're doing now. And then also just generally updating our inventory: what systems are we using? What cloud services have we now brought in? And I realize that more now when I'm doing onboarding of new staff: what are the six logins that I've created for them when it used to be one? And so what are all those services? How are they integrated? What are we doing around managing that set of passwords and identities? And then of course updating our disaster recovery plan and documentation. So just making sure that all those pieces are in order now that we're kind of in this taking stock phase.
And at this point, I will turn it over to, I think John's gonna introduce this part, right? On the technology tools and policies.

Sure, so thank you, Stacey. So I think when the three of us met, actually the four of us met with LaDudra, we knew that there's obviously a very limited amount of time to talk today. And so we wanted to focus on some practical things that we think executive directors and likely IT managers and leaders are already thinking about, but we want to focus the conversation on some of the priorities that every organization should be focusing on immediately, or maybe you've already taken care of some of these items. And then some longer term security initiatives or tasks for organizations to investigate and hopefully move forward on as well. So there's sort of two parts to this. And Elaine, did you wanna kick us off?

Sure, so I'm gonna talk about some, I'm gonna call them baseline or low-hanging fruit. And a lot of these are a spectrum, like you can start with some low-hanging fruit and then John will talk about some deeper dives that you can do on this. But I think first and foremost, making sure that you have cyber liability, cybersecurity insurance. Just the questionnaire that you have to fill out to get that will give you a good checklist of things that you should be doing. And if you're not doing them, they'll often require that you do in order to have coverage. So if you don't have it, make sure you get it. And if you do have it, review your policy to see what it covers and what you should be doing in order to make sure you maintain your coverage. Stacey touched upon this, but knowing your technology, knowing what's out there, what hardware, what software, what's already in the cloud that you're providing. And then to Stacey's point, what are people using on their own? And oftentimes, if you find that they're using something on their own, why are they using it?
And do you as a program need to provide an enterprise level solution so that others in your program can benefit from it? But just knowing what you have is important because you can't protect yourself if you don't even know where your risks could be. A BYOD policy, again, as Stacey mentioned, we all sort of pivoted very quickly to virtual. And in some cases, that meant people taking their own devices home with them and just working on those. And maybe now we've bought some laptops, we've got people on more equipment, but really knowing that if people are using their phones, you need a policy. And sort of, policy is the first step; eventually you need to get to mobile device management, but at least have a policy on what they can use the device for, or password protection that they have to have on the device, or what they are not allowed to access. Even if you can't use a mobile device management program right at the outset, at least make them sign something saying "I won't go into these programs," attesting that "I won't use them on my personal cell phone," for instance. There's just a lot of risk with their own devices. You don't know if somebody else is using them. So at least have a policy so your staff is aware of what they should do. And the policy may look different for exempt versus non-exempt staff. So for instance, we don't allow Outlook access on cell phones for staff that's non-exempt because we don't want them working after hours on their phone. And so it may look different for different people. It may look very different for interns as well. There may be a lower level of trust with an intern who might be gone from your program in two or three months than with an employee. Make sure everything is up to date and know the frequency with which you update everything. So not just "once a year we update everything." No, you should be doing it on a regular basis, on a scheduled basis.
And executive directors should be working with their IT departments to make sure what the policy is and how frequently that's happening. People are our biggest liability. And one of the biggest ways that we're liabilities is passwords and passphrases. Everybody knows the sticky note under the keyboard situation. For a long time we used to have loaner laptops and every time I would get one back somebody would inevitably have put a sticky note with the password on it. And every time we'd rip it off and then it would magically reappear. Obviously because people forget passwords, but you need to come up with a system that works, and people need to have a good one, and passphrases are better than passwords. And ideally you move to an enterprise level password manager, which not only keeps your passwords so that you don't have to remember all of these, but when passwords expire, which you all should have policies setting them to expire on a regular basis, it can auto-generate a password for you that isn't just your kid's name with their date of birth every time. And you might switch that up depending on if you have to update the password. Multi-factor authentication, I think at this point we're all familiar with this. You log into your bank, they send you a text to make sure it's you. You log into Google for the first time, Gmail for the first time, and they send you a text. It's the same concept. Initially you're gonna wanna do this on the programs that you use the most, and that's why it's sort of low hanging fruit. It could be a much bigger project where eventually you put it in place for all the programs that you use, but if you're a Microsoft Outlook program, or if you're on Microsoft Suite or Google Suite, you're gonna wanna make sure at least those programs have MFA because that is where the bulk of your data, and particularly client data, is being stored. So make sure that you have that in place and think about and plan long-term how to expand it to all the programs you use.
Data and drive encryption. If you have more computers, all the drives should be encrypted; that protects your data. But again, because users are our biggest weakness, training your staff on encrypting sensitive emails, on not sending passwords via email. So we have a medical legal partnership and the hospitals require us to send them encrypted emails. So we can do this. A lot of the programs already have it out of the box. So Gmail or Outlook already has some encryption services. If you don't wanna fully encrypt an email but you're sending passwords, Privnote is an easy thing to use. I would tell staff, if you remember Inspector Gadget, which at this point I think I'm dating myself, but the note would self-destruct after he read it. And so the same thing happens with the password. Whatever you send through Privnote eventually self-destructs. So nobody else can access it. Now, if your email's hacked, somebody has a Privnote link in there, but they can't access it, they can't use it, because it's already self-destructed. Make sure that your backups are correct and that they are tested. And this again is low hanging fruit, but it can be sort of a little bit more long-term because you're gonna wanna make sure you test your backups, but eventually you're gonna wanna test how quickly you can recover if you have to go back to your backups. That may not be where you start off. First you're just gonna wanna make sure that you're backing up. I can tell you for us, we were backing up for a long time, and then we had two offices; we would back up on tapes and switch where the tapes were so that if one office experienced some kind of damage, the tapes backing up that office would be at the other office. However, we closed that second location and it took months for someone to realize, where are we backing this data up and what's happening now?
So in the same server room we had the backup tapes and our servers, and that's a big problem because now if there's damage to that room you've lost everything, including your backups. So we had to put a system in place. So make sure you know where your backups are and how frequently you're backing up your data. Lock down your devices. PINs and passwords obviously for any work devices, but also making sure the device auto-locks, so if somebody walks away the device doesn't just stay open for an unlimited amount of time, and lock down USBs. And this is probably one of the things that my staff hates me for the most. It's better now that we're in the cloud, but for a long time people would put something on a USB and then take it home and vice versa. Well, that's just a recipe for disaster to have that plugged into your computer. We even have a managed IT company; they do penetration testing and that kind of stuff, and one type of testing they do is social engineering testing, and they literally drop a USB in your parking lot, and inevitably some really well-meaning employee will pick it up, go back to their desk and put it in just to see who it belongs to so they can return it, and you have no idea what's on that flash drive. So lock down the USB ports.
Know which services you have via VPN and which services you have in the cloud, and maybe come up with a plan. For instance, our finance department uses quite a bit of software that they have to get into through VPN. They're not happy with it, it's slow, and the programs all have a cloud version; we just never had it because they were in the office and we didn't need it. So if it's possible, consider and plan, maybe for the following year's budgeting, moving those services to the cloud if it's a pain point for your staff. But know what you have access to via VPN and know what is in the cloud, because that's how you also know your risk. And then tech support, and I think this goes back to what Stacey said at the top of the presentation, which is your technology should not be independent of what your staff needs. It has to support what they need, and your security should, to the extent possible, not offer huge barriers, because we know if we put up a lot of barriers people are gonna find workarounds and they're just not gonna wanna engage with your technology. So find out what your staff needs and find out the best way to meet those needs while still maintaining security for your program. And a lot of this requires, even though we call this low hanging fruit, this is gonna require training staff, bringing on staff and discussions with staff to make sure that they understand why you're doing all these incredibly painful things for them, like having their passwords expire and blocking USB ports and doing all of those things. And then ultimately, how does this look if we come back to the office? If we're back full-time, does any of this change? Do we have to have a plan for changes? I don't think any of us are gonna revert back from the cloud, for instance, but if there are programs that you have now, for instance we're using DocuSign for clients, do we stop using DocuSign once we're back in the office and people are now expected to come in to sign documents?
I suspect not, but it's a conversation to have with our attorneys. Maybe we don't need the same number of envelopes or licenses, so those types of discussions, so you know what services you're gonna continue past the pandemic. And John, I think you're gonna talk now about some long-term deeper dives.

I think that's a great way to put it, it's a deeper dive. There are some of the recurring themes here; it's taking it to sort of that next level. And again, we're sort of sizing this for our conversation today, it's not exhaustive, so I'm sure, and I encourage, folks on the call to join in with their suggestions and comments in the chat with other ideas. But so for sort of a next level, one of the things that we think is really important, and again it's something that involves both the leadership and the IT team, is managing access, managing the movement and storage of data sort of globally, diving in a little bit deeper: who has access, where can they access it? How do we know whether they're given sort of the right level of access? So for instance, I think a number of programs with their case management systems will give interns access to it. Are you locking down that access so they can't run reports, and potentially you lose a lot of data when they leave a report on their school laptop, let's say? So getting more granular, getting more specific with data access is, I think, really important, and it will inevitably lead to other questions and conversations. And again, this is why we think it's gotta be the leadership of technology and the leadership of the program working together. We can't work in a vacuum; we gotta involve our advocates to the extent we can to ensure that we're enabling them and not really sacrificing program delivery for security. We think we can work together. MDM, again, that next level really is to push that out across all your services, especially your case management systems. There are some programs that are using multiple MDM solutions.
The challenge for that is, of course, your users having to navigate through different second factor systems, still maintaining additional passwords and having to remember those passwords. So with an enterprise wide MDM solution you get your case management system, your accounting system, your HR, your email, your documents, even your VPN integrated into one solution, and that ultimately is a safer, simpler, easier to manage approach. Beyond basic antivirus security, we really think providers, and this is actually something that insurance providers, as Elena said, are starting to really kind of push in the technology requirements, but moving to endpoint detection and response software that's really looking for behavior, things that are happening on your laptop or on your servers that are out of the norm, and interrupting that, stopping that activity, and in some cases allowing you to roll back to before that activity happened, but also doing a good job of raising the alerts and alarms so that you can take action, or your IT partner can. And that of course comes at a cost, but one of the things that's either free or moderately expensive is building out your logging of your existing environment. So servers, laptops, pretty much every device, including firewalls, has the ability to log events, and the more data you have there and the longer you retain it, the better, because if you have a security incident you need to have as good an idea of what happened and when it started as possible. That really helps the team that inevitably comes in to dissect what happened and take actions to help you restore your environment do their job. So logging is really critical. At some level it's again baked into, like, Windows, but you may set up either a server that captures that log and stores it, or use a cloud based solution.
And again we talked a little bit about this being a progressive thing about security: audits, penetration testing. We really think that's something important. Legal Services Corporation this year has specifically called out the value of that with their TIG applications, suggesting, and with the TIP grants, that folks do more security investigations and audits. Another next step, and this is something where artificial intelligence is sort of improving the availability of the service, and I think eventually it will improve the cost of it, is using security information and event management. It's something that a lot of the larger corporations and larger law firms have been doing, and it's really taking that logging to the next level of having enterprise wide sort of analysis of your normal work and then looking for things that are out of the ordinary. So that's also something that we think is worth investigating. And then scrutinizing your service providers, so it could be your cloud providers like Microsoft or LegalServer or JusticeServer, or your IT vendors who are doing your help desk, and making sure that they're walking shoulder to shoulder with you. So you don't want your weak link being your third party provider. And so that takes time, it's effort, and hopefully you have partners that are publishing that on their website or are happy to answer your questions. And then again, I think this is why it's sort of iterative, looking at the systems that are working poorly and causing pain for your users, because beyond it working, to the extent, for instance, you can get the VPN in and access your files, that's great, but if it's causing frustration it's gonna lead to people doing things like saving documents locally or circumventing your systems and some of your security.
So it really is important to continue to meet with your colleagues and ensure that they know that you're concerned about their experience and that you're gonna do everything you can, obviously with budget limitations as they are, to make this a better environment for them.

Well, I think we probably just overwhelmed everyone with all these ideas, but I think, Stacey, from our perspectives, how do we get there? How do we implement these things is the next big question, right? Because these are all, I can say we will be sharing checklists for IT and executive directors, things to think about, but people are your greatest weakness, and I mean, I can tell you our number one tool in this toolbox is over-communicating. We tell people what we're doing, why we're doing it. We do cybersecurity trainings, and those are important for us to make sure that we bring people along, and that way people understand the risks and why we're doing these things to protect ourselves, protect our data, and in some cases, especially with phishing scams, protect them as well. You're muted, Stacey.

I know. One of the components of that over-communicating is of course to make sure that you have documented policies and practices, and that's really step one, because your staff can legitimately say, "I didn't know I was supposed to do it that way. I didn't know I was supposed to use that. No one ever told me, I didn't know where to look," all of which are completely common responses and often completely legitimate, especially when you're implementing new technologies and systems quickly. Often you think, I'll catch up with that later, I'll write that down later, I'll add that to the policy manual later, and often later never really kind of catches up to you. So I think that's an important thing to make sure that you build in time for: once you've done that kind of discovery piece of figuring out where is our data?
What are all the systems and devices that we're using now, and get that list up to date. Then what you're gonna do is make sure that you have those policies documented on what you expect everybody to use for what use case, and how you expect them to do it, and what to do if they have problems with it, and how to get training on it.

Yeah, and I think in the environment that we're in, we're seeing some new challenges, right? Because for us, when everybody was in the office, our IT department or managed IT provider had a lot more control over all those security features, and now with everybody being home, or at least a good portion of our staff being home most of the time, there are all sorts of additional concerns and things that people need to know about. So we've had to update policies because we contemplate that even post-pandemic, remote work will be a significant piece of work going forward. So updating those same policies to bake in what it looks like when you're home versus what it looks like when you're in the office. Have you seen any other challenges with implementing some of these things, Stacey?

Well, that's one of them. What you just made me think of immediately was what to do about people's home internet. Somebody has home internet that doesn't support, say, the Zoom meetings or the Teams meetings that we're requiring them to participate in, whether they're internal or external. What do we do? Do we just say, well, you have to deal with it? Do we ask our managed IT provider to troubleshoot one by one our staff's home wireless routers and internet service? So that's been a real challenge, and honestly, we don't have a good solution to that. We've basically just thrown hotspots at it when somebody said, "I can't maintain a phone call or a Teams meeting," which works in some cases and doesn't in others. But I think for the longer term, where you have people saying, "I would like to work remotely two or three days a week," and they don't have that set up, what are you gonna do with that?
That's a big question. And we've been struggling with that in coming up with our long-term telecommuting policy, which is like, what are the baseline technology needs? And for a large part, we don't need printers, but we do need a stable internet connection, and especially at the beginning of the pandemic with everybody home, people who thought they had adequate internet before found it wasn't enough because they might have had four family members all in the household using up the bandwidth. And to your point, Stacey, about tech support, it is, our managed IT provider has been excellent throughout the pandemic, but they've never, we have had people who they've had to call and say, like, this is what you need to do, restart your router, do this, that or the other, and they've done it, but it's very different to provide support when you have 60 staff members plus maybe 10 to 15 interns all in the office, all on the same network, all on the same servers, versus everybody in their own home. And that's something to think about, especially if people are considering moving to a managed IT company; that could mean additional costs if you're having significant numbers of your staff working from home.

You know, one thing, Stacey, is sort of, how do we budget for this? How do we plan for this financially? And that's a big question. And one of the things that we're starting to do is build it into grants, make sure that we have a specific technology line item that we're building in that isn't just support for that managed IT provider, but that covers some of these other components. So that's one: just build it into grant budgets as well as our own organizational budget. And it's one of those things I think that we just have to hold the line on and say these are important infrastructure costs that we can't compromise on. We can't responsibly provide these services unless we're backing them up in this way.
And you know, as somebody who, I became the Chief Information Officer at Legal Services about four years ago, and we started talking about security and cybersecurity when that happened, and we shifted to a managed IT provider, and there was just a lot less motivation from management to pay for these sorts of things. It was like, well, we're fine. Who wants to hack a legal aid anyway? Like, those were the sort of things I would hear. And that's definitely shifted. But what's really helped is things like this training, being able to point to a training like this to an executive director and say, you know, these are real concerns. These are top 10 tips. These are things we should be doing. LSC has updated a lot of what they're asking for. So even if you're not an LSC program, you can hold up some of the things that they're asking in their annual application. The cybersecurity insurance, applying for that, has helped really highlight that these are costs, but this is just the cost of doing business now, because our managed IT provider services, when we added the cybersecurity component that they provide, pretty much doubled overnight, but you just sort of can't work in 2021 without a cybersecurity component to your IT department. And, you know, I think it looks different if you have staff in house versus managed IT, but either way you sort of have to have that cybersecurity component in the plans and all these best practices that we've talked about. And I think we've gotten a couple of questions. Oh, this is a good one. I think you might have some information on this, Stacey, which is, our office is paying for full cell phone bills for employees.

We're not paying the full cell phone bill, but we have a reimbursement for, let me think whether it's, we reimburse $30 a month for internet and $20 a month for cell phone service, just with a check box at the, you know, for tax reasons and whatnot, we make it through a reimbursement request.
So they do have to do that reimbursement. It's literally a form where they have to check those two boxes and send it in, and then they get that $50 a month towards that. California is pretty strict about reimbursing for employee expenses. So I don't think we really had much of a choice about doing it at all, but the way we, people have done, I know, implemented that in many different ways.

For us it was, because I think we were sort of every three months thinking, like, soon we'll go back to the office, soon we'll, we didn't do it monthly, but at the end of the year we gave everybody a stipend for internet costs because we recognized that a lot of people had to increase their internet. So that was part of the sort of implementation concerns. And I think, just to sort of wrap up our pieces, and then we're getting more questions so I want to give time for that. But I think for me it was you have to get buy-in from the top and you have to communicate to the staff. And those were the two sort of crucial things. Once EDs are on board and you can sort of budget appropriately for this, we were able to make a lot of these changes and plan for them. And we had to bring staff along because we, you know, we wanted to do an MFA project and get everybody through multi-factor authentication. And it took like two months because some people were like, well, do I really need that? Was that a choice? It's not optional. So making sure that people understand that this is the way that the world operates. And honestly, once you've had a couple of phishing scams be successful, that sort of gets people to start thinking about it a little bit more seriously. John, I know you've probably been monitoring the questions.

Yeah. Well, and I think some of it is sort of supportive of what we've been talking about, the, you know, the cell phone, you know, for instance, for work purposes only as opposed to using it both personal and work.
And then you have some of the tax implications. And that is an extra complication. We don't want to make our staff's lives any more difficult than they already are. Yeah. So I think actually one question I have, so, you know, there are challenges working with funders, but also what about boards and other stakeholders? I mean, what do you, you know, are they prepared or how do you prepare them? You know, if you're changing your budget or changing your approach, can they help? What's, what do you, what are you seeing? Our board has been supportive of these changes. I think it helps that some firms have had some of these same security risks and security concerns and they're seeing it as a best practice now too. So maybe three years ago, they would have said, well, why did the managed IT services double? But I think after they've probably had the same experiences in their firms, they've been supportive of our technology initiatives and making sure that we're secure even though, you know, there could be the pitfall of like, but it's a legal aid program, but we have a lot of sensitive client data and we need to protect that information. Stacey, what about, what about you and your program? Yes, our board's been supportive of these efforts as well. Like the same thing, they've all seen phishing attempts and ransomware, at least in the industry, if not in their particular firm or corporation. So I think it doesn't seem out of line to them. And, you know, and some of the clients we work with in the legal aid community have gotten pro bono help from their board on some of the policies. So I certainly would encourage folks, if you have a good board or just know people who are volunteering with your local bar, your state or city or county bar, who work for a larger firm or work for a firm with some cybersecurity practice to get some help because it's, a lot of this obviously is technology, but there's a lot of policy questions. 
There's some liability issues, you know, it's risk management and law firms who work with a lot of corporate clients are typically pretty good with that. And one client, they recently shared with us a draft of a policy that they developed for them, that they really tried to simplify it, prioritize it. You know, you could come up with a hundred different policies, but you've got to start somewhere. And I think some of these firms who, you know, again, do this for their for-profit clients, maybe helpful and willing to do this on a pro bono basis for you. And our managed IT provider, too, provides a lot of these policies because they've done it, you know, for themselves. Our managed IT provider, it's interesting, is also a, they actually come from an auditing background. So they started their IT piece because of all the security concerns and IT concerns in the banking industry. And so they provide a lot of policies out of the box and sort of we can then tailor them to our needs. And that's been really helpful, too. So both John and Elenia just talked a lot about policies. So I want to pose the question of, and maybe there's not a definitive answer, but like how often should people, even if they're not editing or updating these policies, like how often should we be looking at these kind of policies? I think with the rate of change, and we started doing this about a year ago, two years ago, now before the pandemic, when we update our COOP, our continuity of operations plan, we sort of look at all these policies again, because things change all the time and we reference a lot of them there. So I think at least once a year, unless it's something that really is stagnant, but I just think with technology and the rate that things are changing right now, looking at your policy manual annually is a good, you know, and if you're looking at it annually, it won't be like when we didn't look at it for a couple of years and then it's a ton of changes. 
It's just some updates here and there. And I would suggest that you also do enough training on the policies or the practices with staff regularly, because it is a lot, and it's not the only thing that your advocates are worried about. And so if you can break it down, give them refreshers. And really, again, even within the policies you ultimately have, they're probably the 80% or 90% of the risk is gonna be focused to a much narrower set of specific requirements. That might also be role-based. So if it is somebody who's working in an administrative capacity or working on the finances, they're gonna need to focus on different elements of that policy likely than an attorney working with clients in the field. So yeah, the training and as we said, sort of the over-communicating applies to all your policies as well, because it's not something that's necessarily intuitive for everybody. Speaking of training and keeping our staff abreast of the different policies that we want them to abide by in different technologies, can you all speak to training and what have you seen that works in your staff as most responsive to and what trainings have they maybe not been so responsive to? Or are you doing web videos? Are you doing calls? Are you doing, is it email? Just, if you could just say a little bit of how you're training your staff and keeping them in the loop of what you're doing and why you're doing it. I think that'd be helpful. Well, I think one of the things that's not that effective is that we have our staff go through, actually there's a couple of different versions of an online training that everybody's required to do annually. And it seems to just not stick. There's a one that the state, well a couple of different state agencies that require us to have our staff go through those. And it just doesn't seem to penetrate. And I don't know whether it's the format or the actual quality of the training. 
They seem to be produced by perfectly good people and the content seems solid, but it just doesn't seem to settle into people's brains. So what I found, while it's pretty ad hoc, what I found most effective so far is every time we get a phishing attempt, I talk about it at staff meeting. I say, hey, this is what happened. The bookkeeper got this email and they said, hey, can you change this? I'm on vacation, so I'm using my personal email. Can you change the bank that my check is deposited to? Okay, and often they got pretty far down the road with that before somebody caught it and recognized it. So I just try to highlight examples like that. And whenever somebody sends me an email and says, this looks fishy to me, then I really appreciate it. I send it back to them and say, thank you for being careful, you're right. Please delete that. So it seems to be, it's hard to engage around it because the content is not familiar or interesting to many of them. One thing I found really helpful is what I call micro trainings, because I agree with you Stacey, those long, and we do an annual cybersecurity training. And that one, I have to say, our managed IT company is pretty good because they'll show you like your worth on the dark web. And so people are a little bit more engaged in that. But for the most part, it's once and it's done and they forget about it until next year when you have to do that training again. But I will get emails or questions from time to time and sort of like to your point that you share the information. If somebody asks like, how do I encrypt an email? I do a little video and I send it back to them walking them through the steps and encrypting it. And then I put it up on our Stream channel which is like our internal YouTube channel on Microsoft. So other people can see it there or I can reference it and send it to other people. So it's like, it's a little bit of, but then you save it and you can share it. 
And so people sort of ask for it when they need it in a lot of cases and you wanna be able to provide that on demand and not just give them like, here's a 30 minute training on cybersecurity and email. That's not what they're asking. They just wanna know how to encrypt the email that they're sending out. So there are a number of companies that offer cybersecurity training. One of the big ones is KnowBe4. And I think what they try to do is, small trainings, basically a campaign is like a political campaign every month. And then they do some sort of testing and so I think pretty quickly staff get up to speed and you have the statistics to sort of show that they're not falling for some of these well-crafted and I think that's sort of part of the work of the program is to design these phishing attempts to stump people if you can. But the thing is they can be good today or good for the next couple of months but the attacks change and our guard gets dropped. And so I think that repetition, small snippets repeated, tested. And then you know also if someone again, we can't be punitive, we can't be judgmental, we've gotta be supportive, we've gotta figure a way that we can be more effective as trainers. It's our job to reach people and but I think if we know who's having a hard time with this then it gives us the ability to focus a little bit more instead of taking everyone's time, we can help the five or 10% of your staff that really need a little bit more guidance and maybe a little bit more one-on-one assistance. Thank you for sharing that. I'm gonna jump to the chat. There's a couple of questions in there. So the first question, are any of you actively utilizing dark web monitoring services? And if so, what services are you using? We, our managed IT company does but I don't know the name of the program they use but they and people will get an email saying it looks like your password is, has been breached or has been compromised and make sure you change this password. 
Sometimes it's, the biggest one I've seen is that it's always like old, old programs that people are like, does that website even exist anymore? But if they've been using the same password and that's why we want it to expire, it could be a compromise. We don't use anything fancy but I do run things through, have I been, by the whole domain through Have I Been Pwned periodically just to see what pops. Yeah. And we certainly don't see a lot of firms using it but again, I think the point about making sure whatever your policies are that you stress the importance of keeping passwords, passwords and again, passphrases are a little easier for folks to remember and manage as long as they're not like I love the Yankees, might be a little bit too obvious or something but not using their old passwords or for Facebook or Twitter or Instagram with or even a bank with your firm's accounts. And so I mean, I think again it's, there were ways that we can sort of enforce some of that, actually it's hard to enforce whether they're using, but like password complexity and the frequency of changing but even as we suggested getting folks to sort of sign a statement like here are some of the top 10 things that we really need you to do to help us maintain a secure environment. It's low tech, it's low cost. Is it 100% effective? No, but none of this is. Is it harder to administer? Maybe a little bit, right? And so getting clarity with your team in terms of what those security parties are and then communicating and getting some sort of acknowledgement from staff because certainly everyone has had at least like probably 10 passwords that there's in the past compromised on some site over the last 15 years if not 100, you know? And so we're, we know that those user IDs vary a bit but the passwords get reused and that's a huge threat. 
And one of the reasons why we're seeing again in the chat, the value of the MFA because while you don't want that password compromised having a second factor can really help mitigate the risk that your account actually is compromised when they get your password. Thank you. The next question, are there any recommendations for password manager service? We use Bitwarden internally for organizational passwords and I encourage people to use whatever they're interested in but I feel like there isn't a whole lot of interest except for people that I make use the organizational one. Thank you. I would just also suggest that again for anybody who is responsible for your administrative accounts or administrator accounts folks who have elevated privileges that you really also wanna focus in on their use of a good password management tool and some of them are open source or you can use like a commercial cloud-based solution but making sure that they're also not reusing administrative passwords across devices or services especially if you have a team of folks and this is something where you really wanna talk to your IT consultants or helpers or manage service providers as well to make sure that they're not using some common password across your devices or even across clients. So that's as bad as it is to have an account compromised for a regular user, it's definitely worse if they have privileges to make more changes to your environment. And I've personally used LastPass for a long time and I like it. It's a little pricey for the enterprise one so we are moving our staff to NordPass and I found that one to be more cost-effective but we watched, we did the demo, we priced it out but we haven't started using it yet so I can't tell you how good or bad it is. Great, thank you so much for that. 
This is taking a step back here but one of the comments I think Ken mentioned that his firm is paying, I love this, for a part of the electricity for staff until they're back in the office which is in New York, well in California a lot of places electric is not cheap but that's a really kind of important part of this equation, we're running air conditioning or heating, all this equipment. So I really love that they thought about the electricity cost, not just the connectivity. I agree. The next question, I think this one's gonna be for Alenia. How do you promote your Stream channel? Do you have a champion program that staff can engage with before coming to you or your help desk? So the Stream channel is posted on the staff wide Teams page, it's also posted on department SharePoint sites so it becomes accessible for people and it's something that every training we do anything I share the Stream link, people forget about it so I'm not gonna pretend like that's it, everybody goes to it but it is fairly low effort to then share a link with them if they're calling in or emailing about a problem and I always remind them like if you ever have questions about this you can search our Stream channel. So I try to just, it's sort of what Stacy said about training it's like you have to keep reinforcing it. I don't have, unfortunately we for a long time it was me as the chief information officer and the managed IT company. We've recently hired someone so I'm hoping to have more help and sort of before things have to get to me but we're not that big a program, we have 60 staff so it's not like we're all in one location so no, for the most part those questions still come to me. Okay, great, another question for you. Oh, sorry, John. No, no, no, please. Another question was someone asked what is the name of your managed IT company that you use to share that? We're gonna be using NordPass and I said I personally have used LastPass and Stacy mentioned another. 
Yeah, that was the password, I think they're asking about your IT company. Oh, I'm sorry, the managed IT company. Genesis Consulting Systems and I can share their link in the chat. They have been excellent, we've had them now for, this is I think our fourth year with them and we do like every two to three years because we have a contract with them. You know, again, look at other companies' pricing, they give us a non-profit price which makes a huge difference, not all of the companies we reached out to did. So I'll put their information in the chat. And then David pointed out that again, the frequent password changes sometimes leads to people recycling passwords or incremental changes and that passphrases generally are considered sort of a more secure way. It's easier for folks to remember typically. It just can also be a little hard to type in. I mean, I've definitely used passphrases that people can't believe how long I'm typing for. I'm actually like, but it is again, that's the thinking now if you don't have MFA especially it's something long complex but a passphrase which is even longer and again, it can't be a very simple, it should be a simple statement it should be something a little bit odd that makes sense to you. Sometimes you throw in words in a different language into your phrase again, that helps make it more secure. And we don't require password changes any longer because of that change to guidance unless there's been a compromise. Right. And just one more word on passwords. One thing that, so there's two ways that staff keep passwords that have really scared me. One is someone actually bought a password keeper that's a big notebook that they write all their passwords in. And then on the front page you write your contact information so should it ever get lost someone can return it to you. I don't, so. And the other one is people would keep a lot of passwords in a Google Doc and that also scares me. 
It's an insecure document in the clouds and now they've got a list of your, the URLs and passcodes and usernames for your important stuff. So make sure staff isn't doing that and is aware that they need to be, keep using, I mean, to David, sorry to John's point, I just read David's name to John's point using phrases that they'll remember and not have to rely on a list of passwords that is not secure. One other thing I'd like to add to me again we're sort of focusing in on some of the top items that is broader. There are security frameworks out there that sort of help guide you along sort of the path of really analyzing every element aspect of your IT including if, for instance, you do integration work across your applications you hire a consultant to build some software or you have someone in-house who's regularly doing that kind of work and modifying maybe your accounting system. So there are systems out there that sort of look across the end user work as well as the sort of operational and development side of it. One I'll paste into chat is from a nonprofit that recently came up with a new version a slightly simplified version of their security controls that I think is accessible. I can't say it's necessarily all lay speak but it's not all geek speak either. So if you're interested again, I mean, I think there may be pieces of this that I'm certain do not apply to your organization but you can look at some of the elements for the ones that maybe you feel like you're most at risk for. So I wanted to share that out. Somebody mentioned single sign-on earlier and then absolutely that would be the way to go. Single sign-on covered by MFA for everything would be ideal. It's not as easy as it sounds. 
We just started looking into that and looking at can we bring everything under an Okta umbrella which actually has a very good nonprofit discount through TechSoup, you can get 50 free licenses but actually implementing it with the kind of spread of applications that we have out there is not that simple. There's also of course the Azure AD identity option but again, it's great in theory and it's great if something is already in their catalog of integrations but if you're using something that's a little bit one off you may find that either it doesn't integrate or that you have the wrong version of it. We looked at our e-signing program which says it does integrate with these things but only if you have the enterprise level of the package which costs four times what we're paying. So it's a great goal. Even Zoom you can do single sign-on with the right level licenses. And so yeah, I think it's but it's one of the things I think you know certainly as soon as you can do it you wanna add MFA to anything critical or with critical data but as you're looking at new systems, hey, we're changing our accounting system, you're looking at it for security as well and how can I make this simpler and therefore in some ways more secure but Okta or Duo generally speaking are I think really good at allowing you to integrate if the application or service you're trying to connect to supports it. And again, you might push your provider to enable SSO and recently they're one of the big case management systems providers both put out sort of a homebrewed version of MFA and also the ability to use single sign-on and that's critical. And so now there's sort of no excuse for any provider not to at least use their freebie version of MFA if not do the integrated. There's another question about timeframe to release a locked account automatically without causing security risk. 
Someone's seen policies for hours, some for minutes and recently we've seen from insurance companies that it has to be done manually that it can't be automatic after like just three attempts or something. Which just becomes a real management headache or support headache, I guess, and staff headache. I don't know, does anyone have any suggestions there on how long the timeout should be? Our managed IT company has I think I said it for like 20, 30 minutes. I can't remember exactly, but that's a good point. I don't know if there should be, I know that it would cause especially with how frequently people forget their password if we made it much longer than that we'd start getting some complaints from staff. And Michael says they use 20 minutes as well, yeah. And I think again, the over-communicating there's no such thing. So letting folks know this is what's gonna happen and hopefully don't call us at three in the morning with your account lockout. It will go back to being accessible but you just have to wait. But that's where again, all these things taking together, if you have a password manager that automatically populates your password or you have single sign-on, you have fewer of these issues popping up. So we're looking at it from the user perspective just like we're doing that when we're looking at designing tools for clients, that user experience, that user interface. So we really should be thinking about that. And then maybe again, deciding with staff and making some sort of judgment call and where that number should be. John, this is Michael from Laughla. Also too, with Microsoft Azure, you can go into the compliance part of Azure and set up rules so that if you have it set, so like say it unlocks the account after 20 minutes, if they do it again, then you could send an email to your admins letting them know that there's an issue that somebody's trying to get into your system and you can look at it further. 
So there are those safety precautions that you could set up in the compliance center of Azure that will help out with some of those things. Love it, thank you. And that's also sort of part of the logging or like how do we get notified? And that's, we just sort of posted a link in here for some 10 questions that we were thinking executive directors or executives within programs should be asking their IT leadership or IT partners or both and then sort of 10 things that the IT leaders should be thinking about or pushing with their leadership. And again, it could be 20 of each or maybe even more, but we had to sort of simplify it, cut it back a bit to make it a good starting point. Yes, I just wanted to share those as people start to drop off. I just do want to remind everyone that this will be recorded, it will be on LSNTAP along with the info sheets. So if you don't grab the link in the chat, they'll be available there. And it looks like we have just two more questions. Someone's asking, our advocates go off site for an eviction clinic and are more concerned about access to secure Wi-Fi? Any suggestions for mobile hotspots? We have a rise in mobile hotspots and they've been pretty successful with using those. We don't let staff use, you generally use Wi-Fi, like the courts are off site intake or anything like that. So they provide the devices for free and then it's an unlimited plan for I want to say like $50 a month. And actually, so I think Michael mentioned the Cradlepoint. So they're devices that are sort of geared to use 4G and now 5G in some cases, wireless internet access to do a really good job of making it accessible to multiple devices. I just, I think we've seen a lot of problems with multiple people using mobile hotspots and the quality of the connection. So I would just be cautious. I would test it out before you get staff or even volunteers doing a clinic with inadequate internet that that can really be demoralizing. 
But one of the things that we've seen during the pandemic and I just saw it again was that, you know, T-Mobile and this is where you might have to partner with a few other organizations because there's a minimum device count of like a hundred devices, but they have a tremendous deal for like $15 a month for phones with mobile hotspot, unlimited, everything, which is kind of what it should be but unfortunately isn't very often. So another, Verizon has a prepaid service. Oh my gosh, I'm spacing it, that I will put in the chat but again, theirs is a device that lets you use the phone fully but use it as a hotspot. And if you have like four people, it's $25 a user. So there are certainly, if you're gonna be providing devices and paying for that internet service, it's worth doing the research. And then someone mentioned the mobile, oh Stacy mentioned the Mobile Beacon devices. And Jerry provided the link, thank you. All right, well, that looks like that's all of the questions that we have in the chat for now. I just want to say thank you to both of our panelists today for coming and sharing with us and answering all of these questions. Again, all of this information will be available on LSNTAP's website.