 as you come in. Let us know where you're from. Everybody see my screen. Give me a thumbs up. Awesome. Thank you. Hi everybody. Thanks for joining our meeting today where we chat with the faith-based organizations. My name is Aretha Simons. I'm the webinar producer here at TechSoup. If you would mute yourself as you come in so that we have no sounds coming, make the quality of the recording for everybody. This is being recorded and it will be emailed to you within four to eight hours. If you watch this on YouTube, give it a thumbs up and subscribe to our YouTube channel. We greatly appreciate that. We have a lot of courses on cybersecurity and we're going to put some links in the chat room later. And I guess speaker is also going to share some links. But if this is your first time here at one of our chats, we would love for you to stay involved. But this is how you can engage. Please keep your microphone on mute for the quality of the recording. And so that everybody is not speaking on each other when we get to the question and answer, use the raise your hand option. There's an option here and it'll allow you to raise your hand. Then we'll ask you to unmute yourself. If you could keep your comments to a minute or minute and a half. If you need the closed caption, just hit the CC button at the bottom of your screen and allow you to have the closed caption. So today, before we get started, I have a couple of announcements to make. I would love if you have a conference coming up for your organization or an event that you would like somebody to come from TechSoup to share, please let us know. We would love to come share. You would contact Denise Farah. Her email is right there on the screen and we'll put that in the chat room later as well. Or you could take a screenshot of it with your phone. Also, I would love if you would become a feature speaker. There's so many topics that you all put in our surveys. 
And we want to hear from you because a lot of you are also experts in what you do. You serve your nonprofits, but you might be an expert in management or technology or whatever. Let me know on the survey. There's a link. Also put your contact information. I want to share with you something that's exciting here at TechSoup and that is Quad. I know it's a crazy name, but it's going to be a crazy platform. It's a new platform that we've just launched. It is a community-only platform. And it's a community for people who are addressing one of our global pressing issues, which is food insecurity. So we're going to start with food insecurity and we'll probably add some other platforms later. But we're going to have a special meeting about Quad. So if you want to know more about Quad, we're going to have a special meeting this Friday. We're going to put the link for you to join that meeting so you can learn about Quad and all the offers that it has to offer. I mean, trust me, there's many, many special events that's going to be held for, again, it's a members-only event. So we would love for you to learn about that. Now I know there's going to be a lot of links being popped in the chat room. And a lot of times people say, are you going to share the chat? The best thing to do is click on those links. It'll open up another window. You will not leave the webinar. I promise you it'll open up another window and you're ready to have that. So when you get off the platform, you'll be able to see it at your convenience. So enough about all the announcements. I want to get into the topic of today. And it is cyber security threats. Now I get lots of emails from Michael. And so I said, Michael, you've got to come on and talk about this. And Michael, is our speaker? Oh my goodness, slow down, girl. Is our featured speaker today? He's a senior director of community and platform for TechSoup Global. And we say TechSoup Global. That's TechSoup around the world in over 100 companies. 
 TechSoup's mission is to build a dynamic bridge that enables design and implementation of technology solutions for a more equitable planet. So in this role, Michael directs development operation, enterprise infrastructure, information and technology security, and software development teams that build and support platform products and services. So he wears a lot of hats. Michael has an MBA from Santa Clara University. In his professional career, started in 1996. That's about the time. No, I joined in 10 years earlier than that. But he began as a system admin for a Bay Area nonprofit that serves adult in need. He transitioned into another role as a technical consultant, developing data system to help measure and track service quality to individuals being served. Also, Michael was hired at the Second Harvest Food Bank of Santa Clara and San Mateo counties to manage 2000 technology and information systems. Now that's a lot. That was in the year 2000. Sorry, Michael. I'm just messing up your bio. But I got to tell the people who you are because you do so much. He's helped transform organizations into a more effective enterprise using the best class technology and efficient to distribute food, communicate, raise money and measure the food base impact. And I can't begin to tell you what he does for TechSoup. Again, we get emails telling us we need to do this. We need to do that because Michael is on top of it. So Michael, I'm going to turn it over to you for you to share more with us. And thank you so much for being here today. This is it's a great pleasure actually to be here. One of what's interesting about my role is it's it's both internal but also external. You know, when I first met Rebecca, our CEO, I was very much interested in TechSoup because being in the nonprofit sector as a CIO for so long, I knew of TechSoup. My wife was the founding executive director of a nonprofit organization. And I was her, you know, IT person. 
 And so we used TechSoup for all of her needs. And I remember when TechSoup was called CompuMentor in the 90s. And so I had a long history with TechSoup. But I've dedicated my life to the nonprofit sector as a vocation. And so, you know, when I was first hired, I told Rebecca, I said, look, I can help technology. But I can help TechSoup with technology, but I'm very interested in the community we serve. And that's why my title is Senior Director of Community and Platform. So I wrote, I wrote both roles. So I tried to, you know, do what I can to help our members. So it is a pleasure for me to do this and to help to try to see what I can do in my small way to help people. So today, we're going to be discussing cybersecurity. One of the hats I wear at TechSoup is I'm sort of our chief, the security officer. So and I oversee our security operations. And so we, we have a lot of platforms and we have a lot of internal systems. And so what I wanted to do was just share four basic ways I put together a small presentation. I want this to be a conversation because I'm happy to answer questions or, you know, be a resource to you. So but I'm just, I'm just using this as a guide. So please stop me or chime in on the chat. If you want me to discuss something in particular. And I hope that this is helpful. So I'm going to share my screen. And, and hopefully you all can see that. Is that working for everybody? Yes. Okay, great. So these are basically, you know, something, you know, that I consider like four simple practices or principles, you know, that to think about, I try to boil it down to, you know, what's really important when you think about cybersecurity and about keeping organizations safe. And ultimately, what this is about is, is keeping your data secure and also not losing it. And also your brand. So, you know, essentially the, and I'm just going to run it very, very loosely here. 
Basically, the purpose of this presentation is to just provide a general framework for data protection with, with these four simple things. One of them is kind of broken out. But essentially, this is really what, you know, if we think about security, what's important to think about is what, what is it that we're doing? It's not just making sure we have antivirus and and all that. It's like, what's, what's, why are we doing this? And so, you know, we already, you already learned a little bit about me. So we don't have to do the introduction here. But, you know, I want to just jump to the first sort of basic principle in that I think organizations, before they even delve into trying to solve problems about cybersecurity, that they need to understand their data. They need what they're working with. Because not all data is the same. And some data is more important than other data. It's, you know, to be frank, I mean, there's certain information that an organization needs that's very, very sensitive and important. And when we think about cybersecurity, what we need to do is really make sure we prioritize, if you've got limited resources, limited funding, you know, and you have limited, you know, time and then really, you know, find out where the most important data, the most sensitive data, maybe that's your customer data, maybe that's your the people who are raising money, maybe it's your constituents data, your constituents information, and really understand it. And these are the kinds of things that we really need to understand when we think about the data is where does it live? Is it in a cloud? Is it on a server in a closet? Is it on somebody's desktop? Like, where does that data live? Because you can't protect the data unless you kind of, unless you know where it lives and where it is. 
And then you can start thinking about other things like, well, now I know that it's here, maybe it shouldn't be there, maybe it should be in a place that, you know, is either correct or a centralized place, like in the cloud, like in Office 365 or Google. You know, if your data is scattered throughout the organization, if it's on people's home computers, it's really important to understand that, because then you start thinking, developing a strategy about how to protect it. And also we want us to know where it comes from, because you want to know, essentially, the source of the data, because that will help you understand sort of, you know, if you have a responsibility to be a steward of that data, essentially. And the other thing is to, you know, where does it go? When it leads your organization, you know, are you doing things like, you know, just saying, oh, I've got this, you know, you know, constituent information, and I'm going to send it somewhere. You have to think about, like, okay, is that secure? What is it that you're sending in? Do you really need to send that in? Do you have a policy, you know, around protecting that or to tell your constituents that you're doing that? You know, what are your compliance requirements around there? This is very important. And, you know, PII, what is PII? PII is personally identifiable information. It's really important to understand where, which parts of your data that you have contain that, you know, something sensitive, like, you know, personal identifiable information. Because of all the data that you have, that's probably going to be something that you're really going to want to be protective about, because that you have a responsibility as a steward of that information to protect it. And so that's going to be something that you're going to want to prioritize. You're also going to want to understand who essentially is the owner of that data. Is that you? Or is it a vendor? Or is it somebody else? 
 And that'll help to understand your compliance requirements, you know, where your responsibilities are around it. And then lastly, who can access it? You know, and I'm going to talk about this a little bit later, but, you know, sometimes what you want to do is you want to limit access to just the people who need to know. I'm going to talk about the principle of least privilege a little bit later. So anyway, I wanted just to kind of say, you know, does that make sense to people? Does that resonate with people? Or does anybody have any comments for things that they would like to or questions about that that they'd like me to address? Just about data. If you have a question, you can use the raise your hand option and I'll unmute you or actually unmute yourself. There's a lot of good information about where's your data kept. Anybody have any questions about that? If not, then I'll just move on. Okay, go ahead and move on, Michael. Great. So the next sort of basic principle is to I call this know your boundaries. And this is, I have this picture of a chicken coop here for a reason. And that's because in my other life, that my home life, I built a chicken coop. And I had I raised chickens. Now, that just this story, there's how happy there's there's a reason why I'm telling this story. So, you know, so I raised these chickens and I built this really nice chicken coop and had chicks and the chicks grew up to be chickens. And then one day I went down to the chicken coop and a fox had gotten in somehow and ate the chickens. And it was really, really upsetting. And so I thought to myself, how did that happen? And then I realized that I hadn't put anything at the bottom of the chicken coop. So essentially, what I did is I thought that I built this really nice fortress for the chickens really safe place, but I didn't really think about the boundaries, like how could something get in. 
And so this taught me something, believe it or not, about cybersecurity, that if you're trying to protect something like your data, you need to understand the boundaries that you need to understand what, you know, how could people get to it from what direction, what angle, and then that way you could actually fortify your defenses against somebody getting in like you can fortify your offensive against a fox getting into your chickens essentially. So this is like sometimes I say this is like building a better chicken coop. I mean, you basically to do it in the basic one of the basic principles in IT is building a perimeter around your data or understanding the boundaries of it so that you understand where people can get into it because maybe it's from the inside of the organization. I mean, a lot of ransomware things that we've seen recently happened because people get to the data from the inside of the organization. That's the equivalent of somebody kind of crawling underneath the chicken coop and getting in from the bottom. That's the equivalent of what happened to me. So oftentimes people think about the outside, like they put firewalls and maybe protect the outside or they have threat protection. They don't think about the inside that, you know, somebody comes into it if you used to meet if you leave your computer on at your desk and you walk away from it, somebody could potentially come in and just start typing away unless you unless you close it. So these are the things we have to think about when we think about protecting it. So know your boundaries. And so essentially as I was saying, this is what is between you, what is peanut data in the rest of the world? Is the perimeter secure? Is traffic in and out secure? Is it going, is it encrypted as it goes in and out? Right now, everything that we're doing today on the internet mostly is encrypted. 
 But if you send something like just via regular email, and it's not encrypted, like it's, and it's, it's sensitive information, you know, it's not really, it's not really as, it's not as secure as if it was encrypted. And also, if something leaves, like, if you have information like customer data or the constituent data, or, you know, fundraising information, and you're sending it to somebody is it anonymized? Meaning that have you, you know, oftentimes what people want in analytics or reports is information like the top level stuff they don't need to know the actual names or email addresses of people. So what we want to do sometimes with data is clean enough so it's anonymized because if your data gets in the wrong hands, it could be sold essentially. So we, you know, there's some basic principles around data management that this is sort of about, you know, keeping your data secure. So pausing there for a minute. Does anybody have any questions about, you know, basic, you know, perimeter security, you know, firewalls, or, you know, how we, you know, keep information safe in terms of like protecting the boundaries of the data? I'll pause for a second so that in case anybody wants to share anything. I'm interested in knowing what you get with what this, what this, what the people on the call use for, you know, to secure their data in terms of perimeters, like maybe with a show of hands, how many people or use, and you can use the reactions feature, how many people have firewalls in the organization, or are using, is there, so a lot of people are, it looks like we have people using firewalls. Excellent. And how many people are have data on-premise, not, not in the cloud, like meaning that they're like in a physical server room that your organization manages or like on-site. So, and then the last question is how many people have their data in the cloud? Like in Office 365 or Google or something like that. We've got, excellent. 
 Thank you for the ones who are participating. That's good to know. Glad that people are leveraging cloud for security. It's really important. Fantastic. And let's see. Just moving to cloud. We've got some comments here. The cloud doesn't seem trustworthy. You're a member for, we have Salesforce. Excellent. I've left some decent people in the chat. Use church management. Okay. We have Salesforce. Salesforce is very, you know, is a good option for organizations, especially to manage, you know, customer information. And, and it turns out that the cloud, and it's trustworthy, I think that, you know, I think that the cloud is, is trustworthy, but it does require some configuration. It's more to actually work. I think that's out of the box. Aren't as secure as it would be if you understand how to go in and change, you know, actually, and lock it down. And most of the cloud products will have some guidelines around how to, how to leverage their security features and ensure that they're, that you're actually, you know, they're, that they're more robust that way. I'm going to see you have, there's a question. At what point should be considered going from software to hardware firewalls? I think that that if you're, if you're in a data center and your, your equipment's in a data center, and so, so you actually have a server or something of that nature, then you, that's when you should be leveraging a, and if you have, that's when you should be leveraging a physical firewall, like, and I know TechSoup in our catalog has, you know, Cisco devices that can, that are simple, you know, to set up and operate that can act as a physical firewall. Oftentimes your router will have security features or you can buy ones that have that built in, firewalls built in. And sometimes you can actually use a software as a service as a firewall as well, meaning that it kind of goes through your data passes through someplace first before it goes somewhere else. 
And it's like, like sort of cloud-based firewalls. So you have some options there. So that's sort of like, that's like an in-between step. But if you, if you have people who are, you're just operating on desktops, using their Windows firewalls, then they're, you know, assuming that they're going out to the internet, like a central internet, or they're going through the router at home, I think if they're managing customer data, and it's actually located or sensitive data and it's located on their device, the meaning like, you know, they're actually to have spreadsheets with, you know, things or they're mad, it's actually like an application or something like a database on their desktop. I think that it's important to think about your home security, if you're a remote employee and you're doing that kind of work at home, it's important to fortify your security element and by an upgrade your home router or home to actually have those features, those firewall features and some routers have them and some don't. So, you know, you'd want to look at that and then read the information about that particular product, understanding how to ensure that somebody can't from the outside hack your system because they could, they could identify you and, you know, and, you know, there's, there's constantly people from the outside world trying to get it to try to find vulnerable systems and sensitive data and there's just robots that are just kind of pounding things all the time. Our systems get hundreds of thousands of requests every single day of people trying to get to our systems and so we've got this, you know, massive, you know, web-based application firewall before anything comes in and also anything goes out. So, but we're a larger organization obviously. So Michael, before you, before you do that, I have a couple people that have their hands raised. I also have Naysan here and I know she probably has to go to another meeting. 
Naysan, you wanted to make a quick announcement and Carrie, I see you and I see you, James, I saw your hand raised. I'm going to let you ask your question in just a moment. Naysan, are you still there? I am here. I'm here until the end of the meeting. I don't know why we thought I'm leaving. It's just that if you have, sorry, Michael, didn't intend to disrupt your presentation. It's just, if you have any questions regarding the products we have in our catalog for cybersecurity, if you put it in the chat, I would be able to answer them for you. Awesome, thank you. Yes, please do. And it's very important that, you know, because as I mentioned, when I was consulting for other organizations and when I was working, you know, helping my wife with her own profit, we used TechSoup and we used, and, you know, we found, we saved so much money out of the organization that I consulted with and that was why I've been such a huge fan of TechSoup and actually wanted to work at TechSoup. Thank you. Anne, you can go ahead and unmute yourself and ask your question. My question is pretty basic. I'm the executive director, but I'm also the person, the only person that really uses the internet. So I've got a PC trying to move the data on the PC into the cloud and just need some basic help in that way and hopefully Michael will address that. Okay, and there was somebody else that had their hand raised. James, you had your hand raised and there was someone else. Go ahead, James. Yeah, well, my first question was the firewall as opposed to software versus hardware firewall. And then my other question was the use of VPNs for security. I wasn't sure if he was getting into that, so I didn't want to ask too much. But is that something that you're going to kind of dive into, especially with a lot of home use and that extra layer of security there? You know, I mean, I touched on it briefly. 
 I should have mentioned that with the encryption information, but often one of the ways that people, you know, and let me discuss VPN, which stands for Virtual Private Network. And VPN use is when people are, you know, essentially, it was kind of developed because sometimes people who work away from the office, we need to get into their home offices and get to access to things behind the firewall. And so what the VPN did is connected them to their, you know, their work network, essentially, and allowed their home computer or remote computer to be within, you know, behind the firewall. Now, today, most traffic that happens, you know, to the internet happens over SSL. You know, that's why we have the HTTPS. That's in the URL of the websites we go to. That means it's happening over Secure Sockets Layer technology, meaning that it's encrypted. However, it doesn't mean that if you're, you know, if you're on a public Wi-Fi, or if you're, you know, if you're working from a Starbucks, or if you're working somewhere where, you know, in your crowded city, that somebody can't hijack your, your, get into your network by latching onto the same Wi-Fi that you're on. And so where VPN is really critical for people to use is when they're in an environment where they're concerned about the possibility of somebody, you know, hacking into their network, meaning that their home network or their life, or if they're on a public Wi-Fi, because we're all sharing the network at that point. So by using VPN, it keeps essentially that, you know, what you're doing safe. That's when people should prioritize use of VPN. Now, VPN, you can, you can get as a service. Now, you can actually buy a service. There's NordVPN, there's other VPN services. And so, you know, and I do recommend that on TechSoup. We, we have a whole system that we've developed for people to use VPN and it's required for people when they're doing some of the work at TechSoup. 
And it's recommended for people when they're using, when they're at home and they're working as human employees. So that's, you know, that's a little bit about VPN. Was that helpful? Yes. Great. Excellent. Are there any other questions before I move on or anything I can address? Was there anything else on the chat that I missed? No, you can proceed. If I could real quick, I got on a few minutes late, so you may have already mentioned it, but I'm, I also work as a technology director. And one of the things that I've found, especially going into churches and helping them and other agencies, we talk about all the security and you're talking about the router and the things that were built in. One of the first things I found is that a lot of times people will get good high speed routers that have all the security, but they don't change the username and password. Right. That voids all of your other security features because anybody can hijack your router when you don't change those. Yeah. Anybody can look up the default ones and just go into it. Yeah, absolutely. You've raised a very good point. What else, what else have you found in that work that you, that were sort of gotchas and things, you know, that, that are things that you found. That was really helpful information because it's, it looks like you could have an experience in the sector. Is there any other tips like that that you'd like to show before I continue with, you know, my lens? No, that's, that's the biggest one. And the only other would be with routers, you have a range or distance that they can reach. And you do a lot of those have the ability for you to tweak that. So if you're in a small building, you don't want your router transmitting a half a mile. You know, so just, just like I said, those small things, because that gives people the ability to, we call it war driving, but they can kind of go out and look for those. But then it goes back to that same piece. 
 If you didn't change those things to begin with, but you don't want your router or your network being transmitted further than it needs to. If all your stuff needs to be contained in the building, bring that down. Don't, don't add that extra distance out there, because that just gives people more opportunity. We're in an area where 50 meters from us, we have people's houses, you know, they can hijack our network if we don't take those other things into play. But a lot of the newer routers do give you that ability. So if you get a router, go in and check those features as well. See what, what is out there, what ability they give you, and some of those other additional security features, even for monitoring, everybody doesn't need to be on your network. So, and making sure your SSIDs, you don't need to broadcast all of those. You know, if you have a small organization, just give people the name of the SSID. If you broadcast it, that just gives people one more opportunity to figure out a way to get into it. So one of the, one of the other security features in routers, if you really want to lock it down, and you know the devices that are connecting to it, you could actually just limit the access to the router based on what's called the MAC address of the machine. And every computer has a unique identifier. And you can find it by, you know, typing into the command prompt, you can look at this up the directions very easily. You can actually get it through the control panel, you can find out what's called the MAC address of your network adapter. And if you, if you put those in the router, nobody else, nobody, the router saying, look, these are the only authorized devices to connect to the router. That's another way to secure your, your network. If you're in a situation where you really want to lock down security, not broadcasting the SSID was, was a great, great, another sort of suggestion that you mentioned, and also locking it down by MAC address. 
And also just enabling, you know, obviously the highest level of security, which is usually like, you know, a web, you know, it's, you know, make sure that's just not, you know, you have to type in some password after you actually access it. So those are all good, good, good tips. Thank you for sharing. And I will get back to you. Oh, you know, actually, I'm going to address that real quick, because you mentioned about wanting to move to the cloud and willing some help. TechSoup has, can connect you with, you know, some services to, to help you figure that out. That's something that we offer. And I don't know, Reeth, if you want to, Arne, if you want to, you know, provide that link to that part of our product catalog that actually has sort of, you know, are some of the services and how you can get sort of some advice from, from our customer support, and they connect you with another group that can maybe help understand what and assess what you're, what you're wanting to do and then help you try to figure out what that would look like. So. Yes, I can do that. Thank you. I hope that's helpful. All right, so I'm just going to move on a little bit here. So this next thing is, I basically call it Know Your Systems. And this is a little bit about, we touched on this a little bit, because this is what I was going to, you know, and it was the conversation we just had about routers is a good segue into this, because if you, if you, if you understand your systems and sometimes that's like basic stuff, like maybe you just have, maybe it's simple, maybe you have some computers and they're kind of going through a, you know, a router and maybe just five computers and going through a router. If that's it, at least you know that, you know what you're working with. And then you can understand those systems and you can see things like in this picture, you can see there's a picture of a router that's going out to the internet. 
Now some systems, you know, and here's the PCs that are kind of usually going through a switch and sometimes the switch and routers are combined. But in bigger systems like in the TechSoup, we actually have switches and then we've got routers and they're, and they're dedicated sort of units for, for each, each different application that they're doing. Sometimes you've got servers, you know, and let me serve maybe something that's in a small little data room. And you need to understand that system because these are the systems, this is where your data is. And that's why, that's why it matters. If you're, and this is where your data is, how your data is moving around. If your data is not in the system, it's using that system to move it around or, or it's leveraging that somehow in your, in your system. And understanding that is going to help you understand then what are ways, going back to the other things I talked about, like the, your perimeter, you know, then you can protect it. If you know your systems, then you can create those boundaries. You can create that secure chicken coop that I talked about, because then you can know, okay, these are the things I'm working with here. And you can also leverage the features of those systems because they will generally have built in security features to the point that was raised earlier, you know, out of the box, sometimes they're not, they're not necessarily secure and they need, they need to be configured to be secure. And so, and that's also something where there's, you know, TechSoup has webinars and we have blog information about, you know, some of these things and I encourage you to go to blogs.techsoup.org and, and, and improves through that to, to look at what we've provided in terms of guidance sometime on actually configuring your systems. Sometimes your systems might be cloud-based. They could be Office 365 or they could be G Suite. And in those cases, or they could be Salesforce. 
And in those cases, those are still systems and your data is there. And so if your data is there and that's your system, then, you know, then you can start to understand and create a strategy for securing it. So, you know, these are the, this is one, this is an important facet of the work that we kind of, kind of needed to do. And then to this, that point, you know, are, you know, are they physically secure? I mean, you can have the best, you could configure that server in that closet perfectly securely. But if the, if the door is unlocked, or if it's, if it's not air-conditioned, you know, and it heats up or, you know, during the heat wave and destroys the data, it's, you know, you haven't really protected it. Like, you know, or somebody could just walk in potentially and then actually stick a thumb drive in the computer and say, or, or in another system and just download data onto the thumb drive, you know, their little, or little mini disks and stuff. So, the other thing that's important about knowing your systems is that you should understand if they're being monitored or not. I mean, all these systems have logs or they have some way to keep track of what's happening on the system. And so understanding that and understanding if their system is working, if it's being monitored, is it, are, you know, do you know if somebody is breaking into the system or not? You know, how do you, you know, and so understanding that is really super important to cybersecurity. And that, that means even if it's Office 365, you know, so there's somebody looking at the Office 365 threat logs in there, or, or are they sending alerts? Have you configured to send alerts? I know that at my house, for example, I use in my router, I kind of set it with, with, to use like an online service that actually kind of acts as a firewall and it sends me alerts if, you know, somebody looks like somebody's trying to get at my home network and such. 
So you can, like, it's important to understand the things we can monitor. Now, this is really important. And I, you know, I address this later, but are your systems being up to date and are they patched regularly? This is super important. Because one of the things that happens oftentimes with a, you know, a hack, as we call it, is that a system was, hadn't been updated. And so there was a known vulnerability that was discovered and somebody exploited it. Somebody took advantage of that known vulnerability. And they, you know, and they said, oh, and they, there's, there's robots out there that check to see if there's, you know, people have open ports, unsecured systems, and if they have known vulnerabilities, and then they try to see if they can find information on that system, like credit card information or email addresses that they can be sold or something, something of value to them. And then also knowing your systems, you know, besides one aspect of knowing your system is knowing who can access them, meaning, you know, and as goes back to the other thing, like, are they protected with, like, are they password protected so you can't get into them? Are there, you know, is there, are you, you know, you have to make sure there isn't like a sticky note with like a password written on the server. It says admin and then password has, you know, to get into it. So you have to make sure that you've restricted access to the systems that have sensitive data. And, and that's, and understand who can access the system. So I wanted to once again pause there because I've been enjoying the fact that we've been having some engagement and conversations. I want to find out if, if there's any questions. Oh, thank you for sharing some of the courses. Fantastic. I see. And there's some great resources that have been coming up. And if in this, anybody have any questions they can raise their hand. Hey, Mike, could you talk about a multi-factor authentication too? Absolutely. 
In fact, that was on my next slide. But so that's a good segue. I'll just go to that next slide and then what we can do is we can discuss it. The last thing that I was going to cover is essentially some of these basic sort of principles. And, but, you know, before I do that, I'm going to, I'm going to talk about these things a little bit. But before I do that, because I'm not going to discuss multi-factor authentication during that, but it looks like C James raised his hand as well. Yeah, if I could jump in actually going back to when you were asking if there were any questions. I want to just, there was a question that I saw come up in chat with the routers. They were asking if using a guest network provided any additional security. And I don't know if you want to address that, but one of the things I would say, it doesn't increase the security, but one of the things that would be recommended is, if you're going to use a guest network, limit the number of IP addresses that you allow to be used on it. And if you're making it publicly available, still password protected, but change that password often, because if you give that password to people when they come into your facility, when they walk out, they still have that password. So when they come back, or if they don't come back in that guest network is still part of your network. So now they can access that from outside of your facility. If you haven't done anything to secure that again. So it doesn't increase the security, but it gives you the ability to do some things. And I work at a church. All of our visitors don't need guest access on our network when they come in. So only our volunteers. So we limit the number of IP addresses they're given out. And we set that to release those IP addresses after about eight hours. So once they've done what they're needing to do at the facility at that time, even if they go out later and try to come back, that IP address is not valid for them anymore. 
And that password is not valid for them anymore. So that was one of the things I saw that question. I just want to just kind of throw that out there. I was actually absolutely the essentially all the guest network does is keep the, you know, it's like a separate network so that you can actually provide that as a service people. And when people are on that, they can't get to your systems. But it, you know, if they really work hard, they might be able to. So it's really important to practice to hear those principles. We change. At TechSoup, we change ours weekly, but we also limit them. And the same thing, we have the IP addresses time out. And so they would have to authenticate back in. And actually, you know, it's really important to understand that, you know, if you provide that as a service or, you know, to change out that password frequently. That's, you know, critical and also keep an eye on it. You know, and you could, you could, you know, and that's one of the things about knowing your system. You can actually go into the system and see what devices are attached and how long they've been attached for. And if you don't recognize that or you get a network, you can lose it off. Great. So appreciate that. Very smart. Somebody said, all this sounds great, but it seems like a lot of work if we do not have a tech savvy person to keep track of all this. How easy is this if you have no experience doing this? It's, you know, I think that you know, a lot of this stuff is not rocket science actually. And a lot of the products, like the ones that TechSoup has, we provide, we have, you know, information on how to do things that are pretty big, you know, the basic operations and how we configure these things. It's, it does, as I'm not saying it doesn't take time, but it's time well value. 
You know, there's a, it only takes one cyber incident to, you know, then you'd be spending, you know, 17 times more work trying to fix whatever happened because of the event, then you, then it took to then actually configure so the cyber incident did not happen. So it's worth the investment in that time because it, and it's not necessarily and if you're not tech savvy, then there are resources so that you can, you know, get the knowledge, the basic knowledge to do that. And it's, like I said, most of these systems are pretty consumer friendly. The systems that are, you know, for organizations, unless you're a very, very large organization, you can, you can get essentially some basic instructions and then, and follow the instructions and then, and also do some tests, you know, and see if that works. So thank you for that. To add on to Mike's point as well, I'm a security consultant with a 10 years plus of experience is that there's someone in your congregation that either has IT experience or is interested in IT experience and that person may just be a high school student that's looking to study computer science or IT in college. They will help you. You just have to start having that conversation with them and say, Hey, could you do this? Could you help with this? Do you know someone that can help with this? You know someone that can do it. I promise you, you just got to have to ask around and have those conversations. And if you're having trouble with finding someone, please feel free to reach out. I can find you an IT consultants, someone who's in college that needs experience in order to get that job, they will help you. I have hundreds of them. And our volunteers are a great resource to tap into. You know, just a word of caution, though, with volunteers is that they are, they should be vetted. You know, anybody who's accessing a sensitive data or that you get privileged access to, I'm going to talk about the principle of least privilege here in a minute. 
And maybe that's a good segue to move into this. And I appreciate your thoughts. Mr. Mr. Dean. Thank you. The, you know, we, we have consultants and we give them access to our systems. But what we do do is we ensure that the, that they're vetted, essentially that we, you know, they have references that they have experience. And also that they, you know, are trustworthy. And so just like anything, you know, volunteers should be treated like, like, like you're hiring a staff person, essentially, except that they're doing it for, you know, the generosity. And when I worked at the food bank, we had volunteers who would help came in, we had volunteers from Cisco. And we had volunteers, you know, people who came in and wanted help with their systems. And they would just make sure that they're, you, you, you do the same sort of reference checking that you would for anybody else. And so there's some really great resource department up in the chat, by the way. So let me talk about some basic principles, because some of these things that have been coming out have been, been discussed here. And I'm going to give you an example of the principle. The first, well, before I get to that though, you know, ensuring that your data backup and that you have a backup for your data, and then you have a way to recover that and that you test it is really super important. Oftentimes people set up a data backup system. You know, and maybe that's like, you know, your the QuickBooks, you know, daily backup that happens in your QuickBooks for your finances, but they never really tested. And it's been oftentimes what happens is that when you actually need to something happens, you have to recover that data. You have, you know, essentially, you know, you've realized that the system had been working or it's, it's, it's, you know, corruptive or something. 
So the other important thing is where you back up the data to should not be the same system that you actually, you know, are backing that has the backup system is where the data is. So you shouldn't like, for example, if you're backing up your computer, you should back it up to the computer, you know, because if something happened to the computer, you lose the backup. So you always back up something to a different device and preferably when that's off site, the cloud, or in a different, you know, or you actually it's in a different room or it's moved to different case or something, that's called site recovery. You know, you want to make sure that something happened to your building or we were, you'd be able to recover the data in case of a natural disaster in, you know, California, where I lived for many years, we had earthquakes. And so we're always concerned about this. We would move our data to Seattle someplace out of state, you know, just because we're so concerned about what I worth the feedback. MFA, multi-factor authentication. This was back to earlier. This is super, super important. Because if you, if somebody, you know, passwords could be essentially, people could use what's called brute force techniques to discover a username and password. They can go in just, you know, hammer system, you know, with an automatic source script or a robot that just goes through, you know, very, very quickly, randomize characters to figure out, you know, what a username and password is. But if they, if they get to it and they hit the right one without, without them going and then actually sending a text message to your cell phone or something, then, you know, that's something you have. So what MFA means is that the factor is something else, it's something that you either own or you have. A really simple example of MFA is when you go to a bank with your, when you actually go to a gas station with your credit card to fill up your tank. 
When you put the card in, that's something that you have. That's one factor. And then when it asks you for, you know, prompts you for your zip code or some other information, that's something that you know. So, you know, in usually what the way it works is when you, when you have a password, by using the password, that's something that you know, but then it sends a text message to your phone, that's something that you have. So that's what factors are. So that's why it's called multi-factor authentication. Two different things, you know, two different factors. So, so most systems, most, you know, all system, modern systems these days have the ability to set up MFA to protect it. And if your organization is using, you know, when you get to your, whatever your system they're using, using MFA, understanding that, figuring that is super critical to ensuring some of your systems. Office 365, super easy to set up MFA for. And also the other thing with that is, you know, keeping, you know, passwords, this sort of also ties in with passwords, having strong passwords, having password policies, making sure the passwords expire every 30 months and have to be regenerated. Going to a, using a password manager is an important tool. So this is multi-factor authentication. I should have just made this all things about passwords and authentication because understanding authentication and how, you know, it's super critical because if somebody could steal your credentials, you know, if you use sticky notes with username and passwords and have them on your computers, that's not good because anybody knows this isn't, it's, it's defeating the whole purpose of the password. That's why password managers are not, are handy. And oftentimes you can get free service or something very low cost through TechSoup to help you with some of this stuff. Principle of least privilege. So this is a, an IT concept that, you know, is super important. 
And what this means is that it's essentially the, the concept that only the people who you have to think about the access to data and who should, who really needs access to that data and apply the principle of least privilege. Meaning that, like for example, if you have a financial system, you know, you don't necessarily need everybody in the organization to access that financial system, you know, you would basically, you know, like if your, your QuickBooks system or, or whatever system that you're using for, to manage your finances, only the people who run the finance organization need access to that. And so the principle of least privilege also entails like higher levels of privilege within a system. So for example, maybe in that finance system, you have people who want reports, like, you know, they need, you know, a weekly report, but they don't need to, to actually go in and to the, to the general ledger and make changes. So what you do is you actually can set up a role within that system so that one role has access, has limited access, and the other role has higher access. And so, you know, that's understanding that is the principle of least privilege so that we have, okay, so, you know, in most systems, you can set up roles. And so there'll be the administrator role. You don't want to give the administrator role to everybody. You only want the people who are trained to do that, or, you know, to have access to the, to the admin features. That means they can add users, they can change like passwords for people. And then, you know, other people, maybe you only want to get read only access. That's sort of the concept of the principle of least privilege. And so understanding your system, understanding your data, and applying the principle of least privilege to them is a super important concept when it comes to cybersecurity. The next one is cybersecurity awareness. 
Oftentimes, you know, one of the most common ways that attacks happen is that people are fooled by phishing emails or scams. And these things are, you know, links and emails and people have gotten very, very tricky with this through the years and have applied social engineering, behavioral, you know, techniques to trick people into thinking that there's, you know, something that they need to actually leak, that they need to click on in the button. I just want to check on time. How much time is you doing? We have less than 10 minutes. I just asked everybody to put their questions in the chat or use the raise your hand option. Great. I'm going to, I'm going to push along here. So then we're going to get to questions. Okay. I think the last two are pretty basic. So, you know, keeping your, we talked about keeping your systems updated and also ensuring that you have some sort of antivirus or malware protection on machines and devices that you have. These are some basic things. So I want to pause there because I know that there may be some questions. I wanted to leave some time for some engagement and conversation at the end here. Awesome. And I saw that James had his hand raised earlier. Any questions? Go ahead, James. Well, actually, I put in the chat one of the things that I was, we were talking about some of the sources and what we had done here is our high school has an internship program as well as our community colleges and these are all students who work or are training in the IT area. So someone was asking about, you know, it's a lot of work. Well, there's also, you could have students like that who are vetted by the schools that will also be able to come in and help you maybe once a week as an intern, they come in and update your software on your routers and that kind of stuff. Or they do the backups, they do the patches, absolutely. Exactly. You know, so that's one option. And then for us, we different churches, we work together. 
Our IT departments support each other. So if there's something I can't do, I can get with another organization and they will come in and either train me or provide somebody to help with that. So that's something that we can, networking in your community is always a great way to get some things done without a whole lot of cost. It's just a mutual sharing of knowledge and information. Yes, sir. We're stronger together. That's right. You know, that's really great advice. Thank you for sharing. Anyone else have a question? Devon, go ahead. I know you wanted to share some information. Feel free to share. A couple of things with MFA is that you really want to, everything that is on internet, your social media account, your email account, your Salesforce, anything that you use that you log on through the internet, make sure you put MFA on there. It's a really easy way to dramatically increase your cybersecurity. And it's really, really hard to break that feature, that control to secure your system. Another thing is having a plan for incident response. So when you get breached and you will get breached, there's no way to block every single attack, is having a plan in place that these are the people that you contact. This is where your backups are. This is what needs to be built. These are the things that you need to contain the breach. And you can just Google incident response, Google incident response plan. It'll come up with a template. And it's an easy thing that you can keep in the office and keep kind of your senior staff updated. And, you know, thank you for bringing that up. There's somebody sent a link earlier to the sans.org templates. And I really recommend, you know, we sent a lot of resources in that chat. 
But the sans.org policy templates, you know, are great ways of taking some of these basic things that I've talked about and giving into the details of them, such as things like, you know, policies, you know, I mean, I just touched on a few things today, but there's so much more. And, you know, and having incident response is a super important. Appreciate that suggestion. And the last one is about phishing. So attackers will send you an email, they'll send you a text message saying, hey, I need this, do this, click on this. That is usually the first sort of like a foothold attacker sent. And the way that you can determine that is look at the grammar. If the grammar is not perfect, don't click on it. Take a look at the email address. If the name does not match the email address, then most likely it's fake. If it's, you know, a name and then a bunch of strings at suchandsuch.com, that is a phishing email. Most importantly, if you don't feel safe, email the person who's contacting you to confirm that this is, you know, something that needs to be done. Just a simple text message. Confirm that that is a, that isn't something that you need to do. Thank you. Michael McCaddy said, still not clear on what least privilege means. You want to explain that before we close out? Yeah, let me just, one more time, reiterate the main sort of concept of that is that, you know, not everybody needs the same access to a system. So understanding, for example, you know, use the example of a finance system, because most organizations are using something like QuickBooks, that not everybody needs to be an admin in QuickBooks. You know, some people just need like read only access. And so that basically, and then only some other people need access to like the general manager, and some people don't. So the least privilege. 
So what you want to do is you want to provide people with the least privilege necessary to do their jobs, and only provide what we call elevated privileges such as administrative privileges or more advanced privileges, meaning they can do more things to the people who absolutely need them. Otherwise, they shouldn't have that access or privilege. So that's why it's called the least privilege, because you want to, you want to by rule, give people the least amount of authority to do just what they need to do to do their job and nothing else. And it's usually like one or two person that has those full privileges, those admin privileges. Exactly. Those are, and we call those, we call those elevated privileges or elevated permissions. If I could add one thing quick, and I'll just want to piggyback about the administrator, one of the things to remember if when you're giving administrative privileges for systems, you have to remember that those people also have those same privileges over the programs and software that you have on that system. So sometimes you need to check and we found that out here, because as a senior administrator, I have access to everything. So we have a policy in place. If I want to go into and even work on the finance system, I need to go to a senior pastor and get their permission to actually give myself permission to go into their system. So when you're giving administrative privileges, understand that for those elevated privileges, they have privileges to everything. You may say they're an administrator in an area, but on that system, they cover everything. So you kind of have to go in and some programs will let you go in and adjust those roles within the program. So you need to look at that because if you don't, then they will have privileges over everything. And so that's why we vet our administrators because like I said, those people can access anything in our network. If we don't lock things down. 
So don't just give people overall administrative privileges, make sure you lock it down to that area that they really need to have access in. Wow. Thank you, everybody. And you guys thought this was going to be boring. There's so many people who are excited and passionate about cybersecurity. Thank you, Michael, emails for your excellent presentation. That was a lot of information. I know that you guys will get the video so you can watch it on the replay and grab some of those nuggets. James, always great advice. Devin, thank you so much for chiming in. A lot of great questions. Again, everybody put in the chat room. Thanks to Michael, Naysan. Thank you for showing up for us. Andrew, thank you for helping in the background. Gail, if you're still here, thank you so much. Everybody, continue doing what you do, making sure that everybody in your community is taken care of and you take care of yourself. Bye-bye, everybody.