Thanks for having me here. In this session, we'll be discussing data security fundamentals that would give us some knowledge on how we can protect the data we have, the data we create. This is just a short summary about who I am. My name is Samayla, and I work within the cyber security industry. My focus is on cyber security awareness and building a cyber security culture within organizations. I have a few qualifications there on the screen, and you can look at those in your own time. So we'll be looking at, you know, the world, the working environment today, and how we've been forced to accelerate digital adoption across many countries in the world. We'll look at the CIA triad. We'll look at how the cyber criminals operate. We'll try to understand their tricks and techniques. We'll also look at how cyber attacks affect us, the potential impacts that could occur if we become victims of cyber attacks. We'll learn about the cyber security pillars and then discuss the steps we can take to protect ourselves from this little guy on the right side of the screen. So yeah, this is where we are today. We're now in a world where we are forced to collaborate via the internet. We are now isolated from each other in a lot of organizations. We are forced to leverage technology to do virtually everything, right? We can't do anything, or almost anything, without technology, you know, from e-commerce to banking to gaming, entertainment, work, communication. I mean, you name it, anything right now is done online. And while the world was gradually getting to where we are right now, you know, thanks to the COVID-19 pandemic, a lot of people who were not looking forward to it, or were not yet ready to become digital natives or digital citizens, were kind of pushed, you know, by reality to do that. So for instance, take my country, Nigeria, and many other countries in Africa.
In fact, around the world, if I may say, we saw a lot of situations where schools that were not leveraging, for instance, video conferencing, or were not leveraging online resources in terms of how they submit assignments and take tests and things like that, were now forced to go that route. And what this meant, or what happened, was that a lot of these teachers, who are not as tech savvy, or who may be tech savvy but do not have security knowledge, were all required to use the internet without necessarily getting any safety training or any internet security training. And this can also be applied to students as well. While they may be more tech savvy or more familiar with technology, many of them also do not have the required safety knowledge. You can apply this same concept to the work environment, whereas in the typical office you have your IT department that secures the network and protects the endpoints, the computers. In the work-from-home scenario, you are partially responsible, to a certain extent, for the security of your device and the information that you're working with. And so what this has done is that we've seen where, like I said, people are forced to work from home. There's now increasing remote work. So we are seeing where it's becoming easier to get jobs across borders. There's rapid technology adoption, like I mentioned, without adequate preparation or training. We've seen a lot of companies adopting the cloud and other, you know, emerging technologies to get work done, and done faster. There's also the downside, where we're having more cases of people getting burnt out because maybe they are working for longer hours, or they can't seem to separate work from personal stuff anymore, and other things like that. And we're also seeing companies that have struggled, which has led to downsizing; you know, a popular example was in the football world in Spain, where there was some downsizing and money missions happening.
And there are so many examples around the world. But what this has done is that this guy now has many more targets. So I mentioned the students who do not have the required safety training, the teachers who may not even be tech savvy in the first place, you know, and even parents and other demographic groups, maybe the older people who are more vulnerable, if I may put it that way, and other targeted demographics, who are now available online for this guy and his friends to target or to attack. So this is why this kind of discussion is very important, so that we're not mistakenly or unknowingly making ourselves easy targets for the bad guys. And so I will talk a bit about what information security is before we get into who the bad guys are and what they do. Information security, and some people call it, you know, there are variants, and we will say digital security, cyber security, computer security; you know, these are in some way synonyms or siblings, if I may use that word. But it generally refers to the protection of data or information from damage, tampering, you know, abuse or unauthorized access in one form or the other, and often theft as well. So when we're looking at this, we consider three main things, right. And this is what we mean by the CIA mentioned earlier in the agenda: confidentiality, integrity and availability. Confidentiality refers to, you know, protecting, so granting access to a resource to only those who are authorized to see it. So it has to do with keeping things private, ensuring that only authorized people can access it. Integrity means only authorized people should be able to modify it or change it. So if someone that shouldn't have access changes something, then that thing is said to not have integrity, because it has been tampered with or modified from its original. Availability implies that a resource is always available to those who should have access, whenever they need access to it.
Okay, so these three concepts are what we try to uphold in information security. So anytime any of them suffers, or one or more of them suffers, then it is said that, you know, you've not guaranteed or you've not ensured information security. Do I pause for questions here, if any have come up?

Thanks, Samela. Thank you for bringing this home. Personally, having worked with the nonprofits, I find the terms cyber security, information security, data security a bit confusing, and so it's great that you've touched on that. And on our step program, that is something we might actually want to just simplify, because I also noticed that in our documents some will say, you know, cyber security, and the others say information security. So from what you're saying, is it to mean that there's no big difference, that you can use them interchangeably?

No, so I was just saying that people use them interchangeably. I guess the main difference is that if you look at the word digital, digital is basically cyber, so digital and cyber to me mean about the same thing. Okay, and then if you look at the word information, that's different from digital or cyber. Okay, so I think the main difference is that information security refers to protecting or securing information in any form it is in. So it could be paper-based information; it could be maybe something you printed on a sheet of paper, something you wrote down. It could be something in physical form, or maybe in soft copy. While digital or cyber security is focused more on things within the digital sphere, the digital space. However, as we're starting to see over time, a lot of people are now, like you said, mixing the words around, and we're seeing where cyber is used to apply to information security, or vice versa. So, but I think the main variance, the main difference, is the kind of information they are protecting, what format the information is in.
So if you look at computer security, for instance, that's the security of the computer itself. There's also a field called network security, the security of networks. So while these are all different, they kind of work together; they're like a part of a bigger picture, which is information security, because information is stored on computers, on networks, in digital resources and so on. So I think they all come together to make up information security.

Right. Thank you for that. You're welcome. So do I go on, or do you have anything, Tamara? I think we can move forward, but I just wanted to say thank you for differentiating them because, as Lynette mentioned, we do use these terms interchangeably, and it can cause some confusion. Yeah, yeah, it's my pleasure.

Okay, so now we're going to look at, you know, the bad guys. We're going to look at who the bad guys are. In cyber lingo, we call them threat actors. These are the people that, you know, take actions to cause some form of mayhem, or abuse a system, or disrupt a service, you know, or damage a system or tamper with information and things like that. This slide is like a categorization showing the different threat actors and their motivations. So I will start from the bottom, which is to me the most important threat actor: you and I, really, humans in our organizations, the insiders, people who have legitimate access to resources in our organizations, but because of carelessness or ignorance or anger, you know, or any other inducement or reason, may decide to cause, or may not decide but may end up causing, some form of danger to organizations. So the first, like I said, is insider threats. And the motivation that this slide is referring to is disgruntled employees, for instance, an employee that has been denied promotion, or has been demoted or denied some benefits,
or maltreated in one way or the other, and may feel pushed or feel, you know, led to do something wrong or cause some danger, and they may not necessarily do it for any benefit. They may just do it to spite the organization or their boss, or something like that, right. So the point here is that they are insiders who can cause us some problems. The other side of it is, like I said, other staff who may not mean bad, but because they're not aware of these safety techniques or tips, or because of carelessness, they just handle stuff carelessly and do things anyhow, and then they don't take the right steps. And so they expose the organization to one danger or the other. We also have third-party people, you know, consultants, suppliers, vendors; any other person that's partnering or working together with the organization for one purpose or the other, and has access to the organization's resources or data, can potentially cause some form of insider threat. Sometimes people try to call these third-party threats, but they're all some kind of insider or the other. The next category is the thrill seekers. So these are people that just want to try out things, right; they have access to some cool software, they have a very nice computer or laptop, and they want to try and see what their knowledge can do. And so in the process of trying out these things on different websites, they end up taking down some websites or causing problems, which may not have been the actual intention, right, but that was the result of their activities. There's another group that people tend to put under this group, which are called script kiddies. These are people that, again, just play around; they don't have any in-depth technical knowledge. They download tools, buy tools, and they configure them and try to use them to try different things out.
Sometimes they may do it for negative reasons, but the idea here is that most of them just do it for some sense of achievement, or to be able to say they did this, or to brag to their friends and other people that they achieved this. So we generally call them thrill seekers. Then we have terrorist groups. There are quite a number across the globe, right; I'm not going to mention any names. And their motivation is to just cause some form of violence in the digital space. They go beyond physical violence to try to change how people think, change how people perceive or see them, as a way of luring people to join them, or to be sympathetic to their causes, or to kind of understand why they are doing what they're doing. Right, so this has deeper implications for society and for real people, based on what we are consuming from them. So they are also a relevant threat actor. We've also seen situations where these groups try to attack, you know, the critical infrastructure of countries, or to attack people as well. So beyond the ideological violence, they may actually try to perpetrate some form of cyber attack on other organizations or government bodies. Next is hacktivists. So these are, as you can tell, like a wordplay on hacking and activists. Right, so these are people who have strong feelings, strong beliefs about certain concepts, and believe that, you know, things should be done this way for, you know, justice to reign or for the betterment of mankind and stuff like that. And so when a government or a group of people does something that is different from or opposite to what they believe should be ideal, they can take some action.
There are situations where countries have come up with, for instance, anti-LGBTQ policies or laws, and you've seen some groups that have gone to attack those government websites, you know, take them down, or hijack them and even say, you know, this has been hijacked by this group, just to prove a point, and as a way of protesting, because that's what activists do: they protest and push for policy changes and stuff like that. So that's their own way of protesting. So those are the hacktivists. Then we have, you know, the main bad guys that we're all familiar with, the cyber criminals. These are the guys that try to do some form of financial fraud, always trying to get some money. Or if they can't get the money, they'll get the information that they will use to get money. So those are cyber criminals, trying to hack people's email accounts, trying to get people's bank details and stuff like that. Always looking for financial gain. And then the last on this is nation states. So these are what people call state-sponsored groups or individuals, or government bodies themselves, that may take certain actions in cyberspace to gain geopolitical advantages or security over other countries. So you've seen cases where a country would create malware to infect another country, to cause maybe a slowdown in that country's program, a project that country is doing, to damage whatever they're doing, just so that that country doesn't gain any advantage over them. You've seen cases where countries have tried to get involved in what they call industrial espionage, trying to pay people to spy on organizations to steal information that they can use, maybe to build something or to be at an advantage over that country. These are the kinds of things that nation states are known to do, generally. I mean, there are others, but these are like the main ones to mention. I hope my explanations were clear and simple enough. Lynette.
Yes, Amela. And the inside attackers, the insider threats, that one. So thank you for shedding more light on that, especially around consultants and vendors. And for nonprofits, you also see that most nonprofits engage a lot of volunteers, or even community, yeah, basically volunteers, whether those are within the country of operation or even foreign volunteers, and you find that in that interaction they are accessing very sensitive information regarding the community members that are being served. We've also seen cases where, you know, the whole thing around working from home, you find that on your laptop you're working, and you're living with someone else, a family member, who comes and accesses very sensitive information around the organization, and especially also financial information. We've had cases like those, and even in human rights organizations where people have been exposed because, you know, they're working from home and their machine landed in the wrong hands. Yeah, so for me that was such a highlight on the insider threats and the different forms that they take. And also now, a lot of nonprofits in the last decade or so, you'll find most of them, their fundraising entailed significantly the process of traveling abroad, you know, to meet with different funders, go for these conferences as a way of networking and, you know, getting to meet new funders. But with COVID-19, with the travel restrictions, you find a lot of people now started relying on their websites and their social media to mobilize resources from all kinds of people. And you know, when now it's on social media, really it's borderless, you know, but then you'll find that a number of nonprofits have been conned, especially through their spam mail, when someone, you know, pretends to be a funder. And, luckily, a lot of CSOs also in nonprofits, sometimes they send too many proposals; they can't remember who they sent it to.
And so they see this email saying, I'm so and so, you know, so and so left a check of a million dollars in support of your work. And you know, they open that email and it just goes downhill from that moment. So insider threats are wide, and especially in the nonprofits where a lot of resourcing is, you know, externally facing. Yeah, so thanks for that.

It's my pleasure. I think at some point we're going to discuss a bit about those kinds of threats, hopefully within the timeframe. Yeah, so this is just a diagram showing the typical steps an attacker takes. I'm not going to cover it in depth. The idea is just to have an idea, and also a disclaimer is that, you know, not every attack follows this sequence. So this is just a general flow of how attackers work. The first thing they do is to gather information about who their potential target is, and that's called reconnaissance, or recon for short. So when they gather information, they kind of know, you know, for instance, the kind of systems that you use, the kind of tools the organization has, the kind of applications you have installed on your systems. And based on that, they're able to start, you know, planning what kind of weak points they need to find. For instance, if they know that you're using Windows systems, they start looking, you know, doing some further research, doing some checks on what weaknesses or issues the Windows systems have that they can exploit. So that's where they get to weaponization, to really start crafting, you know, tools they can use or code they can use to find and exploit vulnerabilities. So after, you know, creating what they want to use, they need to find a way to deliver that malware or code to, you know, the user, and one of the easiest ways is email, which is what you've talked about, you know, people trying to scam through emails.
It's not just used for scams; it's used to deliver malware, for instance, or, you know, they can lure somebody to a website: come and fill in your NGO details so that you can be considered for this grant. And the moment you've been to that website, you know, the website is trying to download something onto your system to infect your system, you know, and things like that. So there are different ways that they try to deliver this malicious code to the users, and after they deliver it, they try to, you know, exploit the vulnerabilities that they found on that system so that the malware can be installed. And when it's installed, the attacker will be able to gain access to that system and take whatever actions the attacker wants to take. So this is typically true in a system hijacking scenario, where the attacker's goal is to hijack your system, right? And other kinds of attacks, like I said, may not follow this sequence, but it's just giving some more insight into how attackers think and how they operate. And so because we understand these issues are around us and they're everywhere, and that everyone is a target, yeah, you know, we have this belief that it is not a matter of if, but a matter of when, when it comes to hacking and getting compromised. You know, we believe that at some point or the other, everyone will potentially be attacked. You know, there's no escaping it, except if you are not online. The difference is, how prepared are you? How resilient are you? Are you an easy target, an easy mark? Or are you resilient and difficult to, you know, break into? So we've seen, I'm using Nigeria as an example here, not because Nigeria is the only country that faces these issues, but just because I'm Nigerian and that's what I'm aware of; it's easy to find news on your own country. So, yeah, so we're seeing cases of, you know, financial fraud, including money laundering, what they call advance fee fraud, where people ask you to pay to be part of a deal.
And then they take a bit of your money and don't get back to you. Or someone tells you that you've won, or that you've been listed in someone's will and you're supposed to inherit some $100,000, but you need to pay $2,000 to get access to it, and things like that. You've seen those kinds of scenarios. And we've seen where, you know, government infrastructure gets attacked, you know, government websites and web applications and other critical national infrastructure gets attacked. And also, as you can see, as we're aware of in the Russia-Ukraine conflict, there's been a lot of cyber added to the matter; it's not just the physical attacks that we've seen, there's been some cyber aggression as well. And so what is the impact of all these dangers I've mentioned, and all these risks or threats? What is the potential impact on us as individuals and potentially as organizations? For organizations, typically there's reputational damage. You can imagine a bank that you have your life savings in, when you hear that that bank has been hacked. You know, you potentially rush to the bank to go and empty your account. You probably don't even want to bank with anybody again; you just want to have the cash, like your money in cash, so you can see it and know that it's safe, right? So that means that a lot of people tend to not trust that organization anymore. They lose confidence in the organization. I mean, even the investors or stakeholders who may hold stocks and all that, they lose confidence in the organization, which leads to loss of money or loss of revenue, which can potentially lead to bankruptcy or even extinction of the brand. You've also seen scenarios where, because of government regulation, one law or the other, there are some fines and potentially bigger sanctions that may come from a regulator because of something they've done, or something that led to a cyber attack that was their fault.
You've also seen where, because of this hacking or this breach, sensitive information or confidential corporate information, intellectual property as well, can be stolen, or even resold, or abused or used by the attackers. Right. So there are so many things that I have not mentioned, but I think that's like the broad expected impact on organizations. Right. So, for the people side of things, you know, there's what we call a privacy breach, where information that you hold, information that you typically don't want to be in the public domain, can potentially now go to the public domain. Right. There's still the room for financial loss. There's still the room for identity theft, where someone hacks your email and sends emails to people as you. You've seen this happening on social media as well, where they hack people's Instagram accounts and send direct messages to all their contacts saying, Oh, I lost my phone, I'm sharing this with you, can you send me just $10 so I can get a train ticket back home or a bus ticket back home. Money you're not worried about, and it's your friend. So you help the person, not knowing that it is an attacker that's hacked the person's Instagram account and sent that same message to their 1,000 followers, and potentially gets $10,000 if everyone responds. So, these are the kinds of things that can happen to individuals as well. Again, there are many other scenarios of potential impact; you've seen where, because of the embarrassment or things that have come out from the attacks, people have become depressed, people have potentially committed suicide or, you know, changed schools because of the embarrassment, people laughing at them because of the information that got out, stuff like that; a lot of things have happened. So they are very grave impacts of these issues. Before I go on, do you have any questions on what we've covered?

All clear from my end. Tamara? No questions. Awesome.
And so when we look at, you know, the solutions, or how to implement safety and safety measures, we look at it from three angles: the angle of the people, the angle of the processes that you have in place, and the kind of technologies you use or can leverage. So, for the people, we're looking at the users, the everyday staff; we're looking at the IT guys, the security guys, management staff, you know, the people who are involved or who have some form of interaction with our systems and our data. So, looking at the processes: what kind of guidelines do you have? Do you have a policy that informs how users should behave, or how staff should handle data, or how staff should work? Are there international standards that you try to comply with or abide by? Are there government regulations or laws, you know, that you need to abide by? And then from the angle of technology: are there tools you can use to enforce some of these security measures, or to protect yourself, or to detect when something has gone wrong, you know, or to fix the problem when you find a problem? These are some of the things we try to look at under these issues. So, I will start with the people side of things, right? I mentioned that when attackers pick someone as a target, one of the first things they do is to gather information. As you can guess, the average user today potentially has 15 and above online accounts. If you look at it from the angle of entertainment, people have Spotify, Netflix, Apple Music and so on. If you look at it from the angle of emails, people have a work email and potentially multiple personal emails. They have emails from school as well. If you look at banking, people bank with about three, four, five banks and so on. So if you keep counting, you easily get the average internet user with about 15 accounts. And so a lot of people have multiple social media accounts, the basic ones being Facebook, Twitter, Instagram, LinkedIn, and so on and so forth.
And one of the things we do on social media is to share information, right? We're either posting or reposting someone else's information. What we tend to forget is that over time, if someone is gathering this information, something that seems benign, that isn't anything malicious on its own, can potentially be aggregated to form something that can be used against us. So for instance, you are always talking about how your kid, you know, your five-year-old kid, is a genius, right? How he is the best in the class, is always performing, winning awards. And so out of excitement, you go on Instagram and you post a picture of your child receiving yet another award, which you can't blame any parent for, being proud of their child, right? And you show the child off. So you post the picture of the child, you know, maybe showing the child receiving the award. And the award has the name of the school, or there's a badge on the child's dress that shows the logo of the school. And potentially people already know where you live because you've complained about one issue or another: maybe there's no light, or the road is bad, or healthcare is bad. You potentially complain about where you live, and people tend to know the city you live in. You've basically told any potential kidnapper, you know, where your child's school is. And so if they can't get to you, the next thing is to get to your loved ones, right? Another example I have on the screen here is that you talk about how your boss is traveling, right? It seems like just something normal to say: my boss is going for a conference to attend a UN discussion on, you know, climate change, for instance. Forgetting that you've also posted a picture of you and your boss, so potentially people know who your boss is, and anyone who is targeting your boss will be looking at you, who are supposed to be their, maybe, PA or next in command. And so they potentially know that your boss is traveling.
So if they're after your boss, for instance, they know that the boss's house is potentially empty in that period, or the boss, who may be, maybe, the strongest person in the family, is not going to be around, and so the family is vulnerable. So these are just ways that the simple, normal stuff we share can potentially yield negative impact if it gets into the hands of the wrong person. And, you know, the thing about the internet is that it's not just used by good people; there's no filtering method. They don't come to check, do a background check and ask you, who are you, have you committed a crime before; you know, anyone can create an account. In fact, we see quite a number of anonymous accounts on social media today. So we are sharing the internet with potentially very malicious people: murderers, pedophiles, robbers and all manner of bad people. And so we need to be careful, very, very careful, what we share online. That's just the summary of this point I'm making. And so another important point, and why I keep talking about the people side of things, is because, you know, you can't have security in isolation. You can't spell security without U. So it implies that everyone has a role to play. If you look at the team at the bottom of the screen, there are three people; the guy in front, judging by the haircut and the nice tie, we can assume is the boss, right. You can see that the boss is involved and the subordinates are involved. So basically, everybody in the team is working together to make sure they achieve the goal. And what is the goal? The goal is making sure your organization is not vulnerable to attacks, right. So everyone has a role to play in the organization. And so as we learn about the things we can do, the steps we can take, let's also think about how you can domesticate it and make it personal.
What can I do in my own position, in my organization, or in my family, for instance, to ensure that we are not vulnerable? Right. And at the top of my screen, there's an onion there. There's something, you know, there are so many ways to go about this issue. The idea is that there's no one single solution you can ever use in cybersecurity, or in security, to protect yourself. But you need different layers; you need multiple things working together, complementing each other, to build that resilience, right. And so there are what we call controls, which are just like security measures. There are controls that you can use. And this is just for knowledge's sake; this is more for the IT guys to know about, but I'll just mention it. There are physical controls, which are physical items that are used to enforce some kind of security measure. We tend to see them used in terms of access control. So for instance, to get access to a sensitive area means you provide your ID card to use on the scanner, or a fingerprint, and things like that. And so those kinds of sensors and devices are referred to as physical controls, or like gates and other things like that. We have administrative controls. These are things that largely have to do with processes and documentation, so like your policies or guidelines or regulations and stuff like that within the organization. Then you have legal controls. These have to do with what is outside the organization's jurisdiction, in terms of, whether at the state level or country level or global level, there may be certain laws that apply to you and that you have to comply with. Some people don't separate legal from administrative, but I decided to do that. And then we have technical controls. These are tools or equipment you can use to improve your security, tools like anti-malware, or what they call firewalls to protect your networks, and other solutions that are being used.
Now at the individual level, I'm just going to run us through about 10 things we can do. Practical steps you can take. You know, so beyond that jargon about physical controls, these are actual steps you can take, to break it down. The first one is to update your devices and your applications. We tend to forget, if I can use that word, to click on updates when they pop up on our phones. Maybe you're too busy doing something, or you're working on a document on your laptop and you get the prompt that you have an update. And so we ignore the update and say I'll do it tomorrow or next week. Not knowing that sometimes these updates are there to fix security gaps, trying to strengthen weak points and block gaps in your system's security. And so when you put off that update and don't install it, you're leaving yourself vulnerable to any potential attack that may happen in that period. So it's very important to remember that device updates are not just there to improve the features or functionality. A lot of times they are also there to improve the security of that application or device. Next is for us to adopt the habit of using strong passwords. We want to make sure that you're not using a password that's easy to guess. We want to make sure you don't share your password with people. You don't just write it on a sticky note and put it on your table or in the first drawer in your office. And don't use a password that has to do with your name or your family name or, you know, something that can be easily traced back to you. Don't use those kinds of passwords. You want to make sure your password has a reasonable length; we're talking about 12 characters being the standard these days, you know. I'm talking about some level of complexity helping, adding a few numbers and symbols just to make it stronger. So these are some considerations when looking at strong passwords.
We also advise that, because of the multiple accounts we have, creating unique passwords for every account can become a hassle. In fact, it can become impossible to remember them. If not, you may end up just doing password resets every single time you want to log in. So what do we advise? Get what we call a password manager. This is a tool that helps us generate strong passwords and store the passwords for you securely, so that anyone who gains access to your device cannot see the passwords. Right. You can potentially also use password managers across platforms. So on your laptop, on your desktop, on your phone, on your tablet, you can access the password manager and access your password bank. All you have to do is just remember the master password that gives you access to this password manager. So it makes it easier: it's easier to remember one password. However, this also means that it's a single point of failure, because if a person somehow gets your master password and has access to your device, then potentially they can gain access to all your passwords. However, it's not too common for that to happen, because they need to get both access to your laptop and access to the password manager. The next advice is to lock your devices. So many of us have phones and laptops that do not lock. So there may be a password, but when we sleep it, for instance, it may not ask you to log in when you come back. And sometimes we may decide to quickly answer somebody in the next office and leave our laptops unattended. You know, we assume all our colleagues mean well. We don't know whether there's potentially someone inside the organization that may be rogue and decide to commit a crime with your device, making you a potential suspect. So we need to be careful about devices. Always lock them. The same thing applies to our phones, our tablets. Always make sure they are locked. This is very helpful in the case of theft.
If your device gets stolen, then the attacker cannot, the thief rather cannot, use it or cannot see your information unless they're able to somehow crack the lock, which is not too easy to do. Next is to enable what we call multi-factor authentication. What this does for you is that, beyond the usual username or password requirement to log into most platforms, it asks for an additional piece of information. Now, this could be your fingerprint. It could be a code that will be sent to your phone, or a code you can generate from another device, you know, and things like that. So the idea is that it's not just what you know, which is your username and password. The idea is to add another layer, which could be something you have, like the token device that a lot of banks use, or it could be something about you, which is like your fingerprint or facial scan or retina scan and other things like that. So whenever you see this feature on any platform or any software, please make sure you enable it and use it. It's very, very important. Number five, try to get a trusted anti-malware solution. It's important that your devices are protected from malware. A lot of malware can cause a lot of issues, and they can be used to gain access to confidential information. So we need to make sure we have them so our devices do not get compromised. We need to back up our data. This is very important in case your laptop gets stolen or damaged or infected. There's a malware, for instance, called ransomware. What it does is that it scrambles your data so that you cannot use it. You can't access it. You can't understand what it is anymore. And so you can imagine an organization where the whole organization's data is scrambled. You can't work. You know, you can imagine it happening to, like, a bank. What will happen to that bank? If it happens for just two hours in a day, what will happen? The potential losses that will happen.
So it's important to back up your data so that, in case anything goes wrong, you know, you have clean data that you can restore and use on your system. Something important to mention for backups: there are multiple ways to back up. You know, you can use cloud, which is online. You can use a hard drive or storage device to keep it offline. Or you can use a server, or you can have a local backup within the organization. Some organizations have a separate location to store their backup data in case of something like fire, for instance; if it burns the whole office, the data is stored in different locations. So these are different ways to back up that organizations can consider. And very important: secure your Wi-Fi. Many times we buy, you know, we set up the Wi-Fi connection in the office and we just use the default credentials, you know, the same 12345678 PIN or the same admin credentials for the backend. It's very important that whenever you buy a device or tool, always change the default credentials. Never leave it with the default credentials. Always change them, because that default is used everywhere. And so a lot of people know the default. Excuse me. So if someone malicious gets access to that device, they potentially know the default, if you haven't changed it, and they will try it. So it's always important to secure your Wi-Fi, because you do not want some malicious person having access to your network, potentially trying to see what's happening on the network and causing one issue or the other. Next, okay, right after default credentials comes securing your Wi-Fi. And the last is partly what you're doing, which is to enlighten the users. If you do not train your employees or your staff, you're basically making them your weakest point, you know. Technology, if it is configured well, will do its job; it will run its code as it should. If the processes are structured well, they will serve their purpose.
If the users, however, are not trained, no matter how good the software is or the processes, they will make mistakes, they will ignore some processes, and so you will still be vulnerable. So training your staff, training your users, is like the most important of all these things I've talked about, because a trained eye can be your first line of defense. So it's a very, very, very vital thing to do. And so just to round up the key points: we need to take ownership of our security. You know, everyone has a role to play; it's everyone's responsibility. So like I said, whether it's in your office or your family, you know, you potentially have people who could be victims of cybercrime or some form of cyber attack. So it's our job to enlighten them. In our organizations, you know, some people say it's expensive, you can't do anything about it. Not necessarily. There are basic steps you can take. Of the 10 examples I gave of things we can do, about eight of them do not necessarily require you to spend any money. You know, so start with the basics. Start with the simple things. We find a lot of people ignore the fundamentals, the basics, and they try to go for the expensive stuff and they just find themselves lost. So start with the basics. Try to stay current, you know. Try to understand what's happening in the industry. What kind of scams are the scammers running today? What kind of tools are people using to secure resources? What kind of trends are happening in this space, so that you understand, you know, what kind of attacks other NGOs are facing, so that you can potentially prepare yourself for those kinds of things. It's important to stay current. And lastly, like we talked about, one more time, you know, enlighten everyone, your colleagues, your friends, your family members; let everyone be cyber aware so that they can protect themselves. Thank you very much for this time and for giving me your ears and your time. Happy to take any questions you may have at this point. Yes.
Thank you so much for this presentation. I've personally learned a lot. I have a few questions on my mind, but I guess the main one is: so if an organization is just getting started to apply these safety measures, what are your recommendations for, you know, the top three fundamentals that they should... I know there are quite a few, but if you could choose three that the organization needs to implement when they're first getting started in this, what would your recommendations be?

Yeah, that's it. That's it. Maybe it'd be difficult to narrow it down to three, but considering how organizations now don't necessarily work in the same office, securing a network now is more complicated, because everyone has their own network at home, so I won't talk about that. I would say a key one is the use of multi-factor authentication. So generally, anything that has to do with authentication. That's from using strong passwords to using password managers to the use of multi-factor authentication, because a lot of attacks, you know, when someone gains access to your email, for instance, so many other things can happen. It may not necessarily be identity theft. They could use your email to commit fraud. They could use your email to send malicious stuff to people. They could use your email to ask for funds, you know; they could reach out to vendors and say, oh yeah, you need to make this payment. Don't make it next week; make the payment for this month into this account. And so they siphon the money, you know. So anything that's about authentication is very important. And so the use of strong passwords, the use of password managers and enabling multi-factor authentication, so that people do not easily get access to your account even if they have your password. You know, I would combine those three as one point. That's one very valuable point, right? The second I'll talk about is we need to update our devices and applications.
So our devices, you know, they are software built by human beings. And a lot of times they may come with flaws that even the creators may not have seen at the point of putting them out in public for use. But over time, as they are used and as they get feedback from people and as they do their own research, they may come across issues, and so they try to fix these issues. And that's why they put out a lot of these updates. And so when you do not do the updates, you're basically telling the bad guys, who may now be aware of these issues, because when they put out the update they will explain: this is why we are doing these updates, these are the things we're trying to fix. The bad guys also read those blog posts that Microsoft, for instance, posts, and they'll say, oh, so there's this flaw you can exploit. And so when they go around, maybe by the end of the first week only 50% have done the update, meaning that the attackers have a week to potentially target the 50% of people who have not. I'm using that as a rough figure, but I'm sure it may be higher, given that we don't install in the first week, right? And so you are making yourself vulnerable, because the bad guys now know the weaknesses and they are figuring out ways to exploit those weaknesses. Meanwhile, you've not done your update to make sure that you can't be a victim. Lastly, again, since we have distributed teams, our teams work across different locations. That means our devices are very important and our devices need to be secure. So I think my last, or my third, point would be to install a trusted anti-malware solution. This will help you with a lot of attacks that you may not even see or spot with your eye. Some of them will get blocked automatically, and you just get a notification that this has been blocked. So I think it's very helpful. Again, three is small; there are so many other things, but I don't want to go beyond the time. I think those three, for me, will be the key things to start with. And you can get some free ones.
Although the suggestion is always to do your research before you use any tool or software. Do your research. There are always people who have done reviews and people who have done comparisons. So make sure you're using something that's from a credible organization. You're not using something that says it's doing A when it's doing B in the background, right? So always do your research before you get any tool or software installed in your organization.

Thank you for that. I know it was difficult to pick just three, since they are all very important. I do want to say that I really appreciate you highlighting enlightening others and training your staff. I think that is a very important factor to this, because, generally speaking, you're not aware of these things until someone tells you or this happens to someone else. Personally, before TechSoup, I worked at smaller nonprofits. And it was mostly emergency relief. So you don't really have time to talk about data security and data protection and all of these important fundamentals, because those are things that can put your nonprofit at risk, or even the people that you are serving at risk. And so I personally feel very thankful for TechSoup to have provided that training for us, and I hope to learn more throughout that training. But yeah, I believe that's a very important point, because you don't want to wait for this to happen to you or to someone else in order for you to think, okay, this is serious, our organization needs to tackle this.

Exactly. It's my pleasure.

I do have another question. Do you, and maybe this is open for discussion with Lynette as well, do you feel that the nonprofit sector is impacted the same way as the corporate sector? Or are there some key differences in terms of physical threats or actors?

I would say there are some differences.
So yes, I agree that the nonprofit sector, I think because of the kind of money flowing through it and the kind of awareness people are gaining about nonprofits, there's more interest in what they do. Two examples I'll use. For instance, the cyber criminals know that you guys are getting funding from, for instance, maybe the Bill and Melinda Gates Foundation, from the UN, from all these big international global organizations. And they are foreseeing potential millions of dollars flowing from left to right and things like that. So they want to partake in the cake. They want to taste it. They want to have a share of the money. And so they potentially try to target those organizations, because usually you announce, oh, we're thankful to Microsoft, maybe, for sponsoring this, this, this. And you hail them and you're happy, and it's on your LinkedIn. And the attackers are like, oh, they got two million dollars from Microsoft. And so they're potentially now targeting maybe your CFO or the CEO of the nonprofit, or things like that. That's one side of the issue, the financial side. The other side is that potentially a lot of nonprofits do things that a lot of governments frown upon. So for instance, a lot of nonprofits are reporting, you know, media nonprofits, civil society organizations, for instance, reporting about maybe an election, or about climate change impacts, or about, you know, lack of diversity, or politics, or, you know, different things like that. And these things are even something like good governance, you know, which people should ordinarily like, you know, but these things could offend certain governments or certain government bodies, or even individuals within the government or who have access to state resources. And so they can decide to potentially target a nonprofit for that reason.
And you've seen this happening across Africa, for instance, and even beyond, where an organization reporting on a particular issue suddenly starts getting their websites attacked, or suddenly starts receiving a bunch of phishing emails to try and hijack or gain access to their email accounts and stuff like that. We've seen where websites are censored, in the sense that no one from that country can even gain access to their websites. So you can't even go and read more about the news the organization is talking about, you know, and these kinds of things happen. And so I think potentially these are the two kinds of dangers that, beyond the general dangers you still face online, these are the two that I potentially see targeting nonprofits, simply because of who they are affiliated with and what they do. So there's more reason for people who work in this industry to be very cautious, to be very careful, and to learn more about digital security.

Thank you. Yeah. Those are all very important points. Thank you for answering my question. Lynette, do you have any questions?

No. I'm very thankful that we were able to have this session. One of the practical things we can do on our end is just do a quick checklist on the 10 ways that Samela has given us, especially the ones that don't require any resources, financial resources. And we can have that in the TechSoup resource portal so that people can just go there and check, you know, whether they have done these basic steps before. So thank you, Samela. This was really good.

It's my pleasure. Thank you for that suggestion, Lynette.

I think that's a great idea. And thank you, Samela, for this presentation and for taking the time to meet with us.

Happy to do this.