Welcome everyone. Welcome to our webinar, Nonprofit Security Best Practices: Are they out to get you? We are thrilled to host this webinar today, and I want to give you a brief rundown on how our platform works. So you will have the opportunity to chat with us and Julian, our presenter today. We do use ReadyTalk. The chat box, or the chat bar, which is on the far left-hand side of your screen, is there for you to ask questions. You can also let us know if you are having any technical difficulties. I will receive those chats, and I will queue up any questions for Julian. During the event we will pause definitely at the end of the event or towards the end of the event to answer any queued-up questions, and possibly throughout the event when we have the opportunity. So don't worry if your question isn't answered immediately. We will get to it even if it is after the event itself. There is no need for you to raise your hand. Simply chat into the chat box with any of your tech problems or challenges or your questions for Julian. If you lose your Internet connection you can reconnect using the link that was emailed to you in your confirmation email or any one of the reminder emails. If you lose your phone connection, if you are using your phone, you can redial the phone number and just rejoin. For most of you sound should come through your computer speakers. If for any reason during the event your audio fails or it cuts in and out or it does not match what you are seeing on the screen, we recommend you try logging in again or simply call in by phone or through Skype. I have chatted out that phone number a few times in the chat box and I will do so again momentarily. Just so you know, all your lines are muted so we can get a good clear recording. The webinar will be available on our website along with all of our past webinars at www.techsoup.org/community/events-webinars. You can also view all of our recorded webinars on our YouTube channel.
I will be sending you an email with a link to this presentation that Julian will share, a recording, and all of the links that Julian is going to discuss today within a few days. You can also tweet us at TechSoup or use hashtag TS webinars. Okay, enough about our platform. I would like to introduce you to Julian. Julian is our speaker today. He is our expert. He has been working in the software and IT industries for over 20 years. And in 2003 he co-founded Freedom Solutions, Freeform Solutions, a not-for-profit organization with a mission to help other not-for-profits use technology more effectively. He is also the lead programmer of Formulize, an open source software that lets non-programmers create database systems on their website, CMS, and mobile devices. We are very lucky to have him on this webinar today. I think you will find this presentation very engaging and informative. And I am Susan Hope-Bart. I'm the Training and Education Manager here at TechSoup. And I'll be on the back end queuing your questions and also answering any tech challenges you have. A couple of quick things. You are here joining us at TechSoup. We are located in beautiful San Francisco, California. I'm going to ask you where you are joining us from today so you get to practice in the chat box. Tell us what city and state or what country you are joining us from. And as you are doing that I am going to queue up a couple of polling questions that Julian has put together to kind of gauge the audience's understanding of some security practices. So I see everyone chatting in, lots of folks from California and the East Coast, a couple of folks from Canada as well. Welcome everyone. Here is our first polling question. What security technologies are you most interested in or likely to work on in the coming months? So go ahead and use your cursor to indicate which of these technologies you are interested in or likely to work on in the coming months.
Training to avoid risky behaviors, payments, social media (are you ever really anonymous?), email and spam, URLs, passwords, public Wi-Fi, protecting your website, the cloud, or protecting your computer. And I see we have 24 responses in. Get those fastest fingers going. We are now up to 45. I am going to give everybody 5 seconds. 4, 3, 2, 1. Wow! So we can see here, Julian, that we have lots of people looking at training to avoid risky behaviors. That is so funny because we were just talking about this, that people's behaviors, how can we influence or change individuals' behaviors? So this is great. This aligns with some of the things we will talk about. Oh, it looks like we also have Protecting Your Computer and the Cloud. Those are the top three. Thank you very much for answering that question. And we've got one more. The next one is we are asking about your role within your not-for-profit, NGO, or library. Are you with IT, Network Admin, your ED, or a board member, decision maker, program staff, non-IT? Are you a volunteer? Are you in operations or admin? Or is there something else you are? You can feel free to chat that in in the chat box. And you guys are much faster on this one. Wow! I am going to show results but I am going to leave it open for 5, 4, 3, 2, 1. Okay, it looks like a lot of you are in IT or operations. These are all great things to know. Great. So what I am going to do now is I am going to turn this presentation over to Julian who will take you through his Prezi and talk to you about security. Julian?

Hi there. Thanks very much. So I assume that in a moment I will get some notice that I am in charge, sharing my screen, and you will all see my screen, I hope. Insertably sorry, technology is over here. Thank you everyone for coming today. It is always fun to talk about these things because the whole reason I like to work with technology is to help people use it for some purpose and it is all about people engaging with it.
I like a good detailed tech problem as much as the next geek, but it is good to actually engage with people, and this is all about how people deal with stuff in a very day-to-day regular way.

And you may want to just double check. You are sharing your desktop, the top button on the top of the screen. It is okay. There you go. Got it.

So privacy and security online. Good to see that a bunch of you are in the tech field. So some of this is probably review then and that is okay. I hope if you are in that kind of situation it is at least useful information to help you communicate with your staff or whomever in your organization that you need to help understand these things better. And some of it maybe isn't review, just maybe some tips or ideas or things that you can use. And those of you who are less involved directly in technology, well hopefully there is more that you are less familiar with. Please do put questions into the chat and Susan will jump in on that because I can't see that as I am going through this. So I am not trying to ignore you or be rude. It would be great to have some discussion going on because this is not meant to simply be a sermon from the mount, that is for sure. So it is not being paranoid if they really are out to get you. In the last few years it has hopefully become more clear that there are an awful lot of people who really are out to get you out there, and in a way a healthy paranoia is actually one of the baselines that can be a good defense, as you will see. So there we go. So about me, Susan already introduced me. Freeform Solutions I co-founded many years ago now and they are still around helping nonprofits manage websites and systems online. And I have continued to do that kind of work independently since last year with a deeper focus on data management tools and things that are my stock in trade and preferred way of doing things. So that is me, and just to jump right in because there is a lot to go through.
It is a huge topic. There is a lot to know and it is hard to decide what you want to do about all this stuff. So we should start by setting some goals. As my friend Laura has said, "I have a hard time deciding how far in the sand to stick my head when it comes to privacy and security." So let's set some goals so we can have a more measured approach than that. So I hope that you come away from this learning what you can control, learning how they out there are trying to get you. And then with that in mind maybe you can stick your head a little less far in the sand, hopefully. So we'll see. I want to start with a little story. Tech folks may be familiar with this. It was well publicized a few years ago when it happened. Matt Honan, a writer at Wired Magazine. If you don't know Wired Magazine, it's basically like Rolling Stone for the geek set. He had a Twitter account, @Matt, and somebody took a liking to @Matt. They thought, that's a cool Twitter account. I'd like to have that account. So in the beginning that was all that anyone knew. Anyone interested in hacking him knew that the Twitter account was @Matt. But in his Twitter profile he had a link to his personal website. So there's a little more information out there. And on his personal website he included his Gmail address. So now there's a bit more personal information out there that was just publicly available. So now the hacker got creative. They tried to reset his Google password, his Gmail password. And when they did that, Google disclosed that the alternate backup address that it would send the reset messages to was m-something-something-something-n at me.com. The guy's name is Matt Honan. So a little bit of guesswork might reveal probably what that email address was. And me.com is a domain owned by Apple. Those are Apple email addresses. So that's probably tied to an Apple account.
So nothing's been sort of classically hacked yet, but they're zeroing in on what information is available and what to do about it. This is where it gets really interesting. And there's some security flaws here in Amazon's practices and Apple's practices that they changed after this event. But at the time it was possible for the attacker to call up Amazon on the phone and say, I want to add a credit card to my account. And Amazon did this. The hacker identified themselves as Matt. And they knew the name. They knew the billing address, presumably public information, what his mailing address was. And they knew his email address that was associated with the Amazon account, taking a guess that it was either the Gmail one or the Apple one. So they identified themselves to Amazon and they were able to add a credit card to his account. Which you may think, well, why does that matter? Well, because Amazon at the time had a quirky policy where if they called Amazon back, which they did, they then asked, I'd like to add an email address to this account. And some other operator on the Amazon phone line gleefully did this for them because they knew the name and the billing address, and they knew a credit card number that was on the account. Because they had just previously phoned them up and added a credit card number to the account. Now they could call them up knowing a credit card number that they had just added and ask, can I put an email address on the account? So Amazon did that too. So the email address is of course really important because now that they have an email address on this account, they can do a password reset on Amazon. And that allowed them to log in to his Amazon account. So now they're really getting somewhere. And Amazon doesn't show you all the credit card numbers you have on file, but it will show you the last four digits of every card you have on file. So why is that important?
Because it turns out that at this time, if you called up Apple and they wanted to verify your identity, they would be satisfied that you are you because you provide your billing address and the last four digits of a credit card. So they'd seen the last four digits of all those credit cards in his Amazon account. Call up Apple, say they're Matt. Apple believes them. And AppleCare then dutifully gives them a temporary password to log in and reset the password to get into his Apple account. So now, if you remember way back in the beginning, it was the Apple account that was tied to the reset of the Gmail password. So they can now get into the Apple account and the Gmail account. And then with access to the Gmail account, they reset his Twitter password and they could take over the Twitter account where this all started. And just to make it harder to see what they've done and cover their tracks a bit, they used the remote features that Apple provides to wipe the contents of his iPhone, his iPad, and his MacBook. And they also deleted his Gmail account. So that's where it gets really nasty because it's an awful lot of data loss besides the identity theft. And Apple did help recover the information off the laptop, I believe, after this, but it's a pretty damning situation. So it's a crazy story. It all happened really fast. The whole thing went down in like an hour, less than an hour. But I think it illustrates a lot of great points. And the one I like to emphasize the most is: was there some super evil genius programmer that wrote some crazy virus that infiltrated everyone's computer and took over the world? No, it wasn't like you see in the movies. It was just simple social engineering, so-called. And that's always been the most potent tool in any hacker's arsenal. Even today, a story from a couple of years later, someone just called up a server company in Ottawa where a company called Canadian Bitcoins had a bunch of servers.
Bitcoins being this digital currency, cyber currency, where each Bitcoin is worth a fair bit of money. And this person just called them up and at no point was ever challenged to prove who they were. And the tech support person that they were talking to basically granted them access to the servers of the Canadian Bitcoins company. And this attacker just transferred Bitcoins out to their own account, valued at around $100,000, just because he asked nicely and sounded authoritative. So social engineering goes really far. And it's one of the things where the biggest defense against that is simple caution, or paranoia, some would say. Great book by Kevin Mitnick called Ghost in the Wires. He has a lot to say about this and all the hacking that he used to do when he was wanted as a major hacker. But so much of what he did was actually non-technical. So here's a survey of all the sort of nitty-gritty topics we might get into. And based on the survey responses there, it sounds like protecting your devices, and email and spam, and the cloud were a couple of the big things that people wanted to talk about. To start with, I'll focus on those three, but I'd like to start with URLs because it's highly relevant to the email and spam topic and to a lot of things in general. So briefly, indulge me to go through URLs and we'll dive into the others too. URLs, things to know about this to help you understand or explain to people how to keep themselves safe. Hopefully if you're interested in this topic and you're here, this is mostly review, but anyway, you'll see. So URLs, links, addresses, site names, they're more and more hidden these days. Whenever I talk to people, guide them through something, I say go to the address bar of the browser. Half the time people don't know that there's an address bar on the browser because their browser opens up. It goes to Google. They type in the website that they want into the Google search box.
The Google search results come up and then they go to the website they want. They sort of bypass the address bar entirely, but hopefully everyone here is aware that there is an address bar in the web browser at the very top and you can type in an address for a website directly and go there. And everything on the Internet has an address, and understanding the addresses is the number one backstop that you have against being in the wrong place, giving the wrong information to the wrong people. So look at a simple address. Those of us who know these things, it's like, oh my God, this is so remedial. But when you think about it, there's actually a fair bit to know to understand how to read this properly. The first thing is everything after the slash, you can ignore it. It's totally irrelevant for figuring out the validity of this address. And then from that point you read it backwards towards the beginning. So the top level domain, .com or .net, .ca, .gov, et cetera, there's a zillion of them now. You can pay about a quarter million dollars and run your own top level domain registry if you want to. It could be fun, depends on what you want to offer, I guess. After the top level comes the actual domain name, Google. So that's the key part right there. Beyond that, you get into what's called the subdomain, and that's mostly irrelevant. There might be more than one. Sometimes you see websites that are like something.something.google.whatever. It doesn't matter how many there are, they're all kind of irrelevant for figuring out where you are. And then at the very beginning is what's called the protocol, but it's not even usually shown. Oftentimes a web browser, if you are looking at the address bar, will just show you the subdomain, the domain, and the top level, and it'll omit the protocol. So that's what the address is. And it's important to know how to dissect that.
And if you knew all that already, hopefully that's at least a useful illustration you can show to some other people. Now to learn what the actual URL is, like this is the thing, you get all these links in websites or emails or wherever. To learn what the URL is, a lot of people say, okay, you can look on the status bar on the bottom of the browser. If you didn't know this, the browser will show you. If you hover over a link, it'll show you something at the bottom. That's true, and most of the time that's correct, but those can be spoofed. Lots of things can be faked on websites and on the Internet, and those can be as well. So if I'm going to give you some advice about the number one way to be sure where this thing goes, if you're looking at something that's like, if I click on this, what's going to happen? Is this really what it says it is? If you right-click on the link, or control-click on a Mac, you get the little pop-up menu, like what's shown here. And if you copy the location (in different browsers it might say copy the address, copy the URL, copy the location or destination or address that this link belongs to), and then paste that somewhere, then you're not activating the link, you're not going to where it actually is going to take you, but you're seeing where it's going to take you if you click on it. And it's just a simple step to actually see what's going on. But you have to be able to read the link for that to matter. It doesn't help if you can't read it. So yeah, and as I said, the status bar at the bottom is common advice, and it's good advice, but it can be spoofed. The thing is, if you look at the status bar and the link is garbage, then great, you're done. You know that this is not something you want to click on. But it might look good and still be bad. That's why the copying is the most reliable thing to do. So we'll see how on the ball you all are. We don't have to do this as a poll. You can just tally in your own mind.
Which one of these is the real link for the real bank? Taking into account the little run-through of URLs, can you read this? And can you say to yourself confidently, I'm going to click on one of these things and type in my banking username and password, and I'm not going to lose any sleep at night. Which one? Top one or the bottom one? Well, if you haven't figured it out by now, that's a bad sign. The top one is the real one. The bottom one is not. And here's why. It's because right before the first slash, it's TD.com, and that belongs to TD Canada Trust. And in this one, right before the first slash, it's banksite.cc. Run away fast. It's not a real website. Well, it's a real website. It's just not the one you want to go to. So from there, sort of following on that theme, let's look at email and spam then. Because understanding that stuff is really critical, I think, to understanding email and spam attacks. Now the advice you always hear and everybody says is, don't open suspicious attachments. Well, yeah, but what counts as suspicious? Because here's the thing, if your friends get viruses, the virus is going to send messages to everyone in their address book. So if you get a message even from someone you know, but the content isn't really unique and speaking to you directly, is not saying things that only that person would really know or say, then it counts as suspicious. Anything is suspicious. This is the paranoia theme again. So yeah, tell your kids to love the world and be friendly and trust people, but everyone on the Internet is a stranger with suspicious candies. So it's sad, but that's the way you've got to look at this. And the bottom line is the links, as we just saw. See the URLs, this whole thing. And you can do this in email; in your email program you can do the same kind of thing. You can right-click on a link and you can copy it and there you go. And if that domain and TLD doesn't look right, then don't click on it.
Now it's a whole lot of education, but honestly I think that's the only solution to a lot of this. Well, you can put in all kinds of firewalls and software and things that some organizations put in place to prevent people from going to certain places. But that's sort of an endless game of whack-a-mole because the way these spam things work these days is the attackers just hack some new website, dump all of their suspicious stuff onto that website in some hidden folder, and then direct you there through their spam. So I think it's really understanding and education is the only way out of this. It is easy to fake emails, but as sort of a final thing I just want to point out you can also look at the headers of email. All email programs will give you some option to view headers or see the full text or the source of the message. And the headers look something like this, which looks really scary. But again I think the importance of understanding URLs and addresses is once you know what they look like you see them all over. And whatever that stuff at the beginning is, this is subdomains, three of them, it doesn't matter. It's utoronto.ca. So I know that this message started at the University of Toronto and there's a history here of where it was sent and received between different servers at the university. And then eventually it got picked up by Google, and at the time Google still managed the Freeform email system. So from Google it got passed on to me at Freeform. These were real headers from a real message. So a lot of that stuff is hard to read, but most of it's irrelevant. When you know what you're looking for you can actually quickly do a validation. And that's true of lots of things online. So looking at protecting your devices, that was the top thing that people were concerned about. And some aspects of this I think are kind of boring.
Number one advice about protecting your devices is backups, because it's going to be lost, stolen, the hard drive is going to fail, some fool is going to install something on it that renders it unusable, who knows. So you want to back up everything that's important. And you all have backups running right now on all of your important things. I'm sure you do. Before you sat down to the webinar it was the last thing you turned on. But well, of course, sadly that's probably not true. Backups are often the last thing that people think about because it's just not part of your day-to-day routine. But there's nothing more important than having a backup plan or backup copy, especially of data that's sitting on any device, especially mission-critical ones, that's for sure. And then virus scanners, keep that kind of thing up to date. It's one thing to have it installed, but if it's not being regularly updated, and they can all be set to automatically update now, then it's not much use, because the thing that's going to get you is not something that came out like five years ago or whatever. It's going to be something that's new on the scene and you want to be updated ASAP. And well, the other thing, just to understand sort of the importance of securing your own devices and why viruses are just so bad, is that especially on, well, Windows has got better than it used to be, but it's still true that generally speaking software that's on your computer will have access to what your computer is doing to a greater or lesser degree. As an example, I want to run through a useful tool here called Prey. If you haven't heard of Prey, you can install Prey on your computer or your phone, and basically its original purpose is to monitor your device if it's stolen. So you can see where it is, when it's turned on, when it's connected to the Internet, and it will sort of phone home to the Prey servers and send you a notice saying, hey, your device has popped up online and it's at this location and so on.
So that's kind of handy. And certainly I would recommend that kind of software on any laptops that you have that are actually owned by your organization and that are leaving the home base and circulating out there and are going to get stolen out of the backseat of somebody's car, who knows what. So this is useful, but it helps show you some of the things it does, and it's kind of freaky. So I installed it on my laptop a while ago to create this. And one of the first things that popped up when I generated a report about what my laptop was doing and what had happened to it is it showed me this map. And I thought, that's really cool, but wait a minute, my laptop has no GPS. So what's going on? Well, the fact is that even without GPS, a device connected to the Internet can be geolocated just based on the Internet connection it's using. Google and other services keep giant databases of where all the IP addresses in the world are actually physically located. So when you connect, they can tell, oh, that's a Toronto address, or that's an address like right there on my street. That map is quite accurate. That is just about precisely where my house is. Now Prey will also do things like, well, show you the snarling face of the nefarious person that stole your laptop, because the software can access the resources including the camera, and files that can see what you're typing. There's a screenshot there, part of a screenshot of what was on the computer at the time this report was sent to the Prey servers. So this is handy from a security point of view, a little freaky as well, but handy. And viruses are software, just like any other piece of software. They could be doing all of this, but without your consent. So some people I think don't think, oh, your computer's got a virus, oh well, I'll just have to wipe it or clean it or whatever. It's a big deal. Like if your computer is compromised, a lot can go wrong. A lot could potentially happen.
Not necessarily, it might be nothing, but you just don't know. And it's something that people should take very seriously. I think if they took it as seriously as it potentially is, there might not be so many security problems. Another thing that's important to do for your own devices is encrypt the contents of them. So here's a program called TrueCrypt that you can install on your computer, and it will basically scramble all the information in your hard drive. It will encrypt it, the technical term. And that's so that it can't be read if it's stolen. Or even if it's not stolen, there are people who work in, for example, human rights nonprofits, and they don't want the governments of countries they're visiting to be able to seize their laptop and see what's on there. And there's even people concerned about that in not so far-flung places. So TrueCrypt is useful for that, but at a risk here: there's no future versions of TrueCrypt planned. The team that was working on it has disbanded. So as far as is known from a software audit that has been done on it, there's no serious issues with the software. It's worth using. It's still good, but it's not going to be maintained into the future. So there's some other alternatives here. VeraCrypt is a fork of TrueCrypt that some other people are carrying on. There's another software called DiskCryptor which does similar things. And the thing is, there's also built-in tools in the operating system now for all the major operating systems. You could use those to encrypt your device. Not everyone trusts those because it depends on your level of paranoia, right? A lot of these things depend on your level of paranoia and sort of which risks are worth how much inconvenience. So the risk that there's backdoors built into Windows for the NSA is a concern to some people and to others it's not. And you can decide if it's worth using these things for yourself or not. Now what about your phone?
A lot of that stuff is all primarily for your laptop, although Prey will work on your phone. But certainly device encryption, well, the sad news is there's no equivalent of TrueCrypt for your phone. There's no really sort of robust, just-going-to-work option that I can make a general recommendation of for anybody. There's no equivalent third-party independent software that you can use to encrypt your phone. So if you've got tablets or phones or other things that are leaving your office and you need to keep them secured, well, you're kind of stuck with what Apple gives you. Since iOS 8, iPhones are fully encrypted if you use a passcode to lock them, and there's encryption features in older iPhones as well. Android encryption, because of so many different manufacturers and versions and things, varies quite a bit in what you can do from device to device. But generally speaking there is some device-level encryption you can turn on in most of them, all new ones these days. So you kind of got to go with what you're given. It's like going with the Windows version of encryption on your laptop, which is, if what you're concerned about is someone stealing the device and being able to read information off it, this is probably good enough. If you're concerned about some point of attack from a government or some other organization with similar resources, then hopefully none of this is news to you. Anyway, I've been zipping through a lot of stuff here. I was going to jump into the cloud next, but I thought I'd ask Susan if there's any questions or other discussions or things that are worth revisiting or taking into.

Yeah, great. We have. We've had a couple of questions. The first is from Craig. He's asking, do you need to back up files on Google Drive?

Haha! Do you need to back up files on Google Drive? I don't myself, so I guess that's an implicit validation for not doing it.
The thing is, the infrastructure that Google and other cloud services have, and I'll talk about that next, the infrastructure that they have is not like in the old days where it would be like, oh, we have a file server and it's this computer under Sally's desk that's running 24-7. And then one day the hard drive fails and it's like, whoops, did we have a backup of that or not? The Google infrastructure is obviously still the exact opposite of something like that. They're the largest buyer of computers in the world because they have just so much stuff. And there isn't really a computer out there that your Google files are sitting on. There are probably multiple copies of them throughout this sort of ecosystem of servers that Google has. Now that's not to say, of course, that something won't go wrong somewhere at some point and some file you have in the Google cloud might become corrupted or who knows what. More likely would be some situation where, say, you've got multiple people who are accessing a file and somebody overwrites the file with something else by mistake or who knows what's going on. The file essentially becomes damaged because somebody did something to it rather than the file being lost. Now Google has great revision history on all your files as well. So even if that happened you should be able to go back and find the version that you liked and sort of revert to that. So I think it's always good to have backups, but I don't think it's necessary for the cloud stuff. The other thing about backups is the reason people don't do them as often as they should is because it's often hard to institute a regular recurring backup policy. What's the process by which we're going to go through to back up everything? I'm backing up stuff off Google.
The best thing you can do, if you don't know already, for all these services, Dropbox, Google Drive, etc., is you can download a program from them to install on your computer and it will mirror the contents of the Google Drive to your hard drive or to your laptop or whatever. That's very handy because then you can interact with the files, if they're not just, say, Google Docs files but regular old files. You can interact with them off the hard drive of your device, and you make some changes, say in Microsoft Office to this Excel sheet, save it, and then the Google software will sync that back into the cloud. That's kind of an implicit backup already, because then you've got it sitting there in the cloud plus you've got the copy on your hard drive. So that would be what I'd really recommend when it comes to that. Sorry, long answer, but there you go. Yes and no. Great. Thank you. And one more question before you go back to your presentation. This comes from a nonprofit that says they purchase a lot of their necessary items online. Their credit card has been stolen twice. What can they do to prevent this? What can they do to prevent this? Well, not as much as you might like to. Maybe I'll just do a quick detour into payments, because there's not a lot to say about this. But when you're doing payments online, the thing is HTTPS, the protocol at the beginning of the address. You want an S on the end of that, and your web browser will have the lock symbol. If you're doing a lot of purchases online, hopefully this is not news to you. You want to see that lock. You want to know that the connection is encrypted so no one's going to steal the communication in transit, because that's what it means. You want a secure connection so that no one's eavesdropping and no one's going to steal the credit card number as it travels over the internet to the store. Now here's maybe something that might help. Don't ever store your credit card information on the website. 
That would be my recommendation. It's not a law. But the thing is, they all have this: save your profile information, save your payment information to make it easier next time, or check out faster, etc. What that means, though, if you do that, is that they have a copy of all that information, including your credit card number. I just don't think that's ever a good idea, because if their system gets hacked, and this is the thing, I don't know how your card's been stolen, but there are two ways most likely for how it got stolen. One of them is the servers of the system where you're buying this from got hacked and your credit card got stolen out of their database. If you don't store it on their website, they don't have a copy of it, so it's not going to get stolen that way. Now, a caveat to that: maybe you want to store credit cards on PayPal, because PayPal's business is, like, I'm sort of throwing this out there as an example, this is a thought-provoking kind of thing, because essentially how much convenience is worth how much risk? Is PayPal better at securing things because their whole business is built around payments and online commerce and stuff? And are they better at this than some random shopping website out there? I think they probably are, or better than some, certainly. And if you can check out using PayPal instead of giving your credit card information directly to a website, does that sort of put a layer between you and this potential attack vector? How much convenience is worth how much risk? Something I alluded to earlier. When it comes to payments, that's kind of all there is to it, because you're really at the mercy of who you're engaging with at the time when you're making that transaction, but you can give them as little information as possible. The other thing, if you've found that information has been stolen a couple of times, then, well, questions to ask are: how many people know that card number? 
Like, was it actually stolen through technical means? Or was it just because it was written down on a sticky note on somebody's desk and the cleaning lady noticed it or something? I mean, not to cast aspersions on cleaning ladies in general, but as an example, there are lots of ways that it potentially could have been taken. On a technical level, maybe the browser has saved the information or someone's phone has saved the information. And the thing is, if you have secure information, important information like that, on a laptop and you're making connections to wherever, but then say that laptop gets infected by a virus, remember what we were just looking at about protecting your device? Well, a virus could read files and other things off the hard drive and might find the credit card number that way. So for a lot of things, not just stealing credit card numbers, but for a lot of things in general, a basic question is: how exposed is this information? How widespread is it? Is it stored on the servers out there or is it only known by you? Is it saved on the laptop or do you type it in every time? So the less exposure any bit of information has, the less likely it is to be taken through whatever means. Great, thanks. I think some of the other questions talk about cloud servers like Office 365, SharePoint, and things like that. Okay, well, let me dive into the few things I have to say about the cloud, and if there's sort of more beyond that, then we'll see. We're at quarter to the hour too, so we'll zip through here. The cloud, so yeah, it's probably more secure than so-called local storage systems, the extreme counterexample being the server under Sally's desk, and that's because these cloud systems are always going to be up to date with security patches, firewalls, people are monitoring the logs, the data center is physically secured, and so on. All of those things are not necessarily true of non-cloud alternatives that people have used in the past. 
And it's really convenient to be able to access your stuff wherever you are, what I described before, or if you have your laptop syncing to Google Drive and so on, then it's sort of effortless in a way once you get all the parts synced up. But there are obvious privacy implications. And it also changes, there's an economic aspect to it as well, because the licensing models are different and how you pay for access to some of these things is different, although TechSoup can help with that in some cases, and I'm focusing primarily on the security and privacy, not the financial aspects. And from that point of view, there are privacy implications. They're promising never to look at your data, but it's not on a computer you control anymore, and it's known that all of these companies, all the big companies, are forced by the US government to turn over whatever information they might want at any point in time, or at every point in time. So it's a balancing act, again, like I said before: how much convenience is worth what kind of risks? To some people, those risks are not relevant. To some people, depending on the line of work or the information that they're concerned with putting in the cloud, that might be really, really relevant. So these kinds of services are here to stay. I think, clearly for years now, it's been a model that the industry has moved to wholesale. We're not going to ever go back to the way it was when you bought disks at the store and had that kind of control over things, but even then you didn't have that much control unless it was open source, because you're stuck with whatever they're giving you on the disk. So it's a different model, and it has some benefits, but it's a different set of tradeoffs than it used to be. Were there specific things in people's questions, you know, nuances beyond the general there? I think folks really were looking at Office 365 and SharePoint. 
Thank you, Covert. That one question was, if you have a cloud server, is it possible to encrypt that server, or is a firewall sufficient? So I think that's a kind of nuanced question, yeah. So yeah, if you have stuff in the cloud, then you're basically relying on the security of the, well, stuff. I don't necessarily know what stuff exactly you're talking about, but I'll give two examples of different sides of this. Generally speaking, if you have, like, a SharePoint server in the cloud that you're leasing from Microsoft, or whatever the arrangement is, or you're just using Office 365, part of what you're buying, part of the convenience there, is the security that they're providing. They're basically guaranteeing that the Office 365 website is not going to get hacked, that your files in there, Google does the same thing with Google Drive. They're basically saying, yeah, we're not going to get hacked and your files are not going to end up on the front page of the New York Times. And you kind of have to trust them on that. And the premise is that you can probably trust them better than you can trust a lot of other people, because, like the PayPal example, their whole business is built around this, and they have people whose job it is to make sure things are patched up to date and so on and so on. And yet we do hear about these hacking stories and all that. But the thing is, if you want to do it better, that's kind of what it comes down to. Could you do it better? Could you hire people to do a better job than the people that Microsoft has hired to do that for them on Office 365? Probably not. It depends what kind of organization you are and who your staff is and so on. But that's what you buy into. Now the other thing is, if you're talking about just sort of cloud servers in general, beyond the services that you buy in the cloud, you can just buy a server, a machine or an imaginary machine floating around in the cloud somewhere out there. 
And what about encrypting that or protecting that? If you're running your own servers in the cloud, then yeah, essentially hopefully you have some server admin people on staff who know how to keep those kinds of things secure. Because if you're running your own machine, whether it's a cloud server or a dedicated server or whatever kind of thing it is out there, it will need certain things done to it to make sure it's secure. Maybe on that point I'll just jump briefly through protecting your website. There's a good old-fashioned hacked website page. It's what you don't want to have happen, but that's not really what happens anymore. The reason people hack websites is not to deface them like this. It's sort of quaint now to see things like that. Because these days they want to actually take over the website and use the space for their own purposes, because they're putting up fake pharmacy websites behind your website that they're directing people to from spam. Anyway, to protect against all that stuff, and this applies to cloud servers and any sort of technical service you're running yourself on the web, you need to have those people who know what they're doing and how to keep things up to date with security patches. Most of the attacks that are going to happen are automatic attacks. It's not some kid sitting there behind a keyboard figuring out your password. It's some automatic process that takes advantage of known security holes. So you want to make sure you're up to date with all the known fixes for those security holes. As I was saying before about the credit card example, make sure that all the computers where anyone is making changes to the website are completely clean and secure. Because if the computer that has the FTP password for the website, where someone logs in and makes changes to the website, has got a virus on it, chances are it's maybe stolen the password to the website. 
So you want to make sure that your systems are clean, because everything connects to everything else. Never mind if it's a website or server that you're running yourself. It could just be your Office 365 password or your SharePoint password. This is why viruses and protecting your own computer are really important, because it's not just your computer that's necessarily going to be compromised. It could be that anything that computer has touched is possibly tainted at that point. Strong passwords for all your access points to the website, whether that's the server control panel, FTP, administrator accounts on the website. We may not have time to jump through the whole password section of this, but I'll just throw in here while we're on the subject: use two-factor authentication, not just strong passwords. Two-factor authentication is where you can have Google, or whichever company runs the password. Like, you have a password for Google, you have a password for Microsoft, you have a password for Apple, etc. These companies have two-factor authentication where you can turn it on. It's part of your profile, part of your account settings with them. And it means that they will send you a code on your phone as well as you typing in your password. To oversimplify it, you could think of it as double the security. It's really more like 20 times the security. Just turn on two-factor authentication wherever you can. Just do it now. It's the best advice you'll get. Make sure that the people who are managing your website or building these things understand what these technical terms mean. I won't explain them, although I can afterwards, because you have to have people who know what's going on running the show. And be prepared to pay for what you get. You get what you pay for, and doing this stuff costs time and money. It's not going to happen for free. 
That's why the subscription services in the cloud are so popular, because you don't have to employ people to do that stuff. You're just trusting. That's the thing. How I learned to stop worrying and love the cloud. You either go for it or you don't. Thanks, Julian. We do have quite a few other questions that I'd like to get to before we close for the day. You obviously have a lot more information to share as well, which we will be sharing out via your Prezi with everyone. And I'll just emphasize about that: the Prezi is sort of self-documenting or self-explanatory. You can run through it yourself, and hopefully it more or less explains the basics of everything that's in there. It doesn't require someone to talk through it, although that helps. And you can email me anytime. I'm happy to chat with anyone about this stuff whenever. That's no problem at all. Great. And I will include your email in the follow-up email for everyone. Fabulous. Okay, so I want to get to a couple of these questions. The first is from Allison. And I think some of this will be taken care of in the follow-up email, but she is a relative IT newbie, and she needs to educate herself. She's not completely unfamiliar with technology, but she's now newly responsible for a lot of the day-to-day training. Yes, a common nonprofit story. Exactly, the creep of scope of work. Could you recommend resources or reading in addition to the ones that I'm going to share out with everyone via the chat, which I've already done, or in the follow-up email? Is there somewhere we could point her? That's a great question. And I wish I had a better answer, or any answer really, because in my travels I never come across such things in my own work or day-to-day running and just doing things. Yeah, I'm sorry. I can talk about most things if I have to, but I'll save time and just say I don't really know. I'm sorry. And I've chatted out some URL to an article that we have on TechSoup. 
TechSoup does have quite a bit on security, so I will try to include those links as well in the follow-up email to help Allison. So thank you. Lisa asks, is there a particular virus protection that the presenter recommends? Not strongly, as in I don't monitor that space closely or keep super up to date on how things are going. But in the past, two that I have used and been pleased with, and I like the model that they follow, are Avast, A-V-A-S-T, and also one called Malwarebytes, Malware-B-Y-T-E-S. I've had good success with those. Keeping with the paranoia theme, it's good to run more than one, because some will catch things that the other doesn't and vice versa. The thing with virus software is some of them really slow down your computer because they're double-checking every single thing all the time, and it's just really annoying. And there can be other sorts of annoyances through using them. So yeah, if you find one that is not quite to your liking or there are things that are bugging you about it, that's fine. Go find another one. There are lots out there. But those are two that I've used before and been happy with. Great. This question, I apologize for this coming a little late, because Michelle did ask it earlier, but I wanted to make sure I understood it. Michelle is asking, are email headers just as useful when so many organizations use MailChimp and those types of services? I think she's getting at detecting the risk. Yeah. Well, email headers, in terms of detecting the source of the message, somewhere in there will be some clue that it came from MailChimp. So that's still useful, in terms of, like, the mail headers basically just tell you, unless they've been tampered with. But the thing is, most spam messages and fake messages are preying on the lowest common denominator. They're not trying to trick Edward Snowden into clicking on the link. So they're not going to spoof anything and everything and make it undetectable. 
They're hoping that your grandma, the proverbial grandma, is going to. We always pick on the grandma using technology. What do they know, those old folks? But some of them are smarter than you think, and they're pretty savvy. But they're trying to trick somebody into doing this who doesn't know a whole lot about it. So if you start to look under the hood, at the headers, you're probably going to see some fishy stuff going on. But if it's actually from MailChimp, you would see that. So it is still useful. It gives you the path that the message traveled from MailChimp to you. So that's always useful. More information is more power in these situations. Great. Thank you. I am actually going to close the question-and-answer session because we are right at noon. So I wanted to let everybody know about some upcoming webinars and events. And if you could, just before you jump off, please take our survey, and if you could just chat one thing you learned. We are having another security webinar tomorrow, and it's very specific to the Microsoft Cloud. So I think that if you came to this and you are additionally interested in these security topics, please join us tomorrow. Next week we will also be having an event about Adobe Illustrator and also something about digital storytelling. I'd like to thank Julian for volunteering his time and his expertise to share this information with you. I am now sufficiently not scared, but I am definitely wiser for having taken this webinar alongside everyone on the call today. So thank you, Julian. We really appreciate this. This was super. This was really awesome. I want to thank all of the learners joining us today. We know your most valuable asset is your time. So thank you for your hour today. I hope you have a great rest of your week. And a special thank you to ReadyTalk for providing this platform for us. So thanks, and hope to see you on our next presentation, perhaps tomorrow. Thanks, Julian. Bye-bye.