Sorry, can you see the screen?

Okay. Yes, I can.

Very good. Great. Well, thanks everybody for joining today. We're talking today about information security, or as well as information insecurity, depending on if you're a glass-half-full type person. Oops, going real fast here. Learning how to navigate. There we go. My name is Eric Leland. I'm an Idealware expert trainer. I'm a founder at Five Paths, which is based in Northern California. You can find us at fivepaths.com. We do a lot of webinars for Idealware and other groups on a whole variety of topics. We build and design websites and databases, including Drupal and Salesforce systems. I'm happy to be here, and I'll be facilitating today. We also have a color commentator today. Would you mind doing a brief introduction of yourself?

Sure. Thanks, Eric. So my name is Elliot. I'm a researcher, writer and editor at the Legal Services Corporation, and my job is primarily just to highlight and share best practices and innovations in legal aid. And then I just wanted to, you know, have a shameless plug. I have a blog, Innovations in Legal Aid, on Medium, so I encourage you to go there and check out the new posts and resources. And I'm just looking forward to talking to you guys today, and just feel free to reach out anytime with questions, or if you want to work together. Thanks.

Thanks, Elliot. And we're also joined today by Angela, Angela Tripp. Angela, would you mind doing just a brief introduction about yourself?

Sure, I'm the director of the Michigan Legal Help Program, which is Michigan's resource for self-represented litigants. Our primary resource is the Michigan Legal Help website. We also have 18 brick-and-mortar self-help centers around the state, where we try to bring extra resources for self-represented litigants who want to use Michigan Legal Help to get the information and legal forms that they need.

And just a quick note: we dropped the link to Innovations in Legal Aid in the chat, so it is there.

Great.
Thank you. Great, and then Angela, you'll be speaking a little bit towards the end here about some of the toolkits that we'll be talking about today. So thanks for being here for that. Good, so this webinar is helped tremendously by folks from Tech Impact and Idealware. Idealware is now a project of Tech Impact, so this is a recent positive change. Idealware is bringing lots of trainings, as well as reviews of software and best practices around technology for NGOs. If you haven't checked out their resources, you should check them out after this webinar at idealware.org. And again, they're now a part of Tech Impact, so techimpact.org as well is a good resource to check out. There's lots of free and low-cost resources, written reviews, short and longer comprehensive reviews, as well as recorded webinars and live webinars on all kinds of topics. So check them out. As I mentioned, we'll be talking a lot about information security and a lot of tools that are available in the legal aid toolkit. So there's a free download for this toolkit that you can check out. I will be referencing some of this as well, so ideally you can kind of get your hands on that toolkit. And I'm going to make my screen small so that I can give you this link and put it in the chat here. Here we go.

This is Angela. I'll just add that this webinar is also part of a Legal Services technology grant funded project that created four toolkits for legal aid, and this webinar is based largely on the information security toolkit that you can see here and download. There are three other toolkits that are part of this project, and I'm going to talk more about them at the end of the webinar as well.

Awesome. Thanks, Angela. So here's what we'll cover today. We're going to look at why security needs your attention now, not only now but in the future and ongoing. Looking at risk: how do you figure that out?
Checking out some examples of risky practices, so you can kind of understand and think about whether those are things that are going on in your organization. Looking at policies and processes for helping to, you know, manage and mitigate those risks as best as you can. As Angela mentioned, kind of diving a bit into the legal aid tech toolkits that have a lot of resources for helping out making these kinds of decisions, and some additional resources as well. So that's today. But first I want to hear from you. Maybe you can use the chat, if you wouldn't mind, in the webinar software here. On a scale of one to four, let's say, because there's not a fifth choice: are you very concerned, number one, all the way down to no concern, number four, for data security? So if you're very concerned, number one, number two, number three, or four for not concerned at all, if you wouldn't mind chatting that. For any folks that are listening, it'll give us a little sense of what you're thinking of here today.

Just as a quick note: dropping it into the questions box, we'll be able to see it, and I've already got a "somewhat concerned" and a two as responses so far. Let's see: "Having seen some of the problems, I would say yeah."

Okay, good. So, yeah, I've got the questions open now. Great, that's a great place to drop it in. So I see a couple of twos, somewhat concerned. Nobody's like super concerned, and nobody is also thinking this is meaningless. That's great. That's a healthy place to be. We don't want to be overzealous. It's not the problem. We just want to have our heads on straight and start thinking through this. So let's take a look and dive in at, you know, what we're talking about here. A false sense of security.
Let's kind of mitigate how we might be thinking about security, and kind of get our heads on straight about pragmatic approaches to what's really going on with information security. You know, in general, it's not a question of if you'll be hacked or compromised, but when. That's not meant to be extremely scary, but it's meant to just be reality. Newer technologies, especially as they're on the cloud and becoming more ubiquitous in terms of being able to be used wherever, whenever you are working, open up new avenues for attack. So, you know, based on that alone, you can imagine: if you're able to access it anywhere with ease, probably other folks are able to try to hack it from anywhere with ease. So just because that's true doesn't mean you don't want to use it, right? So let's not go that far. We want technology. We need technology. But let's just understand the risks and be smart about it. Security breaches, as you know probably from the news, cost time and considerable money, certainly can ruin brands, and really create a lot of havoc in organizations. Some of you might remember in 2000, earlier in 2018, in Atlanta, the government computer files, they were essentially held hostage. It was what's called a ransomware attack. Ransomware is the type of attack where malware, so a virus or other kinds of bad things, gets into the computer system and locks down all the files, so that the organization, in this case Atlanta, couldn't access any of their government files. So basically this attack encrypted, in other words hid, a big chunk of the city's files. To unlock all the files, the hackers demanded ransom, approximately $51,000 in Bitcoin and cyber currency. And basically the city was left in chaos. They couldn't access their files.
So work kind of came to essentially a standstill, and it was one of the biggest cyber attacks against a major U.S. city. Ultimately they spent over 2.6 million dollars in just emergency efforts to deal with this attack. I mean, that's way more than even the ransom asked for, right, in dealing with this. So it's just an example of, like, if we're not prepared and we're not thinking through our strategies, these are really, really big problems. They might be big problems anyway, but with a plan in place they don't have to be quite as big. You know, we might have a false sense of security that, laid out on extreme ends, we either don't care at all about security, or it's so important, or we're so scared of it, that we tend to do things that, you know, remove features and processes that we really need. So let's not be overwhelmed by possible threats. Let's just recognize what they are. Let's also not just gamble that we won't be targeted, like, "it hasn't happened to me yet, it's not going to happen to me," right? So let's think through that. Elliot, I'm wondering if you have any thoughts on just some of the threats maybe that we should be aware of, like what kinds of groups, or who's trying to harm us?

Yeah. Well, I think now is a good time to just define. I know you just mentioned, you know, that really no organization is safe from threats or attacks, and that ransomware is a very real threat. It's, you know, omnipresent today. But so just to review, a cyber threat is really any malicious act that tries to gain access to a computer, or also a computer network, without authorization or permission from the owners. And the numbers don't lie. There's really a lot of numbers out there that show that cyber security is something that you don't want to take lightly. So these threats, they really become actualized, and they end up costing people and organizations around 450 billion per year globally.
Actually, I saw that number, and that's about a 200% increase in costs from 2010 to 2015. So in just those five years, you know, just the cost of cyber threats and cyber security has really grown. And there's also about a million cyber attack victims daily. And to put that all in perspective even more: if cyber crime had been a country in 2014, it would have been the 27th largest economy. So on the subject of successful attacks themselves, 90%, 99% of them are successful because people and organizations fail to do the basics right. Whether you think you're doing the basics right, you know, but you're doing them wrong, or you just have no idea, it's really a widespread problem. And when I say basics, I'm talking about just up-to-date antivirus software, different and changing passwords, patches and updates to all systems, switching on anti-spam and anti-phishing options in email, implementing security layers, and regular staff training and reinforcing a culture of security, which is very important. It's very important to have repeated staff training as an organization throughout the year. So what you can do to eliminate any false sense of security is to really educate yourself on the security threats and risks, and have a thorough understanding of the basics to build resilience. And this whole thing, cyber security, it's not going to go away. It doesn't solve itself with a snap of the fingers. And also, your organization needs to be really equipped to deal with the security concerns that this digital ecosystem presents. And one thing that was mentioned, just one line from the toolkit that I want to highlight right now, is that what was true 100 years ago is still true today:
Most security breaches are caused by natural disasters or improper activity by employees. And that improper activity, it could either be an intentional act by an employee for a nefarious purpose, because over a quarter, about 28%, of the attacks involved insiders. Or it could be simply someone who has clicked on a phishing campaign, you know, a victim of social engineering or spoofing emails. It's very, very common, which is about four percent of people in total. And these numbers are from a report from Verizon. And incredibly, the more phishing emails someone has clicked, the more likely they are to do so again. So cyber security is very important.

Good. Elliot, could you explain what phishing means?

Yeah, so basically the attacker will try to get you to click on a link, or, well, it'll most likely be in an email or a link. And, you know, it's common to ransomware too, and they'll just try to get you to do a specific action that will most likely end up in, you know, you paying them. That's a common result.

Great. Thank you. Good, so, you know, avoiding security, it's not going to protect us. Remaining ignorant of the risks is not going to protect us. As Elliot said, we need to do some planning. We need to really figure out and start mitigating our risks and getting some better practices in place. Some of us may remember the hack of Equifax: 148 million Americans had their personal data stolen. And in the case of Equifax, especially in those early days when the hack was revealed, some of the argument from Equifax came out as "we didn't know any better" or "it really wasn't our responsibility" kinds of conversations. That didn't work. Definitely wasn't something that was pleasing to certainly the people that were hacked and a lot of the regulators involved. So that's not a legal defense. It's not a defense
we should be using here either. So, some of the vectors for attacks, vectors being sort of where they're coming from, how they're trying to attack you. Elliot mentioned some of these, you know: physical access to your system. User error, right? It's like we do something wrong because we're not following best practices as people. Malicious user acts, where we're intentionally doing something wrong, you know, stealing credentials, logins, that sort of thing. Installing software, exploiting security holes that exist. These are all kinds of things that can be vectors for attacks. You know, hackers generally speaking are pros. This doesn't necessarily mean that they have taken, you know, college-level classes in hacking per se, but they're focused, right? They know what they're doing. They know what they're looking for. And they're not necessarily caring one way or another what the site particularly is; they're looking for valuable information. So they're not filtering out whether you're a nonprofit doing something good or doing something otherwise. In many of these cases, if there's valuable information, they'll take it. So if you maintain financial information, you know, donation amounts and addresses, pledge information, credit card information, banking information; you maintain sensitive information such as, you know, health information, disability, personal lifestyle, orientation, political affiliation; maybe you have contact information just for folks, mailing addresses, phone numbers, email addresses. This is all valuable information. These are things you need to protect. They go for a large amount of money when they're stolen and sold to others. And so you might be a target, and definitely be a target, just because of the valuable information. You may also be a target because of your mission itself.
You know, highly dedicated advocacy organizations, for instance, folks working on real hot-button issues, might be particular targets, so more susceptible to malicious attacks of various kinds. So be aware of that as far as vectors. Are small nonprofits attractive targets? Yes, they are attractive targets. In general, small organizations, not necessarily just nonprofits, are assumed, and it's often true, to have lower levels of protection than larger corporations will have, just as a bias. So they're seen as low-hanging fruit. Again, a lot of the attacks are not necessarily directed at specific small businesses or nonprofits, but they might be sweeping the web with code trying to find vulnerabilities, and they'll tend to find those in systems that haven't been protected as well, which will be smaller organizations. So it kind of goes both ways: smaller organizations tend to be not as well protected, so they're vulnerable and discovered. They're also targeted because they may in fact be more vulnerable and easier to break. Elliot, I wonder if you have any thoughts about targeting, and specifically kind of small organizations and nonprofits, to share?

Yeah, thanks Eric. I just wanted to frame this a little bit more. You mentioned a few minutes ago just the whole government attack in Atlanta.
Well, there have been a couple of ones recently that particularly pertain to law and legal aid. So last year, in the summer of 2017, the global law firm DLA Piper was hit with a NotPetya ransomware attack, which some of you may have heard of. It was a huge attack, actually commonly referred to as the most devastating cyber attack in history. And, you know, it really crippled the firm's office here in Washington, D.C., and put roughly 3,600 attorneys and support staff across 40 countries on lockdown. And it was really spread out; the incident and recovery efforts lasted for weeks. And during that whole time the telephone service, their email, and other vital systems were all affected. And in total the attack cost the firm millions of dollars in downtime, lost business and bad publicity. And more recently, as a snapshot, just actually last month, in October, ransomware took down at least three law firms in Florida in just a span of a few short weeks. So why are law firms, small businesses and nonprofits attractive targets? According to Verizon's Data Breach Investigations Report, which I just mentioned, 58 percent of victims are small businesses. And that's because, you know, nonprofits collect, we collect, sensitive data: Social Security numbers, confidential emails, health and financial information, and much more that's really attractive to hackers and attackers. And in many cases nonprofits are targets because they're less likely to have sophisticated security measures. Another attack was also on this small nonprofit called Little Red Door, and this was in 2017.
They had their data stolen from their server and held ransom. It was another Bitcoin ransom, for 50 Bitcoin, which at the time was about 40,000 dollars, give or take. If the nonprofit paid, the hackers claimed, then they would return their data and not publish it. And the nonprofit's leadership weighed their options and thought that they didn't have any data that was too sensitive, so they didn't pay. But actually that kind of backfired, because the hackers took to Twitter and posted the private grief letters to the families of clients who had passed away. So needless to say, the organization was traumatized. And this just all goes to show that nonprofits need to recognize that they're more vulnerable to cybercrime and security risks than they probably think. And while possessing sensitive data makes them attractive targets, what really does them in, like I said, is their security infrastructure, which is often characterized by common pitfalls such as delegating the security problem to IT only, throwing a bunch of resources at the problem, and treating it more as a compliance issue.

Great. Thanks, Elliot. Yeah, so some of these ideas of sort of how to deal with process and mitigating these risks we'll touch on again as we move forward in the next sections. So overall, what we need to understand is, you know, sort of how to assess risks. What are your risks? You know, to stay on focus, not too much focus, not too little focus, we assess the risk within our own organizations and determine the actions we need to take to mitigate them. So that's what I want to move into at this point: what does it look like to assess our risks as nonprofits? First of all, it's a process. You know, you have to start looking deeper into your systems and processes for managing information to even begin to determine your risk. So it's a deep dive. Where is this information being stored
that you're dealing with, and sort of how is it being stored and managed? Elliot, do you have experiences or sort of best practices to share around, you know, getting started with assessing, and the process of learning about risk?

Well, I actually do have a long metaphor, if that's okay. This is going to be my only long metaphor of the day, and it's kind of roundabout. It's not, you know, directly applicable, but just bear with me. It'll get there. So if you're a sports fan or live in Philadelphia, you're familiar with the Philadelphia 76ers, the NBA team. They last won the NBA championship in the early 1980s, 1983, and they were good again when Allen Iverson played for them, and since then they've been mediocre at best for a long time. And the thing is, in the NBA, if you're mediocre, you might be good enough to make the playoffs, but then you'll lose to a really good team, and then in turn you miss out on having a good pick in the draft and picking a really good player. So the 76ers were mediocre, and in 2013 they hired this guy Sam Hinkie from another team, and he's this kind of quirky analytics-first guy. And he basically says, you know, we're going to strip this team for parts. And he pretty much got rid of all their good players, and they were terrible the next year. They won 10 games out of, you know, the whole season. They had the third worst record in NBA history. But the thing is, and this is applicable, you know, to legal organizations and cyber security, is that he had the buy-in, the resources, and he stayed the course. He drafted this guy named Joel Embiid, who a few years before he got drafted was living in Cameroon, didn't speak English, didn't play basketball. He drafted him already knowing he was going to miss his first season.
He actually missed two. And then the next season he drafted Ben Simmons, this Australian kid who looked really good on tape, played in a very marginal basketball conference, got injured, completely missed his first year after being drafted, just like Embiid, and then the 76ers were terrible. But then Embiid came back. He was amazing. Simmons was healthy for a second year. And now the 76ers are in a position to compete, thanks to Hinkie and trusting the process. So the takeaway here, after all this, is to really trust the process. It might take a while, and there might be several or more than several big expenses, but it'll be worth it in the end. And the Hinkie experiment worked because it involved the whole organization. Like I said, he had buy-in and he looked at the data. ESPN named Hinkie's Sixers in 2015 as the major professional sports franchise that most embraced analytics. And the same goes for legal aid programs. But your organization really needs to be vested in IT governance, which will help lower your security risk and will also help you properly respond to a security incident.

Yeah, that's great. And I think it's great advice to stay the course, sort of dig in, and play the long game here, because best practices over a longer period of time will be substantially beneficial for improving security. You know, getting to this point, just sort of getting into the pragmatics here: the toolkit, as we've mentioned earlier, has a lot of good resources. There's a worksheet on page six, in fact, of the first volume of the toolkit that just helps you organize your data. So you can go in your organization, find where the data is, describe it on this sheet, and then start really kind of thinking about it. You know, how important is it? What would happen should it go away? How likely is it to be compromised? You know, various elements like that.
So you can start thinking through what this data really means to you, and what the risks involved are should the data be compromised in some way. So that's in the toolkit. As we've said, you know, inventory your data. You can think of different ways to do this. Just figure out where you keep your data. You know, you might want to do this as a group. There's lots of data that's formalized in the system that, you know, everyone in the organization kind of knows about; there's the database or whatever you call it. There's often going to be lots of data in informal locations that you don't know about. So a certain staff person has a whiz-bang way to deal with some data, it's not in the main system, and no one really knows about it, right? We want to know about all sources of data, because we want to understand how critical it is, and what the likelihood is that it might be compromised in some way, whether it's by user error or some kind of malicious act or all these other vectors. You can get together the team, you know, have them write down all the sources. You know, maybe you can use sticky notes or whatever method you want to do. But the idea is to kind of find where the data is and group it together in terms of systems. You can figure out which systems kind of have all your important data, perhaps, or a lot of it, and some systems may not, right? So that can help you, kind of from a systems point of view, say, well, this system isn't as critical, but this other one is. That's, you know, a way of scoping your efforts as well. So this inventory step is a pretty important part of the process. We should also try to define... did I skip on? Here we go. This is what I want to show. We want to classify the information. So basically, further defining how essential your data is along these metrics, such as: how confidential is it? How integral is it, should it disappear on you?
In other words, if you don't have access to the information, is it integral to the work you do, or not so much? And how available must it be for critical functioning? Is it sort of all-the-time, real-time information, you've got to have it at a moment's notice, or is it not so much like that? So you can kind of rate and classify your information on those metrics to understand essentially how important it is. You'll also want to consider risks. You know, work with your colleagues really to discuss these potential risks. You want to do this as a group so that you can kind of share and collaborate on folks' experiences, as well as the kind of data you're using and how important it is for their work at the organization. You can use these kinds of questions on the slide to help guide that conversation. You know, what could happen to your data? How likely is it to happen? How bad would it be if something were to happen? Have those conversations. You know, figure out what could happen. Are you guys concerned about identity theft and fraud, from maybe, you know, even staff, from folks that are walking into the office? Is it lost time, lost productivity in certain cases? Maybe equipment might get damaged because you run, you know, a public access system where folks are coming in and out of your location. Maybe increased expenditure is a big concern, or legal liability, based on perhaps losing donors and having to announce to all your donors, "Hey, I'm sorry, but you've been compromised." Destruction of reputation, loss of funding, this sort of thing. So consider the risks as part of a group. Elliot, just curious if there's any other kind of risk you would want to throw out there, if folks are meeting as a group to kind of, you know, determine what might be a risk to them?

No, not too much.
I'd just say, you know, just consider your onsite risks, your off-site risks, and, you know, I guess just be cautious of social engineering and spoofing, and that's about it.

Yeah, agreed. Thank you. Let's move in then to talking about some of the risky practices, the seven risky practices that y'all may be engaged in, or at least some of these, and we'll make you aware of them and sort of what they mean and what we can do about them in terms of taking action to mitigate these risks. So looking at the first one: unmanaged personal devices. Essentially, ask yourself the question, do your staff use personal devices for work? You know, often organizations will have some practices in place to help secure your equipment that's on premise already. So perhaps the laptops or the workstations, devices that your organization's already providing as part of your work, might have some policy in place for your teams. But that often leaves out the other devices that folks are increasingly bringing in. We have smartphones, laptops, tablets, you know, all kinds of internet-enabled devices that people are bringing in now. You know, ask yourself, are these the source of insecurity for your organization? Likely the answer is yes. It's important to realize what folks are bringing in: these systems are, you know, often consumer-level systems that are meant to be really easy to use, to share information, to get messages in and out.
They're quite powerful. You can't control access nearly as well when folks bring in their own systems and you haven't thought through necessarily processes and systems for managing those. So a personal device, such as a phone or a laptop or whatever, may have other users who can access data. You know, terminated employees retain knowledge, of course, of their usernames and passwords. They might have information that's stored, that's, you know, part of your organization, that's also on their private devices. Personal systems often have poor passwords and password management. Folks might set an easy password and sort of never change it, and it's not subject to the management that you might have in place for your other systems inside your organization. So all of these can sort of lead to compromises that can then infect, you know, your nonprofit system, just because folks brought these in. So there's some things to think about there. You know, there are tools for helping control this. There is a software tool called mobile device management systems. The acronym is MDM, mobile device management. The software can be implemented to help with devices that folks are bringing into the organization. The software can kind of be put onto those devices and help govern how those devices work within the organization, right? That allows you to have some level of control or access around how those are used, or not used as it were, in the organization. So it's something to think about. It can feel a bit like Big Brother on one hand, but, you know, with the right kind of adjustments to settings or whatnot, that can be a really valuable way to control outside technology being brought into the office. There's of course virus and malware risk.
This is something that a lot of us understand more intuitively from years of experience of dealing with emails. But, you know, on personal devices, often they don't have antivirus installed, or maybe they did at one point, or still do, but the software hasn't been maintained, so it's quite out of date. And they may even be running it, but it's not really doing anything. So the security software itself might not be really credible. In other words, it's not like a good cleaner for viruses or malware even if it is up to date. Your team has decided there's a certain credible tool; you know, the tools being brought in are not. So, you know, how do you know personal computers and devices have these basic protections? You really don't, unless you're doing some management process around this. Something that folks don't think about as much, at least in my conversations, is the ownership of software. It's a different sort of risk. You know, staff using personal devices may install software that you've paid for as a nonprofit, you know, because they want to work on it anywhere, and maybe they don't have that capacity with equipment that's at the nonprofit, or it's just easier for them to use their own personal laptops. So, you know, you buy the software, they install it on the personal laptop. Now, you know, you have bought the software as a nonprofit, but the staff person actually personally owns the license, right? It's like, literally on their laptop. Also that means that there's, you know, obviously going to be more information that's stored on the laptop that's not theirs, it's the nonprofit's, right? So, you know, just be aware of software management. You might be purchasing the software but not controlling the license. That leads to risks and information getting out. So just on this topic, on the first risky behavior, what can you do?
Um, you can, you know, look at providing virus and malware software I definitely want to have these licensing practices as we just talked about Uh, so, you know, sort of who's getting licenses and how they're being sort of installed and managed and maintained Uh, if you can provide devices for work so that folks aren't tempted to use their own or at least that's reduced That's a great thing Maybe mobile device management systems You can use these software There's a note here that they can be quite expensive. Uh, they're If they're actually becoming more accessible now, uh, Microsoft Office 365 Has a built-in mobile device management, uh, uh, system that's more affordable Uh, and the Google Cloud G Suite another sort of, uh Uh, uh productivity suite, uh Google Cloud also has Um, an MDM software as well and there's a variety of others. So Uh, don't write it off. It might have some expense. Some are very expensive But some are becoming more and more affordable As we move forward All right, let's look at another bad habit lack of password management Uh, you know, this I like this chart because there's always these passwords that sort of year after year after year Are in the top ten one two three four five six And then you know one two three four five six seven eight and then one two three four five six seven So anyway, you can see where a lot of folks are just uh, whatever I just want to type in a password, right and we've all been there. I'm ashamed to admit I've been there Um, but you know if a lot of folks are using weak passwords Uh, then it's going to be very easy for the systems to be compromised with very little effort right, um, so, um It's funny to note that uh, I love you has come back into the top 10 in 2018 as a password Uh, it's always fighting for a spot in the top 10 there Um, how do we know this by the way? 
There's an internet security firm called SplashData that's published a list of sort of top 10 passwords from 2011 Are they hacking systems to figure this out? No, they don't need to because there's so many systems that are being hacked Right, they're looking at data from millions Of leaked passwords and data breaches mostly in North America and Western Europe to come up with these lists, right? Um, so let's not have bad passwords Um, some other bad habits around passwords Um, I've definitely been guilty of some of these sharing passwords with co-workers. Uh bad habit We want to get folks to not do that as part of a culture change Not changing the default passwords. Um at home, uh, you know, probably even in many of our workplaces We might have internet routers or modems installed Maybe someone installed them for us and they or we don't bother to change your passwords I can't tell you how many times in the past five years. I've helped troubleshoot someone's modem or router at their home And the password has been left at password p a s s w o r d Pretty simple one to guess, right? Um, and you know, and that's a that's a point of Insecurity the internet device the router and the modem is literally what's letting in The World Wide Web, you know into your home or your office Um, so look at this problem. Are you sharing default passwords? Are you sharing passwords at all? Are you changing your passwords? Are you writing them down and leaving them? Uh, trying to keep things too simple. Let's get out of these bad habits What can you do about this? 
Uh, this risk factor, um, you can definitely implement password management software There's password management software such as, you know, OneLogin Uh, other options are Dashlane, LastPass, Keeper I think LogMeOnce is another one And these these systems allow you to really, you know, you want to have complex Passwords you want to change them on a regular basis, but it's almost impossible probably impossible for nearly everybody To remember all these passwords you need So you use these password management softwares to help you do that They're meant to be secure And a way for you to use and deploy these passwords when you need them Uh, you know, they're not immune to being hacked too. So like anything else we need to be concerned about Security in fact the one mentioned on the slide OneLogin Uh, I believe I don't know Elliot if you know more about this maybe you do but in 2017. I believe they were hacked Um themselves It's quite embarrassing for a company that's supposed to be managing passwords securely Um, Elliot, have you heard of that one? No, no, I haven't actually okay. Yeah, so LastPass was hacked As uh, although they did notice at the time and helped people update A lot of people have said well, I don't want them in a central place because then there's a target here But the chances are that people have been hacked and they don't know it So having that third party that is going to be more likely to notice And monitoring things I think is much more secure Yeah, I agreed. So it's not meant to say oh my god. I can't trust anybody, right? Like these these password management systems are are strong tools It's just you know, you always want to be prudent about understanding and reading and exploring Just what they're doing with with with their management practices around security All right, so they can at least be aware of them make sure that The policies and procedures that you have in place Great. All right. Let's look at the next one. 
So number three consumer grade cloud storage um so You know to be clear the risk is consumer grade storage any kind of cloud storage Ultimately, you know, I might argue is more secure than on-premise storage not always But the idea is that commonly our on-premise storage like in within our Organizations, we're not going to have nearly sort of the security protocols in place as these consumer grade or and In business grade cloud storage of any kind just because it's part of the fundamental part of their businesses to have Increased security probably more so than an individual nonprofit would have in most cases Having said that consumer grade storage has problems from a management point of view So for instance, if if you're using, um, well, I don't know, you know Dropbox or or Google Google Cloud for file storage or a number of these tool box things like this Um, if you're using on a consumer level, there isn't really a way to deal with Knowing sort of audit logs like who's touched what files? Um, there's there's not a way for administrators to learn, you know, whether a user has changed and added Or so forth. 
Um, you know, typically they allow full access So users that are using these systems are sort of fully able to add delete and math files Right, which might not be something you want to do because that with compromising information um So just be aware that consumer grade cloud storage may not have enough of the tools you need to help manage and mitigate some of the risk Um, these business controls can help you control sort of how and whether the data moves, you know, according to your rules Uh, so something to consider also these these sort of cloud storage systems are becoming quite easy to set up So they can sort of pop up, you know, at anywhere at any time within the organization So, you know, again, you need to be aware that there's technology going around the organization sort of Because it's easy and it's a very low hanging fruit and so you kind of need to start thinking and talking about that on a regular basis Um personal accounts, uh, these cloud storage areas might be free You know, so they can start to be, you know, very inexpensive and seems like a good way to go financially But of course, you know, if you're not managing your security Then you're increasing your risk and and as we've seen in some of the previous stories these risks can be quite cataclysmic if security is breached because You know, very important data is stored in and relatively unmanaged systems So, uh cheaper is not necessarily less expensive So what can you do about this, uh issue? 
Uh, definitely we want to um, you know Think about if we're using the cloud storage that we're going to use business grade And what we're really looking for when we're looking for sort of the business level, which will cost more in most cases Is what are those management tools management tools around sort of access to the data audit users and a variety of tools where we can mitigate Uh and understand sort of what's going on in these cloud storage systems Let's establish policies on what kind of content can be stored in these cloud platforms if you decide that they have risk great and and But you still want to use them for certain purposes. You may not want to use them for other more Sensitive purposes, right? So in what circumstances are these best applied? Again, make sure you're educating everyone who's using these about the risk so that folks know how to use these tools Appropriately and that you keep keep doing that over time so that folks aren't forgetting um There's a couple of tools for helping manage these cloud services. Uh the few that I know of um BetterCloud Is that is the name of one? Cloud manager is another one There are tools that that sort of you can layer on top of like maybe Google Cloud software For instance, you can layer these tools on top of that to help you manage some of these security concerns You know as a as a separate service that you buy um, so so there's other ones that that do You know add some management layers So you can kind of look at those as well if you're finding that these cloud services Especially some of these consumer level ones are really important for your work and you'd want to mitigate some of those risks certain things you can do great number four poor backup infrastructure um, so it you know in in California i'm i'm Working out of northern California and in California across 2018. We've had a series of really devastating wildfires. 
It's been a Uh several nonprofits that i've been working with um that you know had fully burned down So their offices are gone And in one particular case the organization actually had a Backup strategy they've been using for many years But unfortunately they didn't account for their entire office burning down right So they thought they had a good strategy But in fact They really didn't because they weren't thinking about backups being somewhere else right besides their office Luckily a director had accidentally put a system backup in their bag and brought it home about a week before the fires hit Which is I find it to be an interesting story because you know on one hand you can look at and be like well How the heck is this you know director to sort of willy-nilly getting a backup of the entire system sort of in their bag Like that's kind of a security risk on the other hand you can look at this positively and say they had enough Of a process in place that you know by some luck But also because they had a process of getting backups at all they actually still had a backup right And they brought it home And it's just sort of a story to say that having some processes in place are certainly better than none at all In this case, they got really lucky their process actually worked and their insecurity in one case actually worked to their benefit But let's remember that we want to have backup structures we want to understand what will happen in a disaster What kinds of disasters are likely to happen that you have those conversations? 
And figure out how to handle your backup strategy, you know, we want our backups to be in a safe place If you can store it, you know physically off-site, you know cloud Solutions is a great way for doing backups because you can have backups that are stored on premise You can have backups that are stored sort of in the cloud meaning not on premise um, you know, if you want to do a Third you can have someone sort of be you know putting those cloud backups somewhere else But locally and within reach Um, but in that case you're you're making sure that you're covering your bases around there uh, you want to think beyond um the backup so You know in one story, um an organization I was working with had backups for years and years and years a very sophisticated system Um, they had backups in three locations and so forth Um, you know, they ran rolling backups for like a couple of weeks and then one a month when they had these sort of archives for Quite some time. Well, what they didn't do is actually test their backups Right, so they were backing up and these files are being created, but the files are corrupt Right, so the backups actually could not be restored Um, and so when they had a cataclysmic break several years ago and needed to restore from backup None of them worked for a good two years Um, so think beyond the backup, you know, what will you do if the data is unavailable? Do you know actually how to restore from backup? What's your process in place for they're not only dealing and getting those backups and making sure they're working and understanding How to use them uh in a crisis, right? Um, it's pretty important stuff So what can you do definitely regularly schedule backups? 
Um, a lot of system servers and And uh in workstations have built-in tools for doing those backups There's cloud-based backup systems that can you can run and automate to make that happen Your websites and so forth um often have web hosts that will provide backups as well understand how those work Run them and practice actually using those backups Um, and make sure you're checking from time to time that the systems are working Right, so that you feel confident going forward that folks know how to use them and that they in fact are working Uh a couple things you can do there Let's look at another risk poor software management Software requires frequent maintenance. There's threats against software All the time that's constantly evolving to be more effective at breaking in And software vendors or open source communities or whomever is sort of helping to drive this software forward Is constantly putting out updates and patches to try to guard against this Um, so so make sure that you're asking the question is the software your team using say like how you know Who is looking at the software? Nobody is somebody doing it. What are their practices? Explore that and figure out what's missing um So, you know software that requires you to choose to do the update the security update is probably overall not very secure Many of us will just put off the update until later and then quite often later never comes Um, I've been guilty of that my Mac always relays me to update and I say Um, and then it asks me what do you want to schedule it? And I say no Um, so don't follow that model like we want to do updates Um on on a regular basis. 
We want to be on top of when security releases are happening keep in mind That when software is released And a security update is released Particularly that's also identifying a security hole if folks didn't already know about the hole They now do right because there's been a security update Um, and so if you didn't patch with the security update then somebody else is inevitably trying to you know Exploit that hole that's now been described to them. Uh, so that's why it's good to keep on top of these things Um, so hackers are keeping up to date. They're always looking for opportunities to exploit them They're going to be on it right away. So you can be on it as well And to be timely with your updates Keep in mind that poor software management also means that folks might be installing Applications you don't want. Um, folks might be oh, I don't know downloading music They might be uh watching videos or storing lots of files Maybe they're mining cryptocurrency Bitcoin to try to make millions. Um, and that's creating lots of computer cycles and In using up a lot of resources Maybe some of the applications being downloaded actually have some adware or malware in it because you know Just hadn't thought about that. Um, so again, these could be intentional or unintentional problems from unwanted applications So having having some thought about what you're installing is important So basically what it comes down to is we want to have these established patch management procedures Let's make sure that our software is being kept up to date on a regular basis Know the schedules if you're running say like a Drupal CMS website, for instance Drupal releases updates every Wednesday, right? 
Know that schedule so you can work that in other software might release on other kinds of basis or sort of all all the time ongoing They might have criteria for what's really insecure and what sort of insecure We can kind of respond differently depending on how severe the problem is the status of those procedures Manage those software installations, whether it's your own patch procedure But more importantly what other folks might be installing or just what you how you decide What is going to be installed across the network or on individual workstation? Uh, make sure you're doing a regular tune-up how well our computer is working Uh with the software are there being sort of generally updated even with non critical updates I keep in mind that if folks computer systems start to work poorly That's when folks will start to have workarounds like if there's some easier quicker solution to getting their work done My computer doesn't work so well and there's another application that helps You know, I'm going to be inclined to use it and maybe not look at the security issues Let's look at number six physical security is your office protected itself. It goes back to the fires, right? So folks are working in these fire prone areas, you know, you may have a fire Is your office protected? Maybe not probably you can assume that it might get totally burned down Uh, so you have to deal with that Um, I asked a web hosting vendor years ago to send me as I was doing some review to send me some documentation on their physical security practices And they sent me back, you know a page that was describing all their physical security at their web hosting facility And they also sent me this giant photo of a heavily armed man with a Sub machine gun standing in front of the building where their servers were, right? 
I think that was supposed to be impressive Of course, I asked what they did was how they protect the back door because that was the front door But sort of all humor aside the the physical security is pretty important You might have folks walking in and out of your workplace at staff certainly But you might have others uh folks working at night in the building Cleaning or the maintenance crews building management. You have volunteers and clients coming in potentially You might even have folks if you're in a shared environment you have folks from other offices or so forth kind of wandering around Um, of course intruders like maybe uh, you're in a situation where there might be a lot of crime or folks trying to come in Um, so think about that Would it be easy for folks to steal computers? You have a bunch of computers right at the doorway Uh, you know, what if someone walks into the door? Uh, think about physical security Um, you know, we want to keep not only uh, the malicious people from getting computers But you know, we also want to keep the quote honest people honest as well, right? If it's easy to sort of swipe the computer. Let's make it not so good. Let's make it not so easy So what can you do about this? Um, establish secure areas Where non staff members are are not allowed, right? Um, so make sure you understand who's there And that you're controlling kind of access generally to your office Check out policies for when folks are using shared devices or other assets at the organization make and lock computers things like this Um Elliot i'm wondering on on this one or any of the other sort of tips, uh, do you have some recommendations or ideas around physical security? 
Yeah, well, I just wanted to highlight um three things that uh, that are in the Idealware information security toolkit And that's that you should really have your well your physical space should really be configured to keep your data secure and You know, and that's by three things locking the door securing equipment and logging off of machines These are the most important things you can do and So which leads to the question, um, you know, I want you to Just take a second and think about you know, what physical security controls processes and procedures Do you guys have in place at your organization? Yeah, um, and it is important to take that second or minute or hour actually to think about those procedures and Logging out is very important. We hadn't mentioned that previously. So thanks for bringing that up earlier um Good well, let's talk about the seventh one. Um unsafe Wi-Fi that we kind of put in this earlier But is your connection to the internet secure? You know Wi-Fi is great. It's all around you Um and because of that you can connect wherever you are in range, but of course anyone else Um, who's picking up that Wi-Fi signal can also potentially connect Um, so we need to make sure Our Wi-Fi is protected um You know, again, you can't just sort of plug in these systems and expect that it's just going going to be fine It'll probably work. 
They're being sold to just sort of work as much as possible out of the box But that doesn't mean they're secure So you want us to configure those right you want to select the highest level of encryption available on your router your modem your combination units Ensure that the passphrase is first of all that you change them And second of all that they're long and more complicated um You know, you can also uh establish zones basically as zones where staff devices are granted more access Than non-staff devices right so you can kind of let those device let those internet devices know which which um computers Are sort of more allowed or less allowed um And as I said, there's a lot of these uh basic infrastructure on Wi-Fi that that tend to be Not configured at all for security around offices and homes so just be aware of that You know working on public Wi-Fi can be uh pretty risky Ideally you're you can try to limit publicly available Wi-Fi usage for uh laptops Mobile devices that will be coming in and out of the office If you do use them you can use those that you trust Um, it's important that when you do use them that you're visiting uh resources So if you're sitting in the coffee shop and you're going to a website You're using sort of the the publicly available Wi-Fi you want to go to websites that have encryption So they you know have https as the beginning of their web address Which just means that you're communicating to the website Your information is coming to you and going towards that website Encrypted so that it's very very difficult to read So they can't snoop what you're doing Um try to avoid public Wi-Fi that asks a lot of personally identifying information just to get going Especially when not encrypted sometimes just to sign up You have to give them a bunch of information and you're not on https So then that information can all you know be looked at by someone else um Also something to consider that you the computer you're using in a public Wi-Fi 
space might have what's known as um frictionless file sharing basically this concept that you want to you know To be easy um and efficient. It's great that you can kind of seamlessly share files from your tube tutors or something else Um, but that can allow folks that are on a on the same network to kind of see Maybe even grab or share with you files that you don't want to Um, so it's fairly straightforward on your PC or Mac to kind of turn off some of these sort of file sharing features You can look up frictionless file sharing online and if you're in a coffee shop to sort of shut that stuff down um while you're using it There's something to think about so what can you do again? Make sure you're you're protected um if you're using these modems and routers You know that you got the firewall enabled that you got the password changed um highest-level encryption set that you can try to avoid working in an unsecured environment or work as securely as possible within those unsecured environments um, so some things to think about Um, let's just find out from you. I think we did a we did a poll earlier I think you'd put it into the question section. So if you wouldn't mind I just sharing with us What risky habits you're guilty of by number You have unmanaged personal devices in your uh nonprofits during your past lack of password management Any of these items that you could share just the kinds of uh, risky habits that might occur to you Um by number one two three four five six seven in the chat Uh, so I have a couple uh answers here One unmanaged personal devices. 
This is really really common and pretty unavoidable Maybe not so much the unmanaged part, but certainly having personal devices Um, it is is becoming very common Uh, and the organizations I'm working at still lack of good password management is happening Um, a lot of applications that can be configured to help with password management Like a lot of organizations we're working with are using Salesforce CRM Which has a lot of great password management tools, but they're not turned on So they're not forcing changing passwords and things like that So yeah, that's a big one Okay, great. Um, so that gets us to the uh, the the seven risky behaviors But of course there's there's another one. Uh, the eighth is probably the most important Inadequate security training Really your your staff members folks working organizations are the most important security measures Um, you're only as secure as your weakest link You know making sure your staff is not the weakest link that they're really sort of up to speed with the With the best case uh security practices that you put in the place and that does become a culture of actually behaving in a more secure way Right like you're kind of reinforcing and re-reinforcing over time how to behave more securely so that it becomes inculcated as part of the community Um, I think Elliot you may have said this earlier about the security lapses. I think that figure I've seen recently you Like roughly 70 percent of security lapses are ultimately a result of user action not necessarily mysterious But just sort of not following necessarily best practices. Is that jive with what you've heard? Yeah, it's pretty high pretty high. Yeah Um, yeah, so just be aware of this um awareness can prevent a lot of incidents Just make sure that this team is aware that what can be insecure kind of like what we talked about today Um, a lot a lot of times these sort of threats are completely unknown to the staff. 
They tend to be fairly interesting to talk about Um, and and in my experience folks can have like a lot of aha moments like oh my gosh, I've heard of that or Really that can happen. I didn't even know And so You'll find that a lot of staff want to do the right thing. So go pay attention Build this awareness and just by doing that alone, you'll have folks kind of thinking through lots of best practices just by talking about it Want to really be aware we talked about social engineering be aware You know folks trying to get you to do things you shouldn't do Attempts to deceive your users to do the wrong thing Now this email as you can see in kind of the graphic is is asking for some It's demonstrating social engineering and there's a lot of clues as to You know why this how you can detect it is a social engineering You know the the email For instance, it isn't actually coming from where it's purported to coming from so that sort of arrow number one So there's there's sort of bad English There's links that are hidden behind sort of blue squares So when you click on review recent activity or whatever it'll send you to somewhere, but you can't see where necessarily when you click on the button There's no Microsoft logo is it really from Microsoft to this sort of thing So it's it's great to take You know, we all recognize some level of spam But it's great for folks that have seen like a lot of different emails that's trying to socially engineer you to do Something nefarious something wrong To show those as part of a team and just have these quizzes right like what's going on With this email, what's wrong with it? How can you know that it's bad? You know different emails some emails might be you know more more subtle It might seem on first glance that that the email is Has a quick response. Looks like it's really coming from someone. I know it's coming to me But on further study you might again find out that the email address Is a personal AOL account. 
Maybe that's not usual Lots of clues like that so just bring these emails to folks's attention So they're not downloading Attachments that they shouldn't be from people. They don't know What they can do if they just even have a question about an email like what's the procedure for handling that and getting things resolved Things like that So regular training sessions regular short making sure folks really know what to look for and how to deal with security issues on a Really important Make sure you're incorporating security discussions into your already the meetings. You already have we don't have to make a whole new process here But we're bringing it in when we're talking about sort of best practices around the organization It's just a bullet in that conversations that those conversations that you already have So it becomes part of your culture not sort of an aside or a meeting have to go through separately, you know over time great So that that gets us to those kind of risk factors that we want to we want to mitigate So then how do we dive into establishing these policies? So I just want to kind of quickly go through this stuff around policies and procedures so that we can Let's look at some of the toolkit stuff a more depth towards the end here and leave some time for questions First let's form a committee Make sure you've got a sort of a diverse array of folks working into The first Kind of access to your information Folks that are coming from multiple angles so that you can have smart ways to approach issues I'm wondering Elliot just in terms of sort of establishing policies in this committee What are some of the benefits you see for nonprofits and having sort of a strong committee from the start? Yeah, of course. Well first, I just wanted to frame this a little bit. 
Um at the uh this year's and from Innovations in Technology Conference in January The New York State Permanent Commission on Access to Justice They're well actually their technology assistance project They presented the results of a survey. They did on information security and among the results Were that 20 of the participants have limited or no security policies in place Um, so on the high end six have acceptable use policies Five have mobile or electronic device policies five have tech information policies And on the low end only one program has social media Computer security voicemail encryption or remote access policies Um 90 of the participants don't have security awareness program and 15 of the response Don't have a process in place um to keep patches current so You know that that's a relatively small sample, but we see here the need to like really form committees and We need to form committees to establish policies Um and committees that meet regularly to keep those established policies up to date Uh, so one place I might start once you have a committee is by checking out, uh NIST resources And that's the National Institute of Standards and Technology. Um, such as their Cybersecurity Framework And then also a resource that um Google, uh, just launched a couple days ago. It's called web.dev And it's a set of various website reporting tools that lets you examine your website load times Your network resilience security Um, how easily you can be discovered and your accessibility That's great. And uh, yeah, I just saw that uh that Google research as well. Thanks for uh bringing that out. Um Cool. Yeah, so make sure you're asking tough questions. Uh, ask the hard question. What would you do if Um, you know, make sure the team is aware that you're looking for Better ways to manage security that means you're going to find ways where your team feels they're deficient It's not it's not meant to be a blame game. 
This is that for everyone to just say, here's where we're at, and we all want to help to make it better, right? That's what we're talking about. Um, so make sure that's clear to folks, or folks feel free to speak.

Um, what will prevent a breach? Uh, you know, brainstorm with your team how might a breach occur. What kind of blocks will you throw up to prevent those from happening? And, you know, think through these, brainstorm them, and start thinking about how you can create processes and procedures for mitigating those sort of before the breach happens.

But we also want to look at what's going to happen after the breach. So let's make a plan. Um, when we're in urgent or emergency situations, it becomes a lot more difficult to think through all the issues. You're kind of reacting, and the point of having a really solid plan in these situations is to think through a lot of the heady issues and the operating procedures in front of that crisis, so that you can kind of focus on all the other kinds of unexpected things that come up. You've already planned for the planned things. That really helps a lot.

You also want to make sure you're writing your own, uh, you know, user guide for, you know, bring-your-own-device scenarios, or you're allowing that probably. Um, you'll want to continue to allow this in the age of smart devices, but let's make those guidelines, consider mobile device management and how that's set up, um, you know, and so you feel safer and that folks are aware of what, you know, what their responsibilities are for when they're actually introducing these devices, uh, into the office.

Uh, just from the toolkit, and Angela will talk about this in a few minutes here, but, um, just briefly to point this out, the toolkit, um, on page 24.
It has a personal device policy template. Um, so it just helps walk you through those questions and exposes you to, um, you know, just a framework for getting those answered, and then you can eventually come out with your own, you know, acceptable use policy that can help guide your organization. So check that out.

Remember that, um, even processes require maintenance, similar to software. So just make sure your team knows what the processes are and knows them well. So that means conducting refreshers, uh, often, and for the long term, critique your processes and make them better over time. So you want to update them, uh, just to make them better even if systems don't change. But as systems do change, they'll definitely need to be updated so that you're handling those kind of new technologies and processes and procedures that... for managing the information itself.

For policy examples, you can go to this, uh, this bit.ly link.

Um, I noticed a couple of those, uh, links, um, aren't working. Um, and I'm not familiar with the resources. I just wanted to share a couple of the links that, um, that some are included on that list and some aren't, so that I, like, I'm just sending those out now.

So, but anyway, just some resources there, um, for security policy examples, for making your own policy documents in addition to what's in the toolkits themselves.

Okay, great. So now we're at this section where we wanted to talk a little bit more about these legal aid technology toolkits, um, and, uh, Angela, I'm thinking that maybe you'll be in a good position to talk about this now. I could probably drive the slides for you if you want, just because I have it all up and ready.

That would be perfect.
Thank you. So, uh, in 2016, uh, my program, the Michigan Advocacy Program, applied for a technology grant from LSC, and it was awarded, and what came of that is a joint effort between Idealware and the Michigan Advocacy Program to create four toolkits to help legal aid organizations evaluate and implement specific technology solutions, many of which are recommended by the LSC technology baselines. The toolkits can help program leaders understand the benefits of specific operations and service delivery technologies. The toolkits demystify the implementation processes and help people make smart decisions for their programs. The toolkits also serve as roadmaps for any organization considering adapting the featured technology or looking to improve or update an older technology or system.

We created four of these toolkits. One is on modern information security, which you heard a lot about today. The other three cover triage and online intake, knowledge management, and hotline call center technology. Can you move the slide forward?

Each toolkit provides a brief explanation of the technology and the benefits from implementing it. It walks you through key decision points organizations might face as you move forward, including goal and requirements definitions, defining processes and business rules, hardware and software selection, implementation, managing staff input during the process, training and user adoption, and maintenance planning. The toolkits have checklists, case studies... You can go back, go back one.

Oh, my bad.

Yeah.

Here we go.

Yeah, so we wanted them to be really practical guides, and so they have worksheets, as you can see here and you saw a little bit earlier.
We have quizzes, temple, or sorry, templates and samples of key documents, checklists, sample policies, and lots of other just really practical tools that can help you on the ground if you're working with these.

Let me say a little bit more about the other three toolkits. Triage and online intake covers online triage, online intake, in the different iterations that they appear, and it has case studies from different organizations showing different models and some best practices. Knowledge management looks at brief banks, sample pleadings, electronic access to practice guides, document assembly, and again looking at some things that are in place. And hotline call center technology goes through sort of phone technologies, but even beyond that to programs that are using texting, using hotline call centers combined with online intake, and things like that.

Each of these toolkits was thoroughly researched. Here you can see a page from one of the toolkits, all the people who the authors talked with in creating the toolkit, and they're really specifically made for legal aid programs. The primary goal of the toolkits is to engage directors of legal aid programs, so we wrote the guides very conversationally, and you don't have to have a lot of technical experience to really benefit from what they have to offer. We hope that directors will read these, review them, and if they want to implement them, pass them on to their IT staff, contractors, and others who will actually do the work.

The toolkits are available on the LSNTAP website. They're also available on the Idealware website. We shared them through email, and every executive director of an LSC-funded program should have gotten a short booklet sort of explaining the four different toolkits and where they're available. The toolkits have information that can be used by organizations of all sizes and all budgets. So, go forward one more slide.

They are portable. They're downloadable as PDFs.
We do have, as part of the grant, we will form committees of people to review them periodically to make sure the information is still up to date, because technology changes so rapidly, and we wanted them to be online resources so that we would be able to make updates and modifications as the world changes. But they're also very easy to print and take home and read if paper is a better option for you or for someone in your program who you'd like to influence.

All four are available now, and if you do read them or use them, please take a minute to give us feedback. There are surveys linked with the downloads. You know, it's a TIG project, so we have to collect feedback and pass it on to not just LSC, but LSC's funders. So please let us know if these toolkits are helpful to you. If you use them, we may contact you to talk a little bit more about, um, you know, what projects you went on to do after reading the toolkits. And if anyone has any questions, they should feel free to reach out to me. And that's it. Thank you.

Thank you so much for going through all those toolkits. Those are great resources. I want to, um, let's just have a moment, um, for folks that are online live now to ask questions, and also it'd be interesting to share, if you can, if you're going to take security steps now. You're thinking about some security steps you want to take, maybe you can chat those as well. But certainly if you have questions, chat those, ask the question, or share with us as well any security steps you're going to be taking. Um, I'm going to, um, get some links as well that I want to put out there in the chat while you're asking your questions, if there are any. So these are some additional resources that should be helpful to the folks today.

Yeah, so one of the things we've done here at LSNTAP.
We went for a team version of LastPass that we're using internally and then also with contractors, and then we also did at our all-staff a five-minute short talk about password managers and pointed out three of the free ones, and then have offered, for anybody who decides to use one of those, to kind of walk them through, help them set it up. So we're starting to get a little bit of adoption there. I still think a best practice would really be to use an enterprise version internally, because when you remove staff, or when staff leaves, it's so much easier to clean that stuff up. The amount of time that you save, as opposed to going and having to check all accounts or see who shared passwords and which ones need to be changed, is so much easier. But it does have that outlay of cost per seat or cost per user for the enterprise versions.

Yeah, that's great. And then here's, um, the additional resources. I just put in these, uh, hyperlinks. Actually, I just put into the chat. So, um, but here's the titles for those as well.
So these are some other, uh, resources, some from Idealware and some externally as well, that you can check out.

And just as a, you know, a reminder, maybe just sort of putting a little bit of sanity or practicality in here, you know, perfect security, you know, isn't possible. Um, we want to make sure that we're taking small steps and we're thinking about long-term continual improvement. You know, really we want to work on changing bad habits, and the good ones, if we can get some few simple, important, you know, good habits going, uh, and folks keep doing those good habits, then you've really done a very long-term solution to some security problems. So don't beat yourself up if you feel like there's a million risks and you're only mitigating a couple of them. That's great, and just keep working.

So as far as reaching out to find Idealware, you can go to idealware.org, again, lots of great trainings there and write-ups on all kinds of technology topics, facebook.com slash idealware, or at idealware on Twitter. Um, you can find me, I'm at fivepaths.com. Can write me at eric at fivepaths.com. Uh, if you'd like to ask me any questions, that's great as well. I wanted to thank everybody for, uh, being available today and listening in, and especially, uh, thank you, uh, Elliot and, uh, Angela for speaking today and offering all your resources. Really appreciate it.

Definitely. Thank you guys so much.

I'd also like to offer that we talked a lot about the kit here, but for YouTube, I would be happy to kind of condense some of the key points into kind of a five-minute video at some point, to kind of do a promotional on our YouTube channel for any of the kits that we're looking at, but including the security kit in particular. I think it's a very useful resource, and whatever we can do to promote it and get it out there to more people, we're happy to do.

That would be great. Thank you so much, sir.

Yeah, thank you to all of our speakers.
Um, there is a survey coming after this. We are about to start accepting proposals for next year. Uh, so if there are topics that you want to see, look for a survey that we're going to send out to the entire community here in the next week or so, asking for what topics you're interested in for upcoming webinars for next year.

Hey, well, thank you very much, everybody. Have a great rest of your day.

All right, you too.