Thanks for joining our meeting today, our Zoom meeting. I love our chats. This is an open forum; we're gonna chat and just talk about today's topic. That says it's easy to stay safe online. And maybe I should have put a question mark behind that because is it? So there's nothing more scary than you getting a notice from the social media account or hospital or worse, your bank that says that your information quote unquote may have been compromised. And we know that many of you serve, you know, organizations that are vulnerable, like victims of domestic violence, senior citizens, youth, and the list goes on and on, everybody that you serve. I know you value their privacy. Today our guest speaker is gonna share how you can make sure that you and your organization are safe online. So I want you to be a part of the conversation as well and share what you're doing or maybe you're not doing anything and you needed this information today. I'm Aretha Simons. I'm the webinar producer here at TechSoup. If this is your first time joining us, I just want to let you know that since this is a Zoom meeting, feel free to be on camera or off camera, but please keep your microphones on mute unless you are ready to speak after the speaker. Use the raise your hand option at the bottom of the screen. Also, we are recording this so you'll get the recording within 48 hours. And I'm gonna move out the way and introduce our guest speaker today, Michael Enos. Michael wears a lot of hats today. He's going to be our cybersecurity person because he specializes in that and knows a lot about that. So Michael, thank you so much for being here today.

Well, thank you. This is a great privilege. I love doing presentations for the community. You know, just a little bit about me and my background. I've been in the social, the civil society sector since graduating from college. It's Santa Cruz at UCSC and went on to get my MBA at Santa Clara.
And so, and you know, began working, you know, first as a social worker for a nonprofit that worked with developmentally disabled adults, helping them live more independent lives in the community. And it was there that I learned that there was a real need and a gap with technology in the sector. And so I went into, I became the technology manager, which we didn't have and have been doing that since after my second role as the CIO for Second Harvest Food Bank in Silicon Valley where I was in that position for over a decade. And, you know, essentially, which is in that food bank in California is one of the largest in the country. And I learned a lot about data and keeping data safe. I mean, it was super important. You know, and in that, I sort of learned that, you know, civil society is critical infrastructure. I mean, the organizations, nonprofits and NGOs worldwide are part of our critical infrastructure. And as such, it is super important that we keep the data of our constituents safe. Our constituents will include people like, you know, donors and some of the most vulnerable populations in the world. So I'm gonna get into that a little bit. Now, to go over today's topics, first I wanted to give sort of an overview of cybersecurity frameworks, which is essentially, and this is important, especially for people in leadership to understand that, you know, us in, you know, at TechSoup, my role is I've been with TechSoup for eight years and my role at TechSoup, I do wear a lot of hats. I oversee our enterprise infrastructure. We have platforms globally. And I also oversee some software development teams. And I also oversee our cybersecurity program and our InfoSec program. And so when people ask me, you know, where do you get guided? You know, where do you learn the stuff? Who, you know, where can I get information about, you know, how this all works? We do, you know, use frameworks, you know, that are specified and industry best standards. And we, that's our guidance.
That's like the ruler by which we measure ourselves. And that's what gives us guidance. So it's not like Michael says we need to do this or this. It's like, oh, this is what the framework said. I'm here to help implement it and deploy this in the organization. I'll talk about that in a little bit. And I'm gonna talk about the sort of some easy, four easy sort of things that could instant make that really could be, should be priorities for an organization in terms of being safe online. And this is, so this is, you know, cybersecurity is a big topic. And today we're gonna be kind of focusing and narrowing in on, you know, not think so much like, you know, you know, stuff like security forensics or things that are really deeply technical. These are the things that users can do to help them be safer online. And it's important because these are the sort of the essentials and they apply not just to your organization, but also just the practices that you employ because with more and more people working remote, you know, you're using the same device to go to your bank account. And, you know, then you are to probably go online to work with your constituents' information, indeed it in some software as a service tool, you know, online fundraising tool or platform or do platform for client services program. You know, so it, you know, so these things are important because this keeps you safe online and what you do online affects everything else that you're doing online. So if you're doing a lot of engagement with your community or constituents and working with their data, the safety there, it should be, you know, can be applied everywhere. So those four topics, multi-factor authentication, privileged access and password management. They are sort of two different things but they're very much related. And so I'm going to talk about them sort of together. The importance of keeping systems up-to-date, that's critical.
And then also I'm going to talk about security awareness training, which is something that's very important to understand, you know, what, you know, how to be safe. So this is, in some ways, this is almost like a security basic, security awareness 101. So why is it that, you know, the types of cyber threats that NGOs face, and this is why it's important to be safe, because if we're not safe online, being safe online is one of the ways we can mitigate some of the cyber threats that we see, you know, as targets, you know, some of our organizations can potentially be targets for, you know, somebody who is looking for valuable data if they're looking to just, you know, cause disruption. And in some cases it's more serious, it's targeted because there's something that they don't like about your organization. So, and the things that can happen as a result of that is, you know, you can not only have a, you know, disruption in, you know, your mission, but, you know, worse you could have, you know, a data breach and then have to deal with reputation and other factors. And so these are some of the broad sort of areas that we, you know, oftentimes to talk about. And as I mentioned earlier, you know, it's important that we protect our data and are safe online because, you know, we do, we're working with financial information, donor data and some of the, you know, populations won't have personal information. So this is why it's critical that we sort of, you know, kind of keep this as a priority and a focus with an organization, especially as more and more activity and cyber, it's easier and easier for people to conduct cyber terrorism essentially.
The tools are, you know, ubiquitous, they're cheap and anybody can, you know, go off and wanna, you know, hack something in order to turn it into a crypto mining operation or to try to find if there's some valuable information or data or something that they could then sell like a username and password or some bank account information. And so there's robots, there's bots that go across the internet and just scan things. And what they're scanning for, I'll go into a little bit because that's why it is, that's why it's really important to stay safe online because these, you know, it's like, it's sort of, you don't see them, they're sort of invisible, but they're out there and we track that stuff at TechSoup and our hundred platforms that we monitor, we have thousands and thousands, I mean, hundreds of thousands of events every single day. People, you know, hitting our stuff, trying to say, hey, is there a crack here? Is there a crack there? Trying to find that weak link that they could then leverage it. And we have, at TechSoup, we have very sophisticated tooling, but that's a topic for another day, what this is about is really about, you know, staying safe online. So I'm going to jump in, we're going to talk a little bit about, and after each one of these, I'll open it up for questions so that we can, you know, I can answer questions as we go along. It'll be a time at the end, but I want to make sure that it's moving through. I don't want to just be talking ahead here. So, you know, it's important that we have this be a discussion. TechSoup and many organizations use a framework called NIST. It's the NIST cybersecurity framework. And this stands for the National Institute of Security Standards Technology.
And, you know, they put together this framework and what's important about the framework is they kind of, it provides an organization with a basic, you know, concepts for how to then practice cybersecurity safety, not just, you know, staying safe online that folks in this organization about this webinar, but also other things like what kind of policy should you have in place? You know, what do you do in case of a security incident? How do you make sure your data is backed up and stored? What's, how does a safe way to do that? And it provides policy guidelines. And so we use this and there's some these, I'm going to quickly go over these five areas because then, because what we are going to, because each one of the things we're going to talk about in terms of data safety, actually are connected to these different kind of governing principles. And these are things that was like I said, we're not going to go into the details on every single one. But, you know, when I do topic, when I do presentation, sometimes I'll just focus on one of these, like data like resiliency, you know, business resiliency, I've talked about more on, you know, identify and recover aspects of it. And then other times it's, you know, going to be on response. But essentially these basic principles sort of outline a framework by which to think about it. And so we're going to provide, you know, there's going to be links to this available. And so, you know, in your spare time, which we all have plenty of, you know, take a look at this and think to yourself, where do we have potential gaps in our organization, the way we think about cybersecurity? You know, so for example, maybe you've, you know, you have people working very sensitive data and they have, you know, like for example, financial information. You know, are you doing background checks, you know, but when they're hired?
Um, I'm going to talk, and what I'm going to talk about later is requiring individual user accounts for agency employees. That's what I call basically a privileged access management. So, you know, then we have, you know, this, the whole section of this is sort of dedicated to business resiliency, you know. So, you know, how do you essentially protect your systems and ensure that there's data being backed up that you've tested, that the data works, that's been backed up. That's oftentimes something that gives us a big gotcha. It's like, oh, we thought we were backing up our systems and, but nobody has really checked. And part of this is, and then the other thing is, you know, which is very important. Number four is something we, you know, kind of really try to impress upon our community to, you know, think about is the last thing you want to be doing, if a security incident happens, if they then have to come up like, what do I do? You know, how do I respond to this? How do I respond to my community? How do I get the right people in the room to talk? And also then, how do I communicate this, you know, to the public? Is this going to be a, you know, a marketing nightmare? And so, you know, what's important to have a plan in place and also just to remember that transparency is always going to be your friend when it comes to this. There's one of the mistakes that some organizations do, they try to push something underneath a rug like there's been a cybersecurity incident. And that's the exact opposite of what you should be fully transparent because that will help ensure that your trust maintains with your community. They'll say, well, it's not, you know, this happens to everybody. And so it's how you respond. And we kind of know that in this sector because it's, you know, things happen in the world and we have to be realistic about them and professional about them and maintain that sort of accountability.
And oftentimes, you know, civil society organizations have to be more accountable than even private sector organizations. You know, we have to submit our financial information to IRS. And if there's a data breach, it's very important that we let our constituents know and it also do the effect of what that is. And then of course, we need to ensure that there's ways to detect, you know, things like, you know, using ant, that's better, you know, making sure you have up to date antivirus, that you're monitoring systems. And then you have some way to be able to detect something. And then, well, I kind of went out of order, but a protect is some of the stuff that we're actually gonna be focusing on today, essentially, such as patching your systems, being ensuring that you have, you know, you know, systems, some of these, I'm not gonna go into like encryption, I could do an entire, you know, webinar on. But that's why I'm providing this because this is, you know, because I'm focusing most of the presentation on just online safety. I always wanna present sort of like the big picture and then say, okay, now we're gonna talk about particular aspect of this. So, so that's, you know, I'm gonna pause there and ask if anybody has any questions about cybersecurity right now.

So there's a question from Lenore. Did you wanna ask him or did you want me to read your question? I'd like it when you guys ask because it's in your voice, I may say it wrong. So would you like to unmute yourself and ask your question? Oh, she said reads, please. Okay. Do you have a draft language that can be shared to add to the website privacy policy to ensure that communication, that this is communicated within the policy?

Excuse me. So... You know what? So at the end of this, there's gonna be a link to an organization called fans.org.
So if you go to sannf.org or if you go to fans.org, cybersecurity policy templates, and Rita, maybe you could type that into the chat because that, if you put that in a search, Google search or, you know, whatever browser you use, you'll see that that organization fans.org provides templates for everything you would want in terms of information security and privacy protection. And that's what, that's usually where I point people if they're asking, do you have a template for this? I mean, because if we said you are, you would just have, that's what we did, you know, essentially, I mean, you also have to kind of custom modify it to your own purpose. I hope that helps.

And are you saying S-A-N or S-A-M? F-A-N, as in Nancy. Great. That's what I'm saying. F-A-N, yes. Okay. Sure. Yep, that's it.

Yeah, and at the end, there's gonna be a link to some other resources too that are, you know, to be good to review as well. Okay, so moving on, Alyssa's other questions.

No, no other questions at this time.

Great. Okay, well, I'm gonna dig right in and then talk about multi-factor authentication. Now, I know that there's a couple of words for this. Sometimes people say it's two-factor authentication. Essentially, the way that I like to describe this is you need to use the simple analogy of what everybody does when they go to, assuming you have a car and you go to a gas station or you have an ATM and you go somewhere to get cash out. Essentially, you may not know but you're actually using multi-factor authentication when you do those things. Because what the factor is, what it's called multi-factor is that a factor is two different types of data points. Like, for example, it's something that you know and then something that you have. So it's not just two things that you know. You know, like, what's your password and what's your mother's maiden name? Those are two things you know, but it's not something that you actually have.
And so the reason why multi-factor authentication is important is because it's sort of a, there's a check and balance there. So you actually have something physical with you. So like when you go to a gas station, you actually physically put your card in. So that's something you have, but then it asks you for your zip code or some other piece of information, at least it should, or it's reading your chip. But if you go to a bank to go get a cash out, it'll ask for, you know, you have your card with you, but the card didn't ask for your password. And so those are two different factors. And so enabling this more and more, I mean, almost every place that you could go online accounts the ability to set up multi-factor authentication. In fact, many times you don't have a choice. And this is super important because if, you know, there's, you know, our email address, for example, is almost, unfortunately, it's almost, you know, public information. And a lot of sites are scraped for information about, you know, our data. And so, and when a security breach happens. So for example, when, you know, this I'm not gonna name a company, but you know, when a famous company was, you know, like that social media platform was hacked or its data stolen, you know, they have access to your username and maybe a password. And they can maybe unencrypt that password. But they may actually have that password. And so we're gonna talk about password management a little bit later, but the reason why multi-factor authentication is important because even if they just have your username, they go, oh, look, you know, I'm gonna try to brute force a system by hammering it with every single permutation of this person's name, what they're, you know, that they know your birthday, you know, what they're, you know, things that they may think and it's automatic and they have these things that'll run very, very quickly.
And some systems don't have a rate limiting protection and so they'll allow something just to randomly did it thousands of times a second to try different username password combinations. And then at some point they just let that run and at some point it could crack, you know, and then find that. And by the way, I don't need to scare anybody today. I mean, it's kind of a scary topic, but this is why we're teaching this, you know, it wasn't important to, you know, if it wasn't kind of scary, there wouldn't be a reason for me to be up here, you know, blabbering the way you do. So some of the things here that they talked about is, you know, some important, you know, some of the things that are mentioned, you know, are super, like these are super good guidelines, you know. The, you know, a, you know, one of the, you know, there's different ways that we could use multi-factor authentication. Oftentimes it's with your phone, which is good with an SMS text, you know, so you get a text and then you type in a code on there. I think we've all done that right now, but there's also a bit more sophisticated ways, such as using an authenticator app, which, you know, Google makes one, Microsoft makes one, and there's other versions, but the authenticator app is a little bit better because it's not going over the, you know, and the way that works is that it's, it randomly generates codes, and what you do is you go to open up your authenticator app and you type in that code that's on the app. And the reason why that's a little bit better than just using your phone is because SMS is still wireless technology and it's still being transmitted. And there's, some people have been starting to figure out ways to sort of hack those systems that then actually generate those SMS text messages.
And if they can do that, then they can get hold of the codes that are being generated and sent to you, whereas with the authenticator apps, those are randomly generated, and they match the certain types of codes that are used by the software program. And then they're updated, not in real time, but they're updated in some frequency. No, the authenticator apps are free. So you can go to Google Play. Now, not all systems support it, but for example, if you use Google G Suite for your organization, or if you use Microsoft M365, even when you set up the security and MFA in both of those systems, then you could essentially have the option to use an authenticator app instead. And it's often times what they do is they have a QR code. You point your phone to the QR code that's provided by Google or Microsoft, and then it says, okay, and now you're connected. Your authenticator app is connected to us. It's really pretty easy to set up, so it doesn't cost anything. Good question now. So, and the other thing is that if you have, we use is the people who are in, you know, who have access to privileged systems, use something called a YubiKey. And I'm gonna show you what this is. I don't know if you've seen these people have these things, try to get it in focus area. And this is a hardware device, and this plugs into my USB port. And so what happens is that when I'm using certain systems that allow for this, at some point it'll prompt me, it'll say, you know, insert your security key. And I just touch this, and says, oh, you know, and because this key is registered, there's special information on this key that's registered with that software company. This is pretty much the safest way to do things. But, and these are, we don't have a, unfortunately we don't have a program with TechSoup yet that offers, but they're not that much. This is maybe a $30 device. Maybe they range, but you know, you get them at like from $30 to $60, you know, these keys.
And so these are, is that, you know, the other thing is oftentimes your phone will have a, you know, biometric thing. So, you know, a face recognition. And that works, you know, as well. This one looks like it's open. So basically, if you, if your key gets replaced, how can the information be accessed? But it gets misplaced. You know, what's interesting is that you can generally have a, you know, because other than you can read, you'll probably have something called in-orbit access system, and then you can reset it on your phone. For us, who are managing those, we have to have access to blocks available. Okay, Yubi. Why Yubi? Well, thank you for that. You know, what I had moved in my phone, is that probably better with your apologies? Thank you.

I do want to mention the closed caption is on. So yeah, thank you guys for mentioning that. If you can't hear him or the closed caption is on, just type on the CC at the bottom of your screen. So go ahead, Mike. I'm sorry.

Okay, no worries. Okay, so, all right. So moving on, any other questions about multi-factor authentication? You know, what can this key be used with QuickBooks? You know, I've never explored that. We don't use QuickBooks, but that's a good question. And I imagine that if you went to, Intuit's website, I would imagine so, but I can't speak to that. I'm sorry.

So may I ask a question? What the key that you showed us, what is the purpose of it again? I know it's a security device, but I have a Mac and I don't have the USB drive on my Mac laptop. So I'm troubled about that. You know, what can I use?

They have other types of UV that company. That's just one company. I mean, it's essentially, it's called a security key. And there's other companies that make them as well. And there's different ways that they can transmit to your computer. For example, if you have USB-C or if you have any other sort of port or an adapter, you know, they kind of will work with any device.
So you could, you can, you kind of can match it. And this, like I said, this is a really sophisticated way, but it is something that is become, probably will become more and more, you know, prevalent as people become, you know, more systems become more and more. Sure, but I also think that, you know, you're using SMS as a basics. I mean, I just recommend starting there. If not, you need anything, start with SMS. And then if you are, you know, feel as though, you know, you know, at some point you've learned enough about MFA to move on to something more sophisticated, then that's the time to move to an authenticator app. And then the more advanced thing is, is something, is something like a security key of some type.

May I ask another question? Because you got my book right now. So when you're missing the SMS, that's text message. So Google is automatically sending me a text. Did you log in? It was at you, but if we, how can we set up our own for other accounts? That's probably, I don't know if anybody else had that question or we're thinking about that, because, you know, we're used to somebody automatically making us do it like the bank or Google.

Right, I mean, you know, the best thing to do is usually in your account settings, in any application there'll be something called account settings. Okay. And if you go to account settings, there's probably something that says privacy or security. And there that's where you can do things, for example, like change your password. But also there's, you know, that's how you can check to see if they also enable MFA. And it'll say, you know, would you like to enable, then if you enable MFA, those apps will then kind of walk you through the process online in terms of how do you want to do it? What option do you have?
And depending on the sophistication of that particular application will depend on whether or not they allow you to use just SMS, or whether they also might use authenticator apps, or even better if they allow you to use security. But not all systems, you know, are there yet with that.

Okay, now I get it. We have to turn it on.

Yes. I mean, unless some companies mandate it, you know, and like, you know, I mean, some companies are saying, you know, no, you need to do it. And, you know, that's more and more becoming a problem. At TechSoup, we, you know, how our staff have to do it. They don't have a choice in terms of their M365 accounts. So I'm going to move on in the interest of time. Password management. Look at that, okay, great, thanks, Michelle. So password management, this is, you know, this is pretty, you know, basic stuff, but it's really actually one of the most important things. Because we're still using passwords in today's world. They haven't figured out a way around that yet. I mean, one day maybe, they'll figure out how to make, you know, a password list for worm. But it's complex because then the more and more systems you use online, the more and more passwords you use, and a lot of people will use the same email combination and password, you know, for everything. And then, and it becomes stale. And like I said, if you use 20 different apps a day and you're entering your same username and password 20 times, it just increases the chance of that exact combination of username and password getting stolen. And at some point, one of those systems is going to get free, they're going to get your username, they might actually get your password too. So, you know, or, and so the thing is, is that with people having to use passwords, change them all the time. We recommend number one, to make sure you have a strong password. And oftentimes web browsers these days will actually allow you to automatically generate a password.
And, you know, so the problem is that you can't, it's a random string of characters and you can't memorize it. So you either have to cut and paste it, but that's the problem about that. So you can't paste it and stick it in a notepad or something on your computer, like a text application. You know, if your computer is hacked, then they've got access to all of your passwords. So what we recommend is to use a password manager. So what a password manager does is stores them all in a safe place online. And there's many different, you know, companies that have password managers. We don't, like, you know, we think people should, you know, find the one that fits with them and we don't really, in these webinars, to endorse particular, this is about education. And so, you know, it's, what is important though, is to employ the practice of using a password manager and also using strong detailed passwords. If you have to make one up yourself and not use, you know, randomly generated string characters, then make sure it's complex that it combines, you know, characters, you know, special characters, numbers, words, letters, and you can be inventive just a way to create a mnemonic about how to memorize that. So you don't have to write it down. The worst case scenario is that, you know, you write it down on a sticky note and put it on your computer. That defeats the whole purpose. Anybody walking by your computer can see that sticky pad and then break in. And so it's, you know, these are some basic things but they're super important. And then refreshing your password at a minimum every three months. And so that's why it's, you know, really hard. The password managers make it a lot more easy in today's modern world to manage these things. So, you know, you look at a password manager, they're all, like, you can look at reviews, they're all pretty, they wouldn't be in business if they weren't good. I mean, that's their job, right? So it is to do that.
So anyway, so, you know, that's where, you know, it's important about, as I mentioned, you know, the, you know, what we see and there's websites that you can go to and actually look to see if your password has been breached. And I think Google actually provides that now as a service and some other companies provide that as a service. And Have I Been Pwned is one of them. And it's a database, people create databases and then sell this information on the dark web. And then they, people get access it's public information when this step is breached. And so it's, like I said, it's kind of scary but it's important to know these things so that you could then understand why we, you know, what we, you know, want to educate our community to the community on these sorts of practices. So any questions about password management?

I have a question, if no one else has a question.

Yeah, okay, please, yes, please.

Yes, I have, I see you have popular password managers examples, can you select that so we can see what those examples are of the popular password managers?

You know what, this, I'm sorry, this will be provided, this will be provided here. And so, you know, there are, you know, I could just say that there's like, you know, if you type them in, yeah, thank you. If you know, community wants to share those, that'd be great just because we're, yeah, thank you. Somebody put in the, Have I Been Pwned website that that's what I was referring to earlier. I love these discussions because I like what people actually share and add to my dialogue, so. So this is great.

What are the chances of a password manager getting hacked? It seems like there would be something.

I tell you, the people who manage these passwords, they have very interesting ways that they protect their cybersecurity. And they, for example, will have multi-layered sort of approaches to their systems. They, you know, because it's their business, it's the focus of their business.
And so they spend more time and money on ensuring, you know, everything's about time and money. And so if that's your business, you know, that then, and they are a target and they know they're a target. And so as a result, they have huge security operations teams that do nothing all day long, but to see who's knocking on their door. And they have multiple safeguards in place. You know, they ensure that any data that's there is seen only by the people and can only be seen by the people who have special access to that data. Like nobody inside their company has access to that information. So if nobody inside that company has access to that, to your information and your data, then there's, you know, the only person who could get it is you. You're the one who, you know, could only compromise the data that would be necessary to then get into that password manager. Hope that makes sense. Any other questions? Oh, thank you, appreciate that. Awesome. Yeah, but I think that, you know, one of the things that helps, and this, I will bring this up because I think I saw something made reference to it, is one of the things that, you know, it's even though it's a little bit off-topic that it's related to this, is when you're in a public setting, like, you know, at the coffee shop, and you're using public wifi, it's, you know, one of the things about using public wifi is that it's great, it's free. However, you're sharing the network with strangers and it's not necessarily a secure network or you can't, you know, you don't know what the efficacy is of that. So I would encourage, like, you know, people to use a VPN when they're in public settings and that's a great policy. And there was a link up there earlier about getting a VPN. 
And so what that does is that encrypts the data so that somebody, you know, they saw you on the same network and they tried that, that's a sophisticated tool to hack your, you know, into your computer, they could because they would, you know, it's not encrypted. It's, you know, probably it could be just what we call clear text. And so they can intercept your data and your passwords as you enter passwords and go online.
Does TechSoup offer VPN service?
That's a good question. If there's anybody from TechSoup on the call that could answer that, that would be great. In my role at TechSoup, I manage our internal, our VPN, but not so much our product catalog offerings as much. Like there might be some who's more up to date with that stuff on the...
Hey, Michael, Gale here. How are you doing?
Hey Gale. Good, good to see you.
I have been lurking and in chat, I just put a whole bunch of information about Dashlane, which in the US is our clear provider of password creation, curation, and they have a really robust VPN service. You know, it's one of those great ones where you can go, I'm in England, I'm in Uzbekistan, whatever. And so you can use that as an automated service and they add new layers to this. And right now we're in the middle of our own cyber, we kind of promotion for them. So through, let me take a look real fast here. It's from the 17th through the 28th, you also save on the admin fee. And it is one of those things where if you don't have password management, you know, to Michael's point, you really need it. And in my role of Chief Business Development Officer here at TechSoup, I've been trolling for this kind of stuff. And so if anybody has suggestions on other resources you'd like to see or that you really wish were here, I've also included a link to the technology wish list. Feel free to let me know and I'll add it to the list. So Michael, I'll let you get back to your presentation.
Michael, please give permission.
Sorry, before I let this one go, Gail, sorry. We have other VPN and offerings on the catalog as well, which are part of the promotion and the Norton 360 is another one of them. It's a new product we have brought to the catalog. It has a VPN, password manager, firewall, and all the other plus endpoint security, all the other things that Michael is gonna hit in this presentation. Majority of our security offerings are gonna be on a 50% discount for this week and next week. So if you can go check them on our website, we appreciate it. You know, that's great. Thank you so much, Asin, for coming online. I'm really glad to have the folks with those who do that work at TechSoup on the call with me. And so thank you so much and I'll go ahead and move on. We've got a couple more topics. This is critical, keeping the software up to date. I'd say nine out of 10 times, the reason why an incident happens that's cyber related is because a system had a known vulnerability that there's known information about how to exploit. So in the cybersecurity language, we call them essentially CVEs, which are essentially known vulnerabilities. And so after software has been up and running for a while, at some point, there's some mistake that's been found in the code. And what people are constantly doing is trying to see if they can break things. And then they'll find some small crack in the code and then try to see what kind of damage they could do. And this happens constantly by security researchers, the people who make a living doing this. And what they do is they actually, this is something that they're called security researchers and they're making a living independently. And what they do is they, and there's programs that these Microsoft has these programs, Google has these programs where if you find a security bug, they'll pay you. So it's big business. And this is how people find it. 
And then they find because it helps them, it's kind of outsourcing their application security to the community. So there's white hackers, we call them white hackers. And what they do is they constantly look for mistakes that have been made, not mistakes that remain code, but things that have happened. And so that's why we get these, that's why Microsoft has Patch Tuesday that happens because they still have downloaded software. And so like their Windows operating system and such, not everything's in the cloud. So things that are in cloud oftentimes updated automatically, that's why you get the alerts from like on Zoom, when you use Zoom it says, oh, updating software is not just for features, but it's to address security gaps. And likewise, your browser is the target because your information as you type in your password, it's sort of happening through your browser. And so people have figured out a way to crack that code and to see if they can hack into your browser. And then see what kind of, what we call cache, meaning stored information is in your browser's system memory and people are trying to get access to that because that'll contain your passwords. And so keeping your systems up to date is critical. And so when you get reminders to update your systems, it's important to take the time to update the systems. And if you have a company that has systems that need manual updating, then your organization should have a policy to and security patching policy. And as everybody from TechSoup knows, we have the monthly, we have every single month we do patching on our systems. And so we have a patching process we follow. And where we go to our different environments or different systems and then we send alerts out to the staff saying, look, we're gonna have, the system's gonna be down for a few hours, what guys, we go through this very, very important security patching.
And it's a, I guess, it's a better, even though it's not great that there's this sort of disruption, it's better than the alternative. And so, and taking the time out of your work and ensuring that you have your systems up to date is really super critical. And that's, and it's not just because there's a bug in the system, it's that the, sometimes it's because what'll happen is that the, they'll be, as features get out of date, the libraries change. The underlying code gets updated. Even if the code was perfect, at some point, the code that they use to develop the application is older. And people, even though it was perfect at the time, it's not perfect anymore. So, and what's really, thank you, Aneeson, for putting this out, but using a patch management tool can really help in this process. Because what it can do is it can collect the assets of an organization. So with TechSoup, what we do is we have a patch management system. It's sort of an enterprise level one. And it goes in, it does, it collects all the inventory of all our systems. This is, hey, these systems are out of date. And because we're a large enterprise company, we have some very sophisticated tooling, but there's stuff that's added for every single size organization, there's patch management tools that can be used. What's great about them is that it does work of finding out on your network what things are out of date. And then you could, if you have a, if it's an enterprise type of tool, you could update everything at one time. All everybody, you don't have to call people up on the phone or you send them an email saying, look, will you update your system? It's out of date. It happens automatically. And so we run that on our client machines. Their antivirus gets updated, and we ensure that, and we do an inventory to make sure that's happening. So in the years to come, we have one more topic. And so I want to move on, and then we'll have some questions at the end. 
Because I didn't want to breeze over this topic. This is, I think, the most of all the other things. I mean, you could have, because everything we talked about before is kind of related to security awareness training. But this is often, when we talk about security awareness training, oftentimes what it is, is essentially being able to recognize if there's a, you know, in an email that there's some sort of something specific. If you get a suspicious email, there's going to be a link in it, and if you click on that link, it's actually going to do something actionable. If you've acted on something. And that could then create a whole cascading effect of harm to your systems, to your organization systems. And this is probably, this is the most common way that security incidents happen, through a phishing scam. And in the last, you know, in the last most recent years, the people who do these scams have gotten very, very sophisticated in social engineering. And they've created some very interesting techniques that are where they go to your company's LinkedIn profile. And they'll scrape the data from that and find out who your executive director is, your CFO, or your, you know, human resources director. And they'll impersonate them in an email. So to try to get you to then sort of lure you to do something or to click on a link, you know. And sometimes there'll be things like, you know, an email possibly from an executive director, say, hey, you know, I need to get them into the bank account today if it's urgent. Is there any information? You know, I can't seem to find the username and password for our bank account. And people, you know, kind of just, you know, in their day-to-day stuff, you know, kind of just see it. They see the email. They see, oh, gosh, you know, this is the boss. I got to, like, act on this right away. And then they, and then the second they do that, it's too late.
You know, it's like, you know, you can't really go and undo that except go and say, oh, gosh, I better go change the password. So, oh, somebody's asked that a question about, are the interests of the process of building a new website address? This is sort of, I don't think we're going to have time for me to discuss that in depth, because I'd like to understand first. But I think TechSoup has some resources available to help with this. So, if you can send us, you know, an email or something or contact us somehow and maybe, Aretha, you could reach out to this organization because we do have some blogs and some other things available to talk about this. And I think that might be some good, provide some good information there. So, you know, in terms of security awareness training, there's certain tools that are available and that we offer TechSoup to be able to go in and actually provide security awareness training. There's quick videos, videos that provide this. Most organizations now have mandatory security awareness training that happens when they're on board so that we, you know, you actually know that employee understand, you know, how this works so that, you know, they aren't, you know, duped into a tricky message or a fake message. But, you know, just the basics of it is that, you know, just because it says it's from, you know, somebody important or for some company like PayPal, by looking at the actual email address itself, if it doesn't say, you know, PayPal.com, if it says something like PayPal, you know, management.com or PayPal bankinginformation.com then that's not PayPal. It's most likely not PayPal. And if you question it, then don't do it. You know, if you get, you know, I mean, the best thing is to be, to err on the safe side and then try to, you know, essentially send it to somebody in your IT department and say, look, I think there's been, you know, I think I've received this phishing email. Can you verify that it's a real email or not?
Always ask somebody in your organization who could validate it or the person who you think sending you the message. You know, if you think that, you know, if you get something from PayPal or something, don't just click on the link. Go to the actual application and go to the website and then look to see if there's a notification there. That way you know whether, if they're sending you an email, there's gonna be information on your account online about whatever they're sending information about. You know, so, you know, but don't click on the link. It's from, you know, something like a financial institution. And so the, anyway, so I wanna leave a little bit of time. So are there any questions that we can discuss regarding the presentation today? And you guys have been a great audience. We really appreciate the participation and the discussion and the helpful links and the sharing of ideas in the chat. That's super. This is why we love to do these things.
Yeah, feel free to unmute yourself. Michael, this was excellent. Excellent. Feel free to unmute yourself to ask Michael a question directly. I see your hand is raised or there's something, is it Timis, Jen? I can't pronounce your name, I'm sorry. Go ahead and unmute yourself. She's doing it from her phone so she's trying to unmute her phone. While she's doing that, anybody else have a question?
No, this is Mariela. Yes, I wanted to say thank you very much for all the information. I grab very good pointers and ideas to implement. I am in Connecticut and I'll be contacting TechSoup very soon. Thank you very much for all the info.
Thank you for that. You're welcome.
So there's a question from Vicki. How do you discern if a prompt to update is authentic?
Very good question. That's a really good question. Whenever I see one of those, I sort of have to kind of say, well, is this coming in?
There should be, because there's user account controls on your computer, if you were to be questioning it, then you can go to the actual website and say, what is the latest version that's available? And so if it matches the version that they're asking me to upgrade to, then it's gonna be safe. So for example, if you get something that says, Chrome wants to update the version 5.6, you can just go to Google and say recent Chrome update and then it'll let you know that that's what's happening. It is good to validate that. I had a prompt this morning asking me to remove an older Java library on my computer and so I checked and it's like sure enough, it was an old version. So I went in and felt safe enough doing it. So that's a really good question, but that would be my advice.
Right, and Michelle, I'll see your hand raised and then Tabitha, I'm gonna read your question. Go ahead, Michelle.
Thank you. I was wondering, and you may have said it already, but like for those of us that have employees and other volunteers, how often should we ask them to change their passwords? Like what policy should we have on how often they should change them?
The general guideline on that is at least every three months.
Every three months, okay. On everything, email included?
Yeah, everything.
Okay, thank you.
Okay, I got you Tabitha, but I see Tim, I don't know if I'm pronouncing your name right, but Ash-
Okay, can you hear me?
Yes, yes.
Yes, thank you so much, okay. My question is that nowadays we all have many, many, many passwords, from work, personal, all that, all that. How can we minimize with all these many ways, I mean, passwords and keep updating them, changing them? It's becoming so difficult. Any idea?
Yeah, so earlier in the presentation, we talked about password managers, and I think Gail mentioned Dashlane and there's some other ones that we employed, but a password management function, there's FreePass, LastPass, and I think that it's, that's why people invented these and actually build companies and some are, and all of them, like I said earlier, are, they have very, very strong security compliance because that's their job, is to do that. And it does make life a lot easier. And so that's why we recommend that. So password manager.
Password, sorry, one more. Is Kaspersky legit? Do they have password management tool? Is it?
I don't know, but I don't, I haven't heard sort of that, but I don't know everything and every company that produces everything. I would say that there might be better guidance in terms of which tool to use by doing, and I suggest that you look up sort of the ratings and also the what is reviews on things. Somebody's providing some good recommendations down below.
Okay, okay. Thank you. Thank you.
Okay, last question from Tabitha. She said, do you have any advice for small operation, two person operation on keeping up with all of this, maybe an order of importance for what you discuss? I don't know how you're gonna do this, Michael, but you got it.
You know, I think that, you know, I think there's a blog article that's coming out at TechSoup that I just wrote that actually is like something that's for some forcible ways, keep your organization safe. And I go through some basic points. And so keep an eye out for that blog article because I think that it does sort of try to prioritize things in terms of the things that an organization should focus on. I mean, and that's just still down to the essentials, so to speak. And so...
That's super.
Is there a book that I could recommend? Because of the, you know, this stuff changes so quickly. At the end of, you know, I think that one thing that would be good to do is to go to NIST.
And NIST, which is that reference that I did earlier, that NIST, and there's, you know, the information is in this presentation. NIST will, yeah, thank you. NIST will have essentially recommendations around, you know, and it's really pretty straightforward. It's not complicated. It's in good, you know, easy language. And so it's sort of, you know, you don't have to be technical, I guess, is what I'm trying to say, in order to understand it. So for a smaller organization, I may not have technical staff, at least, you know, it kind of breaks it down in some very easy ways. And they keep that up to date. And so I would recommend online resources over, you know, a book on cybersecurity and kind of changes so often. A book was written six months ago, it might be out of date. Yeah.
Well, thank you again, Michael. Excellent as always. I do want to remind everybody, we have the Future of Work conference coming up. It's free to register. There's a link in the chat room. Thank you for your question. I learned a lot from you and everybody, as you're taking care of everybody else, please make sure you stay safe and take care of yourself. Bye-bye, everybody.