Seminars

Umbrella IT Monthly Cyber Security Awareness...

Hello, everybody, good afternoon and welcome to another cybersecurity awareness seminar hosted by myself, Jake, from Umbrella IT. Very excited to get started today with everybody and start covering the very exciting topic everyone wants to talk about on a Friday afternoon, cybersecurity awareness. So really appreciate everyone joining in today. Really appreciate everybody, again, taking the time. So I want to be respectful of time. We'll just kind of jump into it while people roll in. I appreciate everyone here being a little bit early, being right on time. Thank you so much. If you do have any questions as the seminar is going on, feel free to throw them into the chat. I'll be monitoring that and I'll be able to answer your questions as they come in or at the soonest appropriate time. And your questions, I can promise you, are not silly questions. They're going to be appreciated by everyone else in attendance. And I promise you that people are going to appreciate you asking that question.

So without any further ado, we'll go ahead and jump into it here as people are joining in. So again, thank you all so much for taking the time. My name is Jake from Umbrella IT Services, and today we're going to be talking about cybersecurity awareness. So the goal of today's seminar is to just bring awareness to the threat landscape in 2024. We want to arm small business owners, small business managers, small business staff with the knowledge of the threats that you are going to face this year and then provide you with some tools that you can use to recognize these threats and mitigate them inside of your organization.

So we'll jump right into it here very quickly. Just have to go through a disclaimer with everyone. Again, the seminars are for general information and educational purposes only. Implementation or adaptation of these materials does not mean that I am now an advisor to you or your company. For that, we need a managed services agreement.
Again, if anyone is interested in pursuing managed services, we would be happy to help with that in a different discussion. But we also accept no responsibility in case I missed a statistic or if there are any errors, omissions or inaccuracies in the content. I spent a long time researching this using tools like Norton, and there's a lot of other private studies that occurred regarding these statistics. Webroot is quite a good resource. There's a lot of other companies like Verizon that are doing a lot of good research that I've referenced here. We're also going to accept no liability for any damage of any kind incurred if you do use some of the advice we provide here. The seminar is also going to refer to different products, services and strategies. And simply because I mention them does not mean that we are actually endorsing those strategies. And finally, use your own judgment, confer with your own professionals, your own group of experts before you implement anything. And please remember that cybersecurity is a shared responsibility across your organization from the bottom all the way up to the very top. And let's all try and stay informed and stay secure.

So to get things started, we're gonna jump right into the 2022 and 2023 cybersecurity statistics. So this is the front loading of all the boring stuff. We're gonna get into the fun stuff after this, but I just wanna make sure everyone understands statistically what is the reality of the world we live in. I don't wanna talk about people's anecdotal experience. I obviously have a high exposure to cyber threats and attacks and things like this. And I really wanna focus on the statistics instead of going through anecdotal evidence. So in 2022, 63% of cyber attacks were caused by insider negligence, which means that people knew what they were supposed to be doing, and they took actions that they knew were incorrect, resulting in a cybersecurity attack being successful.
So it's a big difference between an accident and negligence. So very important to keep that in mind. The average cost of this negligence was $7.68 million Canadian to organizations with 500 employees or less. So again, that means that half of the attacks cost more than that, which is something to keep in mind. And again, these are small businesses being targeted. 60% of organizations get shut down permanently within six months of being attacked. And this is for a multitude of reasons, one of them being that the average recovery time from ransomware is four to six weeks for a small business. So it takes four to six weeks to get back on your feet, back in operating, communicating with clients, doing things like that. So very, very important to keep in mind that you will be experiencing downtime of four to six weeks in the event of a ransomware on average. So we really wanna make sure again that your business can withstand that. You have things like backups in place. So that recovery time turns from four to six weeks into maybe 40.

60 percent of organizations that were attacked in 2022 also didn't think that they were going to be attacked. They believed that they were not a big enough target. For whatever reason, they think that they're not going to be attacked. So if you do have someone in your organization, they don't think they're important. They don't think they're going to be targeted by these malicious actors. They are most likely, statistically, the person that will cause this attack through their negligence by assuming that they're not going to be a target.

Another interesting statistic here is that small businesses are subject to 350 percent more social engineering attacks than enterprises. I'm sure everybody has heard about the ransomware attack that took place against London Drugs. I believe it was a ransomware attack.
But I'm sure no one has heard about the local electrical company or the plumbing company or the school supply company that were shut down last month that I've heard about through my network. Those ones don't get the same attention. But again, almost every day multiple small businesses are taken down by malicious actors, either through social engineering attacks, ransomware attacks, or multiple other types of malicious activity. So we'll talk about that a little bit more later on in the presentation. And the final thing to focus on here is that only 53% of employees can correctly define phishing. And we're gonna get into that definition, and I'm gonna make sure everyone that's attending today is able to confidently define phishing by the end of the seminar.

One last thing I wanna touch on very quickly is the attack vectors that are being used against small and medium organizations. The number one here, almost 40% of the time, is phishing, which is where somebody impersonates a trusted source to collect sensitive information or install malicious software. So again, they're impersonating a trusted source to install malicious software or to collect sensitive information. So that is the attack being used 40% of the time. And there's another alarming statistic that we'll go over later on in the presentation.

Final thing here is that there's been a 4900% increase in cyber attacks between 2017 and 2022. The other thing that's crazy is since 2022 to 2023, there's been a 90% increase. And then since the beginning of 2024 till now, there's been a 98% increase. So we've essentially seen a 4900% increase from 2017 to 2022, and then basically doubling every year since then. So with the use of AI automations and all these other tools, these malicious actors are now able to essentially automate their attacks, which is very, very alarming. They're becoming significantly more complex.
And there's a lot of other kinds of threats that we're gonna talk about today, but that's all the fun stuff out of the way. We can move on to some definitions. Now we can start focusing on what it is that you'll be facing day to day and how you can recognize these types of attacks. And then we'll talk about how to defend yourself shortly afterwards.

So what is information security? If you were to come to me, or go to another cybersecurity specialist, and you were to ask them, is my file server secure? Is my database appliance secure? Is my QuickBooks file secure? These are the four pillars that I would look at before I tell you yes. So the first thing I want to make sure of is that your information is confidential. Let's use a QuickBooks database as an example. Is your QuickBooks database file confidential? Can your retail front desk staff access that database when you don't want them to? Have you set up the appropriate permissions inside of your organization? From an outsider perspective, do you have a firewall protecting this? Is your computer protected? Does your computer have a Trojan virus on it? Does it have something screen capturing? Does it have a key logging virus on it? Is the data inside of that QuickBooks database confidential?

The next is how you maintain the integrity of that database. Are your 2023 numbers accurate or have they been tampered with? Have certain numbers had a zero added? Has a zero been removed from other numbers? Again, if you have this data, but the integrity has been compromised, it's as good as useless. In some cases, it would actually be more dangerous than not having it at all.

The next question I would ask is, is it available all the time? When you need your QuickBooks database, can you remote into your network? Can you go into the server that's hosting it? Can you access it? Can you go to QuickBooks Online? Can you sign in and access it? Wherever it is that you're hosting it. But it needs to be available.
If you open your computer and it has ransomware on it, and you can't even access the internet or go into your QuickBooks database file, then I would not call that secure.

And the final thing that we wanna look at is accountability. So we want to have an audit log of who signed in to what computer, what computer was able to access the QuickBooks database file. What did they modify? When did they modify it? And how did they modify it? So if that account were to become compromised, we can then pick a date, reverse, run a backup, reverse the damage that was done. And then again, reverse that damage by just restoring one of those backups and making sure that we understand who logged into the database. When did they log in? What did they interact with? What did they see? What did they edit? What did they make comments on? And we can undo that stuff if it was done by a malicious actor, or we can simply keep track of activity that's happening throughout the organization.

And you wanna have these four different pillars in place for all of your staff, for all of your workstations, your desktops, your Macs, your PCs, your iOS devices, your Android devices. You wanna have that in place for your server infrastructure. You wanna have that in place for your network infrastructure, and you wanna have that in place for your cloud services and business applications like Google Workspace, Microsoft 365. If you're in the medical space, maybe the Jane app. If you're in construction, maybe that would be your Jobber application or Service Fusion or any of these other CRM platforms, Zoho, things like that. But you want to have these four things in place, and then you can actually start to talk about how secure your organization is. You can then start to move on to the next phase, which we'll talk about later on in the presentation, which would be the tools that you can put in place to add on additional proactive security measures.
So one thing I want to highlight here is the top 10 targeted industries for these malicious attacks in 2024. The number one is industrial goods and services. I'm sure a lot of people have heard about the hydro plants and the other power plants in America that have been getting targeted like crazy. In Canada, thankfully, I don't believe we've had any. We might have had a couple, but I haven't heard about them. But industrial goods and services are being targeted. Manufacturing, power plants, things like that. Technology companies are under attack frequently. Construction, travel and leisure, healthcare, education, government especially, legal services, food and beverage and consulting. So again, no sector is really safe from this. We have retail companies that we manage. They're actually getting more social engineering attacks in my experience than some of the professional services businesses that we're managing, like accounting firms and law firms. So again, if you think that your business isn't important enough to get targeted, if you're a retail shop, if you're a food vendor, things like that, you don't know what these people are trying to get a hold of. Maybe they're trying to get a hold of the email list of all of your clients that you sent email receipts to. And then they're going to impersonate your business and send those people something to collect sensitive information or to install malicious software. So these are the top 10 targeted industries.

Another quick thing I wanna talk about is liabilities and consequences of these types of attacks. So if you are targeted by a ransomware attack, by a social engineering attack, some sort of malicious activity, a lot of people think that you're gonna have downtime, you're gonna have to pay a ransom and then you're gonna be back up and running. You gotta pay some IT guy to get your stuff fixed and then you're back on the floor. It doesn't matter. Some things that people don't really think about are tied together here.
That would be the reputational damage, loss of trust, vendor partner disputes and legal and regulatory fines. So for example, if you are a personal injury law firm and you were compromised and you start emailing some of the MRI clinics and doctors that you work with, and you send them more copies of ransomware or you send them Trojan viruses or you send them fake invoices or you send them payment updates, letting them know that the wire transfer accounts they normally send payments to have changed, and someone uses AI to copy your voice and the MRI clinic sends a payment somewhere else because they received an email or a phone call from you. That results in a lot of reputational damage that can result in a lot of loss of trust. And you can get into some pretty heavy disputes over different issues here. So very, very important to keep this stuff in mind that it's not just a matter of you got hit by a virus, you got to pay some, got to clean your computer up and you got to start over from the beginning of the week when you got hacked. You can still experience data loss. We've seen certain accounting firms call us. They've lost three months of data at the end of April. So if you are in the finance industry, how much of a headache that is, having to redo the entire tax season for all of your clients, is an absolutely monumental operating expense, let alone the fact that again, you're going to be down for four to six weeks while your entire fleet of computers, all of your Sage and QuickBooks databases are being restored. All this other sort of technical work that needs to happen, it can be absolutely devastating. Obviously the financial losses of being down, having to pay out $50,000, a million, $2 million to these people holding your business ransom. The reputational damage, again, of your staff talking about being off work for four weeks because we got hacked, we didn't have proper security in place.
Your clients talking about how they can't email you, they've been getting weird emails, they've been getting weird phone calls, things like that. Again, your staff and your clients talking about a lack of trust. And then again, if you're being negligent, especially if you're in the healthcare space, any sort of professional service advisor, accountant, law firm, chiropractor, you know, things like this, you could be subject to legal or regulatory fines for being negligent. And again, we've already talked about the cost of downtime, data corruption, restoration costs. And again, if you go to renew your cyber insurance with Beazley or things like that, you're going to be facing some pretty heavy increases when that time comes. So something to think about there.

This is something that I'm not going to go into in too much detail. I'll let folks take a screenshot if they'd like here. But this is simply a list of different threats that each section of your internal infrastructure does face. So again, for your people, things like negligence and malicious user and ex staff member being manipulated by a trusted source, somebody impersonating a trusted source. And again, these other types of threats here. For your devices, the most common ones I would just talk about very quickly are outdated software and hardware, very important to keep your systems up to date. Very important to have a proper antivirus solution in place. I'll talk about some recommendations later. But just offhand, I would recommend SentinelOne or Cylance, C-Y-L-A-N-C-E, as some good alternative solutions. I personally don't trust things like Norton Antivirus or McAfee. So keep that in mind. And you would also want to have a good backup on your devices to make sure if anything does go wrong, that stuff is covered. Finally, your networks. So you can have a couple of different things go wrong with your network. You could have somebody connect to your network and investigate your traffic.
They can kind of soak up the things that you're sending over your network; most of that is going to be encrypted. It's not much to worry about. But you can also have somebody break into your network and simply take it down. They can shut down your network and you won't be able to access things anymore. That would be more of an active threat versus a passive one, where someone is just connected to your network, they're siphoning data and they're kind of doing that kind of thing.

Finally here would be your cloud services. This is probably the most relevant to a lot of folks today. As I mentioned before, medical professionals are starting to use things like the Jane app along with their other EMR solutions. You have people that are in the construction industry that are starting to use tools like Jobber and Service Fusion. They can have a technician go on site. They can take photos of the things that are on site. Their scheduling and dispatch goes through these cloud services. Essentially all of these small businesses are now starting to centralize all of their data and their systems inside of these cloud platforms, even things like Microsoft 365 and Google Workspace where you have your calendars, your files, your contacts. And we need to make sure that we're putting the proper security measures in place for these platforms. So things like two-factor authentication, making sure that we can't install third-party applications inside of our 365 platform, for example. But it's very important that if we're gonna be centralizing all of our data inside of these cloud services, that we are aware of these types of threats that can happen to those cloud services.

This is the most important part of the presentation, I would say here, aside from the cheat sheet that I'll be going over with everyone at the end. This is the most prevalent threat that a small business faces in 2024. This is the social engineering portion of the presentation.
Social engineering is when someone tries to hack you instead of hacking your technology. It is very difficult for me to brute force the HTTPS encryption that most websites use nowadays. It would require a supercomputer and a hundred years for me to decrypt your web traffic. However, it would be very easy for me to impersonate one of your employees or a vendor or a client or someone that you trust, again, any trusted source, and then manipulate you to get sensitive information or to get you to install malicious software. So we'll break these down really quickly and then we'll move on to how you can keep yourself safe from these threats. I'm gonna be giving you guys a lot of examples of each of these types of threats, just so everyone can identify them and keep themselves safe. And then we'll go into the actual tools to proactively protect yourself from these. So 98% of cyber attacks in 2023 and 2024 leverage social engineering. So again, if we are not being negligent and we are being actively conscious of what we're clicking on and what information we're giving out, we're going to be able to reduce 98% of cyber attacks that occurred in 2023 and 2024.

So the first one I want to talk about with everybody is a phishing scam. So as we talked about before, a phishing scam is impersonating a trusted source using fraudulent communication, and they're trying to collect sensitive information, or they're trying to get you to install malicious software. So again, fraudulent communication using email, text, phone, or web. And the other two things I really want to focus on here are it's going to spark an emotional response, and then it's going to include a call to action. So for example, your PayPal account has been compromised. You need to sign in right now to undo the damage. Your Microsoft password is about to reset. You're going to lose access to your account. You need to sign in right now and reverse the damage. That's what they're always going to do.
They're going to be bright red, scary lettering. Here's a big problem, but in nice blue lettering, here's the solution, just click here. Just give me the phone number, click the link, put in your password, open the webpage, download the ransomware, do this now. We're going to go over some examples of this later.

Baiting is another very common one. For the older folks here, like myself, we have the, you are the millionth visitor to this website. Congratulations, you just won a million dollars. And then for a more modern example, we have, you just won a $150 Amazon gift card. All you have to do is click on the link in your email, fill out this form, and then you'll be able to get that. So again, they could either have the link that you initially click on install viruses on your computer. They could have the form that you fill out be used for identity theft. They could add you to another email list where they start to do more complex attacks. It could add you to a list where they start looking at you and kind of going into your LinkedIn and into your social media accounts and learning about your network. Maybe they can use the data that you just gave them to go after someone in your network, things like that.

Quid pro quo is an exchange of services for critical data. So that would be an example of the old school Microsoft support scam that was quite popular two to three years ago. Older folks would be getting calls from Microsoft. Microsoft would be letting them know that their computer had been compromised and they needed remote access to the computer to help them clean it. So people would be calling these older folks impersonating Microsoft, getting remote access to the computers, installing screen capture software, installing Trojan viruses, installing things to monitor what they're typing on their keyboards. And then they would be charging these older folks $200 plus for that service. And then they would be monitoring them.
And as they go into their banking or they email their kids or their grandkids or they do whatever it is they're doing on their computer, they can then blackmail them or again contact those people or get access to their bank accounts. And a lot of trouble would occur from that. So again, people trying to exchange services for critical data is another thing we want to keep in mind here. Usually impersonating a trusted source or a technical expert.

Another one here is piggybacking. This is usually a real-life phishing attack. So again, I've seen this happen a couple of times throughout my 11-year career where people have impersonated a Shaw technician or a TELUS technician. They've come into an office to steal equipment or to install equipment that is going to provide them with insight into activity in the office. So what they'll normally do again is impersonate a trusted professional. They'll ask you to hold the door. They forgot their key. They're so-and-so's partner. They need access to the server room. They need access to so-and-so's office, things like that. They might plug in a USB stick that lets them bypass your Windows computer's password. Again, they might just steal things; back in the day they used to steal phone cards, which were quite expensive. But again, someone impersonating a trusted source in person, trying to get physical access to a sensitive area.

And the final one is pretexting. So again, you've been summoned. Someone is calling you from a law firm. You're being targeted that way. Again, they create a fictional scenario. So-and-so has been in a car accident. You need to pay their hospital bill, you know, anything at all. I've seen a million different types of scams like this where somebody creates a fabricated scenario, they're impersonating a trusted source. And again, they're trying to collect sensitive information or they're trying to install malicious software.
And unfortunately, because of the rise of these AI tools, a much more common threat that's been going on these days is people using AI to call you. You pick up the phone, hi, hello, who is this? What's going on? They could just take a recording of me talking on YouTube, run it through there. And now they have my voice. They can feed that into an AI. They can replicate my voice. And now they can call whoever and impersonate me. If they have enough information about me, they can now impersonate me, call someone, hey, the building's changed or this update or whatever it is that's going on. And now they can create a fabricated scenario, run a client or someone else through this loop. And then again, collect sensitive information, collect money or get them to install malicious software. And I've seen multiple different examples of that. We're going to go through those in a little bit.

So for the phishing scams here, again, we have deceptive phishing, spear phishing, whaling, and vishing and smishing. So again, a very high-level overview, and we'll move on to the examples after this. The first is deceptive phishing. So for deceptive phishing, what we're talking about is anything that is targeting a large group of people. I liken this to a shotgun blast. They're trying to hit everyone in your organization and they want to see who falls for the scam. So again, they'll impersonate Microsoft or impersonate PayPal, whoever. They'll send a big email out. It'll hit everyone in the organization and 2% of the organization will fall for the scam. Now they have their target. Now they can go spear phishing. So what they're going to be doing now is they're going to be targeting these 2% of your organization that fell for the scam. They're going to be going on their LinkedIn, onto their Instagrams. They're going to be emailing them to see if they have holiday reminders up. They're going to be digging into these people to get more information on them.
Once they have more information on them and there are people of interest, they can simply target those folks. If those people of interest are in that person's network, then they can start to go after them. So for example, if you're a manager of a retail store, if you're the operations manager of a finance firm, or if you're just, you know, middle management or an entry level position in a company, you can then be leveraged to get access to a whale, one of the big fish inside of the organization. So what'll happen again is they'll send out a big shotgun blast, they'll get 2% of the organization, they'll target those people and either drill into them and get information out of them, or they'll use them and compromise their email accounts, for example, to then email the big fish, or they'll do multiple other types of impersonation to get to the big fish. Then the final type of phishing scam is a voice phishing scam, which again, with AI, is very popular these days, or an SMS or a text message phishing scam, again, very common, with people doing something called SIM swapping, where you call Rogers, Telus, Bell, you say, oh, I lost my SIM card. They'll give you a new SIM card. And now you have access to this person's phone number.

And again, final thing before we get into some examples is the types of communication these folks are gonna be using. So again, this could be official communication coming from inside your organization: need your payroll information, we're setting up a new payroll system, here's the new benefits package, we've got a COVID exposure, whatever it is that they're gonna do, it's gonna impersonate official internal communication. Shipment notification, UPS needs payment, Canada Post tracking information, whatever it is. Nonprofit requests. This one is particularly nasty, in my opinion. They'll usually break into a nonprofit. They'll get their donating or charitable email list.
And then they'll email all of them saying, it's that time of year again, make sure you donate here, just click the link. They'll go to PayPal, they'll go to Square, they'll punch in their credit card information. And now all of a sudden they've donated all this money to hackers instead of to the people that actually need the support. Happens all the time. Another one here is application notifications, like we talked about, PayPal, Microsoft, they've been compromised, give us your password right now to fix it. And again, more important announcements. So again, this can kind of be linked directly to the official communication where people are impersonating, again, HR, legal, your boss, people underneath you, whatever. And the thing that all of these have in common is that they're usually going to be last reminders. They're gonna be laced with urgency and they're gonna give you that fix right away. You're not gonna get paid unless you give me your social insurance and your banking number right now. You're not gonna get access to your Microsoft account unless you reset your password right now, things like that.

So here are some examples. We're gonna get into these examples and then I'm gonna be giving you guys that cheat sheet so that you can implement these proactive tools to keep your organization secure. So the first thing I wanna talk about up here: high severity alert, very important. It's mentioning my email by name, so I can see here right out of the gate, we've got action required. It's a high priority, and just like I talked about, we're going to have that nice blue calming solution right there. Some things to look for to identify how this is a scam would be the email that it's being sent from. Now, people can spoof certain email accounts, so you want to use specific tools to filter that out. But again, this is a really easy one to detect. There's no way this is a Microsoft email account. This is obviously not the Microsoft logo.
I've never seen it in this aspect ratio. I've never seen this color of brown with the Microsoft logo. If I hover my mouse over these links, I'll see where they're bringing me. When you hover your mouse over them, you don't want to click on it. It'll show you the website that it's bringing you to. I can promise you this would not be bringing me to Microsoft365.com slash user accounts, whatever it is. Again, just to take one more look at this quickly: high severity alert, sent from, it's got the word Microsoft in it. My password is going to expire today unless I go ahead and click the Keep Password button. I'm required to keep my password to avoid login interruptions. So again, sense of urgency, giving me the call to action right there, and it's all encapsulated inside of one email.

Another example here would be spear phishing. So again, let's say that I managed to break into Jane's email account. Jane is in charge of the operations or an account, and then Gareth is in charge of accounts payable. So Jane's account's been compromised because these malicious actors were trying to get to Gareth. So now they can get into Jane's account, send Gareth an email, and they can get him to process that wire transfer. Now, what's particularly nasty about this is that people are starting to use AI voices to accompany an email like this with a phone call. Now, I've seen this happen twice to two new clients of ours, resulting in a total amount of damages of $80,000 before they signed on with us. So what happened was, again, they received an email like this. Hey, we got to send $40,000 out. Okay, let's send it. Got a phone call. Hey, did you get the new wire transfer information? $40,000, a lot of money. Yeah, of course, I did. Thank you. And then they sent the money off without a second thought.
It's very important to make sure that you have a policy in place, such as a financial approval policy where anything above $1,000 that you're sending out needs approval, or whatever number you want to pick. But the way to protect yourself from these types of social engineering attacks is through policies that are properly developed and regularly reviewed with your staff. It doesn't mean you need to waste an hour a day going over policies. It just means that you need to have little reminders in place for folks. So again, very easy to identify if you were to just call Jane directly on her personal line instead of getting a phone call from a weird number where someone's impersonating her. So again, have these policies in place, have procedures in place where you can verify and protect yourself from these types of attacks. This is my favorite. I have a couple newer ones that we're not going to go over today, but this is my favorite example. This is the personal injury law firm and the MRI clinic that I gave the example of in the previous slides. So in this example it's actually the reverse of the example I gave before. So at the bottom we have the original email coming from the law firm going to the MRI clinic. So the law firm says, hey, we got your letter. The file hasn't settled yet. When it settles, we're going to pay you. Here's the invoice. I've resubmitted it to our accounting department. You're going to get paid ASAP. Have a great day. The MRI clinic, unbeknownst to this law firm, was compromised. So the MRI clinic was being controlled by malicious actors. The MRI clinic had no idea that their email was down. The hackers had total control of their emails at this time, and they responded to the law firm. There were three lawyers and one support staff, I believe. And they said, hey, you need to take a look at this and tell me what you think. I feel like these calculations are incorrect. Tell me if we need to redo this. 
And again, if the lawyers had hovered over this link, they would have seen it was not a OneDrive link. It was not a SharePoint link. It was a malicious link. Unfortunately, all four of the staff clicked on it. And thankfully they had that AI antivirus I talked about before, SentinelOne or Cylance, on their computers. And it was detected and it was mitigated and nothing happened. They had a scary flashing red computer screen for a couple of seconds. We got a lot of tickets on our end telling us that a virus had been detected, and we were actually able to notify this MRI clinic that they'd been compromised. They didn't know. They had been actively taken over about four to five hours before, and whoever was in control of their emails was going through everything that that account had sent and received in the last six months, whatever time period. And they were responding to people with attacks like this to spread the infection and compromise more people. So very, very important to have email filters in place. Very important to have antivirus in place. Most importantly, important to have common sense and good policies in place where we're not just clicking on random links that we trust. So again, this is one of my favorite examples of a whaling attack again. And then finally we have phishing and smishing. So again, I'm sure everyone's received emails like this. They're not very complex. Text messages, excuse me. UPS needs your credit card information to deliver a package you didn't order. Netflix is gonna expire unless you click the link here, and obviously not a Netflix link. And the thing everyone's been waiting for is the cybersecurity cheat sheet. So these are the things that I would highly recommend for every small business. This is gonna take care of 80% of the threats that your small business is going to face day to day. And I say that just as a professional, it's my professional opinion. Security is a game of cat and mouse. You're never gonna have 100% security. 
Anyone selling you that is not being entirely honest, in my opinion. I believe security and IT are all just a different house of cards. And it doesn't matter who's building the house of cards. There's always a way to knock it over. You can go crazy with the expenditures. There's gonna be a way to bypass things. You can go cheap and there's gonna be a way to bypass the things you put in place. So the first thing that we'll talk about today is the three, two, one backup structure. So this would be for Backblaze or Backupify. This is a very cheap solution for people that are not dealing with sensitive information. This is a $5 to $10 a month solution that'll back up all the files on your computer. Just as a quick example, again, you wanna make sure you're backing up your computer. You wanna make sure you're backing up your cloud data. You wanna make sure you're backing up your network infrastructure, your server data, all of this stuff. Just because you have your data inside of Microsoft 365 or Google Workspace does not mean that it is being backed up. We get phone calls all the time from companies that have accidentally deleted 40% of their Google Drive, 80% of their SharePoint. Somebody moved a folder where it shouldn't have been; things like that happen all the time. And thankfully most of the time they can recover the data, but I would say about 10% of the time they can't and they've lost 40% of their files. So do not think that just because you built your house on Microsoft and Google's lawn, that that house is yours and you own that data and they're caring about it the same way you would. It's very important to have a backup policy in place. And again, you can use something like Backblaze or Backupify for $10 a month. We have certain solutions that we're offering for, again, as little as $10 a month as well. You can also get a full cloud backup from us for as little as $100 a month where we back up your data three times a day. 
But I just wanna bring this up so people are aware of what's out there. Now, things to consider when you're setting up your backup, and then we're gonna zip over to endpoint and email security. I'm gonna spend a lot of time on backups because this is the most important thing. If you have all the security tools in the world and you don't have a good backup, you're gonna be in trouble. Because at some point someone's gonna bypass something, someone's gonna accidentally delete something; you need a good backup. Things to consider would be your downtime tolerance. How long can you be down when something goes wrong? If I spill coffee on my computer, can I just wait a day and go to Apple or go to the Windows Store or go to Best Buy, pick up a new computer? Am I okay with that? Do I wanna have a spare computer in my office that I can just pull out of storage and set up right away? Do I wanna have to wait for Lenovo to ship me a $2,400 Carbon that's gonna take two and a half weeks to arrive? What's my downtime tolerance? Same thing, if my QuickBooks database file is down, do I have to download it from the cloud? What kind of downtime tolerance do I have for each part of my infrastructure? If I can't send or receive emails because Microsoft is down, how long can I tolerate that for? Phone systems. How long can you tolerate your phone system being down? Things like that. How long can you tolerate your network being down at your office? Things to consider. Critical versus non-critical data. I've seen people spend 10-15 times as much as they need to on a backup because they're backing up files that haven't been used in two years. They're backing up, I need eight terabytes of backup, believe me, it's super important. And they back up eight terabytes of data a month, every single month for no reason. In reality, they're using 20 gigabytes of data. So figure out what the critical data is, get that backed up as often as you can. 
Don't worry about the archive video footage that you have. If you haven't touched it since 2016, just focus on what your active critical data is, get that into the more expensive backup, and use something like Backblaze to back up the archival footage and this other low sensitivity data. Frequency of backups. Are you okay with your backups taking place once a month? If your backups break and you have an issue where your backups actually go down, and let's say again, you restore from a backup like this accounting firm did, and you lose three months' worth of work, is that okay? Would you rather have your backups take place every day, which is going to be significantly more expensive? Do you want them to happen multiple times a day, once a week, multiple times a week, multiple times a month, etc.? It's very important to figure that out as well. How frequently are you going to be taking backups? Another thing to consider is your data retention length. Are you going to take a backup and then throw it away three months later? Because in my experience, hackers usually take down about 90 days' worth of your data. So you want to have backups running at least one year. Some people go for seven years because they're regulated. Again, financial advisors, law firms, things like that. Anybody that's dealing with health data, you need seven years with the backups as far as I'm aware. So it's important to consider how long you're going to be retaining these backups for. Another thing to consider is, is your backup going to be taking place on-site or off-site? Because I see people do this all the time: I have a backup, it's this hard drive right here. It's got all my data on it. I don't need to worry about a backup. It backs up every day, yada, yada. They have a fire, they have a break-in, something goes wrong on-site, there's ransomware. The hard drive is connected to the server when the ransomware hits, all their data is wiped, it's all gone. 
So you need to make sure you have an off-site backup as well. Another couple of things here are, are you backing up the files on your systems, on your computers, on your servers, or are you backing up the full system? A lot of people, again, they go with a file-only backup, like Backblaze, for their server. And they say, all my files are backed up, I'm totally safe, I got nothing to worry about. And then when they go to restore their backups, they have to reconfigure their CRM software. So if you're using a piece of software, any sort of SQL database, you know, it could be QuickBooks, it could be anything. I won't give some client-specific examples, but if you're running software on your server, you need to make sure that the full system is being backed up, including the software, not just your files, because if only the files are being backed up, when you restore from that file backup, you need to bring in an IT team to restore the software. They need to reinstall the software, they need to reconfigure it, they need to reconnect all the individual workstations to it. They might need to rebuild your Active Directory where all of your staff are listed and all the file server shares are listed and all these other objects are listed, and everything will have to be manually reconfigured. Very important to decide on what type of backup you're going to be taking there. Couple other things, you need to make sure you're regularly testing your backups. I see that happen all the time. I've been running backups for three years. Don't worry about it, we're good. And then we go and we say, okay, well, let's test the backup. We go to open up the folder and it turns out the backup manager crashed two years ago. Nothing's happened. Or we go to restore the backups and the backups have been corrupted all the way back six months for whatever reason. So very important to regularly test them. Again, I would bring that up to the frequency of backup. 
So how frequently are you taking them? How frequently are you testing them? And then the final thing is to assign responsibility inside of your organization, because we get called into new clients all the time and they're talking about, oh, we got hacked, but we had all this stuff in place and da-da-da. And I say, okay, well, who is responsible for the backups? And the three people at the table go like this and no one takes responsibility for it, because they thought the other person in the office was handling it. So it's very important to make sure that everyone in the organization understands who's responsible for that. It could be a company like us. It could be an individual. It could be an IT manager. It could be an operations manager. It could be the owner of the company, but you need to assign responsibility. And all of this stuff put together comes up with what we call a three, two, one backup solution, which means your data's in three different places at all times across two different mediums. So again, it could be backed up offline and on a hard drive, on a computer, in the cloud, whatever. And one of those locations is offline. So three different locations, two vendors, two mediums, or one offline storage solution. You need to have all of those things for us to be able to tell you that you have a secure backup. That protects you from theft, ransomware, viruses, corruption, pretty much anything that can happen. A three, two, one backup should cover you, again, 80% of the time plus, I would say 99% of the time. Couple last things, endpoint security. Again, top of the list there, so you wanna make sure that your computers, your servers, they are protected. Make sure you have backups on them. When you're using your computer, make sure you're using a non-admin account. That's a very easy free step everyone in this seminar can take right now. 
So again, if you're using a computer and you notice that you have an administrator account on your computer, that means that if you go to a bad website or if you open up a bad Microsoft Excel file or someone sends you a piece of ransomware, it can just run because it's already in an administrative environment. So what you wanna do is have a user on your computer that's a local account, if you're using a Mac or a PC, that's a non-administrator. You use that as your day-to-day account, and then whenever you're doing something on your computer that requires administrative permissions, you'll be prompted to type in an administrative password. It is a bit of a pain in the butt, you know, you got to type that password in maybe once a day, once a week, but if that pop-up comes up when you're not doing anything out of the ordinary, you're just opening an Excel file, why would I need an administrator password for that, you know something is wrong, and then you can prevent that ransomware from taking place on your computer. You can prevent that software from running with administrative credentials without your permission. So very important, take the time, go into your control panel, add a user, make a local account that doesn't have administrative permissions, set that up for yourself, have your IT department do that if they're not already doing it, do it on your home computers, do it for your kids and their school computers, do it in your personal and your professional life, it will save you a ton of headache. That's a super easy fix that'll protect you from a ton of different types of attacks. As I mentioned before, we highly recommend SentinelOne or Cylance antivirus. The reason for that is it uses AI and it usually detects unusual behavior. Why is the game that your kid plays trying to encrypt your OneDrive files? Why is Google Chrome trying to download two terabytes worth of information? 
It'll detect unusual behavior and block it on the spot, it'll warn you about what it's doing, and then you'll be able to proactively deal with things. Tools like McAfee and Norton, they use more reactive databases where someone's reported something, they identify it as a reported threat and then they block it, but SentinelOne or Cylance is fantastic at being more of a proactive antivirus solution. Final thing, make sure you're doing your Windows updates, you're doing your macOS updates, you're doing your third-party updates. There was a bad update for macOS a few years ago where you could get into any Mac account by typing in the password R-O-O-T, and you would get into any Mac account. I might be misremembering the details on that, but something to keep in mind that you do want to always stay up to date with the latest and greatest software updates, especially for those third-party applications like Adobe and AutoCAD, and these other tools that we're using all the time. Google Chrome, for example, just patched a huge exploit where people were getting hacked because of a bad outdated version of Google Chrome. Again, make sure you're keeping up to date on your servers and on your desktop computers. Final couple of things here, e-mail security. Very, very, very easy. Number one, again, backups. Make sure your e-mails, your contacts, your calendars are being backed up. You can do that for very, very little these days. Again, we can provide that service for 100 bucks a month. You can go to other places that'll be two, three times as much and you can go to some places that'll be two, three times cheaper, but just make sure if you're using Google Workspace, you're using Microsoft 365, you're getting that data backed up every day, especially if you're using an e-mail provider that is not Microsoft 365 or Google Workspace. Another thing I would highly recommend for everyday, for everybody, is multi-factor authentication. 
If you sign in to your e-mail account, or your Jane account, or your QuickBooks Online account, or whatever your cloud service account is, from an unrecognized device, you need to be getting a secondary code sent to an app on your phone or a text message to your phone. I highly recommend you use the apps. There's so many ways to get around the text message verification. Make sure that you are setting up all of your cloud accounts with multi-factor authentication on an app like Authy, Google Authenticator, Microsoft Authenticator, etc. Make sure that when you sign in on an unrecognized device with your password, they can't get into your accounts without that six-digit code that's being generated on your smartphone. Very, very important. Next thing here would be IronScales or Sophos e-mail security. These are great e-mail filters. Anyone here that's using a regular e-mail provider, I'm certain that you've gotten a spam email in the last week. It's almost impossible that you haven't. It's so prevalent these days. If you set up a tool like IronScales or Sophos, you can get these for as little as $8 a month, that will prevent spoofed emails, that will prevent malicious links, that will prevent malicious files, that will prevent things that'll cause data loss, it'll prevent emails that have been sent through suspicious servers. There's a million different things that these tools will protect you from, much better than the Microsoft or Google Workspace spam filters will. Again, they use AI. We have property managers that receive hundreds of emails a day from Craigslist, from random Gmail accounts, and the only ones that get filtered are the malicious ones. Again, very, very important to put in place an email filter. 
In my opinion, if you have an email filter and you have a backup for your users, for your workstations, for your servers, for your networks, for your cloud services, you've pretty much won the battle 98% of the time, right out of the gates. You can add in all this extra stuff, and it's going to obviously help you out a lot. I'm not trying to take away from those other solutions, but for a small business, having an email filter, having multiple good backups in place, and having some basic antivirus, you are set. Final other thing here, account access restrictions and device access restrictions. If you're in a very regulated industry, if you're dealing with sensitive data, if you're a mortgage broker, if you're a healthcare provider, if you're a law firm, if you're getting sensitive information from people, just set it up so that your account can only connect to a device that you give permission to. It can only connect to your MacBook or to your Lenovo computer or to your smartphone. It can't connect to anything else. Just make it way easier to do that. Set up account access restrictions. If you have an entry-level employee, do they really need access to your HR folder? Do they really need access to your finance folder? Do they really need access to these different things? As a business owner, does your account need full admin credentials to your Microsoft or to your Google platform? Or should you set up a secondary account called flowers at your company name, so it's not too suspicious? And then that is the full administrator account that you use. You don't want your day-to-day account to have full admin credentials. So in case your day-to-day account gets compromised, now whoever took control of that has full access to your entire platform. You want to have a different secure account that only gets used for administration. 
Again, it goes back to the accountability that we talked about in the beginning of the presentation, being able to audit who signed in from where, doing what. We want to be able to track all that stuff with these different restrictions. And then the final thing here, so everyone will be receiving copies of these policies and some other ones. The most important IT policies, I think, for small businesses are acceptable use. So what is acceptable use for your Jane account, for your Google account, for your Microsoft 365 account, for your work computer? Can your partner jump on your work computer and do some of their work or some of their studying on it? Can your kid use it? Because I've seen a kid using a producer's computer on an Apple production shut down an entire Apple production for three weeks because they were trying to play Roblox on it. I've seen somebody's partner using an admin account on a computer shut down an entire retail store. I've seen an accountant have their business get shut down; again, they recovered, but it got shut down because somebody was checking up on the Canucks roster several years ago on a work computer. What is acceptable use? What is not acceptable use? Access authorization, like we talked about: does HR need access to finance? Does finance need access to HR? Figure out who needs access to what, where, when. Do they need access to these different platforms, to this data, things like that. Bring your own device. If someone's telling you, I'm not using your work computer, or if you don't want to spend money on getting that personal work computer, can they watch adult video content on their home computer? Can they play games on it? Is it an admin account? Is it not an admin account? What rules are you gonna put in place so that your organization is protected? Especially if you're doing work with contractors, it's very important to have a basic minimum for bringing your own device. 
If you're a contractor, you have to have SentinelOne installed. End of story. Most people aren't going to object: oh, I get free antivirus with AI, it's not spying on me, it's just gonna work on my computer and keep my computer safe. Cool, that's fine. It's important to figure that stuff out and define it ahead of time. So when you do bring these new employees in, you can have these security standards in place. Things like business continuity. That means when your business crashes, something goes wrong, how are you gonna continue operating? Again, it goes back to your backups. Basically, again, what's your downtime tolerance? How frequently are you taking backups? If we're talking about your devices, and again, I spilled coffee on it, and it gets hit by ransomware, what's my business continuity plan for my laptop? What's my business continuity plan for my servers, for my network, for my cloud services, for my productivity app, for all the pieces of infrastructure in your business, your phone system, things like that? What are you gonna do to keep that stuff up and running when you sign into your Microsoft account and all of a sudden it says that your password doesn't work anymore and your clients are calling you saying they're getting weird emails? What's your business continuity plan? What are you gonna do to be able to get back online, get your emails going? Disaster recovery, very similar to business continuity. I won't waste too much time on it. Business continuity, more of an accident. Disaster recovery, more of a big problem. There's been a fire at the office. What are we doing? There's been a ransomware attack. What are we doing? Business continuity, disaster recovery are usually together. It's called the BCDR solution. And then security incident responses are usually the prerequisite to that. So you have a security incident response and then you have a business continuity plan linked right below that. 
Remote work, people want to work remotely. Can they use other computers? Can they use non-work computers to access their work accounts, et cetera? You want to go through one of our templates or a different template that you have access to and make sure you have a proper remote work policy in place. Staff onboarding and off-boarding. Okay, we just had a client go through this. They fired someone two years ago and they contacted them and they said, hey, I still have access to absolutely everything you guys are doing. Should I get rid of that? Because the work laptop that you gave me that you never collected is still syncing all your SharePoint files. And we got a call from this new client and that was the reason why they called us. They said, we just figured out we need a proactive IT department because we didn't have a proper off-boarding plan in place. And now we have this ex-employee who thankfully left in a very agreeable way, but they've been accessing and able to access all this sensitive data; the confidentiality of the data's out the window because we didn't have a proper off-boarding plan. If you off-board a staff member because they quit or because you fire them and you forget to turn off their phone system or you forget to remove their permissions to their Google Workspace stuff, you could have a potentially huge problem. Again, they could sell that data. They could leak it. They could mess with the integrity of it. They could do nothing with it. Again, we're talking about one in a million chances here of something going wrong, but it's still something to consider. So very important to have proper onboarding where you give people all the permissions and the platforms they need. You show them these policies. You get them set up with the proper training on their platforms, things like that. And then you have proper off-boarding policies in place to protect your organization. 
You also want to make sure you have a security incident response plan, like I talked about before. Okay, I received a phishing scam. What do I do? I typed in my password. What do I do? My computer has ransomware on it. What do I do? Do you have to notify your clients? Did your clients' data get leaked? You have to consider all these things and build a policy for it. Final thing here, not going to get into this. This is the big boy. This is everything that we recommend. This is most of the stuff we go over when we're looking at businesses that we manage. Again, if you want to get a screenshot of this, bring this up with your existing provider. That's great. If you feel like you're not getting this from your existing provider, we are giving away free consultations, so we can go through your organization, provide you with a report, let you know what you need, what you don't need, things like that. But this is pretty much everything we recommend. There's a little bit of stuff that's been left out, but this is about 95 percent of what an organization could use to stay secure, in my opinion. Again, not going to go through this individually. If you are taking security super seriously, you want to be proactive. This is what I would recommend again to protect your devices, your networks, your cloud services, your people, and to have proper backups in place. That about does it. Again, if you do want to set up a free complimentary cybersecurity consultation, or if you would like to do a free managed services consultation, feel free to scan the QR code and I'll help you out there. If anyone has any questions or concerns, we're coming up right to that hour mark, so I'm happy to stay late. Please do not feel inclined to stay late if you are busy, you have other appointments, things like that, running out of lunchtime. But if anyone does have any questions, feel free to throw them in the chat. 
I'll hang around for the next minute or so, killing time until people do throw their questions in. And if there are no questions, then that's fantastic. Really appreciate everyone taking the time today. Very, very happy to host everybody. I hope you find it valuable. I hope you learned a couple of things and I hope you learned some new strategies for your businesses. I hope you all have a great weekend. No problem at all, Chris. Chris says thank you very much, Jim, as well. Happy for the refresher on all things security. Luke saying thank you as well. So again, I hope you all have a great weekend. And again, we're always happy to help folks out if you ever have a quick tech question. So no problem at all, Kate. Thank you for coming in. I can see a couple other folks chatting away, but again, I hope you all have a great weekend. Thank you so much for attending the seminar and I will be sending out a recording of the seminar. You'll all be receiving a copy of the IT policies and we'll be sending that cheat sheet over as well. Judy, no problem at all that you're late. Happy you're here. I hope you found it valuable. And a shout out to the folks at the Kitsilano Business Group there. Make sure to hit up Judy and the Kitsilano Business Group. Steph Snow, fantastic question. Stephanie is asking about a good password manager. So I would highly recommend something called Bitwarden for one reason. And that is that Bitwarden allows you to self-host their solution. So you don't lump in with the masses. You don't go into their main general admission area where millions of people are using their platform that could and probably will be breached at some point. You can have your own private server that you can set up that gives you the same two-factor authentication, gives you all the password management stuff. You can share things with your staff. You can keep a private list for yourself. But I highly recommend Bitwarden. 
Another reason I recommend them is because they actually are very, very good at responding to people when there's an incident. A company like LastPass has taken several months to let people know whenever there's a problem. So if LastPass is compromised, LastPass took several months to respond to people. I think it was in December they got compromised. They sent out several security updates to clients immediately, as soon as they find out something's going on. That's the one there, Jim. Bitwarden.com. So I highly recommend Bitwarden as a password manager. They seem to have very high levels of communication. They seem to have a very high security standard. Again, they allow for self-hosting. So in case the general admission crowd gets compromised, you can have your own private server that's not going to get compromised. Again, that comes with its own costs and things like that, but if you do want to be completely secure, again, cat and mouse, but I would highly recommend Bitwarden. It's not gonna give you 100% security, but it's gonna be a lot better than things like Dashlane or LastPass, in my opinion. So thank you very much for that question, Steph. Judy, for sure, you'll get a copy of this recording over your email. You're also gonna get a little SharePoint link that's gonna give you access to all these different IT policies. You can copy and download those, and we're gonna send you some other resources as well. But Steph, thank you so much for that question. Judy, same to you. And again, thank you to everybody else that attended today. I hope you have a great weekend, and I'll cut it off here. Have a great day, everybody.

Umbrella IT Monthly Cyber Security Awareness...

All right. Good afternoon, everybody. Hello. Hello. Thank you all for taking your time today to join us. Really appreciate it. Really want to make sure that we're respectful of everybody's time today. So again, big thank you to everyone for attending right now. This meeting will be recorded. The chat is open. Your mics and your cameras are not just for privacy purposes, but feel free to post some questions in the chat throughout the seminar as things progress. And again, thank you all very much for attending today. Really appreciate it. So I'll just go ahead and jump right into it here. So my name is Jake from Umbrella IT services. We are a local managed IT services provider in the Greater Vancouver area. We provide IT management consulting and support services to small businesses, enterprises, government offices, and of course nonprofits in the Greater Vancouver and the Calgary area. We do support both British Columbia and Alberta based clients. So I've been doing seminars like this for about six, seven years now. I've trained thousands of different employees across the private sector. I've trained thousands of people across the government and public sector, and I've worked with dozens of nonprofits. So again, I hope you do find this valuable. The topic of today's seminar, as you can see, is cybersecurity awareness. So the goal of today's presentation is to make sure that you're aware of how to protect yourself personally and professionally. Your team will also be able to protect themselves personally and professionally after watching this, and I want to provide you all with a couple of resources that you can implement in your organizations once the seminar is done to prevent any sort of malicious activity or actors for being able to affect your organization. So I'll just go ahead and dive into it here. So first thing I need to go over with everyone is this disclaimer. So this seminar is for informational and educational purposes only. 
Just because you're here today does not mean that I am now your IT advisor. We do not have a built-in relationship and I just need to make that very, very clear. We do not accept any responsibility in case some of the information in here today is outdated or wrong or anything like that. We don't have any liability related to your organization or any sort of loss or damage that's incurred if you do implement this stuff. And we do mention a couple of different platforms and solutions here. I am not sponsored by these. I am not sponsoring them. I'm not endorsing these products. I'm just making sure you guys are aware what's out there and what's available to you and your team. Again, that's our main purpose. The same way my accountant wants me to take pictures of all of my receipts and I take pictures of probably 80 percent of them. I'm going to provide you all with a ton of information today, and if you can implement 80 percent of it, everyone's going to be very happy. Again, make sure that you're exercising your own judgment when all I'm providing this education and information to you. Please consult with any existing IT providers, any other professionals, lawyers, anything like that in your organization, people that you trust before you start to implement this stuff. Just again, make sure that's best practice for everybody, and please don't forget, cybersecurity is a shared responsibility, and let's all stay informed and stay secure. We'll get the fun stuff out of the way with the first slide here. The very first thing that we're going to be talking about is statistics. We're going to front-load this stuff so that we can focus on the practical information later. I just want to make sure everyone is aware what is actually happening around us. These are statistical facts. This is not anecdotal evidence. This is not, well, I've never been hacked, no one I know has been hacked, or everyone I know has been hacked, or several of my friends have been hacked.
This is statistical evidence from 2022 and 2023 that we're going to be talking about in review across the presentation, just to make sure again that everyone is up to date. Couple of things I want to highlight for everybody as we jump into this here, is that 63 percent of cyberattacks in 2022 were caused by insider negligence. I always like to highlight the word negligence here because the negligence is very different from an accident. Negligence is knowing that you should be doing something, neglecting to do it, and then facing the consequences of that action. Very important to keep in mind that basically two-thirds of cyberattacks in 2022 were caused by negligence. The average cost to an organization with 500 employees or less is $7.68 million. Personally, as the president and founder of Umbrella IT, I don't have $8 million in a drawer laying around. If that's my average cost, I can't imagine the 49 percent of costs that were higher than this, but I think it's going to be $7.68 million, but I would personally be devastated if I were to face a $7.68 million ransom, or if I had to pay that amount in legal fees, or if I were to lose that in reputational damage or many other ways that I could face those costs. So very important to keep in mind that that is caused by negligence. 60% of organizations shut down permanently within six months of a breach. The reason for this again is financial repercussions, but also four to six weeks of downtime is the average recovery time it takes when an organization is hit by ransomware. So again, if I had to shut down my operations for four to six weeks, I would most likely be okay, but I know a lot of small, medium businesses would not be able to survive no income, paying expenses, paying fees to rebuild their business, things like that, while shutting down for four to six weeks. So that contributes quite a bit to the 60% of organizations shutting down number here.
Another number I really wanna highlight here is 60 percent of organizations believe that they're unlikely to be attacked. If you're here today, you're being cautious, you're being concerned about cybersecurity, you're not in this 60 percent, which is great. But there are a lot of people that don't think that they're going to be a target. Those are the people that are targeted. Those are the people that are, again, being negligent and those are the people that face the consequences. When it comes to small businesses, they are 350 percent more likely to be targeted than enterprises. This is because the malicious actors of the world understand that we are all understaffed, overworked, things like that. We're stretched very thin as small business owners. We do not have a $100,000 a year budget for an IT security personnel. We don't do regular cybersecurity training. We can't afford those fancy tools that those enterprises like Walmart and these other places can afford. It's very important to keep in mind that they are 350 percent more likely to go after small businesses than enterprises. While we do have incidents with organizations like London Drugs allegedly being compromised by cyber attack, I hear dozens and dozens and dozens of stories every single week from small businesses being targeted. But we very, very rarely hear about Air Canada, London Drugs, Sony, these other large enterprises that do get hacked and it does happen to these large enterprises. But it's much more common to hear about a school supply company or a small accounting firm or things like this getting targeted and taken down. Keep that in mind that if you are a small business, you are 350 percent more likely to be targeted by these attacks. Another concerning statistic I thought everyone should know about is that 53 percent of employees can properly define phishing. In my experience, anecdotally, it's significantly less than this when I provide these seminars. But again, it's anecdotal.
Statistically speaking, according to TechTarget here, only 53 percent of employees can correctly define phishing. A final thing that I want to bring up is that in 2024, there has been a, according to Stats Can, Statistics Canada, there has been a 41% increase in identity theft in 2024. So keep that in mind, that affects people personally and professionally. As we'll notice up here, the attack vectors that are used against small and medium organizations is essentially phishing. Phishing is bigger than all these other ones put together just about, others up here as well, but we'll ignore that for now. But phishing is the number one way that these malicious actors are going after your organization. Phishing is when I impersonate a trusted source to collect sensitive information or to install malicious software. So again, I'm going to impersonate a Shaw technician, I'm going to impersonate a family member or a friend or a coworker or a client, and I'm going to collect sensitive information or I'm going to distribute malicious software. I'm gonna repeat that a lot over the seminar here, but that is the number one attack vector being used. Another thing here, this is a very nice chart if this is the S&P 500 or your stock portfolio, and unfortunately that is not what this is. This is a 4900% increase in cyber attacks against small businesses from 2017 to 2022, and this number has done nothing but go up since 2022. 2023, this number has gone up 91%, which is very alarming. So again, we're facing technically a 9800% increase. It's a little bit lower than that, but I'm not going to try and do math live, so let's just call it 9800% increase from 2017 to 2023. So keep that in mind. This is ever-growing. Tools like AI have allowed these people to target more people in a more high-quality fashion, much more quickly. So we'll go ahead and move away from all the fun stuff. We've made it through. Now we can focus on the practical information for you and your organization.
So I want to focus on the four main components of cybersecurity. When people ask me things like, is my QuickBooks data secure? Is my network secure? Is my server secure? And I ask them, what do they mean by secure? People don't really know. They just mean, can I make sure my stuff is private? Can I make sure that it's not going to be messed with by someone? Can I make sure it's always going to be available and I'm not going to get taken down by ransomware? Can I make sure that when Susie or Steve accidentally deletes all of my files or they move something somewhere it shouldn't, I can figure out what happened. And those are the main components of defining cybersecurity. So for example, I'll go back to the QuickBooks database file here, a Sage file. We could talk about a server with files on it, things like that. We could talk about, again, a workstation, anything. We'll specifically talk about a computer, a server that's running QuickBooks database file. So the first thing that we want to be concerned about is confidentiality. Can people access this QuickBooks information that should not be able to... taxes as QuickBooks information. That could be an employee, that could be a malicious actor, that could be a family member, that could be a child, that could be anybody. So the first thing we wanna define is confidentiality. We want to make sure that the confidential information remains confidential. The next thing that we wanna focus on is the integrity of that data. So if I go into your QuickBooks file and I remove all of your expenses, or I say that you've paid taxes that you haven't, or I start to mess around with the integrity of that QuickBooks data file, it's basically worse than useless, it becomes damaging. So again, we wanna make sure that the data has not been modified, it's not being deleted, it's not being corrupted, and the integrity of the files that we're working with is also protected as part of our cybersecurity strategy.
The next thing we wanna focus on is availability. Very, very important that when you're going into a meeting at 3 p.m. and you're about to open up that file, or you're about to bring up that estimate, or that proposal, or whatever it is you're gonna show your client, or your co-workers, that that file is actually available to you. If Microsoft is down because they were hacked, or if your network is down because it experienced a hardware failure, or if your computer is down because of ransomware or some other problem, that is just as much of an issue as, again, the file no longer being confidential and the integrity of the file being compromised. We want to make sure you have 24-hour uptime using things like business continuity strategies and disaster recovery solutions. We're going to talk about those a little bit more later, but we want to have things in place to make sure your data is available when you need it. The other thing we want to focus on is accountability. So we want to make sure we have strict permission sets in place and logging solutions so we can see who did what, when, where, how. So again, if the QuickBooks file's confidentiality is compromised and a malicious actor gets access to the file, they compromise the integrity of it, and they delete the file, or they move the file, or they do something to it where it's no longer available, we need to have tools in place so that we can go in, we can see what account was used to access the QuickBooks file, what changes they made to the QuickBooks file, when they made them, how they made them, and then we know what we need to do to reverse the damage that was done by that malicious actor or by that person that accidentally, again, just did something that they didn't think they were supposed to do and accidentally caused the damage. So we want to make sure we have these four types of systems in place, and then we can actually confidently call something secure. I hope that makes sense to everybody.
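The integrity and accountability points above (a known-good copy of the file, a permission set, and a log that says who did what, when) can be turned into a small concrete check. The Python below is an added example written for this page; it is not code from Umbrella IT or from the seminar, and it assumes a hypothetical file-server audit log format of one line per access (`<timestamp> user=<account> action=<READ|WRITE|DELETE|MOVE> path=<file> [sha256=<digest>]`). The log lines, account names and digests in it are constructed for the example.

```python
"""Accountability and integrity check over a constructed file-server audit log.

Added example (not from the seminar). Assumed log format, one event per line:
    <ISO timestamp> user=<account> action=<READ|WRITE|DELETE|MOVE> path=<file> [sha256=<digest>]
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class AuditEvent:
    timestamp: str
    user: str
    action: str
    path: str
    sha256: Optional[str] = None  # digest recorded by the server after the access, if any

# Constructed sample log: the bookkeeper reads the accounting file, then an
# account that is not on the permission set overwrites it and moves it away.
# Account names and digests are made up for the example.
SAMPLE_LOG = """\
2024-05-10T09:02:11Z user=sally action=READ path=/accounting/company.qbw sha256=aaa111
2024-05-10T11:47:05Z user=svc-backup action=WRITE path=/accounting/company.qbw sha256=bbb222
2024-05-10T11:48:30Z user=svc-backup action=MOVE path=/accounting/company.qbw
2024-05-10T13:05:00Z user=steve action=READ path=/accounting/reports.pdf sha256=ccc333
"""

# Actions that can change a file's integrity (WRITE) or availability (DELETE, MOVE).
MODIFYING_ACTIONS = {"WRITE", "DELETE", "MOVE"}

def parse_audit_log(text: str) -> List[AuditEvent]:
    """Parse the assumed key=value audit format into AuditEvent records."""
    events: List[AuditEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        timestamp, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        events.append(AuditEvent(timestamp, kv["user"], kv["action"], kv["path"], kv.get("sha256")))
    return events

def who_changed(events: List[AuditEvent], path: str) -> List[Tuple[str, str, str]]:
    """Answer 'who did what, when' for one file: every event that altered it."""
    return [(e.timestamp, e.user, e.action)
            for e in events if e.path == path and e.action in MODIFYING_ACTIONS]

def unexpected_users(events: List[AuditEvent], path: str, allowed: Set[str]) -> Set[str]:
    """Accounts that touched the file but are outside its permission set."""
    return {e.user for e in events if e.path == path and e.user not in allowed}

def integrity_intact(events: List[AuditEvent], path: str, known_good_sha256: str) -> bool:
    """True if the latest digest the server recorded for the file still matches the known-good one."""
    last_digest = None
    for e in events:
        if e.path == path and e.sha256:
            last_digest = e.sha256
    return last_digest == known_good_sha256

def sha256_of(data: bytes) -> str:
    """Digest of a file's bytes; compare against the digest taken when the file was known to be good."""
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_LOG)
    target = "/accounting/company.qbw"
    print("changes:", who_changed(events, target))
    print("outside permission set:", unexpected_users(events, target, {"sally", "steve"}))
    print("integrity intact:", integrity_intact(events, target, "aaa111"))
```

Run on the constructed log, the report shows that `svc-backup` wrote and then moved `company.qbw` at 11:47 and 11:48, that this account is outside the bookkeeping permission set, and that the last recorded digest no longer matches the known-good one, which is exactly the information needed to decide what to reverse and from which backup.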
If you do have any questions before I move from slide to slide, feel free to pop into the chat and just ask a clarifying question, and I will be happy to answer that. Just to move on here for targeted industries, I want to make sure people know what the top 10 targeted industries of 2024 are so far. In order from left to right, industrial goods and services is the number one targeted sector so far of 2024, which is quite interesting. Lots of farms, lots of heavy-duty machinery, lots of production commodities, things like that. Next up would be technology companies, then construction, travel and leisure, healthcare, education, government, legal services, food and beverage, and consulting. Notice this is pretty much every type of sector. Obviously, there's a few missing, but it is a very wide net of sectors that are being targeted right now, and it's important that every kind of sector considers a cybersecurity strategy for their infrastructure, their data, and their team, regardless of the industry you're in. Just because you're running a bar doesn't mean that you're any less of a target than, say, a law firm or a government office. Keep that in mind. Next thing I want to go over with everybody is the liabilities and consequences that your organization may face if you do face any of these types of security breaches. So a lot of people just worry about data loss. They worry about downtime. And that's about it. They say, I don't want to get hacked. I can't afford to pay a ransom. I can't afford to do all this work twice. I can't afford to do things like that. And that's kind of where they leave it. But if you think about it, for example, if somebody were to break into my email account and start emailing my clients more malicious files, so let's say someone breaks into my email, and they email my clients an updated invoice at the end of the month. Or they say, hey, everyone, I got new security software. You need to install this file on your computer right now.
And they go through my email, and they see I was emailing this person, and I was emailing that person. And they organically respond to the people that I'm communicating with. And they organically insert, again, this malicious software into the email threads. Maybe I'm going to start being subject to legal and regulatory fines for being negligent. Maybe those people aren't going to trust me when I send them emails in the future. Maybe people are going to start talking about how their ITI spread malicious software and infected their computers and got their emails hacked and had their business get shut down for a long time. Maybe that's going to result in a little bit more financial losses for me than just the fact that I have to pay ransom now. Again, maybe I just lose my data, which is by itself devastating. If you're an accounting firm and you get hacked in the middle of April, you're going to have to redo all your tax season work. No one wants to do that. That's going to be absolutely devastating. The cost of downtime, again, being shut down for four to six weeks is just obviously not ideal either. Data corruption is something that can happen as well. Somebody can break into your systems and then cause some issues for you later down the road. And again, vendor and partner disputes. If you're a personal injury law firm and an MRI clinic that you're working with sends you compromised information, you're going to run into some serious problems legally here. If you're infecting clients, taking health data, taking social insurance numbers, if you're a mortgage broker handling information like this. Again, these are very, very sensitive pieces of data that people just email back and forth every day, and it's absolutely critical that we all avoid being negligent in protecting the sensitive information.
We also have to be conscious of restoration costs, again, how much is it going to cost to rebuild your server, get all your files recovered, set your computers back up, get things up and running again, make sure that the malicious software and the malicious things inside of your network have been cleaned out and you're not going to get hit by this a second time. And also again, when you go to renew your cyber insurance with easily or another provider, that number is going to go way up if you've been targeted by a cyber attack. Andrea is asking for an example of a social engineering attack. We're going to get into that in about two slides. So I'll give you that information as soon as I can, Andrea. Great question. Thank you very much. And we're going to get to that in about five minutes here. So some unique threats that small businesses face. Again, I want to make this very clear that these are unique threats that small businesses are going to face. would be negligence is the number one here for your people. These are the things that you have to be worried about with yourself and with your staff. I've seen C-level executives. I've seen founders. I've seen presidents. I've seen everyone fall for phishing scams. I've seen staff. I've seen people in the mail room fall for staff. So it doesn't matter if you're the VP or if you're just an entry-level person, everyone needs to do their part. Everyone needs to pay attention. Everybody needs to be diligent when it comes to this kind of stuff. So negligence is the number one threat. You can have disgruntled employees. You can have people that are working for your company that don't know that their kid is using their work computer to play Roblox. I've seen that shut down a movie studio for six weeks. I've seen someone's partner using their computer for school that's supposed to be used for work, take down retail stores for three weeks. I've seen all sorts of stuff happen over the last 11 years.
And again, insider threats doesn't necessarily mean someone malicious. It just means someone being negligent. Again, they know that they shouldn't have their kid using the work computer and they know that it's not a machine to play Roblox on. And the kid thinks they're just downloading an extension to the game. They download some malicious software. It infects a Dropbox file, it syncs everywhere. And then away you go. Lack of policies and training is a huge threat to small businesses. So I'm glad to see everyone here today to kind of fill those gaps. Same thing with a lack of skilled IT security personnel. Again, we don't all have 80 to 120,000 a year to pay for a security person to work inside of our business. Low security awareness, weak passwords, and of course, reputational damage are some of the risks that face small businesses. For your devices, you can have software or hardware failure. You can have exploits. So again, if you're not updating your Google Chrome, for example, Google found out, I believe three months ago that their versions of Google Chrome that had not been updated were susceptible to bot attacks. So again, a computer can just detect that you're running an older version of Chrome and inject malicious code into your computer. So make sure your stuff stays updated there. Again, viruses or ransomware, everyone's familiar with those. You can have security or data breaches. Your device can be lost or stolen. People can actually access your device. You might just have a hardware failure where you lose data, but there's a million different ways you could lose data on your device. And of course, SIM swapping. So again, TELUS, Rogers, Bell. It's very easy to call them, have them send over a SIM card, and all of a sudden your phone loses service and people can take advantage of your two-factor authentication passwords. But again, I don't want to get too technical or off topic here.
For your networks, you can have passive or active network threats. People can just hack into your network and watch what's going on. People can actually shut down your network. You can have people intercept your traffic. It's called a man in the middle attack. If you think you're sending data to and from Shaw, it could have somebody in the middle that's intercepting that data or in between you and Telus collecting it, things like that. And then again, you can just have failures. You can have the inability to function. Again, that availability thing that we talked about. And then for your cloud services, if you're going to be centralizing all of your data inside of Google Workspace, inside of Microsoft 365, inside of an automation tool like Jobber, or like Service Fusion, or like EasyLaw, any of these cloud-based platforms for your specific profession, it's very important to keep in mind that you've now centralized all this critical data somewhere. You also have to be wary of security and data breaches. Again, someone could break into your Microsoft account, and then what do they get access to? They get access to your emails, your files, your calendars, your to-do lists, your everything. So it's very important to keep that protected, your contact lists, et cetera. Denial of service. Again, someone can take down Google. They can take down Microsoft. Very important to keep that in mind. You can have data loss in there. People can delete things by accident. Google accidentally deleted, I think it was a government office last week, and then they were deleting Google Drive files for people by accident, I believe in November of last year. They were deleting thousands and thousands of gigabytes of private information by accident. So again, just because it's in the cloud doesn't mean it's backed up. It means that you're building your house on someone else's lawn, and you're trusting that they are going to take care of your data.
So we're gonna talk about that a little bit later as well. People can also give non-secure applications access to their cloud services. So for example, if you sign into a service like Grammarly with your Microsoft 365 account, you're going to be giving Grammarly access to, and request this, your calendars, your files, all these other sort of pieces of information in your Microsoft account. So if Grammarly would ever be compromised, that could potentially put your Microsoft information at risk, et cetera. Moving along here, just to answer Andrea's question, there are several different types of social engineering attacks that your business can face. So 98% of cyber attacks in 2023 are leveraging cyber. Social engineering is when someone hacks you instead of the technology that you're using. So it's much easier for me to hack a human being to engineer someone socially than it is for me to get past the encryption standards that Google has put in place with Google Drive. It's a lot easier for me to manipulate somebody than, again, impersonate a trusted source or get them to install malicious software than it is for me to brute force the encryption being produced by 20,000 Google engineers. So the main thing we're going to focus on today are these five types of social engineering methods, the first of which is a phishing scam. I'm sure most people have seen a phishing scam at some point in your career. So essentially, a phishing scam is a piece of fraudulent communication that's using email, text, phone, or web to impersonate a trusted source, spark an emotional response, including a call to action to fix whatever problem is giving you that emotional response. Again, they want you to install malicious software or collect information. We will be giving some specific examples of a phishing scam in the next slide, but that's the brief definition.
A quick example would be, you get an e-mail from Microsoft, your password is about to be reset, you're about to lose access to your account unless you click the button here, then you can reset the password yourself instead of having it get automatically reset, and then, again, statistically, people just reset it to their old password with an extra number at the end of it, and then those people will use the password that you gave them to get access to your other online accounts that they've gathered. Baiting is another one. This is a lot less common these days. This was very popular in the early 2000s. This is, you are the millionth visitor to this website. You've won a million dollars. All you have to do is click on the link, or you just got an Amazon gift card. You've won $100. All you have to do is click on this e-mail, and now you're gonna be able to get access to your $100 gift card. So, again, they're offering you a prize. They're baiting you. They wanna give you something digital, something physical, and once you click on that, once you engage with it, once you give them your credit card, once you type in your address, once you click on the link, it's going to, again, try to collect sensitive information from you, or it's going to try to install malicious software. Quid pro quo is something that is not so common anymore from my anecdotal experience. This could still be happening quite frequently, but this is where Microsoft calls one of your older relatives, and they offer to get that virus that they didn't know about off of their computer. All they have to do is give them their credit card information, and give them remote access to the computer, and then this Microsoft representative can jump in and start working on their computer for them. This was a very common scam, probably about four or five years ago, especially during the height of COVID. People were jumping in to older folks' computers.
They were then installing spyware, and they were not doing anything. They were just clicking around on the computer a lot, charging them $200 on a visa, committing credit card theft, and leaving the spyware on the computer. So again, it's usually when someone is exchanging services for critical data, or again, sensitive data, or again, the ability to install malicious software. And they're usually going to be impersonating a trusted source or a technical expert, which kind of relates to pre-texting. I'll skip over piggybacking for now and get into pre-texting. So pre-texting is very similar to quid pro quo, but instead of providing a service, they're mostly focused on impersonating somebody. So again, it could be a TELUS technician. It could be a Shaw technician. They could be impersonating your lawyer. They could be impersonating your accountant, your spouse, again, family, friends, whoever. They're going to impersonate a Shaw technician. They're going to give you a phone call and say, hey, this is TELUS. This is Shaw. We've got a brand new offer for you. I just need to verify your address. I just need to verify again, whatever information they want to collect from you. It could be a credit card, could be an address, could be a contact, things like that. So they're going to impersonate a trusted source, create a fabricated scenario, try to manipulate you into, again, giving them a sense of information or giving you links that you need to click on so that you will install that malicious software. And the final one, which is an in real life phishing technique, I've actually seen this happen two or three times, is called piggybacking. So piggybacking is when someone is running behind you in the office, you've never seen them before, and they say, hold the door, you let them into your building, when there's supposed to be a file of access, things like that. And again, they're going to impersonate a trusted source.
So in my experience, I've seen fake Shaw technicians, so people will get a Shaw polo. They went into a law firm that we manage. This was a corporate law office, and they were impersonating a Shaw technician while I was working, it's probably several years ago at this point, and they wanted access to the server room. And they had a little USB stick that they wanted to plug in. So I was already on site. They notified me Shaw was there. I spoke to them for a couple of seconds, and they said they forgot something in their car and they had to leave, and then they never came back. And I had a very weird feeling about that person. And I later found out that this was quite a common scam is people would want to get access to a network room. They would install some hardware that would collect stuff. Sometimes they were just stealing hardware out of the office, but what they were doing was they were impersonating a trusted source. It could be, oh, I'm so-and-so's partner. I'm a TELUS technician. I'm a plumber. I'm your lawyer. I'm whoever. And again, they're trying to get physical access to your systems. Again, it could be someone impersonating a cleaning lady that wants to plug in a USB stick that's gonna let them wipe your computer's password and view your system's information. This is very uncommon in my experience, but I have seen it twice in 11 years. Moving on to the phishing scams. Again, I really want to highlight phishing scams in particular here, so these are the four most common types of phishing scams that I've seen. And I'm gonna go over how these relate to each other very quickly. So phishing scams, the first one is called a deceptive phishing scam. And I kind of liken this to a shotgun blast. What these people do is they will target a group of people. It could be a million people online that were hacked because they had an AOL email. The hackers got AOL emails, and now they're gonna send out a big blast to all those AOL emails.
It could be that they're targeting the company that you work for, and they're gonna email everyone inside of the company, and they wanna see who the weak links in the organization are. So what they're doing is they're targeting a group of people. They're impersonating a trusted source with fraudulent communications. And again, they're trying to install malicious software or collect information. So what they'll do is they'll email your entire business. They'll hit 20 people with that email, and then two people will just say, Sally and Steve will fall for that email. And now the hackers know who to target, so they'll move on to the next phase. And these four things aren't necessarily linked. They don't usually happen in order. I'm just giving you an example to keep the examples linked and moving together here. But the next thing that they would start to do is start spear phishing. So now they understand that Steve and Sally have fallen for this initial scam. They clicked the Reset Password button. They downloaded the file. They opened the email, whatever metric these malicious actors are using, they've fallen for it. So now what they're gonna do is they're gonna go online and they're going to start highly specific targeting of Sally and Steve. They're gonna look at their Instagrams. They're gonna look at their LinkedIn. They're gonna email them and see if they have a holiday responder. They're going to start digging up dirt on these people. One of our partners is a cybersecurity firm. They've told me that this has gone so far that they've actually seen people look up where people's kids go to school. And they've called schools about whether the kids are in there or not. They've seen fake RCMP officers show up at people's door collecting information. This happened in West Vancouver. So again, there's really no limits to how targeted this will go. Again, maybe you're someone in the financial industry. 
You've got a very sensitive client that people might be interested in. They will go after you. They will go after your kids to get access to the computer that you use that manages that person's information. Again, they will do as much digging as they need to do on social media and on the internet. And then they will target this person. So again, proactive data collection, highly specific targeting. Again, they're gonna impersonate a trusted source. Again, they're gonna use fraudulent communications to compromise that data and to install malicious software. So again, instead of just a general Microsoft password reset, now they're gonna say, hey, this is your child. I am locked out of the house. I need you to do this. Or hey, this is your employee. I need you to reset this password. Hey, this is your boss. I need you to buy a gift card, things like that. They're gonna get, again, whatever they... Their desired end result is they're going to start targeting this person leveraging the sensitive information they've already been collecting either maliciously or through services like LinkedIn, Instagram, TikTok, things like that. So now they're going to be using the next level of social engineering. They're going to have sensitive information or private information that the public generally doesn't know about that they can then leverage to get closer to you. The final thing here would be whaling. So this would be when you go after the big fish inside of an organization. So again, someone that's a president, someone that's a CEO, someone that's a founder, someone that's an operations manager, a bookkeeper, an accountant, an accounts payable, things like that. Someone that holds the keys to the kingdom. It could be, again, sensitive information. It could be monetary. It could be legal. Anyone that has some levers of power related to the confidentiality, integrity, and availability of the systems in the business.
So whaling is when they target the big fish inside of the organization. The next thing here would be vishing and smishing. I'm sure everyone here has received a vishing threat. This is simply a text message and smishing. Sorry, smishing is a text message, vishing is a phone call impersonating someone. With AI, the vishing, the phone calls have gotten out of hand. I've had five clients over the last year tell me that they've gotten calls from people where they were not the person they thought they were talking to. There was someone using some form of AI voice masking, or it sounded like the person they were talking to. So very important to keep in mind to not be handing over sensitive information or taking direct orders like payments and things like that without a second layer of verification, which is crazy to think about nowadays. That's why we have these policies for you all at the end of the presentation. Final thing here before we get into some examples and start wrapping up, it'll be the deceptive phishing attacks. Number 1, they're going to impersonate these six main methods to try and get you to give them sensitive information or to download that malicious software. What they want to do is impersonate official communication. Again, we have a new payroll system. All you have to do is give me your blank check, give me your social insurance number, and you're going to get paid on Friday. No worries. Shipment notification. Everyone's gotten these, I'm sure. You get that text message or that email from UPS, FedEx, Canada Post, your package was delayed. We can't deliver it unless you put a deposit down. You owe us a balance on a shipment that was recently delivered. Here's the tracking information, all these things. They're going to get you to click on those links, give them your credit card, give them your address, things like that. Non-profit requests is for the scum of the earth, the lowest of the low in my opinion. They will breach a non-profit.
They will get the list of everyone that donated to a specific event or a specific charity, and then they will reach out to those people saying, hey, we're doing another fundraiser. Would you like to donate to this nonprofit again? Then people will give their credit card information to these scammers, usually taking money again out of sick children's mouths or other nonprofit organizations with specific missions. Again, it's the lowest of the low in my opinion. Application notifications. Again, we get these all the time. Your Microsoft account password needs to be reset. Access to your PayPal account has been revoked. Your bank account has had suspicious activity. All you need to do is click on the link, sign in and everything's going to be okay. That's what those usually look like. Again, important announcements. This could be we've got a COVID outbreak in the office. It could be anything related to your organization again. And again, it's usually something that's laced with urgency and it's implying serious consequences. They really want you to get that initial cortisol rush. And then they want you to click on the button. It's going to make all your problems go away. So we'll go ahead and give you guys some examples here. So in this situation, this is a fake email. This one is the application notification. So this is that the password to Jake at Umbrella has expired today and action is required. So some basic psychology they're using here, lots of red, lots of exclamation points, priority high. And then I've got that blue calming, it's gonna solve all my problems button right here. It's very similar to those '90s commercials where it would be the pain medication. And you would see the person who's covered in red pain, they would take the pain medication and all of a sudden they would turn blue and they wouldn't be dragged down by their pain anymore, it would just go away. So that's what they're doing here. Red problem, blue solution.
And usually these social engineering threats are confined. They are one shot. They are problem solution. They want you to immediately get that, my password is gonna expire. And once your password expires, then you go in, you click on keep password. And then they're gonna again, collect that sensitive information from wherever that link leads to, or this link might try to install malicious software there. Yap has a great question. I'm gonna answer that during the Q&A at the end here. We're just gonna get through the rest of this. So looking at the spear phishing side of things again, this is somebody who is now targeting Gareth. They understand that Jane is in charge of Gareth. That's a manager employee relationship. And what they're doing here is a combination of spear phishing and whaling. So Jane has been hacked or Jane is being impersonated and they are emailing Gareth and they're just saying, hey, are you at your desk? I need you to process an urgent wire transfer. Please get back to me ASAP. So again, this is something where Gareth might just email Jane back and say, hey, then you heard you needed me to send a wire transfer. Where am I sending it? Who am I sending it to? And again, I see people all the time. I'm too smart for this. I'm not going to fall for this. This is like old news that I fell for this 10 years ago when it was an iTunes gift card. I'm not going to fall for this. We've had two clients send out a total new client now of $80,000 in the last three months because of a hack like this. So they received an email from a vendor that was hacked. They then received a phone call powered by AI. Hey, just making sure you got the information that the new invoice that we sent you is being sent to a different account. Want to make sure you got that information. $40,000 is a lot of money. Yeah, click. And then they send the money off a month and a half later. The actual company calls them. Why haven't you paid the invoice yet? What's going on?
Well, we sent the money. No, you didn't. All these kinds of things. And then you find out that company has been hacked for three months. And then every once in a while, their emails that come in get deleted. They get responded to by the hacker. They delete that email, and they're directing their accounts payable somewhere else. There's so many examples, different types of methods of attack here, but the main thing to focus on again, is that these people are going to get this information that's available online through your holiday responder, through your LinkedIn, through your Instagram, things like that, and they're going to target other people in your organization, in your family, in your friend group with, again, to get a means to an end. This is my favorite example here. This is one of our clients. What ended up happening here is a law firm is working with an MRI clinic. The law firm sent an e-mail off to the MRI clinic and they said, hey, this file hasn't settled yet, we're going to pay you once the file settles. The MRI clinic was compromised and the law firm had no idea, and the MRI clinic said, hey, you need to take a look at this and tell me what you think. I feel like your calculations are wrong. Tell me if we need to redo this. Again, they're talking about paying a bill. The MRI clinic is already hacked by somebody, and now the hacked e-mail account is responding to them. Everyone would click on this. If I sent an e-mail off to one of my clients two days after an e-mail was sent out, and I say, hey, sorry, I sent you the wrong copy of the invoice, here's the right one, click here. Or if they e-mail me back and they say, hey, Jake, appreciate the invoice, I think you guys messed up this month, there's some labor that shouldn't be there. Can you check it out for me with the link? I'll probably click on that as well.
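The lures walked through above (the red-and-blue password-expiry notice, the "are you at your desk, I need a wire transfer" message, the vendor whose bank details changed, the cancelled-subscription text) share a handful of tells: urgency language, a request for money or credentials, a reply-to address that does not match the sender, and links to lookalike domains. The script below turns those tells into a simple scorer and runs it over four constructed messages. It is an added example, not Umbrella IT's tooling or anything shown in the seminar; the senders, domains and message text are made up for illustration, and the brand list and keyword lists are deliberately short.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse

# Phrases that manufacture the "cortisol rush": urgency and threatened consequences.
URGENCY_WORDS = ("urgent", "asap", "immediately", "action required",
                 "expire", "suspended", "revoked", "cancel")
# What the scammer is ultimately after: a payment or a credential.
ASK_WORDS = ("wire transfer", "gift card", "bank account", "invoice",
             "deposit", "credit card", "payroll", "password")
# Brands commonly impersonated in application and shipment notifications.
BRANDS = ("microsoft", "paypal", "netflix", "fedex")


@dataclass
class Message:
    """Minimal view of an e-mail or text message (constructed for this example)."""
    sender: str
    reply_to: str
    subject: str
    body: str
    links: list[str] = field(default_factory=list)
    priority_high: bool = False


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_lookalike(host: str) -> bool:
    """A brand name inside a hostname whose registrable domain is not brand.com."""
    host = host.lower()
    registrable = ".".join(host.split(".")[-2:])
    return any(b in host and registrable != f"{b}.com" for b in BRANDS)


def score_message(msg: Message) -> tuple[int, list[str]]:
    """Return (score, reasons); every independent indicator adds one point."""
    text = f"{msg.subject}\n{msg.body}".lower()
    reasons: list[str] = []
    if any(w in text for w in URGENCY_WORDS):
        reasons.append("urgency language or threatened consequences")
    if any(w in text for w in ASK_WORDS):
        reasons.append("asks for money or credentials")
    if msg.priority_high:
        reasons.append("high-priority flag set by sender")
    if domain_of(msg.reply_to) != domain_of(msg.sender):
        reasons.append("reply-to domain differs from sender domain")
    external_seen = False
    for link in msg.links:
        host = (urlparse(link).hostname or "").lower()
        if is_lookalike(host):
            reasons.append(f"lookalike domain in link: {host}")
        elif host and host != domain_of(msg.sender) and not external_seen:
            reasons.append(f"link points outside sender domain: {host}")
            external_seen = True
    return len(reasons), reasons


def is_suspicious(msg: Message, threshold: int = 3) -> bool:
    """Three or more independent tells is the constructed cut-off used here."""
    return score_message(msg)[0] >= threshold


# Constructed samples mirroring the seminar's examples (all names/domains invented).
SAMPLES = {
    "password_lure": Message(
        sender="it-support@m365-notice.example",
        reply_to="it-support@m365-notice.example",
        subject="Password expiry notice - ACTION REQUIRED",
        body="Your Microsoft 365 password expires today. Keep your current password below.",
        links=["https://microsoft-login-secure.com/keep"],
        priority_high=True),
    "wire_request": Message(
        sender="jane@example-law.ca",
        reply_to="jane.ceo.office@gmail.com",
        subject="Are you at your desk?",
        body="I need you to process an urgent wire transfer for me. Please get back to me ASAP."),
    "subscription_lure": Message(
        sender="alerts@netflix-billing.net",
        reply_to="alerts@netflix-billing.net",
        subject="Subscription canceled",
        body="Your premium subscription has been canceled. Update your credit card at the link.",
        links=["https://netflix-billing.net/renew"]),
    "benign": Message(
        sender="jane@example-law.ca",
        reply_to="jane@example-law.ca",
        subject="Lunch on Friday",
        body="Team lunch is at noon on Friday, see the calendar invite.",
        links=["https://example-law.ca/calendar"]),
}

if __name__ == "__main__":
    for name, m in SAMPLES.items():
        score, why = score_message(m)
        print(f"{name:18} score={score} suspicious={is_suspicious(m)} {why}")
```

A scorer like this is a teaching aid, not a replacement for the mail filters discussed later in the seminar: it reads only the visible text and link hosts, so a compromised vendor mailbox sending a clean-looking invoice from its real domain scores low, which is exactly why the speaker pairs filters with a second channel of verification for payment changes.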
That's why it's very important to have specific tools in place that we're going to talk about later that will protect you from these malicious links, these malicious attachments, these compromised e-mail servers, all sorts of different threats. What ended up happening here was three out of three people at this law firm clicked on this link. We used AI antivirus to protect them. All the different computers that were affected immediately had the virus nullified. We got notifications of what was going on, and this law firm immediately implemented the e-mail filters that we're talking about. That's what usually happens is people are negligent, they get burnt, then they want to be proactive. Again, it's great to see everybody here today trying to be a little bit more proactive, we'll keep it moving. But this is a real world example. Again, we're not talking about text messages like this that are obviously fake. These people are getting a lot more crafty. So this is an example of a vishing scam. Again, your Netflix premium subscription's canceled. All you gotta do is click on netfatiffafix.com, enter your credit card information, and then you're gonna be able to watch movies again. So again, keep in mind these people will use all sorts of different attack vectors. So here's the solution part. We're through the fear, we're through the uncertainty, we're through the doubt. This is what everyone came here for, I'm sure. This is your cybersecurity cheat sheet. This is everything that your organization needs, in my opinion, to stay safe from 80% plus of the types of threats that you will face. Everything we talked about earlier, those unique threats. So the first thing that is absolutely crucial, everyone needs to implement it pretty much immediately, is a three, two, one backup solution. What a 3-2-1 backup solution is, and people have different definitions of this, is a backup where your data is in three different places at all times.
It's in Microsoft 365, it's backed up on a hard drive, and it's also being backed up live to another Cloud account. It's in three different locations across two different vectors. Again, it's online in Microsoft 365, it's live backed up to a second location online, and then it's offline on a hard drive somewhere. So if those two online versions are compromised, we have that offline archive. Multiple different mediums, multiple ways to back things up. Then we have one of those copies being offline. So three different versions of your data, two different mediums, one of them being offline. Absolutely crucial, everyone does that. People panic about the cost of backups. If you're not subject to PIPA or PIPEDA, so you're not handling financial or health data, there's a couple of other restrictions there. But if you're not subject to data that needs to be held in Canada, for example, if you're just a regular roofing company, you're an electrician, you're a professional service that's not handling sensitive data like that, you can use a service like Backblaze for $5 a month, that will take your data off your computer and back it up in their Cloud for $5 a month. There's services like Datto that will charge you several hundred dollars a month. They will keep your data in Canada. They will make sure that it's available for you. They will have things like very low downtime guarantees, where sometimes you won't even experience downtime. If your building were to burn down, or if you were to have theft or there was a hardware failure, things like that. There are several levels to the spectrum of a backup solution. But what's very important is that people keep in mind that their data needs to be in three places across two different mediums, one of them being offline. Next thing you need to consider while you're configuring a backup is... what platform you're going to use. So again, in this case, Backblaze, Backupify. Those are just inexpensive.
Those are things for you to look up. You can look up competitors of them. That'll give you the idea of what platform is best for you. You can reach out to us. We can talk to you. We can kind of help you make a decision, talk to your IT people. They'll help you make a decision, et cetera. Talk to your 14-year-old niece or nephew. They will also give you some ideas, I'm sure. And then you'll come find a professional after that happens all the time as well. Downtime tolerance is another one. You need to figure out what is your downtime tolerance. If you're going to be uploading everything to Backblaze, are you okay that you're not going to be able to work for a full day while you redownload all those things? That kind of stuff. Critical versus non-critical data. I see people back up data they haven't used in years and they're super concerned about backing up two terabytes of data. It needs to be backed up every day. Their backups are taking two or three days to happen. And then we do an audit and we find out only 2% of their data is used in the last year. And of that data, they only really care about a handful of files. So it's very important for you to identify critical versus non-critical data when you're selecting what's going to be backed up because that could be the difference between you paying $900 a month and $5 a month. You also need to figure out your frequency of backups. So again, I'll use the example of an accounting firm that gets hit by ransomware in the middle of May. Do you want to have to redo everything because you only take backups once a month to keep your cost down? Or should you be backing up your data three times a day? And that way, if you do get hacked, you're able to restore and only lose about two hours of work instead of two weeks or two months or two days. So it's very important to figure out where you sit on the spectrum of how frequently you want your backups to take place. The other thing to keep in mind is data retention length.
A lot of people do backups. They do backups for 90 days, and then they stop there. They go, ah, if I lose anything, I'm going to know within 90 days I need it. Well, what happens if you get hacked and the hackers take their time, they just sit inside of your systems for 90 days, and then they spring, they infect everything, and the ransomware that they installed infects everything back to 90 days ago. All of a sudden, your backups are useless. I've seen that happen before as well. So it's very important to make sure your data is being retained for at least, in my opinion, minimum one year. I personally do infinite retention with our solution for our clients. But again, if you are also working in a health care sector, anything regulated by PIPA or PIPEDA, you may be required to do seven years of data retention. And again, never hurts to back up that critical data infinitely if you can afford it. Again, for $5 a month, in some cases, you could do that. Also need to figure out are you just going to be backing up the files on your computer, on your server, or are you going to be backing up the full system? Again, if you have a server and it was configured by an IT guy six years ago, you don't know what it's doing. All you know is it has your licenses for AutoCAD on it. It probably runs a computer, maybe, that your QuickBooks bookkeeper runs into, they remote into it once a week, you think. Maybe you want to back up the entire system, which is going to cost a lot more money, than just backing up the files. A file backup like Backblaze is five bucks a month. A system that backs up the entire system, including your software, including the configuration of the settings, including your files, could be several hundred dollars a month. But that several hundred dollar increase could reduce your recovery bill, reduce your downtime, and allow your data to be more available. So again, those are a couple of things to consider. Two final things, make sure you're testing your backups.
If you're not testing them, they don't exist. I've seen that happen all the time. Oh no, I got everything right here on this hard drive. It's been backed up every day for the last three years. I was promised by my brother-in-law that it's done. No worries. I go, okay, cool. Let's check the backup. We open it up, empty hard drive, plugged in in the middle of 2016, never done a backup. Oh, we go to the backup manager they set up. Oh, it failed the first day you set it up. No one ever checked it. Great, let's start backups today. Let's make sure we're testing them once a week. We're testing them once a month. We're testing them once a year. Whatever you want as a policy, we're gonna give you a policy to manage that stuff. But you have to make sure you're testing your backups or they do not exist. Final thing, assign responsibility. My favorite thing, not really, it's quite sad. When we go into a place that was hit by ransomware, we're sitting down with either the operations manager or the owner, and we ask them, well, who was responsible for managing the backups? And everyone at the table goes like this. And they say, well, I thought she was managing it. He thought she was managing it. She thought he was managing it. And no one's actually responsible for security. And you end up with this crowd psychology where no one jumps into action. No one does anything because they think everyone else is responsible for it. So make sure you assign responsibility. Make sure you're doing three different types of backups across two different platforms. One of those being offline. Make sure you figure out what your critical data is, where you're gonna back it up, how often you're gonna back it up, when it needs to be available in case you need it, and how much downtime you can tolerate. Again, happy to talk about that in more detail anytime. Endpoint security is pretty straightforward. Gonna move on to endpoint. Endpoint is a fancy word for device.
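Before the endpoint section continues, the backup rules just laid out (three copies, two media, one offline, a backup frequency you can live with, a retention floor of at least a year, a restore test, and a named person responsible) can be written down as a check that runs against an inventory of your backup copies. The script below does that and also performs the "does the restored file match the original" test the speaker insists on. It is an added example, not Umbrella IT's tooling or a script from the seminar; the copy names, media, dates, owners and file contents are constructed, and the "now" timestamp is fixed so the run is deterministic.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BackupCopy:
    """One copy of the data (constructed example values, not a real inventory)."""
    name: str
    medium: str           # e.g. "cloud", "disk", "tape"
    offline: bool         # True if the copy is not reachable from the network
    last_success: datetime
    retention_days: int
    owner: str            # person responsible for checking this copy


def check_321(copies: list[BackupCopy], now: datetime,
              rpo_hours: int = 24, min_retention_days: int = 365) -> list[str]:
    """Return the list of policy problems; an empty list means the plan passes."""
    problems: list[str] = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len({c.medium for c in copies}) < 2:
        problems.append("all copies on one medium, need 2 different media")
    if not any(c.offline for c in copies):
        problems.append("no offline copy")
    for c in copies:
        if now - c.last_success > timedelta(hours=rpo_hours):
            problems.append(f"{c.name}: last success older than {rpo_hours}h")
        if c.retention_days < min_retention_days:
            problems.append(f"{c.name}: retention {c.retention_days}d < {min_retention_days}d")
        if not c.owner:
            problems.append(f"{c.name}: nobody assigned")
    return problems


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def restore_test(source: str, restored: str) -> bool:
    """A backup exists only if a restored copy matches the original byte for byte."""
    return os.path.exists(restored) and sha256_of(source) == sha256_of(restored)


NOW = datetime(2024, 6, 14, 12, 0)  # constructed "now" so the example is deterministic

# A plan that meets the 3-2-1 rule, daily frequency, one-year retention, owners named.
GOOD_PLAN = [
    BackupCopy("Microsoft 365 (primary)", "cloud", False, NOW - timedelta(hours=1), 3650, "Jake"),
    BackupCopy("Second cloud copy", "cloud", False, NOW - timedelta(hours=2), 365, "Jake"),
    BackupCopy("External drive in safe", "disk", True, NOW - timedelta(hours=20), 730, "Sally"),
]

# The "I thought she was managing it" plan: two cloud copies, 90-day retention, one stale, no owner.
WEAK_PLAN = [
    BackupCopy("Microsoft 365 (primary)", "cloud", False, NOW - timedelta(hours=1), 90, ""),
    BackupCopy("Second cloud copy", "cloud", False, NOW - timedelta(days=5), 90, "Steve"),
]


def make_demo_files() -> tuple[str, str, str]:
    """Create a source file, a faithful copy and a truncated copy in a temp directory."""
    d = tempfile.mkdtemp()
    src, good, bad = (os.path.join(d, n) for n in ("ledger.csv", "ledger.good", "ledger.bad"))
    data = b"date,amount\n2024-06-13,40000\n"  # constructed sample content
    with open(src, "wb") as f:
        f.write(data)
    with open(good, "wb") as f:
        f.write(data)
    with open(bad, "wb") as f:
        f.write(data[:10])  # a restore that silently lost the tail of the file
    return src, good, bad


if __name__ == "__main__":
    print("good plan:", check_321(GOOD_PLAN, NOW) or "no problems")
    print("weak plan:", *check_321(WEAK_PLAN, NOW), sep="\n  ")
    s, g, b = make_demo_files()
    print("faithful restore:", restore_test(s, g), "| truncated restore:", restore_test(s, b))
```

The retention floor and the freshness window are parameters on purpose: a PIPA or PIPEDA regulated firm would raise `min_retention_days` toward the seven years mentioned above, and a business that backs up three times a day would tighten `rpo_hours` to match.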
Device is a fancy word for iPhone, Android, Windows, Mac, server, any of the devices that you use. Again, we wanna make sure if we wanna call a computer secure, we're backing up the computer. We're using a non-admin account. Now, I'm pretty sure 80% of the people inside of this organization right now, if you're using a Windows computer or a Mac, 100% of people on a Mac are in an admin account. What that means is your account is an administrator. It has total control of your computer. If I inject malicious code into your web browser, your computer will just run the malicious code. If you're using a local account or a non-admin account, then it will prompt you with a password. It'll say type in an administrator password to install this piece of software. Type in an administrator password to open up this restricted file, things like that. So you always want to use a non-admin account to restrict the access of code running on your computer. Yeah, very easy to do that. You create a new admin account, you change the existing one to non-admin, you're done. Takes very little time, very easy to do. Again, something we can help you with, something your existing IT department can help you with. Next thing here, again, two examples of AI powered antivirus, SentinelOne and Cylance AV. Very low resources, they work on older machines, they don't use a lot of resources, they don't slow your computer down, they are not Norton antivirus. Avoid Norton, in my opinion. You want to stick with things like, again, Malwarebytes, Bitdefender, SentinelOne, or Cylance. These are all different tiers, some people will get upset that I recommended those and they'll be very happy to recommend Norton. It's again, an anecdotal game in IT. Those are just my preferences, but I would highly recommend using SentinelOne or Cylance antivirus with something called Huntress to protect your devices. These are AI powered.
What that means is that they're using behavior tracking, they're figuring out things that are normal and not normal. And then they're adding another layer instead of just being reactive like other tools where someone gets hacked, it gets reported, then the antivirus software adds that hack, that virus to their list of things to block, and then they start to catch it for people. These can catch it proactively because they're like, why is Roblox.exe trying to encrypt all the files inside of Dropbox? Let's put a pause button on that really quickly. Let's look into this. So that's why you wanna use these more advanced tools. And again, just at the risk of oversimplifying, that's the example I'll give with that. Final thing, make sure your devices are being regularly updated and make sure you do have logging software on them. So make sure they're being remotely monitored or managed so that you're getting logs on them. So again, if someone does compromise it, you can see what account was compromised, when, how, where. Email security, again, like we talked about, that is 91, 98% of cyber attacks in 2022, 2023. Very important to make sure you're using something like IRONSCALES or Sophos email filter for your Google Workspace, for your Microsoft 365, for your hosted email. That will filter out malicious emails. It will filter out malicious links. It will filter out attachments, bad senders, spoofing attacks, people that are impersonating your clients, people that have breached your clients that are sending you malicious information. And again, I recommend IRONSCALES and Sophos because they also use AI and they realize that if you're a property manager, it's normal for you to receive 500 emails a day from Craigslist and they're not gonna filter those out and cost you thousands of dollars. They're just going to block what is malicious. Very important. You also...
want to make sure that you're backing up everything inside of your email account, your contacts, your calendars, if it's 365 or Google Workspace, your files, all these things. Just because it's in the cloud does not mean it's safe. Make sure you're backing that stuff up. Make sure you're protecting your cloud accounts with multi-factor authentication. Use an app like Microsoft Authenticator, Google Authenticator, Authy, these other platforms. You really don't want to rely on text messages. It's very easy to get hacked that way. I was talking about that on CTV five years ago at this point. Make sure you're using multi-factor authentication. So if someone guesses your password, they need another six-digit code that changes every 30 seconds that's generated on an app on your phone or on a piece of hardware in your desk drawer. Very important. Also make sure that not everyone in your instance of 365 and Google Workspace has access to everything. Make sure that you have the proper account restrictions in place. Does your new employee that works in the mail room need full access to your accounting files? Probably not. Do they need to have full administrative control of everyone's email passwords? Probably not. Make sure that you're putting restrictions in place as needed. Same thing with mobile device wipe. If you're going to be using tools like Google Workspace, Microsoft 365, make sure that you can wipe those files off of someone's computer remotely as soon as possible. Make sure you can remove access from that phone by clicking a button inside of 365. If someone does take control of the phone, they can't go in and start deleting SharePoint files or accessing SharePoint files. Make sure you're removing that access right away. One of the last things I want to talk about is the IT policies and SOPs. I know we're coming up on the deadline here, so we'll be very careful of that. Alicia is mentioning that she's lost sound. Can everyone still hear me all right?
Michelle, can you hear me? Yeah, I can hear you perfect. Okay, excellent. Alicia, could you hear Michelle there? We can't hear you, so just make sure to put it in the chat if you need to reply. Yeah, perfect. Jake, you just muted yourself. Thank you. Last thing I want to talk about, IT policies and SOPs. Thank you, y'all, for confirming you can hear us. Just be cognizant of everyone's time again. I know we're running out. With these policies, these are probably the most important part of everything that we've talked about today. I would say the backups are the number one, email filters number two, endpoint security is number three, and IT policies is contending all of those for each of their spots. These are the main policies that I would highly recommend everyone. Acceptable use. What is acceptable use for your company's email account, for any of its online accounts, for the devices that your staff are using? Can I go sign up for pokerstars.net? Maybe, maybe not. Can I go on Facebook? What if I'm using Facebook chat to talk to potential clients? What if I'm playing games on Facebook? What if I want to set up Grammarly on my account? You know, so very, very complicated and very intricate and very unique restrictions can be put in place there. Alicia, I will be publishing this online. So you might have to watch the last few minutes of it. I apologize. So acceptable use is very important. Understand what is okay for your staff to do with these digital accounts, these physical devices, your data. Can they share it to their personal Gmail account? Can they share it to their spouse's account when they just need to use their computer really quickly because they're on vacation? What is okay? What is not okay? Do you want to have that person get terminated or they quit? And then three years later, their spouse's email gets hacked and they still have access to your accounting files? These are things to think about that do happen in the real world. Access authorization.
Alicia's back, glad to hear it. So access authorization, this is another thing here. Who gets access to what? Who is going to be able to reset passwords? Who is going to be able to get access to people's email accounts? Who is going to access your accounting files? Very important to make sure that you're restricting these resources by groups. And then you are putting users and staff into these different groups. When people are bringing their own device, this has become increasingly common with remote work. People are saying, I want to use my Mac. I don't want to use your computer that you're giving me or vice versa. They want to use their Windows computer. They don't want to use the company issued Mac. So what is okay if they're going to bring their own device? Can their spouse that's studying at UBC use the computer for work? Because I've seen that shut down a retail store. Can their partner watch the Canucks game on an illegal website on that computer? Because I've seen that take down an accounting firm. These are things to consider. And then the final example I'll give is can their kid use it to play Roblox on it? Because I've seen that shut down a movie studio. So you really have to think about when they're bringing their own device, is it okay for them to download and sync all of your Dropbox, your Google Drive, your Microsoft files to that device? Is it okay for them to type on the keyboard when it might have a keylogger virus on it that's soaking up that information and sending it out to those malicious actors? Is it okay for them to be accessing that information on an admin account and then giving it to their spouse? And then their spouse is using the computer on an admin account and they're watching naughty videos that are again, can infect the machine and give it all sorts of viruses and collect all sorts of information.
So it's a very uncomfortable conversation to have with people, but it's very important to understand that if you are going to give them access to your company's data and infrastructure, that they are going to respect the fact that that data and infrastructure has value and they are putting that infrastructure at risk by using a personal device that doesn't have an antivirus on it, that doesn't have the updates happening automatically, that doesn't have the restriction of a non-admin account, that doesn't have the proper restrictions put in place on the device, that has multiple users that don't have security training, don't understand the systems that they're using, are going to also be accessing that device. Very important to keep that stuff in mind. Business continuity, this is very important as well if you're concerned about your business having downtime. So business continuity is when your device fails, let's just talk about again, that server that has QuickBooks on it, or you could talk about Microsoft 365 email, you could talk about your work laptop having coffee get spilt on it. What is your game plan to keep your business running, to keep your business continually operating? It's very important that you look at each piece of your infrastructure, I organize them in terms of people, workstations, servers, networks, cloud services, backups, security, and phone systems. What are you going to do for each part of those pieces of your infrastructure? So what is your plan B? When your staff member calls in sick, what are you going to do? When your workstation gets coffee spilt on it, what are you going to do? When your server goes down, what are you going to do? When Shaw has their internet line cut, what's your backup plan? Very important to think about all those things.
Then again, working with someone like myself or another professional, they'll be able to look at things, give you some templates, figure out what your exact needs are, and get you up and running. Again, you don't need to spend $20,000 a month on this if you're an electrical company, but it might be worth spending $14,000 a month on this if you're a 150 person law firm. It depends. The cost of downtime, reputational damage, and all these other things for a 150 person law firm is significantly higher than an electrician with two technicians having his Dropbox get hacked and he can't function for two or three days. He'll be fine. He's not going to be too concerned about it. He's got to redo some estimates, not a big deal. With that 150 person law firm, that could be $10,000 a day in wages being lost. It could be an insurmountable, incalculable amount of money being damaged from the reputation from those emails being sent out to their clients. Anyways, very important to make sure you have a business continuity plan for each part of your infrastructure. Disaster recovery is directly linked to business continuity. Sometimes it's called a BCDR solution, business continuity and disaster recovery. It's the same thing, but we just want to consider what are we going to do if there's a fire? What are we going to do if there's a terrorist attack? What are we going to do if there's a power outage? What are we going to do if a disaster happens? How are we going to recover? Final couple things, remote work. Are they going to be working from home? Are they going to be talking to your clients on the phone, repeating credit card numbers to people while their roommate's in the back room with a friend that you don't know? Are they going to be working at home with their spouse? Are they going to be working in Mexico using public computers? What are they doing? We need to figure that out.
We need to have acceptable and not acceptable behavior put inside of a policy so that you can have proper remote work things in place. And I believe Pierre is in the chat here. He'll be able to help you with all of the HR side of those things as well, if you're looking for more policy related things for your staff, but these are just the direct IT policies. Yap as well, a fantastic business consultant. He'll be able to help you develop different policies to scale your business securely as well.

Final couple of things here, staff onboarding and off-boarding and security incident response. Security incident response plans. Let's put that back up with the business continuity and disaster recovery plans. The security incident response plan is your email just got hacked. You just found out that you emailed 80 of your clients a malicious link. What are you gonna do? Or you just found out that your internal estimating system was compromised. Now you've got to tell all your clients that their phone numbers and their e-mails are being controlled by some malicious actor. You had a security incident, how are you going to respond? You need to again define those categories I listed before, users, workstations, servers, networks, cloud services, backups, and then again detail a security incident response for each of those pieces of infrastructure.

Final thing, staff onboarding and off-boarding. We had a client, they let their operations manager go about a year and a half ago, and they just found out that that operations manager still had access to their old computer, that was live synced, it had full access to the company's data, and thankfully that operations manager has a very good relationship with her old boss, and they were able to just let them know that they had that, and they asked them, what do you want me to do with it? Should I sign out? What do you want me to do? And now this boss is going to be working very diligently on an off-boarding procedure.
So again, make sure that you have proper onboarding, so you know again, what access am I giving this person? What groups am I putting them in for permissions? What software platforms are they going to get access to? And then when they leave the company, what am I revoking? What am I taking away? Am I getting the computer back? Are they using their own device? Are they using a company-issued device? Are they taking over someone else's device? When am I giving them this information? Am I resetting their password? Am I allowed to remote into their personal device? Am I allowed to put antivirus on their personal device? You need to think about all these types of things. And again, these policy templates that we've made for you do consider all that.

Final thing here, we're not going to go into this because we don't have another hour, but this is the be-all end-all, in my opinion, of cybersecurity solutions. If you want to go absolutely crazy, you want to put on the tinfoil hats, burn your fingerprints off, stay inside, close the windows, this is what you need to do to cover all of your bases. If you want to cover all of your staff, you can follow these solutions and strategies if you're going to work with a professional and you want to have an IT company, or you're working with an IT company and you want them to secure your business. In my opinion, this is everything and the kitchen sink that you can throw at your cybersecurity solutions. Again, this is a cheat sheet. This is good enough. This is that 80/20 rule of 80% coverage for your small business. This is what you can do yourself pretty comfortably as a small business with 15 employees or less. This is the big leagues. This is what you should be considering if you have 15 or more employees, I would say even five or more in today's world. But if you have 15 or more employees, you need to be using I would say 80% of these.
Again, it comes down to the 3-2-1 backups, it comes down to all of these different security measures, again, to protect the confidentiality, integrity, availability and accountability of your cloud services, your networks, your devices and your staff. This is everything that you need to do. Again, a little bit overkill. But I would say 80% of these are what your IT manager should be doing. If they're not doing all of these, ask them why not. Again, it could be a cost restriction, things like that. But again, using the policies we're going to be sending out, plus these strategies, you guys should be able to develop some solutions to keep yourself safe.

And that's about it. Really appreciate everyone's time. My apologies for going a little bit over. Those that know me know I have no problem talking. So my apologies. Yap asked a great question earlier. If anyone else has any Q&A, feel free to throw them into the chat now and we will answer your questions for the next, let's say, 20 minutes. If people are done early, we'll sign off before then. But I'll just answer Yap's question. We'll give it another minute after that. And if no one asks any questions, we'll start signing off. You'll all receive a copy of this seminar via YouTube. We'll send a link over. We'll also send you a link that includes all the policies we've talked about today and a couple of other resources as well. So I want to thank you all so much for your time today. Thank you for coming in on a Friday before a long weekend to talk about the super fun topic of cybersecurity. So really appreciate everyone's time.

Now Yap is asking that he's getting more and more worried about unsubscribing from unsolicited recurring emails. How can I make sure the unsubscribe link is not malicious? Great question. So number one, great idea. Be proactive. Take your email out of places it doesn't need to be. Get off of those lists. Make a secondary fake email. Send that to people. Send that to public events.
Send that to your networking clients. Don't give people your primary email. Have a secondary fake one. Change your LinkedIn sign-in to that other email. Now, how can you make sure the unsubscribe link is not malicious? You can install a tool like Ironscales or you can install a tool like Sophos email filter. Those will detect a malicious link and prevent you from even getting the email in the first place. If you do receive an email that you think is suspicious and you want to avoid it, what you can do is go to the primary source. If MailChimp is emailing you saying you want to unsubscribe, if SportsNet, if PokerStars, whatever is emailing you asking you to unsubscribe, you can go to pokerstars.net and unsubscribe from there. You can go into MailChimp, unsubscribe from there. You can choose the platform, go to their website directly and unsubscribe. You don't have to react to the piece of media that you were sent by the platform. Could be the malicious actor, who knows? Yap, I hope that answered your question.

If anyone else has any other questions, speak now or forever hold your peace, whatever people say there, and we'll start to wrap up. So again, really appreciate everyone's time today. Hopefully you found it valuable and we will see you guys next time. If you do ever need any IT advice, feel free to send me a quick little question here. Send me an email directly, hit me up on LinkedIn, anything you need. Always happy to provide free advice to folks, get you started on your cybersecurity journey. If you need help with IT management, we're always happy to help as well. And again, I hope you all have a great long weekend. Looks like we're not getting any questions. So Karen, no problem at all. Glad you found it valuable. And again, I hope you all have a great long weekend and I hope to not hear from you about cybersecurity needs from getting burnt. Hopefully just have proactive questions in the future. Thank you all for attending. Have a great week.
We'll see you later.