Book Your Complimentary Consultation Book Your Complimentary Consultation
Home / Seminars / Umbrella IT Monthly Cyber Security Awareness Seminar June

Umbrella IT Monthly Cyber Security Awareness...


All right. Good afternoon, everybody. Hello. Hello. Thank you all for taking your time today to join us. Really appreciate it. Really want to make sure that we're respectful of everybody's time today. So again, big thank you to everyone for attending right now. This meeting will be recorded. The chat is open. Your mics and your cameras are not just for privacy purposes, but feel free to post some questions in the chat throughout the seminar as things progress. And again, thank you all very much for attending today. Really appreciate it. So I'll just go ahead and jump right into it here. So my name is Jake from Umbrella IT services. We are a local managed IT services provider in the Greater Vancouver area. We provide IT management consulting and support services to small businesses, enterprises, government offices, and of course nonprofits in the Greater Vancouver and the Calgary area. We do support both British Columbia and Alberta based clients. So I've been doing seminars like this for about six, seven years now. I've trained thousands of different employees across the private sector. I've trained thousands of people across the government and public sector, and I've worked with dozens of nonprofits. So again, I hope you do find this valuable. The topic of today's seminar, as you can see, is cybersecurity awareness. So the goal of today's presentation is to make sure that you're aware of how to protect yourself personally and professionally. Your team will also be able to protect themselves personally and professionally after watching this, and I want to provide you all with a couple of resources that you can implement in your organizations once the seminar is done to prevent any sort of malicious activity or actors for being able to affect your organization. So I'll just go ahead and dive into it here. So first thing I need to go over with everyone is this disclaimer. So this seminar is for informational and educational purposes only. Just because you're here today does not mean that I am now your IT advisor. We do not have a built -in relationship and I just need to make that very very clear. We do not accept any responsibility in case some of the information in here today is outdated or wrong or anything like that. We don't have any liability related to your organization or any sort of loss or damage that's incurred if you do implement this stuff. And we do mention a couple of different platforms and solutions here. I am not sponsored by these. I am not sponsoring them. I'm not endorsing these products. I'm just making sure you guys are aware what's out there and what's available to you and your team. Again, that's our main purpose. The same way my accountant wants me to take pictures of all of my receipts and I take pictures of probably 80 percent of them. I'm going to provide you all with a ton of information today than if you can implement 80 percent of it. everyone's going to be very happy. Again, make sure that you're exercising your own judgment when all I'm providing this education and information to you. Please consult with any existing IT providers, any other professionals, lawyers, anything like that in your organization, people that you trust before you start to implement this stuff. Just again, make sure that's best practice for everybody, and please don't forget, cybersecurity is a shared responsibility, and let's all stay informed and stay secure. We'll get the fun stuff out of the way with the first slide here. The very first thing that we're going to be talking about is statistics. We're going to front -load this stuff so that we can focus on the practical information later. I just want to make sure everyone is aware what is actually happening around us. These are statistical facts. This is not anecdotal evidence. This is not, well, I've never been hacked, no one I know has been hacked, or everyone I know has been hacked, or several of my friends have been hacked. This is statistical evidence from 2022 and 2023 that we're going to be talking about in review across the presentation, just to make sure again that everyone is up to date. Couple of things I want to highlight for everybody as we jump into this here, is that 63 percent of cyberattacks in 2022 were caused by insider negligence. I always like to highlight the word negligence here because the negligence is very different from an accident. Negligence is knowing that you should be doing something, neglecting to do it, and then facing the consequences of that action. Very important to keep in mind that basically two -thirds of cyberattacks in 2022 were caused by negligence. The average cost to an organization with 500 employees or less is $7 .68 million. Personally, as the president and founder of Umbrella IT, I don't have $8 million in a drawer laying around. If that's my average cost, I can't imagine the 49 percent of costs that were higher than this, but I think it's going to be $7 .68 million. but I would personally be devastated if I were to face a $7 .68 million ransom, or if I had to pay that amount in legal fees, or if I were to lose that in reputational damage or many other ways that I could face those costs. So very important to keep in mind that that is caused by negligence. 60% of organizations shut down permanently within six months of a breach. The reason for this again is financial repercussions, but also four to six weeks of downtime is the average recovery time it takes when an organization is hit by ransomware. So again, if I had to shut down my operations for four to six weeks, I would most likely be okay, but I know a lot of small, medium businesses would not be able to survive no income, paying expenses, paying fees to rebuild their business, things like that, while shutting down for four to six weeks. So that contributes quite a bit to the 60% of organizations shutting down number here. Another number I really wanna highlight here is 60 percent of organizations believe that they're unlikely to be attacked. If you're here today, you're being cautious, you're being concerned about cybersecurity, you're not in this 60 percent, which is great. But there are a lot of people that don't think that they're going to be a target. Those are the people that are targeted. Those are the people that are, again, being negligent and those are the people that face the consequences. When it comes to small businesses, they are 350 percent more likely to be targeted than enterprises. This is because the malicious actors of the world understand that we are all understaffed, overworked, things like that. We're stretched very thin as small business owners. We do not have an $100 ,000 a year budget for an IT security personnel. We don't do regular cybersecurity training. We can't afford those fancy tools that those enterprises like Walmart and these other places can afford. It's very important to keep in mind that they are 350 percent more likely to go after small businesses than enterprises. While we do have incidences with organizations like London Drugs allegedly being compromised by cyber attack, I hear dozens and dozens and dozens of stories every single week from small businesses being targeted. But we very, very rarely hear about Air Canada, London Drugs, Sony, these other large enterprises that do get hacked and it does happen to these large enterprises. But it's much more common to hear about a school supply company or a small accounting firm or things like this getting targeted and taken down. Keep that in mind that if you are a small business, you are 350 percent more likely to be targeted by these attacks. Another concerning statistic I thought everyone should know about is that 53 percent of employees can properly define phishing. In my experience, anecdotally, it's significantly less than this when I provide these seminars. But again, it's anecdotal. Statistically speaking, according to TechTarget here, only 53 percent of employees can correctly define phishing. A final thing that I want to bring up is that in 2024, there has been a, according to Stats Can, Statistics Canada, there has been a 41% increase in identity theft in 2024. So keep that in mind, that affects people personally and professionally. As we'll notice up here, the attack factors that are used against small and medium organizations is essentially phishing. Phishing is bigger than all these other ones put together just about, others up here as well, but we'll ignore that for now. But phishing is the number one way that these malicious actors are going after your organization. Phishing is when I impersonate a trusted source to collect sensitive information or to install malicious software. So again, I'm going to impersonate a Shaw technician, I'm going to impersonate a family member or a friend or a coworker or a client, and I'm going to collect sensitive information or I'm going to distribute malicious software. I'm gonna repeat that a lot over the seminar here, but that is the number one attack factor being used. Another thing here, this is a very nice chart if this is the S &P 500 or your stock portfolio, and unfortunately that is not what this is. This is a 4900% increase in cyber attacks against small businesses from 2017 to 2022, and this number has done nothing but go up since 2022. 2023, this number has gone up 91%, which is very alarming. So again, we're facing technically a 9800% increase. It's a little bit lower than that, but I'm not going to try and do math live, so let's just call it 9800% increase from 2017 to 2023. So keep that in mind. This is ever -growing. Tools like AI have allowed these people to target more people in a more high -quality fashion, much more quickly. So we'll go ahead and move away from all the fun stuff. We've made it through. Now we can focus on the practical information for you and your organization. So I want to focus on the four main components of cybersecurity. When people ask me things like, is my QuickBooks data secure? Is my network secure? Is my server secure? And I ask them, what do they mean by secure? People don't really know. They just mean, can I make sure my stuff is private? Can I make sure that it's not going to be messed with by someone? Can I make sure it's always going to be available and I'm not going to get taken down by ransomware? Can I make sure that when Susie or Steve accidentally deletes all of my files or they move something somewhere it shouldn't, I can figure out what happened. And those are the main components of defining cybersecurity. So for example, I'll go back to the QuickBooks database file here, a Sage file. We could talk about a server with files on it, things like that. We could talk about, again, a workstation, anything. We'll specifically talk about a computer, a server that's running QuickBooks database file. So the first thing that we want to be concerned about is confidentiality. Can people access this QuickBooks information that should not be able to... taxes as QuickBooks information. That could be an employee, that could be a malicious actor, that could be a family member, that could be a child, that could be anybody. So the first thing we wanna define is confidentiality. We want to make sure that the confidential information remains confidential. The next thing that we wanna focus on is the integrity of that data. So if I go into your QuickBooks file and I remove all of your expenses, or I say that you've paid taxes that you've haven't, or I start to mess around the integrity of that QuickBooks data file, it's basically worse than useless, it becomes damaging. So again, we wanna make sure that the data has not been modified, it's not being deleted, it's not being corrupted, and the integrity of the files that we're working with is also protected as part of our cybersecurity strategy. The next thing we wanna focus on is availability. Very, very important that when you're going into a meeting at 3 p .m. and you're about to open up that file, or you're about to bring up that estimate, or that proposal, or whatever it is you're gonna show your client, or your co -workers. that that file is actually available to you. If Microsoft is down because they were hacked, or if your network is down because it was experienced a hardware failure, or if your computer is down because of ransomware or some other problem, that is just as much of an issue as, again, the file no longer being confidential and the integrity of the file being compromised. We want to make sure you have 24 -hour uptime using things like business continuity strategies and disaster recovery solutions. We're going to talk about those a little bit more later, but we want to have things in place to make sure your data is available when you need it. The other thing we want to focus on is accountability. So we want to make sure we have strict permission sets in place and logging solutions so we can see who did what, when, where, how. So again, if the QuickBooks file's confidentiality is compromised and a malicious actor gets access to the file, they compromise the integrity of it, and they delete the file, or they move the file, or they do something to it where it's no longer available, we need to have tools in place so that we can go in, we can see what account was used to access the QuickBooks file, what changes they made to the QuickBooks file, when they made them, how they made them, and then we know what we need to do to reverse the damage that was done by that malicious actor or by that person that accidentally, again, just did something that they didn't think they were supposed to do and accidentally caused the damage. So we want to make sure we have these four types of systems in place, and then we can actually confidently call something secure. I hope that makes sense to everybody. If you do have any questions before I move from slide to slide, feel free to pop into the chat and just ask a clarifying question, and I will be happy to answer that. Just to move on here for targeted industries, I want to make sure people know what the top 10 targeted industries of 2024 are so far. In order from left to right, industrial goods and services is the number one targeted sector so far. of 2024, which is quite interesting. Lots of farms, lots of heavy -duty machinery, lots of production commodities, things like that. Next up would be technology companies, then construction, travel and leisure, healthcare, education, government, legal services, food and beverage, and consulting. Notice this is pretty much every type of sector. Obviously, there's a few missing, but it is a very wide net of sectors that are being targeted right now, and it's important that every kind of sector considers a cybersecurity strategy for their infrastructure, their data, and their team, regardless of the industry you're in. Just because you're running a bar doesn't mean that you're any less of a target than, say, a law firm or a government office. Keep that in mind. Next thing I want to go over with everybody is the liabilities and consequences that your organization may face if you do face any of these types of security breaches. So a lot of people just worry about data loss. They worry about downtime. And that's about it. They say, I don't want to get hacked. I can't afford to pay a ransom. I can't afford to do all this work twice. I can't afford to do things like that. And that's kind of where they leave it. But if you think about it, for example, if somebody were to break into my email account and start emailing my clients more malicious files, so let's say someone breaks into my email, and they email my clients an updated invoice at the end of the month. Or they say, hey, everyone, I got new security software. You need to install this file on your computer right now. And they go through my email, and they see I was emailing this person, and I was emailing that person. And they organically respond to the people that I'm communicating with. And they organically insert, again, this malicious software into the email threads. Maybe I'm going to start being subject to legal and regulatory fines for being negligent. Maybe those people aren't going to trust me when I send them emails in the future. Maybe people are going to start talking about how their ITI spread malicious software and infected their computers and got their emails hacked and had their business get shut down for a long time. Maybe that's going to result in a little bit more financial losses for me than just the fact that I have to pay ransom now. Again, maybe I just lose my data, which is by itself devastating. If you're an accounting firm and you get hacked in the middle of April, you're going to have to redo all your tax season work. No one wants to do that. That's going to be absolutely devastating. The cost of downtime, again, being shut down for four to six weeks is just obviously not ideal either. Data corruption is something that can happen as well. Somebody can break into your systems and then cause some issues for you later down the road. And again, vendor and partner disputes. If you're a personal injury law firm and an MRI clinic that you're working with sends you compromised information, you're going to run into some serious problems legally here. If you're infecting clients, taking health data, taking social insurance numbers, if you're a mortgage broker handling information like this. Again, these are very, very sensitive pieces of data that people just email about. and forth every day, and it's absolutely critical that we all avoid being negligent in protecting the sensitive information. We also have to be conscious of restoration costs, again, how much is it going to cost to rebuild your server, get all your files recovered, set your computers back up, get things up and running again, make sure that the malicious software and the malicious things inside of your network have been cleaned out and you're not going to get hit by this a second time. And also again, when you go to renew your cyber insurance with easily or another provider, that number is going to go way up if you've been targeted by cyber tech. Andrea is asking for an example of a social engineering attack. We're going to get into that in about two slides. So I'll give you that information as soon as I can, Andrea. Great question. Thank you very much. And we're going to get to that in about five minutes here. So some unique threats that small businesses face. Again, I want to make this very clear that these are unique threats that small businesses are going to face. would be negligence is the number one here for your people. These are the things that you have to be worried about with yourself and with your staff. I've seen C -level executives. I've seen founders. I've seen presidents. I've seen everyone fall for phishing scams. I've seen staff. I've seen people in the mail room fall for staff. So it doesn't matter if you're the VP or if you're just an entry -level person, everyone needs to do their part. Everyone needs to pay attention. Everybody needs to be diligent when it comes to this kind of stuff. So negligence is the number one threat. You can have disgruntled employees. You can have people that are working for your company that don't know that their kid is using their work computer to play roadblocks. I've seen that shut down in movie studio for six weeks. I've seen someone's partner using their computer for school that's supposed to be used for work, take down retail stores for three weeks. I've seen all sorts of stuff happen over the last 11 years. And again, insider threats doesn't necessarily mean someone malicious. It just means someone being negligent. Again, they know that they shouldn't have their kid using the work computer and they know that it's not a machine to play roadblocks on. And the kid thinks they're just downloading an extension to the game. They download some malicious software. It infects a Dropbox file, it syncs everywhere. And then away you go. Lack of policies and training is a huge threat to small businesses. So I'm glad to see everyone here today to kind of fill those gaps. Same thing with a lack of skilled IT security personnel. Again, we don't all have 80 to 120 ,000 a year to pay for a security person to work inside of our business. Low security awareness, weak passwords, and of course, reputational damage are some of the risks that face small businesses. For your devices, you can have software or hardware failure. You can have exploits. So again, if you're not updating your Google Chrome, for example, Google found out, I believe three months ago that their versions of Google Chrome that had not been updated were susceptible to bot attacks. So again, a computer can just detect that you're running an older version of Chrome and inject malicious code into your computer. so make sure your stuff stays updated there. Again, viruses are ransomware, everyone's familiar with those. You can have security or data breaches. Your device can be lost or stolen. People can actually access your device. You might just have a hardware failure where you lose data, but there's a million different ways you could lose data on your device. And of course, SIM swapping. So again, tell us Roger's Bell. It's very easy to call them, have them send over a SIM card, and all of a sudden your phone loses service and people can take advantage of your two -factor authentication passwords. But again, I don't want to get too technical or off topic here. For your networks, you can have passive or active network threats. People can just hack into your network and watch what's going on. People can actually shut down your network. You can have people intercept your traffic. It's called a man in the middle attack. If you think you're sending data to and from Shaw, it could have somebody in the middle that's intercepting that data or in between you and Telus collecting it, things like that. And then again, you can just have failures. You can have the inability to function. Again, that availability thing that we talked about. And then for your cloud services, if you're going to be centralizing all of your data inside of Google Workspace, inside of Microsoft 365, inside of an automation tool like Jobber, or like Service Fusion, or like EasyLaw, any of these cloud -based platforms for your specific profession, it's very important to keep in mind that you've now centralized all this critical data somewhere. You also have to be wary of security and data breaches. Again, someone could break into your Microsoft account, and then what do they get access to? They get access to your emails, your files, your calendars, your to -do lists, your everything. So it's very important to keep that protected, your contact lists, et cetera. Denial of service. Again, someone can take down Google. They can take down Microsoft. Very important to keep that in mind. You can have data loss in there. People can delete things by accident. Google accidentally deleted, I think it was a government office last week, and then they were deleting Google Drive files for people by accident, I believe in November of last year. They were deleting thousands and thousands of gigabytes of private information by accident. So again, just because it's in the cloud doesn't mean it's backed up. It means that you're building your house on someone else's lawn, and you're trusting that they are going to take care of your data. So we're gonna talk about that a little bit later as well. People can also give non -secure applications access to their cloud services. So for example, if you sign into a service like Grammarly with your Microsoft 365 account, you're going to be giving Grammarly access to, and request this, your calendars, your files, all these other sort of pieces of information in your Microsoft account. So if Grammarly would ever be compromised, that could potentially put your Microsoft information at risk, et cetera. Moving along here, just to answer Andrea's question, there are several different types of social engineering attacks that your business can face. So 98% of cyber attacks in 2023 are leveraging cyber. Social engineering is when someone hacks you instead of the technology that you're using. So it's much easier for me to hack a human being to engineer someone socially than it is for me to get past the encryption standards that Google has put in place with Google Drive. It's a lot easier for me to manipulate somebody than, again, impersonate a trusted source or get them to install malicious software than it is for me to brute force the encryption being produced by 20 ,000 Google engineers. So the main thing we're going to focus on today are these five types of social engineering methods, the first of which is a phishing scam. I'm sure most people have seen a phishing scam at some point in your career. So essentially, a phishing scam is a piece of fraudulent communication that's using email, text, phone, or web to impersonate a trusted source, spark an emotional response. including a call to action to fix whatever problem is giving you that emotional response. Again, they want you to install malicious software or collect information. We will be giving some specific examples of a phishing scam in the next slide, but that's the brief definition. A quick example would be, you get an e -mail from Microsoft, your password is about to be reset, you're about to lose access to your account unless you click the button here, then you can reset the password yourself instead of having it get automatically reset, and then, again, statistically, people just reset it to their old password with an extra number at the end of it, and then those people will use the password that you gave them to get access to your other online accounts that they've gathered. Bating is another one. This is a lot less common these days. This was very popular in the early 2000s. This is, you are the millionth visitor to this website. You've won a million dollars. All you have to do is click on the link, or you just got an Amazon gift card. You've won $100. All you have to do is click on this e -mail, and now you're gonna be able to get access to your $100 gift card. So, again, they're offering you a prize. They're baiting you. They wanna give you something digital, something physical, and once you click on that, once you engage with it, once you give them your credit card, once you type in your address, once you click on the link, it's going to, again, try to collect sensitive information from you, or it's going to try to install malicious software. Quid pro quo is something that is not so common anymore from my anecdotal experience. This could still be happening quite frequently, but this is where Microsoft calls one of your older relatives, and they offer to get that virus that they didn't know about off of their computer. All they have to do is give them their credit card information, and give them remote access to the computer, and then this Microsoft representative can jump in and start working on their computer for them. This was a very common scam, probably about four or five years ago, especially during the height of COVID. People were jumping in to older folks. computers. They were then installing spyware, and they were not doing anything. They were just clicking around on the computer a lot, charging them $200 on a visa, committing credit card theft, and leaving the spyware on the computer. So again, it's usually when someone is exchanging services for critical data, or again, sensitive data, or again, the ability to install malicious software. And they're usually going to be impersonating a trusted source or a technical expert, which kind of relates to pre -texting. I'll skip over piggybacking for now and get into pre -texting. So pre -texting is very similar to quid pro quo, but instead of providing a service, they're mostly focused on impersonating somebody. So again, it could be a TELUS technician. It could be a SHA technician. They could be impersonating your lawyer. They could be impersonating your accountant, your spouse, again, family, friends, whoever. They're going to impersonate a SHA technician. They're going to give you a phone call and say, hey, this is TELUS. This is SHA. We've got a brand new offer for you. I just need to verify your address. I just need to verify again, whatever information they want to collect from you. It could be a credit card, could be an address, could be a contact, things like that. So they're going to impersonate a trusted source, create a fabricated scenario, try to manipulate you into, again, giving them a sense of information or giving you links that you need to click on so that you will install that malicious software. And the final one, which is an in real life phishing technique, I've actually seen this happen two or three times, is called piggybacking. So piggybacking is when someone is running behind you in the office, you've never seen them before, and they say, hold the door, you let them into your building, when there's supposed to be a file of access, things like that. And again, they're going to impersonate a trusted source. So in my experience, I've seen fake Shaw technicians, so people will get a Shaw polo. They went into a law firm that we manage. This was a corporate law office, and they were impersonating a Shaw technician while I was working, it's probably several years ago at this point, and they wanted access to the server room. And they had a little USB stick that they wanted to plug in. So I was already on site. They notified me Shaw was there. I spoke to them for a couple of seconds, and they said they forgot something in their car and they had to leave, and then they never came back. And I had a very weird feeling about that person. And I later found out that this was a quite a common scan is people would want to get access to a network room. They would install some hardware that would collect stuff. Sometimes they were just stealing hardware out of the office, but what they were doing was they were impersonating a trusted source. It could be, oh, I'm so -and -so's partner. I'm a TELUS technician. I'm a plumber. I'm your lawyer. I'm whoever. And again, they're trying to get physical access to your systems. Again, it could be someone impersonating a cleaning lady that wants to plug in a USB stick that's gonna let them wipe your computer's password and view your system's information. This is very uncommon in my experience, but I have seen it twice in 11 years. Moving on to the phishing scams. Again, I really want to highlight phishing scams. in particular here, so these are the four most common types of phishing scams that I've seen. And I'm gonna go over how these relate to each other very quickly. So phishing scams, the first one is called a deceptive phishing scam. And I kind of liken this to a shotgun blast. What these people do is they will target a group of people. It could be a million people online that were hacked because they had an AOL email. The hackers got AOL emails, and now they're gonna send out a big blast to all those AOL emails. It could be that they're targeting the company that you work for, and they're gonna email everyone inside of the company, and they wanna see who the weak links in the organization are. So what they're doing is they're targeting a group of people. They're impersonating a trusted source with fraudulent communications. And again, they're trying to install malicious software or collect information. So what they'll do is they'll email your entire business. They'll hit 20 people with that email, and then two people will just say, Sally and Steve will fall for that email. And now the hackers know who to target, so they'll move on to the next phase. And these four things aren't necessarily linked. They don't usually happen in order. I'm just giving you an example to keep the examples linked and moving together here. But the next thing that they would start to do is start spear phishing. So now they understand that Steve and Sally have fallen for this initial scam. They clicked the Reset Password button. They downloaded the file. They opened the email, whatever metric these malicious actors are using, they've fallen for it. So now what they're gonna do is they're gonna go online and they're going to start highly specific targeting of Sally and Steve. They're gonna look at their Instagrams. They're gonna look at their LinkedIn. They're gonna email them and see if they have a holiday responder. They're going to start digging up dirt on these people. One of our partners is a cybersecurity firm. They've told me that this has gone so far that they've actually seen people look up where people's kids go to school. And they've called schools about whether the kids are in there or not. They've seen fake RCMP officers show up at people's door collecting information. This happened in West Vancouver. So again, there's really no limits to how targeted this will go. Again, maybe you're someone in the financial industry. You've got a very sensitive client that people might be interested in. They will go after you. They will go after your kids to get access to the computer that you use that manages that person's information. Again, they will do as much digging as they need to do on social media and on the internet. And then they will target this person. So again, proactive data collection, highly specific targeting. Again, they're gonna impersonate a trusted source. Again, they're gonna use fraudulent communications to compromise that data and to install malicious software. So again, instead of just a general Microsoft password reset, now they're gonna say, hey, this is your child. I am locked out of the house. I need you to do this. Or hey, this is your employee. I need you to reset this password. Hey, this is your boss. I need you to buy a gift card, things like that. They're gonna get, again, whatever they... Their desired end result is they're going to start targeting this person leveraging the sensitive information they've already been collecting either maliciously or through services like LinkedIn, Instagram, TikTok, things like that. So now they're going to be using the next level of social engineering. They're going to have sensitive information or private information that the public generally doesn't know about that they can then leverage to get closer to you. The final thing here would be whaling. So this would be when you go after the big fish inside of an organization. So again, someone that's a president, someone that's a CEO, someone that's a founder, someone that's an operations manager, a bookkeeper, an accountant, an accounts payable, things like that. Someone that holds the keys to the kingdom. It could be, again, sensitive information. It could be monetary. It could be legal. Anyone that has some levers of power related to the confidentiality, integrity. and availability of the systems in the business. So wailing is when they target the big fish inside of the organization. The next thing here would be phishing and smishing. I'm sure everyone here has received a phishing threat. This is simply a text message and smishing. Sorry, smishing is a text message, phishing is a phone call impersonating someone. With AI, the phishing, the phone calls have gotten out of hand. I've had five clients over the last year tell me that they've gotten calls from people where they were not the person they thought they were talking to. There was someone using some form of AI voice masking, or it sounded like the person they were talking to. So very important to keep in mind to not be handing over sensitive information or taking direct orders like payments and things like that without a second layer of verification, which is crazy to think about nowadays. That's why we have these policies for you all at the end of the presentation. Final thing here before we get into some examples and start wrapping up, it'll be the deceptive phishing attacks. Number 1, they're going to impersonate these six main methods to try and get you to give them sensitive information or to download that malicious software. What they want to do is impersonate official communication. Again, we have a new payroll system. All you have to do is give me your blank check, give me your social insurance number, and you're going to get paid on Friday. No worries. Shipment notification. Everyone's gotten these, I'm sure. You get that text message or that email from UPS, FedEx Canada Post, your package was delayed. We can't deliver it unless you put a deposit down. You owe us a balance on a shipment that was recently delivered. Here's the tracking information, all these things. They're going to get you to click on those links, give them your credit card, give them your address, things like that. Non -profit requests is for the scum of the earth, the lowest of the low in my opinion. They will breach a non -profit. They will get the list of everyone that donated to a specific event or a specific charity, and then they will reach out to those people saying, hey, We're doing another fundraiser. Would you like to donate to this nonprofit again? Then people will give their credit card information to these scammers usually taking money again out of Sick Children's Mouth or other nonprofit organizations with specific missions. Again, it's the lowest of the low in my opinion. Application notifications. Again, we get these all the time. Your Microsoft account password needs to be reset. Access to your PayPal account has been revoked. Your bank account has had suspicious activity. All you need to do is click on the link, sign in and everything's going to be okay. That's what those usually look like. Again, important announcements. This could be we've got a COVID outbreak in the office. It could be anything related to your organization again. And again, it's usually something that's laced with urgency and it's implying serious consequences. They really want you to get that initial cortisol rush. And then they want you to click on the button. It's going to make all your problems go away. So we'll go ahead and give you guys some examples here. So in this situation, this is a fake email. This one is the application notification. So this is that the password to Jake and Umbrella has expired today and action is required. So some basic psychology they're using here, lots of red, lots of exclamation points, priority high. And then I've got that blue calming. It's gonna solve all my problems button right here. It's very similar to those 90 commercials where it would be the pain medication. And you would see the person who's covered in red pain, they would take the pain medication and all of a sudden they would turn blue and they wouldn't be dragged down by their pain anymore, it would just go away. So that's what they're doing here. Red problem blue solution. And usually these social engineering threats are confined. They are one shot. They are problem solution. They want you to immediately get that, my password is gonna expire. And once your password expires, then you go in, you click on keep password. And then they're gonna again, collect that sensitive information from wherever that link leads to, or this link might try to install malicious software there. Yap has a great question. I'm gonna answer that during the Q &A at the end here. We're just gonna get through the rest of this. So looking at the spear phishing side of things again, this is somebody who is now targeting Gareth. They understand that Jane is in charge of Gareth. That's a manager employee relationship. And what they're doing here is a combination of spear phishing and whaling. So Jane has been hacked or Jane is being impersonated and they are emailing Gareth and they're just saying, hey, are you at your desk? I need you to process an urgent wire transfer. Please get back to me ASAP. So again, this is something where Gareth might just email Jane back and say, hey, then you heard you needed me to send a wire transfer. Where am I sending it? Who am I sending it to? And again, I see people all the time. I'm too smart for this. I'm not going to fall for this. This is like old news that I fell for this 10 years ago when it was an iTunes gift card. I'm not going to fall for this. We've had two clients send out a total new client now of $80 ,000 in the last three months because of a hack like this. So they received an email from a vendor that was hacked. They then received a phone call powered by AI. Hey, just making sure you got the information that the new invoice that we sent you is being sent to a different account. Want to make sure you got that information. $40 ,000 is a lot of money. Yeah, click. And then they send the money off a month and a half later. The actual company calls them. Why haven't you paid the invoice yet? What's going on? Well, we sent the money. No, you didn't. All these kinds of things. And then you find out that company has been hacked for three months. And then every once in a while, their emails that come in get deleted. They get responded to by the hacker. They delete that email. and they're directing their accounts payable somewhere else. There's so many examples, different types of methods of attack here, but the main thing to focus on again, is that these people are going to get this information that's available online through your holiday responder, through your LinkedIn, through your Instagram, things like that, and they're going to target other people in your organization, in your family, in your friend group with, again, to get a means to an end. This is my favorite example here. This is one of our clients. What ended up happening here is a law firm is working with an MRI clinic. The law firm sent an e -mail off to the MRI clinic and they said, hey, this file hasn't settled yet, we're going to pay you once the file settles. The MRI clinic was compromised and the law firm had no idea, and the MRI clinic said, hey, you need to take a look at this and tell me what you think. I feel like your calculations are wrong. Tell me if we need to redo this. Again, they're talking about paying a bill. The MRI clinic is already hacked by somebody, and now the hacked e -mail account is responding to them. Everyone would click on this. If I sent an e -mail off to one of my clients two days after an e -mail was sent out, and I say, hey, sorry, I sent you the wrong copy of the invoice, here's the right one, click here. Or if they e -mail me back and they say, hey, Jake, appreciate the invoice, I think you guys messed up this month, there's some labor that shouldn't be there. Can you check it out for me with the link? I'll probably click on that as well. That's why it's very important to have specific tools in place that we're going to talk about later that will protect you from these malicious links, these malicious attachments, these compromised e -mail servers, all sorts of different threats. What ended up happening here was three out of three people at this law firm clicked on this link. We used AI antivirus to protect them. All the different computers that were affected immediately had the virus nullified. We got notifications of what was going on, and this law firm immediately implemented the e -mail filters that we're talking about. That's what usually happens is people are negligent, they get burnt, then they want to be proactive. Again, it's great to see everybody here today trying to be a little bit more. proactive, we'll keep it moving. But this is a real world example. Again, we're not talking about text messages like this that are obviously fake. These people are getting a lot more crafty. So this is an example of a Vishing scan. Again, your Netflix premium subscription's canceled. All you gotta do is click on netfatiffafix .com, enter your credit card information, and then you're gonna be able to watch movies again. So again, keep in mind these people will use all sorts of different attack vectors. So here's the solution part. We're through the fear, we're through the uncertainty, we're through the doubt. This is what everyone came here for, I'm sure. This is your cybersecurity cheat sheet. This is everything that your organization needs, in my opinion, to stay safe from 80% plus of the types of threats that you will face. Everything we talked about earlier, those unique threats. So the first thing that is absolutely crucial, everyone needs to implement it pretty much immediately, is a three, two, one backup solution. What a 3 -2 -1 backup solution is, and people have different definitions of this, is a backup where your data is in three different places at all times. It's in Microsoft 365, it's backed up on a hard drive, and it's also being backed up live to another Cloud account. It's in three different locations across two different vectors. Again, it's online in Microsoft 365, it's live backed up to a second location online, and then it's offline on a hard drive somewhere. So if those two online versions are compromised, we have that offline archive. Multiple different mediums, multiple ways to back things up. Then we have one of those copies being offline. So three different versions of your data, two different mediums, one of them being offline. Absolutely crucial, everyone does that. People panic about the cost of backups. If you're not subject to PIPA or PIPEDA, so you're not handling financial or health data, there's a couple of other restrictions there. But if you're not subject to data that needs to be held in Canada, for example, if you're just a regular roofing company, you're an electrician, you're a professional service that's not handling sensitive data like that, you can use a service like Backblaze for $5 a month, that will take your data off your computer and back it up in their Cloud for $5 a month. There's services like Datto that will charge you several hundred dollars a month. They will keep your data in Canada. They will make sure that it's available for you. They will have things like very low downtime guarantees, where sometimes you won't even experience downtime. If you're building where to burn down, or if you were to have theft or there was a hardware failure, things like that. There are several levels to the spectrum of a backup solution. But what's very important is that people keep in mind that their data needs to be in three places across two different mediums, one of them being offline. Next thing you need to consider while you're configuring a backup is... what platform you're going to use. So again, in this case, back plays back up a fly. Those are just inexpensive. Those are things for you to look up. You can look up competitors of them. That'll give you the idea of what platform is best for you. You can reach out to us. We can talk to you. We can kind of help you make a decision, talk to your IT people. They'll help you make a decision, et cetera. Talk to your 14 year old, niece or nephew. They will also give you some ideas, I'm sure. And then you'll come find a professional after that happens all the time as well. Downtime tolerance is another one. You need to figure out what is your downtime tolerance. If you're going to be uploading everything to Backblaze, are you okay that you're not going to be able to work for a full day while you redownload all those things? That kind of stuff. Critical versus non -critical data. I see people back up data they haven't used in years and they're super concerned about backing up two terabytes of data. It needs to be backed up every day. Their backups are taking two or three days to happen. And then we do an audit and we find out only 2% of their data is used in the last year. And of that data, they only really care about a handful of files. So it's very important for you to identify critical versus non -critical data when you're selecting what's going to be backed up because that could be the difference between you paying $900 a month and $5 a month. You also need to figure out your frequency of backups. So again, I'll use the example of an accounting firm to get hit by ransomware in the middle of May. Do you want to have to redo everything because you only take backups once a month to keep your cost down? Or should you be backing up your data three times a day? And that way that if you do get hacked, you're able to restore and only lose about two hours of work instead of two weeks or two months or two days. So it's very important to figure out where you sit on the spectrum of how frequently you want your backups to take place. The other thing to keep in mind is data retention length. A lot of people do backups. They do backups for 90 days, and then they stop there. They go, ah, if I lose anything, I'm going to know within 90 days I need it. Well, what happens if you get hacked and the hackers take their time, they just sit inside of your systems for 90 days, and then they spring, they infect everything, and the ransomware that they installed infects everything back to 90 days ago. All of a sudden, your backups are useless. I've seen that happen before as well. So it's very important to make sure your data is being retained for at least, in my opinion, minimum one year. I personally do infinite retention with our solution for our clients. But again, if you are also working in a health care sector, anything regulated by PIPA or PIPEDA, you may be required to do seven years of data retention. And again, never hurts to back up that critical data infinitely if you can afford it. Again, for $5 a month, in some cases, you could do that. Also need to figure out are you just going to be backing up the files on your computer, on your server, or are you going to be backing up the full system? Again, if you have a server and it was configured by an IT guy six years ago, you don't know what it's doing. All you know is it has your licenses for AutoCAD on it. It probably runs a computer. maybe that your Quickbook bookkeeper runs into, they remote into it once a week, you think. Maybe you want to back up the entire system, which is going to cost a lot more money, than just backing up the files. A file backup like Backblaze is five bucks a month. A system that backs up the entire system, including your software, including the configuration of the settings, including your files, could be several hundred dollars a month. But that several hundred dollar increase could reduce your recovery bill, reduce your downtime, and allow your data to be more available. So again, those are a couple of things to consider. Two final things, make sure you're testing your backups. If you're not testing them, they don't exist. I've seen that happen all the time. Oh no, I got everything right here on this hard drive. It's been backed up every day for the last three years. I was promised by my brother -in -law that it's done. No worries. I go, okay, cool. Let's check the backup. We open it up, empty hard drive, plugged in in the middle of 2016, never done a backup. Oh, we go to the backup manager they set up. Oh, it failed the first day you set it up. No one ever checked it. Great, let's start backups today. Let's make sure we're testing them once a week. We're testing them once a month. We're testing them once a year. Whatever you want as a policy, we're gonna give you a policy to manage that stuff. But you have to make sure you're testing your backups or they do not exist. Final thing, assign responsibility. My favorite thing, not really, it's quite sad. When we go into a place that was hit by ransomware, we're sitting down with either the operations manager or the owner, and we ask them, well, who was responsible for managing the backups? And everyone at the table goes like this. And they say, well, I thought she was managing it. He thought she was managing it. She thought he was managing it. And no one's actually responsible for security. And you end up with this crowd psychology where no one jumps into action. No one does anything because they think everyone else is responsible for it. So make sure you assign responsibility. Make sure you're doing three different types of backups across two different platforms. One of those being offline. Make sure you figure out what your critical data is, where you're gonna back it up, how often you're gonna back it up, when it needs to be available in case you need it, and how much downtime you can tolerate. Again, happy to talk about that in more detail anytime. Endpoint security is pretty straightforward. Gonna move on to endpoint. Endpoint is a fancy word for device. Device is a fancy word for iPhone, Android, Windows, Mac, server, any of the devices that you use. Again, we wanna make sure if we wanna call a computer secure, we're backing up the computer. We're using a non -admin account. Now, I'm pretty sure 80% of the people inside of this organization right now, if you're using a Windows computer or a Mac, 100% of people on a Mac are in an admin account. What that means is your account is an administrator. It has total control of your computer. If I inject malicious code into your web browser, your computer will just run the malicious code. If you're using a local account or a non -admin account, account, then it will prompt you with a password. It'll say type in an administrator password to install this piece of software. Type in an administrator password to open up this restricted file, things like that. So you always want to use a non admin account to restrict the access of code running on your computer. Yeah, very easy to do that. You create a new admin account, you change the existing one to non admin, you're done. Takes very little time, very easy to do. Again, something we can help you with, something your existing IT department can help you with. Next thing here, again, two examples of AI powered antivirus, Sentinel One and Silence AV. Very low resources, they work on older machines, they don't use a lot of resources, they don't slow your computer down, they are not Norton antivirus. Avoid Norton, in my opinion. You want to stick with things like, again, Malwarebytes, Bitdefender, Sentinel One, or Silence. These are all different tiers, some people will get upset that I recommended those and they'll be very happy to recommend Norton. It's again, an anecdotal game in IT. Those are just my preferences, but I would highly recommend using Sentinel -1 or silence antivirus with something called Huntress to protect your devices. These are AI powered. What that means is that they're using behavior tracking, they're figuring out things that are normal and not normal. And then they're adding another layer instead of just being reactive like other tools where someone gets hacked, it gets reported, then the antivirus software adds that hack that virus to their list of things to block, and then they start to catch it for people. These can catch it proactively because they're like, why is Roblox .exe trying to encrypt all the files inside of Dropbox? Let's put a pause button on that really quickly. Let's look into this. So that's why you wanna use these more advanced tools. And again, just at the risk of oversimplifying, that's the example I'll give with that. Final thing, make sure your devices are being regularly updated and make sure you do have logging software on them. So make sure they're being remotely monitored or managed so that you're getting logs on them. So again, if someone does compromise it, you can see what account was compromised, when, how, where. Email security, again, like we talked about, that is 91, 98% of cyber attacks in 2022, 2023. Very important to make sure you're using something like iron scales or Sophos email filter for your Google workspace, for your Microsoft 365, for your hosted email. That will filter out malicious emails. It will filter out malicious links. It will filter out attachments, bad senders, spoofing attacks, people that are impersonating your clients, people that have breached your clients that are sending you malicious information. And again, I recommend iron scales and Sophos because they also use AI and they realize that if you're a property manager, it's normal for you to receive 500 emails a day from Craigslist and they're not gonna filter those out and cost you thousands of dollars. They're just going to block what is malicious. Very important. You also... to make sure that you're backing up everything inside of your email account, your contacts, your calendars, if it's 365 or Google Workspace, your files, all these things. Just because it's in the cloud does not mean it's safe. Make sure you're backing that stuff up. Make sure you're protecting your cloud accounts with multi -factor authentication. Use an app like Microsoft Authenticator, Google Authenticator, Authy, these other platforms. You really don't want to rely on text messages. It's very easy to get hacked that way. I was talking about that on CTV five years ago at this point. Make sure you're using multi -factor authentication. So if someone guesses your password, they need another six digit code that changes every 30 seconds that's generated on an app on your phone or on a piece of hardware in your desk drawer. Very important. Also make sure that not everyone in your instance of 365 and Google Workspace has access to everything. Make sure that you have the proper account restrictions in place. Does your new employee that works in the mail room need full access to your accounting files? Probably not. Do they need to have full administrative control of everyone's email passwords? Probably not. Make sure that you're putting restrictions in place as needed. Same thing with mobile device swipe. If you're going to be using tools like Google Workspace, Microsoft 365, make sure that you can wipe those files off of someone's computer remotely as soon as possible. Make sure you can remove access from that phone by clicking a button inside of 365. If someone does take control of the phone, they can't go in and start deleting SharePoint files or accessing SharePoint files. Make sure you're removing that access right away. One of the last things I want to talk about is the IT policies and SOPs. I know we're coming up on the deadline here, so we'll be very careful of that. Alicia is mentioning that she's lost sound. Can everyone still hear me all right? Michelle, can you hear me? Yeah, I can hear you perfect. Okay, excellent. Alicia, could you hear Michelle there? We can't hear you, so just make sure to put it in the chat if you need to reply. Yeah, perfect. Jake, you just muted yourself. Thank you. Last thing I want to talk about, IT policies and SOPs. Thank you, y 'all, for confirming you can hear us. Just be cognizant of everyone's time again. I know we're running out. With these policies, these are probably the most important part of everything that we've talked about today. I would say the backups of the number one, email filters number two, endpoint security is number three, and IC policies is contending all of those for each of their spots. These are the main policies that I would highly recommend everyone. Acceptable use. What is acceptable use for your company's email account, for any of its online accounts, for the devices that your staff are using? Can I go sign up for pokerstars .net? Maybe, maybe not. Can I go on Facebook? What if I'm using Facebook chat to talk to potential clients? What if I'm playing games on Facebook? What if I want to set up Grammarly on my account? You know, so very, very complicated and very intricate and very unique restrictions can be put in place there. Alicia, I will be publishing this online. So you might have to watch the last few minutes of it. I apologize. So acceptable use is very important. Understand what is okay for your staff to do with these digital accounts, these physical devices, your data. Can they share it to their personal Gmail account? Can they share it to their spouse's account when they just need to use their computer really quickly because they're on vacation? What is okay? What is not okay? Do you want to have that person get terminated or they quit? And then three years later, their spouse's email gets hacked and they still have access to your accounting files? These are things to think about that do happen in the real world. Access authorization. Alicia's back, glad to hear it. So access authorization, this is another thing here. Who gets access to what? Who is going to be able to reset passwords? Who is going to be able to get access to people's email accounts? Who is going to access your accounting files? Very important to make sure that you're restricting these resources by groups. And then you are putting users and staff into these different groups. When people are bringing their own device, this has become increasingly common with remote work. People are saying, I want to use my Mac. I don't want to use your computer that you're giving me or vice versa. They want to use their Windows computer. They don't want to use the company issued Mac. So what is okay if they're going to bring their own device? Can their spouse that's studying at UBC use the computer for work? Because I've seen that shut down a retail store. Can their partner watch the Canucks game on an illegal website on that computer? Because I've seen that take down an accounting firm. These are things to consider. And then the final example I'll give is can their kid use it to play Roblox on it? Because I've seen that shut down in movie studio. So you really have to think about when they're bringing their own device, is it okay for them to download and sync all of your Dropbox, your Google Drive, your Microsoft files to that device? Is it okay for them to type on the keyboard when it might have a key logger virus on it that's soaking up that information and sending it out to those malicious actors? Is it okay for them to be accessing that information on an admin account and then giving it to their spouse? And then their spouse is using the computer on an admin account and they're watching naughty videos that are again, can infect the machine and give it all sorts of viruses and collect all sorts of information. So it's a very uncomfortable conversation to have with people, but it's very important to understand that if you are going to give them access to your company's data and infrastructure, that they are going to respect the fact that that data and infrastructure has value and they are putting that infrastructure at risk. by using a personal device that doesn't have an antivirus on it, that doesn't have the updates happening automatically, that doesn't have the restriction of a non -admin account, that doesn't have the proper restrictions put in place on the device, that has multiple users that don't have security training, don't understand the systems that they're using, are going to also be accessing that device. Very important to keep that stuff in mind. Business continuity, this is very important as well if you're concerned about your business having downtime. So business continuity is when your device fails, let's just talk about again, that server that has QuickBooks on it, or you could talk about Microsoft 365 email, you could talk about your work laptop, having coffee gets built on it. What is your game plan to keep your business running, to keep your business continually operating? It's very important that you look at each piece of your infrastructure, I organize them in terms of people, workstations, servers, networks, cloud services, backups, security, and phone systems. What are you going to do for each part of those pieces of your infrastructure? So what is your plan B? When your staff member calls in sick, what are you going to do? When your workstation gets coffee spilt on it, what are you going to do? When your server goes down, what are you going to do? When Shaw has their internet line cut, what's your backup plan? Very important to think about all those things. Then again, working with someone like myself or another professional, they'll be able to look at things, give you some templates, figure out what your exact needs are, and get you up and running. Again, you don't need to spend $20 ,000 a month on this if you're an electrical company, but it might be worth spending $14 ,000 a month on this if you're a 150 person law firm. It depends. The cost of downtime, reputational damage, and all these other things for a 150 person law firm is significantly higher than an electrician with two technicians having his dropout gets hacked and he can't function for two or three days. He'll be fine. He's not going to be too concerned about it. He's got to redo some estimates, not a big deal. With that 150 person law firm, that could be $10 ,000 a day and wages being lost. It could be an insurmountable incalculable amount of money being damaged from the reputation from those emails being sent out to their clients. Anyways, very important to make sure you have a business continuity plan for each part of your infrastructure. Disaster recovery is directly linked to business continuity. Sometimes it's called a BCDR solution, business continuity and disaster recovery. It's the same thing, but we just want to consider what are we going to do if there's a fire? What are we going to do if there's a terrorist attack? What are we going to do if there's a power outage? What are we going to do if a disaster happens? How are we going to recover? Final couple things, remote work. Are they going to be working from home? Are they going to be talking to your clients on the phone, repeating credit card numbers to people while their roommate's in the back room with a friend that you don't know? Are they going to be working at home with their spouse? Are they going to be working in Mexico using public computers? What are they doing? We need to figure that out. We need to have acceptable and not acceptable behavior, put inside of a policy so that you can have proper remote work things in place. And I believe Pierre is in the chat here. He'll be able to help you with all of the HR side of those things as well. If you're looking for more policy related things for your staff, but these are just the direct IT policies. Yap as well, a fantastic business consultant. He'll be able to help you develop different policies to scale your business securely as well. Final couple of things here, staff onboarding and off boarding and security incident response. Security incident response plans. Let's put that back up with the business continuity and disaster recovery plans. The security incident response plan is your email just got hacked. You just found out that you emailed 80 of your clients a malicious link. What are you gonna do? Or you just found out that your internal estimating system was compromised. Now you've got to tell all your clients that their phone numbers and their e -mails are being controlled by some malicious actor. You had a security incident, how are you going to respond? You need to again define those categories I listed before, users, workstation servers, networks, Cloud services backups, and then again detail a security incident response for each of those pieces of infrastructure. Final thing, staff onboarding and off -boarding. We had a client, they let their operations manager go about a year and a half ago, and they just found out that that operations manager still had access to their old computer, that was live synced, it had full access to the company's data, and thankfully that operations manager has a very good relationship with her old boss, and they were able to just let them know that they had that, and they asked them, what do you want me to do with it? Should I sign out when you want me to do? And now this boss is going to be working very diligently on an off -boarding procedure. So again, make sure that you have proper onboarding, so you know again, what access am I giving this person? What groups am I putting them in for permissions? What software platforms are they going to get access to? And then when they leave the company, what am I revoking? What am I taking away? Am I getting the computer back? Are they using their own device? Are they using a company -issued device? Are they taking over someone else's device? When am I giving them this information? Am I resetting their password? Am I allowed to remote into their personal device? Am I allowed to put antivirus on their personal device? You need to think about all these types of things. And again, these policy templates that we've made for you do consider all that. Final thing here, we're not going to go into this because we don't have another hour, but this is the be -all end -all, in my opinion, of cybersecurity solutions. If you want to go absolutely crazy, you want to put on the tinfoil hats, burn your fingerprints off, stay inside, close the windows, this is what you need to do to cover all of your bases. If you want to cover all of your staff, you can follow these solutions and strategies if you're going to work with a professional. professional and you want to have an IT company or you're working with an IT company, you want them to secure your business. In my opinion, this is everything in the kitchen sink that you can throw at your cyber security solutions. Again, this is a cheat sheet. This is good enough. This is that 8020 rule of 80% coverage for your small business. This is what you can do yourself pretty comfortably as a small business with 15 employees or less. This is the big leagues. This is what you should be considering if you have 15 or more employees, I would say even five or more in today's world. But if you have 15 or more employees, you need to be using I would say 80% of these. Again, it comes down to the 321 backups, it comes down to all of these different security measures, again, to protect the confidentiality, integrity, availability and accountability of your cloud services, your networks, your devices and your staff. This is everything that you need to do. Again, a little bit overkill. But I would say 80% of these are what your IT manager should be doing. If they're not doing all of these, ask them why not. Again, it could be a cost restriction, things like that. But again, using the policies we're going to be sending out, plus these strategies you guys should be able to develop some solutions to keep yourself safe. And that's about it. Really appreciate everyone's time. My apologies for going a little bit over. Those that know me know I know I have no problem talking. So my apologies. Yap asked a great question earlier. If anyone else has any Q &A, feel free to throw them into the chat now and we will answer your questions for the next, let's say, 20 minutes. If people are done early, we'll sign off before then. But I'll just answer Yap's question. We'll give it another minute after that. And if no one asks any questions, we'll start signing off. You'll all receive a copy of this seminar via YouTube. We'll send a link over. We'll also send you a link that includes all the policies we've talked about today and a couple of other resources as well. So I want to thank you all so much for your time today. Thank you for coming in on a Friday before a long weekend to talk about the super fun topic of cybersecurity. So really appreciate everyone's time. Now Yap is asking that he's getting more and more worried about unsubscribing to unsolicited recurring emails. How can I make sure the unsubscribe link is not malicious? Great question. So number one, great idea. Be proactive. Take your email out of places it doesn't need to be. Get off of those lists. Make a secondary fake email. Send that to people. Send that to public events. Send that to your networking clients. Don't give people your primary email. Have a secondary fake one. Change your LinkedIn sign into that other email. Now, how can you make sure the unsubscribe link is not malicious? You can install a tool like Ironscales or you can install a tool like Sophos email filter. Those will detect a malicious link and prevent you from even getting the email in the first place. If you do receive an email that you think is suspicious and you want to avoid it, what you can do... is you can go to the primary source. If MailChimp is emailing you saying you want unsubscribe, if SportsNet, if PokerStars, whatever is emailing you asking you to unsubscribe, you can go to pokerstars .net and unsubscribe from there. You can go into MailChimp, unsubscribe from there. You can choose the platform, go to their website directly and unsubscribe. You don't have to react to the piece of media that you were sent by the platform. Could be the malicious actor, who knows? Yap, I hope that answered your question. If anyone else has any other questions, speak now, forever, hold your piece, whatever people say there, and we'll start to wrap up. So again, really appreciate everyone's time today. Hopefully you found it valuable and we will see you guys next time. If you do ever need any IT advice, feel free to send me a quick little question here. Send me an email directly, hit me up on LinkedIn, anything you need. Always happy to provide free advice to folks, get you started on your cybersecurity journey. If you need help with IT management, we're always happy to help as well. And again, I hope you all have a great long weekend. Looks like we're not getting any questions. So Karen, no problem at all. Glad you found it valuable. And again, I hope you all have a great long weekend and I hope to not hear from you about cybersecurity needs from getting burnt. Hopefully just have proactive questions in the future. Thank you all for attending. Have a great week. We'll see you later.