Umbrella IT Monthly Cyber Security Awareness...
Hello, everybody, good afternoon and welcome to another cybersecurity awareness seminar hosted by myself, Jake, from Umbrella IT. Very excited to get started today with everybody and start covering the very exciting topic everyone wants to talk about on a Friday afternoon, cybersecurity awareness. So really appreciate everyone joining in today. Really appreciate everybody, again, taking the time. So I want to be respectful of time. We'll just kind of jump into it while people roll in. I appreciate everyone here being a little bit early, being right on time. Thank you so much. If you do have any questions as the seminar is going on, feel free to throw them into the chat. I'll be monitoring that and I'll be able to answer your questions as they come in or at the soonest appropriate time. And your questions, I can promise you, are not silly questions. They're going to be appreciated by everyone else in attendance. And I promise you that people are going to appreciate you asking that question. So without any further ado, we'll go ahead and jump into it here as people are joining in. So again, thank you all so much for taking the time. My name is Jake from Umbrella IT Services, and today we're going to be talking about cybersecurity awareness. So the goal of today's seminar is to just bring awareness to the threat landscape in 2024. We want to arm small business owners, small business managers, small business staff with the knowledge of the threats that you are going to face this year and then provide you with some tools that you can use to recognize these threats and mitigate them inside of your organization. So we'll jump right into it here very quickly. Just have to go through a disclaimer with everyone. Again, the seminars are general information and educational purposes only. Implementation or adaptation of these materials does not mean that I am now an advisor to you or your company. For that, we need a managed services agreement. 
Again, if anyone is interested in pursuing managed services, we would be happy to help with that in a different discussion. But we also accept no responsibility in case I missed a statistic or if there's any errors, omissions or inaccuracies in the content. I spent a long time researching this using tools like Norton and there's a lot of other private studies that occurred regarding these statistics. Webroot is quite a good resource. There's a lot of other companies like Verizon that are doing a lot of good research that I've referenced here. We're also going to accept no liability for any damage of any kind incurred if you do use some of the advice we provide here. The seminar is also going to refer to different products, services and strategies. And simply because I mention them does not mean that we are actually endorsing those strategies. And finally, use your own judgment, confer with your own professionals, your own group of experts before you implement anything. And please remember that cybersecurity is a shared responsibility across your organization from the bottom all the way up to the very top. And let's all try and stay informed and stay secure. So to get things started, we're gonna jump right into the 2022 and 2023 cybersecurity statistics. So this is the front loading of all the boring stuff. We're gonna get into the fun stuff after this, but I just wanna make sure everyone understands statistically what is the reality of the world we live in. I don't wanna talk about people's anecdotal experience. I obviously have a high exposure to cyber threats and attacks and things like this. And I really wanna focus on the statistics instead of going through anecdotal evidence. So in 2022, 63% of cyber attacks were caused by insider negligence, which means that people knew what they were supposed to be doing, and they took actions that they knew were incorrect resulting in a cybersecurity attack being successful. 
So it's a big difference between an accident and negligence. So very important to keep that in mind. The average cost of this negligence was $7.68 million Canadian to organizations with 500 employees or less. So again, that means that half of the attacks cost more than that, which is something to keep in mind. And again, these are small businesses being targeted. 60% of organizations get shut down permanently within six months of being attacked. And this is for a multitude of reasons, one of them being that the average recovery time from ransomware is four to six weeks for a small business. So it takes four to six weeks to get back on your feet, back in operating, communicating with clients, doing things like that. So very, very important to keep in mind that you will be experiencing downtime of four to six weeks in the event of a ransomware on average. So we really wanna make sure again that your business can withstand that. You have things like backups in place. So that recovery time turns from four to six weeks into maybe 40. 60 percent of organizations that were attacked in 2022 also didn't think that they were going to be attacked. They believed that they were not a big enough target. For whatever reason, they think that they're not going to be attacked. So if you do have someone in your organization, they don't think they're important. They don't think they're going to be targeted by these malicious actors. They are most likely statistically the person that will cause this attack through their negligence by assuming that they're not going to be a target. Another interesting statistic here is that small businesses are subject to 350 percent more social engineering attacks than enterprises. I'm sure everybody has heard about the ransomware attack that took place against London Drugs. I believe it was a ransomware attack. 
But I'm sure no one has heard about the local electrical company or the plumbing company or the school supply company that were shut down last month that I've heard about through my network. Those ones don't get the same attention. But again, almost every day, multiple small businesses are taken down by malicious actors, either through social engineering attacks, ransomware attacks, or multiple other types of malicious activity. So we'll talk about that a little bit more later on in the presentation. And the final thing to focus on here is that only 53% of employees can correctly define phishing. And we're gonna get into that definition, and I'm gonna make sure everyone that's attending today is able to confidently define phishing by the end of the seminar. One last thing I wanna touch on very quickly is the attack vectors that are being used against small and medium organizations. The number one here, almost 40% of the time, is phishing, which is where somebody impersonates a trusted source to collect sensitive information or install malicious software. So again, they're impersonating a trusted source to install malicious software or to collect sensitive information. So that is the attack being used 40% of the time. And there's another alarming statistic that we'll go over later on in the presentation. Final thing here is that there's been a 4900% increase in cyber attacks between 2017 and 2022. The other thing that's crazy is since 2022 to 2023, there's been a 90% increase. And then since the beginning of 2024 till now, there's been a 98% increase. So we've essentially seen a 4900% increase from 2017 to 2022, and then basically doubling every year since then. So with the use of AI automations and all these other tools, these malicious actors are now able to essentially automate their attacks, which is very, very alarming. They're becoming significantly more complex. 
And there's a lot of other kind of threats that we're gonna talk about today, but that's all the fun stuff out of the way. We can move on to some definitions. Now we can start focusing on what it is that you'll be facing day to day and how you can recognize these types of attacks. And then we'll talk about how to defend yourself shortly afterwards. So what is information security? If you were to come to me, or go to another cybersecurity specialist, and you were to ask them, is my file server secure? Is my database appliance secure? Is my QuickBooks file secure? These are the four pillars that I would look at before I tell you yes. So the first thing I want to make sure of is that your information is confidential. Let's use a QuickBooks database as an example. Is your QuickBooks database file confidential? Can your retail front desk staff access that database when you don't want them to? Have you set up the appropriate permissions inside of your organization? From an outsider perspective, do you have a firewall protecting this? Is your computer protected? Does your computer have a Trojan virus on it? Does it have something screen capturing? Does it have a key logging virus on it? Is the data inside of that QuickBooks database confidential? The next is how you maintain the integrity of that database. Are your 2023 numbers accurate or have they been tampered with? Have certain numbers had a zero added? Has a zero been removed from other numbers? Again, if you have this data, but the integrity has been compromised, it's as good as useless. In some cases, it would actually be more dangerous than not having it at all. The next question I would ask is, is it available all the time? When you need your QuickBooks database, can you remote into your network? Can you go into the server that's hosting it? Can you access it? Can you go to QuickBooks Online? Can you sign in and access it? Wherever it is that you're hosting it. But it needs to be available. 
If you open your computer and it has ransomware on it, and you can't even access the internet or go into your QuickBooks database file, then I would not call that secure. And the final thing that we wanna look at is accountability. So we want to have an audit log of who signed in to what computer, what computer was able to access the QuickBooks database file. What did they modify? When did they modify it? And how did they modify it? So if that account were to become compromised, we can then pick a date, reverse, run a backup, reverse the damage that was done. And then again, reverse that damage by just restoring one of those backups and making sure that we understand who logged into the database. When did they log in? What did they interact with? What did they see? What did they edit? What did they make comments on? And we can undo that stuff if it was done by a malicious actor or we can simply keep track of activity that's happening throughout the organization. And you wanna have these four different pillars in place for all of your staff, for all of your workstations, your desktops, your Macs, your PCs, your iOS devices, your Android devices. You wanna have that in place for your server infrastructure. You wanna have that in place for your network infrastructure and you wanna have that in place for your cloud services and business applications like Google Workspace, Microsoft 365. If you're in the medical space, maybe the Jane app. If you're in construction, maybe that would be your Jobber application or Service Fusion or any of these other CRM platforms, Zoho, things like that. But you want to have these four things in place, and then you can actually start to talk about how secure your organization is. You can then start to move on to the next phase, which we'll talk about later on in the presentation, which would be the tools that you can put in place to add on additional proactive security measures. 
So one thing I want to highlight here is the top 10 targeted industries for these malicious attacks in 2024. The number one is industrial goods and services. I'm sure a lot of people have heard about the hydro plants and the other power plants in America that have been getting targeted like crazy. In Canada, thankfully, I don't believe we've had any. We might have had a couple, but I haven't heard about them. But industrial goods and services are being targeted. Manufacturing, power plants, things like that. Technology companies are under attack frequently. Construction, travel and leisure, healthcare, education, government especially, legal services, food and beverage and consulting. So again, no sector is really safe from this. We have retail companies that we manage. They're actually getting more social engineering attacks in my experience than some of the professional services businesses that we're managing like accounting firms and law firms. So again, if you think that your business isn't important enough to get targeted, if you're a retail shop, if you're a food vendor, things like that, you don't know what these people are trying to get a hold of. Maybe they're trying to get a hold of the email list of all of your clients that you sent email receipts to. And then they're going to impersonate your business and send those people something to collect sensitive information or to install malicious software. So these are the top 10 targeted industries. Another quick thing I wanna talk about is liabilities and consequences of these types of attacks. So if you are targeted by a ransomware attack, by a social engineering attack, some sort of malicious activity, a lot of people think that you're gonna have downtime, you're gonna have to pay a ransom and then you're gonna be back up and running. You gotta pay some IT guy to get your stuff fixed and then you're back on the floor. It doesn't matter. Some things that people don't really think about are tied together here. 
That would be the reputational damage, loss of trust, vendor partner disputes and legal and regulatory fines. So for example, if you are a personal injury law firm and you were compromised and you start emailing some of the MRI clinics and doctors that you work with and you send them more copies of ransomware or you send them Trojan viruses or you send them fake invoices or you send them payment updates, letting them know that the wire transfer accounts they normally send payments to have changed, and someone uses AI to copy your voice and the MRI clinic sends a payment somewhere else because they received an email and a phone call from you. That results in a lot of reputational damage that can result in a lot of loss of trust. And you can get into some pretty heavy disputes over different issues here. So very, very important to keep this stuff in mind that it's not just a matter of you got hit by a virus, you got to pay someone, got to clean your computer up and you got to start over from the beginning of the week when you got hacked. You can still experience data loss. We've seen certain accounting firms call us. They've lost three months of data at the end of April. So if you are in the finance industry, how much of a headache that is, having to redo the entire tax season for all of your clients, is an absolutely monumental operating expense, let alone the fact that again, you're going to be down for four to six weeks while your entire fleet of computers, all of your Sage and QuickBooks databases are being restored. All this other sort of technical work that needs to happen, it can be absolutely devastating. Obviously the financial losses of being down, having to pay out $50,000, a million, $2 million to these people holding your business ransom. The reputational damage, again, of your staff talking about all being off work for four weeks because we got hacked, we didn't have proper security in place. 
Your clients talking about how they can't email you, they've been getting weird emails, they've been getting weird phone calls, things like that. Again, your staff and your clients talking about a lack of trust. And then again, if you're being negligent, especially if you're in the healthcare space, any sort of professional service advisor, accountant, law firm, chiropractor, you know, things like this, you could be subject to legal or regulatory fines for being negligent. And again, we've already talked about the cost of downtime, data corruption, restoration costs. And again, if you go to renew your cyber insurance with Beazley or things like that, you're going to be facing some pretty heavy increases when that time comes. So something to think about there. This is something that I'm not going to go into in too much detail. I'll let folks take a screenshot if they'd like here. But this is simply a list of different threats that each section of your internal infrastructure does face. So again, for your people, things like negligence and malicious user and ex staff member being manipulated by a trusted source, somebody impersonating a trusted source. And again, these other type of threats here. For your devices, the most common ones I would just talk about very quickly are outdated software and hardware, very important to keep your systems up to date. Very important to have a proper antivirus solution in place. I'll talk about some recommendations later. But just offhand, I would recommend SentinelOne or Cylance, C-Y-L-A-N-C-E, as some good alternative solutions. I personally don't trust things like Norton Antivirus or McAfee. So keep that in mind. And you would also want to have a good backup on your devices to make sure if anything does go wrong, that stuff is covered. Finally, your networks. So you can have a couple of different things go wrong with your network. You could have somebody connect to your network and investigate your traffic. 
They can kind of soak up the things that you're sending over your network; most of that is going to be encrypted. It's not much to worry about. But you can also have somebody break into your network and simply take it down. They can shut down your network and you won't be able to access things anymore. That would be more of an active threat versus a passive one where someone is just connected to your network, they're siphoning data and they're kind of doing that kind of thing. Finally here would be your cloud services. This is probably the most relevant to a lot of folks today. As I mentioned before, medical professionals are starting to use things like the Jane app along with their other EMR solutions. You have people that are in the construction industry that are starting to use tools like Jobber and Service Fusion. They can have a technician go on site. They can take photos of the things that are on site. Their scheduling and dispatch goes through these cloud services. Essentially all of these small businesses are now starting to centralize all of their data and their systems inside of these cloud platforms, even things like Microsoft 365 and Google Workspace where you have your calendars, your files, your contacts. And we need to make sure that we're putting the proper security measures in place for these platforms. So things like two-factor authentication, making sure that we can't install third-party applications inside of our 365 platform, for example. But it's very important that if we're gonna be centralizing all of our data inside of these cloud services, that we are aware of these types of threats that can happen to those cloud services. This is the most important part of the presentation, I would say here, aside from the cheat sheet that I'll be going over with everyone at the end. This is the most prevalent threat that a small business faces in 2024. This is the social engineering portion of the presentation. 
Social engineering is when someone tries to hack you instead of hacking your technology. It is very difficult for me to brute force the HTTPS encryption that most websites use nowadays. It would require a supercomputer in a hundred years for me to decrypt your web traffic. However, it would be very easy for me to impersonate one of your employees or a vendor or a client or someone that you trust, again, any trusted source, and then manipulate you to get sensitive information or to get you to install malicious software. So we'll break these down really quickly and then we'll move on to how you can keep yourself safe from these threats. I'm gonna be giving you guys a lot of examples of each of these types of threats, just so everyone can identify them and keep themselves safe. And then we'll go into the actual tools to proactively protect yourself from these. So 98% of cyber attacks in 2023 and 2024 leverage social engineering. So again, if we are not being negligent and we are being actively conscious of what we're clicking on and what information we're giving out, we're going to be able to reduce 98% of cyber attacks that occurred in 2023 and 2024. So the first one I want to talk about with everybody is a phishing scam. So as we talked about before, a phishing scam is impersonating a trusted source using fraudulent communication, and they're trying to collect sensitive information, or they're trying to get you to install malicious software. So again, fraudulent communication using email, text, phone, or web. And the other two things I really want to focus on here are it's going to spark an emotional response, and then it's going to include a call to action. So for example, your PayPal account has been compromised. You need to sign in right now to undo the damage. Your Microsoft password is about to reset. You're going to lose access to your account. You need to sign in right now and reverse the damage. That's what they're always going to do. 
They're going to be bright red, scary lettering. Here's a big problem, but in nice blue lettering, here's the solution, just click here. Just give me the phone number, click the link, enter your password, open the webpage, download the ransomware, do this now. We're going to go over some examples of this later. Baiting is another very common one. For the older folks here, like myself, we have the, you are the millionth visitor to this website. Congratulations, you just won a million dollars. And then for a more modern example, we have you just won a $150 Amazon gift card. All you have to do is click on the link in your email, fill out this form, and then you'll be able to get that. So again, they could either have the link that you initially click on install viruses on your computer. They could have the form that you fill out be used for identity theft. They could add you to another email list where they start to do more complex attacks. It could add you to a list where they start looking at you and kind of going into your LinkedIn and into your social media accounts and learning about your network. Maybe they can use the data that you just gave them to go after someone in your network, things like that. Quid pro quo is an exchange of services for critical data. So that would be an example of the old school Microsoft support scam that was quite popular two to three years ago. Older folks would be getting calls from Microsoft. Microsoft would be letting them know that their computer had been compromised and they needed remote access to the computer to help them clean it. So people would be calling these older folks impersonating Microsoft, getting remote access to the computers, installing screen capture software, installing Trojan viruses, installing things to monitor what they're typing on their keyboards. And then they would be charging these older folks $200 plus for that service. And then they would be monitoring them. 
And as they go into their banking or they email their kids or their grandkids or they do whatever it is they're doing on their computer, they can then blackmail them or again contact those people or get access to their bank accounts. And a lot of trouble would occur from that. So again, people trying to exchange services for critical data is another thing we want to keep in mind here. Usually impersonating a trusted source or a technical expert. Another one here is piggybacking. This is usually an in-real-life phishing attack. So again, I've seen this happen a couple of times throughout my 11-year career where people have impersonated a Shaw technician or a TELUS technician. They've come into an office to steal equipment or to install equipment that is going to provide them with insight into activity in the office. So what they'll normally do again is impersonate a trusted professional. They'll ask you to hold the door. They forgot their key. They're so-and-so's partner. They need access to the server room. They need access to so-and-so's office, things like that. They might plug in a USB stick that lets them bypass your Windows computer's password. Again, they might just steal things; back in the day they used to steal phone cards, which were quite expensive. But again, someone impersonating a trusted source in person, trying to get physical access to a sensitive area. And the final one is pretexting. So again, you've been summoned. Someone is calling you from a law firm. You're being targeted that way. Again, they create a fictional scenario. So-and-so has been in a car accident. You need to pay their hospital bill, you know, anything at all. I've seen a million different types of scams like this where somebody creates a fabricated scenario, they're impersonating a trusted source. And again, they're trying to collect sensitive information or they're trying to install malicious software. 
And unfortunately, because of the rise of these AI tools, a much more common threat that's been going on these days is people using AI to call you. You pick up the phone, hi, hello, who is this? What's going on? They could just take a recording of me talking on YouTube, run it through there. And now they have my voice. They can feed that into an AI. They can replicate my voice. And now they can call whoever and impersonate me. If they have enough information about me, they can now impersonate me, call someone, hey, the building's changed or this update or whatever it is that's going on. And now they can create a fabricated scenario, run a client or someone else through this loop. And then again, collect sensitive information, collect money or get them to install malicious software. And I've seen multiple different examples of that. We're going to go through those in a little bit. So for the phishing scams here, again, we have deceptive phishing, spear phishing, whaling, vishing and smishing. So again, very high overview, and we'll move on to the examples after this. Deceptive phishing: so for deceptive phishing, what we're talking about is anything that is targeting a large group of people. I liken this to a shotgun blast. They're trying to hit everyone in your organization and they want to see who falls for the scam. So again, they'll impersonate Microsoft and impersonate PayPal, whoever. They'll send a big email out. It'll hit everyone in the organization and 2% of the organization will fall for the scam. Now they have their target. Now they can go spear phishing. So what they're going to be doing now is they're going to be targeting these 2% of your organization that fell for the scam. They're going to be going on their LinkedIn, onto their Instagrams. They're going to be emailing them to see if they have holiday reminders up. They're going to be digging into these people to get more information on them. 
Once they have more information on them and there are people of interest, they can simply target those folks. If those people of interest are in that person's network, then they can start to go after them. So for example, if you're a manager of a retail store, if you're the operations manager of a finance firm, or if you're just, you know, middle management or an entry level position in a company, you can then be leveraged to get access to a whale, one of the big fish inside of the organization. So what'll happen again, is they'll send out a big shotgun blast, they'll get 2% of the organization, they'll target those people and either drill into them and get information out of them, or they'll use them and compromise their email accounts, for example, to then email the big fish, or they'll do multiple other types of impersonation to get to the big fish. Then the final type of phishing scam is a voice phishing scam, which again, with AI, is very popular these days, or an SMS or a text message phishing scam, again, very common, with people doing something called SIM swapping, where you call Rogers, TELUS or Bell, you say, oh, I lost my SIM card. They'll give you a new SIM card. And now you have the access to this person's phone number. And again, final thing before we get into some examples is the types of communication these folks are gonna be using. So again, this could be official communication coming from inside your organization, need your payroll information. We're setting up a new payroll system. Here's the new benefits package. We've got a COVID exposure, whatever it is that they're gonna do, it's gonna impersonate official internal communication. Shipment notification, UPS needs payment, Canada Post tracking information, whatever it is. Nonprofit requests. This one is particularly nasty, in my opinion. They'll usually break into a nonprofit. They'll get their donating or charitable email list. 
And then they'll email all of them saying, it's that time of year again, make sure you donate here, just click the link. They'll go to PayPal, they'll go to Square, they'll punch in their credit card information. And now all of a sudden they've donated all this money to hackers instead of to the people that actually need the support, happens all the time. Another one here is application notifications, like we talked about, PayPal, Microsoft, they've been compromised, give us your password right now to fix it. And again, more important announcements. So again, this can kind of be linked directly to the official communication where people are impersonating again, HR, legal, your boss, people underneath you, whatever. And the thing that all of these have in common is that they're usually going to be last reminders. They're gonna be laced with urgency and they're gonna give you that fix right away. You're not gonna get paid unless you give me your social insurance and your banking number right now. You're not gonna get access to your Microsoft account unless you reset your password right now, things like that. So here are some examples. We're gonna get into these examples and then I'm gonna be giving you guys that cheat sheet so that you can implement these proactive tools to keep your organization secure. So the first thing I wanna talk about up here, high severity alert, very important. It's mentioning my email by name now, so I can see here right out of the gate, we've got action required. It's a high priority and just like I talked about, we're going to have that nice blue calming solution right there. Some things to look for to identify how this is a scam would be the email that it's being sent from. Now, people can spoof certain email accounts, so you want to use specific tools to filter that out. But again, this is a really easy one to detect. There's no way this is a Microsoft email account. This is obviously not the Microsoft logo. 
I've never seen it in this aspect ratio. I've never seen this color of brown with the Microsoft logo. If I hover my mouse over these links, I'll see where they're bringing me. When you hover your mouse over them, you don't want to click on it. It'll show you the website that it's bringing you to. I can promise you this would not be bringing me to Microsoft365.com slash user accounts, whatever it is. Again, just to take one more look at this quickly, high severity alert sent from, it's got the word Microsoft in it. My password is going to expire today unless I go ahead and click the Keep Password button. I'm required to keep my password to avoid login interruptions. So again, sense of urgency, giving me the call to action right there, and it's all encapsulated inside of one email. Another example here would be spear phishing. So again, let's say that I managed to break into Jane's email account. Jane is in charge of the operations or an account, and then Gareth is in charge of accounts payable. So Jane's account's been compromised because these malicious actors were trying to get to Gareth. So now they can get into Jane's account, send Gareth an email, and they can get them to process that wire transfer. Now, what's particularly nasty about this is that people are starting to use AI voices to accompany an email like this with a phone call. Now, I've seen this happen twice to two new clients of ours resulting in a total amount of damages of $80,000 before they signed on with us. So what happened was, again, they received an email like this. Hey, we got to send $40,000 out. Okay, let's send it. Got a phone call. Hey, did you get the new wire transfer information? $40,000, a lot of money. Yeah, of course, I did. Thank you. And then they sent the money off without a second thought. 
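The manual checks the speaker walks through (does the sender's domain really belong to the brand named in the message, where does the link actually go when you hover it, and is the message pairing urgency with a call to action) can be scripted. The following is an added example and not part of the seminar or Umbrella IT's tooling; the brand-to-domain table and both .eml messages are constructed for the demo, and the "registered domain" helper is a deliberate simplification (last two labels).

```python
"""Flag the phishing indicators described in the seminar on a raw .eml message."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist (assumption for the demo): brand name as it appears in a
# display name or body -> domains that legitimately send mail for that brand.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "paypal": {"paypal.com"},
    "netflix": {"netflix.com"},
}

# "Bright red scary lettering" vocabulary: urgency plus a deadline.
URGENCY_PHRASES = ("action required", "high severity", "expire today",
                   "right now", "immediately", "avoid login interruption")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what a hover would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); fine for the constructed samples."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    add = lambda f: findings.append(f) if f not in findings else None

    sender = msg["from"].addresses[0] if msg["from"] else None
    sender_domain = registered_domain(sender.domain) if sender else ""
    display = sender.display_name if sender else ""
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    text = f"{display} {msg['subject'] or ''} {body}".lower()

    # 1. Brand named in the message, but the From: domain is not one of its domains.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in text and sender_domain not in domains:
            add(f"sender_domain_mismatch:{brand}:{sender_domain}")

    # 2. Hover check: visible link text shows one domain, href goes to another,
    #    or the link leaves the named brand's domains entirely.
    links = _LinkCollector()
    links.feed(body)
    for href, shown in links.links:
        host = urlparse(href).hostname or ""
        shown_host = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", shown.lower())
        if shown_host and registered_domain(shown_host.group(1)) != registered_domain(host):
            add(f"link_text_mismatch:{shown_host.group(1)}->{host}")
        for brand, domains in BRAND_DOMAINS.items():
            if brand in text and host and registered_domain(host) not in domains:
                add(f"link_off_brand:{brand}:{host}")

    # 3. Emotional trigger plus the calming "just click here" call to action.
    urgent = [p for p in URGENCY_PHRASES if p in text]
    if urgent:
        add("urgency:" + ",".join(urgent))
    if urgent and links.links:
        add("call_to_action_with_urgency")

    verdict = "suspicious" if len(findings) >= 2 else "no indicators"
    return {"sender_domain": sender_domain, "findings": findings, "verdict": verdict}


# Constructed sample modelled on the "high severity alert" slide.
PHISH_EML = b"""\
From: "Microsoft Account Team" <security-alert@m1crosoft-support.example>
To: jake@example.com
Subject: High severity alert: action required
Content-Type: text/html; charset=utf-8

<html><body><p style="color:red">Your password will expire today.</p>
<p>You are required to keep your password to avoid login interruptions.</p>
<a href="http://login-verify.example/keep">https://login.microsoftonline.com/keep-password</a>
</body></html>
"""

# Constructed benign message for comparison.
CLEAN_EML = b"""\
From: "Jane Doe" <jane@example.com>
To: gareth@example.com
Subject: Q2 invoice attached
Content-Type: text/plain; charset=utf-8

Hi Gareth, the Q2 invoice is attached. No rush, whenever you get a chance.
"""

if __name__ == "__main__":
    for sample in (PHISH_EML, CLEAN_EML):
        print(analyze(sample))
```

The verdict is deliberately conservative (two or more indicators), so a legitimate vendor mail that merely mentions a brand name is not flagged on that alone.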
It's very important to make sure that you have a policy in place, such as a financial approval policy where anything above $1,000 that you're sending out needs to be approved, or whatever number you want to pick. But the way to protect yourself from these types of social engineering attacks is through policies that are properly developed and regularly reviewed with your staff. It doesn't mean you need to waste an hour a day going over policies. It just means that you need to have little reminders in place for folks. So again, very easy to identify if you were to just call Jane directly on her personal line instead of getting a phone call from a weird number where someone's impersonating her. So again, have these policies in place, have procedures in place where you can verify and protect yourself from these types of attacks.

This is my favorite. I have a couple newer ones that we're not going to go over today, but this is my favorite example. This is the personal injury law firm and the MRI clinic that I gave the example of in the previous slides. So in this example it's actually the reverse of the example I gave before. So at the bottom we have the original email coming from the law firm going to the MRI clinic. So the law firm says, hey, we got your letter. The file hasn't settled yet. When it settles, we're going to pay you. Here's the invoice. I've resubmitted it to our accounting department. You're going to get paid ASAP. Have a great day. The MRI clinic, unbeknownst to this law firm, was compromised. So the MRI clinic was being controlled by malicious actors. The MRI clinic had no idea that their email was down. The hackers had total control of their emails at this time, and they responded to the law firm. There were three lawyers and one support staff, I believe. And they said, hey, you need to take a look at this and tell me what you think. I feel like these calculations are incorrect. Tell me if we need to redo this.
And again, if the lawyers had hovered over this link, they would have seen it was not a OneDrive link. It was not a SharePoint link. It was a malicious link. Unfortunately, all four of the staff clicked on it. And thankfully they had that AI antivirus I talked about before, SentinelOne or Cylance, on their computers. And it was detected and it was mitigated and nothing happened. They had a scary flashing red computer screen for a couple of seconds. We got a lot of tickets on our end telling us that a virus had been detected and we were actually able to notify this MRI clinic that they'd been compromised. They didn't know. They had been actively taken over about four to five hours before, and whoever was in control of their emails was going through everything that that account had sent and received in the last six months, whatever time period. And they were responding to people with attacks like this to spread the infection and compromise more people. So very, very important to have email filters in place. Very important to have antivirus in place. Most importantly, to have common sense and good policies in place where we're not just clicking on random links that we trust. So again, this is one of my favorite examples of a whaling attack.

And then finally we have phishing and smishing. So again, I'm sure everyone's received emails like this. They're not very complex. Text messages, excuse me. UPS needs your credit card information to deliver a package you didn't order. Netflix is gonna expire unless you click the link here, and obviously not a Netflix link.

And the thing everyone's been waiting for is the cybersecurity cheat sheet. So these are the things that I would highly recommend for every small business. This is gonna take care of 80% of the threats that your small business is going to face day to day. And I say that just as a professional, it's my professional opinion. Security is a game of cat and mouse. You're never gonna have 100% security.
Anyone selling you that is not being entirely honest, in my opinion. I believe security and IT are all just a different house of cards. And it doesn't matter who's building the house of cards. There's always a way to knock it over. You can go crazy with the expenditures. There's gonna be a way to bypass things. You can go cheap and there's gonna be a way to bypass the things you put in place.

So the first thing that we'll talk about today is the three, two, one backup structure. So this would be for Backblaze or Backupify. This is a very cheap solution for people that are not dealing with sensitive information. This is a $5 to $10 a month solution that'll back up all the files on your computer. Just as a quick example, again, you wanna make sure you're backing up your computer. You wanna make sure you're backing up your cloud data. You wanna make sure you're backing up your network infrastructure, your server data, all of this stuff. Just because you have your data inside of Microsoft 365 or Google Workspace does not mean that it is being backed up. We get phone calls all the time from companies that have accidentally deleted 40% of their Google Drive, 80% of their SharePoint. Somebody moved a folder where it shouldn't have been, things like that happen all the time. And thankfully most of the time they can recover the data, but I would say about 10% of the time they can't and they've lost 40% of their files. So do not think that just because you built your house on Microsoft and Google's lawn, that that house is yours and you own that data and they're caring about it the same way you would. It's very important to have a backup policy in place. And again, you can use something like Backblaze or Backupify for $10 a month. We have certain solutions that we're offering for, again, as little as $10 a month as well. You can also get a full cloud backup from us for as little as $100 a month where we back up your data three times a day.
But I just wanna bring this up so people are aware of what's out there. Now, things to consider when you're setting up your backup, and then we're gonna zip over to endpoint and email security. I'm gonna spend a lot of time on backups because this is the most important thing. If you have all the security tools in the world and you don't have a good backup, you're gonna be in trouble. Because at some point someone's gonna bypass something, someone's gonna accidentally delete something, you need a good backup.

Things to consider would be your downtime tolerance. How long can you be down when something goes wrong? If I spill coffee on my computer, can I just wait a day and go to Apple, or go to the Windows Store, or go to Best Buy, pick up a new computer? Am I okay with that? Do I wanna have a spare computer in my office that I can just pull out of storage and set up right away? Do I wanna have to wait for Lenovo to ship me a $2,400 Carbon that's gonna take two and a half weeks to arrive? What's my downtime tolerance? Same thing, if my QuickBooks database file is down, do I have to download it from the cloud? What kind of downtime tolerance do I have for each part of my infrastructure? If I can't send or receive emails because Microsoft is down, how long can I tolerate that for? Phone systems. How long can you tolerate your phone system being down? Things like that. How long can you tolerate your network being down at your office? Things to consider.

Critical versus non-critical data. I've seen people spend 10-15 times as much as they need to on a backup because they're backing up files that haven't been used in two years. They're backing up, I need eight terabytes of backup, believe me, it's super important. And they back up eight terabytes of data a month, every single month for no reason. In reality, they're using 20 gigabytes of data. So figure out what the critical data is, get that backed up as often as you can.
Don't worry about the archive video footage that you have. If you haven't touched it since 2016, just focus on what your active critical data is, get that into the more expensive backup, and use something like Backblaze to back up the archival footage and this other low sensitivity data.

Frequency of backups. Are you okay with your backups taking place once a month? If your backups break and you have an issue where your backups actually go down, and let's say again, you restore from a backup like this accounting firm did, and you lose three months' worth of work, is that okay? Would you rather have your backups take place every day, which is going to be significantly more expensive? Do you want them to happen multiple times a day, once a week, multiple times a week, multiple times a month, etc.? It's very important to figure that out as well. How frequently are you going to be taking backups?

Another thing to consider is your data retention length. Are you going to take a backup and then throw it away three months later? Because in my experience, hackers usually take down about 90 days' worth of your data. So you want to have backups running at least one year. Some people go for seven years because they're regulated. Again, financial advisors, law firms, things like that. Anybody that's dealing with health data, you need seven years with the backups as far as I'm aware. So it's important to consider how long you're going to be retaining these backups for.

Another thing to consider is, is your backup going to be taking place on-site or off-site? Because I see people do this all the time: I have a backup, it's this hard drive right here. It's got all my data on it. I don't need to worry about a backup. It backs up every day, yada, yada. They have a fire, they have a break-in, something goes wrong on-site, there's ransomware. The hard drive is connected to the server when the ransomware hits, all their data is wiped, it's all gone.
So you need to make sure you have an off-site backup as well. Another couple of things here are, are you backing up the files on your systems, on your computers, on your servers, or are you backing up the full system? A lot of people, again, they go with a file-only backup, like Backblaze, for their server. And they say, all my files are backed up, I'm totally safe, I got nothing to worry about. And then when they go to restore their backups, they have to reconfigure their CRM software. So if you're using a piece of software, any sort of SQL database, you know, it could be QuickBooks, it could be anything. I won't give some client-specific examples, but if you're running software on your server, you need to make sure that the full system is being backed up, including the software, not just your files, because if only the files are being backed up, when you restore from that file backup, you still need to bring in an IT team to restore the software. They need to reinstall the software, they need to reconfigure it, they need to reconnect all the individual workstations to it. They might need to rebuild your Active Directory, where all of your staff are listed and all the file server shares are listed and all these other objects are listed, and everything will have to be manually reconfigured. Very important to decide on what type of backup you're going to be taking there.

Couple other things, you need to make sure you're regularly testing your backups. I see that happen all the time. I've been running backups for three years. Don't worry about it, we're good. And then we go and we say, okay, well, let's test the backup. We go to open up the folder and it turns out the backup manager crashed two years ago. Nothing's happened. Or we go to restore the backups and the backups have been corrupted all the way back to six months for whatever reason. So very important to regularly test them. Again, I would bring that up to the frequency of backup.
So how frequently are you taking them? How frequently are you testing them? And then the final thing is to assign responsibility inside of your organization, because we get called into new clients all the time and they're talking about, oh, we got hacked, but we had all this stuff in place and da-da-da. And I say, okay, well, who is responsible for the backups? And the three people at the table go like this, and no one takes responsibility for it because they thought the other person in the office was handling it. So it's very important to make sure that everyone in the organization understands who's responsible for that. It could be a company like us. It could be an individual. It could be an IT manager. It could be an operations manager. It could be the owner of the company, but you need to assign responsibility.

And all of this stuff put together adds up to what we call a three, two, one backup solution, which means your data's in three different places at all times across two different mediums. So again, it could be backed up offline and on a hard drive, on a computer, in the cloud, whatever. And one of those locations is offline. So three different locations, two vendors, two mediums, or one offline storage solution. You need to have all of those things for us to be able to tell you that you have a secure backup. That protects you from theft, ransomware, viruses, corruption, pretty much anything that can happen. A three, two, one backup should cover you, again, 80% of the time plus, I would say 99% of the time.

Couple last things, endpoint security. Again, top of the list there, so you wanna make sure that your computers, your servers, they are protected. Make sure you have backups on them. When you're using your computer, make sure you're using a non-admin account. That's a very easy free step everyone in this seminar can take right now.
So again, if you're using a computer and you notice that you have an administrator account on your computer, that means that if you go to a bad website, or if you open up a bad Microsoft Excel file, or someone sends you a piece of ransomware, it can just run because it's already in an administrative environment. So what you wanna do is have a user on your computer that's a local account, if you're using a Mac or a PC, that's a non-administrator. You use that as your day-to-day account, and then whenever you're doing something on your computer that requires administrative permissions, you'll be prompted to type in an administrative password. It is a bit of a pain in the butt, you know, you got to type that password in maybe once a day, once a week, but if that pop-up comes up when you're not doing anything out of the ordinary, you're just opening an Excel file, why would I need an administrator password for that, you know something is wrong, and then you can prevent that ransomware from taking place on your computer. You can prevent that software from running with administrative credentials without your permission. So very important, take the time, go into your control panel, add a user, make a local account that doesn't have administrative permissions, set that up for yourself, have your IT department do that if they're not already doing it, do it on your home computers, do it for your kids and their school computers, do it in your personal and your professional life, it will save you a ton of headache. That's a super easy fix that'll protect you from a ton of different types of attacks.

As I mentioned before, we highly recommend SentinelOne or Cylance antivirus. The reason for that is it uses AI and it usually detects unusual behavior. Why is the game that your kid plays trying to encrypt your OneDrive files? Why is Google Chrome trying to download two terabytes worth of information?
It'll detect unusual behavior and block it on the spot, it'll warn you about what it's doing, and then you'll be able to proactively deal with things. Tools like McAfee and Norton, they use more reactive databases where someone's reported something, they identify it as a reported threat and then they block it, but SentinelOne or Cylance is fantastic at being more of a proactive antivirus solution.

Final thing, make sure you're doing your Windows updates, you're doing your macOS updates, you're doing your third-party updates. There was a bad update for macOS a few years ago where you could get into any Mac account by typing in the password R-O-O-T, and you would get into any Mac account. I might be misremembering the details on that, but something to keep in mind that you do want to always stay up to date with the latest and greatest software updates, especially for those third-party applications like Adobe and AutoCAD, and these other tools that we're using all the time. Google Chrome, for example, just patched a huge exploit where people were getting hacked because of a bad outdated version of Google Chrome. Again, make sure you're keeping up to date on your servers and on your desktop computers.

Final couple of things here, email security. Very, very, very easy. Number one, again, backups. Make sure your emails, your contacts, your calendars are being backed up. You can do that for very, very little these days. Again, we can provide that service for 100 bucks a month. You can go to other places that'll be two, three times as much and you can go to some places that'll be two, three times cheaper, but just make sure if you're using Google Workspace, you're using Microsoft 365, you're getting that data backed up every day, especially if you're using an email provider that is not Microsoft 365 or Google Workspace. Another thing I would highly recommend for everybody is multi-factor authentication.
If you sign in to your email account, or your Jane account, or your QuickBooks Online account, or whatever your cloud service account is, from an unrecognized device, you need to be getting a secondary code sent to an app on your phone or a text message to your phone. I highly recommend you use the apps. There's so many ways to get around the text message verification. Make sure that you are setting up all of your cloud accounts with multi-factor authentication on an app like Authy, Google Authenticator, Microsoft Authenticator, etc. Make sure that when you sign in on an unrecognized device with your password, they can't get into your accounts without that six-digit code that's being generated on your smartphone. Very, very important.

Next thing here would be IronScales or Sophos email security. These are great email filters. Anyone here that's using a regular email provider, I'm certain that you've gotten a spam email in the last week. It's almost impossible that you haven't. It's so prevalent these days. If you set up a tool like IronScales or Sophos, and you can get these for as little as $8 a month, that will prevent spoofed emails, that will prevent malicious links, that will prevent malicious files, that will prevent things that'll cause data loss, it'll prevent emails that have been sent through suspicious servers. There's a million different things that these tools will protect you from, much better than the Microsoft or Google Workspace spam filters will. Again, they use AI. We have property managers that receive hundreds of emails a day from Craigslist, from random Gmail accounts, and the only ones that get filtered are the malicious ones. Again, very, very important to put in place an email filter.
In my opinion, if you have an email filter and you have a backup for your users, for your workstations, for your servers, for your networks, for your cloud services, you've pretty much won the battle 98% of the time, right out of the gates. You can add in all this extra stuff, and it's going to obviously help you out a lot. I'm not trying to take away from those other solutions, but for a small business, having an email filter, having multiple good backups in place, and having some basic antivirus, you are set.

One other thing here, account access restrictions and device access restrictions. If you're in a very regulated industry, if you're dealing with sensitive data, if you're a mortgage broker, if you're a healthcare provider, if you're a law firm, if you're getting sensitive information from people, just set it up so that your account can only connect to a device that you give permission to. It can only connect to your MacBook or to your Lenovo computer or to your smartphone. It can't connect to anything else. Just make it way easier to do that. Set up account access restrictions. If you have an entry-level employee, do they really need access to your HR folder? Do they really need access to your finance folder? Do they really need access to these different things? As a business owner, does your account need full admin credentials to your Microsoft or to your Google platform? Or should you set up a secondary account called flowers at your company name, so it's not too suspicious? And then that is the full administrator account that you use. You don't want your day-to-day account to have full admin credentials, because in case your day-to-day account gets compromised, now whoever took control of that has full access to your entire platform. You want to have a different secure account that only gets used for administration.
Again, it goes back to the accountability that we talked about in the beginning of the presentation, being able to audit who signed in from where, doing what. We want to be able to track all that stuff with these different restrictions.

And then the final thing here, so everyone will be receiving copies of these policies and some other ones. The most important IT policies, I think, for small businesses are acceptable use. So what is acceptable use for your Jane account, for your Google account, for your Microsoft 365 account, for your work computer? Can your partner jump on your work computer and do some of their work or some of their studying on it? Can your kid use it? Because I've seen a kid using a producer's computer shut down an entire Apple production for three weeks because they were trying to play Roblox on it. I've seen somebody's partner using an admin account on a computer shut down an entire retail store. I've seen an accountant have their business get shut down, and again, they recovered, but it got shut down because somebody was checking up on the Canucks roster several years ago on a work computer. What is acceptable use? What is not acceptable use?

Access authorization, like we talked about: does HR need access to finance? Does finance need access to HR? Figure out who needs access to what, where, when. Do they need access to these different platforms, to this data, things like that.

Bring your own device. If someone's telling you, I'm not using your work computer, or if you don't want to spend money on getting that person a work computer, can they watch adult video content on their home computer? Can they play games on it? Is it an admin account? Is it not an admin account? What rules are you gonna put in place so that your organization is protected? Especially if you're doing work with contractors, it's very important to have a basic minimum for bringing your own device.
If you're a contractor, you have to have SentinelOne installed. End of story. Most people aren't going to object: oh, I get free antivirus with AI. It's not spying on me. It's just gonna work on my computer and keep my computer safe. Cool, that's fine. It's important to figure that stuff out and define it ahead of time. So when you do bring these new employees in, you can have these security standards in place.

Things like business continuity. That means when your business crashes, something goes wrong, how are you gonna continue operating? Again, it goes back to your backups. Basically, again, what's your downtime tolerance? How frequently are you taking backups? If we're talking about your devices, and again, I spilled coffee on it, or it gets hit by ransomware, what's my business continuity plan for my laptop? What's my business continuity plan for my servers, for my network, for my cloud services, for my productivity app, for all the pieces of infrastructure in your business, your phone system, things like that? What are you gonna do to keep that stuff up and running when you sign into your Microsoft account and all of a sudden it says that your password doesn't work anymore and your clients are calling you saying they're getting weird emails? What's your business continuity plan? What are you gonna do to be able to get back online, get your emails going?

Disaster recovery, very similar to business continuity. I won't waste too much time on it. Business continuity, more of an accident. Disaster recovery, more of a big problem. There's been a fire at the office. What are we doing? There's been a ransomware attack. What are we doing? Business continuity and disaster recovery are usually together. It's called the BCDR solution. And then security incident responses are usually the prerequisite to that. So you have a security incident response and then you have a business continuity plan linked right below that.
Remote work, people want to work remotely. Can they use other computers? Can they use non-work computers to access their work accounts, et cetera? You want to go through one of our templates, or a different template that you have access to, and make sure you have a proper remote work policy in place.

Staff onboarding and off-boarding. Okay, we just had a client go through this. They fired someone two years ago and they contacted them and they said, hey, I still have access to absolutely everything you guys are doing. Should I get rid of that? Because the work laptop that you gave me that you never collected is still syncing all your SharePoint files. And we got a call from this new client and that was the reason why they called us. They said, we just figured out we need a proactive IT department because we didn't have a proper off-boarding plan in place. And now we have this ex-employee who thankfully left in a very agreeable way, but they've been accessing and able to access all this sensitive data, the confidentiality of the data's out the window because we didn't have a proper off-boarding plan. If you off-board a staff member because they quit or because you fire them, and you forget to turn off their phone system or you forget to remove their permissions to their Google Workspace stuff, you could have a potentially huge problem. Again, they could sell that data. They could leak it. They could mess with the integrity of it. They could do nothing with it. Again, we're talking about one in a million chances here of something going wrong, but it's still something to consider. So very important to have proper onboarding where you give people all the permissions and the platforms they need. You show them these policies. You get them set up with the proper training on their platforms, things like that. And then you have proper off-boarding policies in place to protect your organization.
You also want to make sure you have a security incident response plan, like I talked about before. Okay, I received a phishing scam. What do I do? I typed in my password. What do I do? My computer has ransomware on it. What do I do? Do you have to notify your clients? Did your clients' data get leaked? You have to consider all these things and build a policy for it.

Final thing here, not going to get into this. This is the big boy. This is everything that we recommend. This is most of the stuff we go over when we're looking at businesses that we manage. Again, if you want to get a screenshot of this, bring this up with your existing provider. That's great. If you feel like you're not getting this from your existing provider, we are giving away free consultations, so we can go through your organization, provide you with a report, let you know what you need, what you don't need, things like that. But this is pretty much everything we recommend. There's a little bit of stuff that's been left out, but this is about 95 percent of what an organization could use to stay secure, in my opinion. Again, not going to go through this individually. If you are taking security super seriously, you want to be proactive. This is what I would recommend, again, to protect your devices, your networks, your cloud services, your people, and to have proper backups in place.

That about does it. Again, if you do want to set up a free complimentary cybersecurity consultation, or if you would like to do a free managed services consultation, feel free to scan the QR code and I'll help you out there. If anyone has any questions or concerns, we're coming up right to that hour mark, so I'm happy to stay late. Please do not feel inclined to stay late. If you are busy, you have other appointments, things like that, running out of lunchtime. But if anyone does have any questions, feel free to throw them in the chat.
I'll hang around for the next minute or so, killing time until people do throw their questions in. And if there are no questions, then that's fantastic. Really appreciate everyone taking the time today. Very, very happy to host everybody. I hope you found it valuable. I hope you learned a couple of things and I hope you learned some new strategies for your businesses. I hope you all have a great weekend. No problem at all, Chris. Chris says thank you very much, Jim, as well. Happy for the refresher on all things security. Luke saying thank you as well. So again, I hope you all have a great weekend. And again, we're always happy to help folks out if you ever have a quick tech question. So no problem at all, Kate. Thank you for coming in. I can see a couple other folks chatting away, but again, I hope you all have a great weekend. Thank you so much for attending the seminar and I will be sending out a recording of the seminar. You'll all be receiving a copy of the IT policies and we'll be sending that cheat sheet over as well. Judy, no problem at all that you're late. Happy you're here. I hope you found it valuable. And a shout out to the folks at the Kitsilano Business Group there. Make sure to hit up Judy and the Kitsilano Business Group.

Steph Snow, fantastic question. Stephanie is asking about a good password manager. So I would highly recommend something called Bitwarden for one reason. And that is that Bitwarden allows you to self-host their solution. So you don't lump in with the masses. You don't go into their main general admission area where millions of people are using their platform that could and probably will be breached at some point. You can have your own private server that you can set up that gives you the same two-factor authentication, gives you all the password management stuff. You can share things with your staff. You can keep a private list for yourself. But I highly recommend Bitwarden.
Another reason I recommend them is because they actually are very, very good at responding to people when there's an incident. A company like LastPass has taken several months to let people know whenever there's a problem. So if LastPass is compromised, LastPass took several months to respond to people. I think it was in December they got compromised. They sent out several security updates to clients immediately, as soon as they find out something's going on. That's the one there, Jim. Bitwarden.com. So I highly recommend Bitwarden as a password manager. They seem to have very high levels of communication. They seem to have a very high security standard. Again, they allow for self-hosting. So in case the general admission crowd gets compromised, you can have your own private server that's not going to get compromised. Again, that comes with its own costs and things like that, but if you do want to be completely secure, again, cat and mouse, but I would highly recommend Bitwarden. It's not gonna give you 100% security, but it's gonna be a lot better than things like Dashlane or LastPass, in my opinion. So thank you very much for that question, Steph. Judy, for sure, you'll get a copy of this recording over your email. You're also gonna get a little SharePoint link that's gonna give you access to all these different IT policies. You can copy and download those, and we're gonna send you some other resources as well. But Steph, thank you so much for that question. Judy, same to you. And again, thank you to everybody else that attended today. I hope you have a great weekend, and I'll cut it off here. Have a great day, everybody.