Maximizing Nonprofit Leaders’ Impact on Cybersecurity
For Cybersecurity Awareness Month, Overt’s Bart Holzer appeared on JMT Consulting’s webinar for nonprofit leaders, discussing cybersecurity for nonprofit leaders and giving attendees an opportunity to earn finance CPEs.
The full transcript is provided below the video for your convenience.
Transcript
Marty Bird: Hello everyone, this is Marty Bird with JMT Consulting. We’re happy to have you here with our webinar and our guests. We’re going to wait about a minute to let everybody in and then we’ll proceed with housekeeping, so let’s wait about one minute.
…
All right, let’s go ahead and get started. This again is Marty Bird with JMT Consulting. We’re happy to have you here today on this very topical subject, cybersecurity, given that October is Cybersecurity Awareness Month. We’re happy to have you with us. I am here to cover some housekeeping and then turn it over to John and Bart.

So, let’s take a look at the housekeeping that some of you might be familiar with. We’re using the Zoom webinar interface, so when you have a question please use the Q&A box to ask those questions. Normally we hold those questions towards the end of the webinar and make sure to cover those in the last 5 or 10 minutes, so be patient with us; we will get to your question towards the end. As you might know, this is being recorded, and everybody who’s attending and registered will get the recorded presentation as well as the slides.

On the next slide is the requirements reminder for CPE credits. You are eligible for one credit as long as you do the following: respond to three out of the four polling questions. We will pause for those questions and they’ll pop up on the screen. Most of them are multiple choice and they are contextual, meaning that they’re relevant to the content that we are presenting. For those who are earning those CPE credits, there is also a questionnaire that pops up at the very end of the conference, so make sure that you stay on for the duration of the webinar. If you have technical issues with the CPE, please contact the email address you see there.

All right, let’s turn it over to Bart, who will introduce himself, and then John and Bart will get us started. Bart, have a great webinar.
Bart Holzer: Thank you so much, Marty. I appreciate you guys having me here today. I’m Bart Holzer, Chief Information Security Officer for Affinity Technology Partners. We’re based just south of Nashville, Tennessee, and I’m excited to share some cybersecurity information with everyone during Cybersecurity Awareness Month. Super excited!
John Tiso: Right, well thank you so much, Bart, for being here, and hello everybody. I am John Tiso, JMT’s Director of Client Services, and I am very excited to be talking about this very relevant subject for all of us. A little bit about JMT Consulting: we have over 2,000 nonprofit clients that we work with exclusively, and we serve clients across the entire country and a number internationally. As you can see, we are headquartered right in Nashville, Tennessee. We have a lot of concentration of organizations in the Northeast, but they are spread out all over, providing a variety of different services and support. We were founded in 1991 by a woman, Jacquline, who had worked for a number of years at nonprofits and realized that there’s so much potential and opportunity for good in supporting them in helping them achieve their missions. We again support over 2,000 organizations, and that number is growing every day, and there is quite a bit I think we might be able to do to support you, too. So that support comes in a variety of different forms. We can assist you in transitioning and upgrading any of the back office tools and systems you might be using, both for ERP and budget management. Maybe you want to get rid of your accounting services altogether and streamline your focus and attention on more of your fundraising efforts; we also provide outsourced accounting services. Or you may want to keep them in-house and find out how we can do what we do even better. We provide services around assessments for process and business, so we will attempt to assist and support any nonprofit in any number of ways that we can, and we work with a number of other partner organizations and other tools and systems to help you be as successful as possible. I also want to bring up, and I am super excited about this, our annual Innovate conference for our clients that we host every year. This year’s, or next year’s rather, in 2025 is going to be right in Nashville, Tennessee.
It is multiple days of pure training, education, networking opportunities, meals; there are parties, it’s a blast. And there is a full day of pre-conference, super dedicated training that happens before the conference begins. I’ve never actually been able to attend it myself, but I have heard easily 99% raving reviews about the pre-cons. They won’t let me go in anymore, they won’t let me into them, but I have heard wonderful things. The conference is my favorite part of every year; I look forward to it and I hope I get to see all of you. All right Bart, bring the magic!
Bart: Well, I don’t know about magic, but I’ll start with a little bit about Affinity, the company for which I’m the CISO. We are a managed services provider, so we provide outsourced IT support, but in addition to IT we do a lot of security and compliance services. Affinity is currently the MSP for JMT, which is why I’m here. I’m going to cover the learning objectives, which is about our CPEs today. We’re going to talk about the cyber threat landscape and the new and most concerning threat that I’m seeing in cyber today. We’ll talk about leadership’s role, and we’re going to talk about building cyber resiliency, which is a very timely topic today. And we’ll briefly mention how an ERP can assist in your cyber program. The agenda follows the same, so I’m going to keep on rolling.
All right, we have a lot of good sources of information when it comes to cybersecurity and the general threats that are out there. The best resource that I think is available to us here in the United States is the FBI and their cyber crime complaint center. That is the IC3, and what you see here is the cover for the report that was released this year. So, it’s the 2024 report, which summarizes all of calendar year 2023. A quick note about this report: it is what has been reported, so we don’t know what hasn’t been reported. So again, without mandatory reporting we can assume these numbers are low. Here’s what we’ve got for this past year, 2023. We had $12.5 billion in losses over that number of complaints, and you can see that the complaints are hovering just under 900,000 but the losses keep going up.
Now, if this was the growth chart for a company it would probably be pretty good, but it’s disheartening that these are the losses that we’re suffering, and again this is in the United States, not worldwide. All right, the top five, well the top four really, losses by dollar amount: number one being investment fraud at 4.6 billion. The next three are business email compromise, tech support, and personal data breach. What does that mean for us in the nonprofit space? We are susceptible to at least three out of the top four cyber threats based on last year’s numbers. Business email compromise, if you don’t know, is where your email account gets taken over by a bad guy. They may use that account for a number of purposes. Usually, what we see is some sort of funds redirection where fake invoices are sent, bank change requests are made, and money ends up going to the wrong place. If you haven’t suffered that yet at your organization, you probably know someone who has. It has been rampant across all industries, but also in the nonprofit space.
Now, tech support has been around a while, but it really got famous this past year with the hack on MGM Grand Casino. The casino lost about a hundred million, is the estimate, based on a bad guy calling into the tech support line and getting passwords and MFA reset just by what I would say “sweet talking” the tech support team. You know, a huge business with lots of security controls in place, but it was the human element that allowed that breach to take place. Now, we here at Affinity have processes in place to validate users to hopefully prevent this from happening. But, as we often say, human beings are our greatest asset and our greatest weakness.
For every org, personal data breach affects everyone in every industry. The best way I can communicate this is: if you have your personal data stolen or finances stolen in your personal life, it is going to affect your business life as well. Because cleaning up from a data breach or financial fraud takes a lot of work and a lot of time, and it’s very disruptive to the workplace. All right, John, are you doing the polls?
John: Not me, but they’re kind…
Bart: Not you? Oh, here it is, it popped up. All right, great! So, we have a poll: “What actions are your leaders at your organization taking to support cybersecurity needs?” And I think you should all have a popup. All right, thanks to everyone who voted. It looks like coming in at the top percentage, at 29%, is “we hired a consultant.” “Hired a security person” was second, and then some “unsure” answers as well. Thank you.
When we talk about the threat landscape and what we’re facing today, there are a few things that I’d like to point out that really, hopefully, demonstrate how difficult it is to build a good cybersecurity program, starting with the lack of personnel. The cyber skills gap has been reported on for a number of years. We just don’t have the top tier talent, for a number of reasons. One, it’s folks like me who have been in the industry for 30 years. We did security when it wasn’t called cyber, and we just didn’t do a good job of mentoring and forming that pipeline of security professionals, and guys like me have to take partial ownership of that. What also impacts that pipeline is the lack of educational opportunities and the lack of degree programs, for example in cybersecurity; that’s all taking place now. It’s a huge wave, an influx of people into the cyber field, because it is an interesting, exciting, and well-paying field. But most folks entering the game today are younger folks, and we don’t have the long experienced experts that we need. In some cases, it’s the high cost of talent: the lack of availability makes it very difficult to recruit and pay for top tier talent.
The second thing I want to point out is that it used to be that it was the really good hackers you had to worry about. The good hackers would build tools, they would attack, say, an industry, and they would do whatever their purpose was, whether it was to make money or gather intelligence. And it was a lot of people defending against a few. Well, the folks doing that traditional hacking, who are really skilled at building hacking tools, decided it’s less work and they can make more money if they simply sell their hacking tools. And they don’t hack anymore. And what we’re seeing is the commoditization of hacking tools. Anybody on this call, if you know how to get onto the dark web and go to a marketplace, can buy a tool today. Pick what it is you want to do. Do you want to do ransomware? Great, pick a ransomware tool, pay your subscription / license fee, download the tool, and start executing phishing campaigns tomorrow. It‘s that simple, and you can start making money if successful hacking on your own. But using a tool built by a very sophisticated hacker, from our perspective in the industry, is super scary: so now, instead of a few highly talented individuals, anybody who can download a tool and pay a couple hundred dollars a month can now do sophisticated hacking without any skill set whatsoever. Back in the day we used to call inexperienced hackers “script kiddies,” where they would just run a script and it might execute some tool or some routine. What is happening today is way beyond that. These are very sophisticated tools using the latest technology, and they get updated by the really good hackers because they’re providing a service.
Now, I’ve used this description many times in my presentations, and I hope it conveys what I’d like to convey. And that is: the waves of cyber attacks that we see hitting all kinds of industries and, specific to this group, nonprofits. The nonprofit industry has been hit in the last few years by a tidal wave of cyber crime. Now, we’ve seen that in the government, we’ve seen that in municipalities, health care. Recently, we saw it with casinos. But there are these tidal waves of attacks that hit a particular industry, and the bad guys will move on from one industry to the next hoping to find an easier target. What I do want to point out is once the tidal wave hits, it doesn’t really abate. The waves keep coming. So, as industries get hit, the attacks keep coming on that industry and then new industries are attacked along the way. So, we are today facing a real serious threat for nonprofits.
The last thing I’d like to point out is the attacks on supply chains. Some professional services companies may not appreciate what a supply chain is to their business. You know, we think about the car industry, and the supply chain for the manufacturing process involves everything from nuts and bolts all the way up to building that final car. Well, in today’s world we’re all… most of our companies are online in professional services. My business is almost all online. My third parties are the SaaS products, the software, the tools that I use for my business, and the same is true for you. We could call that third party risk, we can call it supply chain risk, but the risk is there to be sure. The data that we are interacting with on a daily basis may not be within our control because it’s in a third party system. It’s held in some cloud computing environment somewhere. So, we have to take special care in selecting the vendors so we know where our data is being stored. And it’s a good question to ask: is my data being stored in the United States if I’m a US-based person and a US-based company? That is a serious question to ask.
I’d like to spend a minute or two on the latest and most serious threat that I’ve seen in cyber, and this is called the “token hijacking attack.” Without getting into the nitty-gritty details, the thing that’s super important to note here is that this attack is broad, widespread, and it is related to what we talked about with business email compromise, and what is super scary is it circumvents multi-factor authentication. Now, multi-factor is something security guys like me have been talking about for a long time, and we have typically relied on MFA to prevent account takeovers. Because it’s very hard to get around MFA. But today we have an attack vector that actually can circumvent it and…
It looks like I’m up on time for my initial presentation because we have a pop quiz! If everyone is able to connect to the Q&A section in Zoom, I have a question for you and the person who answers this question first correctly is going to get a prize. Folks on the JMT side, do I need to preface anything else or are we ready to go?
Marty: Nope, that sounds good – should just be able to use the Q&A, yep.
Bart: All right, everybody get your fingers on your keyboards and be ready. So here we go. This is question number one… pulling it up here. All right, the Internet Archive: it’s an online service that archives every website on the Internet. Users can look up old sites and submit their own site for archiving. Now, some of you as old as me may remember it used to be called “the Wayback Machine.” So, the question is: in millions, so this is a number, in millions, how many user accounts were leaked during the recent hack of Internet Archive? So, we’re looking for a number. All right, I see a few answers. We’ve got a wide range here. Lower. You guys might… you can feel free, it’s an open book quiz. There we go! Garrett, you got it. Yes, 31 is the answer. 31 million user accounts were recently leaked due to the hack of Internet Archive. It’s crazy that that number of people… I wouldn’t even know that they used Internet Archive. So yeah, Garrett, you are a winner and I… the JMT folks are going to follow up on your prize in a bit.
Okay, so I talked about a technical issue that we’re facing today: the token hijacking. I don’t want to get into how it works. It’s a method that intercepts your authentication token. You know, while you’re connected in your web page, if you use 365 and you log into, let’s say, Outlook online and then you switch to, say, SharePoint, you’ll notice that when you connect to a different Microsoft service the transition is seamless. That authentication token allows you to go to different sites because you’ve already authenticated. Well, the bad guys are stealing that, and they’re going to use that token to log in as you to Outlook online. So, it’s a type of account takeover, and I’m surprised that more people aren’t talking about this because there are reports, and here’s one of them. Proofpoint is a vendor. They do email security. In their latest report, which they put out every year, it’s called State of the Phish, their latest report, 2024, they indicate that they see a million token hijacking accounts per month, and that is a scary number considering the success of this tool. So, don’t freak out if you guys are a Microsoft shop, and I’m sure many of you are: there is a way to help protect against token hijacking, and that is to implement Conditional Access. So, if you take away anything today, it is make sure in your 365 environment, in Microsoft 365, you have Conditional Access policies enabled and enforced along with multi-factor. We still recommend that.
Ah, looks like we’re at poll number two already, and there it is. Okay, poll number two: “I know someone who suffered a business email compromise; they lost…” and then a selection. All right, thanks everybody who answered that poll. It looks like “less than 100K” appears to be the top answer, tied with “I don’t know anyone who suffered it.” I’ll share anecdotally that in my consulting work I have two main groups of victims: the smaller companies, who may have had an invoice redirected, typically lose around $30,000. Larger victims, certainly real estate and those other different types of fraud, are usually in the $300,000 range. So, I see both small and midsize losses.
All right, we talked about some of the threats, at least the main one I’m concerned about today, and some of the concerns about cybersecurity and the landscape today. How do we build a cyber secure culture within our organization that helps combat the threat, given that we have a high cost of talent, we’ve got commoditization of tools, we’ve got some really sophisticated attacks happening? How do we keep ourselves safe? So here is my advice in terms of building a culture of cybersecurity, and that is coincident with building a really good security program: when building a program we want to start at the top and work our way down and have a security mindset. And we’re going to do a few things in terms of building the program, which is align to a framework and focus on continuous improvement. Sounds simple. It’s hard to do. Now, when we talk about starting at the top, what does that mean? Well, have you ever seen a strategic initiative really succeed without support from the top? It’s very rare. And when we talk about major initiatives, certainly it requires that, but even midsize projects and smaller initiatives sometimes fail just because of lack of interest or oversight from the top leaders. So, when we talk about security and we talk about building a culture or a program, it has to come from the top in a sincere way. Security has to be critical to the success of the organization, and it’s a tough thing to incorporate when operating budgets are thin and expertise is low, but rest assured, you can build a beautiful organization that does a lot of great work and have it taken down in an instant by one major cyber attack. So, depending on the size of your organization, it needs to be at the CEO or President level, or the board level, and reported to. If you are in a large corporation with a board: at a minimum an annual brief by the security person.
But I’m guessing most of us are SMBs on this call, and so it’s really a question of your executive leadership team or those senior leaders that need to take an interest and make sure things are progressing in the world of security at your organization.
Now, given that it comes from the top and there’s interest and buy-in, we need to take security through our organization, and that includes all departments, all the way down to every employee. And, you know, I’ve heard people say in sales, I’ve got friends that do sales, I’ve heard the words “well, everybody’s in sales.” Everyone represents the company; everyone sells the company. The same is true for security: everyone’s in security. Everyone has an impact on the organization and everyone is, frankly, a vulnerability and can be used to gain entry into the organization. Anyone with access has access that can be stolen. So, we need to have a good culture that comes from the top all the way down, and usually that’s where some of my clients stop. What needs to happen is it needs to go out from there. So what about your contractors, what about your vendors? When we talk about third party risk, what about your partners, what about some of the interactions where your data or your customer’s data may be leaving your organization and you may not know where it’s going or how they’re protecting it? And it could be some complicated cloud software provider, or it could also be the printers that you’re sending envelopes to because you’re doing a mailing campaign. Are they protecting your customers’ names and addresses? It’s worth asking the question. And so we want to go from the top, to down, to out and make sure our data is secure.
So I’ve got a couple of things here in terms of mental models. How do we frame our mindset when we’re building a security program? There are two things, and in almost every talk that I give I talk about these two things. We have people, processes, and technology. Not a new concept, not specific to security, but when it comes to security the importance is in that order. We’ve got security wonks like me: we love to sell tools, we love to talk tech, and we start on the T part, and that is wrong. We’ve got to start with people: they are the greatest asset, they are the weakest vulnerability. By far. Processes are second. We have to have good processes in place and training so our employees know what to do and what is expected of them. And lastly, the technology can be used to help enforce the policies that we have and the actions that our people are taking. A great example of this is Accounts Payable: if we don’t have a good accounts payable process, money could go to the wrong place even with technical checks in place.
So, the next mental mindset, which also relates to Accounts Payable, is “two is one, and one is none.” So, in security, if we have one copy of the data we basically have no copies. If it’s encrypted or stolen or lost or deleted and can’t be recovered, it’s gone, and gone-gone. Now, this is a military kind of concept, where “two is one” means we always have backups. But in the military world, it’s backups to backups to backups. So, in security, at least in the programs I build, we typically go for three. Three is two; two is one; one is none. So, in Accounts Payable you have one person with the checkbook. If they can make all the decisions and they can write checks without any checks or balances, fraud is more likely to happen there than if you had a two-step process. I certainly want to recommend this because it’s so dominant today. We have a lot of bad guys who are submitting, in the Accounts Payable process, bank change requests, and so the typical invoicing all flows the same, but they have managed to change the banking information for your largest client, or they’ve changed your information at your largest client, and the money goes to the wrong place. That change request needs to have two checks performed to make sure the change request is valid and is coming from the right person at the actual company with the authority to make the change, not a bad guy pretending to be. All right, in security we have all kinds of examples: MFA is a great one. We need to have more than just a password. That second step is multi-factor authentication.
All right, I think it’s time for another trivia question! This one’s going to be easier, I hope. Make sure you have your keyboards ready and Q&A pulled up, and this question is: “In general, I do not like hacker movies because they really are not realistic at all. There’s a handful, maybe, of good hacker movies. So, in the Q&A section, name your favorite hacker related movie.” Love it! Rose, you made my day, that is excellent. So feel free to keep answering, because I love to see the answers, folks. I’ll read a few of them. I expected “Hackers.” “The Matrix,” yep, that’s on there. So, for me it’s “War Games.” “War Games” has got to be towards the top. “Black Hat” is a good one. “Oceans 11,” love it. “Fifth Estate.” “Swordfish.” I appreciate your guys’ participation in that. So, I believe Rose was first. If I’m wrong, JMT will correct it, but thank you Rose for that and thanks for indulging me in my trivia today.
All right, okay, so we’ve talked about the threat, we’ve talked about getting in the mindset of building a culture of cybersecurity, and now we’re going to talk about building resiliency. This resiliency is within the framework of our security program, whether or not we have a dedicated security person or if we’ve got some functions assigned. If you’re an SMB, that’s probably the case. This is for every organization, from the smallest to the largest. The easiest thing for me to recommend as a security professional to you at your organization is to select a framework and align your security program with that framework. The frameworks are excellent. In general, they’re free. I’m going to point out one specifically for this call. What is really good for SMBs is the Center for Internet Security, the CIS. For self assessments, the CIS is all free. They have tools and spreadsheets and all the stuff available for download that any person can access and utilize to self assess their organization. All the recommendations in any of these frameworks are going to include the really important fundamentals of building a good security program, including the resiliency part.
A word about resiliency: this is kind of a newer concept in the cyber world. We always want to come up with new things, of course, like most industries. What I do want to point out is we, in general, as an industry, have spent a lot of money on prevention, spent a lot of money on detection. So, how do we identify? How do we detect? How do we stop hacks from happening? And the reality of it is a lot of it either is ineffective or it doesn’t have all the coverage that we need to stop everything, and it isn’t about throwing our hands up and saying “ah, we can’t, we just can’t do it.” It is: we expect it to happen. We’re going to detect it. We’re going to intercept it. We’re going to mitigate it. We’re going to lessen the impact of whatever the bad thing is. No, we’re not going to stop it all, but we’re going to minimize it and lessen the impact on our business, and the quicker that we can respond, the less impact, the less serious, any sort of incident’s going to be. So, the idea of resilience is to be able to respond quickly to an incident. If something bad happens, even if it’s not security-related, you know, if a hard drive crashes: can we recover quickly? That’s a part of business continuity and resiliency as well.
So, we’ve picked a framework. I’d recommend the CIS. We’ve downloaded all the stuff and performed our assessment. So, once we have that, it gives us an idea of what we need to do and we can pick the low hanging fruit. Let’s do the highest impact, lowest cost, and shortest time. All right, as I mentioned, resiliency is about focusing on our ability to respond, and down here at the bottom we have… this is the NIST framework for a general security program, or the life cycle of an incident. We have Identify, Protect, Detect, Respond, and Recover. Now, what I’m asking today is, as we’re building our program, don’t just focus on the beginning where we want to buy tools; focus on that detection and response capability within our organization.
All right, poll number three: “Is your ERP system optimally configured to strengthen your internal controls?” All right, looks like “could improve” is the leader at 42% and “well configured” is second, which is great to hear.
John: Oh yeah, so why the question, though? Why does that matter? Well, you know, we’re all using our ERP systems every day, and they contain absolutely critical information, not only to each of your organizations individually but also down to each of you individually. And so major components of your ERP system providing and contributing to your security, first and foremost, is going to be on the data in itself: is it encrypted on your end, is it encrypted during transmission, and is it encrypted at the landing point on whatever servers are holding and housing that data, whether they are yours or a cloud provider like Sage Intacct. There’s also the user authentication and access management, not only in terms of basic stuff like passwords but, as Bart has referenced numerous times, multi-factor authentication. Even though it’s not guaranteed to cover everything anymore, it’s still absolutely critical to have it and maintain it, to be further layers that have to be overcome. IP security filtering for location management: who can sign in from where. Audit trails tracking who can do what; this is a big part in terms of incident response. Something happened; a powerful and complete audit trail will allow you to find out exactly who did that thing, when and where and how. Integration with cybersecurity tools: multi-factor is, in a way, an example of that, you could say it integrates with our phones, for example, but there’s also single sign-on utilizing Microsoft Azure as another function of that. And then segregation of duties. That’s less about the tool’s capabilities and more about how it’s set up, but it’s just as critical. You know, a common example is we don’t want someone to be able to process and approve payments and submit requests for those payments up front, and a properly configured ERP system in this area is going to ensure that every member of the team has that segregation of duties, has that redundancy in terms of controls, to ensure that multiple eyes are on everything. And there are more examples of this; we’d love to talk with any of you about it. It’s very, very important, so we’re here.
Bart: Yeah, thank you for sharing, John. Yes, everything that I said leading up to this builds into what John just said. Certainly, having roles defined and having multiple checkpoints along the way. It’s all about checks and balances, as you guys know. Cybersecurity and finance, I think, have a lot of overlap, and when we talk about controls there’s a lot of commonality in our two areas of expertise. So, I believe we have some final wrap up. Yes.
John: All right, Marty…
Bart: Is this you, Marty?
Marty: Yeah, I can take care of this. We just know, as a webinar attendee, that you might be interested in our calendar of events. So right here you see what we have coming up; please join us. You can see and register for these at jmtconsulting.com. Just click on the events navigation button and you can register there.
There’s the last poll question. This is it, all right. Well, thanks for that last poll. We don’t normally share the results of this poll because we just follow up with those that would like to be followed up with, and otherwise we don’t follow up with you.
So what kind of questions do we have in the Q&A slot that we can take care of today? I see that the quiz answers and questions are there, so with no further questions, Bart, do you have a wrap-up statement that you’d like to give us?
Bart: Well, to quickly answer Garrett’s question: yes, “Live Free or Die Hard” is a hacker movie. Bruce Willis brings in a hacker to do some of his adventures in that movie, so yeah that totally counts, Garrett.
To convey, again, Cybersecurity Awareness Month – it is our time of year to really shine, whatever that means. Usually, it’s some additional training, so I’m happy to be able to present today. I really appreciate the time that you all have allowed me to share some cyber tidbits with you all and… all right, it looks like we got a question while talking. So, Garrett’s asking: how about elaborating a little on PII? I’m going to interpret your question a little bit. When it comes to PII, this is one of the most difficult topics for me to really convey to my clients. I’m going to start by saying there really is no definition of PII. By that, I mean there are too many definitions. The federal government has multiple. I’m going to use the state of California as an example. So the state of California has a couple of different laws on the books, including CCPA, which is the privacy protection within the state of California. The two different laws have two different definitions of PII. It’s very frustrating as a non-lawyer to understand what’s happening here. What is important to know about PII is this: if you have PII – whatever that is, and that will certainly include things like social security number, but depending on the state it could be your name and address, it could be your name and address and birthday, but whatever that definition is – if you have the PII of a citizen of that state and you lose it, you lose the data and it goes outside your organization: you may have legal requirements for your organization. California, 100% you do. So you have to notify the folks whose data you lost, and if you don’t there can be serious penalties.
It makes it a little more complicated in that if you have the PII of an individual who is a resident of the State of California, that person has the legal right to ask you “what data of mine do you have?” and you have a certain amount of time in which you have to respond to that person and say here are the data elements that I have: your first name, your last name, your street address, your birthday, your social, whatever is in your system. You need to be able to answer that. That person has the further legal right to say “I don’t want you to sell my data” or “I want you to delete my data,” and again you have a legal obligation and a timeline to do that – to either not sell the data or delete it. It is frustrating in that it depends on which state we’re talking about – and I’m going to go by memory here: I think we have seven different states that have laws on the books; there are quite a few in the works, and they have different reporting requirements – and if you have data, PII, from citizens of the EU, you have GDPR to be concerned about. And the requirements are based on where that person lives; it isn’t where your headquarters is. Unfortunately, it is where the person lives, so when we talk about maintaining data, PII is something where we have to consider all of the places those people could be residing, which means we have to even track where they reside. Did that answer your question, Garrett? I hope so, and feel free to hop on or Q&A me back again. I do see, okay.
Garrett says: “We perform audits. We have clients that have sent us sensitive information; tried to stress the importance of using share files.” Yes, okay. Yeah, it’s really difficult to enforce on other people sending you sensitive information in email, and it’s especially difficult – and we see it all the time – in real estate, in between, you know, realtors and closing attorneys and all that stuff. That is where I see the most. To get into the practice of sharing data through a portal, and it sounds like you do have a share file, to enforce that: when you send data to a customer, encourage him to send it back the same way. There are technical solutions in place that can help block or delete if it detects some PII. There are tools built into Microsoft now that might be taken advantage of, but in general it’s very difficult to stop it.
Is there a rating service for cybersecurity organizations? Okay, this is a question from John. There is… so we don’t have a… there’s not like an industry – I’m trying to think, like a Dun & Bradstreet equivalent or anything like that. Certainly, I know that there are ranking organizations in the financial world. In the cyber world there are one or two options: there’s a self-attestation, meaning that, you know, we as an organization would publicly publish and say “look, we align to pick-a-standard and we vouch that we adhere to all the security controls within that standard.” Kind of buyer beware. The other option is an accreditation. When it comes to SaaS providers, I think SOC 2 is probably the gold standard, and that is something that the company – the vendor – has to, and probably a lot of you know this, has to have an actual auditor come and perform the assessment and write a letter of attestation. That letter certifies that the organization aligns to SOC 2. ISO 27001 – there are actually quite a few ISO standards; 9001 might be one that you’re familiar with – and they have a variety of standards that are audited and you actually get an accreditation. I believe that there are some other standards in progress – sorry, certifications – in progress that are more accessible to SMBs. But we’re kind of waiting and seeing where those are and if they’re going to take hold. So, I would say SOC 2 is what you’re going to look for in a vendor. ISO is what you’re going to look for in a big partner.
Marty: Thanks so much, Bart. I think the next slide has contact information for both Bart and John; if anybody has last-minute questions they want to put in the Q&A, we can certainly get those to Bart or John. We want to thank everybody for attending today. On behalf of JMT Consulting, thank you Bart, thank you John, thank you, thanks everybody, thanks all, appreciate you. Bye.
About Affinity Technology Partners.
Affinity Technology Partners is a managed IT services provider that delivers customized technology solutions to businesses, helping them enhance their operational efficiency and cybersecurity posture. Based in Nashville, they specialize in proactive IT support, cloud solutions, and comprehensive cybersecurity services for small to medium-sized businesses. With a client-centric approach, Affinity focuses on aligning technology strategies with business goals to foster growth and mitigate risks. Their team of experts is dedicated to providing reliable, scalable solutions that empower businesses to thrive in a rapidly evolving digital landscape.
Bart Holzer has served as Affinity’s virtual Chief Information Security Officer since August 2022.
Learn more at affinitytechpartners.com.
About JMT Consulting.
JMT Consulting is a specialized financial consulting firm that focuses on providing strategic financial solutions and technology services to nonprofit organizations. With over three decades of experience, they help clients streamline operations and optimize their financial management processes by implementing software like Sage Intacct, Vena, and other ERP systems. JMT Consulting’s mission is to empower nonprofits to achieve their goals through tailored financial insights and support.
Affinity has been the MSP for JMT Consulting for many years.
Learn more at jmtconsulting.com.