Help Me With Sign Maryland Banking Presentation

Industry sign banking maryland presentation secure

[Music] hi everyone thank you so much for attending this webinar today i am so proud to be able to represent cpa charge at this year's macpa event um you know we wish that we could be there with all of you in person at uh an in-person event but you know we're glad that everyone is staying safe and we're so happy to be able to still participate even if it is virtually in some way and i'm really excited to talk to you about this topic it's something that i'm really passionate about um and i think we're gonna have a lot of fun and learn a lot of good stuff along the way for those of you i haven't had the pleasure of meeting in person um i just wanted to let you know a little bit about me my name is amy mann and i am the director of creative services here at cpa charge if you're not familiar with cpa charge we are a proud macpa member benefit and we are an online payment solution helping cpas and accounting professionals accept client credit debit and ach payments online um we're headquartered here in austin texas where the weather can't really decide if it wants to be summer or fall we kind of every day go through about two to three seasons and about a 20 degree temperature swing so um because of that i will apologize i'm probably gonna have to take a few breaks during this webinar to get some water because my allergies are catastrophic um so apologies in advance if you hear me go silent for a second i promise the audio hasn't cut out i'm just taking a quick refresh of water um but i know my background is in education which is why i love doing these kinds of webinars and these kinds of events it really harkens back to um you know my first profession before i got into professional services it was in education and so when i get to talk about something i really love and i'm really passionate about i get super excited so i really do want to just extend a heartfelt thank you to um macpa and also all of you for attending this webinar and giving me a chance to share um a little bit with you today this is this is really great um and uh finally i'm a proud dog owner and lover i have to put that on every slide um in every presentation that i do i have three rescue dogs at home they are the loves of my life and absolute monsters so i'm actually recording this in my office today uh where it's empty and silenced so you will not be hearing them chime in throughout the presentation today so uh just know that they're at home probably eating up eating my books or something but um for us today we're gonna shift gears and we're gonna talk about cyber security and cyber liability and what that means for professionals like you now granted we're going to be talking a lot about how how liber cyber liability intersects with the payments industry but i want to throw it out there right now that everything we're going to be talking about today is really applicable for just data security best practices no matter what type of data or information you're dealing with we're going to be talking about easy to implement best practices that every professional should have in their office because the reality is you know we see headlines like this all the time with increasing frequency over the years it feels like these types of breaches and cyber attacks are becoming you know really commonplace in our interconnected digital world and it used to be that some of the big retailers and big box stores were the ones that we were mostly hearing about when it came to data security and payment security breaches you know i still remember the target breach a few years ago the home depot breach you know they're getting these names almost like hurricanes getting named um but increasingly you know hackers and would-be cyber criminals are going after individual professionals and their offices because if you really think about it professional services providers are prime targets for data data theft primarily because the very nature of the job that you do requires the constant handling of sensitive and confidential information and you can look here on the screen for a few you know just glaringly obvious examples you know from personal information and personally identifying information about your clients to their financial and tax details all of these are are you know kept in in order for you to sufficiently and efficiently do your jobs and it's not just cpas we're seeing this across the spectrum of professional services lawyers often have access to the same type of information medical professionals and family physicians offices have a lot of this information on tap and are increasingly being seen as a path of least resistance to gain access to this type of information in order to exploit it now obviously with the loss of this kind of information you know there's going to be an immediate and tangible loss whether that is the loss of finance you know finances if there's a a bank breach or a financial breach it could be the loss of physical information you know especially if it's a physical loss if somebody's taking physical files or physical data or physical objects out of your office um that's kind of the the first type of loss that we're looking at however you know it really spirals out from there to a lot of other types of losses that can come from these breaches um one of the largest being a loss of reputation and trust um being the victim of this type of attack really does shape confidence and it shakes up the confidence of of your clients which can result in um a lack of new clients coming into your business or the exiting of existing clients even those who might not have been directly affected by the breach um this in turn leads to a loss of competitive and economic advantage um and then finally you know mitigating a a breach like this and the loss of sensitive information all of this um really does you know take a toll in terms of the amount of in-person work required uh for investigations for auditing for um just kind of crisis management and so this business disruption um absolutely can't be overstated um as well as the accompanying liability that could come from such an investigation or an auditing process so the stakes are high um just you know we're kind of setting the stage for there is a level of loss beyond just what is immediately stolen in a cyber security breach you know these these breaches do account for real financial devastation um in 2018 ransomware attacks cost businesses more than 8 billion dollars and a lot of this came through increasingly sophisticated fishing attacks which are those really targeted um either text messages or email attacks where someone is spoofing um a person's name or email address or both and attempting to get someone to engage with them in order to um solicit financial assistance from them so this could be the form of you know somebody pretending to be a family member and asking for money for travel or for i've heard of people um targeting elderly folks and asking them you know saying like that i'm your grandkid and i'm in jail and i need bail money can you help me um this can also take a lot more kind of less uh what's the word i'm looking for um kind of uh less serious natures and so i uh was was targeted in a phishing attack about a year ago i got an email from the ceo and founder of my company saying hey it was on a weekend and the email just said hey is anybody online right now i really need help with something and it was just like short and sweet and to the point and felt like something that that she would send and so i responded i said yeah i'm online what do you need and she was like oh great i need to buy some gift cards for some clients and for some reason i can't find my wallet do you think you could help me out and i was just like okay hold up hold up i've been trained in this i i'm just gonna double check so i texted i texted her and i was like hey did you just email me about some gift cards and she was like no but you are the third person who has reached out to me and it was done in a very low-key way it felt very organic it was very conversational um so these types of attacks are getting more and more sophisticated and more and more commonplace and so because of this in 2018 the irs came out and they issued a press release specifically speaking to accounting firms and saying look these types of attacks are on the rise this is something you absolutely need to be cognizant of and take steps to educate yourself educate your staff um so that you can keep your information and your clients sensitive information um safe and secure and so um i want to talk for a second about kind of the the the side of cyber liability that a lot of us don't often think about and that's the threat of insider mischief and insider mistakes now we are all imperfect human people um and we are capable of misplacing things losing things accidentally revealing information that we didn't mean to um sharing passwords for for access to information and most of the time this isn't done maliciously this isn't done with cruel intent this isn't done you know specifically to to hurt someone else um it's just because we're not perfect we're humans we make mistakes i cannot tell you how many cell phones i have set down like in a bathroom to wash my hands in a public space and then just walk out the door um sometimes i get them back sometimes i don't um but these types of mistakes happen and so um the threat of just well-intentioned insider mistakes is an absolute threat when it comes to cyber liability um it's not always you know a hooded kind of mr robot figure sitting behind a computer screen in a dark room somewhere trying to you know penetrate your firewall to steal sensitive information a lot of times losses and breaches come from honest-to-goodness mistakes and oversight um additionally this insider threat and in-house mischief is a component that also needs to be examined and addressed disgruntled employees who alter or erase or steal company data can be attributed to one in five attacks across the country and it's a it's a very real threat and can often be difficult to prevent largely because people aren't thinking about it people aren't trying to put barriers in place and try um to prevent access to this stuff so this is absolutely something that we're going to address in our presentation today as we talk about ways to protect your firm's sensitive data as well as the sensitive information um of your clients so we've laid the foundation right we've looked at the scary stuff hopefully we're all taking it seriously what should we do should we shut down your our emails and and go back to just kind of cash under the mattresses um i mean obviously not this is clearly um you know granted i am a self-proclaimed catastrophizer and so in my heart of hearts i'm like yeah let's just shut it down let's just shut it all down and let's just go back to face-to-face communication and keep everything under lock and key and then nothing can ever happen right unfortunately that is not pragmatic that is not efficient and that is not conducive to a growth-oriented business because people expect to have digital virtual access 24 7 365. and this was true in a pre-2020 and covid19 era right but now even more so than you know nine months ago the world is experiencing what it's like to be primarily contacted and connected through virtual means we're doing this this whole summit right now virtually because we have to but what it's doing too is it's reinforcing patterns and availabilities and capabilities and so a lot of people are are realizing more so now than ever that digital communications and technology allows for levels of interconnectedness even when operating virtually that before they might not have taken the time to really explore or to provide to their clients and again even prior to 2020 this was on the rise companies like netflix and uber um and amazon have really shaped our our processes and our minds to the point where we are growing increasingly accustomed to and expecting of every convenience when it comes to being able to run almost every facet of our lives from the phones in our hands and so you know pulling the ostrich move and sticking our heads in the sand and just being like well i'm not gonna i'm not gonna risk this digital breach because i'm just not gonna engage with it um i feel like every minute that goes by that is just becoming more and more off the table it's less of an option and especially if you're looking to you know run a growth oriented business giving people convenience meeting people where they are and on their terms and providing them every opportunity to engage with you is really the the level of convenience that people are looking for which means we have to find ways to mitigate these cyber risks and and provide people the flexibility that they're demanding while also ensuring their security so thinking just specifically about payments um you know again people aren't backing off of of digital payments and online payments there are 183 million americans with credit cards right now and most of them have more than one because you can see there's 1.27 billion billion with a b cards in use um in 2016 a thesis study found that 81 of respondents identified credit and debit as their preferred payment method and that was in 2016 and y'all those numbers have not gone down in the last four years they have only gone up um and people feel like it's safe both for in-person and online payments the majority of people feel that credit and debit are the safest way to pay and more than 50 of people don't use or rarely carry checkbooks so providing the convenience of online payments is essential um but so too is is protecting that information and again i want to reiterate a point that i made at the beginning of this presentation we're about to start talking about payment card industry data security standards the pci dss and this is a set of security standards that the the major card brands set visa mastercard discover those guys um in order to ensure that all companies that accept process store or transmit credit card information do so in a secure environment and and in a way that protects that information and we're going to talk a lot about this in terms of um credit cards because those were the parameters around which these standards were set but these are again best practices for data security in any form it doesn't matter um if we're talking about financial data it doesn't matter if we're talking about personal personally identifiable information or if we're talking about card payment card information what we're going to go through right now is best practices for data information security full stop and so regardless of what types of information you have in your office this is going to be valuable for you to know and to keep in mind um we're going to start looking at this at a really high level um and then as we move forward we're going to get into more and more specifics so if we say something like it's your responsibility to protect you know payment information no matter what and you're like great amy what what does that even mean don't worry i promise we're going to get granular um but we want to start really high level how do we mitigate our risk what can we do in order to maintain data security and payment security well pci dss gives us a really good outline for for sort of the road map we can lay down when it comes um to building a more secure office and a more secure solution for ourselves and for our clients so these are the these are the six main pillars of the pci dss um and and these are the requirements for anybody that handles credit card or payment information in any way shape or form so step one build and maintain this secure network two protect card holder data no matter what three maintain a vulnerability management program four implement strong access control measures five regularly monitor and test your networks and then finally six maintain an information security policy so what do these all mean let's start with number one um build and maintain a secure network so a few ways that you can build and maintain a secure network in your in your office is to install and maintain a firewall configuration in order to protect cardholder data or again any type of sensitiv data this is going to keep prying eyes from outside of your office from being able to look in at your network and kind of poke around and see what's on the other side of the veil there we're going to talk incoming slides a lot about passwords we're going to talk about tools that exist for helping you manage your passwords as well as layering extra levels of security on top of it um but kind of the big three things you know if you're just going for super easy takeaways when it comes to passwords um one don't use vendor supply defaults you make sure that you reset your passwords for absolutely every single thing that you get if you get a new piece of hardware reset the password if you install new software reset the password if you sign up for a new service or system or solution reset the password number two don't share passwords i know that oftentimes there are financial expenses tied to this and the easiest way is to share multiple uh is to share a single account for something across multiple people but just as much as is possible don't do that get out of that habit sign up individual people for individual accounts on a system and then number three when it comes to you personally don't use the same password for everything that you use don't use the same password across websites don't use the same password across systems across um pieces of hardware come up with new unique strong passwords for everything you're using and then finally just a couple you know working from home tips thrown out there since a lot of us are working remotely or working from home these days um try to not share your uh to share your home network outside of your household um this is true if you know maybe you've got a neighbor or you've got um you know friends who live nearby if you're if you're talking to people you can trust people who who you know what they're up to and what they're doing sure but if you if you're doing work work work on a public network or an open and shared network um that's really risky right because even if it's somebody else's and you trust that person you might not know who else is accessing that public or shared network so make sure that everything is password protected and that that password is only shared amongst people you trust who you understand what they're doing and that they're doing things safely if you're going to be putting your work hardware your work software connected to that network um the second step in the pci dss is protect card holder data no matter what um i love this because i feel like protect card holder data no matter what sounds like super i don't know like game of thronesy like i can picture you know jon snow with a broadsword protecting cardholder data you know come what may at all cost um but what this really means is be smart about um about where data is and how it's shared um you know data is is is constantly in motion and it's often in transit um and so you want to make sure that in all of it states whether data is in motion whether data is at rest whether data is in the cloud that it's being properly protected and that it's being protected uniquely based on the state that it's in so if you have physical data in your office payment details payment information uh clients social security numbers financial information you want to make sure that that if it's a if you've got a physical manifestation of that that it is kept secure under lock and key in a file cabinet and not you know a file cabinet that locks and the key is like dangling out of the lock you know 90 of the time or like hanging on a hook next to the desk where the file cabinet is you need to make sure that it it's really protected um if it's being stored online or stored on a on you know a computer or a hard drive you want to make sure that those devices are encrypted full they are fully encrypted so that in the event that somebody snatches that hard drive out of the office or if you leave your laptop on a plane you can't see but i'm i'm raising my hand because i did that one time um you want to make sure that the those devices are encrypted so that even if somebody grabs that laptop they're not able to access the data on the other side of it and then finally be thoughtful about how you're transmitting data if you need to share data um digitally make sure that you're using in encrypted and secure communication channels um the the too long don't read of that is stop emailing credit card information stop emailing social security numbers you need to make sure that you're using secure communication channels if you need to transmit sensitive data from one place to another um and an email just isn't that secure so we need to get out of the habit of transmitting information that way number three maintain a vulnerability management program this is the first of many times i'm going to say that cyber security is not a one and done thing it's not that you can just put some things in place and then hit go and bing bam boom you're secure for all time um you need to make sure that you're using and regularly updating certain tools and systems that have been put in place to keep information secure so for example antivirus software is a really good example of that which needs to be constantly run it needs to be updated um and then develop and maintain secure applications and systems so we're going to look in a minute at what that looks like and how to do that in your office implement strong access control measures all right this is where we're going to start to get into um mitigating some of that insider threat or that insider risk i'm going to take a quick sip of water there is a principle in cyber security called the principle of least privilege and what that says is that the folks in your office should only have access to the systems and tools they need in order to do their jobs you don't need to give everyone access to everything at the same level so even within a particular software you might have some folks that need admin level access to that information whereas other people could very successfully do their jobs with just you know read-only access to that information so make sure that information is is relegated to the people and at the levels that are appropriate for them to do their jobs this is really going to cut down on a lot of risk for your company when it comes to protecting sensitive information again assign a unique id to each person in your office who has computer access you want to be able not just to make sure that you know you're not at risk of you know passwords and things like that being hacked but also in the event that something does happen and you kind of need to reverse engineer a sequence of events to figure out what happened where or what went wrong or you know what what happened you need that access information in order to be able to reverse engineer the process and to know who to talk to um and then again restricting physical access to cardholder data and and other things in your office the more you can keep that securely protected the better shape you're going to be in overall um uh so keeping financial details under lock and key keeping you know the the the technology that runs your office in a locked cabinet keeping your router um that controls your network behind a lock cabinet things like that remember that even though we are talking a lot about cyber security in the digital realm um there are still going to be physical items you need to back up in your office as well again not a set of and forget it thing you need to regularly monitor and test your networks to make sure that everything is working the way that you you need it to work make sure that everything is updated and that that there aren't new patches available that there aren't new system updates available that the systems that you're using are working together in the way that you expected them to and then finally maintain an information security policy um this is a really great way to make sure everyone is on the same page with you know what these best practices are in the first place again a lot of mistakes and a lot of of damage comes from really well-intentioned misunderstandings or lack of insight or again just errors people don't know what they don't know um and so sharing an information security policy with everyone in your office is a really great first step just to help make sure that everyone is on the same page when it comes to what are best practices around information security um what am i expected to do or not do from a data security standpoint in this office um and and having such a policy is also now required um as as part of form w12 and we've got a little snippet of it here on the screen um this is the type of thing that from a liability standpoint you you might want to include with um you know maybe if you have a company handbook or something like that that you ask people to read and verify you know with a signature that they've they've seen it that they understand it um this is a great thing to have on hand it's also a really great vulnerability management program in the event that something does happen um your information security policy can outline okay if this happens here's who you need to contact this is your first call so rather than wasting time like who do i call about this do i just call my boss and have them escalate the situation or do i reach out to this person or this person knows a lot about computers should i just call her um it's a great way to kind of triage communications if anything happens and it's kind of outside of someone's realm of comfort or expertise it lets them know exactly what their responsibilities and expectations are so that you can move quickly to mitigate any damage that might result from that situation all right so those are our big six we've talked about what each of these kind of mean but again i i really want this to be an informative and actionable presentation so let's talk about kind of going one level deeper and saying like okay great we know that we want to install you know we don't want to use vendor supplied passwords what does that mean um so let's talk about the nitty gritty of how you can set yourself up for success and really equip your office with everything you need to meet these best practices and so step one if you're a list maker you're gonna love this if you are not a list maker you're gonna hate this stuff um but the first thing you need to do is is inventory your assets right again i just said a minute ago we don't know what we don't know and it's really hard to protect things that we haven't taken into account in our office and the reality is that so much of our technology just supports us in the background that you're probably not thinking all the time about the very detailed systems and solutions that are powering your office and so taking the time to sit down and document all of the cyber assets in your office in your practice who owns them who uses them who has access to them in the first place is going to be a really important step in setting yourself up for success you want to cover things like your network how many networks do you have who connects to it and how do they connect to it the physical computers and hardware that might be sitting around your office software and data and then all the way down into users and individual accounts to access this information your your network is going to be a huge part of this right and you probably um especially in larger offices are going to have multiple networks running and and might have multiple of these options in place right you might have a a staff wi-fi that most people use but there are going to be certain people in the office who are wired into the network um so you want to be able to identify who and what systems are connected to which networks who configured these who's responsible for that configuration and keeping it updated um is there a guest wi-fi and if so how do people access it and who has access to it um and then again going another level down and looking at the the software and data in your office what applications are you using and are these critical to business and are they accessing any confidential or sensitive information if so do you have licenses for each copy of that application and who all has access to it and at what levels um again it's it's really easy to just set everybody up as an admin on every new piece of software it certainly requires less work but it's also infinitely riskier and it's worth the time to note and really designate roles for people who need to access sensitive information you want to detail what applications are are responsible for what information is managed with them within them where that information is stored is it local to in each individual computer is it a cloud-based application where you know data's stored there um or is it stored internally on a server or a network that you have in the office and and make sure that you include backups are you backing data up and if so where who has access to it is it internal in your office or are you using something like amazon web services to back that up so make sure you detail all of this information and then finally like i mentioned the individual users um access you want to make note of everyone who has accounts on your system what privileges do they have and are these privileges necessary and and just a quick tip um if you're in a situation right now where you're kind of hearing what i'm saying and you're like oh yeah you know what everybody in our office pretty much has access to everything and maybe we don't want to do that maybe we don't maybe we need to scale that back i would recommend making a i would recommend doing that i think it's it's it's absolutely necessary and two i'd recommend making a plan so that you can do it all at once and this is just you know sharing from experience if you start piecemeal taking people's access away from things or reducing the level of access they have to certain applications people are a lot more likely to get defensive and to take it personally and to feel like it's reflective of either them or their job or their performance whereas if you do it all at once and just say hey y'all we're kind of resetting things for um you know for cyber security purposes this is a great time to roll out your information security policy to the company and just say we're really gonna adjust things um so you're probably gonna see some stuff changing in the next few days if you lose access to something that's absolutely critical to do your job talk to this person talk to this manager um and and what you'll find is that people are all gonna be going through some degree of this at the exact same time and so it's gonna feel less personal it will feel more like a company shift is happening and it's going to be a lot easier to swallow i'm sure you'll get a little bit of pushback but it'll it overall it'll be fine rather than if you go application by application or person by person that's gonna start to feel a lot more targeted and people are a lot more likely to bristle uh um as a response to that so just a little best practice for you to keep in mind when it comes to things like that all right so now that we've got our it inventory we're ready to start going into those tools systems accounts applications and doing something to actually strengthen them so examples of strengthening these applications include replacing weak passwords updating your wi-fi configurations and securing connections to them and then finally ensuring that systems are up-to-date and less prone to viruses so one of the easiest ways to do this is to make sure that your passwords are are unique and strong for everything that someone might have to log into and access this includes your networks your wi-fi email and other accounts subscription-based solutions common websites that are used by people in your office or you might have some like outside um agencies or uh systems that you use that somebody else manages that system entirely but you log into it make sure that you're using safe and strong passwords for all of these because you know one week password could give a would-be you know cyber criminal access to just a treasure trove of information so you want to view absolutel every single touch point as a way to reinforce security in your office a really great way to do this is to enlist the help of a password manager um these tools have really evolved over the last decade i don't know if any anyone out there who's my age probably remembers the first gen of password managers they came out they were like a big clunky um thing that looked kind of like a label maker almost where they had like that qwerty keyboard and you could literally log into this external device with one password and then you could keep a list of all of your different passwords um it was great for what it was at the time but the good news is they have gotten way more sophisticated most of them are you know uh just digital tools that you can install on your computer or site that you can log into and that follow you around and what they do is they don't just store all of your passwords they can generate strong unique passphrases for every site you visit everything you ever log into and then store those and all that's required of you is to remember a single unique master password and once you can do that the password manager will manage everything else for you and keep all of your systems protected um there are varying levels of these that exist out there there are some that can operate uniquely on a single device so maybe you want to go really strict access control for your work computer but at your at home or on your phone you don't want to deal with it cool there's an app for that um or maybe you want something that's like it doesn't matter where i'm working i want this thing to follow me i want it to manage all of my passwords and so it needs to work on my work computer and my personal computer and my phone and you know my spouse's computer great they have those too so there's a lot of solutions out there i would do a little research if you need recommendations feel free to email me my my email address will be at the end of this presentation um and i'd be happy to make some recommendations for you um but this is a great way to just really streamline password management and take the burden off of you additionally some people will enlist the use of multi-factor authentication to lay an extra level of security on top of what they're doing um a lot of us are familiar with multi-factor authentication in um certain situations for example if you've ever had to reset the password for a website or a a solution that you use because you forgot it you most likely have used mfa because you've been texted a one-time code or sent a one-time link that you can click to reset your password that's great but you can also use that same technology even if you don't need to update your password if you remember what it is and and just say like in order to access this website or in order to access this software people are going to have to have a memorized password and then a one-time access code in order to to log in um it's kind of the same thinking behind using a a debit card or an atm card right something that requires a pin it requires a combination of something you have and something you know and so when you put those two things together it adds a layer of security that makes it really hard to hijack an account um but i really want to reinforce um mfa isn't a silver bullet so don't stop using strong passwords even if you're using some form of multi-factor authentication you still want to make sure you're coming to the table with super strong unique passwords now moving on to fortifying your network um there are things you can do to significantly reduce the risk of access through your company's wi-fi um number one let your password manager set the wi-fi password um that's a huge one right don't include common phrases or like the name of your company in your wi-fi password um that's gonna be really easy to hack um so let your password manager generate a strong passphrase that's you know some absolutely nonsensical combination of upper and lower case letters numbers weird symbols on the computer um and that's going to set you up for a lot of success again make sure that you're requiring network authentication um and you can do this when you're setting up your network by selecting the wpa2 personal or sometimes it's just appearing as uh wpa2psk or wpa2 um and and this is kind of what that looks like in your router settings um you can you can select that from available authentication methods so pairing um network authentication requirements with a a secure passphrase is a really great way to boost your network security additionally if you have frequent visitors or guests to your office consider using a separate guest wi-fi um most wi-fi routers today will support one or more guest networks you still want these to have a good a good um password attached to them you still want to make sure that you're enabling authentication for this network but it's a great way to keep your absolutely most vulnerable information kind of isolated on an internal system only while guests and visitors to your office can still access the internet can still get online but they're not connected to the same systems that that house that sensitive information and so to that point you want to make sure that every office system your printers your file servers all of that is connected to your private wi-fi network and not the guest wi-fi network um and i really appreciate what our team does here at cpa charts i think they've got a great system in place all of our internal computers that are you know company company provided are connected to the internal system are connected to our internal server so that we can access the information we need to do our jobs but we also have guest wi-fi and so if you come to work so i'm sitting here in the office with my work computer which is connected to the internal system and then i have my cell phone and my cell phone is connected to the guest wi-fi so even though i'm a staff member even though i work here not all of my devices need to be connected to that critical system it's perfectly fine for my cell phone to be connected to the guest wi-fi because i don't need to access our file servers from my cell phone so keep that information as secure and private as you can um and and again keeping your home office network private is is also a good idea maybe you know if you work on really sensitive stuff at your house and you've got you know teenagers who are you know do i don't know what the kids do these days fortnight they're playing their video games and they're doing the tick tock um you might want to consider keeping their network separate from your network and so enabling a guest network on your wi-fi and you don't have to call it guest network because you know that's a little belittling to the family but um maybe you just say like you know home entertainment and office or something like that but separating those networks out is a good idea just to make sure that if you're you know if you're vpning into your office systems and accessing file servers remotely or sensitive information like that you do want to take that extra step to make sure it's safe and secure whether you're in your office or you're working from home protect your office systems now this is one um that was kind of a shocker to me when i first uh started reading about it but a lot of damage is done through known vulnerabilities for which updates have already been released and um i'm not saying that you know this specific example is responsible for it but you know as an example we've all been in the situation where we like go to start working and we go to login to our our computer and we get you know uh the pop-up that says um you know do you want to up there's a new update for microsoft office do you want to do you want to do that now and i'm like no microsoft office i need to use word literally this second to do my job and i dismiss it and i say exit or something like that um again i'm not saying that microsoft is like the source of hacks and stuff but that's a good example for you know all of the software we use is constantly being updated it's constantly being patched there are new things being pushed through and a lot of times i just dismiss it because i view it as an inconvenience and not a potentially you know really impactful cyber security solution so an easy way to mitigate this enable automatic updates just make let it set it and forget it as much as you can and let it happen in the background um don't give yourself the option to dismiss have these systems update automatically as soon as updates become available similarly make sure that you're making use of installed antivirus and anti-malware software on all of your systems you want to have this running in the background constantly but then also enable full computer scans weekly at a time that's convenient for you maybe you're you know you've got a standing meeting with your boss and you know that you're not going to have your computer in front of you at that moment maybe there's a lunch that you go to every week or regularly or a set lunch time maybe you go home to let out a dog or something like that find these times when you know you don't need to be glued to your keyboard and schedule weekly scans of your computer so that it just happens and again you're not giving yourself the chance to to not do it on that given day um you're going to want to enable your operating systems firewall in order to prevent external connections now whether you're on a mac or pc there are going to be built-in firewall solutions on your operating system you just need to make sure that they're enabled make sure that sensitive data is encrypted at all stages again you can find data at rest in motion in the cloud so make sure that wherever it is it's secure and so if you're using you know if you're online if you're um on the internet make sure that the web addresses that you visit start with https and that they are um secure sites that you're visiting if you go to a website and you get a pop-up that says you know the security certificate for this website has expired are you sure you want to proceed say no get out of there don't do it it's not worth it um and make sure for devices or for information at rest that you have whole drive encryption enabled on all of your devices for your cell phone for your for your computer do this for your personal devices too forget you know this is stuff that you need to make sure should you lose it should you forget it should it get stolen that the information on the other side of it is protected and that you're insulated um from from the peering eyes of would-be fights would be cyber criminals this is one that i love um you know don't handle unnecessary sensitive information and handle might be a little bit um too strong of a word but the reality is you are going to have to interact with sensitive information to do your job um it's the nature of the beast it's the nature of what what you do it's the nature of what i do i i can't avoid it working in payments now just because i have to interact with it and use it doesn't mean i have to store it doesn't mean i have to be the one to protect it and keep it safe and secure there are trusted vendors out there with way more cyber security knowledge than any of us have that have protections and levels of security in place that i don't even understand um and this is across across the board for anything you might need to do when it comes to you know data storage when it comes to communication when it comes to payments this is the type of thing that you know with the proliferation of cloud-based services you can store this information externally with someone who has way more cyber security knowledge than you and then you reap the benefits of being able to access it literally anytime anywhere it's not tied to a physical device that you have to protect it's not tied to a single system where you know your ability to use it is predicated upon connection to that singular device so as much as possible find trusted vendors find people who are doing things at a level that you could never expect you that i could never expect to and trust them with the sensitive information make the responsibility of of protecting it their primary responsibility your responsibility is to find someone you trust to find someone that is able to protect it at that level so vet your sources vet the vendors that you might work with any vendor who has access to your network or any of your confidential data needs to have a clear privacy policy and they should be able to prove you know proof their cyber security chops to you so don't be afraid to ask for their privacy policy keep keep a version of that on file for yourself um and really just as much as possible remove that liability remove that risk get it out of your office and put it into someone else's hands so just a few you know final thoughts before we go um a connected world creates so many opportunities it creates opportunities for collaboration for communication for connectedness but also also for breaches and the reality is that the way that our world is changing and the the trends and consumer expectations for information for communication for online payments these aren't going anywhere in fact we're we're only going to become increasingly connected through digital means and so taking data security seriously coming up with solutions for monitoring and protecting information is absolutely essential um today we've gone over a lot of things that you can do in your office and in your time in order to to do this but also find trusted vendors who can do a lot of the heavy lifting for you that you can develop a lasting strong partnership with so that you know that your information and your clients information is protected and secure and so with that i just want to again issue a very heartfelt thank you thank you so much for inviting me and inviting us to be a part of this event again i wish we were doing this in person and that we could be you know going back and forth asking questions having a blast um i'm hopeful that that's what next year will bring but for now thank you so much for joining me here virtually my email address is on the screen if you have any questions about anything we talked about if you need recommendations for software for vendors for anything don't hesitate to reach out i would love to keep talking to all of you um and with that i hope you have a wonderful event i hope you are safe i hope you have a wonderful holiday season coming up and i hope more than anything to talk to you very soon thank you so much