Sign Iowa Banking Notice To Quit Secure

Industry sign banking iowa notice to quit secure

see welcome to our webinar today this is focused on security and compliance for the remote workforce and so we're gonna be talking about what you can do to manage the extra risks that come from having your entire workforce working from home and how you can improve your data security at the same time so we'll have some time at the end for you to ask your questions you can drop those into the chat or the Q&A at any time during the presentations here we'll get around to those in just a bit and feel free to ask us questions about what we're saying as well as some things that are on the periphery like does your workforce have to does being remote put your workforce out of compliance through industry requirements what does it mean for specific standards that you might use like HIPAA or high trust and questions about kind of training best practices some other things so here with me today I've got Darren Gallup the CEO of security and Darren can you introduce yourself hey there buddy great seal' thanks for coming in I'm the CEO security and we specialize in helping businesses build implement and manage information security and disaster planning for small to medium sized businesses predominantly I'm a certified information system professional with a long track record in history as an entrepreneur so I know the security side and very well as well as the business side and also today we have a guest with us today mr. Craig salmon who is the president of symbol security and he's actually gonna start off introducing himself and he has a couple of things he's going to share with us that would be very applicable to this topic great Thank You Darren and thanks Shannon yeah Craig salmon so president of a company called symbol security we are a security awareness training platform so we focus on user education as I mentioned to Darren a Shannon as we were warming up here simple security does not actually prevent any malicious activity or malicious emails from the outside end with technology we trained user populations to help build up what we call your human firewall and help your company mitigate risk in that way so I think Darrin and Shannon you know it's a it's an incredible timing to be talking about this stuff because of the amount of cyber activity that's happening out there and I'd be happy to start and just kind of share a couple examples that we're seeing in the market if you like yeah so so as I was saying you know before we got started here cyber criminals they they mark it and they target on an event basis so you know you see this in the trade rags and and we talk about it certainly from a training focused perspective that as as seasons change and as events change so change the targeting of cyber criminals to companies and to users right so when it's holiday shopping season we see a lot of malicious emails targeted around sales and discounts and gift cards when the the calendar turns to January in February and we start getting into tax season we see a lot of tax fraud and you know tax filings with Realtors and real estate closings we see a lot of activity around fraudulent wire requests so as a home closing is coming together and you have six or eight different parties you know four on one side four on the other all communicating to each other about a large financial closing that's about to happen it only takes one corrupted email you know with potentially a cyber criminal watching the dialogue going back and forth to insert you know a fraudulent wire information at the last minute like something along the lines of you know hey unfortunately we've had a change in the last minute we now need the closing proceeds to be wired to this account not that account and needs to be done in two hours or else we won't be able to close tomorrow right that kind of a thing all year long all day long cyber criminals are you know seeking out the events at the urgency and we're in the middle of two incredible events right now from a you know just a surge in cyber criminal activity the first is Cova 19 and the corona virus and the second related is it's the work from home surge that's happened as well where we have millions and millions of users now working from home leveraging tools and systems in a different way than many of them are used to many of us are very used to working from home and what that entails others are not and so it creates a sea of confusion which opens up the the doors for cyber criminals and a lot of cyber criminal activity comes in the form of phishing emails so we've all heard of phishing what I'm gonna do is I will actually I want to show a couple of examples of how how fishing often occurs and we'll just get a look at at some samples so I'm gonna share my screen here and I've seen a lot you guys see your you looking at my desktop or yes so what we're looking at here is a couple of emails from HubSpot what's interesting about assessing the dangers of phishing emails and potentially determining if there's there's anything that needs to be that anything that's concerning what I hear a lot is you know is you know be careful right or you know it carefully interrogate your your email make sure it's there's nothing suspicious about it and those are good suggestions but unfortunately for most people they're actually it's very difficult for them to understand well what does that mean and so frequently in in webinars and in training sessions we'll put up a couple emails right next to each other and we'll ask people you know which one's fake and which ones real and we get a lot of different answers in fact there was on a webinar the other day and I had you know a group tell me that the email on the right was fake and I had a group telling me that the email on the left was fake and one of them's real and one of them is fake so it you know we see things like hey the logo on the left it looks a little bit funny and you know the message on the right well you know the the ID here seems like it's a little too much information the reality is you know there are some safe places that users can interrogate emails and there are you know some some dead giveaways so I'll just walk through these real quickly in this case if we click on the sender name we can we can validate a sender name of HubSpot calm and and that's that's a pretty good sign it's not a foolproof sign but it's a pretty good sign in this one we have we have a sender name of no reply at HubSpot dot records confirmations calm and and this is oftentimes where people get in trouble and where cyber criminals are very smooth it's it's a strategy of putting a generic domain name you know a ten days trusted name in the in the subdomain now those of us are a little more technical in nature we know that a sub domain you know has absolutely no meaning towards the the domain but many users will look at this and say oh I can see how spots there so it must be their records confirmations Department and this trick goes on and on and on so this is once one place where we try to train users to look it's a very common tactic and the other tactic with within the emails is simply hovering over or a URL or an action button I call this an action button here this email on the left is legitimate it still has a little bit of a suspicious URL though because hub spots using a different a different URL than their corporate URL to track the clicks and and an activity so their the URL they've advertised is epi on how they P i.com which you know unless I'm very familiar with hub spots messaging I'm probably not gonna click here I'd go to my hub spot account and I'd log in and I would would see if I had notifications that indicated that my passwords been updated or anything along those lines if I come to the email on the right you know I get a very long URL when I hover now this is just a marketing service SendGrid so theoretically you know it's not guaranteed malicious but it's also not taking me to hub spot so Darren and chin and I wanted to share a couple examples there so you know we could we could talk through some of the ways that that emails can get manipulated as we continue to receive emails and wonder hey is this is this legitimate or you know is this not and two quick methods they're checking the sender name validating domain versus sub domain and then hovering over a URL generally those are very effective at eliminating not every single issue that you would see but many of them yeah and one thing I just wanted to add into like when you're talking with the subdomain for those who aren't very technical like basically when you see like the at HubSpot dot something else the domain is literally only the words that are directly before the before the dot-com or dot Co or dot CA so like like where I own security comm I could very easily go right now and create a subdomain called HubSpot and that would be then the URL hubs by dot security calm so like it's just really critical to understand and I think that's a really really really good good example there and and like what I found funny like I'm playing the same game as the listeners while you're showing those are trying to guess which one is is is the good one in the bad one and I hate when I see like hub API because again like the thing thing is like wait a minute that's the hub spot so it kind of gets the flags the flag going and a lot of the times like what I'll do is if I don't recognize URL I'll actually just extract the URL piece and I'll Google the URL and if it's something that's commonly used either maliciously or positively you'll generally really get a pretty good indication from a quick google search it's the same as phone number sometimes like when you're getting these random phone calls right the phishing phone calls and you google a phone number and then all of a sudden you see like do not answer right right no absolutely you know it is it's yeah the more just a little bit of Investigation can can go a really long way and you're right those are those are two very common tricks I also wanted to share something that we're seeing a lot of with respect to coronavirus and and some of the targets of coronavirus so CDC World Health Organization have probably never been more popular in terms of you know their the amount of airtime they're getting right so so if you think of coronavirus CDC and World Health Organization you know again all three of those terms are very widely used I don't have the numbers in front of me but the number of domain names now surrounding coronavirus or you know it was eighty three weeks ago that was it at three weeks ago there was yes something in 14 16 thousand or something along those lines so now you have to wonder okay which one of those domains is legitimate which one is it but I wanted to share with you guys here one second I want to share with you guys some examples of what we're seeing in terms of CDC and and World Health Organization manipulation so I'm just share screen so again same trick this one on the left here credit to Kaspersky for for this particular one here but but here we go again so the CDC's actual email address or URL is down here it's it's CDC gov that's the legitimate CDC URL up here in the sender name they've manipulated very crafty to write CDC - gorg when you see you know gorg and you or you see the words gov and org you know those trigger pretty safe feelings for people however this is manipulated to be CDC - gov right so CDC - gov becomes a domain name dot or it becomes extension not dot orgs not overly regulated so you have an opportunity to have a lot of manipulation in in this leveraging the CDC initials and then something else org so that's that's one that was picked up earlier in the month and then down here you have what looks an email address you know that looks to be fairly legit although this is screen shot so we haven't you know been able to click on the sender here and actually see what's underneath that but down here in the URL we've got sorry we've got a link that this is a little bit small so you may not be able to see it but it's not taking you when you hover over this link it's not taking you to CDC gov it's taking you to healing - why you I - to three.com which is obviously not where you're intending to go so those are a couple examples of of emails that we've seen and there's many many more if you google CDC or World Health Organization phishing emails you'll see a ton of them one after another after another after another and it's just it's the same thing we mentioned it's cyber criminals manipulating a situation but again the principles we talked about hold true validating sender name and hovering on URL and validating the URL destination both those tactics even though these emails may have slipped through email security systems if you are able to conduct those manual tests as a user you'll you'll be okay we saw one a couple of weeks ago actually that was using foreign languages and that have symbols that are different than the common you know alphabet that we use in in in English and Latin languages I think it was a Russian character that looked like an A but wasn't and so they were able to create a replicated URL where they implemented this character that looks like an a burden I don't know what it is it'll speak Russian but they were able to actually implement a character that wasn't a but that and a quick look look like an A like really be like like very keenly scrutinizing these things especially when there's all those other signs like sense of urgency and you're talking about divulging information and things like that right - certainly like be pretty cautious I think like Cova nineteen people being stressed out not sleeping well working really hard trying to get a depth at that whole chaos and commotion really creates an environment where careful maybe not be you know the thing you're being all the time and you know taking that slowing down just a little bit especially when something is is asking you questions or looking for things that are not you know straight up usual or or that seem to have a sense of urgency apply to them I've also seen phishing we've also seen some fishing examples come through where it looks like you're it's coming from your boss or someone the company yeah even from I got one that looks like it was coming from Darren from a personal address and it was a hundred percent a phishing email asking for for me to provide personal information the you can also get them you know be skeptical if you ever get an email especially that's unexpected from someone in your company saying hey download this right now even it might be trying to be legitimate by saying download this anti-virus software that we're implementing and it's not an anti-virus software it's an actual virus that it's sending you to in the end and so those are they can get very tricky okay I think it's similar lucky when you and I talked last week about doing this panel and when you're talking about how like the hackers are also trapped in their homes so that's like all of a sudden the hackers have more time and like some of them are new to hacking cuz they used to have a real job which they don't have but now they're now they created a new job and it's acting so it's not only the question of like the chaos and the opportunity there but it's also like there's more players putting in more time you know after hacking stations right now as well yeah you know one of the things I think about too and when so your your company's helping to develop and maintain security policies for companies right some of those security policies have you know verification or validation components to them and they may extend beyond you know the actual security policies the more process but a lot of the the verification or validation piece you know extends beyond just just analyzing the characters of an email and to what Shannon was saying let's say that situation Darren and Shannon between he was you know was not just asking you for information Shannon but it was like a request you know it was a it was a wire transfer it was you know something of maybe more potentially damaging scenarios you know those are opportunities to go back to the foundation of the company which is you know your policies and your processes as well too so part of I think par of the training at a time like this is understanding what to look for at a technical level couple technical tips and the other is listen even though we're sitting in our living rooms and our dining rooms you know the same verification still applies right so if I'm requested to do something you know I may be sitting in comfortable clothes and a comfortable couch I still have to be really on my toes and follow process so you know if I see something like a request for something that I know requires a phone call with you know certain approver in the business I still have to adhere to that yeah like we we build that into policy and procedure for herself and for our customers as well things like that like if there's if there's wire please wire ten grand into this thing this account this number we always have that process where there's a text a text comes in as a second validating piece so different device different different protocol and it's like hey just want to confirm that you want me to wire X to Y yeah and then you know hopefully they say yes absolutely proceed or it's like what the hell are you talking about thing yeah you're being fixed yeah right a lot of verification to can help on avoiding malware as well - so Shannon to your point some of those urgent messages you know great we've discovered of all their ability please download this as soon as possible so you could be protected you know if it seems a little like that to me that would trigger a mmm okay maybe I'll just call IT hey I'm getting this email you know am I really supposed to do this and you know I think a lot of the verification reality's put an extra strain on helpdesk and IT in that way you get a lot more phone calls a lot more questions what we've seen is in organizations maybe they get one or two phone calls from people that are you know being good stewards and they say hey I'm just want to make sure am I supposed to be doing this I'm supposed to be clicking on this email and downloading this path yes you are and then hopefully two minutes later an email goes out to the entire corporation all right we've received ten phone calls we just want to clear things up this does need to be downloaded it is coming from the company right and that's good that's a healthy that's a healthy exchange it's a healthy you know proud circle of communication there you know first email went out maybe it didn't go out with enough explanation you know a couple users flagged it verified it and now you know IT and helpdesk communicating out in a different way saying look I understand we've caused some confusion let me clarify thank you to the you know to the ten individuals that you know called to confirm this this is legitimate but these situations now were you're not in an office and you can't walk down two cubes and say I just got this from you is this what you want me to do now you're a phone call away which is a little harder to do sometimes but you still have to make the the verification and so I think the verification becomes kind of the next level of okay so you know I checked out the set under name I checked the URLs kind of looks legitimate but I've never I've never had to download a patch before it's always just been pushed to me or whatever the case might be so yeah verification and across all forms simple phone call right that's all it typically takes to ensure that you know that you're doing something that you're supposed to be doing yeah and so in just a second I want to open up for for questions from the audience so if you can start dropping your questions into the chat or the Q&A box there I'll be collecting those and reading those off in just a moment so you can start dropping those in right now yeah and while you're doing that Shannon there's a couple of things to you that I thought would be you know um one of the things that that we do is with companies that have worked for weather that are implementing work from home which is now almost everybody we one of the things that we do is have like a network configuration baseline that we recommend having your work from home policy and it's really just some high-level key things that can substantially improve the security hiding of the network and the first one is updating the firmware on the router and and this is something like if you're not technical that might sound like a big thing but really it's very simple to do that and chances are if you haven't done it or if you don't know how to do it and particularly if you've owned the router for quite some time and there's a high probability that that router is not up-to-date and that from because it's not up-to-date there's probably substantial vulnerabilities that can easily be executed by a hacker so learning how to do that like if you just go to your if you just literally go to your router and look at the model and model number there and go on Google and like literally how do I update the firmware on that you know this this links this whatever you know it's usually you're usually gonna find a video or some sort of content there that go walk you through it it's all like you know it's it's just logging into an interface and and it you don't have to like type codes or knowing it no it had to write like command line or in life that's pretty straightforward and then like you know why you're in your router go through and have a little look around like do you have wpa2 personal encryption versus WEP and and you know it's it that all that should be pretty standard as well that would be in your Wi-Fi settings or your radio settings and and then your password hygiene like if you haven't if you've had the same password for a really long time and you give it to everybody who comes your host this would be a great opportunity to change that password now that you're doing more critical stuff and you're working from home and you know don't let the password be your dog so like have a real password that's 12 to 14 16 even characters I think mine at home is 16 you know and it's not the dog's name it's a little bit it's fairly complex we don't have to memorize it because we put it in the keychains and our enters in our devices or devices know it and then we just have the guest network which has a more laid-back you know when we're allowed to have guests back at her home you know the other thing too is like with your devices keep the OS and the applications up to date so you know all the computers iPads iPhones you having them up to date a lot of those updates are designed to patch critical and known security flaws so you know the quickly I keep that up to date the better it's gonna be and then you know having an anti-virus and endpoint protection of some sort is a really great tool as well if your company doesn't have one or if that's not something that that the company invests and even using a free one is better than nothing although that the paid ones now have gotten really sophisticated and they can even manage things like configurations like notifying you know notifying senior management or the security team if for example a device isn't patched or if it's not configured using proper configurations and then you know the other one there if you really have like four companies that you know I've talked to a lot of companies in the last couple of days that have like HIPAA compliance or sock to compliance or even or even PCI DSS compliance and in those cases they have very strict requirements that they have to make sure that they're able to still follow all their forces remote and most of those cases we're recommending people use a VPN so that would be you know you still secure your home network but then on your work computer when you're when you're working you have the VPN there which just creates another layer of security and like I use P ia personal there's a private Internet access but there's several out there you know just look them up and check the reputation but those are like that's not all the stuff you can do you can totally narrow your home network and put advanced firewalls and all that stuff but as a minimal sort of viable best practice you know and like what I always say when I present an idea to people like hey we want you to do this to your network I always try to present that also in the context of this is not just for the company or for me this is for you and your family too like these these practices of keeping your network up to date and in securing the network is reducing the potential that somebody could hack you personally how family member you know have cameras on your network or access a child's computer or I pad or whatnot so like you know it really is your by helping by helping your yourself and securing your own home you're not only sick you're not only helping your work environment be more secure but you're also actually securing your family as well I'm just gonna ask a question to Darren because I come up a couple of times so a lot of people are working from home a lot of these people have children lottie's children are at school from home now right so there's sometimes sometimes you're competing for devices so can you talk a little bit about security policies and how corporate devices and personal devices you know can how you can stay out of trouble with regard to that and the scenarios I'm thinking of is you know my kid needs to get on to do their assignment and you know I'm on a video conference on this oh here's my here's my work laptop just log in there right so maybe you could talk about that too because I think that's the situation that a lot of people are gonna encounter that they never have had to deal with before yeah that's a really that's a really great point and so this down comes down to so the first thing I'll say is the quality of your router so there's a very big difference between a $25.00 piece-of-crap router that you bought eight years ago or five years ago from Best Buy to say a $300 router for example which is what I have a more modern router and you know so even just on it's amazing how many devices you can have in a home so if you have like a family of five and you have some IOT devices you got your TV on there you've got some Apple TVs you got your security cameras and each kid in the house has a person the house has a phone there's a couple of tablets there's a bunch of computers like it gets pretty big gaming systems like I've been in people's homes and like what you're just like do a network search and there's like 52 devices on a home network that's like I've been in small businesses that have less devices on the network than this this home right so when you get into that scenario right obviously like looking at your bandwidth it may be time so on you think about the sort of chain of command all the different things you have a pipe that's your internet speed right which is your up speeding your down speed so you know looking at that if you if you have a poor internet connection and your provider provides an increase in in up speed and down speed that's might be a good time to make that investment and a lot of companies I'm seeing or giving discounts based on the kovat 19 in terms of upgrading that bandwidth so that's kind of like your pipe coming into the wall of your house then the router itself if you have a lot of devices buy a good router especially if this is important stuff like the DHCP I don't want to get too too technical because I know that the audience ranges but the ability for a cheap crappy router in general to manage a lot of device circulation is usually poor and when you upgrade your your-your-your you know the quality you get an improvement I've seen many cases where without even changing the the bandwidth at the pipe coming in from your provider I've just improved a better router being an improvement and then when you get into the routers at have more functionality you have the ability to then designate IP addresses or MAC addresses so instead of all devices just going like onto the network and then the DHCP allowing them an address you could say hey this is my work computer and it's more important than the video games the kids are playing in the basement or it's even more important than if there's a lag and the assignment upload that my my child is doing right so then you could then dedicate thresholds and service requirements in the router and every read is different there's different namings around this but there if you go through your router if you google how to do that you can dedicate some some bandwidth and controls around that so you can prioritize and then depending on the router like some will do it by service so you can prioritize zoom for example so if you have multiple devices that in my case sometimes I use my phone for calls sometimes you use my computer downstairs sometimes may use my computer upstairs so I can dedicate zoom as a priority over another service so there's a little bit of learning curve there I think it's a great you know as you bring it up I think it's a great actually like it really would be really great topic for a webinar to go into a router and basically do all these can decorations that I talked to and cute including quality of service that's QoS is one of the terms that you'll see it in a router where you're basically you're prioritizing devices and/or services in creating you know creating a hierarchy so you know because because it can't happen like maybe you've got three kids downloading like videos and now you can't have a call and like obviously like kid like you know and you can tell them not to but they may not listen to that so so so determining that in in your device thing we did it in our home network we did it for a TV because we're like hey we don't really we weren't really working at home at first so originally before we were kind of forced to work from home we had it set up so nothing anyone does on their computer will interrupt the quality of the 4k Ultra HD 5 I already know I'm streaming but now we've changed our priority so we flip that around and zoom is now kind of above that these are a lot of these are topics that can I think a lot of teams can really do it internal webinars team trainings virtual lunch and learns to really dig into these topics answer questions from their users and really make sure that everyone other team and understands is my home network secure is my family safe what can we do to make sure that everyone who's using our our router is set up for safety so I've got a couple questions here actually for something that you mentioned there Darren about VPNs so I've got two questions that are kind of related so one is I'm curious about the necessity of a VPN for at-home workers if so do you have recommendations for an easy to implement VPN less than 50 employees that won't bog down their daily work and the second question which is an X alone is how safe are free VPNs like proton these are great these are great questions so so that I think there's two very like when people talk about VPNs the first thing I try to understand is what they're trying to achieve so originally a VPN was basically something that was applied in the low area network in your office and it was a method that people would use to be able to access office resources back in the olden days when everything was not in the clouds but we're actually in your office in a server so it would be a way of creating an encrypted you know credential eyes connection to the office environment which would give you access to all or some of the local area network services in the office so that when you're thinking about a VPN from that context if you have if you have assets that you're trying to access within the office environment that's a very different set of vendors and and often in times in an advanced router you'll get that in the router itself so it'll have VPN technologies with the ability to use a variety of different encryption protocols in there when you're talking about a workforce that's generally cloud focused so like for us at Sakura see our office is is pay well it's just it's it's a room basically it's a bunch of rooms with a network connection that's Wi-Fi and desks and lights and and in plants like there's literally no technology so when everybody goes home at the end of the day they call their lapt ps home no hardware they are other than the router and then the V and the firewall and the IDs and a couple of the technologies around our network but there's no there's no data host it there so so so for us everything we do is in the cloud we have you know hub spots where our leads and stuff is we work in our application which is cloud-based in AWS environment so we have four in that case we're using a VPN for different for a different reason the VPN is to make sure that nobody can sniff packets within my own network so so where we use VPNs I don't use a VPN all the time at home I'm not using a VPN now because I've secured my network substantially enough for our security policy that I don't use it but where I really use VPNs and where we push the use of VPNs is when you're in a coffee shop working which obviously is not going to be too much of a problem right now either or an airport or hotel because in those environments now you're in this network and like you know sometimes I run scans on networks just for fun to see how big they're and how unsegregated their and you know you run a network scan in a hotel and you see like there's like 600 700 devices all on this network right so in that environment you are now exposed to other like people that could be hacking and that's that's another form of hacking where hackers go into very popular environments where people are networking in a shared open on protected network and then they're able to go in there and do a kit sniffing which for the non-technical folks because it's basically whether they can grab pieces of data and then they can use that to basically to man-in-the-middle attacks do all kinds of different ways either capture that or then emulate what you're connecting with so emulate your bank connection or whatnot so so in that environment so I think you know the question becomes like if you secure your home network a VPN is another layer that you can use I use P ia I believe they have and when it comes down to like looking at you know the number of people or your units I would look at like you know if you just Google cuz I just have taught my head I don't really I don't really have a bunch of vendors I don't know if you and have any in mind Craig but like reputable vendors I'm not a fan of free I'm also not a fan of using something like a VPN unless you go through a process of due diligence like look them up thoroughly have they had any hacks is there what's the community saying about them do they have reputable customers are they still customers versus just logos like like like a VPN because you have to think like you're when you're using a VPN like when I connect the PIAA now I'm I'm basically putting my trust in that piao on their side are not doing anything wrong full or malicious or not lacking in security controls and their own and their own and and it's hard to have a hundred percent confirmation to trust anything or anyone but I look at it like this I trust P ia a reputable company that's used by a lot of people around the world that has a pretty good reputation I trust that versus the 800 random people I don't know in the hotel so it's like which is which is more secure obviously that's that's probably the better suggestion I'm not a fan I'm not a huge fan of the idea of VPN as a free service I haven't used much of it the reports that I've heard is slow so like also back to sort like being secure is great but being really slow is not good so like you're also like security should be a thing that is there to keep you secure while you're working it should not be an obstacle like the minute security controls or practices you're implementing slowly down or make your work significantly less enjoyable or or or doable or efficient then the security controls are bad or the tools being used or bad there's very likely a better way of doing that absolutely and just kind of I'm gonna drop some links to some of these ones that were name-dropping here for PII I've also and familiar with companies that use Nord VPN which I believe does have a free version and in general if you are gonna look at free my my experience with free products is the free versions are usually better if they also have a paid version they have more incentive than to make sure that they're giving you a good experience and providing you with reasons to upgrade free that has no paid upgrade is probably not a I wouldn't I would avoid it if you can and and so I I just I just Google to remind myself just because I haven't thought about VPNs in a while but perimeter 81 is a really good one as well and I've actually met some people from that company recently expressvpn is another one that gets really great ratings as well I mean you know good ratings good performance and you know and and good price too obviously is something to consider just kind of a short answer who should be using VPNs for home users then people that are on home networks that are working on home networks that they don't have control of would certainly be one so if you're in a case where like you know you're sharing and network with other people you know that would be one if you have really complex activities in your network so I have a friend who's like super nerdy and he has like jailbroken iPhones and he's got like like like Frankenstein compute that he's built that he builds weird servers and like uses old retro games and all kinds of wack things and he's got all kinds of weird IOT devices that are from like brands I've never heard of that he uses for like his garden is indoor garden and stuff so if you're into all kinds of if you got weird stuff like that going on you know if you do have a really old router and you don't go through and you're not willing to take on that practice of securing the network that's another another factor and then like obviously if you're doing things that are very like if let's say for example like you're processing credit card information and like doing stuff that's applicable to like PCI DSS or something like that then I mean aside from the fact that PCI DSS would would mandate that amongst other things in that case if what you're if they're that high level of confidentiality and you feel you know you feel that you should have that extra layer then you can do that like say I don't use VPN in my home but I manage the security of my home I have a very simplified Network environment we all need a leak all over all of our systems only download applications from the App Store or trusted vetted you know providers we auto update on everything like all that kind of stuff and I just for me the performance is so critical and again like everything I'm accessing is also through other encrypted services so I'm using HTTPS accessing all the different websites and things that I that I use so it's really a you know it's a it's a weigh it out thing like I say for us for security we allow people to configure their their network to the network policy very simple basic thing to do and then that way everybody has good performance but like I say as soon as you go into that network that you're not a hundred percent sure of or you know or were you know there's potentially compromising activities or devices then then to firon up at VPN is is a highly recommended approach for sure darren i would also say to similar would be the the use of password manager password management systems also so those are often you know for fee sometimes there free versions of them but one of the one of the things I I struggle with is the gap between recommendations of passwords and past phrases and the reality of how many different systems people are using today it's just it's impossible to not have you know a system to use because your your next option is either to commit you know hundreds of unique pass phrases and complex pass phrases to your head which is you know for 99% of us that's not possible the other option is you have a word file that says passwords on it and or excel file that has passwords on it has all your passwords so neither of those from really good options but LastPass and dashlane and others offer I think really clean easy solutions they're similar to VPN rights just another layer of fairly short expense that you could do to protect yourself and for me right behind that is from a safety perspective is and this is less than it's not a system but this is more of just the best practice with applications it's two-factor authentication or multi-factor but generally it's two-factor authentication if they have it use it it just it's you know it's a little more painful now all right you have to have your phone with you if you're gonna get into an application but generally it's so quick it's fairly painless to leverage two-factor authentication but it's worth it for the one time you get that two-factor authentication request on your phone and you weren't just logging in so right yeah we use we mean we have a policy also internally that to multi-factor authentication is applied and every service that has it and if a service doesn't have it that would have come up in the security teams review of the service so we would we would adjudicate whether or not you know that might change the way we use it or it might actually if they don't have it as a feature it might actually make it that we don't approve it on the security side for the company we also go a step further and and recommend that you don't use your phone number as the validator that you use a Google Authenticator just because there are some there are some tricks hackers can use out there to to to to lift that I mean you know two-factor or multi factor is not 100 percent bulletproof but like we say like really nothing is honorable of proof I always make the analogy it's like it's like in your car right so like if you if you if you if you are sober and your car's looked after and you're driving the speed limit and you're paying attention and you're not texting each one of these things are best practice that's improving the likelihood that you will arrive alive and will get the car accident first is you know six beers a joint you know don't have a license you know you're driving twice the speed limit and like when you're not doing any of these practices you're kind of that person barreling down the highway with complete disregard right so having those pieces in play will will reduce the the factors for sure and like password manager II I could not live without a password manager I think like probably in work I've got about thirty different passwords I don't even and to be honest and personally probably another thirty or forty and so like I don't know any of them I didn't create them my password manager created them which is great because it's a big long thing that I'd never remembered it's put pretty much unhackable but the good thing is like then you only have to really know the password to get into your computer the password to get in your password manager and then the password to get into your phone that's three passwords I can do that sixty not a chance so then you end up with these things like using the same password for more than one thing which is like one of the worst things you can do we are coming up on time here it looks like we are at 115 right now so we're going to take just a moment to answer another question or two for those who have to skedaddle because they're at their time thank you so much for attending we're gonna stay stay here and answer just a couple more for those who have questions that haven't we haven't had a chance to get to so far so for password managers we've got a question here about password manager applications you recommend as you mention it we have a couple that we recomm in our security marketplaces that are among our favorite Darrin and Craig do do you want to give a shout out to any password recommendation managers they you're really a to already mention it yeah the one that's soso LastPass and and - Lena are definitely big contenders and there's another one there's a Canadian provider that's actually really good as well called one password and yeah so you know they're there they've had a lot of great traction and work really well they're also good too because it allows you to share passwords so like one of the great things like we used LastPass currently and one of the things and we implemented our business continuty plan and we realized like okay well what are we gonna do if the CTO gets ill or his wife gets ill and he's not available like who's gonna access certain things so so what we did is we came up with a protocol where he shared some key passwords for key infrastructure with myself and my co-founder via LastPass again we don't know the password but we have access to that in the last pass vault and if we have to and if something happens to him then there's another individual in the organization that we can then authorized to proceed to access the database they've been trained and some whatnot so you know it gives you that ability like generally you don't share passwords but in certain cases you share passwords like if there's a single wpa2 you know password to access your network then you would share that with people that are accessing that network at work for example right or or you know sometimes there are things like that that becomes a shared password so it gives you a really safe way to share passwords and a lot of them have vaults as well where you can where you can actually share encrypted other pieces of information that might be critical to your business like a safe password if there's a physical safe that includes you know a mandatory backup to a database or something in your in your building then you know and you need somebody else to have access to it then you that the password manager could give you a really great way to share that in a safe secure manageable way and you can revoke that access to people at any time as well and all right I've got one another question here on really around communication and via Craig and Aaron I know both of you have some some thoughts on this one it's the question is around how do you communicate out to the workforce who aren't as familiar with router set up and communicate these best practices and tools and does it involve more training to help them get a handle on setting up the home network being fully remote staff and rolling out these requirements to update your remote staff and check their home networks and things so really it's on the you know how do you go about this communication and this training process for people who are suddenly remote that's a that's a great question and and I've seen a lot of cases where people you know depending on the level of sophistication and technical capacity of the staff like for us it's pretty easy we have a very technically inclined team but there's certainly companies out there that don't have that and as much as I say hey it's not that hard to go into your router and access the administrative credentials and find the router IP address and go in and activate these things if you have a hard time you know logging into Facebook if you're like if you're really for people that really struggle and aren't very aware that it's obviously going to be a bigger feet than it is for somebody who's already used to using like common modern applications and generated user interfaces right so you know and I've seen cases where companies have realized that hey this we can't expect people to go through and implement a home security program and update firmwares and manage and administrate all the devices on their network or ever manager you know their kids are their kids understand the technology better than them you know the kids are just gonna go in and undo stuff or change stuff or you know in those cases I think that's when sometimes the VPN conversation comes up again and then we know when when you you have to look at it incest your assess your team and like not every departments equal as well so there might be some departments that have access to more critical information or than others so you might be more concerned about the security of your development team than you would be maybe of your sales team for an example and then so I think you can assess you can also have different protocols for diffe ent departments too and and like I say if you have people that your concern you think it's too complicated then that might be where the easiest way to do it is just go in there and find go on in those VPN sites and buy the 50 licenses their ever many staff or you know and implement that or if you do Italian figure hey we've got 15 people that we just can't ask them to do this is not reasonable let's put them on VPN these other you know 10 people here where we want their their internet to be fast and nothing else in that chain that can slow it down like the people doing sales pitches let's walk them through and and that's another thing like you can actually walk people through things so you could walk people through the process obviously have 50 employees that's really challenging see I think I think you really need to look at your own culture and and how confidential and how you know how secret is the data and how do you assess that in terms of your assessment of risk and make the decision but a VPN again that is the tool that generally I pull up like you know in in our policy it's like if you don't want to do this to your network because technically like Who am I to tell you how to set up your own home network so if you don't want to if you don't want to do this in your home network then you have to do this VPN if you can't do either well then I have to let you go because as a company and I have a requirements to my customers and I need to implement a certain level of security so the VPN can be sort of that catch-all of basically then you're just treating the home network the same way as you treat the coffee shop the hotel the airport and then they just turn their VPN on you have anything anything that you'd add to that or anything any context around that Craig that no I think that's great I really I do think that's great I think for people working from home you're gonna have all different levels of skill and some you may be able to walk through so you know Darrin you would say hey maybe we'll do a you know a webinar on configuring a home router right and I think you know that would be really helpful for people that have some base level of understanding but if you coming from no level of understanding that may not even be good enough and so therefore it may just have to be a VPN that that solves a security problem for you so I think that's a really good assessment and because you may you may actually not be able to in this distributed environment get everybody up to you know secure standards at the router level because they just may not be able to do it themselves yeah I think there's some things that you can definitely do around this to really make it feel like company-wide initiatives I've worked for I used to work in the financial industry and they would roll out like a big communication saying hey we're gonna do this thing warning people in advance that we're gonna be launching this thing it's coming down people kind of feel to know that this new training is coming they offer up they'd say we're gonna do this training there's videos and tests and things that you'd go through for people who are not comfortable with the subject after having watched a prepared video or gone through the test or maybe the fishing simulation then you have the live webinar that you can do QA and people can really come and say hey I didn't understand that and that can really help if you're providing that way to really captions because you know that people are gonna have them yeah wonderful all right do we have any other questions or wrapping up comments Darren and Craig um I'll start there and maybe you can close it yeah I guess my my message would be we didn't hit on this entirely but you know as I mentioned cyber criminals are effective marketers and they also play on on psychology and psychology is both you know is really kind of the inner workings of your brain that trusts things maybe for the wrong reason so we didn't talk about it we didn't show this the some of the visual spoofs but it is so and incredibly easy to spoof a logo or a landing page I mean if you've ever logged into Microsoft service it's just like a you logging into a beautiful mountain scape right it's visual and you know it's very nice it's also incredibly simple to spoof so I think you know the ability to separate the visual and the logo from urine from trust in your brain is really important and that will lead you back to you know actually interrogating the email the way that it's supposed to be interrogated which is you know send her name and hovering over URLs and things like that so that would be my closing cautionary statement and in general I think you know the questions were great today and daeron all brought up some really fantastic suggestions for home but you can reach out to me at any time and I think there's a lot of great information out on the web as well yeah for sure I mean I would I would echo that same sentiment you know obviously what I always say is you have to like the message that I put out to my team may not be the right message to your team and so you really do have to look at your team like we're a security company we talk about information security all the time we use complicated tools you know we so it's it's a different question for me to say hey here are the 10 steps to secure your router then it would be to somebody who you know really doesn't use computers to that level so that's an example of really assessing the environment and you know I think I think when you put things in the context of like hey here's something you're gonna do that's gonna help you not just the company I think that kind of helps I know and all the times I've done presentations and I've talked about let's start talking about like here some really bad hacks that have happened but I would always try to make sure that at least half of them were hacks that happened to people not hacks that happen to companies just to put it in perspective that like these same practices that would help protect your company from an information security perspective are also the same ones that help you so you know any little bit of any gain that you can do in terms of improving people's awareness improving what they do like even if they can't do all the things on the network even the fact that they looked at their router and realized hey this is the router that Uncle Joe set up ten years ago like maybe it's a good idea for them to make it you know to consider improving on that and buying something more secure like more modern equipment 10 tends to have reputable modern equipment tends to have more security by default than older devices so like some routers nowadays have update firmware as a default like it's it's Auto update and things like that and so so newer tech is generally if it's from a reputable vendor a better option but like I say if you look at that and say okay I've got 50 people and this I don't really see it reasonable for me to give them you know get them all to do that then you can push the VPN model around that as well wonderful well thank you so much everyone for coming that wraps up all of the questions I hope that everyone got the answers that you came for today we'll have a recording of this that is going to be available on demand so if anybody wants to go back and take a look at some of the things that we dropped into the chat or that we mentioned that you didn't quite catch along the way you'll be able to go back and reference this as well thanks everyone for coming today thanks everybody thank you stay safe out there