TiHS Episode 30: Kassia Clifford – on personal and organizational cybersecurity


Welcome to episode 30 of the Technology in Human Services podcast. In this episode I chat with Cybersecurity professional Kassia Clifford. LinkedIn has become a great place to learn from others and make new connections. Kassia and I recently connected, after I’d been following her excellent sharing for some time. She shares practical, useful, and urgently important tips about cybersecurity. She calls herself a “Cybersecurity Interpreter,” an important skill set and attitude that she uses to share what she’s learning about cybersecurity risk, in an accessible way.

I’ve learned a lot from her and when she shared a particular post about free and easy ways to improve security, I knew I wanted to chat with her on the podcast. I think you’ll find it useful and you’ll leave with some practical next steps to make sure your online activity is secure.

Here’s that post and what she wrote:

  1. #MFA: block #hackers who gain access to email creds
  2. #Passwordmanager: store complex pswds in a safe place
  3. Auto-updates: keep the latest #security patches on your OS
  4. #Antivirus scanner: detect threats proactively
  5. Full-disk encryption: #reducetherisk if a device is lost/stolen
  6. #Awarenesstraining: make #cybersecurity a part of the convo
  7. Access mgt: MFA, limit admins, team drive

If some of those hashtags make you scratch your head, don’t worry. All is explained in this episode!

Some core questions we started with:

In spite of moving services online over the past year during the pandemic, and even before, many nonprofits have low literacy when it comes to online privacy, security, confidentiality, and knowledge of encryption. On your site you describe yourself as a “cybersecurity interpreter.” I think many nonprofits could use someone with a title like that! Can you describe what that means?

You share great tips and what you’re learning on LinkedIn. Recently you shared practical and easy ways to improve individual digital security. Can you go over those tips and explain why they’re important?

What would your advice be to nonprofit leaders about steps they need take when it comes to risk assessment and security in their agencies. In particular, I’m thinking about social service agencies that interact with clients and lots of their personal information.

How should nonprofit organizations and workers go about learning about cybersecurity? What baseline skills, attitudes, and approaches should they be taking to ensure they work safely online and with client data?

Resources:

Kassia was nice enough to provide a list of useful and important resources that will help you as you explore and learn about cybersecurity:

General Cyber Awareness Training:

  1. Securicy
  2. Wizer
  3. Udemy
  4. RBC Kidsplanation Videos: (Easy, light 1 minute videos, could have a Lunch and Learn with an entire team, watch and discuss together)
    Email Phishing
    Malicious Software
    Password Hacking
    Social Engineering

Compliance and Governance:

  1. NIST: industry best practice for managing cybersecurity
  2. PCI: processing payments
  3. HIPAA: handling health care information
  4. SOC2: Service Organization Controls framework (reviews security, availability, confidentiality, processing integrity, privacy)
  5. PIPEDA: personal information handling in Ontario
  6. OWASP Top 10: standard web application awareness (the top 10 web app vulnerabilities that hackers could use to exploit your app, and how to remediate them)

Machine-Generated Transcript

What follows is an AI-generated transcript of our conversation using Otter.ai. The transcript has not been edited. It may contain errors and odd sentence breaks and is not a substitute for listening to the audio.

Marco Campana 0:00
Welcome to Episode 30 of the Technology in Human Services podcast. In this episode, I chat with cybersecurity professional Kassia Clifford, LinkedIn has become a great place to learn from others and make new connections, Kassia and I recently connected after I’ve been following her excellent sharing for some time, she shares practical, useful and urgently important tips about cybersecurity. She calls herself a cybersecurity interpreter, an important skill set and attitude that she uses to share what she’s learning about cybersecurity risk in an accessible way. I’ve learned a lot from her. And when she shared a particular post about free and easy ways to improve security. I knew I want to chat with her on the podcast, I think you’ll find it a useful conversation and you’ll leave with some practical next steps to make sure your online activity is secure. Welcome to the podcast. Thank you so much for joining me Kassia, can you maybe give a little bit of an introduction in the background about you, and how you came to work in cybersecurity?

Kassia Clifford 0:55
Sure, happy to thanks for having me, Marco. So my my background is a bit eclectic. Coming into cybersecurity. I started my career in social services work actually working with women and children who were in domestic violence situations and then military families. At Base Petawawa. I was doing crisis intervention with families while their members were overseas serving in Afghanistan. So I started doing quite a bit of risk assessment and safety planning. However, it was more with people and less with information. And then I moved around in my career to the private sector back to public sector work to the family business. And how I ended up getting my intro into cyber was actually through a social enterprise startup, I helped build a chapter in New Brunswick called Venture for Canada. And they place entrepreneurial new graduates with startup companies with a goal of making a positive impact on the local economy. And I ended up meeting David Shipley, who’s the CEO of Beauceron Security. And there are a Cybersecurity Awareness firm. They do phishing simulations, risk management, and it’s all math, the NIST framework. So he had hit me up later, whenever our team was growing. And I joined them as a director of marketing and really got my first taste. They’re both the problems in cybersecurity, which I had an inkling about from an IP and a business course I took at the University of New Brunswick, however, he really helped to drive at home, whenever you’re working with folks who’ve been in the business and are trying to solve problems, and see a lot of business leaders struggle, you know, there’s, they often have the weight of the world on them. So I remember thinking, this seems like a big problem. And, and all the people I speak to, are really technical, and they have a lot of subject matter expertise. And it’s challenging for me to really understand that. 
So I saw that as being an opportunity for me to come and support the industry as well as learn more about something that was really relevant today.

Marco Campana 2:57
I love that you came at it from a very different background than then like those it those technical folks that you described, because I think so many people get intimidated with the notion of online privacy and encryption and security. And even though it’s gotten easier and easier than ever before, I mean, they’re they’re baked into some of the apps that we use. Now, there’s still a lot of hesitation, a lot of sense that, oh, I couldn’t possibly understand this. And because of that, there’s a lot of vulnerability in the way people use the technology. So in my sector, I work mainly immigrant and refugee serving sector. And over the last year, I mean, everybody shifted online during the pandemic. And what we found is that there is there’s a hesitancy in a very low literacy or when it comes to all of those things online privacy, security, confidentiality and knowledge of encryption. And, and I know that you describe yourself in one way as a cybersecurity interpreter. And I really liked that. Because I think that that takes some of the stigma away. And it’s like, there are people who can help you understand this. Because you need to do it, not just in your professional life, but in your daily life. So So can you tell me a little bit about how that that that’s evolved for you? And I mean, you know, you and I have interacted on LinkedIn, I find what you post extremely useful and practical, because you’re saying, Oh, I learned about this. Now let me share what I’ve learned about this, and how you can implement it in your work or your life or whatever it means. So cyber sir, cybersecurity interpreter. What is that? What does that mean to you?

Kassia Clifford 4:17
For sure, thanks. And I’m so grateful to connect with you on LinkedIn Marco. And for that to lead to this opportunity for us to put something together, create something and share it with more people. That certainly has been one of my biggest motivations. You know, I used to I used to lifeguard as a teenager. And so I have this civic duty kind of built in me that those of us who have a skill set right if you have a skill set to be able to perform first aid and someone’s in distress. Well, you have a civic duty to say, Hey, I can help you can I help you? And I see the same, you know, the same parallel here in cybersecurity once I started learning, and I realized for myself, the deeper somebody is in the industry, the more challenging, more challenging it can be for them to explain that in human terms for someone who has a low cybersecurity or technical literacy as you mentioned. So in my mind, though, it means I really needed to push myself to be very vulnerable to share with my network, I just like this, this thing about access management or whatever it ends up being, um, I know that that’s providing the most value to people who are interested in also learning. So cybersecurity interpreter to me that term means I have currently have that ability to understand both the business side and the information security side of strategies that we can put in place to help reduce or mitigate cyber security risk. And, and it’s interesting when I first started out in the field, I read a quote from Daniel Miessler who’s pretty well known in the space, I’ll share it with you if that’s cool, because I’ve had it out of posted for several years on my wall, wherever I’ve lived.

Marco Campana 5:54
I saw you reach back. That’s awesome. I love that you’ve got it right there.

Kassia Clifford 5:58
Yeah, easy access, because it’s a good reminder for me, anytime I feel like I’m getting out of my depth, to bring it back to what’s the what’s the, you know, what’s the value prop that I offer this community and this industry. And so what he said was, the bigger problem is we don’t have a common language that bridges infosec. And business. Since security, people can’t quantify their risk as money. And business people ultimately see everything in those terms. This is why people who can translate between the two are in such demand. Now, I know for you, you’re serving nonprofits. So when we look at the nonprofit space where I spent a ton of my career, oftentimes, it’s not necessarily the revenue we’re looking at, but it’s, you know, the clientele serve, how many people have we supported aligned with this mission statements, right, or what we’re here for? And so, yeah, I certainly try to continue to, to be that voice and break it down into practical stuff that we can we can just action and make happen.

Marco Campana 6:53
Yeah. And I mean, like you said, the LinkedIn brought us together here. And part of that was because of a very practical post that you put together, which I found, again, just resonated for me professionally, but also personally talking about easy ways to improve your digital security. And I think you had maybe six or seven particular tips that, again, you sort of you see in different places, there’s lots of articles written about it. But even then people are still unsure of how to even get started, it feels overwhelming, even though, you know, I find I’ve done most of them. And I find that it’s helpful to have done that. And at the end of the day, it wasn’t that difficult. It did take some time to do it. But I’m wondering if you can, if you can kind of go over like, let’s think about it as a baseline for individual online security and privacy. What are some of those tips? And why are they important for people to start using?

Kassia Clifford 7:43
For sure, thanks. Thanks for that, Marco. So that one, I’ll say those tips are certainly things that I’ve put in place in my in my personal devices, and they make me feel more secure. Because when we’re talking about the digital threat landscape, and even you’d mentioned earlier, with everyone working from home since COVID, it has really changed how we engage with work, the number of attacks or cyber, the number of cyber attacks has increased by 400%. And so that’s significant, right? Like it’s a it’s a field day right now, because there are more devices, like home devices being used for work purposes, and vice versa, you’re on home Wi Fi, the kids are around, you know, it’s just um, yeah, opens up the opportunities. So I’ll say, these are seven free things that you can do. The first one is getting multi factor authentication. And what that means is most most software products these days, you can set up MFA, there are very few that don’t have it. And it basically means you would enter a password. Whenever you create an account somewhere you enter a password. And as a second layer of verification, you would either get a text message sent to your phone where you enter the code into the software platform, or perhaps there’s an authenticator app that you download on your phone, and then you just click Yes, that was me. And what that means is, if a hacker were able to expose your credentials and get access to your password and your login information, they still can’t go further without having your device in their hands. So right away, it’s a super easy way that really is just administrative in the back end of the application whenever you’re signing up, usually, for something simple, or something that many of us have. If you have a Gmail account, and you just click on the Security tab, you can see there’s a place there to set up MFA and it’s added a nice pop up comes up that says stop the bad guys from getting in. You’re like, yeah, I want to do that. Perfect. 
So So that’s number one. And I asked,

Marco Campana 9:43
actually, if would you recommend if the if there are options between texting and authenticator apps would is there one that’s more preferential because I’ve heard different things about getting a text being less secure than using an authenticator app and I’m not what what are your thoughts on that?

Kassia Clifford 10:00
Well, I think I’m having anything as a second layer of verification. It’s better than nothing at all. I try not to get too much into the weeds. I did some addictions counseling at one point in my life. So I’m all about harm reduction. And if we’re talking about what are the basics, I try and just stick with let’s get a second layer a verification to put it out there. You know, there’s, it’s interesting, I went for a late night kayak a couple nights ago, and I thought, Hey, you know, like, I’d like a new phone soon. This one’s pretty old. But if I lost it, I basically would be screwed getting into any of my applications right now. Not only because even if I don’t have it being an SMS coming to my phone, the the authenticator app is downloaded on my phone. Right? So I still need that second device. Yeah, so I haven’t really worked my noodle around that one yet. I figured that future Kassia can solve that problem. But I’m happy to come back for a second because it’s,

Marco Campana 10:54
the message is one of those is better than none of those, right?

Kassia Clifford 10:58
Yeah. And, and try not to get wrapped around the axle. That’s easy to happen when you’re doing anything technical, but just to know you have something in place. Yeah, um, another one. So the second suggestion I had here was a password manager. Now, this is something I’m working on getting my mom on, she’s not quite ready for it. But she does have a lot of inner security inside her. She’s been burning things with her address on its side as a kid. So I know that God instilled in me at a minimal online footprint, right? through online banking, she’s like, accurate, right? All cash. So it’s, it’s funny, when I look back to see that I’m in this space. Now, it makes a ton of sense. But a password manager is basically one home, it’s like, imagine it’s a safety deposit box online, where you would put all of the passwords that you have for your account. So safety deposit box, put all your monies and your jewels in there, you don’t want anyone to touch it. And then there’s a key, and perhaps a second key that the bank has, right. So something like LastPass or 1Password, there are a few out there that are pretty well known and that are doing quite well. And what’s great about this, it’s interesting, it took me a while Marco when I first started in security, and I thought this just seems like a lot of work. Like no one is really explaining why I should do this, you know, like, I think I’m fine. Who’s gonna get me, right? Those are all the normal human reactions that we have, whenever we think we have to do something that seems like work. But that’s it. And so, what I realized, well, it helped I later worked with a pentesting team. So ethical hackers, and, you know, I got I got real up close and personal with what it’s like that we were doing there, you know, looking at finding vulnerabilities and applications for fast growing startups in in Canada during COVID whenever these companies were really growing, because there was just more business going online. 
And that was what really motivated me to adopt this. And really, it’s so easy. You can set up one password. So you basically choose a long phrase, something that no one would guess. So it can’t be something you say. So if I say things like, yes, this, they’re amazing, you know, this is a year for all my dreams to come true. Hashtag money, well, then don’t use those things in your password, right? So it needs to be something unique, that somebody wouldn’t be able to scroll through your social media accounts. And guess that that’s the phrase you use. And then that’s the only password you ever have to remember. And everything else you can auto generate really complex passwords, you can set how many characters they are, how many numbers there are. And that way, you’re not doing something like saying hummus, five, or 106 exclamation points, or hummus, seven exclamation point smiley face star, which is also lots of people thinking that they’re gaming the system, and you can find them, you know, you can find a place where you can actually just type in like how hard is it to crack your password. And you’ll see passwords like that they can get hackers can get in them instantaneously. Right? And and and they’re not just looking for your information. They’re looking for your company’s information, maybe your wife’s information, your wife’s company’s information, whatever they can get soon.

Marco Campana 14:09
Nice. Yeah, I have I use LastPass. And I found out something recently that I hadn’t even remembered. When I did all the setup, one of the things I think you can do is restrict the geography so that if you put in the password, but you’re not in the place you usually are, it’ll give it yet another layer of checking with you basically. So I was at my parents place. And I just kept I kept trying to sign in and it kept saying, We’ve sent you an email, and I was like, why that’s the right password. And then I went and I realized, oh, it recognizes I’m not in Toronto. So it’s saying, Here’s another layer of authentication. I thought brilliant just again, it does some of the thinking for you. If you set it up the right way, right, which is really Yes.

Kassia Clifford 14:50
Oh, that’s awesome. I love hearing that I found out LastPass will also do a security check with you. So they’ll if you’ve ever You know, if one of the things you’re doing is importing all of your passwords, say from Google Chrome, if that’s where you store them, and you want to get them out of there, and then be able to autofill using LastPass, it will flag if you reuse the password or if some of your passwords aren’t that complex. So you can still do that harm reduction model, right? Get the password manager and get maybe your most at risk accounts secured, like your bank account, or into your work device or anything like that. And then still work through continuously improving your security, which makes it more manageable as well. And it’s bite sized. Right, right. Yeah, the third thing I suggest is auto updates on your device. So on your laptop and your phone every time, you know, a pop up comes up and says oh, we’re going to install, you know, the latest operating system and you’re like, nevermind, you click out of that, right, like, that’s what we want to avoid. Because what that’s doing is saying that Microsoft or Apple has found a vulnerability in in, you know, their code, and they found a patch for it. And so then this new operating system is going to help get that patch out to you and your device. And And oftentimes, some of your other applications won’t end up working as well, if you don’t update your operating system. So there’s a super easy way that you can just enable auto updates on your computer, and then you don’t have to think about it. And with that, I will also say it’s a great habit to shut down your computer every once in a while or restart it something that a lot of people don’t like doing. What I’ve deciphered is they do not like losing all their tabs.

Marco Campana 16:35
Oh, yes, you know,

Kassia Clifford 16:37
that good old bookmark feature can really help, then you avoid your computer just crashing in the middle of a meeting because they can’t take it anymore, right are becoming really slow and you maybe being paranoid that something’s wrong, or there’s a virus on it, when really you just need to restart your computer. It’s like imagine you never go to sleep, and you just keep working and and being active with your family. You never never sleep at some point, you’re gonna fall down. Computers doing the same thing. That’s great analogy. I’m glad you like that one. So the fourth one I added here was the antivirus scanner. So this is going to detect if there are any threats proactively, you know, there can be some is a good thing to do. It’s not a standalone, I remember being young, you know, my mom like really getting intense on Norton Antivirus. And I thought like, What is she talking about? But again, she gave me some of that security training at a fairly early age. And so this is one part of the puzzle that’s important, it’s easy to do, you can find a ton of free reliable enough software’s to do this as well, where you’re not necessarily needing to pay for licenses for seats if you’re looking at nonprofits that maybe have 50 employees and no budget for security or a minimal tech budget, right. So that’s something that can be helpful. And that will just continuously run in the back of your device or your laptops, and full disk encryption as well. That’s something you can easily enable well, easily except if you’re on Microsoft home, which we put the link.

Marco Campana 18:05
Right. That was that was our conversation on LinkedIn. It’s killing me I have to do it still. But it’s so many extra steps now. Oh, Microsoft. I know.

Kassia Clifford 18:14
And and believe you me, I’ve put all of these strategies in place at the company that I’m with now and anyone who was on a home iPod come now I have a lot going on on my plate and sort of these people, we do not need five more steps to take. However, what what’s so fascinating about the human brain, I studied sociology in university for my undergrad, and that’s a great fit with this kind of work, isn’t it? That’s awesome. Yeah, it is because there’s a ton about human behavior when you’re looking at not only what are hackers looking for in us, which is usually curiosity, sense of urgency, excitement, fear, that’s what they’re playing on to get us to click right like that phishing email that comes through that says, This is urgent. Your boss needs you to call them right now or whatever it ends up being, um, you know, we we make decisions that way. Like we’re emotional beings, humans, right. And then the other flip side of it when you’re looking at training people and educating people or interpreting a dense topic like cybersecurity, really intelligent people don’t necessarily know everything about every discipline, however, we often don’t like feeling like we don’t and that fear can come up and the brain turns off or when we see something where it’s like 10 more steps to get my disk encryption. Oh, future Marco is gonna deal with that. So good news, you’re human. And that is a normal thing. However, for many other so for regular for other Windows users, it’s really easy. To enable for Mac, it’s super easy to enable. And this, again reduces your risk. If a device is lost or stolen, that any of that confidential information, it’s less likely that whoever has access to your device is going to be able to access the information on it, which is something that your nonprofits and even for yourself, you’re going to want to know. You know that you’re protecting your own information. The sixth thing I had on here was awareness training. 
So making cybersecurity part of the conversation and part of the regular conversation. Now, this is one area where I think organizations families can make the biggest difference is, it’s not like, okay, we’re gonna do all these things. Kassia we’re gonna take it off the list, and then it’s done. And I never have to think about again, so that was hard lesson, I understand why I did it. Right. Um, well, you know, again, that’s a great first step. However, what helps us change behavior? Well, when we want to become healthier, we if we go for a five kilometer walk on Monday, but then we stay on the couch every single day, for the rest of the week, you know, we’re probably not going to get see a lot of that one five kilometer walk, it was good that we did that. So cybersecurity training and making it part of the ongoing conversation. You know, there are ways of doing that at our company. I’m, you know, I’m talking about security in our weekly team, since we did a full big lunch and learn whatever to share with everyone, hey, we’ve got some massive changes that we’re going to be rolling out, it’s going to be a fast turnaround time, that’s going to be a lot, but this is why we’re doing it. And it’s important to us to protect our clients information as well as our own. And this is kind of the nature of business today, right? And then, whenever other individuals have questions about something, if they get a phishing email, or if they’re asking about setup for any new software we have, or why are we doing it, sharing that information with the rest of the team, so that somebody who may have been afraid to ask or just too tired to ask but doesn’t understand gets the information another way. And then lastly, access management. So this one is is a project I’ll say that. 
And what it really means is, whenever you have software, a variety of different software that you’re using, you want to reduce the number of people who have administrative access, which would be higher quality leads for a hacker to go after. And also put the company at more risk because they have access to more confidential information if you’re worried about insider threat, or just reducing, improving privacy and improving your data security.

Marco Campana 22:29
Yeah, that one’s actually super important. And I find in the nonprofit’s I work with because so often, they’ve got volunteers who come in, who do kind of tech work for them, because they don’t have the budgets or funding to do it. And those people get tremendous access to things to the point that I’ve worked with people who can’t update their website, because the only person who has the password is to volunteer, and they’ve gone off somewhere, and they’re not responding to their emails or phone calls anymore. And that’s, like, comical on the one hand, but there are huge privacy potential implications for that. If it’s, you know, their their client database, for example.

Kassia Clifford 23:02
100% Yeah, and it’s, um, it’s, it’s interesting, because most organizations, you want to have some level of redundancy where you can prepare if that one person has administrative access, and then they’re going on holidays. You know, what do you do around that? Well, you can provide temporary access to their backup for the person that comes in and shifts to cover. Now how, how normal is it for us to be thinking that way? Well, unless you’re building a security program, and it’s part of your everyday conversation, it’s not normal to think about that, right? The person before they go on vacation is thinking about all the stuff they have to check off their list before they go and ride off into the sunset. And when you’re looking at nonprofit organizations, relying on volunteers, I’ve worked with several nonprofit institutions where I’ve done big access cleanup. And this was this was before I really even knew that I was doing some level of cybersecurity, or information security management, I just thought, Well, those people shouldn’t have access to this anymore. So you see that in a lot of organizations that have high turnover, too, right? And if there’s part time positions, where there, there’s high turnover, and all of those accounts, so why Access Management matters. All of those accounts are open doors, it’s basically like you leave a window open with just a screen and and the hacker could just kick that over and come right on in and use that to get to other places that have more confidential information within the organization of that volunteer also had access to other you know, a CRM with client information that may have health records or or perhaps banking information or that kind of chocolate.

Marco Campana 24:39
Yeah, I mean, a lot of our agencies are serving clients that are collecting tremendous amounts of personal identifiable information, not health, but like, you know, sometimes social insurance numbers, definitely permanent resident numbers for their immigration process, you know, names addresses, birthday, it’s all stuff that accumulate into you know, stuff that that someone could use maliciously. And I did the seven tips. But it feels like the first five are like the visible tip of the iceberg, where, you know, everyone should be doing this. And it’s clearly a baseline, that is not only important, but also very doable. It requires a bit of time going into the settings. But But as you said, with Gmail, for example, they’re increasingly making it easier to do that. And the last to the awareness training and the Access Management feel like they’re almost a little bit more in depth a little bit below the surface that I think you use the word security planning. And and I wonder for like a nonprofit manager or leader who’s looking at this, what we’ve been hearing in the sector, we did some, some research recently, where we were asking people about the future of what we’re calling hybrid service delivery, and everyone’s calling it that we’re partly online, partly in person, you know, that kind of stuff. And security and risk assessment came up with something, they’re still feeling really unsure about really vulnerable. So when we talk about security planning below the iceberg, I would say, you know, what kind of suggestions would you have for an organization who feels like they’re, they’re still getting started with this, they can probably do the tip of the iceberg, the stuff that’s visible, but they’re not sure where to start with planning, they’re not sure to start with their access management or their awareness training even.

Kassia Clifford 26:13
So, yeah, great question. I would say it’s important to do a bit of a risk assessment or analysis of where the current status of the organization is. And so if possible, you know, having a consultant that has some of that experience, and there are some who will do pro bono work. There are other templates that you can find online as well, if you’re kind of jury-rigging something together, which, you know, that’s how things start, right? Yeah, yeah, that’s why, when we’re working without a budget, and when it’s something new, you find the person within the organization who has the most technical savvy and the willingness to do that. So ideally, you find your security champions within an organization. I’d suggest put a committee together, so you’re looking at it from all angles, which means it’s not just your IT person, or perhaps the office administrator, who also seems to be savvy; you’re going to have someone from finance in there, someone from human resources, someone from part of your programming, get involved. So get a little committee stuck together, and then do a risk assessment of where, you know... and some of that could simply be: how do we do business today? What information are we gathering? Where are the people that we’re gathering that information from? Because there are regulations based on geography for how information is stored and processed. So even just starting there, like, what information are we gathering? And then what are the processes for sharing that information? That can be a baseline to figure out what you are doing. And then certainly, I’ll say educating your entire team is a super place to start as well. Because the earlier you can get the conversation going, and the more you can change the mindset within an organization, that it’s not like, oh, that’s something the IT person does over there. 
It’s something that we all carry a level of responsibility for, because we have an email address and access to our accounts under a work domain. So therefore, that’s a shared responsibility, right? It’s not something that we can just put in the corner anymore. And those are two things, and there’s a ton of free cybersecurity training stuff. I will say, like, I can write off a bunch of stuff here. I don’t know how helpful that is, but I know that I’d love your tips. Yeah. Okay, cool. So, Udemy, which has a bunch of free stuff on cybersecurity law, Introduction to Cybersecurity. So I’ve purchased, like, behavioral, cognitive behavioral therapy stuff, and like the changes in behaviors, and, you know, I can get like an $11 course that’s usually a couple hundred bucks, but they do a bunch of free stuff for cybersecurity as well. RBC put out a bunch of kids explanation videos on cybersecurity a few years ago. Those are excellent for adults also, because it breaks it down; they’re three-minute videos. So you can find that on YouTube very easily. Just Google RBC kids explanation cybersecurity, and it talks about passwords. It talks about phishing simulations, it talks about some basic stuff that you can do that’s educational, and it makes it fun and cute. Two other institutions, like SANS, will put out some other information. SANS is a well-known organization for cybersecurity awareness and training, for different designations that you can get into. FutureLearn Introduction to Cybersecurity, that’s another course that’s free as well. I can provide a list to you, if that’s helpful, for anybody who reaches out afterwards.

Marco Campana 29:42
Great. I can include it in the episode post as well, so people can get the link directly from there. That would be super helpful for sure. Okay. I think that’s some of the things we hear about: like, yeah, there is increasingly actually a lot of information, but because people don’t feel they have the knowledge, they don’t know where to even start. So even those first few links that you just gave, like, coming from someone who, you know, we know as a cybersecurity interpreter, you’ve got your finger on the pulse, you’re looking at these, you’re evaluating them in a way that I would do very differently than how I might, because I’m not sure. So that’s a huge starting point for a lot of organizations right out of the gate, to say, okay, a course on Udemy, the RBC stuff, the SANS stuff, maybe a couple of other links. They’re good starting points for people to say, okay, I can get what I need, at least to start there. And then, yeah, ideally, I think, you know, having someone like you as a consultant coming in to help them do that initial plan, and then give it life. But I really liked that you talked about it being everybody’s responsibility, because it’s not a one-time thing. We don’t implement security, and we’re done with it. Right? It’s a constant, constant.

Kassia Clifford 30:49
You got it. Yeah, there’s a nice saying that security isn’t a sprint, it’s a marathon. Right. And so that can be challenging, even for me, right? Like I love hitting goals and crossing stuff off a list. And I am definitely aware that it’s just ongoing in security, which is also very exciting, because it means that you can always improve. If anybody is working on releasing attachment to outcome, and enjoying the journey, well, security is a super place to do that. You’re never gonna get to the end. So there’s always a place to continue growing. And I will say I appreciate the words of affirmation there. I will say, whenever you’re looking at any topic that’s really dense, and then you go online, it can be even more overwhelming to know how to sift through what’s going to give me good advice and what isn’t. So I’m happy to share some of those resources, for you to know.

Marco Campana 31:38
I appreciate that. Because again, you do this already on LinkedIn. And I find that so valuable. And it’s one of the reasons why I was excited to have this conversation. Because, I mean, I went on to your consulting site, and it was exciting to see that you’ve worked in nonprofits as well. You’ve got kind of this very rare kind of experience of not coming into it as a techie, of coming out of a nonprofit experience, of having that notion of, I want to help people understand this. And, you know, with the admission that you’re still learning, and like you say it’s a marathon, and in so many ways that’s a parallel to the work we do in our sector, because many people come into the services and immigrant and refugee sector because of lived experience. Some of them come out of social services, social work backgrounds, and specific educational backgrounds. Some people just kind of meander in and out, and they bring stuff with them. But there’s a constant learning, there’s a constant... it is a marathon as well, like settlement is a lifelong thing for most immigrants. So there’s a nice parallel there to the way you’re describing security, that I think, I hope, will resonate with some people, because it’s very similar to the work we do. You’re constantly improving how you provide employment information to somebody, you’re constantly improving how you help people navigate the resources in a new community, for example. And so security, just adding to that as part of that kind of ongoing marathon, I think would make a lot of sense to people. I think it’s removing some of that intimidation, which I feel like you’ve been doing a lot of, even just in this conversation, but certainly in the way that you share stuff. So that, you know, at the leadership level, as well as the frontline level, they can get their heads around that. 
Yeah, it’s not only a responsibility that I now have, in a way that maybe I never thought I did before, but it’s also something that’s not insurmountable. It’s something that I can do. I can set things up, but I need to be constantly vigilant as well. So that’s super helpful.

Kassia Clifford 33:28
Thank you. Awesome. I’m glad to hear that.

Marco Campana 33:31
Yeah. So I mean, I think with those links, that would be great, if you can send those. Is there anything... I’m wondering, because again, you know, I don’t know what I don’t know around this space either. Is there anything that I haven’t asked you about that you think would be important for people to know about, when it comes to ensuring security in the work that they do with their clients’ information and with their own?

Kassia Clifford 33:52
Um, well, I guess, I think that this might seem very basic, but whatever you do, I would encourage you to document that.

Marco Campana 34:03
That’s great.

Kassia Clifford 34:05
Yeah, documentation and tracking that these are things that you’ve put in place to build the security program not only helps remind you, and all of your stakeholders, what you’re doing; ideally, you attach it to a why, like anything that’s hard: why are we doing that? So, you know, if we’re entrusted with new arrivals’ SIN numbers and personal information to support them as they’re getting used to this community and building a life here, well, we want to demonstrate that we’re respecting that trust they’re giving us, and protecting their information. And that’s a commitment that we’re making. So that might be a why that drives the behavior change you’re asking for. And then whatever you’re doing, I would say find a way of tracking that. So that can be very simple. People do stuff where they’re building it in Google Docs or Sheets or Microsoft Excel. Your PC guy, no shade, but you know. And you build that out, and you put your dates for whenever that’s done, tracking information like an asset inventory. We haven’t really talked about that, but that’s important too. So basically, you know, this is Kassia, she has this version of a Mac, this operating system, here’s her serial number. And then she’s done her cybersecurity awareness training. She’s got MFA on, she has a password manager, she’s done auto-updates, antivirus, disk encryption, and has unlimited access, you know. So you’re managing that; that really helps. Because at some point of growth with any organization, nonprofits included, you may have a funder who asks, how are you managing data privacy or security? And when you get that, you know, it could be overwhelming to think, how do I even respond to that? Where if you’re documenting, and keeping track of the program that you’re building, you have something to prove, to show that. And I’m all about getting the biggest ROI for the investments of time and energy in this life, right. Those are finite resources. 
So, you know, being able to share that with your stakeholders is really important. And that, again, helps keep the conversation going with all of your organization, like the leadership, the folks on the ground, everybody in between, so that security is part of the everyday conversation. I think that’s super important. And that helps us remember that we can keep improving as well. Right?

Marco Campana 36:35
Yeah, I mean, as you’re talking about that, too, what comes to mind for me is also the onboarding process for new hires. If you’re documenting, it just becomes naturally part of how you orient them to the systems, because there’s a system in place, and therefore they need to be taught about the security, that below-the-iceberg stuff that feeds that system, or even that checklist. I mean, let’s make it less intimidating. It’s a checklist of all the assets and stuff like that. But that means in our sector, like a lot of nonprofit sectors, there’s a lot of turnover. So you can’t assume that someone’s coming in with security literacy. And so the expectation is, if you’ve got this very simple system that you just outlined, you will bring them up to speed, because you have to, because that’s your system. So I love that it’s like a default thing that just occurs naturally, after you’ve implemented it.

Kassia Clifford 37:22
Yeah. And then what’s lovely about that is that you would also have a mirrored offboarding list. So if you’re going to

Marco Campana 37:29
Oh, yeah, I love that. It’s so important.

Kassia Clifford 37:31
So that pulls us back to the access management piece. And so this is something where every new employee can do part of your security training. And if you have a designee that walks them through that... so for me, at knack, where I work, when we’re serving big enterprise, we’re a really fast-growing startup. And so I have about an hour meeting with every new employee. As we scale, I’m probably gonna have to make a video and get that video out there, so I don’t know if I’ll be able to meet with everybody for that long; I hope I will be able to. But I always ask, you know, have you done cybersecurity training before? Have you used some things? Just to get a baseline of what we’re working with. And then I have a ton of resources that we kind of jam through and go through. And then we have an onboarding procedure as well, where it’s automatic. So whoever owns that software then makes sure that that account is closed, and that we’re closing that gap. And then the device is returned, you know, any passwords or keys for your physical security are also returned. Yeah, so I think onboarding is a big piece, and documentation; those are two that we just covered now that can make a big difference for any of these organizations, to get their program in place.

Marco Campana 38:37
I love that. I think that’s huge. And as we’re talking, I have one last question that comes to mind, because it came up earlier, and then I forgot, but you mentioned regulation. So a lot of what we’re talking about feels like it’s the carrot that will lead you: these are all the things you should do, and they’re the right things to do. But what about the stick, when it comes to, like, the law? And one of the things that I talk about with my clients is, let’s aspire to the highest levels of everything. Right? So for example, we’re not in a field that has a regulatory body, right? Whereas social workers do; we have some people who are social workers, but for the sector as a whole there isn’t an expectation, or, you know, the health sector. So I say, like, look at the regulatory mandate of, you know, the Ontario Council of Social Workers. They have certain ethical regulations that you need to adhere to. So why not just adhere to those, and they have some around digital, for example. And then we’ll always be covered, we’ll always be exceeding the expectations of our own sector, our own funders, and we’ll be following someone who is setting those expectations and changing them. So, you know, we don’t even have to think about it; their role will just learn as they’re doing things. So I know that we have PIPEDA in Canada and FIPPA in Ontario, for example, around health information. You know, is that something that agencies should become aware of, around the regulatory expectations around privacy of personal information?

Kassia Clifford 40:00
For sure, yeah, and excellent question. And it’s interesting, after my first couple of roles in security, I realized, you know, I was working really hard to sell the value of security. And that is challenging, to make that case to an organization that’s very busy, with minimal budget, that’s moving quick, that’s focusing on, you know, excellent customer service, and building a product or a company or an organization. So that sparked my interest in compliance, which, you know, focuses more on your frameworks and regulation, because I thought, it’s more tangible. You can touch that; you can touch the Privacy Act, and it’s a piece of paper. It might be really dense and hard to read, but it exists, and it’s real. And you can see it, right. And so anytime we can bring something into our physical reality, when we’re talking about what seems abstract or bigger picture or complex or far out there, that makes it easier to buy into, I think, and also does help ensure that we are... like, it is a way of getting your ROI, in a sense, because you’re going to be aligning to a well-known framework. And so something that I’m working on right now with our company is becoming SOC 2 compliant. This is a really well-known, highly regarded security framework that has a ton of different controls on how you’re looking at your confidentiality, security, availability, integrity, all that good stuff. And it also helps us be able to say to our clients, well, we’re doing this to this standard, so there’s less questions for them; there’s more trust that way. And it also... whenever you’re looking at stuff like HIPAA, for health information, or PCI for credit card information, or financial information, you know, you’re legally bound, if you’re doing business that way, if you’re operating that way, to follow those frameworks. So good to consult with, again, either a lawyer or a privacy consultant in those spaces. Totally, we’re doing that. 
And, you know, I don’t have all the answers here. But I have a really good network of information security professionals that I’m happy to refer people to, for anybody who is looking for that kind of support. And, yeah, so I would say compliance is a great thing. And I think we’re gonna keep seeing more and more growth in that part of the sector.

Marco Campana 42:19
That’s great. So compliance, for sure. And if you don’t mind sending that SOC 2 link, for that kind of information, when you send all those other links, that would be great. Because, again, I think in some cases, you know, the carrot will work for some organizations, but it may need to be the compliance side for other organizations, to say, you know, we don’t have a choice, we’re doing this because, yeah, it’s the right thing to do, but we also have, you know, a responsibility that’s legal around doing some of this. And again, because we’re in that gray area, as a sector that’s not covered by one of those necessarily, like financial or health, you know, we can look to those frameworks as guides for us, and then say, okay, this is what we’re going to comply with. And if those regulations change in any meaningful way, we will continue to change with them. And then at least we’re following a framework that others are following, and are keeping up to date with changes in security as well.

Kassia Clifford 43:11
Yeah, it’s a great way to point your compass, that’s for sure. Right? Even if the requirements are not on your shoulders, because it’s a big effort to get there. Or if you’re not, you know, creating an application, if it’s more of a, like, I’ve looked at them, you know, that may apply more for an organization that’s building an application, building an app or software themselves. However, even just understanding some bits and pieces of that, I’ve used that to support another consulting agency, just to know, hey, these are best practices under this framework. And that feels good to them to know, okay, well, it’s not just coming from Kassia, she’s pulling out a vertical drunk, you know; she’s getting this from a framework that’s well known. Perfect, let’s align here, even if we don’t do all the other things that are really outside of our business model, or our organization’s, you know, service model.

Marco Campana 43:59
But again, it’s aspirational, and interesting, as you bring up applications. Increasingly, agencies are moving into this digital space. And some of them are creating, you know, mobile apps, and other, you know, online portals even, but also digital systems. Increasingly, we’re gonna have more digital systems. And so that, you know, this becomes something that we need to look out for, compliance, as well then.

Kassia Clifford 44:20
For sure, yeah. And I hope that there will be more and more pockets of funding made available for nonprofits and smaller organizations to tap into, so they can, so it can be affordable for them to reach out to the consultants and to get that support and build these programs. But again, like everything else, it is not a sprint, it’s a marathon, and security and change do take time. And, yeah, I’ll be happy if this information serves some of the organizations that you work with.

Marco Campana 44:48
Absolutely. I have no doubt, and that’s a great note to end on: that this is something you’ve got to at least start, but then it’s something that you’ll be continuing to evolve and improve on. So thank you so much for the time. This has been such a great education for me. And I know that people that I work with and connect with are going to find this really valuable as well. So I really appreciate you sharing your knowledge and experience with us today.

Kassia Clifford 45:11
My pleasure. Thanks for having me, Marco, it’s great.

Marco Campana 45:15
Thanks so much for listening. I hope you found this episode interesting and useful for you and your work. You can find more podcast episodes wherever you listen to your podcasts, or also on my site, marcopolis.org. I appreciate you listening, and if you have any tips, suggestions, ideas, or want to be interviewed, or know someone who wants to be interviewed, please drop me a line through my website, or marco@marcopolis.org. Thanks again.

Transcribed by https://otter.ai