Community IT Innovators Nonprofit Technology Topics

Cybersecurity Awareness Training Tips pt 2 with Matt Eshleman

Community IT Innovators Season 6 Episode 10

Are your staff as ready as they can be for the next attack?

Our cybersecurity training team manages hundreds of clients and shares our knowledge on what works to keep your staff prepared, not just scared. Matt Eshleman, our CTO and cybersecurity expert, answers your questions on how to manage frequent, timely, and engaging training.

Part 1 covers the cybersecurity landscape and types of threats facing nonprofits, our framework for how to think about cybersecurity and where staff training fits in your strategy, and the basic philosophy of security awareness training. Part 2 gets into the details and examples of a typical cybersecurity training program, and Matt answers audience Q&A.


Cybersecurity Awareness Training Tips

We often say that staff training is a foundation for cybersecurity protections. As the risks are always evolving, your training needs to be current too. Gone are the days when your staff could be adequately protected by watching an hour-long video with a quiz once a year.

But managing more frequent training is difficult. We will discuss the tool we use, KnowBe4, which makes it easy to stay up to date and administer training to all staff. There are other training tools out there that work for nonprofit staff – the most important tip is to commit to training and to prioritize it as a team. Your staff and leadership are your best defense of the organization you care about.

In addition, under the new auditing requirement SAS 145, your auditor must assess IT risks to your financial processes, and it will be necessary to demonstrate staff cybersecurity training in your audits.

Learn about these issues and more with our experts! If you’ve been putting off implementing a comprehensive cybersecurity awareness training regime, don’t wait any longer. 


Join CTO Matthew Eshleman and host Carolyn Woodard to learn how to implement an up-to-date and flexible cybersecurity awareness training program this year.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community. There are multiple cybersecurity awareness training vendors with products that work for nonprofits. We will be discussing the tool we have selected and use, KnowBe4, which offers nonprofit discounts, but our insights and tips will be useful no matter what training program you are using, or if you want to create and run cybersecurity awareness training in house.

Many questions asked at registration or live at the virtual event will be answered in the transcript. Check back after the webinar for additional resources.



Carolyn Woodard: Cybersecurity Awareness Training Tips. My name is Carolyn Woodard. I'm the Outreach Director for Community IT.

I'll be the moderator today. 

Matt Eshleman: My name is Matt Eshleman.

Carolyn Woodard: KnowBe4 is the tool that we use. It provides a full range of resources that are available to users. So, Matt, would you like to talk about KnowBe4?

Matt Eshleman: Yeah, so, as Carolyn said, we use KnowBe4. It gives us a lot of tools to automate and really streamline the training process.


Levels of Cybersecurity Approaches

For the folks that are in that no training or an ad hoc approach, you’re in that level one, maybe low level of maturity. There is the likelihood that risk for your organization is a lot higher. Because most organizations are in the cloud the risk of ransomware is relatively low, but the risk for account compromises, which are often initiated through clicking on a malicious link that’s stealing your credentials, that’s very high.

Organizations are getting those wire fraud messages or you’re interacting with maybe a compromised account on the other end from somebody you know and you trust, that verification process and looking at all of the other email recipients can be missed. 

So, starting off at that basic level of compliance, the risk of the organization is a lot higher.

I think as you move into those categories where if you can make cybersecurity something that the organization is working at intentionally, having a formal program for new staff, or as Carolyn said, unfortunately, you’ve got a good example to share that, hey, this happened to me (on my first day), watch out. And I think that can be really effective as a tool for other new staff to hear, oh, yeah, this is not just the video, but it’s my colleagues also reminding me.

But then that can build into these more mature levels that are identified here from having more robust scheduled trainings, maybe tailored trainings based on the work role, who’s clicking on stuff.

And then that feedback loop, I think is important. So, it’s not just IT that makes everybody take all these trainings, but IT is really a partner in keeping the organization secure and staff are helping IT by reporting suspicious behavior, reporting those weird messages that make it through the spam filters, because the technical solutions are imperfect. And it’s an important way to build culture, to build relationship from the staff and the IT services.

You can work towards building that overall sustainable security culture, where it’s something everybody’s working together. It’s NOT just operation staff and executives don’t have to participate, but it’s really building a culture across the organization to make sure that the entire organization is secure.

Carolyn Woodard: Building on that idea of education, improving your training standards, and helping to improve the overall cybersecurity maturity of your organization. These are some helpful tips to increase the effectiveness of your program. Of course, each organization, every nonprofit is a special flower and has its own unique culture. There are a range of tools and trainings that you can find. But these are some of our tips. 


Cybersecurity Training Tips

Providing kudos, we know executive involvement is key.

You want the training to be focused on positive things to do. It helps improve the organization’s security. So always approaching it in that message rather than “I’m going to have to do this because it’s required, but I think it’s a massive waste of time.” Trying instead to encourage the staff to feel that they’re protecting this organization, that they care enough about to work for. So, putting them all in the same army, protecting your organization. 

Every organization is different. There may be a mandated baseline training, but you may find that your organization is really competitive. So having quizzes or having some kind of leaderboard might work for you. Or if your organization is more co-operative, having games or having mini trainings is better because your schedule is so hectic all the time. So, trying to identify the culture and the style is helpful.

Remedial training, of course, calling it remedial may be difficult, but it should be quick, it should be relevant, it should be instant. As Matt said before, when you click on the thing, immediately getting some information and education about what was wrong with that email, that was a fake phishing attempt and what you could have looked at to see and just so that you’ll know next time. That really helps benefit the people who are the clickers. 

And then practice, practice, practice. Familiarity with the types of attacks and scams is more than half the battle. Doing those micro trainings, having the phishing emails come right to your email, doing frequent trainings also helps you introduce new scams as they’re kind of coming online, so hopefully you can train your staff before they get a real one from the wilds that’s that new scam that they don’t know about.

A couple of months ago, last summer, we did a webinar on being a learning organization that I think was just really helpful.

We’re going to move along and go into analyzing a suspicious email. So Matt, you were going to talk a little bit more about phishing.


Analyzing a Suspicious Email

Matt Eshleman: Yeah, so I think some of the terminology is important. We’ll talk about the specific steps that you can take to critically look at a message, check for those red flags, and then an encouragement always to be able to ask someone or submit a ticket. That feedback loop and that engagement with IT is a really important aspect of the whole process.

Carolyn Woodard: You never want to make it so that people feel afraid to tell you that they’ve clicked on something wrong or made a mistake, because the longer it lasts, the worse it’s going to be. 


Spam Vs Phishing

Spam versus phishing, we’re going to talk a little bit about spam being those unwanted communications for goods or services. They’re sent in bulk, you’re just on a list, you’re getting something from a legitimate company where they’re hoping that you’re going to order something from them or what have you, versus phishing, which is a type of social engineering in which the attacker pretends to be someone you know, to gain access to something you have.

Often with phishing there is a link, there’s something that they’re trying to get you to click on or give your information to them so that then they can use it for something else.

Matt Eshleman: Thanks for providing that definition. I think a lot of stuff gets blobbed together, but it is pretty clear.

Spam is just unwanted messages, it’s pretty clear who it’s from, you just don’t want it. It’s okay to unsubscribe, it’s okay to delete. All those things are important steps to take.

With phishing, there’s often these red flags that you can see in the message, and that should trick your spidey sense to analyze the message and look at it in more detail. There’s often this appeal to human emotions, a sense of urgency, maybe that authority gap, maybe some threatening language or maybe even unrealistic promises or free money. “Hey, this great deal, click on this, this limited time offer, right?”

We see these techniques in a range of engagement messages that we get. But I think the phishing messages particularly use this technique because they’re relying on us to take that action. 

There’s often this vague or generic greeting, or maybe a formal greeting, if they’re scraping your information off of LinkedIn, maybe they’re going to refer to you as Matthew, not Matt, or dear user, or just “greetings.”

Go over the misspellings and grammatical errors, this still does happen, although I must say, with the advent of all these AI tools that are free and easy to use, well-crafted, sophisticated messages with good tone and proper grammar are the rule now. And some of those things we used to be able to rely on just aren’t the case anymore. 

Then, obviously look for suspicious attachments. What we are seeing often is that there will be some kind of… The link itself isn’t maybe malicious, but the link goes to a document, and in the document, then there’s another link to go to or some other instructions to follow. And so, it avoids the virus scanners that are in your email tools, but then takes you to another location, maybe that isn’t as well protected. And then, they’re going to try to get access to your information through there. 

The things that we’ll really look at, and we have some examples here in the next slide or two, is the information that doesn’t match right at the sender’s name, email address, or the logos, URLs. You know, those are really the bedrock techniques to really understand, is this message coming from who I think it is or who it says it is?

And then the follow up, right? Click on the link and sign in, all those requests, those call for actions, really, are the beginnings of many scams to try to intercept your credit cards, your password information, to take those next steps down towards a financial attack.

Carolyn Woodard: So, here’s an example.


Hover Over the Links

Matt Eshleman: I’ve used this in a couple of presentations, right? This was sent to me. It was actually a while ago at this point. Online Invoices is a real company. This is their branding. Everything looks correct. All the links in this message are accurate.

Except for if you hover over the “view invoice,” instead of it going to Online Invoices, it’s actually going to corporatecatererscleveland.com, which is not Online Invoices.

And then if you notice up in the from field, the display name is Online Invoices, Inc, all rights reserved. Very formal. The actual reply email address is yourinvoice@medsdirectinc.com.

So, what that tells me is that perhaps there’s problems both with corporatecatererscleveland.com, right? Their website maybe has been compromised and these threat actors are now using it to host a malicious web page. And at the same time, medsdirectinc.com, maybe that’s a domain the hacker set up, maybe it’s a compromised account, but they are using that obfuscation to target me.

I pay a lot of bills. I get a lot of invoices, right? And so, it wouldn’t be unusual for me to get an email from Online Invoices. But in this case, because of hovering over the links and looking at the reply-to address, we can determine that this is indeed a phishing email that’s designed to take me down the road of making a payment to a vendor that doesn’t exist.


No Links but Still Suspicious

What about when you don’t have links to look at, right? This is something that we see on and on. It’s really frustrating that these things sneak in through the spam filters, but there’s just not that much to go on, right, for a spam filter to analyze this. 

So, this is an example, right? “I need you to run a quick task. Let me know if you’re available.” 

Again, we see those elements of a sense of urgency. There’s a little bit of that authority power dynamic, where the executive director is asking a subordinate to do something. “Don’t bother me. I’m in a meeting, do a quick task.” 

But if you would interact with this, then there’s probably a call for “Hey, I’m out. I’m in a meeting. I need some gift cards for this purpose or that purpose. Can you just do it? I’ll reimburse you, or you’ll get reimbursed whenever you get back into the office.” And then away goes the gift card money. 


Wire Fraud

And then again, the same thing, moving up from gift card scam, which is often denominated in the hundreds of dollars, the wire transfer fraud is really prolific. The bad guys figured out it’s way easier just to ask you for $50,000 than to write a sophisticated virus that needs to be deployed on a system and encrypt your files, and you got to buy Bitcoin. And so, it’s just easier to say, “Hey, can you process a wire? Here’s the updated information. We’re having tax issues with our bank.” 


IRS Fraud

I would completely foresee that in the very near future, the bad guys are going to know, right? 8,000 IRS workers have been axed. You’re going to get a whole bunch of emails that say, “Hey, we’re having problems. I’m from the IRS. We’re having problems processing your tax information. There’s been a problem. We’re understaffed. Here’s the updated information to make your payment.”

I guarantee you that those messages are going to start landing in your inbox soon. Again, the bad guys know it’s just a lot easier to ask. Again, the wire transfer, that sense of urgency.


Prevention: Follow Your Established Procedures 

So, it’s important to have these pre-established systems in place. How does your organization change? Make wire transfers, who’s authorized? How do you verify the destination that you’re sending it to? Is it trusted and is it legitimate? 

And that really should involve something other than email. Because it’s very likely that even if the sender address, even if this Tom person is from an organization that you know, it’s possible that their account is compromised. 

We see that being a technique that the threat actors use, is that they will compromise an account and then they will use that compromised account to reach out to trusted organizations in your address book, that you know, on your website, they know who you interact with. And so, it’s important to have those pre-established processes in place.

I think we have a whole webinar about financial fraud.

Carolyn Woodard: Yeah, I was just going to add in, don’t do those workarounds. Make sure you follow the processes that you have. They’re there for a reason.

Matt Eshleman: And then here, finally, so this is an example of the message from the KnowBe4 platform. In the platform, you can toggle to see the red flags. And if we would do that here, you can see that the from field says Microsoft, but it’s actually from microsoftsecure.net, right?

That’s not the correct thing. We see that call to action, “Here’s a QR code, right? Scan this link, take this additional step.”

All those are some red flags that would call us to be critical in terms of evaluating the message and its legitimacy.

Carolyn Woodard: So, we only have a little bit of time left. I think we’re going to have to go quickly through this so we can get to a couple of Q&A. But we did want to talk about what do you do after you find a suspicious email?


What Next After You Find a Suspicious Email?

How do you make staff aware of the resources they have and what their next steps should be? Remembering that the cover-up is always worse than the crime. Staff should always feel safe reporting mistakes and they should know not to try and fix the problem themselves.

Matt Eshleman: I think that’s exactly right. I think having a trusted relationship between IT and the staff is really important. Again, if somebody clicked, it’s okay. IT wants to know about it so we can remediate it. Often, we reset passwords, maybe we’re going to scan the computer, we’re going to look at some other things just to verify that that click didn’t turn into access. There’s a couple of different tools.

We use KnowBe4, which gives us a super easy and integrated way to use what they call the Phish Alert Button, so that staff can be instructed to just click Phish Alert, and then it gets submitted to an email address that you define. For in-house IT departments, we would just suggest making that a separate mailbox that gets reviewed or checked once a day, just to verify and see what’s going on. It gives you that ability to engage with your staff, see what they’re seeing, identify what’s being reported, what’s being sent, and maybe what’s not being reported.

This is something KnowBe4 does really well, and I’m sure that there’s other tools available from other vendors that have a similar style. If you’re just getting started and you don’t have a way to programmatically do this, the ability to forward as attachment is actually on that slide, right? So, you can forward a message, instruct your staff to forward as an attachment, and that will preserve the message and its headers. As an IT person, you can evaluate that message, just to get a little bit more information for future investigation.

Whenever we have our clients submit that phish alert, we want to make sure that it’s suspicious for review. It’s not a way for your staff to send you all their junk mail instead of unsubscribing from it, you know? It’s an educational piece, right? It’s defining (for staff), hey, there’s spam, and it’s benign, let’s unsubscribe, let’s clean it up or mark it as junk.

If it’s suspicious and you want somebody to review it or evaluate it or report it because it may have impacted other folks, then that phishing classification is justified. 

And so finally, think before you click. If you’re unsure about who an email is from, don’t click on any links or attachments found in the message.

For those of you that are just getting started, there are lots of great free resources. Staysafeonline.org is a federal resource. I think it’s still up, but it’s a great resource for some of those security awareness trainings as you’re just getting ramped up.

If you’ve done the free stuff, maybe you need a bit more integrated tools. There’s a lot of different security awareness training platforms out there that will help automate and streamline a lot of these processes. 

As you’re reflecting on your own program and all the stuff, I would just encourage you to do one more thing, right? If you are in a category, where maybe you’re annually doing training, maybe be more intentional about giving your staff a way to report suspicious messages to IT. 

If you already have KnowBe4, using that Phish Alert Button can be great.

If you’ve already got that in place and you’re only doing monthly or annual training, I really think that quarterly cadence is probably a good next step, it’s our minimum, right? The quarterly cadence just to get in a rhythm of reviewing, evaluating, and learning new stuff. 

If you’ve already done that, start a monthly newsletter, maybe a staff meeting moment for IT, that can be a great way to get engaged or go all the way up to doing monthly trainings that really are in line with your organization’s culture. Maybe it’s fun games, maybe you want to use the mini-series option, which is in KnowBe4, which is a surprisingly fun thing that we’re getting feedback on.

But again, I would just encourage whatever you’re doing right now, look at taking one more advanced step or maybe two to get more engagement with your staff and more fully embrace the security awareness training platform at your organization.

Carolyn Woodard: To learn more about Community IT’s cybersecurity offerings and schedule time to talk with Matt for a free assessment or just to ask him more of your questions, please go to communityit.com/cybersecurity and you’ll find more information there. We also have a lot of cybersecurity resources on our website, including a free download Cybersecurity Playbook for Nonprofits that talks more about how we think about cybersecurity and where staff training fits in your cybersecurity strategic planning. 


Q&A

We had a couple of questions.


Compliance Requirements for Nonprofits

One that I thought was maybe we could get to is that from a compliance point of view, are there specific legal requirements for nonprofits, compared to banks, healthcare, insurance companies which all have very specific compliance that they have to go through? Do nonprofits have anything like that in the United States?

Matt Eshleman: I mean, probably the short answer is no, although we are starting to see more compliance requirements come through the financial audit aspect. So, if any formal compliance requirement exists, it’s going to be coming through that angle right now.

Carolyn Woodard: Here is a podcast that we did not very long ago on that new auditing requirement. It’s called SAS 145. So, you can find out a lot more about it there.

Matt, we have a couple more questions. 


Using VPNs Securely

One was about VPNs. We are an orchestra. We use a VPN when logging into our ticketing software, which also processes credit cards. Our other process is to use Square whenever we’re at a concert. So people, I guess, can buy the ticket right there.

So, which is better? Do they have to choose or does that sound like a pretty good setup?

Matt Eshleman: I mean, I think that sounds like a good setup. I think with credit cards now you get into what’s called PCI compliance. One of the aspects of PCI compliance is that basically any interaction with the card data holder environment needs to come under additional scrutiny.

Using a VPN may be a way to funnel down which systems need to be scanned or help to meet some of those PCI requirements. As with all things PCI, consult your own policy and legal guidance for that. But again, certainly with some of those security standards, that could be a good use case for the use of a VPN.

Again, I would just make sure that if you are using a VPN, it’s not a consumer grade product, because that can bounce you around and just make it complicated to monitor. You want a business class system, maybe you’re buying a dedicated IP that’s always assigned to your organization. That can be an effective way to clearly articulate that traffic from this address, this IP, that’s valid going to these systems.

Carolyn Woodard: That sounds good, especially where there’s money involved in people’s credit card information. 


How to Report Junk Mail Vs Unsubscribing

We have another question that asks, it’s always best to report as junk instead of unsubscribing, correct? When you unsubscribe, can that lead to a connection to a scammer?

Matt Eshleman: I know that this goes back and forth and some of the guidance is don’t unsubscribe. That just confirms the bad guys. 

I will say, I mean, our experience has been in general, if you’re receiving, I don’t know, legitimate spam, and in most cases, right, it’s that you signed up for something a long time ago and you forgot about it. I mean, my experience has been pretty good that clicking the unsubscribe button within a message does in fact, remove my address from those lists. 

If you’re getting something that seems extremely scammy, like misspelled Viagra ads, maybe that unsubscribe is not going to work. But if you’re getting marketing newsletters for stuff that you’re not really interested in or that isn’t relevant anymore, the unsubscribe stuff, I think, works fairly well there.

I mean, I know on the other side, sending newsletters, the bar is pretty high to make sure that the tools that we’re using include a valid and active unsubscribe process. If you’re receiving mail from HubSpot, MailChimp, all those big mail services, those unsubscribe processes are going to work and be effective.

Carolyn Woodard: Yeah, those are required by law in the United States, at least, that you have to be allowed to unsubscribe. It has to be pretty easy and obvious. I would say also that if you do try to unsubscribe from something and it turns out not to be a real unsubscribe, the block button is your friend. You can block that address and then if you get more that are associated with it, just go ahead and block those too because now you know. 


Training Templates for Staff Training

Someone says, where can I find information to use as training materials for staff? Do we have training templates that clients use?

That resource that we gave earlier, the Stay Safe Online, do they have any information on training or do you have any free resources that might be? We do not have any on our website, so I’m just wondering if there’s somewhere else that people can find those sorts of things.

Matt Eshleman: Yeah, I mean, Stay Safe Online, that’s the National Cybersecurity Alliance, has some good foundational resources to help you get started. I think that’s a great place.

Techsoup.org. I’m not sure if it’s free anymore, but I did a two-part Security Awareness Training course for them that was free for quite a while. But again, there could be some additional free resources there.

I think if you use a Google search, you’re going to find free resources to get started.

I think the benefit of getting a Security Awareness Training platform is that it ends up automating a lot of that, and it’s not going to be relatively that expensive to do. Even if you have no money at all, there’s free resources out there.

But again, getting an automated Security Awareness Training plan is, again, a pretty affordable thing in the grand scheme of things.

Carolyn Woodard: Yeah. Now that makes sense. We have another question.


Can KnowBe4 Send Test Text Messages?

KnowBe4 can perform testing with email attachments, URLs, and QR codes. I believe the question is, can KnowBe4 send a test SMS message to see if they can get people to click on it and then give them the training?

Matt Eshleman: No, not anymore. They actually used to have it as a module. You could load up all these: vishing or voicemail, where they would call, or text messaging.

But they actually don’t or can’t do that anymore. There are some FCC regulations about unsolicited texting. So KnowBe4 is a company that follows the rules, they don’t (text anymore). I know that we’ve worked with some specific pen testers that will build some custom stuff and do it. But in terms of whatever commercial off the shelf security awareness training tools, I think that’s one thing that isn’t really available anymore because of some of the other federal regulations about communication standards.

Carolyn Woodard: So, you can just do those micro trainings on, “if you were to get this kind of text to your phone, this is how you would handle it to click on it.” 


Where to Get the Presentation?

Eric is asking, where can I find the presentation? So, this has been recorded and it will be a video available on our website.

I also put it out as a podcast, so there will be a transcript from that. And then the transcript I will also put up within about a week usually. It takes a little bit longer to get the transcript up, but the video should be up within a day or two. All of our webinars are available there. There’s no paywall. You don’t have to sign in or anything.

We really believe that helping our community have these resources and you can search for all different topics. There’s a ton of cybersecurity stuff there, but there’s also webinars on leadership. We’re doing this one on Microsoft versus Google Workspace.

So just have a look at our resources and hopefully that can help you. Okay, we have one more question. I think this will be the last one. 


Are Soft Phones (VoIP) Secure?

What about the use of soft phones that are installed on a laptop but need connection to the PC to manage calls? Is that a voice over IP thing?

Matt Eshleman: I’m not sure. I know a while ago, especially the receptionist phones, some of the soft phone software was kind of antiquated. We had to maintain several older versions of Java to support the local attendant console. But hopefully, I mean, there’s lots of great cloud-based solutions that can do all of that in a secure manner.

Carolyn Woodard: So, I would guess if you’re using an official voice mail system for your voice over IP for your organization, that they would have security built in because they’re a vendor and you’re subscribed. But it would be something maybe to look at that vendor and just ask them about the security or if there are vulnerabilities. 

So, I think that’s it. Thank you so much, Matt, for your time. Thanks for staying on a minute or two later. Thanks for everybody who stayed with us for an extra few minutes to get these questions in. And as I said, they will be in the transcript. 


Learning Objectives

I’m going to go ahead and go over our learning objectives quickly. We went over the cybersecurity landscape and framework, why it’s so important, the importance of training, and then we gave a couple of examples of training and practice.


Next Webinar

I want to make sure to mention that next month, we are going to be answering this perpetual question of whether Microsoft or Google Workspace is a better platform for nonprofits. If you are going to start a nonprofit from scratch tomorrow, which should you choose? What are reasons to switch platforms? Can you manage a hybrid of the two platforms together, or is that a recipe for disaster? 

Join us next month on March 19th at 3 p.m. Eastern, noon Pacific, when our CEO, Johan Hammerstrom, and our Director of IT Consulting, Steve Longenecker, are going to draw on their experience to talk about these two platforms. And you can register for that now on our website.

And Matt, thank you so much for making us smarter today about training. We really do believe that your staff are your eyes and ears. They’re the ones that are going to be the first to be attacked in this way with phishing emails or these other kinds of social engineering scams. So, making sure that they know what to do is really a very basic thing that you can do. And it doesn’t have to be expensive, but it does have to be intentional. You have to have leadership involved and really make that a learning environment, not punitive “you’re going to get in trouble,” that sort of thing. Trying to get everybody on the same page to protect your organization, I think, would be our overall tips. 

And then we really just like this tool that we like to manage. It’s called KnowBe4, but there are other tools out there. So Matt, thank you so much again for your time today.

Matt Eshleman: Great. Thank you.

Carolyn Woodard: Thank you, everyone.