Community IT Innovators Nonprofit Technology Topics

Cybersecurity Tabletop Exercise for Nonprofits with Matt Eshleman pt 2

Community IT Innovators Season 6 Episode 31

Learn how to run this valuable training tool from Community IT Chief Technology Officer and resident cybersecurity guru Matthew Eshleman, who explains how to carry out a cybersecurity tabletop exercise for your nonprofit and why this type of active testing is so valuable to your security planning. 

In pt 1, Matt and Carolyn go over what a tabletop exercise is and how they fit into your cybersecurity planning for your nonprofit. In pt 2, Matt describes 3 scenarios specific to nonprofits that you can use, and reviews general lessons learned and best practices from his work with clients.

Make regular cybersecurity tabletop exercises part of your nonprofit incident response plan.

Do you regularly practice your nonprofit’s cybersecurity incident response?

If you haven’t had a cybersecurity incident yet, count yourself lucky. If you have, you probably encountered some questions you wish you had had the answers to before the incident began to unfold.

That’s where a cybersecurity tabletop exercise for nonprofit has enormous value. A cybersecurity tabletop exercise simulates a cybersecurity incident in a controlled environment so you can practice your response and discover weaknesses before they become damaging. 

For example, a staff member alerts you that they clicked on a malicious link in an email and now their laptop is “acting funny.” Do you have a phone tree of the people you need to contact? What if someone important is on vacation, who do you contact then? What if everyone’s laptops are frozen, can you still access important contacts? What do you do next? 

Cybersecurity tabletop exercises can be elaborate or simple, run by a consultant or run from within. It is surprising how many nonprofits that regularly review and evaluate their programming never use the same principles to evaluate their basic cybersecurity preparedness.


How can your nonprofit get started on this practice?

If you’ve never walked through a cybersecurity tabletop exercise at your nonprofit, you may be intimidated at the prospect or have trouble prioritizing it and carving out time on everyone’s calendar. In this webinar, Matt introduces some popular resources, describes common examples of tabletop exercises, and explains how to adapt this skill-building exercise for nonprofits. 

Matt Eshleman has run through cybersecurity tabletop exercises with many nonprofit clients and guides you through best practices and first steps to get started. Don’t wait to introduce this valuable training tool to learn where you can strengthen your practices and better protect your organization in these challenging times.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

Download the free eBook on Cybersecurity at Nonprofits: https://communityit.com/download-cybersecurity-readiness-for-nonprofits-playbook/

_______________________________
Start a conversation :)

Thanks for listening.


Carolyn Woodard: Welcome, everyone, to this Community IT Webinar Cybersecurity Tabletop Exercise for Nonprofits with Matthew Eshleman, who is going to explain how to carry out a cybersecurity tabletop exercise for your nonprofit and why this type of active testing is so valuable to your security planning. My name is Carolyn Woodard. I'm the Outreach Director for Community IT.

Matthew Eshleman: My name is Matt Eshleman. I'm the Chief Technology Officer here at Community IT.

Carolyn Woodard: Now I think we’re going to go on and the moment you’ve all been waiting for, actually talk about how you would do it. 

Unfortunately, we cannot do breakout rooms today in this webinar and actually have you sit and do it. 

And also, that probably wouldn’t be something that you would do with strangers from other organizations. It’s something really that within your organization, you need to identify those stakeholders, identify the key players and have them all in the room together. 

I tried to find some scenarios available online if you don’t know where to start. And it’s really hard to find them for nonprofits specifically. The scenarios that are out there just don’t seem to really fit a lot of what we’re seeing and what our organizations do. 

So, we prepared a few, they’re here, or you can create your own. It’s actually probably a good thing for nonprofit organizations to be mindful and surface things that they’re really concerned about, and you can create a scenario out of that.

If you’ve got something that keeps you up at night or you’re wondering about, what if I clicked on the wrong thing in that e-mail? Do that as a scenario and find out if your response plan can handle it. 

And you could get people from other departments involved, the stakeholders thinking about like the things that they worry about.

Being creative can help get your conversation started. 

Usually this would be around a tabletop. You would have a meeting room or a Zoom call with the stakeholders and representatives. You give them a scenario and a time limit and have them try to respond. 


Scenarios for Tabletop Exercises for Nonprofits

So Matt, do you want to read through some of these scenarios?

Matthew Eshleman: We have a couple of scenarios that we’ve identified that certainly give me heart palpitations. And as Carolyn said, this is a good opportunity to really test out those scenarios, right? The proverbial question like what keeps you up at night? Those can be great places to start to say, okay, well, what if this happens? How do we go ahead and respond? 


Files are unavailable

This is under the heading of cybersecurity. We have a scenario here, some of which may have been initiated by a malicious external actor, and some may be done accidentally. The first one is files in the HR library are unavailable

In that scenario, what does that mean for your organization? Is this kind of something that you have defined in your incident response plan? How severe is it? What type of response does this dictate?

Loss of access to information; you can fill in the blanks. This could be files in the HR library are unavailable. Why is that? Maybe the permissions are just missing, or maybe they have been deleted, or maybe it’s been encrypted. 

I think for the tabletop exercise, it’s actually good to start with a relatively basic top-level description, and it provides the opportunity to discuss some of the different scenarios that may be contributed to this case.

In that discovery, you may have different responses. A data unavailability issue. That’s one scenario to talk through.


Contacted by threat actor claiming to have your CRM database

Another scenario, and we can see this sometimes, you’re contacted by a threat actor who claims to have accessed and downloaded a copy of your CRM database.

So obviously, that raises all kinds of red flags, ranging from how do we confirm that is in fact true? 

Maybe we need to verify the type of information that they claim to have. If we’ve done a good system inventory, we would know what kind of data is in there. Do we have any personally identifiable information? Are we keeping social security numbers as part of our CRM, or driver’s license, or banking information?

You can kind of build it out to your unique scenario to decide how big of a deal is this? 

This is maybe a scenario where if this is in fact confirmed, you actually need to contact and provide disclosure to all of those constituents that, hey, we lost your data and here’s what we’re going to do as part of that response. 

Maybe you have a reporting requirement in your jurisdiction. So again, loss of data, right? We know this is out there. It happens.


Compromised account sending emails out

And then a third scenario that is probably not that in common, but maybe a compromised account at your organization. And that account is now sending phishing emails out to everybody on their contact list. 

We have a known threat actor, has taken over an account that’s trusted, and now that account is sending well-crafted messages to everyone in their contact list. And that number is in the thousands.

The incident response plan ideally would have some guidance in terms of what those initial steps would be for various levels of severity of potential cybersecurity incidents.


Add a Twist

Carolyn Woodard: I know when we do these as an actual exercise, you usually add a twist, right?

Matthew Eshleman: Yeah. It’s never as easy as it first seems. I think adding the twist, and I think this goes to the preparation for these scenarios and thinking through what are some likely or maybe extra challenging scenarios to highlight.


Lost data twist

So maybe in your first scenario is, oh, we lost our HR data, that’s no problem. Here’s our backup and disaster recovery plan. We’re going to follow that.

It’s all detailed in our incident response plan. But hey, what if the twist is, well, wait, it’s actually not just the HR files that are missing, but we actually realize our whole policy library is now gone or inaccessible.

And that’s where the incident response document was. Does this document exist anywhere else, right? Do we even know who to contact because we had our insurance provider on there and we needed to reach out, but now we actually don’t know what that number is because we don’t talk to them that much. 

Adding a little bit of a twist can help to surface weaknesses in a plan or identify areas that maybe aren’t fully complete.


Threat actor claims to have CRM data twist

You know, kind of in that second scenario where we said that we lost the CRM data, or the CRM information is no longer available. It turns out the director of the development department that manages that platform is away on vacation. Who has the backup, you know, what if other directors are unavailable? Is there any redundancy or resiliency in the plan?

Or does your incident response plan really hinge upon maybe one key person? And if that person is unavailable, how does communication flow? Are there other people that are aware of what needs to happen next?

Are there other people in the organization that have the relationships and connections with maybe external partners that would be a resource to help in this case? 


Compromised account twist

Then the third scenario here is that, well, it turns out that it’s not just a compromised account for our executive director, but we’re locked out organizationally

It turns out the executive director was also a global admin, so they have permissions to the whole tenant, and the hacker just locked everybody out of the whole Office 365 environment and so now, instead of relying on maybe Teams messaging to chat and coordinate a response, we’re locked out.

So as an organization, do you have the ability to contact staff through other means? Is that something that you have access to outside of your primary system? 

A couple of these little twists can help identify weaknesses in the plan and maybe areas for improvement or revision.

Carolyn Woodard: I think also I’ve seen it where that time limit you give people; you’ve only got 10 minutes to respond now that we’ve added this twist. You give people a little bit of an urgency in playing the game or doing this response, trying to work through, strategize what you’re going to do and how you’re going to do it. And that gives people just that extra like, oh, now what do we do? And I think it can help.

Matthew Eshleman: Oftentimes, initial scenarios are probably things you thought about before, that probably has a clear next step that you’ve also already thought about. Adding in a little bit of a twist or additional bump in the road can help jar some of those static assumptions aside and give you maybe a new perspective on how you’d respond, especially if maybe you were the person that wrote the Incident Response Plan, and you were thinking about things in one way. Having something come out of the blue to really challenge those starting assumptions can be helpful in just making sure you’ve got a more complete view of the overall situation.

Carolyn Woodard: Especially finding those single points of failure, where there really is one person that you’re expecting to be able to do it all, and that person can never go on vacation then. 


Common Lessons Learned Doing Tabletop Exercises with Nonprofits

We’re going to hit a few of the lessons learned. If you want to share with each other, if you’re new to this idea, what is it making you think of?

Are you already taking away maybe some lessons that you’re newly thinking about? 

Matt, you’re going to tell us about some common learnings. There’s no one size that fits all. The value of the tabletop exercise is to your organization, your specific risks, your staff and how they would respond, your response time, your response plan, your insurance broker, who you’re going to, who’s on your phone lists, all of those different things.

We do these types of exercises with our clients a lot. So Matt, you were going to tell us some of the things that come up a lot when we did these exercises.


Too Narrow in Scope

Matthew Eshleman: Having gone through these a number of times, I think some of the common weaknesses that we see in an organization’s incident response plan is that often, it’s too narrow in scope. They think of IT issues as just maybe a few well-defined scenarios, a compromised account or if you did a ransomware. I think the full breadth of the organization’s data is often not included in these incident response plans, I think particularly if they are rooted in the IT department doing it all. 

Make sure that the incident response plan itself encompasses really responding to all of the organization’s information systems, not just an IT email files, that kind of thing. Making sure that the incident response plan covers a variety of scenarios and really the full breadth of the organization’s data. 


Single Points of Failure

As Carolyn kind of connected the dots there, often the incident response plans have lots of single points of failure. There is one contact, the office manager or the operations director, they do everything.

And so, if that’s the case, and they’re on vacation or they’re out of the office or they’re not reachable for whatever reason, if the entire incident response plan really hinges on one person who has the relationship with the internal IT department or the vendor, if you use a managed services provider or the insurance provider. Yeah, so lots of cases. 

For organizations that are small to mid-size, it is hard to build in that redundancy and resiliency in a plan.

But again, think through – that could be your twist. The one person that is really responsible for everything, yeah, they’re unavailable. What do you do next? And maybe some time framing around that is an important thing to include. 


Relies too Heavily on Outside Partners

Again, maybe the plan relies too heavily on outside partners. As I mentioned it before, Community IT, as a Managed Services Provider, we have an incident response role for an organization, but we are not our client’s incident response plan.

We’re a part of it. We don’t do it all. Organizations need to have the different roles that they need to have filled right in terms of communication, maybe a cyber liability insurance provider has a role, maybe a data team has a role, maybe the board or oversight has a role.

And the answer can still be, well, we’re going to contact our MSP partner and they’re going to do the technical remediation. And then our communications team is going to handle the public messaging. And here’s how we’re going to keep our board up to date, and here’s how we’re going to keep the cyber liability insurance provider up to date.

All of those different elements should be included as part of the incident response plan. Doesn’t have to be hundreds of pages of documents, but it should be a pretty clear and concise way of engaging with all the different roles that are required whenever you’re responding to a security incident. 


Roles not Defined or Understood

And then again, some challenges with those plans.

The roles aren’t clearly defined, or maybe that the person whose name is associated with the task doesn’t really understand or maybe can’t fulfill those requirements. And so that can be another challenge. If you find your name on an incident response plan document for your org, hopefully that’s not a surprise to you.

And so that can just be going through this tabletop exercise and say, hey, all right, Carolyn, if this happens, here’s your responsibility. And you can say, oh, I knew that, that was really clear. I’m well prepared. Or, wait a minute, I didn’t realize I was supposed to do that. It could be an opportunity for that conversation to occur.

Carolyn Woodard: I love that. I love that in the course of doing the exercise, you can be strengthening that response plan. That’s really good to think about it.


Common Incident Response Flow

We’re going to talk a little bit about some of the common incident flow that we see when we have incidents that we have to respond to at clients. And again, just say, this is kind of the generic overview of what the flow might look like generally. And we have a flow chart on the next slide showing it as well.

But when we respond to incidents, Matt, do you want to say a little bit about how it usually tends to happen?

Matthew Eshleman: We’ve got the incident identified. That could be something, again, a person at the organization noticed like, oh, I’m getting all these bounce backs. People ask me why I’m sending them this message, or maybe you have some proactive security tools that have identified and maybe block that, so we know something has happened that really shouldn’t. 

Then there’s often an internal scoping or boundary of, here’s the scope of the issue that we’re aware of right now. 

The next step often is to contact the IT partner, if that’s you, as part of an internal IT resource, or maybe you have an external IT partner to help, I think, confirm or affirm whatever the project scope is.

For us at Community IT, we’re able to go in, and identify the scope. Is it, yeah, it turns out it’s just this one person’s email that was compromised. We can identify that it was compromised 30 minutes ago. We know they sent seven messages. They didn’t log in anything else, right? 

And we can say, all right, this is self-contained and we’re going to reset the credentials, reset the MFA, evict the bad guy, make sure everything’s locked down, reach out to the people that were emailed and say, hey, this was sent in error, please don’t open it, right? 

That could be the extent of it. 

But in the case of, maybe your IT partner gets involved, maybe you’re an organization that has, for example, a HIPAA compliance requirement and the data involves disclosure of a privilege or personally identifiable information. Well, now we have a whole different scenario on our hands.

And so then at that point, after doing that initial analysis, we say, this account was compromised. The compromised account access, person identifiable information. This looks like a data breach.

We need to bring in our legal counsel to help scope this and handle a more comprehensive response that’s going to involve cyber liability insurance, maybe an incident response vendor

It is helpful, especially if you’re in organizations that have more sophisticated compliance requirements, to understand where those levels are. Because it can be pretty significant gap between walking out a compromised account to maybe having the disclosure of person identifiable information.

Carolyn Woodard: Something that I didn’t know until we did that webinar about cyber insurance, cyber liability insurance is that often, your cyber liability insurance broker is one of your resources, and they see this throughout their clients, and they also know the next steps that you need to take, how you assess, how serious it is, when you have to alert authorities, all those steps, and they have resources that are available to you. It’s part of what your insurance pays for, so make sure that you use them. 


Other Resources 

We have a few additional resources, Matt, you were going to talk about. We covered a lot very quickly today. If you do want to pursue doing this exercise with your organization but you have some more questions, there’s some additional resources. Matt, you were going to talk about this.

Matthew Eshleman: I think just to maybe put a final point on some of those external resources. Again, another, I would say, common lesson learned is that organizations, maybe they have the cyber liability insurance piece, but maybe they don’t have an incident response retainer, or if something really, really bad happens, the capacity to respond to that incident may exceed what your in-house IT team or even your IT partner can do, right?

Community IT, we’re a great managed services provider. We can do really good first-order response, but we can’t do everything. If there’s a really serious breach, our clients would work with their cyber liability insurance vendor to get another incident response in place.

And depending on the contracting at your organization, that may be something that you identify as our contracting process takes six weeks to complete. If something really bad happened, we want to have some of those business relationships in place ahead of time. And so that whenever we have an incident, we have a clear process, we already have the business relationships in place that will help us handle that and respond fully.

External Legal Counsel can be a great resource and often have extensive experience in this area. Some of the best tabletop exercises that I’ve been a part of, I did not lead but was a participant that was led by Legal Counsel because as something that really involves the entire executive leadership of the company, they have that external, that gravitas that can really be helpful in these scenarios.

Taking advantage of your Cyberliability Insurance Providers, they may provide this as a service or they may have, again, some resources and toolkits available to help you get started to make that a really meaningful and productive time together. 

There are other resources, right? CISA has a whole bunch of resources. It’s pretty big, it’s pretty broad, but again, can be good to help cherry pick some of their content to help design a scenario on your own. 

And then if you’re on the IT side, Backdoors and Breaches is a kind of a gamification version of this, and that can be a fun way for IT teams to kind of play through different scenarios. There’s kind of an online card game; there’s physical decks that can be used. That can help you think of these different scenarios, think of how your organization would kind of respond, or particularly if you’re an IT team, how your IT team would respond, think about how they include some of the randomness, right? There’s kind of a dice roll as part of it to be like, oh, like, we’re going to go to backup. You can roll the dice. Oh, our backups aren’t available, or oh, we’re going to go to the logs to see what happened. Oh, you have log files, now you can investigate. 

Backdoors and Breaches is probably more focused on the IT team specifically but can be a good way to just kind of think through different scenarios, making sure that you’ve got all of those pieces in place to be able to respond effectively. So again, a great resource to use.

Carolyn Woodard: Susan had put in the chat a resource that they did a gamification, the Inside Man New Recruits game. I mentioned that as well. She said it was a great resource.

And if you remember back to that graphic that we showed at the beginning about how we think about cybersecurity, that security awareness training for staff is a really big, important pillar of that, layer of that. 

They are the other half of the incident response plan, right? Or the initial part is, do your staff recognize that something weird is happening? Or if they get an email and they do click on it, and they, sometimes you instantly are like, oh, I shouldn’t have clicked on that. Do they know how to tell? Because, right, that’s going to be the incident, the real-life incident, that then is going to start everything in motion with your response plan.

It is kind of a related piece of it, of making sure that staff have that training. 

I want to go on and let people know what our cybersecurity offerings are. You can find more information on our cybersecurity services at communityit.com/cybersecurity.

You can find all of our previous webinars, our downloads, our articles on cybersecurity on our site, including information on insurance controls, the downloadable cybersecurity playbook that we mentioned, resources on training your staff. 


Our Cybersecurity Services

Right now, I want to make sure that we have some time for Matt to answer a couple of questions. But if you don’t get to your question or you just have more, or more specific questions that aren’t appropriate really in a webinar, you want to talk to him specifically, you can schedule a free assessment with him.

And like I said, we just started our Reddit Community, so you can go over there and ask your question too. But Matt, you want to tell us a little bit about this slide and what the sort of things that we do for clients are. 

Matthew Eshleman: I’m glad you highlighted a lot of our online resources. I think a lot of the content that we put out really is rooted in what we’re sharing with our clients. I definitely-

Carolyn Woodard: It’s free. It’s free on our site. 

Matthew Eshleman: Yes. We do have some free resources to get started.

If you need to assess your organization’s cybersecurity readiness, we do have a free online security survey that uses the NIST framework. That can be a great place to get started for organizations that are really maybe new to developing some of these cybersecurity practices. 

We also do much more in-depth cybersecurity assessments to help build out some of those roadmaps and identify maybe security controls to put in place.

Community IT has also built out a full range of managed cybersecurity services that are aligned with a lot of the controls that we see at a foundational level, complying with the cyber liability insurance applications. That’s a consistent set of recommendations that those entities are making. We’ve tried to align our services to help organizations be able to check the yes box for a lot of those things. Beyond just being able to check the box, they do make a real difference to the security that organizations are able to protect their staff and their organization data. 

Then we also have a pretty well-defined and effective managed cybersecurity training for staff. I did recognize that Insider Man, that’s I think a KnowBe4 specific training. That’s a great way to engage staff on some different cybersecurity topics. 

I would say that’s part of your overall security plan is to have training that engages, and then hopefully work towards being able to bring all those pieces together and finally, run through some scenarios to test it out, to make sure that everybody is aware of and is able to respond to an incident whenever it does occur.

Carolyn Woodard: I wanted to jump in and mention too that there’s a new piece of nonprofit auditing what you may have heard of, the SAS 145, which is new guidelines on the annual audit that your nonprofit needs to go through for financial reasons. 

Starting this year, actually, I think it started last year, but this is the first year they’re going to actually check on it, is they have to also assess your IT risk, because we know that that’s a financial risk. If you click on the wrong thing, wire the money to the wrong place, or have to respond to an incident and you have to use that insurance, those are all financial risks. You may be getting questions around that as well. Your tabletop exercise could help you say, we have an incident response plan, and it is robust. We know what we’re doing if something happens. That’s always something that you can do. 


Q&A

One question was how to describe a tabletop exercise for a small nonprofit or a nonprofit that has never done one and doesn’t really know what it is. I feel like we’ve hit that pretty strongly, but I wondered, Matt, if you could talk a little bit more about ways to talk about it that don’t scare people and that help them overcome those barriers of having the time, making it a priority.

What do you say to clients when they’re trying to get this going?

Matthew Eshleman: Yeah, I think time together as an organization, especially executive leadership, is really precious. We’re all really busy and doing the work to support the mission of the organization. 

I think some ways to frame this is in that proactive way of making sure that we have our bases covered, so that whenever that security incident does happen, and we know it’s not a question of if it’s going to happen, but when, that we’re able to be proactive and respond as opposed to really be reactive and scrambling. 

I think at its highest level, appealing to the proactive and planning nature of organizations can be helpful.

Sometimes organizations need to be maybe shocked or jarred into action. It’s also okay to use current new scenarios. I just saw in the news that there was a Minnesota Housing Nonprofit that basically had to liquidate because they had wire fraud that took all $800,000 of their organizational assets and got disappeared. 

It’s also helpful maybe to point to other organizations, hey, this organization had this happened to them, like how would we respond? What would we do?

Maybe some organizations respond a little bit more to the stick approach. Then then kind of the planning approach, but, you know, so I think framing it in a way that says, hey, like we really need to take this step because we care about our organization. We care about the staff that work here. We care about the people that we work with. And we just want to make sure that we’re as protected as we can be using the resources that we have available as a way to address that.

Carolyn Woodard: I was talking with Jenny Huftalen, who also deals with a lot of clients, and she used the metaphor that it’s a lot more expensive to go to the ER than just go see your doctor every year. I think that that might be another way to think about is, you’re going to save money compared to if you had to respond to an incident.

I want to go back over our learning objectives and whether we covered everything.

We wanted to learn what a tabletop exercise is. I hope you have a better grasp of how it works now. 

Learn why regularly doing a tabletop exercise is so valuable. Like I said, it’s inexpensive compared to having an incident that you don’t respond to well. 

Walking through a sample tabletop exercise, Matt walked us through a couple of scenarios and how you would add that twist and maybe add some other time limits on it, and then 

Discuss the lessons learned and next steps for introducing or improving tabletop exercises at your nonprofit. We know it’s hard. If it were easy, we wouldn’t even have this webinar because everybody would be like, oh yeah, I just did that last week. It was super easy.

The fact that you’re here in this webinar and trying to learn more about it and being able to do it at your nonprofit, you should be proud of that and you’re taking a step. 

We hope that we gave you some information and some examples that you can use to go back to your nonprofit and talk about doing it for real.


How To Nonprofit AI Webinar

I’m happy to announce that next month, we are going to learn how to non-profit AI with a special guest, Brenda Foster from Vanguard Communications.

She and I did a podcast together about a month ago, and I immediately invited her back to do a full webinar. I wanted to share some of her experience, her hands-on advice on how to use AI tools at nonprofits. She’s going to dig in with a lot of use cases.

She has hundreds of nonprofit clients, so she’s seeing what they’re doing and how they’re using it. She’s going to share some of that with us. Also, what she’s doing herself and how she’s been teaching herself AI, better prompts, other things it can do, how it can summarize, how it can do this, how it can do that.

This webinar is going to be pretty hands-on around actually using these tools and practical, and I hope that you’ll join us for that as well. It’ll be at 3 PM Eastern, noon Pacific on Wednesday, August 27th. You can, in fact, register for it right now.

I just published it today on our website, so I’m going to share that link with you here in the chat, and it will be on our website, of course, communityit.com. 

If you want to join us on Reddit, we’re going to be there for a few minutes now, and then over the next couple of days, so that’s at Nonprofit IT Management, and I will share that link with you too if you’re on Reddit. If you’re not on Reddit, I’m brand new to it, so we’ll learn more about it together.

And then I just want to thank you, Matt, for sharing all of this expertise and information with us. You know, we had so many people answer that poll that they had not done this yet, so I hope everyone on this webinar, you feel empowered, you feel like you can go out there and do this. 

Of course, get in touch with us if you have more questions or want more resources. We have all of our links here that you can reach us on. And you know, your time today, an hour of your time today was a gift. We really appreciate you spending that time with us when you have tons of other things to be thinking about and doing, but maybe by prioritizing this time to do the webinar today, you can help your organization prioritize the time to do the tabletop exercise.

We wish you luck, we wish you success in doing it. And Matt, just thank you again so much for helping us think through it.

Matthew Eshleman: Yes, thank you. It’s great to be able to be here. And finally, start talking about the stuff where we really put it all together. It’s great.

Carolyn Woodard: Thank you.