Unlocking Cybersecurity Love: Your Business' First Date with Resilience

This is a podcast episode titled, Unlocking Cybersecurity Love: Your Business' First Date with Resilience. The summary for this episode is:
Introducing Marie Joseph and Christina Annechino (00:52 MIN)
Understanding the Role of Risk Assessment (01:44 MIN)
Cybersecurity as a Protector (02:53 MIN)
Unveiling the Cybersecurity Love Language (00:37 MIN)
Evaluating Current Organizational Relationship with Cybersecurity (02:42 MIN)
The Tender Approach to Digital Well-Being (04:03 MIN)
Enhancing the Relationship through Assessment (02:14 MIN)
Exploring Assessment Techniques (02:39 MIN)
Significance of Compliance in Cybersecurity (03:24 MIN)
Assessing & Strengthening Compliance Posture (07:55 MIN)
Nurturing Security with Risk Management Romance (02:18 MIN)
How Trava Helps Organizations Effectively Integrate Risk Assessments (02:03 MIN)

Jara Rowe: Okay for us to go ahead and get started. I am Jara Rowe, Trava's content marketing specialist. I am here to help set the stage for Marie and Christina as they are going to share information about cyber security risk assessments and some other things as well. Just a couple housekeeping items. We do have the Q&A active, so if you have any questions throughout the presentation, please feel free to add that in the Q&A and there is time to answer at the end. And the recording will be sent in a few days, so if you have to leave early, just want to refresh your memory, or share it with a colleague, you will have that in your inbox in a few days. All right, Christina and Marie, I will go ahead and kick it off to you.

Marie Joseph: Awesome. So going into Unlocking Cyber Security Love: Business's First Date with Resilience. Want to do some quick introductions of ourselves and then we'll jump into the substance of today. I'm Marie Joseph, I'm a senior security solutions engineer at Trava. Been here almost a few years now. I do help a lot of people with their compliance journeys here, so probably have worked with some of you, if not all of you at this point. And if you need help with compliance, I'm always here. And then, Christina?

Christina Annechino: Yeah, awesome. Hi, I'm Christina Annechino. I'm the cyber security analyst here at Trava. I also work on compliance engagements. I've done a bunch of our tabletop exercises with customers, so you might've seen me on a couple of those. And I also work on support for our Trava platform.

Marie Joseph: And this is what our agenda is going to look like for today. So we'll really dive into risk assessment and compliance, two areas that Christina and I work closely with and that Trava really emphasizes. And then we'll also have time for questions and answers at the end, for that Q&A section, but feel free to ask questions whenever throughout this webinar.

Christina Annechino: Great. So jumping right in, let's discover the heartbeat of security. So you're going to be hearing us mention this topic throughout our webinar today a lot, what we consider to be the steady heartbeat of security. In other words, a foundational core of an organization's security program is a risk assessment. It constantly checks for potential threats and evaluates their impact and helps prioritize actions. So like a heartbeat, it keeps the body healthy. A risk assessment keeps the organization's digital environment secure and resilient and also healthy. But let's get into a question of what exactly is a risk assessment? So this is an outline detailing best practices and standard processes designed to completely assess an organization's security posture. And by security posture, what I mean is how protected all network systems and assets currently are. With this assessment, it's possible to establish a baseline of cybersecurity measurements that can be used in the future to track improvements in how company, employee, and customer data is secured. The primary objectives of this document are to ensure networks, applications, data, and assets are well protected where comprehensive measures are implemented to guard against future threats. We're going to continue to hear about risk assessments more throughout the webinar, but I also want to define exactly what a cyber risk specifically is so we know explicitly what we're going to be reviewing within a risk assessment as a whole and the documentation. So a cyber risk is the potential destruction and/or loss of assets where the confidentiality, integrity, or availability of regular business systems is negatively impacted. Basically, risk assessments in cybersecurity are like a security checkup. They help find and prioritize potential problems, making sure our digital stuff stays safe from cyber attacks. And we can move to the next slide, where we're going to be going over cybersecurity as a protector. 
So along with having a strong heartbeat, it is good to have a shield around that delicate heartbeat. So what we mean by this is there are safeguards very typically used to protect digital assets and data in the tech industry. These safeguards can be used to prevent potential breaches, reputational, financial, or data loss, privacy concerns, and an extensive threat landscape just to name a few. So I'm going to go through a list of common safeguards we regularly see to have a substantial impact on the overall safeguarding of all types of digital assets. So the first one I'm going to talk about is strong passwords and 2FA. So strong, distinct, unique passwords are an absolute must when it comes to any and all company user accounts, as well as enacting a second layer of security such as 2FA or MFA to be specific. Next we have regular software updates and patches. A very common attack vector for hackers is exploiting known vulnerabilities present in out-of-date software. This may seem like a very trivial action to accomplish, but updating devices and software can really minimize the area of attack hackers have when scoping your organization's security flaws. Next we have encryption of sensitive data. So this is a very effective data protection process that defends against brute force and cyber attacks, including malware and ransomware, which are the big two. Next, role-based access control. So this is used to assign user permissions based on an employee's role within the organization. It's a very manageable approach for general access management. Using role-based access controls can really minimize any errors when assigning permissions out individually to each user in your organization. The next one I have here is incident response plans. 
So having a very laid out incident response plan and corresponding run books can help your organization from initial discovery of an incident to post-incident activities to ensure all possible actions were taken to ensure all assets are protected and restored while identifying gaps in security. Next is regular backups and data recovery testing. So conducting regular backups can really verify all data is up to date in the event of an incident that was just previously mentioned. So you're effectively creating and storing copies of data should there be any occurrence where data is lost or damaged. And then finally, employee security awareness. This is really beneficial all around in terms of protecting digital assets. Knowledge is power and the more your employees know about how to best protect personal, company, and employee information, the better the whole organization will be in terms of efficiency. So, to wrap up, cyber security acts as a digital shield safeguarding an organization's valuable assets. It protects against unauthorized access, data breaches, and cyber threats. So like a guardian, it ensures the integrity, confidentiality, and availability of digital resources, defending the organization against potential risks and disruptions.

Marie Joseph: And now moving on to unveiling the cyber security love language. The relationship your peers have with cyber security on a daily basis truly drives your security posture. Your people are both your weakest link and strongest link when it comes to security depending on their understanding of security in general and technology. The cyber security jargon can be pretty intimidating to some people and that's because a lot of it includes foreign words to them and a lot of abbreviations. This can make it intimidating to others, specifically people within your organization that do not know much about tech and security in general. So educating them is one of the most important things. It is important to make your company comfortable with the concept of security and roping it into their everyday work lives where it becomes less intimidating and more so a habit of best practice. People are usually like creatures of habit and making it seem really normal is the best approach, and people should want to keep their own personal data safeguarded on a daily basis. So this can easily drive the reasoning of protecting your company and customer data in general, since everyone wants their own privacy and security with typical things like their banking information and other personal items. It should drive what they do with others' privacy as well. So there are some different techniques and questions you could ask yourself and your employees when evaluating one's relationship with security and the security program in general within your organization. So some of those questions could be how knowledgeable are your employees in technology in general? This should really craft the approach you go with educating them and giving them that better understanding and increasing the understanding as you continue to go throughout the year. And then another thing to ask would be, are employees familiar with the designated security team? 
Your security team should be readily available at all times to your employees. So allowing them to feel like they have a relationship with you is a key factor there. Another question, or a couple questions you could ask is, do they know how to report an incident? And most importantly, do they feel comfortable reporting suspicious activity on a daily basis? So whether it's something that actually is a threat to your organization or something they just think is a little fishy, having that relationship with all of your employees and making them feel comfortable coming to you is one of the first steps on that approach because you don't want some of that suspicious activity happening without you knowing. So if some people are reporting it in a consistent manner, that gives you a better chance to stop it before something bad actually happens. And then one other thing you could easily ask is, are there easily accessible channels to bring technical security questions about the organization's systems and software? So having something like, if you use Slack or Teams, a channel specifically where you can come and ask those questions, or honestly where your security team could provide resources about current threats that are out there and warn people about suspicious activity that's been happening throughout the organization, will really help drive the security program, and just typically friendly reminders to everyone that security is important and you should really love it because your whole organization should be kind of surrounded by it. Your peers' relationship and understanding of cybersecurity is all driven by important reasons to keep data secure and private. So as I mentioned before, you want all of your own data private and so do all your peers and customers around you. Data is truly one of the biggest gold mines of this generation. So we wanted to recommend a tender approach to the digital wellbeing of your organization, its employees and customers, and all of their other data. 
Digital wellbeing is driven by security best practices; the importance of protecting data and one's privacy has to be delivered in a way to make people less anxious and give them the understanding of why it is so important. We listed here on this slide some of the best practices and approaches. So I'm going to go through some of these. The careful evaluation, it is important to evaluate your security posture on a regular basis, identify areas that are lower in maturity, and make plans to progress on these areas throughout the year to prove the importance of loving and protecting your data and others' data. The balanced resource allocation. While every department wants funding, making sure security has a decent budget is really important and funded, but it doesn't necessarily have to be over the top in budget. So also evaluating, is your budget being used effectively? Are there tools you don't necessarily need? And kind of making sure it is all allocated in a way that you're not overdoing it because you can still operate effectively without spending too much money in security. It really just depends on your team and your culture. As I said, people are already salaried, and as I've said before, your people are your best asset here. Then there's cultivating that cybersecurity culture, which is kind of what I was just touching on. So the culture drives your whole program. The way your people perceive the importance of security and why it should be important will drive how they act in their everyday lives, whether that is in their professional or personal lives. Adapting to evolving threats. People should want to continue to educate themselves and others on new and common threats that could impact their security and privacy. 
So your security team should be keeping your organization up to date on these, and they're ever evolving and changing, and technology's changing every day, so your security should be changing every day too. So it kind of goes back to having some sort of channel where everyone can communicate about what's happening in the security area to better educate all of your people. And then protection of digital assets. So making sure your policies, processes, and tools are all in place to protect any assets within your company. This includes physical and digital assets and then any intellectual property your company may own. Protecting all of that is your gold mine technically. Respect of privacy, that's something you probably hear in your personal lives. It should also be taken into your professional lives too. Privacy is one of the hottest topics out there these days, behind security too. But following those best practices is super important. This can be led by just respecting the privacy of all people and businesses and how you handle their data, making sure you handle their data with care. And then building trust with stakeholders. So showing your stakeholders that you're holding your security and your security posture as a priority throughout the year is super important. A lot of your stakeholders like to see a plan, so where are the improvements you've made in the past and how are you going to make improvements in the future is super important to them because they clearly have a stake in your company. So demonstrating to them that you love security and protecting your organization is very important. And this can be done by improvements throughout the year in your security program and I think all of the things above are how you can show improvement as well. So the wellbeing of your company is truly driven by protecting data.

Christina Annechino: Awesome. Well, I'm going to step into some techniques of care and risk assessment. So enhancing the relationship through assessment. Here we're going to be exploring various ways risk assessments can be utilized to get the most out of evaluating the overall security posture of your organization while also exploring what is addressed when completing a risk assessment. So the first topic I'm going to talk about is identification of vulnerabilities and prioritization. So if this is featured in your risk assessment, you will be able to get insight into the most critical vulnerabilities from scans conducted on various assets such as external IP addresses, company domains, your web applications, any cloud or Office 365 environments, where it'll be clearly expressed where software configurations need to be addressed. Next, incident prevention and enhanced incident response. So when drafting or modifying incident response plans, it can be beneficial to have the structure that a risk assessment provides, showing a general sense of where improvements should be made to be able to respond to broader incidents should they occur. Cost-effective security investments. So really I have this here just to point out, getting a sense of where efforts need to be placed within your organization when meeting with higher-up teams. Regulatory compliance. Risk assessments can help with maintaining compliance in certain security frameworks by showcasing continual efforts to minimize risk and additionally evaluate threats and vulnerabilities. Next I have continuous improvement. So generating risk assessments on a specified cadence, normally this is on an annual basis, exemplifies progress, reassessing risks over time, and identifying new risks and also evaluating the effectiveness of risk response strategies actively in place within your organization. Then finally, I have here stakeholder confidence and reputational protection. 
So having the representation of a risk evaluation on company assets, specifically where customer data is managed and stored, will describe any security gaps that may lead to potential incident-triggering events. So this provides a clear understanding of the likelihood and impact of risks. And then on our next slide we're going to be talking about exploring assessment techniques. So let's take a look at some more specific techniques and how they're utilized when going through the process of formulating a risk assessment. So what the section is really going to cover is how risk assessments can be tailored to focus on what is most applicable to your organization's infrastructure as well as some best practices we recommend are carried out for the overall risk assessment process. So number one is risk identification, and this is brainstorming, documentation review, and system analysis. It's really an essential first step in the risk management process. I want to put some emphasis here because without conducting some form of risk identification, it might be difficult to determine the complete range of all potential security risks your organization faces. So one way this process can be simplified is with tools built into the Trava platform, which I will get into a bit later. Next, risk assessment analysis. So qualitative and quantitative analysis. The focus here is on negative consequences that could result in something happening to your organization's data. Vulnerability assessment. This is covered through automated tools, manual testing, and system scans. This can actually be a component within your risk assessment or an independent assessment in and of itself. It will cover the most critical system vulnerabilities and enable an organization to identify what is the most critical overall. Threat intelligence. So a risk assessment that is more threat-based will evaluate different types of cybercrime and prioritize the urgency, impact, or importance. 
Having a risk assessment with this type of focus will help direct your current resources towards remediating and protecting against your most severe threats. And the next I have is asset valuation. The focus here is to really examine each system or resource individually, getting a more tailored or a more specific outlook as to what you are going to be tackling within your risk assessment. Risk mitigation planning, so implementing security controls, creating incident response plans. This gets into the compliance aspect which Marie has touched upon and is going to continue to be talking about. Continuous monitoring, and this is carried out by real-time monitoring tools and periodic assessments. So when we talk about risk assessments, we do want to highlight how often an assessment should be updated, which I previously mentioned is on an annual basis, but just to highlight that here as well again. Documentation and reporting, risk registries and dashboards. I will get into this a bit more in detail because Trava does provide some resources in order to conduct this. And then review and update. So regular reviews and updating any changes to your risk assessments in the event that they need to be carried out.

Marie Joseph: Awesome. So as Christina was mentioning, those risk assessments really drive compliance. Any framework you end up picking, you typically need some sort of risk assessment to be conducted on you on an annual basis at least. So I'm going to jump into navigating compliance for regulatory love. So talking a little bit about compliance and regulations that you typically see out there. If you've joined any of our webinars or listened to some of our podcasts in the past, we typically reference how much security and compliance are different. So I'm going to briefly touch on that a little here. So compliance is basically just a governing body deciding which security best practices are best to follow, and that is something that I think is super important because they're not the same. So just because you're being compliant in something doesn't mean you're doing the most when it comes to security. In some ways it's kind of like you're hitting that baseline, so then focusing more on security, you're going above and beyond that compliance certification. Compliance frameworks are all different with some focused on security, some focused on privacy, and moving past data, there's an abundance of different compliance frameworks out there. So different security best practices fall under different security compliance frameworks. And two of the most common ones SaaS companies hear are SOC 2 and ISO 27001. There's also a lot of different ones out there depending if you're doing government work, like you would typically hear CMMC or FedRAMP. And then besides that, there's also privacy regulations. So like I said earlier, privacy is becoming a lot more relevant these days. So you're probably being asked about both your security and privacy programs right now and finding the balance between the two is really important in understanding which one to prioritize right now. 
And some of those common ones are like GDPR and CCPA, which CCPA recently had a change too, so that you'll also be hearing CPRA too. So they had some minor changes with that regulation and more states are creating their own privacy regulations now too. So it's just something to continuously stay aware of and as I said before, it changes every day basically. So making sure your technology's there, your security systems are there because it's something you need to monitor on a daily basis honestly. So a business becoming compliant and/or certified to a framework becomes a driving factor as you grow to gain more business and prove to your prospects and customers that you take security seriously. It reassures organizations that you have some sort of security program in place that has continuous monitoring, which Christina touched on. So having that continuous monitoring with little to no error is what you're trying to prove to your prospects and current customers. Your risks become your customer's risks depending on functionality, which is why this becomes so important. And no one wants to do business with someone that puts their own business at risk of an attack. So that's why these compliance frameworks are so important because it's proving that you are doing some of those best practices. You have that third party telling you and kind of grading your controls and that you do them in an effective manner. There are many ways that you can strengthen both your security and compliance posture and they often go hand in hand. So as Christina was touching on earlier, and we'll continue to talk about, risk assessments are a very big one. It drives a lot of those frameworks. It is typically a control you need for any of those and these items listed here are best practices that fall under some security and privacy regulations already anyways. And these are topics your company should be assessing on a regular basis if you're not doing so already. 
I want to dive into each of them a little bit, kind of give some ideas of typical cadences that some of these controls would also be running on, just to give you an idea because a lot of people don't typically know some of the best practices that they should be doing for all of these. So understanding applicable regulations, this is something you should be doing as a team on a quarterly basis at least. So bringing in the people that you work with on a daily basis, whether it's your sales, your CEO, operations, you should all be meeting and seeing what other people are asking that you be compliant in on at least a quarterly basis. Trava helps a lot of our customers with this. We meet with them on a quarterly basis. We hold quarterly security council meetings with some of our customers and this is when we typically talk about what other ideas are being thrown out there, what are you hearing? And I think that's when most people are willing to speak up and say, "Well, I've had this customer say they really want to see us be compliant in this, or why aren't we following this privacy regulation of this country or this state?" That becomes pretty important. Then there's the review of internal policies. You should be completing this on an annual basis and if you don't have a policy set already, it's definitely something I recommend making your first priority with any compliance journey. These annual policy reviews have to happen on an annual basis. Auditors are going to look for that, making sure you have employee sign-offs, so that's also one of those best practices. Then conducting a compliance gap analysis. This should be ongoing throughout the year, but an official one should be conducted at least annually. You'll typically hear this be called an internal audit. We help a lot of our customers with that aspect, but you can do this on a more frequent basis. 
A lot of people do their checks of all their controls on a monthly basis just because that's typically one of the smaller cadences, if not weekly, which could be even better. Documenting controls and employee trainings. So training is typically done at least annually, but monthly trainings are really recommended, especially from a security lever standpoint. It's just a friendly reminder to everyone to hold security as a priority in their everyday life. And it's really something, yes, you should be doing as your organization, but it's even better to put into your personal life too because your personal data should just be driving why you should want to hold security as a priority. Whether you're a security or technology expert, even if you're in a different realm like marketing or sales, you should want to hold your own data to be secure and private. And then ensuring incident response readiness. So this should be conducted at least annually; people like to hold tabletops for incident response or business continuity and disaster recovery on at least an annual basis. Everyone needs to know what they should be doing in case of an incident. So having this several times a year can also be helpful if you have the time to do that. But once a year is good too. And then protecting data and privacy. This should really just be an ongoing everyday activity, like evaluating it pretty often. So privacy regulations are growing rapidly these past few years, so you should be keeping up to date with some of those ever-changing things that are applicable to your organization, and the humble plug right here is Trava's really good at keeping people up to date. So if you ever need advice on that, we do have the tools and resources to give you that advice on a continuous basis. Assessing your vendors and third-party compliance. This is kind of going back to when I was even talking about your stakeholders and everything and any of your vendors. 
So this should be conducted at least annually on all your vendors and any new vendors before signing with them. If they're not certified in any security framework that you approve of, then they should be filling out some sort of security questionnaire so that you can evaluate if they actually have a good security program in place because their risks are your risks. So doing business with someone that's a little risky, that allows for some sort of failure in your own security posture. And then conducting periodic risk assessments. So one of the main topics of this whole webinar, this should be done at least annually with more frequent vulnerability assessments being conducted at least monthly for best practices. From a compliance standpoint, most frameworks like to see you run vulnerability scans on a monthly basis. And not only running those vulnerability scans, but also assessing them and making improvements is super important. Because they want to make sure you're actually seeing the results and trying to make changes or have a plan to make a change. That is where some people tend to fail is not making sure they're actually using the results they're getting from those scanners. And then establishing audit and monitoring best practices. This should be at least annually with at least a monthly monitoring check-in that I was talking about earlier. So building security into your everyday routine and making it a habit really helps here, should be something that's always on your mind and it should really just be on everyone's mind in general. Focus on documentation and record keeping. Anyone that's been through an audit before knows that documentation is huge. So having those documents becomes really easy once you hit that continuous monitoring phase and get through your first audit, you already have all the documents, you just need to do some sort of reviews or minor changes typically. 
And every once in a while you'll need to do major changes to all those documents, but it's kind of, as you grow those documents will change and grow too. So making that part of your routine is, once again, helpful in making a habit out of checking those and keeping up to date with them. And considering external audits or consultants, this is something I think any of you that are Trava customers probably have had some experience with, especially if you have more of our consulting advisory services. So it helps to have an outside eye review your program and let you know if it's truly running effectively or not. And you can take those reports that you get from those external audit firms or reports that consultants give you and give these to your prospects and customers to prove, we do have security. Here's what our program looks like now. Here's what our plan is for the future. So if there's areas you're kind of lacking on, you can show them that you are going to hold it as a priority in the future and that it won't be a risk to them. And lastly, I just want to talk about the emphasis on continuous improvement. I think it kind of falls into all of the areas I was already talking about and some of the areas Christina was talking about, but once you have a steady program, focusing on how you can make it better is huge. That's what people want to see. They don't want to see it stay the same because as I mentioned before, technology is changing on a daily basis, which means your security needs to change on a daily basis too. So improving your security program regularly helps you combat the cyber criminals out there. And then...

Christina Annechino: Awesome. Yeah. So let's get into nurturing security with risk management romance. So, as we've kind of highlighted already, and I've talked about a bit, risk assessments are very key in becoming much more knowledgeable in your overall security posture, managing risks in general. So what I want to talk about right now is we have a general checklist for what you should accomplish for risk assessment to be efficient. So some things that a risk assessment should really... What you should do to prep for generating a risk assessment and then moving forward with it is to first identify valuable assets so you can develop a comprehensive program for their protection and management. So here you would want to gather all data hackers would have the capability to target, including web servers, cloud storage, client contact information, everything should be laid out in this initial step of your checklist to create a risk assessment. Next is determining potential consequences so you know exactly what's at stake when various types of attacks could be potentially exposed. And then next, understanding threats and the dangers they pose. So this will really help with the prioritization of each risk ranging from natural disasters to human error. So this can be very different for every organization. So really prioritizing what risks are the most applicable to your organization. The next step would be to identify and address vulnerabilities. So for similar purposes of prioritization and planning, this is really to identify where your security would potentially be lacking. And then the next step would be to then conduct a risk assessment. So after the steps that I mentioned previously have been reviewed and completed, you would then be ready to go through the process of conducting a risk assessment. After a risk assessment is conducted, we would then want to see a plan created. 
So this will help keep your security team on track with clear goals for protecting all company assets. And then finally building a strategy for mitigation. So including how you'll monitor your risks as well as new ones that arise to minimize overall potential impact. So I've mentioned a bunch of different steps that you would take to have a risk assessment generated, conducted, but moving forward, I do want to now talk about how Trava could help you effectively in integrating risk assessments for you. So previously mentioned how there are different ways risk assessments can be tailored to best meet your needs, and then the different techniques that can be used to create a risk assessment. But here at Trava, we provide a risk assessment tool that does all the manual work I mentioned previously for you. So our baseline, talking about our baseline cyber risk assessment, it evaluates a survey that you completed, your responses, against 18 functional security areas that are aligned with industry best practices found in the Center for Internet Security, CIS, Control Catalog. So these cyber security best practices are proven to protect your organization and data from known cyber attack vectors, while also enabling prioritized actions that can be performed to continually improve defense posture and reduce the cyber risk. The survey covers all CIS controls and safeguards and will help identify how closely your organization is currently following the CIS control framework. We'll then generate your risk assessment that contains maturity scores for each of these controls and provide steps and recommendations for improving maturity for each of the designated security controls. Within our baseline cyber risk assessment, or BCRA as we call it, we also include a vulnerability assessment that has the most critical vulnerabilities detected by each of our scans run within the Trava platform. So you have all the information you need in one place.
Along with our BCRA, we include a risk register mitigation roadmap that can be easily accessed within our platform as well. The risk register will greatly help with the risk identification process, which I previously noted to be really one of the integral steps in the risk assessment process. All of your risks will be housed in one location where you can assign impact, likelihood, total risk, as well as priority. So this list is always up to date. The risk mitigation roadmap can be used in tandem with the risk register, helping organize how to go about managing each of the known security risks within your organization that have been identified. So tasks can be marked as completed so you have a record of your progress in your total risk management program. And then finally, to wrap up as a whole and tie in our Valentine's Day theme, matters of cybersecurity envision resilience as a lasting love story. Continuous risk management becomes the daily commitment, the small gestures that keep the relationship strong. It's like nurturing a love that evolves and adapts, ensuring that our security remains steadfast, just like a love that grows stronger with every shared experience and challenge.

Marie Joseph: Awesome. And now we can open it up. Sorry, Jara, I'm stealing your thunder. You can say it.

Jara Rowe: No, it's fine. You go for it.

Marie Joseph: Now to wrap it up, we have time for Q&A. So if anyone has any questions, you can drop them into the chat or I think there's even a Q&A button too.

Jara Rowe: Yeah. So I actually have a few, you mentioned, Christina actually, you were just talking about CIS controls. What is a CIS control?

Christina Annechino: Yeah. So those are the standard practices that have been identified by CIS to be in compliance with to make sure that all your data and security is well secured. So that's why we include those controls within our survey as well as keeping that in our baseline cyber risk assessment because it's a really complete evaluation of where your organization stands in terms of overall cybersecurity.

Marie Joseph: And to add on that one, with the CIS, there are three implementation groups too. So we typically start our customers on implementation group one. And then as they mature, they move on to group two and group three. So group one really has some of those best practices for small and medium-sized businesses too.

Jara Rowe: Awesome. I have another one as well. So you were mentioning company culture and the importance of security awareness training, but how often should a company conduct a training for their teams?

Marie Joseph: It really just depends on your company. You know your people more than any consultant is going to, typically. So a lot of people's culture, you just know your people, you know they're not going to do them on a monthly basis, and is it really going to be something that you can manage and keep track of? So I think as companies grow, a lot of them tend to move to more of an annual basis just because, if you have 100+ employees, it's hard to monitor and track down all those people that aren't doing them. There's always those few people that you just can't track down to complete them in a timely manner or they're super late on them. So just having that annual time to get everyone, like you have a month to complete these, please watch this hour of training and complete whatever tasks are with them. So, yeah, it just really depends on your people. Here at Trava, since we are a security company, I can say we do ours on a monthly basis just because we love security and to remind people to also love security, our peers should want to love it too. And if you can do it, do it on a monthly basis.

Jara Rowe: All right. Well, if there are no other questions, before I let you go, I want to give a quick plug. The three of us here, me, Christina, and Marie, just had a podcast episode release today about cybersecurity compliance buzzwords. So if you would listen to that to learn about some other key terminology, you can find it on your favorite podcasting platform and our podcast is called the Tea on Cybersecurity.

Marie Joseph: Yeah, listen to it. It's fun. All of the episodes, not just that one.

Jara Rowe: Oh, yes. Listen to them all. All right. Thank you. Have a good day.

Marie Joseph: Bye, everyone.

Christina Annechino: Bye.