The top security issues we see today and how to fix them

Alan McBurney:

Good morning. Thank you for attending the webinar. We're just waiting for a few more people to join this morning and we'll get started.

Alan McBurney:

(silence).

Alan McBurney:

I think we're good to kick off. So again, thank you everybody for attending HTG's inaugural webinar today. What we're going to be discussing today is the top security issues that we see across our customer base and what we're seeing in the industry as whole, and some signed advice on how to fix the issues.

Alan McBurney:

So, quick introduction. I'm Alan McBurney. I'm the Chief Innovation Officer here at HTG. I've been around the technology space for well over two decades, focusing predominantly inside the Microsoft sphere. And we're also focusing heavily within security today. I'm also joined today by my colleague, Kevin Howell, and I'll hand over to Kevin for a quick introduction.

Kevin Howell:

Good morning, everyone. I'm Kevin Howell, I'm the Founder and the CTO of HTG. We've been established since 2005. I've got over 25 years experience delivering these IT solutions across some of the largest clients in Europe. So we've got that good pedigree and we're also a Microsoft advanced specialist partner and security partner. So, we've done quite a few of these security deployments, of course, so hopefully this advice will be helpful for you.

Alan McBurney:

So today, what are the things that keep people awake at night when it comes to security? For me, it really has to be around things like ransomware. Ransomware today really terrifies me. The ransomware as a whole, there's no stop to this. If anything, it's increasing. The profits are huge, we're seeing there. We're also looking at things like data loss, reputational damage, compromised accounts. Kev, when it comes to, so you're a business owner, what's your experience and what keeps you awake at night and what are customers talking to you when it comes to cybersecurity about?

Kevin Howell:

Well, quite a lot keeps us awake at night. That's why my hair's white and I'm only 46. You know what I mean? So yeah, there's a lot of stuff going on. So keeping your systems up to date is critical, with COVID everybody's had to go working from home. So as a business owner, it's keeping your staff secure, keeping your systems secure. It's all in things around there. So obviously we've got good systems in place, we're a technology company, but I know a lot of people weren't adapted in that way. So when we had to go work from home, they don't have that, the modern security that we do, so stuff around compromised accounts and having your compliance and security and all things around that. It's a big thing.

Kevin Howell:

And if you do get compromised, how does your business survive? If people go back to pens and paper, how long can you survive like that? And how would you recover from that? And also, the last even 24 months ransomware is in the news every day. And it's big money, isn't it? So you see all that and it's how do you keep your staff up to date? What's happening and how do you keep your system up to date? So all that stuff keeps me awake at night, there's a lot of stress around that. And if you do get compromised, how is that going to impact your customers? And how do you keep your... I don't know. The reputational damage around that, once you've been hacked and your system's down, that gets out there and you're trying to sell a security system, I don't know, it's hard to recover from that.

Alan McBurney:

I suppose one thing we're looking at, as the global pandemic has hit, I think it's safe to say that technology permeates every business now. So within the UK, if you think about it, traditional bricks and mortar, you can take something like a pub where cash was king. During COVID, if you couldn't order online, you couldn't take digital payments, you were out. So what we're seeing is nearly every company out there and every business is susceptible to cyber risk.

Kevin Howell:

Oh, and also you're seeing all the stuff around data leakage as well. Any IP gets out there, I think the financial damage around that. Yeah, it's a mine field when someone gets a hold of another business' financial data to see what the profits are, what the accounts are. So there's lot of things around them. The hybrid working bit as well. I think people are just scrambling, got any bit of equipment because we've got shortages and using USB drives and using SaaS apps and Google Drive and data's all over the place, and it's just wide open. So there is a lot going on there. Like I say, hopefully by the end of this, we can cover some five key pillars in the security stack that would address 98% of the risks of most businesses today. So that's what we're going to talk through today and we're going to share some insights on that.

Alan McBurney:

Thanks, Kev. So if we look at ransomware, why is ransomware so prevalent across the industry? If you're looking at this, it's relatively high profit with low cost to entry. Really what the ransomware is there to do, you're getting double extortion coming from it. So when the bad actors community or organisation, they'll typically be in the organisation for weeks, if not months before the ransomware payload has been detonated. And what they're doing is they're moving throughout the network trying to work out who the accounts that they need to target are, where it's best to deploy the payloads that... They're looking at this as a business model today. They're doing financial research across the companies and they're trying to work out what they can actually extort from you for the highest value that you're able to pay.

Alan McBurney:

They will also exfiltrate the data, very, very sensitive data, which could be financial records or customer records, and they will threaten to publish these on the web if you don't pay them. Kev, if we think about some of the customer conversations we have been having with customers who have been hit by ransomware, can you give us a few insight into that and what the actual cost to the business is?

Kevin Howell:

Yeah. So we've had some global clients and enterprises, we've had a mining company and they were global and they got a ransomware, quite recently was in the public news and was about 50 million pounds of ransomware, which they didn't appear to manage to recover, but it got the stage where their systems were down for four to six weeks. And basically, the minds were producing what they'd do and the stuff that's coming out at the end, they didn't know where to take it to, and we were going to back to pen and paper on all these orders. The whole business was ground to a halt, couldn't work.

Kevin Howell:

Luckily they managed to recover it by they found one PC that wasn't on the network and wasn't compromised and they managed to get it back, otherwise it was build from scratch. All their partners were compromised and everything, so that was major. [inaudible 00:07:25] had a few education clients that will be connected to council networks, and for some reason they haven't been doing system updates and they've been compromised and again, they've had ransomware attacks and they're not just going for big enterprise clients, they're going for whatever they can. They're targeting schools and primary schools, secondary schools, wherever they can, we'll get in there to get that ransomware. And it is, it's a hot topic at the moment.

Alan McBurney:

Yeah. And one of the things we're saying there, it's high profit and low cost, I was able to find what we're seeing today is we're seeing cyber crime for sale. So you no longer need to be a programmer or a hacker, you can go out there and you can get these cyber crime as a service. And what we're looking at here is we're seeing ransomware kits in the wild from as little as $66 for that, or if you're still that way inclined, you can have an affiliate model with the kit creators where the kit creators will take 30% off the profits that you're able to extract from your customers.

Alan McBurney:

So, really what we're trying to put across here is, this is becoming commodity. We're not seeing a decline withinside ransomware and extortion, if anything, we're actually seeing an escalation of that. So really what we're trying to do is highlight this to businesses, and then we'll go to how we can actually mitigate the risk from that.

Alan McBurney:

So, some of the key actions that we can take from that is really you've got to prepare a recovery plan. So you need to make it harder for the hackers to get into your organisation. You need to back up all your critical data. You need to be having your disaster recovery business continuity plans. Microsoft do produce a Security Best Practise Guide, where you can go and create your recovery plan. And it's a very, very detailed depth, what we'll do is we'll put the link to the recovery plan into the notes, and we'll send those out with the slide deck later on.

Alan McBurney:

Really, you also want to limit the scope of the damage. So what we're looking at here is you want to make it harder for the hackers to come in and harder for the hackers to actually extort. So by putting in your antivirus, putting in your backup products, you want to make it as hard as possible so the return on investment for the hackers doesn't seem so attractive, and hopefully they'll leave you alone and move on to the next person. In terms of actually allowing the exfiltration of data, there's some things that you can do to mitigate your risk around that. So you can actually encrypt your data at risk. Encrypting your data at risk won't stop the encryption if it does hit it, but it will actually make the data less likely to be exfiltrated so that you won't be hit by double extortion on that.

Alan McBurney:

It's little things like following basic cybersecurity hygiene, making sure your systems are patched, making sure you're applying system updates and using malware, or sorry, not malware, anti-malware withinside that.

Kevin Howell:

Also on that I would just say as well is, don't pay the ransom because there's a lot of companies who go along, who've paid the ransom and going, "Oh well, I've got a 50K, I'll pay 50,000, it's worth doing it." They do that. And then remote access the finance [inaudible 00:10:57] or not my pictures folders or something like that, and then it's 50 grand unload, another one, another one. They just, once they know you'll pay the ransom, they'll just keep going and keep coming back. I know you're on the hook, so don't do that.

Alan McBurney:

And that's another reason why this is such a high profit, because the governments, they haven't made these payments illegal so they're actually incentivizing the bad guys to keep this kind of activity up. So as companies are paying the ransoms, then there's profit to be made so they'll keep doing it.

Alan McBurney:

The next thing we're seeing is a huge rise withinside phishing and malicious emails that are out there. The phishing does remain the biggest risk to the business. It's typically coming in with email. The systems are designed to trick users into sharing sensitive information, such as using them in passwords. They want to harvest this, and we're seeing very, very sophisticated attacks where things like your Google, your Gmail, your Office 365, you're getting a link which is taking you to a compromised system, but it looks like your Gmail, like your Office 365. You're putting your identity into that and the bad guys are harvesting your credentials, and they're getting very, very intelligent with this. Once they harvest your credentials, what they're doing is passing you back to the legitimate website, the Office 365 or the Gmail, and the users typically don't know what's going on there.

Alan McBurney:

A couple of really easy ways that you can mitigate that is by deploying things like multifactor authentications so that if a user does get the credentials, they don't have all the credentials to get into the systems. Some of the other things we're seeing is gift card scams and bank transfer scams where you're getting business email compromised where possibly you're getting an email from your CEO. I apparently get emails from Kev all the time asking me for my WhatsApp details and to procure gift cards and send him the codes. And in some circumstances, we've had customers where, through no fault of their own but possibly one of their suppliers who have been compromised, that they've been asked to do a bank transfer. And all of a sudden, it's legitimate email that's coming, but once they're going to make it, they've been asked to change the sort code and bank number, and actually goes to the bad guys in that instance.

Kevin Howell:

And also on that, comes back what's happening. So as a business owner, people working from home now, if they're in my office we'll go to somebody else's desk and go, "Can you just check this email? I'm not sure about this." They haven't got that capability now, they haven't got that water cooler conversation. From home, "What do I do?" You can go and just click next and that's it, you're compromised, it's easily done. So, we're seeing a lot of that as well. So, yeah.

Alan McBurney:

Thanks, Kev. So some of the things we can do to mitigate those phishing attacks coming in. Simple things that you can do from your IT teams is they can tag any external email as being external. We use this for this at HTG. So any external email has a tag on it which says, "External. This has originated from outside your organisation." So you know if people are trying to impersonate your CEO or your finance director, and that email has originated from outside your organisation it's relatively easy to see that.

Alan McBurney:

Typically people will also use bypass lists or whitelists and put email addresses and IP addresses into that. What you're doing there is, best practise around this is don't be using those bypass and whitelists because you're actually creating an easy way in for people where you're saying, "I implicitly trust these senders and I trust these IP addresses. I don't check anything." The biggest thing around it there is probably user education, simulations, training your users how to report phishing attacks to your IT teams. Kev, could you talk about some of the training that we use internally in HTG to educate our staff around spam?

Kevin Howell:

Yeah. So we've got security teams, so they have techniques and workshops they do. So they would simulate these regularly over a month and basically the staff aren't aware of it, and it just goes out there and they do it. And if someone gets compromised, "Why have you clicked on that? Are you aware of this? This is the report and structure." So we go through at the end if the user doesn't report it correctly, that's flagged, it comes through, they get training and that's done. And that's all tracked by the security team and it works well. And we'll have a bit of fun around [crosstalk 00:15:56]. So it's almost like you've got an extra 50 minutes on your day because you have to have security training, so it's all done in light jest, but it is important that we do that.

Alan McBurney:

Yeah. And we've got an example, sorry, wrong way. We've got a example, employee phishing awareness here where we're looking at utilising simulations, how we can take training and then how we can take user reporting for that as well.

Alan McBurney:

Hybrid working. Hybrid working, everybody's aware of hybrid working today, the impact that that has had. It also brings a risk to your organisations today as well. Kev, do you want to talk a little bit around hybrid working and what we're seeing there?

Kevin Howell:

Yeah, so obviously hybrid work, we talked about COVID, we've always done remote work on solutions, but obviously with COVID everybody had to scramble at home and provide work and solutions, that compounded with the shortages of kit, so people going, "I'd normally use a thin client. Now I need a laptop. I'll go buy a laptop." Buy a laptop, oh, six months lead time and then you need a [inaudible 00:17:00] set up. So, how do then people continue to work? They start going, "Oh, well, my son's got a laptop. Can I use that laptop? Or I've got a PC at home, can I use that?"

Kevin Howell:

Then all of a sudden they start using these bits of shadow IT. "Where do I get my files? I'll download the Google Drive," that sort of corporate way that we do business, and they start using the shadow IT scenario. And that's putting risk in this, or sensitive data and documents outside of the organisation and it's at risk so we've got data loss and risk that's out in the public domain now and it can be tracked, so sensitive IP. We have some really sensitive clients in the finance and engineering sector and if any of that IP or design information got out in the public domain, there'd be a lot of trouble for them clients. So there's some risks around there. So, that's one of the issues we've got.

Kevin Howell:

Working inside that walled garden, the traditional firewall in the office and you're secure isn't like that anymore. It's like, they're at home and you're outside that firewall and the protection isn't there anymore, so it's almost like they need to be a mobile fortress from home, they need to have that protection around them. But a lot of companies think, "Oh, I'm secure because people are in the office," and they're not in the office anymore. They're working from home and they've got all this and they don't have the same security to control. So, are businesses aware of that? Because temporary is what that was security had this firewall, but now they're from home and got all this data on a laptop at home. What is that? And what's the risk around that? And if you've got compliance with 27,000, what are all these sort of things? What risk is that to your business and governance? If you've got sensitive data there at home, somebody's walking past at home and all that sort of thing. There's a whole pile around that.

Alan McBurney:

Yeah. And we're seeing huge problems with supply chain as well. We're getting customers and they're trying to get stock of laptops. They've got new staff starting. They could have 10, 15, 20 people starting. They need to get kit for them, they're trying to source the laptops. Certain circumstances we've had laptops on back order for four or five months because you simply can't get them. People are starting in a business and what do you do? You say Kev, they're just grabbing whatever kit they can.

Kevin Howell:

Well, if you need GP, use anything, not just for payments, but we've got designers and designers run... We've got a big aerospace company and they've got designers all around the globe and all their designs are very sensitive and they need high performance computers. How do you get that?

Alan McBurney:

Yeah.

Kevin Howell:

And even if you've got a high-performance work station at home, they're working on this stuff, they've opened it up. The 25, 30 gig files to pull down just doesn't work, so using a virtual desktop in the cloud or high-performance GP, you can put that on there, turn out, that's a elegant solution that's secure. So that works well for them clients is just making the people aware of what their technologies are and keeping them secure and whether they can do their day to day work is a key thing.

Alan McBurney:

Yeah. And what we're seeing from our customers as well, our customers are falling into two accounts. You've got customers who pivoted to the cloud relatively early on and they're using things like modern device management, and these methods of management of IT were designed to be used across the internet. And we're seeing the flip side of that where people are still within, if you like traditional, on premises, the active director, they haven't really made to move to the cloud. They've got their entire workforce working from home using virtual private networks from coming back in.

Alan McBurney:

And in certain circumstances, what we're seeing there is that all the data from people's homes are tunnelling back down the VPN, back into the corporate headquarters, and what they're saying is, "If you're on the end of the VPN, we trust everything that's coming there," and it becomes a real problem because instead of having one office to manage, you've got 200, 500, 1,000 offices because everybody's home environment is their office today.

Kevin Howell:

And at home as well, having devices on that network, you've got the kids on Xboxes, you've got the PCs, you've got everything, the streaming TV, it's just mine field, isn't it?

Alan McBurney:

Yep. So, what are we saying around this? Really a couple of key things there, it's just around the patching and the systems update again. It's moving to modern device management. It's using things like Microsoft Engine, which is designed for the internet where you can actually patch, you can deploy, you can maintain your systems, which are connected to the internet without the need for virtual private networks within there. We're seeing a huge uptick in zero-trust architecture. You'll get a lot of companies, they'll tell you they'll sell you zero trust, but zero trust isn't a product, it's really an architecture there. So when it comes to zero trust, what we're saying is, don't trust anything and implicitly verify everything. So we want to verify your identity. We want to verify that you're coming in from a corporate device. We want to verify that that corporate device is up to date and you're using malware, oh, sorry, anti-malware, you've got your drives encrypted inside there.

Alan McBurney:

And we're seeing quite a lot of customers come to us at the minute and want to get started on this journey. And Kev, is there anything you'd like to add to that, what we're seeing?

Kevin Howell:

I think you've covered it quite well there, Alan. But like you were saying, I think the main thing is you don't want to be giving people access to data that they shouldn't have access to. I know we've thought about that in a later slide, but if they don't... You educate the users, but they don't have that opportunity to leak that data, share that data, use a device that's... Basically it's having that conditional controls around it. So as a business owner, don't give them their permissions to do that and educate the users and then take it from there. But the zero-trust architecture is the best way to do that from day one, and there's a lot of tooling available if people already have these skills, it's part of the M365 technologies, they're enabled by default, you just need to turn them on. So a lot of people aren't aware what capabilities are in there.

Alan McBurney:

Yeah. Yeah. And you've got things like conditional compliance and controls inside the Microsoft 365s that want to come in or validating who you are, making sure that you're employing multifactor authentication. Really what we never want to do is actually stop people working. We want people to be able to work, but in a very, very safe manner. And you're able to do that with this zero-trust architecture.

Kevin Howell:

That's a key thing is legacy [inaudible 00:23:23] security must stop. I know it, wasn't it? It's like, find that good user experience and a good security footprint, getting them two together is your tool, yeah, and I think that's what we're trying to get here. So, people can do their jobs elegantly without being compromised, and that's hopefully where we can offer some suggestions around that.

Alan McBurney:

Yeah. And one of the last areas we're seeing is coming from insider threats. So what we're saying here is the threats don't emerge only from outside the organisation, but they're also from with inside the organisation. Kev, you alluded to there around sensitive information, people will typically not maliciously, but they'll take personal information or sensitive information, put it on their personal USB drives, they'll share it inadvertently with people they shouldn't be or they're sending that information outside the corporate boundary, if you like.

Alan McBurney:

And what we're really seeing here is we get malicious intent, I'm not sure people who are stealing your IP, maybe bad leavers who are taking company data with them to a competitor, or you're getting those inadvertent leaks which are typically by, you talked about distracted employees, people are working from home, they're trying to do more and more. And either that, or the users are simply unaware that their practises are unsafe. And thankfully, what we are seeing is that the majority of threats are falling into the latter category of they're inadvertent.

Alan McBurney:

And one of the big things that we're seeing there is around establishing security-first culture. So we need to educate our users on how to protect and classify data and don't make them feel like they're under the microscope or that their privacy is being invaded. You can use things like, you can pseudo anonymize data so that if the leaks are coming up that the usernames are being hidden and then you can do an investigation, then it's only later on that you actually need to reveal who the use there is and if it's actually a valid case.

Alan McBurney:

And you've got to remember that your employees always, they want to be protected, they want to do the right thing. And what we're saying there is, assume positive intent from your employees but mistakes do happen.

Kevin Howell:

No, no. And like I say, we see third-party contractors going in in some cases, they just come up, turn up with their own laptop, and then they're putting stuff into OneDrive, well not OneDrive, they're going into their own Google Drive and they're pulling stuff down locally on that device, see it on a virtual machine, then they go back to another site and they've got that data, that IP it's just been took off that site. So, they need to be, in a secure manner, stop that leakage from happening.

Alan McBurney:

So withinside HTG, we employ what we call information protection levels and policies. So we get our users to classify the data, whether that's personal data, whether it's customer data, whether it is confidential data. And then you can take those with data loss prevention policies, and then you can stop that data from actually exiting the business if it is confidential.

Alan McBurney:

Okay. I've got some of the key takeaways. You want to talk about the cybersecurity bell curve here?

Kevin Howell:

Yeah. Yeah. So this is Microsoft's bell curve. So these are the five core areas where Microsoft say, if you address these five core areas, that would address 98% of your security problems. So, if you can cover these 98%, the hackers are going to leave you alone. They're going to go for easier targets. So, these are what we covered. So basically, what we're looking at there, the first one, I can't see what's the first one there?

Alan McBurney:

It is utilising anti-malware.

Kevin Howell:

Anti-malware. Yes. We'll call that, get the anti-malware in there, that's the standard stuff in there. So basically we can talk up through your M365 suite you'll be using 3884 if you've already got them, they're available to go.

Alan McBurney:

And what we're seeing there as well coming from Microsoft today is with inside your M365 products, M365 E3, or if you're on the academic, A3 or Business Premium SKUs is that you're getting the Microsoft Defender now bundled with that. So Microsoft is starting to give away their antivirus products, that's part of your subscription.

Kevin Howell:

Yeah. And what's the next one? Excuse me, apply these-

Alan McBurney:

Least privileged access.

Kevin Howell:

Yeah. So that's common sense, and so you do want level one worker accessing directors, like SLTs, financial data. So just address it to people's personas. Whatever their role is, make sure they've got relevant permissions to that data and then have stuff like payment, they need privilege identity to go and access them, that has to be authorised.

Alan McBurney:

And that even comes down to your privileged identity with inside Office 365, Kev. So, not everybody in your ITeam needs to be the global admin. You give them the rules that they need to get their work done.

Kevin Howell:

Yeah.

Alan McBurney:

And Microsoft does a very, very good job at segmenting all the different security profiles that you have, so it does require a little bit of work, but really by limiting that exposure and using products like the PIM, the identity management tool from Microsoft then you can hopefully mitigate a lot of this. And then we're looking at, in the third takeaway action here is to enable multifactor authentication.

Alan McBurney:

I was reading a report recently from Microsoft. So Microsoft's customers, I don't know what the exact number is, but you're talking about hundreds of millions of users with inside Microsoft 365. They have all the telemetry, they're able to tell how many users are implementing multifactor authentication. And I was shocked by this, that only 20% of Microsoft customers have MFA enabled. It's a shocking stat, I know. Absolutely.

Kevin Howell:

Considering how easy it is to enable it, but it's not just MFA with a Microsoft, it's MF on any of your SaaS products. We use HubSpot, Zoho, all that sort of thing, MFA's there, even your Facebook, enable MFA. Everyone's got a mobile phone, just get it done. You know what I mean? Like you're saying, 98%, how many percentage of these hacks come from password compromises they've attacked, switch it on. It's a neat, quick [inaudible 00:29:37].

Alan McBurney:

And it's not that I think most Microsoft customers are being willfully negligent by not turning on multifactor authentication. I think a lot of them are still struggling with transitioning their identities to modern identities and utilising things like Azure Active Directory. So there's people, if you think about a bell curve of user adoption, you've got the lead adopters, you've got the early adopters, and then you've got the general wave of adopters. And it can be difficult transitioning to hybrid or, sorry, to modern-based identities, but I would encourage all organisations to look at this because the security benefits from that transition to a modern identity just brings you so much more assurance of that you're secure on the internet.

Kevin Howell:

The user experience is so good for us, [inaudible 00:30:29] laptops are in there, 10 seconds log in, work from anywhere, Teams or phones, it just we work from anywhere on any device, it just works.

Alan McBurney:

Really, the panacea here is moving to a time when you don't have a password. Genuinely, I couldn't tell you my password. I don't know it because we have employed and deployed passwordless authentication withinside HTG. And I think the last time I used my password was maybe four or five months ago.

Kevin Howell:

I think all your help desk managers love you, want you in the [crosstalk 00:31:00], no more password reset calls coming in, yeah?

Alan McBurney:

And really, how do you get started? We've covered quite a few bits today, but you need to understand your security risk and you need to be able to benchmark and take proactive measures, put mitigations in. And one of the places you can start with this is with your Microsoft Secure Score.

Alan McBurney:

So your Microsoft Secure Score is available to every organisation that utilises Microsoft 365. And you've got a simple scale from zero through to 100. The higher up that scale, the more secure you are. We've got a quick look at HTG's here. We're sitting, this was pulled yesterday, we've got a Secure Score sitting there 80. We were up as high as 87, Microsoft released some controls around December, which we're working through the implementation, which will push us back up there. But you're looking at improvements, which are in three main categories.

Alan McBurney:

So Microsoft is categorising identity, how secure is your identity? Then they're looking at your devices, how secure are your devices? And then thirdly, how secure are your applications? Those three come together to give you a cumulative score, which is known as a Microsoft Secure Score. And you do get a lot of recommendations and actions that you can take. It does take a little bit of time, but it's there, if you're utilising Microsoft 365 technology, please take a look at it.

Alan McBurney:

Another thing that we can do, Kev, do you want to talk a little bit around the Cybersecurity Assessment?

Kevin Howell:

Yeah. So the Cybersecurity Assessment obviously is a lot more deep dive. That goes about two years, where we would work with Microsoft and would do a full assessment of your entire estate, and that reports back. You get a 40 page report there, and that's a full report across the entire end to end architecture and will show where your risks are and goes against industry benchmarks, such as NIST, and it's a really comprehensive report. And if you're a certain company and you meet the criteria, that would be funded by Microsoft. We're a partner, we can help with that. If that's something you're interested in, we can certainly help with that.

Kevin Howell:

But fundamentally what Alan said, going back to the Secure Score and the CSAT is, it's getting that baseline. It's a bit like an MOT for your IT. So where are you today? And knowing tech, you can go and run a Secure Score and say, "That's where I am. I'm 20 today. That's bad." So it's easily done, the tools are there, you can quickly do it without having weeks and weeks of audit and somebody taking weeks and weeks to generate a report. You can go and do that Secure Score today and it's a quick win. Again, if you need any help with that, we're happy to point you in the right direction to help you with that.

Alan McBurney:

And the great thing from a CSAT report as well is the report that comes out the other end is digestible by your security teams, by your risk and audit teams, by your board members as well. And it gives you a place of where you are today. You got to remember that cybersecurity isn't the destination, it's a journey, and you're always on this journey and you've always got to be evolving with cybersecurity and mitigate against the latest threats.

Kevin Howell:

No, no, that sums it up pretty well.

Alan McBurney:

Yep. Thank you all for attending today. If there was any questions, Megan, do we have any questions? No? No question then. So like to thank everybody for attending.

Kevin Howell:

No, no, I appreciate your time and hopefully that information was useful. We'll wrap that up today and we'll get these slides sent out with all the attendees, we appreciate you attending today. So, thanks.

Alan McBurney:

Thank you.