Sharing and Solving Session: Cybersecurity for the Arts
Apr 21, 2021 17:32
- Hello and welcome to the Cybersecurity Sharing and Solving session for the Arts.
00:05 - My name is Benjamin J. Allard. I am the project manager for the Independent Media Arts Alliance.
00:11 - Today, we brought together participants from the art world who wanted to talk about cybersecurity in their organizations.
00:18 - We’ve worked upstream to find common issues, and now we’re going to try to address them.
00:24 - So you have a privileged window into our virtual meeting.
00:28 - If you’re interested in learning more about cybersecurity or digital risk management, we invite you to visit Cyber safe and sound website.
00:37 - It’s a resource that brings together basic knowledge and slightly more advanced protocols for art organizations.
00:45 - You can find the resource at imaa.ca/cybersecurity.
00:51 - We’re also fortunate to have with us two of the experts who helped us to create this resource: Jean-Philippe Décarie-Mathieu and Geneviève Lajeunesse.
01:00 - So, thank you for joining us. So I was telling you that we worked in small groups on concrete issues.
01:09 - And we’re going to tackle three of them today.
01:12 - So to present those issues, we have Peter Sandmark, Tori Fleming and Matt Watterworth.
01:18 - Thank you very much for playing the game and being the spokespersons for your groups.
01:23 - So in turn, they will present their challenges, and the other participants will comment.
01:29 - And then we’ll go back to them to find out what they remember.
01:33 - So without further ado, let’s go to our first speaker: Peter Sandmark.
01:38 - And here, I invite you to share the first challenge you have for us today.
01:46 - - Yes. Thank you, Benjamin. Yes, we were talking in our group about, you know, access to data, the fact that, as public organizations, media-arts organizations, we have different levels of… you know…
02:00 - usage… creation of data and also usage and access to data.
02:04 - So for example, we have staff, but we also have members or artists creating works that might be saving data on our…
02:14 - … gear or distribution centre, clients who want to view videos and things since everything is turned into data now.
02:22 - So we find ourselves with multiple… And then, of course, backing up because of the importance of having backups. We have multiple backups of our data.
02:35 - And then we don’t know whether, you know, we can get rid of some stuff.
02:39 - We do need to also know, in terms of access, what are the best practices in terms of insuring access to the data that people are creating.
02:53 - So, for example, using cloud storage so that people, members can access data, or that staff or board members can access data across… you know, working from different devices.
03:06 - So there’s a multiple… multitude of issues that we’re facing.
03:12 - - Great, thank– Yeah, thank you very much, Peter.
03:14 - So now, we have two minutes for the consultants.
03:18 - So that is our two cybersecurity experts but also the other spokespersons to just investigate with Peter– you know, if you have questions for him– to understand a bit more what the challenge is here.
03:30 - So we have two minutes here. - So, my first question would be what is the challenge in knowing which of the data set is the original one? Do you have any sort of concerns into somebody inserting the wrong type of data into a data set or is it more of a… we need to have historical records of what we’re doing so we need to know version 2 isn’t version 2 or is it Friday version 2 slash… you know? Know what I mean? When these files just kind of multiply on their own.
04:04 - - Yeah. That’s a good point. And, uh… obviously…
04:08 - if, you know, like many people, you often look at the date, you’ll say, “Oh, that’s the most recent, so if it was changed, it might be the one that’s necessary.” I don’t know. It’s also ‘cause we, as organizations, we’re sort of archiving data.
04:21 - You know, we’re archiving, whether it’s, you know, minutes…
04:25 - Especially now, as we move more and more toward digital stuff, you know, we have to keep track, we’re obliged to keep data.
04:32 - So, you know, like I mentioned in our group, I err on the side of caution.
04:37 - I keep, you know, multiple copies of everything anyway.
04:41 - So we have… Data storage is somewhat cheap, so we can do that. But even then, we run into the problem of sort of, uh…
04:49 - you know, managing it and accessing and everything.
04:53 - I don’t know. You know, I don’t even know if there’s an original document.
04:58 - - We’ll have the time for maybe… We have 30 seconds left for this round.
05:01 - So other questions to Peter before we give advice and thoughts? - I have another one if no one has one.
05:11 - - Yes, go ahead. - So you say you have too many clouds; has there… Like, what is the challenge in consolidating your data? You could just…
05:21 - Why hasn’t this happened is my question. - Ah. Uh, I don’t know.
05:26 - I guess because, you know, we’re like… Even shifting to the cloud…
05:31 - cloud services because of ease of facilitation…
05:34 - And this has increased over the past year because we’re, you know, working remotely and working together remotely.
05:40 - So, you know, there’s all the different ones and then we haven’t decided on, you know, using one or another.
05:48 - And so you end up using multiple, and then there’s passwords for everything.
05:52 - So there’s password management as well. And like, what would… A little summary is like there’s levels, there’s, you know…
06:00 - backups, and then there’s access to all that data, and then there’s levels of access.
06:05 - I think this has been summarized in the cybersecurity documents too.
06:09 - But we’re still trying to chart our way– like, what is the best practice– out of this.
06:14 - I mean, you know. - Mm-hmm. Well, I think that’s a good… Thanks. So we are on a schedule now; we don’t want to, you know, use too much of your time, so I propose that we go right away to the consultant advice.
06:27 - So we have around six minutes here. Geneviève, Jean-Philippe, Tori and Matt, what do you think of this case? Does that ring something that is, you know, familiar? Do you have some suggestions? More questions? So here we go.
06:44 - Peter, you listen for this next round, and I’m looking forward to hearing all your advice. So here we go.
06:52 - - So, having overlapping and multiple solutions within a technology stack is something that’s very common.
07:02 - Most businesses or organizations will have between… between 40 and 70 different applications for the various tasks that they use on any given day, so don’t feel bad about it.
07:14 - If you don’t know where to start, that’s a common issue also.
07:18 - Right now, what you do, you seem to have an issue…
07:20 - I don’t know the budget of your organization, obviously, but, uh… I…
07:26 - a low-cost solution will be to just write down all of the solutions that you’re using right now, who has access to what, and how are those accesses controlled, essentially.
07:40 - Matching data sets on multiple devices is not an issue as far as the feature is concerned because most if not all major cloud providers provide granular permissions on given files or folders and/or… and…
07:59 - sharing capabilities to people outside your organization.
08:03 - So I mean, whether it’s Amazon or Google, you’ll find something to fit your need, but the data sets, how they’re organized, how they’re accessed, that’s in your purview, and that’s something you have control over.
08:16 - So a good old pen-and-paper activity that you can do is just write down everything you’re using right now, who has access to what and start consolidating.
08:25 - You probably don’t need to have a Google Drive and an AWS bucket and a Dropbox account shared with about 20 people in a 5-to-10-year period, that some people may still have access to while they shouldn’t have.
08:44 - So, it’s, it’s, uh… it’s sort of an analogue discovery that you need to do on your technology stack.
08:52 - That’s probably where I would start. That would probably resolve…
08:57 - well, several of your issues: too many cloud providers, lack of consistency in accessing data internally…
09:08 - … and, uh… As far… Well, that’s… You made a good point, Peter, saying that…
09:13 - Is there even such a thing as an original document anymore? That’s… that’s… that’s a good point.
09:18 - You will also find, usually, that cloud providers provide historical copies of your documents, so you don’t need to manually copy and create different documents.
09:32 - A lot of cloud providers have versions and controls in-house, so to speak, so that does the…
09:41 - that does the trick for you. - Great. Thank you very much, Jean-Philippe.
09:45 - We still have some time to hear from other consultants.
09:50 - Other thoughts? - Yeah. I’d add that…
09:53 - Think of it as a journey. So if you were to embark on a journey and you’re, you know, packing your bags, then you need to know what you have.
10:01 - You also will tend to maybe pack light. So for some cloud providers where there’s maybe a higher cost, you want to evaluate if that’s where you want to go.
10:11 - Well, don’t… Like, have a plan for what you’re putting in there, so that you can pull it back if you feel this decision doesn’t really fit your organization.
10:21 - There are some specialized tools that would do things like data discovery and the duplication, so you definitely can look for tools that do that.
10:32 - And you really need to… You mentioned the devices in your original question; really take this into account in how you map out what you’re going to do.
10:41 - So, will you need to be accessing this from tablets, from phones frequently, where are you going to be editing the documents, if you’re going to be inputting some data in the field because that will orient the choices that you make.
10:54 - It’s fine to have multiple clouds if–maybe a thing for resiliency– but you need to have some way to account for… Well, for example, we know accounting data is always going to be on that cloud, and it’s going to be managed with a named account, not with an individual’s account, so that if there’s a change in the organization, we don’t lose that access.
11:17 - And yeah, that would be what I’d add to that.
11:20 - - Thank you very much. I’m very curious also about the other consultants at the moment.
11:24 - So, in your organizations, right, so you have arts organizations, have you faced some similar issues and how have you… gone about solving them? Tori? Matt? Matt, yes.
11:39 - - (Tori): I do. - (Matt): Yeah, I know… Oh, please.
11:42 - - I was gonna say that I think that this relates a lot to the question that is gonna crop in number 2 because I think a lot of it is overlapping.
11:51 - We used to have internal servers, which I found solved a lot of cybersecurity issues and a lot of these where-are-things-kept issues, but it just became…
12:02 - It’s impossible in a current, like, pandemic setting when we need to be working from home, and even was becoming impossible before that with employees travelling.
12:13 - So managing the cloud continues to be an issue.
12:17 - And also, another issue is we have to kind of keep up with it as Google changes or as… whatever we’re using changes.
12:27 - So I don’t have solutions necessarily, but I do have sympathy for the problem.
12:31 - - Thank you very much. Matt, your turn. - Yeah. One thing that that sort of brings to mind for me is that making…
12:41 - you know, film content where we’re generating a lot of video content, and just data sizes in general are a challenge to solve.
12:50 - I mean, you could get a one-terabyte Dropbox plan, and actually we probably have quite a lot more data than that if you were to gather up all the video content that we have at a very high resolution. So… so yeah, it’s not easy to…
13:07 - For us certainly, it’s not a one-stop shop.
13:10 - And… and… Peter also mentioned the… the…
13:15 - a bit of security around that, which, I think, my group is also concerned about.
13:22 - So, yeah. And it’s interesting. Tori, I’ve been in another organization where we did the same. We had our own server in place, and then it became, OK, how do we access that offsite, even prior to COVID, and that was not nearly as easy as we had hoped, and…
13:40 - Yes. Also, also, um… sympathetic to this challenge for sure.
13:46 - - Great. Thank you very much. So that was our first round of advice.
13:51 - Peter, I’d like to return to you. Is there anything that rings some bells, that you can put in your backpack and bring into your journey with you? - Yes, definitely.
14:03 - I’ve been taking notes in good old-fashioned pen and paper.
14:07 - So that’s the first step. Yeah, I think… You know, it’s just…
14:12 - it’s just getting a handle on it. And this cybersecurity thing is a great tool for helping to focus.
14:18 - You know what? We were just about to get a password manager, and I was just looking for which one to choose, and, uh…
14:27 - I think, you know, we sort of stumbled into… the increasing amount of data that we’re creating and then the need to back it up, the need to share, the need to control access, so this is all very helpful in terms of us, you know…
14:41 - So I’m gonna actually… I think I could… drawing it out on paper and doing a sort of grand view of where we’re at, and then sort of seeing how we can sort things out will really help.
14:53 - And I should just add onto what Matt said. You know, we’re just getting into… We have 4K cameras now, and very few people…
15:01 - You know, we’re just getting into 4. We have computers that can do 4K editing, and it just, like, exponentially booms the amount of data storage that… we’re running into. Haha! - I was on a set yesterday, and we were treating 6K.
15:15 - - Oh! Wow. (Peter laughing) And it will not get any better, right? It’s just gonna continue that way.
15:23 - Well, thank you very much, Peter and everyone, for this first round. We’ll go to our– - Thanks to everyone for your comments, so thank you on behalf of our group.
15:31 - - Mm-hmm! Yes! And you will stay on as well because now you’re transforming to a consultant for the second topic presented by Tori… Tori Fleming.
15:41 - So a little bird told me that some questions might be very similar, but as you are different people with different organizations, I propose that we keep those challenges the way you have written them, and we’ll be able to look at different perspectives or continue on an issue with topics 2 and 3 as we go along.
16:05 - So, um… Tori, now it’s your time.
16:09 - Please… please introduce us to your challenge.
16:14 - - So our challenge was how might we make sure no passwords are shared to the wrong staff member and what to do when the staff member is no longer working for the organization, given that our organization frequently uses contract staff and has semi-regular turnover.
16:29 - And I think that maybe something to expand upon in this question, within CFAT’s context is, um…
16:37 - that… it’s not just contract staff. Something we come up with a lot is our…
16:42 - We have a working coord who holds a lot of important roles with us too, so…
16:46 - Between all of those people, contract staff or the in staff, there’s a lot of people who are coming and going from our data.
16:54 - And we also are using a lot of cloud servers.
16:59 - And we have no real process from when somebody is not holding their role anymore or for when they leave.
17:08 - And if they leave slowly, we often do that process or come up with some form of a process slowly, and if they leave abruptly, it often feels very panicked to get all of the things back.
17:22 - And the last one I wanted to expand upon for this was…
17:26 - Another issue with that is sometimes when we are trying to make sure that we change the passwords and everything like that, the actual owner of the cloud documents can become an issue.
17:39 - And then we’ll realize that maybe somebody is the owner on their personal account, and it didn’t appear that way, and it feels like we’re constantly managing, pulling back CFAT’s documents into our actual possession.
17:53 - - So I see a lot of heads nodding in approval.
17:57 - So, now we go to the question round to understand your topics a little bit more. So, Tori, you can answer briefly to the questions that consultants may have.
18:12 - Geneviève, I think you are muted. - Excellent. So my first question would be: oftentimes, when we see things like this, where a lot of personal accounts are being used, is there a budget and is there a plan to acquire a solution that would enable the sharing, creation of documents internally? - Yes. So we’ve recently bought a proper G Suite account, so that we can use Google Drive.
18:42 - But the thing that I have found has happened is a lot of… workers, especially the contracts or the contacts, have a lot of Google Drives, and they have a lot of e-mails connected, and I think it just becomes one of those things where maybe it’s just a matter of more due diligence, but when you get the little e-mail that says, “Tori would like to request access,” I think, often, people don’t see “Tori at Gmail would like to request access,” they just see my name, and then they say yes.
19:09 - So I think there’s an honest slip-up that happens, but that’s the best solution we have so far is having a proper…
19:16 - Like, our @CFAT e-mails connected to G Suite, so that keeps it in-house, at least with the core staff, but not so much with board members.
19:28 - (Benjamin): Mm-hmm. - And… yeah. - Now, we are keeping for the question round. So are there other questions to understand better this challenge? Peter, would you like to… to ask a question? - Yeah. First of all, I’ve shared in this experience.
19:53 - So you have to… So I’ve had to do that: change passwords or remove staff members’ e-mails from access to certain services.
20:04 - And I guess the question would be, you know… how is…
20:09 - But I think this is a question for our experts; what… what would be…
20:14 - the best process to set up so that you’re prepared for…
20:18 - You know, it seems like we’re doing… inventing it each time because by the time you have a turnover staff, you’re using different software or you have different passwords.
20:27 - This past year, I’ve seen a multiplication of password, you know, creation for different… multiple different services.
20:34 - So, uh… uh… Is the use of a password manager going to simplify this task? If a person…
20:44 - You know, if you change the access to the password-management software, does that work too? So you don’t have to change all the passwords or…
20:53 - - So, maybe the question here is, Tori, rapidly, do you have a password manager? - We just got one very, very recently.
21:04 - So it’s new to us. Seems to be going well.
21:08 - But we also haven’t had any turnover since we got the password manager, and I think that that was actually a reaction to having turnovers.
21:17 - So, we haven’t dealt with any of these issues in the two weeks’ experience we have with our password manager.
21:26 - - Great! Well, thank you very much. That was the time for the questions.
21:31 - So now I propose that we go into the consulting moments.
21:35 - So, Tori, you can listen to all this advice that our wizards of data management have for us.
21:44 - Yeah, I open the floor for the consultants for six or seven minutes.
21:48 - - Well, on the folder and file ownership, that’s…
21:53 - Well, the head nod, the initial head nodding was because we’ve seen that many, many times in the past, and we’ve had this issue on our hands also in the past, and it’s a common topic.
22:04 - The simple fact that you’re highlighting this as an issue shows great awareness, so that’s good on you, and it’s a great first step of improving your posture.
22:13 - Account ownership… Not account ownership, but folder and file ownership, if you want to solve or at least improve that issue, it needs to be associated with probably, I would say, a title and not a person.
22:27 - Say… associated with a Gmail account, directorofIT@gmail.com instead of JohnDoe@gmail.com.
22:35 - That requires obviously a bit of an… initial process building and constructing on your structure, internal structure, but that’s gonna solve you a lot of headaches down the road.
22:48 - Especially if you switch cloud providers. We have many cloud providers.
22:52 - That will solve the issue of having an account owned, or a folder or file owned by someone who’s now outside your organization, who may have left on bad terms and who may have access to information that he or she should not have.
23:10 - So that’s probably my first reflex, I would say, it is probably, like, associate it with a generic account or title type, and whoever needs to have access to that Gmail account or whoever… whatever account is associated with, you can easily manage it in a directory service, like Microsoft Azure or an LDAP system or whatever you use internally to manage users and group policy objects and stuff like that, which you may or may not have.
23:43 - Password managers? That’s great, that’s always good.
23:46 - You can manage actually the account passwords for those title-related accounts.
23:55 - So that’s good, especially if your password manager has a shared option for sharing passwords between multiple users of the same password manager.
24:03 - That’s always a big one. Yeah, I would start with this, definitely.
24:08 - - Perfect. Thank you. Other thoughts? - Yeah. I’d look to how you can craft policies around sharing with external collaborators.
24:17 - You might want to not do that and give consultants accounts in your organization, depending on cost and how practical that is.
24:26 - And I just want to bring to your attention that passwordless authentication exists.
24:31 - There’s more and more vendors that are moving into that space where you’re essentially using some sort of continuous session or some other attestation that… the person at the other end is who they say they are.
24:44 - And so you don’t have to manage a password, you don’t have to give them that credential.
24:49 - So you can cut the access at the service level, and you delight your users ‘cause they’re not having to remember yet another password, which… that also gives you that, you know, no reuse there.
25:03 - So of course, if you’re using a password manager, that’s less of a problem, but there’s always this one account that someone wants to try just for something, and they’ll use sunshine123 for it, and the next thing you know, in six months, you have a data incident, so… Yeah.
25:18 - - Thank you. Matt, Peter, do you have similar questions for your own organizations or faced some… something? What are your words of advice? - I’m actually… I am a contract employee sort of right now in this capacity.
25:41 - I have been a past vice-president of our organization as well.
25:45 - So I love it, and I am thankful for the trust that I received from our permanent staff.
25:53 - But the… But now in this role, this is the first time I’ve ever used a password manager, and yeah, I do see some value in it, but that was really great to hear because the other thing is, I, as a contract employee, I…
26:08 - We’re using a password manager and it has its own password, but I can still see all the passwords that are associated with it, so I would be worried that…
26:16 - It sounds like that’s a solution to that. Geneviève, is that right? - It can be. You always have the problem of having… do you have the right admin at the right place in your flow.
26:29 - Oftentimes, organizations are shocked when they hear that, you know, my system admin can read my e-mails.
26:35 - Of course, but that’s not always a known thing.
26:38 - So you really need to have a policy for this.
26:41 - So for example, we know we’re going to need to do password resets, who has access to this and what is the process to get to that? Is it through a particular, you know, end point that you need authorization from a manager to open…? Like, it can be…
26:56 - it can be anything that fits the organization, but you need a process.
27:01 - - We need a process. That could have been an alternative title for Cyber safe and sound.
27:06 - Peter, do you have some thoughts about that? - Um… yeah.
27:14 - I think… I think one of the key interests I had coming into this session was policy.
27:22 - Precisely what Geneviève is talking about. Like, what’s our… How do we set up? What, you know? And so when you’re setting up a policy, then you’re putting together what will be a process for all the different staff and stuff.
27:34 - And I think to some degree… Well, we use Google for Nonprofits, and so we switched all our e-mails over to that.
27:42 - So it’s possible to… you know, as staff go, we could create and also, you know, delete an e-mail.
27:50 - We chose to personalize all our e-mails, so that if people are contacting us, they know who…
27:56 - You know, it’s not director or something like that.
27:58 - But then, we can still change the… If a staffer leaves, I mean, we can remove that e-mail from the Google for Nonprofits account and so on.
28:09 - I don’t know, I think… I think… the issue for me is what data is extremely sensitive? And a lot of our data is maybe not so sensitive– it’s just, you know, archive– but for certain things, like accounting or…, and yes, they’re operating on different services, in fact, that are not accessible to other…
28:31 - even to all the staff. So I guess it’s… it comes back to what’s the policy and finding the different questions.
28:38 - And I’ve heard some good ones already in terms of, you know…
28:41 - well, passwordless authentication, so…
28:46 - It’s just getting a handle on the whole thing because it seems to have mushroomed.
28:50 - Digital use has mushroomed so much. But I’m hoping to come out of this with a plan for creating policy for our organization.
29:01 - - Mm-hmm. So we’ll very quickly, very soon move to the third topic, but are there any other final words about this particular situation? No. Great. So I propose we return to our original client, Tori.
29:21 - So, is there anything that you thought that was particularly interesting in what our consultants told you? - Uh, yeah. I think that…
29:32 - having a proper data policy, I think there’s a lot of agreement among our core staff, of which there’s only three of us, about how to handle data, but I’m not actually sure that’s a conversation we ever have with people like board members who have access to all the board documents.
29:46 - So maybe expanding the idea of what our policy is and who it’s for seems really important.
29:52 - And also, I mean, now it seems kind of obvious, but the using of people’s titles rather than their names could be a very simple fix to a lot of problems.
30:01 - Even just like on a very short-term thing. I just came back from maternity leave, and for a whole year, everything that was created was with somebody else’s name, even though she had the same title as me.
30:11 - And, uh… now I have to take those accounts back to my name, and that does seem like a very simple thing that we could just do.
30:22 - So yeah, good to hear. - Great. Yeah. We have to see cybersecurity not as a huge thing that we need to eat all at once– a huge cake, right– but like some little changes that we do and we tweak here and there, and… yeah.
30:38 - And let’s go to the third topic for other little things that we can tweak here and there.
30:43 - So presented by Matt Watterworth, we have a third and final topic.
30:51 - So, Matt, here, please present your challenge.
30:57 - - Yeah, sure. So, yeah, I’m just…
31:01 - Sorry, I’m gonna go back to… - Yes, it is also in the shared screen that you– - Yes, I see that.
31:09 - Sure, OK. So, uh… so really, I think our sort of overarching topic is about passwords, and it seems like we’ve maybe touched on some of this, but, obviously, there are different… different roles in our organizations, and, obviously, certain data should be available to those people and your people, and certain data should perhaps not.
31:36 - And of course, similar to Tori’s topic, the short-term employees or contract employees create complexity for us around the security of those files, and, uh…
31:53 - … definitely, potentially, some of these organizations are working with budget that maybe cannot maintain a proper password manager.
32:03 - So, um… So I think, yeah… some of the same topics here, but would love to have a discussion around it.
32:11 - - Yes. Thank you very much. And even if we have a same issue, two perspectives and two organizations might have different solutions, right? And I think that’s a useful thing to do.
32:25 - So for the next two minutes, I invite our consultants to ask you questions to understand your challenge more.
32:32 - - So, how many people in your organization? That’s one. And two, do you have any kind of…
32:38 - Active Directory… -esque… directory service to manage policy or… and user or accounts? Do you have any of that? - Yeah. I’m…
32:51 - I can actually speak from sort of a unique position, I think, being a current… as I said earlier, current contract employee but also a past board member because having been a past board member who is no longer, I actually did have access to…
33:09 - folders on… We use a service called Box that, uh… that I probably shouldn’t have had access to once I was… once my term was completed.
33:20 - So we have, of course, our board members which, I believe, is around 10, and then sort of our permanent staff is around 3, and then we bring in all manner of interns or STEP students or, you know, summer students as well, so…
33:37 - And it can be, you know, over the course of the year, quite a lot of coming and going from the non-permanent staff.
33:44 - - Mm-hmm. Other questions? - Hmm… So does everybody need to edit the files or can you have more of a… some people really need to know what’s in the file, but they don’t need the edition rights? - Yeah. I mean…
34:00 - I… For me, that… I can’t really speak to that too heavily.
34:05 - I wonder if someone else in our group is maybe the spearhead on that particular point, but, um…
34:09 - I see exactly, it does feel, at least in my time on the staff…
34:17 - sort of pre… Our roles are pretty well defined, and so we’re not really going into each other’s sort of digital worlds very much.
34:26 - Unless we do and we’re collaborating on a document.
34:29 - And that is Google Docs usually, so… So yeah, access around that, I don’t know if I’m speaking for my group as well.
34:41 - If there’s anything in particular, don’t know if they’re allowed to chime in, but there may be other points there.
34:46 - - And am I hearing this correctly, that you’re using multiple cloud services to have those files? - I guess we are, yeah.
34:55 - Sort of… sort of without… Because of course, Google, the services we use are on Google, is one, and then Box as well for sure.
35:02 - And who knows what other staff may be using something independently in.
35:07 - - So I propose that this will do for our questions period, and I invite our consultants.
35:14 - So here is Peter and Tori to… Peter, Tori, just help Philippe and Geneviève to, you know, think with this challenge and see what kind of advice we can give.
35:27 - - First advice I would give is you need to map out those user groups and have main persons that are accountable for making sure that these are maintained in a way that’s up to date.
35:37 - So most of the cloud providers, if not all that we’ve named today, allow, when you have a paid account or, you know, the account that’s granted for nonprofits, to have group permissions.
35:50 - So you’ll want to create those groups, and then you can, for example on Google, you can remove some services for certain user groups.
35:57 - For Box, you can change the permission level on editing, so maybe they’ll have only access to some files.
36:06 - But that would be my first thing. Like, to have that Venn diagram of…
36:09 - I sit here. Do I need finance? Do I need IT? Do I need contracts? Do I need, you know, all of that? - Yeah, and, and…
36:19 - that actually brings an interesting governance issue.
36:24 - I’ve seen a bunch of places… Just because some guy is the CEO doesn’t mean he needs to have access to everything.
36:34 - And this is more common than most people may think.
36:39 - Yeah, there’s a reason why there’s a granular aspect to access.
36:44 - It sounds… You really need to operate on a need-to-know basis.
36:48 - Just because you have the right to know does not mean you need to know or you need to have access to certain things.
36:56 - For the company I work for, the CEO doesn’t have access to most of the stuff I have. I have way more accesses than he does.
37:02 - And you know, that’s fine, that’s my job. You know, that’s not his. His is to shake hands and get contracts and the political aspect of it, so…
37:11 - You need to have the C-level… Well, I mean, obviously, I’m speaking from what I know or whatever the equivalent of C-level executives or suits or decision makers that you have on your side for this ‘cause there’s definitely a trickle-down effect on this.
37:27 - If the top brass don’t really play by the rules, you will see an issue trickling down with the…
37:36 - on the baseline definitely. There’s always a governance aspect that you need to…
37:42 - keep in the back of your mind. It’s never the most fun aspect to deal with, but it’s, uh…
37:49 - there’s no way you can just go around it. So just keep that in mind also.
37:55 - - I’ll jump in with one last thing. The… If the budget is too limited for a commercial password manager, that’s perfectly fine, but you need to find a way to mitigate for those passwords that people are going to reuse from their personal lives.
38:09 - So you can set these platforms, again, to require some multifactor authentication.
38:16 - It can be an app that an employee has on their personal devices.
38:20 - It can be some hardware keys. I’m trying to show one to the camera, and it’s not going to work because of the background, but…
38:26 - These cost around $20. It would be an investment on the employee or contractor’s part, but they’re going to reuse them everywhere in their life. They can secure their Facebook account with this. It’s…
38:38 - Once you get on board with these things, you use them everywhere.
38:41 - - And you will end up saving money in the long run.
38:44 - Like, way more than you will have for the initial expenses of them, of rolling out a password manager or hardware-based two-factor authentication or stuff like that. It’s really not that expensive, like, versus what you need… you’re gonna end up dealing with in process and then back and forth and lost accounts and lost data and stuff like that.
39:05 - It’s gonna cost way more than that. You just need to just, like, basically prove it to the brass, and that works every time.
39:13 - - Or they can use personal devices. And you’re going to get something that will, you know…
39:19 - It doesn’t add much friction, and if you need to temporarily disable it for security reasons, you’ll have a policy for that, but you’re at least protecting against somebody who’s just done with passwords and done with that and have this one good password that they reuse everywhere.
39:35 - So, that’s… that’s a very low-cost one that adds not too much friction and gets it done.
39:43 - - Great. Thank you. Do we have other ideas from Peter or Tori? Or perhaps an angle that you’d like to invite Matt to consider this problem from? - Peter here. I’ll add a comment.
40:02 - ‘Cause hearing Jean-Philippe talk about the process in a sort of more corporate structure, it strikes me. And also hearing Matt talk about, you know, limited budget for software, for commercial password management and so on, that also means that our organizations, media-arts groups, don’t have a budget for an IT person.
40:21 - We don’t have IT departments. So what we’re talking about today is distributed among, you know, all the different…
40:27 - But it kind of suggests that kind of role has to be assigned… or someone should pick up that role in the organization.
40:36 - In other words, assessing the layers of secure access to files and the security issues.
40:44 - So, it’s like we have to become our own IT consultants.
40:49 - And it’s possible since I’ve just become a consultant today.
40:53 - I didn’t know how that happened, but… there you go. So we have to take it on. Hahaha! - Thank you very much. Tori? - Yeah. I think what you’re just saying about not having an IT department, that was on my brain too, but particularly if you’re in a place where there’s primarily contract stuff…
41:16 - Like, I know, as full-time staff with permanent jobs, this sort of thing often falls to the bottom of our list, and we’re here all the time.
41:24 - Let alone if you’re a contract staff and you’re there to complete a very specific project, it would fall even further to the list.
41:30 - So I’ve been thinking, within our context, about maybe making some sort of actual schedule of… these are the days that we review this stuff and make sure that everything’s where it needs to be and making sure that there’s a deadline for it.
41:46 - Because we’re always gonna get our grants in on time because there’s a deadline that somebody’s asking for.
41:50 - But this sort of thing can always go to the bottom of the list, so maybe we need to be our own bosses and force these sorts of deadlines on ourselves.
42:00 - - Yep. - Yes, exactly. And we have some comments from the chat here.
42:05 - Someone asking maybe more precision or a list of some of these low-budget solutions.
42:11 - So, I propose perhaps that we… since this is a given, that, from this particular challenge, maybe you can orient a little bit some of the advice and seeing that in terms of a low budget for the one or two minutes remaining.
42:29 - - Uh, well, I’m not exactly sure what low-budget solution precisely we’re referring to, but anything that has to do for a multifactor authentication for example.
42:39 - There’s free applications that do that. Google Authenticator, for example, would be one of these.
42:45 - In terms of the… Anything that has to do with group management.
42:50 - So if you’re part of the Google for Nonprofits, I do believe this is included in the accounts.
42:56 - And otherwise, it’s really… define low costs because for some organizations, $5 per seat might seem like a low cost, and for another organization, it might be too much of a cost for the benefit that’s perceived.
43:10 - So I’d say, for this, run through the actual budgeting of this.
43:16 - So if you’re saying, “Well… this password manager is too expensive, it’s $150 a year, we don’t have it,” how much time will somebody whose…
43:28 - main job description this is not, going to be, you know, spending fixing password issues for other people and not providing the value that they’re there for? So I find that oftentimes, when we go through the rings of doing this, then the picture shifts a little bit.
43:46 - And also, when we look to software licenses, sometimes, you might have some duplication.
43:51 - Maybe you’re using three services that do essentially the same thing, and if you were to consolidate, you’ll save there.
43:57 - And if you consolidate, you remove some of the complexity for the cybersecurity, so maybe that’s an extra value.
44:03 - That’s how I’d look at it. I always feel uncomfortable recommending specific solutions because this is a…
44:09 - like, it shifts really fast and the decision that you make today, in six months, might sound a little bit outdated.
44:15 - So the one advice piece I have there is you need to put some time into your strategic planning to look at, you know, is our software serving us well, is there anything better on the market, right now, are we happy with the way things are going.
44:31 - This will pay for itself in spades. - Thank you very much. Jean-Philippe, I think you had one last thought before we go back to Matt.
44:39 - - Well, I think Geneviève pretty much said what I wanted to say. Like, there’s a multiplicity of solutions in your tech stack usually.
44:46 - That’s when you spend time on actually sitting down and saying, Oh, we’re using this, this, this…
44:50 - Well, we’re paying for this and this and that, and we’re not actually using it. So you might find your…
44:55 - Even though you may have… you may be on a limited budget, you may find, actually, some leftover cash lying around for applications or solutions that you’re not actually using.
45:06 - So you may have more money than you think so.
45:09 - And just… it needs… As always, it’s baby steps, and it’s fine if it’s baby steps.
45:15 - It’s a marathon, it’s not a sprint. It’s a gradual improvement that you need to do in your posture, and this is gonna solve you a lot of headaches down the road.
45:27 - It’s fine if it’s not perfect. It’s never gonna be perfect.
45:31 - And if the steps are… Just awareness is already a massive step forward.
45:36 - And if you can solve one issue in a year, that’s one less headache that you’ll have down the road. So it’s fine.
45:43 - - Thank you so much. So let’s return, finally, with Matt to see if this conversation inspired you with your challenge.
45:53 - - Uh, yeah. I would say absolutely. I’ve got some good notes here, and…
45:56 - I think what it comes down to for me and all three of these conversations we’ve had so far is that we really need to create best practices.
46:07 - Also, the word policy is coming up a lot. We really, yeah, seem to need a strong process.
46:15 - Especially when someone leaves, especially if it’s not on good terms, that’s concerning to me, for sure.
46:20 - So, a clear process around that that everyone who’s new to an organization knows going in, ideally, would be my preference.
46:32 - And maybe it’s sort of part of the sign-out, so…
46:36 - Yeah, policy and procedure and some best practices are what I’m taking away, for sure.
46:42 - - Thank you very much, Matt. And, guys, these were all the topics we prepared for you, so I hope you enjoyed them, and hopefully you learned some things.
46:53 - So thank you for listening to this conversation.
46:55 - Also, if you are curious about a first step or perhaps a first draft of those policies, well, you can find a lot of ideas and resources on cybersecurity on Cyber safe and sound, so please visit…
47:11 - please visit it, right? It’s at imaa.ca/cybersecurity.
47:17 - So, yes, we have a lot of those drafts and procedures to help your art organizations with cybersecurity issues.
47:25 - So my name is Benjamin J. Allard, and on behalf of the Independent Media Arts Alliance’s team, I wish you a wonderful end of the day.