2024 Security BSides // Sue Richards

all right hey everybody thank you for sticking with it for after lunch so want to make sure that these slides okay perfect they work oh I'm sorry I'm one-handed here there we go okay perfect all right now I got the technical stuff out of the way you can tell I'm not a technical person I am more of a project manager uh compliance person so you're in the right session if you're not looking for something like how to code and and get rid of bugs my daughter was asking the other day she's like yeah she goes I don't know how much you code or don't code and I gave her a graphic that said um my my life in information security is

meetings and then meetings in blue you know it's a little pie chart so I was like yeah I'm I'm the meeting Queen but I'm so glad you're all here um and we are going to definitely have security tea time um one of the when I first was putting this presentation together I was so happy to know that um I was coming to the Cayman Islands um knew it was British controlled or British ruled at one point you drive on the wrong side of the road I'm sorry I'm just going to put it out there being from the US um it's it's been an adjustment to do that um and so one of the things I thought for

sure was that tea would be such a big part of the culture here in the Cayman Islands um and lo and behold we get off the off the um airplane we're standing in baggage claim first ad I see Starbucks Starbucks come on let's get some tea going so you're here this afternoon for a secure tea party but if you're a coffee drinker you're still welcome so here's what we're going to go through we're going to go through the current state of cyber security awareness training won't spend long because it's boring we're going to try and talk about some new strategies I'm going to give you some actual case studies things that have worked with me

and some of my clients in the past as well as um your next steps so who am I I go by the the title sucurity um it was born just a a couple of short years ago um I had just started at a very small startup was going through the onboarding through the the security training through all of that and um reading through the mission and values and it was you know don't uh oh what was it um take chance is don't be afraid you know that that type of thing and so day two still trying to figure out all the the training that I'm going through and the um the teams were getting hacked where a a text message

was coming up from reporting to be from the CEO saying hey you know give me a call when you get out of your meeting I really need to talk to you and it wasn't obviously the CEO so my boss comes to me and he says okay need you this is day two I need you just send out an email to everybody introduce yourself and tell them not to click the link or not to respond to that text message so you know I had been so many years in corporate and I was like okay but I'm at this startup and it's you know be bold be brave to lead you know stay over the ride so um that's where I

said you know hey I'm Sue Richards AKA security sent that out you know said you know please here's here's the text message do not pay attention to it 30 minutes later my boss comes over and he's like I'm going to have that email res sended I was like why he's like um you spelled there's there's spelling error I was like I checked it three times I I mean I this is day two and he's like you spelled security wrong like it's and you could tell he was so embarrassed like he's you know the board is gonna be like nice nice pick you know and I said no I did that on purpose and he's like but

why so I called my husband um he's here he can attest to it I called him and I was like I made a big mistake I don't know if I don't know if this culture is ready for me um i' had been so often in corporate culture that I was like ready for a startup and all of that before I got home the marketing department and somebody from the people team had called me and texted me and said this is brilliant I love it welcome security I get it so that's kind of where security was born um I'm a community Builder and I am a consumate tea drinker and it's nice to be in a place that we actually

put milk in the tea I'm from the US um I live in the south now and tea in the south is iced and sweet and I'm used to milk and a little bit of honey in my tea so it's nice to be around friends all right so current security awareness training and I just want to level set so we're understanding what I'm talking about there's the information security training and that's where we have a little bit of leeway we have the ability to you know talk about ransomware and uh you know don't click the link and business email compromise and things like that we have leeway as far as making that fun compliance training that's your government

regulations they usually have exact rules about how you can the format that you can present it in how many different slides and how much boring content needs to be in there so we we really can't do much with compliance training if you are regulated by a government or industry entity compliance training is here to stay then what we can do is kind of dress around the rest of it and then there's also fish tests and I I um I actually don't like the term fish tests um I had somebody come to me um and and say you know I my my stomach clenches every time I'm opening up my inbox because I'm afraid I'm going to

get one of your stupid emails and then I'm gonna have to take some stupid training and I was like you know when I first got there we were doing fish tests as 20% off Maui Jim sunglasses well 80% of the people didn't care about that anyway and so the The Click rates looked great what we ended up moving to was an email from your boss saying you've got a typo in this document please fix it and of course you're going to jump on that a lot faster than you're going to jump on Maui Jim sunglasses so I was telling her I said please don't think of it as a as a test that you fail think of it as

weight training if you upt your weight and you couldn't do all the repetitions that you used to do with a lower weight you wouldn't consider yourself a failure you'd look at well here's the times that I could actually do this weight and maybe I can't get 10 repetitions of it but I can get eight and I'll get to 10 so I said think of it that way as more of a of a weight training or fish training all right so why am I here well we've got um why do we do information security training we've got those regulatory requirements a lot of times we have to pass annual audits um I do a lot of compliance Readiness for

customers and information security It's usually the same that they've done year one year two we passed the audit with it let's keep going um but we also want to have it evolve I mean we need it to to evolve as hacker um hackers get more sophisticated as chat GPT comes in and removes all those spelling errors from those business email compromises Etc and you know at the end of the day we want people to not click the link but right now this is what people do when they say hey it's time for your annual security awareness training these are usually the reactions am all right kind of getting the reaction right now all right so because this is a tea

party and we need everybody to be social we're going to do some exercises um and again it's not anything strenuous I promise um but I'm going to look for a volunteer there's a series of exercises I'm going to look for a volunteer for each one of them and I want you to all break into different groups like at least four or five in groups and you can kind of do that I think you're kind of set up that way so you can of if you're if you find yourself yeah if you find yourself kind of a lone Island join a group but we need at least four or five people per per group um and like I said there's

going to be a series of these now I just recently went through um our local our local police department in Brentwood Tennessee does a pol a Citizens police academy and we had Patrol night one of those nights and it was what you think we we got into the squad car we had our we had our uh little police badges on had an actual officer in the past passenger seat but we got to pull over a perpetrator and each scenario was different and so those of us that weren't driving the squad car at that time got to watch and the other scenarios as they played out and when the the police captain asked for volunteers I was like yes everybody

looked at me like why are you volunteering and I'm like they're only going to get harder so with that in mind pick a volunteer to do this first exercise introduce yourself spend a minute just talking to your group who you are why you're here what you're passionate about go come on it's a tea party we social hey Chris

it's a little to hear you it's just I'm so close to you [Music]

all right I hear a lot of laughter which is good

all right I give you 10 more seconds to wrap that up and we'll go on to the next

exercise all right we're on to the next one next one is it going to be even more fun ready all right so pick a different person not the same person that was the leader that time tell a story we just had a right before we had lunch break we had a person in here talking about storytelling so you can use any one of these you can use a headline you can use a personal hacking story that you know of but tell tell everybody in your group a story and spend another minute or two doing that [Music]

when

[Music]

[Music]

all right we'll give everybody 10 more seconds on this

exercise all right we're ready for the last exercise last exercise pick another person in your group that's going to lead this one demo a tool now I've got my husband out down here at the front if you need a tool like if you're if you're just you need a a physical thing he's got a couple little like little squeezy balls and things like that if you actually need like a visual tool but talk about a tool that may you may use in your in your day-to-day um whether that's software tool or you know something that you do but if if you need inspiration he's got a little goodie bag down here so just raise your hand I'll

be happy to pass him out oh there's one

[Music] and they're goofy tools they're they're not serious cyber tools

[Music]

that's okay

all right coming to a close on this on these exercises all right so just a wrap up give you a couple more seconds um just to wrap up so be thinking of when you were the leader which one of these would you was like you were dreading versus which one of these was a little more comfortable for you so think back of you as put yourself in the place of the person who was leading telling about yourself the spotlight on you telling about you know a hack or or kind of why you do what you do or using a tool to talk about how you do what you do kind of figure out for you personally which

one was more comfortable and then also as an audience member as the person who was listening to whoever was was doing each of these exercises which one was more entertaining which one is going to resonate with you and you're going to walk out of here going ah I didn't think about using that little cat bulldozzer as a as a way to you know collect password sticky notes you know or something like that so just be thinking about that because again um kind of the way the previous speaker right before lunch was talking about know your audience you know know how you communicate and what's comfortable for you as well as know what what's entertaining and and

engaging for your audience um funny story about that that same Brentwood citizens Police Academy um we we had one night which was SWAT night which is special weapons and tactics now these are the Elite police officers these are the ones that work out they have an extra Fitness level they have extra tests they have extra training pretty int intimidating and they had said that night they were like okay we're going to do a presentation about what the SWAT team does and then the whole second half of the evening is going to be talking with the SWAT team and I was like we're getting to get out here early because I mean who's going to engage these guys are tall and you know

just and they don't smile because you know they're they're trained to to be intimidating and what they did was they brought a lot of their tools they brought the the lock the what they used to pop the locks um the battering rams they brought the body armor that they use they brought the jackets and some of the Tactical pants that they use that room it was hard to get everybody out I mean the room was loud people were laughing people were engaging it was just because those those tools were there we were able to try things on we were able to really connect with what it is that the SWAT team goes through and and it was amazing to me because I was

like I'm going to be so intimidated there's no way that anybody's going to you know we're all just going to kind of sneak out and but it was it was one of the most fascinating nights because we got to see the tools and how they use them and talk with them firsthand about that all right so you can take your seats what the the demo part of this is over but thank you for participating thank you so much all right so we've got a new approach first and foremost security awareness training can't be just once a year you can't relegate it to once a year or once a month with a fishing test Etc it really has to be built into your

culture and in order to do that you really need to be present in meetings um incorporate it into your your daily life as you go through your organization um as well as your your home life um our our kids are very well-versed um we have three in in college right now they're very well versed in in scams but even they you know sometimes will will you know call me and say hey is this really you know is is the University saying they're going to you know drop my um my my user ID and I'm going lose all my emails and all of my you know course history and I was like when has the university ever done something overnight

you know they don't give you 24 hours they give you a semester so um but you know everybody can be susceptible to that um find advocates in your business teams so not it necessarily but in your Finance team Etc um I I remember thinking I was going to find Advocates because I had my the security wearers training that was mandatory everybody had to do it and then I put some fun optional training in there and I said to my boss I was like you know we're gonna I'm gonna find out who my Advocates are because they're going to go through that optional training and he's like nobody's going to do that it's boring nobody is

going to do it and I was like ah we'll find it he was right nobody did it six months nobody did any of the optional training so what I had to do was I had to go have conversations in the break room with people have um you know just that social time get top of mind on people's meetings um if I knew the marketing team was going to be having their All Hands meeting hey can I have have five minutes to just talk about something that is relevant to the business and them so um that was really uh very helpful to just secure by walking around you know you always hear that that term managed by walking around

well secure by walking around you know let people know who you are that you're approachable they can ask you anything um and make it relevant to your business um there's some case studies that I've got uh coming up that that will kind of help drive that point home um and improve their personal security you a lot of um a lot of kids you know college kids high school kids they're pretty pretty secure they're pretty socially aware but their parents might not be and so instead of having to learn from their kids how to be safe this would be something that you know to be able to put in you know hey it's Halloween you know personal safety is a big thing it's

holiday season you know if you're shipping packages don't be fooled by scams Etc so you know kind of make it relevant to the to the Time of the Season over you know most of all make it fun I mean put yourself in that position if you think it's going to be fun Try It Out On A A Team or two and if they're like then you know try something else all right so here's the first uh use case or case study um an insecure workstation this can really drive home in a physical sense what we mean by when we say clear desk clean screen and so you can set up if you if you're in a

physical location you can set up a cubicle or a work desk an empty work desk um put it in somewhere that's that's kind of a hi traffic area um put you know a password sticky note on the on the screen or under the keyboard put you know fake documents that say top secret sitting out on the on there put something in the waist basket that should be shredded um and just put yellow caution tape around it and then invite people to see you know find find The Faults find find what's wrong with this because that way you're not picking on them um but you know use things that you've seen in your when you are walking

around and so that way it's kind of a nice way to to drive that point home oh I'm not supposed to do that I'm supposed to shred that without calling somebody out and and you know making it a big deal for them all right next one I'm from Nashville Tennessee Dolly Parton's kind of a big deal um country music is is um you know is we're definitely considered music today I was having that conversation at lunchtime um and so one of the things I I I've aspired to do this I haven't done it yet because I'm here for Halloween but um is to spend in the US October is national cybercity awareness month so to do a

whole theme the whole month about what would Dolly do um you know we have Dolly partner for president t-shirts that they sell in some of the local stores so I mean everybody's dol's an icon and so I've always had this dream of of doing that you know having a an entire month dedicated to what would dolly do and then coming in on Halloween dressed and and I don't think I can do the whole costume but I can do the wig I can definitely do the dolly wig so you know dressing up that that way and just you know making it fun making it memorable um there's if you go online there's all kinds of national days um just a few

here Global Beatles day so if you're a Beatles fan dress up as one of your favorite Beatles characters um Elvis Week um and these are these are just more the the you know the the music venues but you know anything that's relevant to your particular industry or your particular culture would be fine and yes you will feel like this is the first time you do it I mean look at me you know I'm I'm feeling a little bit out of my element but the more you do it the more comfortable you're going to get with it and it's fine and it humanizes you um you know it it really helps people go oh okay she really she's

really passionate and serious about this so maybe I should maybe I should pay attention and you know sometimes they're laughing at you sometimes they're laughing with you but they're laughing so go with it um this is a use case that I did in for the dental industry I knew dentists and hygienists oral hygiene is like huge for them well cyber hygiene is huge for me so I made it real for them and so I had a series of these just fun things you know don't use the same toothbrush to clean the grout or the toilet that you use to clean your teeth you know if it gets if it gets compromised you drop it on the floor

change it you know so so things like that but just kind of silly um you know fun little things to just kind of drive that point home this we actually put on the company intranet so we would have you know um and I put it in my newsletter once a week so I have a different one um once a week and then a recap at the end um but figure out for you and your industry what matters most to your industry and what matters most to your end users and use that um right now I'm working with a pharmacy client so I can very easily adapt to this password management to the prescription pads because they'll get into an awful

lot of trouble if somebody's stolen the prescription pad and is filling prescriptions without proper authorization so it's that same type of due diligence that they do in their in their daily work that you can kind of tie to uh cyber hygiene and then crisis management and I I don't like to use this term lately um but you know we saw the stories of of things that happen in our industry or in similar industry um but spend you know if you could get an hour of the board um but just spend some time with the board going through okay if what happened to them happened to us who's going to Comm communicate to Legal who's going to call the Cyber

insurance company and just kind of walk through that scenario so that everybody understands um you know one of the things about doing risk assessments is to really put your operational risk I mean information security risk is an operational risk and to put that into terms from even working with your Enterprise risk manager and just saying okay if this goes out you know we're we don't have to worry about trying to optimize our products we need to worry about paying our bills um and and so really kind of bring it home to to that piece of it you can do at a department level you can do business continuity planning you know walk into your Finance

team okay what if the vendor that we're using to pay our vendors gets compromised what do we do do we have any contingencies um you know in the US change Healthcare handled anywhere the statistics are anywhere from 1/3 to 1/5th of the US healthc care claims and they were breached and they were down for a couple of weeks other companies you know kind of took that on and said look we'll you know we'll start doing the payments for you etc etc so I mean bring that home to to them um and you know worry about your vendors and all of that um and then for your it team teams use a false positive um as a real world

what if you know what if this wasn't a false positive what if this really had happened um one company I was working at we were starting to really get into patch management and so we were patching systems that had had not been patched in a really long time we were having to do Powershell commands to do that while our antivirus was like hey they're poers shelling so we got a call from our MSP saying um you know it looks like you're compromised well we're not um but then we asked the question we're like well what if that had been what if that really had been a bad guy and not us patching what would we have done and

we were able to kind of right size the response because we're like well it's a workstation so in the case of a workstation we'd break it we'd overnight on a new one you know but if this was the CEO's workstation what would we do probably break it and have his admin assistant work on things because you know who really gets the work done but um but yeah so you know so use real world scenarios that are happening and and kind of use that as as fuel for having those discussions and then this is one that I always use with um when I when I meet with retirees and do said if you're ever making any of these faces just call you

know call the IT department and again this is can this can be something that you you can put out on a corporate internet you can put it in a newsletter you know say if you're ever doing this please call rather you call than you worry or wonder or don't take any action all right so just to sum up we've got some new approaches to security awareness training um and so does anybody have any questions on any of those that that I went through all right well you can also host your own tea party you can make security awareness fun I can't I can't tell you how many times I told people I I I host

I host tea parties um security awareness training disguises tea parties and like I want to come I want to do it I want to dress in the Hat I we had we just a couple weeks ago had a a group of uh retirees and it was the largest uh it was the largest gathering that they had had in at this at this organization and I still don't feel like I I even did enough um and we're probably going to go back quarterly to them but it was encouraging them to bring their own devices and we would help put multiactor authentication on FaceTime for them because it was a big deal and they didn't necessarily feel comfortable

asking their their children or their grandchildren to do it um you know we went through some app security and and things like that but when you're hosting your own tea party you can build security awareness and even into the invitation because if somebody gets that and they click the link right away just go well didn't that seem like it was a little odd I mean what something that's never happened before you know did you think about it did you hover over the link when you came into the Tea Party did you tell everybody where you were going you know so you can incorporate even some basic security awareness into the whole process and Logistics of

hosting a tea party and then really a tea party is you know just finding something fun and relevant incorporating that in and again if you're not doing it every you know on just once a year if you're not relegating it to that you can you can focus on one topic and so you don't have to overload them with a lot of jargon you can focus on hey let's get your phone app security where it needs to be or let's talk about business email compromise let's talk about ransomware things like that so again if you want to host your own tea party make it social um also include if you have a team hopefully you have a

team even a small team have them come to the party as well um ideally it works with round tables and then SE your team at different tables and let them all collect in one and just be on their phones have them at different tables and then do some of the workshop exercises that we did introduce yourself demo a tool you know get so that your teams are out and about with your other business teams and they get to know them on a personal level when they might not otherwise um making sure you have some good food some tea some you know something special something to to make it memorable um host ask me anything sessions um our pastor at our church has

he goes to a local bakery every Monday from 10:00 a.m. to noon and it's drop in if you have questions for him otherwise he just enjoys a nice muffin and some some iced tea um but have those as a regular as a regular occurrence so that people can feel like they can even bring their home computers and ask questions about it you know should I patch this I I can't tell you how many different people from their own personal computers don't patch because they're so afraid and don't necessarily know that their browsers need to be patched from home so encourage that encourage them to bring a phone do you have a question about your phone you know just anything doesn't

have to be work-related because the stronger they are personally in their security awareness the stronger they are going to be at the office and then host office hours similar to how um you colleges and University professors have office hours just have a regular time that people know you know you can I'm available and you know just stop by or like I said if you're not getting that traction go out and talk to people during those office hours that you have and so I know a lot of people think oh yeah security RAR is going to be a lot of money but I really don't think it has to be a lot of money I think there's an investment of time

but we all have the same amount of time it's just how we want to spend it and so the acronyms um you know tea wasn't just a wasn't just a drink here um I consider the tea time and I think about you know how you make time for tea um it's training your people um making sure that it's consistent it's not relegated you know don't be that once a year exerciser and think that everybody's going it's going to resonate and stick with everybody um you know we have to do security awareness training we definitely have to do compliance training um but but make sure you take that time and be mindful about training them engage with your audience

communicate um on a regular basis and again don't be that you know I I don't really know who they are the one of the um companies that I worked for my predecessor my boss had said he's like you he's worked here for two years before he left he's like I don't think anybody knew who he was he's like I want that to be different for you and we had different offices um across the the east coast and so I made sure I was very intentional about making sure I walked into each of those offices and I may have only stayed a half an hour you know and yeah it's kind of a pain to fly up

to Boston and spend a half an hour in one location and another half an hour in another location but it was it was impactful because then when I sent that newsletter or when I had that meeting they knew who I was um and I would just sit in in their you know in the employee lounge and just wait for people to you know that's just my face you know you know who I am and and I think it it went really it was it was very you know very impactful for them to do that or just to see me there um and then you know for everything that I've talked about use what works and leave what doesn't you

know there not everything is going to work for everybody um but you know if you saw one you're like never but you know there might be one or two that that was impactful for you and then definitely at the end of the day have fun be passionate I mean I we're we're in this business not for the glory we're in it because we have a passion about making people and in our systems more secure and let that show you know let that shine out to people um and and they will it will resonate with them and and they will take from that and and be serious about it and if you have any questions um I've

got business cards um that I can hand out um but this is my website and I host uh tea parties and newsletters and I am happy as you can tell I'm a little passionate a little quirky about about security awareness but um it's something that through all the years of it that I've done this is something that I really think hits at every level um you know every company is now an IT company in one shape or form you know in the past we weren't but you know everybody has a dependence on on it on technology and it's and it's up to us to be the the ones that lead the way in training people so again please remember

to make time for

tea and we still have time yes we still have time for a couple of questions if anybody has

questions yes you in the front what you do to your what I do to my hand all right dress the elephant in the room thanks for sticking with me um I fought with a can opener and I lost so it happened about a week ago I had surgery just about a week ago so yeah I have I had a a shortened uh truncated enjoyment of the of the Cayman Islands but I still I admire this beautiful island and definitely have to come back so I have a mic I have a microphone so thanks so um good presentation quick question for you which is what what are some of the um the best ways that you can think of to

reinforce the training because often times staff just do the training as a necessary evil to meet some compliance check yep I've done it so therefore I can get my bonus or whatever correct yeah what are some of the things that you think can help to reinforce it so that it really hits home well like I said compliance training a lot of times they'll say you know I I know for the US it's very specific as far as it has to be delivered with this wording in this format you can't make it fun you you have to just endure it um but I think for that it's really you know the carrot in the stick you know make it

competitive you know if you've got if you've got departments and teams that that are um are looking to um there's there's usually a little rivalry between departments you can be like hey I'm going to give a party to you know whoever does this first um and the same with like that insecure workstation um you can send that out and even if you're a remote you know if you're a remote organization you can take a picture of a of an insecure workstation or you can kind of make your own and like have that as your backdrop every time you're in a meeting and go hey what's wrong what's wrong today you know and and kind of

make it fun to engage people and see who notices um there is um one just this week was talking with somebody and his slack message you know they have slack has a as a location um and his was Venus and like two days earlier it was Mars and I was like what's that about and he's like you're the first person that noticed that he's like I've been doing that for six months he's like you're the first person that called that out but you know you can make it it fun like that compliance it's going to be government run government regulated um so there's really you know there's the incentives to um you know I I gave out

little squeezy tooth uh teeth as an incentive um at one of the dental organizations so whichever team whichever office completed it first we sent 30 of those little squeezy teeth out to them um and then the stick obviously which is the name and shame um you know it's senior Management's going to see this which is more of the corporate you know that you have to do um because you know when you're audited they're going to look for that 100% compliance on your training but again you know and you still probably still have to do some sort of you know to to pass an audit for information security training you probably still have to do some of those videos but you can maybe

put it out quarterly or you can tone that down because you're going to be using weekly monthly you know other things that you're doing as part of the their daily lives to to improve that security so yeah from a compliance perspective a lot of times you're you're stuck with that but to raise the level of the culture to be security aware these are the the principles to put into

practice all right anything else oh there's one back

there I'm not trained to do this um thanks for that um I just wanted to ask the fishing tests how frequently do you in your opinion should that be done well for fishing tests I think you need to exercise those so I think monthly it becomes um it becomes not necessarily um it's not too cumbersome to do a monthly and that's still enough to be fresh in people's minds but I also would put together a newsletter I I had a Weekly Newsletter that I would send out to to my teams to to the entire company same one that was hey introduce yourself you know um so weekly I would send out something and if there was um

something that was happening like the CEO is pretending to you know somebody pretending to be the CEO sending text messages I would do that immediately and send that out as as kind of a hey let's do another fishing test to make sure that you know people are are reading my my newsletter reading the emails seeing the the slack messages um you know and that's the other thing is you know meet people where they are culturally um I'm a horrible slacker I I don't like slack I it's it's unnatural to me but I forced myself to have a security an infosec Channel a security channel in slack and I would just post you know Shark Week

okay well you know be be careful of ransomware and so I would just kind of do fun things in there to see you know who was going to stumble across it and and things like that so all right anything else other questions I've got one for you if I can horror stories what horror stories of people of firms Oran a that just as a learning experience things that have shocked you oh my horror stories um well luckily I did not work at change Healthcare I left change Healthcare before that that horrible hack happened um and but you see it I mean you see it in the industry um one of the organizations that I was working for one

of their third parties was hacked um and it was where all of the health records were held so it was um you know not only what what luckily we could work offline so we we had that ability but we had to order supplies because we use that same vendor for ordering uh Dental Supplies and we had to do that all manually so it all funneled into one person who suddenly became you know instead of just being the studio manager um she became the order Clerk and had to take all of these paper orders fax them or email them in see what the status was you know it was it was no longer an online thing

um so you know I know from change Healthcare I saw the um the Congressional hearings on that so I mean when it gets to that level it it's huge um like said Lu I didn't have to wasn't part of that organization when all that happened um but uh yeah so the for me personally the worst was a vendor that got compromised that forced us back to a manual process we have time for one more question someone needs to uh one more question from the audience please or I'll or or we'll pick on someone shall we yeah yeah whoever was introduced yourself no I'm kidding but well thank you all so much I appreciate it and

hopefully I've added some fun and levity into your day [Applause]