Get Cyber Ready: Best Practices for Navigating Today’s Biggest Threats
October 2, 2024 | 1:00-2:00 p.m. ET
Today, businesses face a myriad of threats that can jeopardize their operations and reputation. With the Travelers Risk Index highlighting cyber risks as the top concern for organizations, understanding the current threat landscape is crucial. Tony Collings of the Cybersecurity and Infrastructure Security Agency (CISA), Renee Wynn, former CIO of National Aeronautics and Space Administration (NASA), and Tim Francis, Travelers Enterprise Cyber Lead, joined us to share insights into the latest cyber threats and essential practices that can help protect organizations’ networks, devices and valuable data.
Summary
What did we learn? Here are the top takeaways from Get Cyber Ready: Best Practices for Navigating Today’s Biggest Threats:
NASA’s experience with cybersecurity offers important lessons for organizations on Earth. “Even though space is really far away, it’s not too far for cybersecurity risks,” Wynn said. The National Aeronautics and Space Act of 1958 created the agency, which has contributed to everyday life on Earth in many ways, such as the cooling technology used in a wide array of applications from childbirth to drink tumblers, Wynn said. Along the way, the agency has been forced to grapple with an evolving landscape of cybersecurity risks, she said. NASA uses quantum-ready encryption for satellite communication, multifactor authentication (MFA) and monitoring to detect anomalous behaviors. “The integrity of data is key to discoveries made in space,” she said.
Updating your systems regularly can lower cybersecurity risks posed by outdated software. NASA has nearly 4,000 systems to keep updated, which is a major task, Wynn said. “With thousands of systems, we would be in patch mode for the systems we could patch almost every day,” she said, adding that updates get done after testing to avoid breaking a function associated with a mission or business area. However, many organizations have legacy systems that can’t be updated, requiring you to take other steps to mitigate risks, she said, citing NASA’s vulnerability management program, which started out tracking about 1.5 million vulnerabilities. “For large, complex global or off-the-globe systems, you must have a vulnerability management program,” she said.
Multifactor authentication can help keep bad actors from accessing your accounts. The 2024 Travelers Risk Index survey showed that 52% of small businesses are not yet using MFA, so getting this in place is key. “When we talk about MFA in cybersecurity, we talk about something you know – such as a password or a PIN – something you have, such as a code sent to you via text message or email, a phone call or a code on your app, and something you are, like a fingerprint,” Collings said. Using just a password and a PIN is not MFA, he said. “That’s two of the same factor. More and more, biometrics are coming into play,” he said, adding that it’s wise to check your state laws for privacy requirements around using and storing biometric data if you plan to go this route at your company.
Endpoint detection and response (EDR) offers a comprehensive and robust way to protect systems. EDR offers more protection than firewall or antivirus technology, which are focused on preventing known vulnerabilities or viruses, Francis said. “Traditional firewall and antivirus don’t do a great job of knowing what’s gotten through that wasn’t on the list of being disallowed in the first place – or understanding where vulnerabilities or malware might go once they get past that firewall,” he said. “EDR is a more comprehensive way to not only prevent a threat from entering the system in the first place, but to be able to contain it, track it and isolate it.” If malware does get through, EDR makes it easier for IT security experts to understand where the malware ended up and to keep it from spreading across the network, he added.
Having an incident response (IR) plan is an essential part of proactively managing cyber risks. An incident response plan is a documented plan to use in case of a successful cyberattack on your organization, Collings said. When creating an IR plan, involve your IT team as well as your legal team and public information officer if you have them in your company, he said. Having a plan can help your organization respond in an orderly way after an incident that could otherwise cause chaos and panic. “Don’t make the mistake of not having a plan,” he said, adding that a plan doesn’t need to be perfect, and you can always pivot, adjust and learn from mistakes. “Test the plan and then improve and update it after an incident,” he stressed.
Regularly backing up your data is a key component of cybersecurity. When making decisions about data backup, it’s important to consider factors such as sensitivity of data, confidentiality and privacy, as well as what data is most critical to your business and mission, Wynn said. “When you do a backup, there is a cost. So you really need to look at the system itself, the data and how much you need to do,” she said. For example: NASA did a backup of its financial system every night, Wynn said. “Others may be more frequent, others may be less, but it comes down to the importance and criticality of the data,” she said. The bottom line: “You’d better have your data backed up.”
The Cybersecurity and Infrastructure Security Agency offers an array of tools and resources for organizations. One of the key resources from CISA is a free cybersecurity assessment from a cybersecurity advisor (CSA), as well as more specialized help from experts such as emergency communication coordinators, protective security advisors and chemical security inspectors, Collings said. “All of these advisors are at no cost to you, and they are just waiting for a call to work with you,” he said, adding, “Don’t just think of them as a one-time thing. Build relationships. Partnerships are key.” CISA can also scan your public-facing IPs and web applications, which are being scanned by others multiple times a day whether you’re aware of it or not, he said. “The difference is, we’re the federal government, and we will scan them and send you the results of those scans,” he said, adding that your CSA can use the scan results to help you fix issues, weaknesses and misconfigurations in your cybersecurity.
Watch Webinar Replay
(DESCRIPTION)
A slideshow's title slide fills the display of a laptop sitting on a desk beside a mug with a Travelers logo: Wednesdays with Woodward (registered trademark) Webinar Series. Travelers Institute (registered trademark), Travelers. 15 years.
(SPEECH)
JESSICA KEARNEY: Good afternoon and thank you so much for joining us. I'm Jessica Kearney, Vice President here at the Travelers Institute. And I'm standing in for our host today, Joan Woodward.
Welcome to our webinar series, a series where we convene leading experts, thought leaders, to discuss issues at the intersection of business, insurance and public policy. As we lean on our background in risk management, we're going to help tackle some of today's biggest challenges in our personal and in our professional lives. We're so glad you're here.
Before we get started, I'd like to share a disclaimer about today's program.
(DESCRIPTION)
Slide: About Travelers Institute (registered trademark) Webinars. Text: The Wednesdays with Woodward (registered trademark) educational webinar series is presented by the Travelers Institute, the public policy division of Travelers. This program is offered for informational and educational purposes only. You should consult with your financial, legal, insurance or other advisors about any practices suggested by this program. Please note that this session is being recorded and may be used as Travelers deems appropriate.
(SPEECH)
And then right off the bat, as always-- much appreciation to our program partners who are joining us today--
(DESCRIPTION)
Slide: logos fill the bottom third of the slide, below text. Get Cyber Ready: Best Practices for Navigating Today's Biggest Threats.
(SPEECH)
TrustedChoice.com, the Master's in FinTech Program at the University of Connecticut School of Business, the Insurance Association of Connecticut, the Connecticut Business & Industry Association, the American Property Casualty Insurance Association, the National Association of Professional Insurance Agents, and MetroHartford Alliance. Thank you all for being part of our program today, and a special welcome to all of your members, students and guests. Thanks for being with us.
(DESCRIPTION)
Slide: A map, dotted with lights depicting the major United States cities sits beside a list of event dates. Text: Cyber: Prepare, Prevent, Mitigate, Restore (registered trademark). National Cybersecurity Education Tour Fall 2024. September 24, Washington, D.C., October 10, Irvine, California, October 30, Philadelphia, Pennsylvania. Register, travelers institute dot org.
(SPEECH)
October is Cybersecurity Awareness Month. So there is a lot going on right now in terms of cybersecurity. So if you’re looking to get your arms around this topic, this is a great time to do it.
We're very proud to say that since 2016, the Travelers Institute has hosted nearly 70 in-person and virtual programs to help business and public sector professionals become cyber ready. And this year is no different. Last week, Travelers released our annual Business Risk Index. And cyber risk reclaimed the top spot as the leading business concern. So we know this matters. And we know it's important to everyone right now.
So in fact, today's webinar is just one piece of our broader programming this month that we have planned all throughout Awareness Month in October. So more details about that are in your chat. Specifically, as you see here on screen, if you find yourself in Irvine, California, or if in the greater Philly area, we hope you'll join us for a cybersecurity education luncheon throughout the month of October.
(DESCRIPTION)
Slide, Speakers. Four headshots appear above biographical information. Text, from left to right. Jessica Kearney, Vice President, Public Policy, Travelers Institute, Travelers. Renee Wynn, former Chief Information Officer, National Aeronautics and Space Administration (NASA). Tony Collings, Cybersecurity State Coordinator for Illinois, Cybersecurity and Infrastructure Security Agency (CISA). Tim Francis, Enterprise Cyber Vice President, Travelers.
(SPEECH)
Today, we're going to discuss the current cyber threat landscape-- so what's happening out there today-- and, specifically and importantly, how organizations can proactively navigate all of those risks. But maybe what I'm most excited about is the who in this conversation, and you'll see those here on screen, and who's going to help share that advice over the next hour. So let me introduce our esteemed speakers.
First of all, we all know NASA, America's space agency. And today, we are lucky enough to have NASA's recently retired Chief Information Officer, Renee Wynn. So if you're like me and you're thinking, what does a day in the life of the CIO at NASA look like, well, we're about to find out. So hang in there with us.
In that role, Renee led collaboration on complex NASA mission programs to improve its global cybersecurity and to continuously transform its IT management. She oversaw an IT portfolio of more than $2 billion and provided IT services to more than 60,000 customers across the globe. Her tenure at NASA was the culmination of over 30 years of federal service, including at the Environmental Protection Agency, where she served as Deputy and Acting CIO.
Renee is going to kick us off with an opening presentation. And then following her, we're going to have Tony Collings, who works at the federal government's lead cyber agency, or CISA. Some of you may be familiar with CISA. It's the Cybersecurity and Infrastructure Security Agency.
Tony is the Cybersecurity State Coordinator for Illinois in Region 5, which means he offers cybersecurity assistance to critical infrastructure owners and operators all across his region. So we're going to learn more about that. Tony brings 39 years of information technology experience, including seven years in cybersecurity. So he's going to bring a wealth of knowledge there.
And then if that wasn't enough, we are beyond thrilled to have our very own Travelers' Tim Francis joining the program as well. Tim is Vice President Enterprise Cyber Lead here at the company. And he has oversight for our cyber product management, including our underwriting strategy and products for businesses of all sizes, public entities, tech firms, you name it. So he's been recognized as one of the industry's foremost experts on cybersecurity issues. And we're very lucky to have him as well.
So first up, I am so pleased to welcome Renee. Renee, the Zoom floor is yours. And thank you again.
(DESCRIPTION)
Slide. Text: Space -- it's not too far away for cybersecurity risks.
(SPEECH)
RENEE WYNN: Great. Hello, everybody. And good afternoon. So we do have to remind you that even though space is really far away, it is not too far for cybersecurity risks.
(DESCRIPTION)
Slide. An image of a satellite appears beside bulleted text, under a heading: Why? The National Aeronautics and Space Act of 1958 charged the new agency with conducting the aeronautical and space activities of the United States "so as to contribute materially to one or more of the following objectives:" The expansion of human knowledge of phenomena in the atmosphere and space; The improvement of the usefulness, performance, speed, safety, and efficiency of aeronautical and space vehicles; The development and operation of vehicles capable of carrying instruments, equipment, supplies and living organisms through space; The establishment of long-range studies of the potential benefits to be gained from, the opportunities for, and the problems involved in the utilization of aeronautical and space activities for peaceful and scientific purposes.
(SPEECH)
So I always like to begin with some grounding. A lot of folks know that NASA was created as part of the space race. There were a few more reasons that NASA was created for not only the benefit of the United States, but our international partners as well as across the globe. A lot of the technology that is developed in anticipation of needs in space travel is also put back into commercial use to advance across the globe for the benefit of humanity.
A quick example of that is childbirth, even here in this country, is still a risky proposition. There are cooling suits inside every astronaut when they go on a spacewalk or they're wearing their space uniforms themselves, their external go-outside gear, including when they're training in the pool. And that is-- they get very hot. Those cooling suits-- previous incarnations of that were used and shared across the globe, in particular in developing nations, where those suits, the cooling nature of that, were used to improve the survivability of both the mother and the child.
So that is just one example related to technology that has plowed into the general economy for the benefit of the humanity that lives here. Also, I would say, everybody, if you have your YETI cups or your Stanley cups, that cooling system that's there-- again, that was created through NASA, as well as the cameras on any phones that you might be using.
(DESCRIPTION)
Slide. An image of an astronaut in a space suit appears beside bulleted text, under a heading: Why, continued. The preservation of the role of the United States as a leader in aeronautical and space science and technology and in the application thereof to the conduct of peaceful activities within and outside the atmosphere. Sharing discoveries that have military value or significance, and the furnishing by such agencies, to the civilian agency established to direct and control nonmilitary aeronautical and space activities, of information as to discoveries which have value or significance to that agency; Cooperation by the United States with other nations and groups of nations in work done pursuant to this Act and in the peaceful application of the results, thereof; and the most effective utilization of the scientific and engineering resources of the United States, with close cooperation among all interested agencies of the United States in order to avoid unnecessary duplication of effort, facilities, and equipment.
(SPEECH)
There are some key pieces that I wanted to point out here. And that is that-- not only the value to economics and survivability of humans, but also military value-- we also took a look at the safety in aviation. Airplanes now fly closer. Sustainability-- the airplanes have those tipped up wings. That is intended to save fuel when flying across-- around the globe.
And I think finally, what I wanted to point out is that in peaceful operations of space, space is now incredibly contested. But also, the international exchange of information that is found out from space as well as the inventions created to explore space further--
(DESCRIPTION)
Slide, Role of the NASA CIO. Text. Plays a vital role in ensuring NASA’s I.T. resources are managed effectively and securely to support its mission of space exploration, scientific discovery, and aeronautics research. Example areas: I.T. Strategy; I.T. Governance; Cybersecurity, including Cyber Supply Chain Risk Management; I.T. and Cybersecurity Operations, including International Space Station; Innovation and Emerging Technologies; I.T. and Cyber Workforce Development
(SPEECH)
So people say, the NASA CIO-- what does that really mean? And the first part is that I was the NASA CIO for all of NASA. So the centers that you may have heard about-- Johnson Space Center, Kennedy Space Center-- encourage you to go visit the visitor centers, especially at those two-- those CIOs that were at the center all reported to me as well as all of their staff. So it was about 700 to 1,000 people because that includes the contractors.
Generally, my role was really quite simple, but rather hard to deliver. And that is to allow for the delivery of NASA's mission in our space, science and aviation areas, and included IT strategy, IT governance, cybersecurity, which also includes the cybersecurity check of supply chain-- of our supply chain. And this looks at hardware and software-- in particular, who's funding the hardware and software development, where the code may have been developed and what precautions, additional precautions, might be needed in order to protect the enterprise.
And finally, yes, there really is a preferred do not buy from particular vendors in nations that are considered hostile to the United States. So we would have to look at that before we could say yes to software and hardware.
Give you a sense of the hardware purchases at NASA-- the mobile launch unit-- so if you've ever watched any launches out of the Kennedy Space Center, you have seen this mobile launch unit. And that has 400,000 sensors on it. So that just gives you a little, tiny-- one piece of equipment, complex piece of equipment-- gives you a sense of the type of IT and the amount of IT, hardware, software, sensors and certainly a few rocket engines, that NASA purchases.
Also, I ran cybersecurity both across the globe as well as off the globe. Cybersecurity, as well as IT management, by law, were my responsibility. So that also meant that I would go to Congress to testify, which I did four times.
We brought innovation and emerging technologies solely for the use of enabling mission. This is separate from emerging technologies used for space exploration, aerospace, like hypersonics and things like that. And then, obviously, we can't do anything without our people being prepared as well as recruitment. And that was my responsibility as well.
(DESCRIPTION)
Slide, NASA Has Two Logos. An image labeled "The Meatball" depicts the word NASA in block text inside a blue circle decorated with stars and a comet. An image labeled "The Worm" depicts the four letters of NASA, each letter formed in unbroken, curved red text, with no horizontal dash in either "A."
(SPEECH)
So NASA-- surprise, surprise-- now has two logos. And I always like to tell people this because you're going to see these on the rockets. While I was at NASA from my start until just before I left, the meatball over here on the meatball, as it's labeled-- that was the sole logo. But a couple of years into my tenure at NASA, we decided that the debate was way too strong versus the worm, which was one of the earlier ones, versus the meatball.
So both were brought back. And if you look at any launch vehicles, you'll see one or both of them on the vehicle. You'll see a preferred-- employees, civil servants-- which ones they like to use. I like the blue one. I look better in blue than, necessarily, red.
So I always chose the meatball as my pin whenever I wore it. Actually, I wore it every time I traveled because at NASA, we were considered ambassadors for the United States federal government as well as for NASA itself. So I would travel with coloring books, pens, pins, and pencils and patches and stickers, a lot of stickers, to give out to the public. And we would also leave time when we're at the airport because that happened quite a bit. We'd get to talk to the public about what's going on at NASA and some of our newer features-- our newer launches. Next.
(DESCRIPTION)
Slide. An image depicts a satellite hovering above a rocky expanse in the blackness of outer space. Text: Pathfinder to Space Mining, OSIRIS-Rex, Asteroid Sample Return.
(SPEECH)
So, I did want to begin also, before we get into the cybersecurity part of space-- is just bring to your attention to me a very cool pathfinder to space mining, which has already happened. Both Japan and the United States have successfully had a mission where we landed a robot from a satellite onto an asteroid, collected a sample and returned that sample back to this great Earth.
And just as a reminder for folks, an asteroid travels up to 17,000 miles per hour. So that robot landed on that wonderful asteroid, opened up, collected the sample. If any of you followed OSIRIS-REx, you will probably remember that the little door for the sample had a hard time closing. But we did get that closed. Both those samples have been returned to the Earth.
Japan has provided the United States with a piece of their asteroid that they recovered. NASA's asteroid is held at the moon rock library at the Johnson Space Center. And I have been in that moon rock library.
And while it's very cool to be able to hold with protective gear moon rocks and other space materials, I thought the coolest thing was the fact that they labeled their trash can a lunar trash can. And that's because people would go dumpster diving. So they needed to know what trash was from some of the materials that were returned from space. And then they would surreptitiously throw that away in a safe manner.
(DESCRIPTION)
Slide. Images depict a woman holding a cell phone, a television in a living room, a car's GPS system, a cell display reading "Online Dating," and a reporter wearing a protective suit at a biohazard site. Text: Satellites in our daily lives.
(SPEECH)
So satellites-- every single day, satellites play in our lives. The first one is our weather. I'm here in the Washington, D.C., area, where it's been raining. So I haven't really had to look at the weather all that often because I knew it was going to be raining for several weeks.
If you watch television sports, the latest hurricane that happened, satellites are used to broadcast across the world. And then, of course, there's our GPS when we go from one place to another place. And we use the GPS satellites for that. And speaking of place and location, even online dating apps provide you access to space assets.
(DESCRIPTION)
Slide. An image connects a floating satellite to dishes, labeled "Uplink and Downlink." Two people sitting at laptops are connected to other computers, labeled "Data Moving Through Internet." Text: simple diagram of satellite communication.
(SPEECH)
So here is a simple diagram of satellite communications just in case there are any of you that come from the space arena or domain in that or worked in space at all. I want to make sure you know this is a simplification to make the point of what are the main attack vectors that we are seeing with satellite communication and cybersecurity. So the first one is just straight uplink and downlink-- that is, sending the commands up to space, bringing the data down from space. If that line is not encrypted, it's actually pretty easy to get into.
Now, I say pretty easy. You will have to have a significant investment of resources to do it. So it's not quite as common as you see with typical hacks into computer systems. But it is a hack, just the same.
(DESCRIPTION)
The next slide briefly flashes.
(SPEECH)
And now we're going to slide over to there's always insider-- we could go back to the diagram, please. We're going to go over to what is insider threat. You'll see the two workers there. We do have to be very careful who is running the commands associated with the satellite. And we do have to make sure that individuals are cleared with at least a minimal background investigation so that nobody goes into these locked areas that can command satellites and does something nefarious with that.
But moving data is also an opportunity for a cybersecurity incident-- one, just back and forth from the cloud operations. Some of the space systems are shifting to cloud use-- I think it's kind of funny since they operate above the clouds in that.
And there's also traversing the internet. And those are opportunities to-- for a breach for stolen data or to change the data, which would be pretty bad, especially so many scientists' entire careers are built on space discoveries. And the integrity of that data is key to the discoveries that we make with-- in space.
(DESCRIPTION)
Slide, What's Being Done? Four icons are labeled with text. Encrypting communication with satellites, monitoring to detect anomalous behaviors, multifactor authentication, developing satellites so they are more secure and can get software updates.
(SPEECH)
So moving on from our places to do this-- but what would be a problem without a potential solution? As I've already mentioned, encrypting communication with satellites. And here, too, with the quantum-ready encryption-- as we are now encouraging folks to be thinking about using quantum-ready encryption, there are a couple of algorithms available to use for those highly sensitive areas, such as the military for the United States. We're encouraging the changeover of that encryption into quantum-ready encryption.
There's always monitoring to detect anomalous behaviors. Space assets or satellites are monitored on a regular basis for anomalous behaviors. The Voyager, which stopped sending back this summer-- once again, that was an anomaly. That was a detection-- is that we're not getting any information or the information was gibberish. And so that's anomalous.
And so it allowed NASA to take action. And then actually, thankfully, they were able to reestablish the connection and bring down data that we could actually use. But that monitoring is also used for cybersecurity to see that-- if what's happening is intended. And if it's not, in addition to investigating perhaps a problem with the satellite, we also investigate now for a cybersecurity incident.
My personal favorite is multifactor authentication. And the final thing is we are developing satellites where you can do software updates. A lot of the-- I mentioned Voyager out there. We cannot update that-- the software in that satellite. But some of the newer satellites are being developed to allow for software updates in case we see something that is cyber-oriented or just need to do an update for the sensors that are collecting scientific data in space.
(DESCRIPTION)
Slide: Thank you. Text: Renee Wynn. Renee dot P dot Wynn at outlook dot com.
(SPEECH)
And with that, let me turn it over to Tony Collings.
(DESCRIPTION)
Slide. Wednesdays with Woodward, CISA, Cybersecurity and Infrastructure Security Agency.
(SPEECH)
TONY COLLINGS: Thanks, Renee. Good morning and good afternoon to everyone. It's great to be with you today.
(DESCRIPTION)
Slide, Threat Landscape, Overview, with two categories of bulleted text. First, Opportunistic/Low-Hanging Fruit. Ransomware most impactful; Phishing/Spear Phishing (credential harvesting attempts); Malspam (emails with malware-laden attachments or links); Exploitation of exposed or vulnerable ports and services. Second, Nation-States or Supporting Groups. Disruptive operations (e.g., DDoS); Destructive operations (e.g., Wipers); Supply chain compromises (e.g., SolarWinds); Information gathering; Malign influence.
(SPEECH)
I would like to start my presentation today with a little brief on the threat landscape. The threats are broken into two groups, the opportunistic groups and the nation-states or supporting groups.
So right there at the top, it's no surprise-- ransomware. It's been around for a while. And it's not going anywhere anytime soon. The one thing I wanted to share with you on ransomware-- there's been a slight pivot in the ransomware attacks.
Traditionally, it was the bad actors looking for big payouts on ransomware. And recently, they've switched to targeting organizations-- hopefully, that the organization has cybersecurity insurance. And then they can leverage that cybersecurity insurance.
So organizations who maybe not-- maybe don't have access to resources to set up a strong defense against ransomware or maybe aren't prepared for a ransomware attack-- so if they can get many smaller attacks against organizations that are willing to-- have bought cybersecurity insurance and willing to pay that ransom, it's a bigger profit for them in the long run. So if you're ever wondering, are you possibly a target for a ransomware attack, I think I just answered that question. So it's important that we're all aware of this and we actually prepare for it.
Phishing is still the No. 1 attack vector. It's been around forever. I don't anticipate it going anywhere anytime soon. It's just easy. And it still works. It's still very effective.
Malspam, a new word for an old attack-- this is where they send you a link or an attachment trying to get you to download something or go somewhere and give up some information. And then the exploitation of exposed vulnerable ports and services-- your IPs that are connected to the internet, your websites that are connected to the internet.
On the nation-state side, disruptive operations-- yes, DDoS attacks are coming back. Destructive operations, wipers-- we're seeing a lot of activity on that. And they basically do just what you would think they would do, wipe out the environment-- the computers, the servers, the-- whatever they can get access to. They wipe them out.
Supply chain compromise-- this is a hard one for most organizations to deal with because these are the people you trust. These are the people, the tools that you use. We need to make sure that our suppliers are doing their due diligence in cybersecurity around their environments and the products that they supply to us. And then malign influence--
(DESCRIPTION)
Slide, Cyber Threat Landscape, Phishing. An image of a slashed out QR code appears beside two categories of text. First, Phishing, Use ongoing crises or seasonal events; Spear Phishing, Vishing, Smishing, Quishing, etc.; Business email compromise (BEC). Second, Cyber Threat Actors are always adapting. Use of QR codes to bypass email phishing protections and email security tools; Use of OneNote files starting in 2023.
(SPEECH)
I want to talk a little bit more about phishing. We typically see an increase in phishing during seasonal events. We've got a couple of holidays coming up. We've got an election coming up. And we've got some conflicts going on in the world.
So we usually see increased phishing looking for, hey, can you give us money for this, or hey, here's a great opportunity for you. So again, advice on phishing-- they are typically looking for a reaction from you. Hurry up and do this. This is important. We're going to shut off something if you don't do this.
Put those aside. We probably all get a lot of emails every day. Put those aside. Go back to them and act on them, if they need to be acted on, when you have time to think about it. Don't be reactive. That's the key for them-- they get you emotionally invested or add an urgency to the whole thing. And boom, away we go.
Business email compromise-- still on the increase. An example of business email compromise-- this was one I just found in researching. I really liked this one. My boss sends me an email that says, hey, Tony, Christmas is coming up, go out and buy gift cards for all our employees. Go out and buy 500 gift cards to whatever your favorite store is.
Then they come back with another email to me and say, hey, since everybody is working part-time remote, we have a lot of remote people, let's save on the mailing costs of sending these gift cards out and just give me all the codes for all the gift cards, and I'll email them to everybody. Well, what if it's not really Tony's boss that's asking for this? I bought the gift cards. And now I've sent the bad actor all the codes for the gift cards. That's gone.
So situations that are a little out of the normal for your business, your organization-- think twice about those. And it never hurts to pick up the phone and call somebody. If you're calling a vendor that has a new billing address or a new bank routing code, call them on a number that you know.
Talk to people that you do business with. Don't just assume the phone number of the person in the email, or the routing number in the email, is now correct. So just use common sense. Double-check on that.
One of the newest things, and it's exciting for people in the cybersecurity world because we got to make up a new word-- quishing-- so using QR codes to do phishing. So the new word is quishing.
Be cautious about this. My advice for this-- if you scan a QR code that wants you to log into something-- I'm at a restaurant. I scan a QR code for a menu. And boom, it wants me to log in to a site or my bank account. Use common sense when you're scanning QR codes.
(DESCRIPTION)
Slide, State Sponsored Threats, Volt Typhoon Activity. Bulleted text. Volt Typhoon is a People’s Republic of China (PRC) state-sponsored cyber group. Confirmed to have compromised multiple critical infrastructure organizations in the United States and its territories. Primarily in Communications, Energy, Transportation Systems, and Water and Wastewater sectors; Prepositioning for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.
(SPEECH)
On the nation-state-sponsored side, Volt Typhoon is a new nation-state-sponsored cyber actor, cyber group, sponsored by the People's Republic of China. We have confirmed compromises of critical infrastructure. This is a big deal. We, as a nation, need to be aware of this and be prepared for this.
They're primarily focusing on communications, energy, transportation, and water and wastewater. So if you're in one of those critical infrastructure sectors, be sure to read about this and get prepared for it. What we see is typically pre-positioning-- getting into your environments, trying to stay in your environments without being detected so that, in case they need to, they can disrupt our critical infrastructure or do, basically, destructive cybersecurity attacks against our critical infrastructure.
(DESCRIPTION)
Slide, Volt Typhoon, Alert Code AA23-144A. Release date, May 24, 2023. Joint Cybersecurity Advisory. A series of logos sits above text and a link. Logos: NSA, CISA, FBI, Australian Government, Australian Cyber Security Centre, Canadian Centre for Cyber Security, National Cyber Security Centre (part of the GCSB), National Cyber Security Centre (part of GCHQ). Text: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Link: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
(SPEECH)
This slide shows all the different governments that worked together to release this cybersecurity advisory. There's a link there at the bottom. It's a good read. And I encourage everyone to take a look at it.
(DESCRIPTION)
The speaker video fills the screen.
(SPEECH)
So this month, as mentioned previously, is October, Cybersecurity Awareness Month. This marks our nation's 21st Cybersecurity Awareness Month at CISA. And there will be a link in the deck as well.
We are all in on cybersecurity. We have a program that we started last year.
(DESCRIPTION)
An animated image of two people standing beside technology, playing instruments. Text: We can secure our world. Link: https://youtu.be/kWJA_TMG7ZM
(SPEECH)
This is one of my favorite things. It's really catchy. It's really good. If you have young people that are just starting to join the cybersecurity world with their new device or you have parents, grandparents, people like me getting up in their years, this is a great tool to share with them. We basically talk about four things that you can do to be proactive in cybersecurity.
Next, please.
(DESCRIPTION)
Slide: Secure Our World, Cyber Hygiene. Text: Install Updates (Security Patches); Make Better Passwords (Longer is better); Think before you click (Security Awareness Training); Use multiple factors (Multifactor Authentication, MFA).
(SPEECH)
Install updates. Make better passwords. Think before you click. And use multiple factors.
(DESCRIPTION)
Slide: CISA logo.
(SPEECH)
Jessica, I'll turn it back to you.
(DESCRIPTION)
The speaker videos fill the screen.
(SPEECH)
JESSICA KEARNEY: Great. Thank you so much, Renee and Tony. Those were just fascinating and a great way to tee up this conversation, everything from phishing and MFA to supplier due diligence. And I'm learning some new words with quishing as well. So that's all good.
I want to start off just quickly bringing it back to Renee. And then, Tim, I want to give you a few minutes just on an open here. But Renee, we talked about your leadership at NASA. And you shared, gosh, those just incredible stories about cooling suits and stainless-steel cups and all of the innovation.
Could you just take a minute? For most of us, NASA is a thing of fairy tales or even science fiction. But in a leadership role, and particularly with this topic of information security and information technology, can you just spend maybe a minute reflecting on some of the main accomplishments and maybe how they might tie into our conversation today?
RENEE WYNN: Yeah. So there are two. The first one was a fateful day when a representative from the White House came over to NASA to visit with the then NASA administrator, myself and our CISO to basically tell us that our cybersecurity posture was nonexistent and a threat to national security. And I had been on the job just a couple of months. And my boss at the time, the amazing Charlie Bolden, who I still get the opportunity to work with, looked at me across the table and said, Renee, just go make that happen.
And what does one say to your boss? You say, sure, we'll go make that happen. And I was there with my CISO. We walked out of the office and went, oh my gosh, what are we going to do?
We were already in a position to start to understand the lack of our posture. That was one of the early things that I did upon getting to NASA-- was start to get that assessment done so we would know what to do. The good news is there's a lot of white space-- so lots of opportunity.
So that was the beginning of my time at NASA. At the tail end of my time at NASA, I was sitting in one of my last overview meetings. It was actually at the commercial crew meeting before the launch of both the SpaceX and the Boeing options for the United States to be able to launch astronauts to the International Space Station. When the shuttle program was ended in 2013, in that time frame, NASA was buying seats on the Soyuz, which is out of Russia, Kazakhstan in particular.
So for years, we could not launch humans out of the United States. So I sat in on that one last meeting. And the Astronaut Office is present at those meetings, not always at meetings. And one of the female astronauts pulled me aside at the end of the meeting and said, Renee, on behalf of the astronauts, we want to thank you for your work at NASA, especially in cybersecurity, because we know that our safety when we are on the International Space Station is a cybersecurity issue. And I really want to thank you for investing in that and in astronaut safety.
So it was very touching. And it was a very interesting bookend, given the dumb, ugly and stupid conversation I had at the beginning, to thanks for what you did in your tenure at NASA.
JESSICA KEARNEY: That's amazing and, I think, really speaks to the progress. And I think that that sentiment that you described in that first story of just having a blank slate and trying to make something happen-- I'm sure that many of the folks in our audience today might be familiar with that feeling and trying to really get their arms around this topic and learn some of those things for today.
So I just want to follow up there. You had to deal with so many complexities when it comes to IT management and cybersecurity and, as you mentioned, managing cybersecurity literally thousands and thousands of miles away.
What are some of the things-- and I know Tony started getting us into some of the best practices. But what are some of the things that you think are somewhat universal, that you were doing on this huge, global, and beyond-global scale, that might also be the bedrock of what we're hoping to talk to folks about today to help them in their own organizations?
RENEE WYNN: So Jessica and everybody in the audience, the first part is educating people. Actually, cybersecurity is a human issue, not a technical issue. It is humans trying to steal your data. Really, yes. I know they use bots and AIs in that. But it begins with somebody deciding they want to steal or ransomware or gain money. Fame, fortune and fun are the three drivers for cybersecurity incidents. And it doesn't necessarily mean that they're mutually exclusive.
So educating people on the risks that they face in their mission or their business-- the top one, regardless of what you do, is financial. There's reputational. Can you imagine had there been a significant issue that affected NASA? That would have been a pretty big black eye for NASA with respect to a cybersecurity incident.
And then, of course, there's your strategic risk and your program risks associated with it. And that is, can you deliver what you want to deliver, whether it's a business or whether it's delivering a satellite safely into space or constellation of satellites? That is the same, educating people on what the risks are and then helping them mitigate those risks-- or in some cases, all we could do is watch those risks, which gets to the next thing.
How do you get to educate people? Everyone always says to me, data, data, data. I worked in a very data-intensive agency. Fifty-plus terabytes of data came down from space every day the year I left NASA. And we've launched more complex systems since, which means there's way more data coming from space. They didn't want data. They wanted stories. They wanted their hearts to be pulled on. And then you talk to them with their brains.
So it's hearts over minds. And I've also gotten into talking to folks about useful fiction. Science fiction helps us explore space. That same useful science fiction can have us talk about the true risks associated with cybersecurity because it's a failure of imagination when you sit back and think, that's never going to happen, and it does.
And then the final thing to close out-- and again, NASA didn't own these things-- never let a crisis go to waste. If you've got to hit the hurry up button because there's a crisis associated with cybersecurity or IT itself, look back at your list of things you want to get done and see if you can't slide in a few more things associated with that. And so that would be my advice.
JESSICA KEARNEY: I love it. That's super practical. And I think the educating people and the hearts and minds and the storytelling-- you're right, not the first thing that might come to mind when you think cybersecurity, but so important. And I think we probably all experienced in crisis comes opportunity. So that's a really great thing to keep in mind.
Tony, I want to bring you in, too, as well, because I know that one thing-- so we're all over the country, hosting in-person cybersecurity education programs. And we always have a representative from CISA. And our audiences are always just fascinated to learn about all the resources that you offer. So as we're thinking about this from the practical lens, can you talk a little bit about maybe some of the resources that your organization offers to the public and maybe some of the similarities with some of the ideas that Renee just expressed?
TONY COLLINGS: Sure. Great. So I agree with Renee 100%. So we need to look at cybersecurity from-- with a risk lens on. We started cybersecurity out of IT. We like to throw technology at cybersecurity. But we need to do a better job and focus more on the risk.
One of the things, and I think it's a key resource that CISA can offer to organizations, is our advisors. So we have Cyber Security Advisors. We have Protective Security Advisors. We have Emergency Communication Coordinators. And we have Chemical Security Inspectors if you're an organization that has large stores of chemicals.
All these advisors are at no cost to you. I like to use the term "prepaid." And they are just waiting for a call to work with you. And don't just think of them as a one-time thing. Hey, I can come get advice and then I never want to work with them. Build relationships. Build these partnerships. These are key.
Most people don't need a full-time cybersecurity advisor, to go out and hire a cybersecurity advisor. But leveraging these prepaid resources for your organization to get that advice, to help educate you in the best practices for cybersecurity for your organization-- currently, we have 150 Cyber Security Advisors like myself across the country. So there are lots of resources. All you have to do is make that call and make that contact. I'm sure they'll be happy to help you.
We also offer scanning services. So you are probably, whether you're aware of it or not, being scanned. Your external IPs, your public-facing IPs, how you connect to the internet, and your public-facing web applications are being scanned all day, every day, multiple times. The difference is that we are the federal government. We will scan you. And we will send you the results of those scans.
In addition to that, your Cyber Security Advisors that you've already contacted and are working with can help you understand the results of those scans and help you to fix or address the issues, the weaknesses, the misconfigurations, whatever it may be to give you a more secure cybersecurity public-facing posture.
One of the other things that I really like that CISA does is cybersecurity assessments. How do you improve cybersecurity? Where do I start? You do an assessment. You start where you are. Find out where you are. And then you can put together a plan to improve your cybersecurity, again, based on risk.
So we have several different types of cybersecurity assessments. Your CSAs that you're working with now can help you pick the best cybersecurity assessment for your organization. One of my favorites is our new cross-sector Cyber Performance Goals. We call them the CPGs. This is a great place to start. The intent of the CPGs is to set a baseline of security practices for everyone in our nation.
If you're a K-12, if you're a major manufacturer, if you're a small business, if you're IT, operational technology, manufacturing, it works for everybody. These are the basic practices we believe set a baseline to move forward from. We believe everybody should be doing these things.
Again, work with your Cyber Security Advisors. They can help you with all this, plus doing an assessment helps start to build that relationship. You build a little trust in us. And we understand your needs and can help you move forward. All of these are available at no cost to you, prepaid.
Your CSA can help you connect with the other-- the Protective Security Advisors, the Emergency Communication Advisors, the Chemical Advisors-- or Chemical Inspectors. So leverage those CSAs. That's what they're there for.
JESSICA KEARNEY: Great. So CSAs, Cybersecurity Advisors-- you have them in regions, CISA regions, all over the country. We went ahead and we dropped a link in the chat for all the members of our audience so you can access CISA's website and find some of those local and prepaid resources in the area near you. Thank you for that, Tony.
And Tim, I'd love to just invite you to maybe comment on the conversation so far. I know we've gotten some assessment of the current threat landscape. We've gotten a little bit into some of what do you do about it. Where do you see us today? And just get into the conversation here.
TIM FRANCIS: I think it's great to have representatives from CISA and NASA and think about the cybersecurity ecosystem, because it ranges from literally Renee talking about things that are taking place off the planet to Tony talking about things with critical infrastructure. And a lot of our customers-- while they might fit within critical infrastructure or other industry groups, really, we're talking about mom-and-pop organizations across all industries, small, midsize and larger corporations that maybe don't necessarily have the same complexity, certainly, as NASA or aren't being targeted by Volt Typhoon, but yet they face cybersecurity issues.
And you mentioned at the top the Business Risk Index. We serve lots of companies, not necessarily Travelers policyholders, but just lots of companies across many different industry verticals. Routinely over the years, they've indicated that cybersecurity issues are the top concern. And this year, again, it was the No. 1 concern.
And that's amongst choices of economic conditions, the economy, health care costs, employee retention, all of the things that you would expect a company to worry about. The No. 1 concern is cybersecurity. And unfortunately, I think from hearing Tony and Renee, you can understand why, because if NASA has concerns about security and CISA does, organizations that are just trying to make widgets and sell them and keep the lights on probably don't have the resources to pull on. And so it's important to understand cybersecurity from that level.
JESSICA KEARNEY: That's great. That's great. I want to go ahead and jump right into-- so we have these five-- if you don't do anything else, you have to do these best practices things that we like to talk about with a lot of our audiences across the country, things that everyone can learn a little bit more about. We talked about the education.
So let's start with practice No. 1, which is multifactor authentication. And Renee, I think this might have been-- you said this might have been your favorite. Tony, can you tell us what multifactor authentication is and maybe how effective it is in helping organizations protect against cyber threats?
TONY COLLINGS: Sure. So when we use the word multifactor authentication, let me back up a little bit. So the factor part of multifactor authentication refers to methods of authenticating.
Traditionally, when we talk about that in cybersecurity, we talk about something you know-- a password, a PIN, something you have, a code sent to you via text message, an email, a phone call, a code on your app. So you get that code. And then you put in your password or your PIN. And then you get the code. And then you follow that up by entering the code to get into your system and/or something you are-- so a fingerprint, a thumbprint, facial recognition.
I want to caution you there. If your organization is using or storing the results of the biometrics-- thumbprint, fingerprint-- check with your state laws because there are privacy issues around that. So just do some due diligence ahead of that. But basically, when we're looking at multifactor, if you're using a PIN and a password, that's not multifactor. That's two of the same factor, something I know.
So you want to use one of each, or one of the first two, typically. But more and more, biometrics are coming into play-- so at least two of these different factors. So that makes it harder-- so they can guess your password. But do they have your phone that that code is going to be sent to?
So it just makes it harder. People are people. We click on a link. We put in our user ID and password because whatever the vendor is, it's going to update your software for you. It still happens all the time. And you're like, I shouldn't have done that. But you have multifactor on-- they don't get that factor and you have another chance to correct and go and change your password.
JESSICA KEARNEY: That's great. And I'm sure many of us are familiar with this with our banking institutions and that type of thing. And I know our Business Risk Index actually surveyed-- so for example, in the health care industry of those surveyed, 44% were saying that they didn't use multifactor authentication. Fifty-two percent of small businesses in the survey reported they weren't using it as well. So there's definitely still room to make up in that area. Let's jump-- go ahead. Go ahead.
TONY COLLINGS: I was going to say real quick-- and Jessica, for your audience, do not be afraid to push your banks, your financial institutions, to implement good multifactor authentication. It's your data. So be proactive in that as well.
JESSICA KEARNEY: That's great. Let's move on to No. 2. And Renee, I'm going to go to you on this one. Updating your systems seems like a relatively simple thing. And I'd be curious about the experience on that really large scale at NASA. But what are the risks of running outdated software, essentially? When you get those little notifications, again, it seems like something that's so simple. But why is that so critically important?
RENEE WYNN: Thank you, Jessica. I want to go back to the multifactor authentication. We'll go back to a fairy tale, Prince Charming in Cinderella. She had the foot. He had the shoe. They put them together to make a match. So it was something she had and something he had, put together. So sometimes you have to get really-- I love to tell people stories about how to do that.
So patching systems-- so when we were at NASA-- gosh, probably nearly 4,000 systems at NASA. And we created some of the software. In fact, NASA actually helped create the internet. And I'm not kidding, because NASA is still an E-root provider for the internet itself.
So with thousands of systems, we would be in patch mode for those systems we could patch, pretty much every day. Why is that the case? Well, one is-- let me take what I call our legacy systems that are good legacy systems. These are the ones operating flying assets. There's no way we could change the operating system with it. And yes, some of them are XP from Microsoft.
So we took other mitigation strategies and put them in place. So the systems that would touch space assets are always behind a locked door with limited access. Even I didn't have access to any of the data centers or any of the mission control centers. It was on a you-need-to-have-it basis. And if there was an emergency-- very easy procedures to allow for access ahead of time.
So let's put those systems over to the side because many companies, especially with operating technology, have these legacy systems. And you can't do updates associated with them. So let's push them over here.
Then there's a series of systems that can have updates. And you do those updates after testing and making sure you don't break a function associated with a mission or business area. And so that's why it would be every single day. And that's why we also established a vulnerability management program.
So we were tracking-- when we started tracking, we were well over a million, probably over 1.5 million, vulnerabilities that we were tracking. And we would continue to track them with different buckets associated with them.
So if you had a system and you needed two months to test, then you had to put other mitigation strategies in place until you could get the update done. And then we would track actually getting that finished.
There's also a set of systems in NASA which go on what's called a freeze, especially the mission control centers. And that is-- it could be a two-year freeze. They freeze a lot of the human launch systems. They say, this is how it is. This is how we tested. This is how we train our operators. And that's it.
So what they do is they begin the process of deploying in their test environment what works, what's not working. So when a system comes out of a freeze, they can then apply all the things that need to happen, not just the patches associated with it.
So for large, complex global or off-the-globe systems, you must have a vulnerability management program and be prepared to track things, as well as being able to say, we can't do anything, and these are the mitigation strategies that we put into place in order to address it.
JESSICA KEARNEY: That's great-- thank you-- and such a well-rounded view of that topic. I'm going to move right along here to practice No. 3, which is endpoint detection and response. And Tim, I'm going to go to you on this one. I think for folks who maybe aren't as close to cybersecurity, this is the one that might be a little bit-- need a little bit more explaining. Can you explain to us what EDR is, how we use it and why it's important?
TIM FRANCIS: Sure. And I'll try to keep a compressed version so we can get to all of them. And so if we don't get to everything, go to some of the CISA sources and get more information-- or some of the Travelers Institute hub.
So I think as we're thinking about EDR and maybe EDR in comparison to traditional firewall or antivirus technology, those are more technologies that are meant to prevent certain things from getting into the system. But often, they're focused on known vulnerabilities or known viruses. And they can do a good job of preventing those. But traditional firewall and antivirus doesn't do a great job of knowing what's gotten through that wasn't on their list of getting-- being disallowed in the first place or understanding where vulnerabilities or malware might go once it's past that firewall.
So EDR is a more comprehensive way to not only prevent things from entering the system in the first place, but being able to contain it, track it and isolate it so that if something does get through, it's easier for the IT security experts to keep it from spreading more laterally across the network or understanding where the malware ended up and which systems and data pieces that it might have seen and keeping it from spreading.
JESSICA KEARNEY: That's great. Thank you. Practice No. 4-- have an incident response plan. Tony, can you talk a little bit about what an incident response plan is and maybe who should be involved in developing one?
TONY COLLINGS: Sure. So real quick, an incident response plan is a documented plan that we use if the attack on us is successful. So who should be involved? Of course, your IT team. But don't forget about if you have access to a legal team and if you have access to a public information officer or a group like that who are trained to talk to the public.
So when you have an incident, people lose it. And everybody's trying to figure out what's going on. Don't make the mistake of not having a plan. If we have a plan, we follow the plan. It may not address everything. We may have to pivot, change, adjust the plan. But start with a plan, a documented plan.
And test your plans. We have several scenarios that you can download from the CISA site that you can sit and walk through a tabletop exercise. Your CSAs, your Cyber Security Advisors, can help you with that as well.
So have a plan. Know what you're going to do. Don't overthink the plan. Test the plan. And then improve the plan. After an incident, what worked well? What didn't work well? Update your plan.
JESSICA KEARNEY: Thank you, Tony. I'm going to move right on to practice 5. And Renee, I'll pull you in on this one. So regularly backing up your data-- can you talk about that?
RENEE WYNN: So to start from the top, what is cybersecurity, the basics of what it is? Of your data, it's the confidentiality, the integrity and the accessibility of your data-- seems rather simple. But that's what it really is all about.
And so depending upon the sensitivity of the data, the amount of confidentiality-- both of our presenters, Tony and Tim, have mentioned privacy in that-- what are the frequencies of data changes? And then what is most critical to business and mission, because when you do a backup, it is a cost.
So you have to lay out-- let's just take the NASA financial system, where there's all sorts of financial data moving on a regular basis every single day, from simply paying me to travel-- and by the way, when astronauts leave, they do actually have a travel authorization because they are federal employees. And they get reimbursed, sort of. NASA provides their flight. And they provide their food. So it's probably just incidentals that they might need along the way, although there's no place to get those incidentals except from NASA.
So you just really need to take a look at the system itself, the data, how much you need to do. And our backups on our financial system were every single night. Others may be more frequent. Others may be later.
But it comes down to the importance, criticality of the data to the element of the mission or business and that business element back to the larger enterprise. And then you have to take a look at it.
But you better have your data backed up because if someone locks up your system, it's probably better that you don't pay, but you just go ahead and say, great. And then you dump the container. And you just refill the container for the last place that you were.
JESSICA KEARNEY: Yes. That is a very handy backup to have in one of those high-pressure situations. I want to turn to some audience questions. We're getting a number of questions coming in. This one's coming from Chris. How is a cyber incident handled if a client is using a third-party vendor as part of their IT management? I don't know if Tim or Tony-- you can comment.
TIM FRANCIS: Sure, I'll start. And I think that's often an issue that comes up. And I think probably on the-- before it happens, understanding what does the contract say, what does the contract allow between the different-- the principal parties-- so that's No. 1.
No. 2, though-- I think we've seen situations wherein that coordination is-- you need that service provider to be responsive. You need to understand where the data is. You need to also understand whether or not they were part of the problem in the first place. So that complexity may create a conflict and create a tension.
But it's also important to understand that vendors are part of the cybersecurity ecosystem. And while it adds complexity, they're often adding a lot of value in that security. So I think that it's right and good that vendors are being used and service providers are being used. You just need to understand and prepare for, when you're looking at an incident response plan, well, how is that plan affected and changed because it's a third party rather than something that's completely comprised of in-house resources?
JESSICA KEARNEY: And similar, we're getting a question on supply chain. And I know, Renee, you talked a little bit about that in your comments as well. But how would you recommend-- this question is asking, how would you recommend vetting that on the front end? What's that process look like?
RENEE WYNN: So NASA uses a platform that-- the platform does buy data-- actually, a lot of data-- in order to allow us to take a look at a couple of things. And it goes to the platform. I'm actually advisor to the business now because we were big consumers of the information. And we also drove a lot of the requirements because it was very initial stages when we started.
But I'm just going to do it as an example. So we purchase a subscription to a data platform. And so when a procurement would come in to buy a chip, it had to go through my organization and check whether that chip was, A, permitted to be purchased, what risks might be associated with that chip, what do those risks look like. It's seven layers of ownership. So what we ended up learning is there really aren't a whole lot of chip manufacturers.
You can also look if it's software. You look at where the software is being programmed. And if your coders are in a questionable country or, for me, the United States, hostile to the United States, we were likely not to buy the software because it would be added cost to then deal with the potential risks associated with using software where you are concerned that executable code was embedded in the coding and so that the software would do more than you want it to do.
Going back to the hardware, where is it manufactured? Who's touching it? And who's funding all of these activities as well? And so we buy access to-- or NASA bought access to a data platform so that before-- if something is bought, it had to go through my organization. And since everything is IT, including your refrigerators, that meant everything that NASA bought pretty much had to go through-- maybe not the clean room suits-- pretty much had to go through my organization for us to make a check.
JESSICA KEARNEY: What about for a smaller organization that might be looking to shore up its contracts and make sure that they're thinking about some of that risk? I don't know, Tim, if you could speak to that?
TIM FRANCIS: Well, smaller organizations have-- again, it's more of a-- how much resources and how much exposure and understanding of what's right for their organization. And the good news is small organizations probably don't have to have the same level of security that NASA does. The bad news is that they've got risks of threat actors compromising their systems. And often, the threat actors are really just looking for the low-hanging fruit to make a good payday and monetize it. And oftentimes, smaller companies are, in fact, that low-hanging fruit.
And Tony mentioned the scanning that CISA does. Well, some of the threat actors are just scanning for vulnerabilities. And so they're not always just targeting organizations because they're sophisticated or they're big. They're targeting vulnerabilities. And if they happen upon a small company, they're perfectly happy to take money from a small company, as a midsized company and a large company.
JESSICA KEARNEY: Great. Well, Tony, Tim, Renee, the hour has flown by. Thank you all so much for your time and your advice and your wisdom. I think we could, obviously, carry on for a whole 'nother hour. But we will continue this conversation in different formats throughout the month of October. Thank you, all three of you, again, for your insights. And we are dropping a number of the resources that were mentioned in the chat for the folks that are joining.
I'm going to take this opportunity now to turn to some of the programming we have coming up if you're still with us.
(DESCRIPTION)
Slide: Wednesdays with Woodward (registered trademark) Webinar Series. Text: Take our survey, link in chat.
(SPEECH)
We have a link in our chat today about a survey for today's program. So tell us what you thought about today's program and any thoughts that you have for future topics and speakers. We'd love to hear it.
(DESCRIPTION)
Slide: a previous slide with tour dates appears. Text, National Cybersecurity Education Tour. Fall 2024, September 24, Washington, D.C.; October 10, Irvine, CA; October 30, Philadelphia, PA. Register: travelers institute dot org.
(SPEECH)
As a reminder, as I mentioned at the top of the program, we've got two live cybersecurity education events coming up in Irvine, California, on October 10 and in the Philly area on October 30. So if you happen to be in those regions, please sign up on our website and come visit us for lunch. And we'll continue the conversation on cyber.
(DESCRIPTION)
Text. Upcoming Webinars: October 9: Mastering Market Shifts: What Independent Insurance Professionals Need to Know; October 23: A.I. in Action: The Future of Risk Management Through Predict and Prevent. Register: travelers institute dot org.
(SPEECH)
And of course, we hope you'll meet us back here Wednesdays at 1:00 p.m. throughout the month of October.
For those of you in our insurance crowd, on October 9, we'll explore the evolving insurance landscape for independent insurance agents and brokers. We're going to dig into the Big I's new Agency Universe Study with Charles Symington, President and CEO of the Big I, and Travelers' very own EVP Sean Ramalho.
Then on October 23, we host The Institutes' Pete Miller to discuss his views on the evolution of the Predict and Prevent model in risk management and how this approach is really leveraging emerging technologies and how it could potentially enhance safety for insurance policyholders-- so both-- two great programs coming up in October.
(DESCRIPTION)
Slide. A logo, Travelers Institute, Risk and Resilience.
(SPEECH)
Lastly, if you're a podcast listener, please look for us. The Travelers Institute Risk & Resilience podcast is now available wherever you get your podcast episodes. So subscribe today. We've got a link in the chat.
(DESCRIPTION)
Slide: Wednesdays with Woodward (registered trademark) Webinar Series. Three logos appear above text. Watch, travelers institute dot org; Connect, Joan Kois Woodward; Listen, Where you get your pods.
(SPEECH)
Thank you again for tuning in. Thank you to our speakers. And thank you for helping mark Cybersecurity Awareness Month. I hope you have a great afternoon.
[SOFT MUSIC]
(DESCRIPTION)
Logo. A red umbrella sits beside text, Travelers Institute. travelers institute dot org.
Speakers
Tony Collings
Cybersecurity State Coordinator for Illinois, Region 5, Cybersecurity and Infrastructure Security Agency (CISA)
Renee Wynn
Former Chief Information Officer, National Aeronautics and Space Administration (NASA)
Tim Francis
Vice President, Enterprise Cyber Lead, Travelers
Host
Jessica Kearney
Vice President, Public Policy, Travelers Institute
Event Highlights in the News
Cybersecurity risk called a human issue, not a technical problem
October 2, 2024 | Legal Dive