2020 Nonprofit Cybersecurity Incident Report
Join CTO and Nonprofit Cybersecurity expert Matthew Eshleman as he walks through the second annual Community IT Nonprofit Cybersecurity Incident Report.
You can download the report here.
This report looks at the different types of attacks that occur at small and mid-sized nonprofit organizations. Is your nonprofit prepared?
Matt will also share advice on security improvements that provide protection against the most common attacks. Learn the role of leadership in placing a value on cybersecurity preparedness for your nonprofit and the long term planning that should accompany your immediate assessment of your security risk.
Learn about real cyberattacks on nonprofit organizations and how they responded to these attempted hacks. Matt will give you the tools you need to protect your organization and staff from cybercrimes.
Many of these tips you can put in place quickly and train your staff on immediately.
Some resources from the webinar:
Microsoft Nonprofit Cybersecurity Guidelines: https://download.microsoft.com/download/1/D/4/1D494A7D-D153-40FC-BC18-F4C2F800E752/Nonprofit_Guidelines_for_Cybersecurity_and_Privacy.pdf
TechSoup Courses: https://techsoup.course.tc/ Our 101/201 courses are now FREE in the remote work bundle. We’ll have a dedicated course on Cyber Liability in the next month or so.
Zoom Overview: https://communityit.com/nonprofit-cybersecurity-tips-zoom/
Schedule an initial conversation or sign up for a free Darkweb scan: https://meetings.hubspot.com/meshleman
As the Chief Technology Officer at Community IT and our resident cybersecurity expert, Matthew Eshleman is responsible for shaping Community IT’s strategy around the technology platforms used by organizations to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how technology works and interoperates both in the office and in the cloud.
Matt joined Community IT as an intern in the summer of 2000 and after finishing his dual degrees in Computer Science and Computer Information Systems at Eastern Mennonite University, he rejoined Community IT as a network administrator in January of 2001. Matt has steadily progressed up at Community IT and while working full time received his MBA from the Carey School of Business at Johns Hopkins University.
Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference, Non-Profit Risk Management Summit and Credit Builders Alliance Symposium. He is also the session designer and trainer for TechSoup’s Digital Security course. He presents updated tips to protect your login credentials throughout the year.
Matt is excited to present this 2020 nonprofit cybersecurity incident report.
Johan Hammerstrom: Welcome to the April Community IT Innovators Webinar. Thank you for joining us for today’s webinar, in which we release and announce the 2020 Nonprofit Cybersecurity Incident Report. My name is Johan Hammerstrom and I’m the President and CEO of Community IT and the moderator for this series. Before we begin, I’d like to tell you a little bit more about our company. Community IT is a 100% employee-owned company; our team of almost 40 staff is dedicated to helping nonprofit organizations advance their missions through the effective use of technology. We are technology experts and we have been consistently named a top 501 managed services provider, an honor that we received in 2019 as well. And now it’s my pleasure to introduce today’s presenter, our Chief Technology Officer, Matthew Eshleman. Good afternoon, Matt.
Matthew Eshleman: Hey, good afternoon, Johan. Thanks for hosting the webinar today, and thanks to everyone who is taking some time out of their day to join me as we talk about some of the unique security challenges that are facing nonprofit organizations and how we can best combat them. Also, in this unique situation that we find ourselves in, with everybody who can working remotely, we’ll have some time to talk a little bit about good practices for secure remote work.
So, I would ask you to please use the questions feature to chat in your answers. We will have time for Q and A at the end. Johan can also moderate, and if there’s anything that we need to talk about on a specific slide we’ll be able to address those questions as they come up. So, thanks again for joining today. As we get started, I’d like to get a little bit of a sense of our audience and see, of the attendees, who has a plan to improve nonprofit cybersecurity at their organization. So, go ahead and we’ll run a quick poll to see where folks are at with improving cybersecurity at their organization.
You can see the options: you’re underway, waiting on approval, just getting started, or not yet. So, thanks for chatting that in; we’ll leave it open here for just another second or two. Thanks for responding.
(2:57) So, it looks like most of the attendees today are underway, some folks are getting started, and the rest haven’t started yet. So, again, I think we’re in a good place. I think there’ll be something for everybody who is attending here.
So, let’s go ahead and ask one more question, which is maybe more applicable to the folks that have said they are underway. I was curious to see where folks are at with their budget for cybersecurity, either coming into the year or, if your organization’s fiscal year starts on July 1, for that date. How has your budget changed: has it increased, decreased, stayed flat, or is it perhaps in the category where there’s no money allocated for cybersecurity?
I’m watching the numbers come in, so we’ll leave it open here for another few seconds. You can see where you’re at compared with your peers here on it.
(4:07) So, it looks like most folks are flat, some have increased, but a significant chunk has no money allocated for cybersecurity. There are some things that you can do that are very low cost or already included with some of the tools you have, so all is not doom and gloom here. Thanks for that response; we’ll have another poll a little bit later on, so keep your ears open for that. (See our video on 10 Free Cybersecurity Resources and Three to Pay For)
So, let’s go ahead and get right into the next slide, where we talk about how things work.
(4:38) I’m happy to announce that this is our second edition. Last year we did our first cybersecurity report. We took a look at all the data collected from service tickets submitted by our clients. We’re a managed service provider based in Washington, DC. We support about 120 organizations that represent about 5,000 endpoints. We maintain an ITIL-compliant service desk and categorize all the incidents as they come in, so we have a good handle on the types of security issues that are facing nonprofit organizations that have between 10 and 500 staff. (You can access more information at Nonprofit Cybersecurity: A Guide for 2020)
This represents the second year of that data collection, and so we can start to see some trends emerge associated with the security incidents that our clients are facing. So again, there is a little bit of a bias in here in terms of being applied to organizations probably in the DC metro area, but I think there are things that can be extrapolated regardless of your geographic location.
(5:52) Let’s take a look at our agenda. We will talk about:
- the overall cybersecurity landscape. I think it’s always a good idea to get level-set, to understand the operating environment that we are in.
- remote work. I know that’s on the minds of many of you, as you’re supporting staff who are working from their homes or other locations.
- our approach to cybersecurity, which I think helps to inform some of the information that we have.
- the types of incidents that we see.
- the report data.
- steps that you can take to secure your organization.
(6:43) So let’s talk about the cybersecurity landscape that we are operating in. I think there are a couple of things that we know regardless of the type of organization that you represent. One is that there are just persistent, ongoing brute-force attacks on our online identities. I think the adjustment to the cloud has been a positive one overall. I think it does give us a lot more insight in terms of what’s going on, in terms of how our networks are being attacked and how our online identities are being attacked.
If you’re an Office 365 client, there’s a rich amount of data in Azure AD to see the number of failed login attempts that are coming in and which accounts are being targeted. We can just see that any system that’s connected to the internet is receiving constant brute-force attacks. We’re also seeing sophisticated spear phishing that proclaims to be from your Executive Director or the Finance Director. The bad guys are really good at going to your website, figuring out the relationships amongst your staff, and then using that information to target them, to get account information or commit financial fraud. We’ll see that in the data we have.
We also know that organizations are targeted because of the work they do, and we’ll look at some of the trends that we see. Policy think tank groups are being targeted by foreign state actors, and we see that in the data amongst the clients that we see. And then we also know that attacks are targeting vendors such as ourselves. As a managed service provider we have credentials for many different networks, and so we take the integrity of that data very seriously. We know from the FBI and other cyber reports that malicious actors are targeting vendors as a way to exploit one network and then access many more.
So that’s the environment that we’re in, and if we take a look at the next slide, then we can also see that (let’s go back to the other) there’s another landscape here.
And we’ll talk about the new security tools that are available. It’s not all bad news. There do seem to be good tools available for cybersecurity, so I think that’s a positive thing.
And then, also on the positive side, we’re seeing that organizations are being more proactive about asking where to start with improving their cybersecurity. I think it’s evidenced by the attendance here today; folks are really interested in what they can do. And we also know from the Microsoft nonprofit cybersecurity report that there’s a long way to go. In their data, 60% of nonprofit organizations don’t know how their organizations handle cybersecurity risks. I think we have a link, so we can check that out from Microsoft and their report data, which I think has some really interesting findings, but it does highlight that nonprofit organizations in general haven’t prioritized cybersecurity and still have a long way to go when it comes to defining the risk and defining the processes in place.
And then there are also some data points: cybersecurity can be expensive to remediate. If there’s a breach, and this is from a Kaspersky study, breach response for a small or midsize business is $149,000, and that’s actually direct costs: costs associated with legal, with incident response from a vendor, and with defending from lawsuits. So again, breach response can be an expensive proposition for organizations to take on.
There are some pretty significant direct cost associated with responding to security breaches.
(11:08) Before we start talking about this remote work, let’s go ahead and just get a poll here to see how your organization has been handling the shift to remote work. I’ll leave this up for a second here…
All right. Thanks for the responses there. I’m really glad to see that most organizations had tools in place already and that it’s going well.
Another chunk had to scramble, and then a small percentage of folks require physical presence or are still working on getting things in place. So, I think that mirrors our experience as well. We’re already largely a virtual organization, and so the shift to all remote work from a technology standpoint hasn’t been hard, I think; the other things around it make it challenging. But from a technical perspective the tools have been in place and we’re doing well.
I think the organizations that we support were also in that category, having shifted to a primarily cloud-first approach and laptop-centric computing, and that has really been beneficial with the shift and transition.
(13:02) I do think it does bring up some more challenges, especially if the shift has been more reactive.
I do think that overall management and reporting is harder to do; perhaps if you’re already working with an MSP, then you already have the tools in place. We have a system that manages all the endpoints: it makes sure that antivirus is deployed, system updates are happening, inventory has been taken, and software security updates are being applied. So it doesn’t matter for us whether your computer is in your office or at home; we’re able to make sure that it’s up to date. That may not always be the case.
I do think that there are some significant security risks that come up with remote work and open up security holes. This primarily applies to organizations where staff are now using personal computers to access work resources. You don’t have that same sense of control in terms of: is the computer up to date, do they have antivirus protection, what else is going on in that system, and can you report and audit on that data?
So, I think there are some things to be aware of as it relates to that. Home internet connections, I think there’s some potential risk there, although I think working from home is actually a more secure proposition than connecting from the public Wi-Fi in a coffee shop. So, I think there are some security holes. They’re not insurmountable, and I think they’re primarily to do with device management, having tools in place, and having a mobile device management policy as well, so that you can ensure that the organizations that are connecting to you and accessing, storing and downloading information from your organization’s information systems are secure.
So again, for those organizations that already work with an MSP partner or have rolled out Intune or some other MDM solution, you’re in a much better place, because you can have that accountability for the systems that are being used to access the organizational data. And then finally, proactive planning pays off. As I mentioned, organizations are largely already in the cloud for most of their primary email systems. We’ve seen a pretty seismic shift to laptops, away from desktops. So again, that makes remote work a lot easier.
So, proactive plans: the organizations that had an IT and nonprofit cybersecurity policy in place, that made the transitions and put those new technologies in place to support a more flexible work environment, are now able to take advantage of that and be as productive as possible during these challenging times.
(15:56) So, let’s talk about the most popular topic of the day, which is secure video conferencing. We have some resources available on our website about secure remote work tips in Zoom, and then we’ll drop some links if you want to geek out on some of these topics; we can send those links out as well.
And I would say, in general, organizations already have secure tools available to them. You’re either in Microsoft, with Office 365, in which case you have Microsoft Teams, which is a secure video chat platform amongst many other features that it has. If you’re in the G Suite world, you have Google Meet or Google Hangouts as another secure option. So for most organizations those tools are already in place.
They may not be as user-friendly as Zoom, but I think they provide the core functionality that most organizations need to be productive and stay engaged with colleagues and external partners as well. So, if you’re already in that world you can use those tools. We have actually had conversations with a number of organizations that had been using Zoom, that are now needing to pull back because of some security concerns, and are rediscovering the tools that they already have available to them: Microsoft Teams or Google Meet, which is already in the stack for most organizations.
If organizations do have significant privacy and security concerns, which I think may outstrip even what you can get with Teams or Google, then there are some zero-knowledge encryption platforms that will provide secure end-to-end communication. That could be:
- Wire. That’s a Swiss company that provides video and group chat with end-to-end encryption.
- Signal, another popular tool; it is just a voice calling or chat platform.
- Jitsi. I think it’s supported by 8×8, but it is another encrypted solution that can support those organizations that have significant concerns related to the integrity of their communications. This is mostly talking about traffic being intercepted on the way to or from the endpoint.
Whenever we talk about Zoom: Zoom has been under the microscope lately.
I think there have been some notable security vulnerabilities within the platform itself that I think have been addressed, in terms of vulnerabilities with passwords being sent out. People were being sent a malicious link, or, a couple of months ago, there was an issue where they were deploying a web server on Mac computers to automatically launch and share video.
So, those endpoint or application-level issues have been largely addressed. In one of the links that we can send out, I think there are some concerns around their implementation of encryption, how they’re using certificates and how they’re routing traffic, such that organizations that have high privacy or sensitivity requirements in their communications may want to avoid it for that reason.
But for most organizations the biggest concern with using a tool like Zoom is malicious actors exploiting some of the weaknesses in the overall design related to meetings that were not restricted with a password. We saw that the British Prime Minister was on a Zoom meeting where the meeting ID was in a public tweet.
There are some good practices to keep the meeting integrity of Zoom intact so that you don’t get hassled by Zoom bombers who come in and cause havoc by exploiting some weakness in the platform.
The functionality within Zoom is certainly easy to use. I think it does the best job of video sharing for a lot of users, but there are weaknesses related to how they had implemented their encryption and certificate management that could be a concern. I think the largest concerns impacting most organizations, though, are: how do you make sure that the meeting is secure; how can you control the meeting attendees; and how do you make sure that the people who need to have access to the meeting do have access to the meeting?
(21:23) We’ll go ahead and just make a shift now to talk a little about our approach to cybersecurity and then get into the data itself.
At Community IT we use this graphic to talk about how we view cybersecurity: building on a foundation of security policy, and then on top of that we have security awareness, recognizing that the first two building blocks are really policy- and people-related. The technology isn’t the ultimate goal here. There are elements around technology controls related to identity, protecting the data, protecting the devices, the network perimeter (which now is everybody’s home, personal computer, the web), and then layered on top are some predictive intelligence tools. You can find all this in our Cybersecurity Readiness for Nonprofits Playbook, revised this year.
So again, that’s a graphic that we just use as a lens to make sure that we are covering our bases, representing that these things are rooted in the foundation of security policy.
(22:27) And then also we can talk about the security practices that we have at Community IT. For all the 5,000 endpoints that I talked about, we’re managing:
- operating system updates,
- third-party patching. We are deploying not only the operating-system-level updates but, for Windows computers, BIOS and driver-level updates as well. That’s a side effect, or an outcome, of the Spectre and Meltdown vulnerabilities that were identified a couple of years ago; again, we want to make sure the whole stack is updated.
- antivirus, deployed to all systems, and
- web filtering as an additional security layer.
So again, those are the pieces that we think are important to have in place on every machine and that help to keep the computers that we support up-to-date and secure.
(23:28) Now let’s talk a little bit about definitions before we actually get into the data. We call this the Nonprofit Cybersecurity Incident Report because we want to talk about the actual events that compromise the integrity, confidentiality or availability of an information asset. You can find more information on these definitions and how they affect nonprofits in our report Nonprofit Cybersecurity: A Guide for 2020.
These are issues that get reported to us and that we then investigate. So an incident is the top of the funnel, and then on the next slide we talk about breaches and the definition of a breach. A breach is an incident that results in the confirmed disclosure of data to an unauthorized party, not just the potential exposure that we have with an incident.
So you’ll see in the data that we have, we’re talking about security incidents, which need to be investigated, and then some percentage of those security incidents do turn into a confirmed breach, which is a much more serious categorization. So just from a definitional perspective we have incidents and then we have breaches. Obviously, we want to minimize both, but the breach is the more serious of the two.
(24:37) These are the types of incidents that we classify in our system, starting off with what we see the most of, which is spam; I think we’re all familiar with that. Then we have malware, which is a generic classification for any type of malicious software. It’s usually reported by the end user as a slow computer or strange pop-ups; that type of thing gets classified as malware. Then account compromise, which is the unauthorized use of a digital identity by someone other than the assigned user. If you have a confirmed account compromise, it could constitute a data breach. Then, moving on, business email compromise, sometimes also called spear phishing; these terms are evolving a bit. That’s a scam where they are faking, say, the name of your Executive Director or your Finance Director in order to extract funds, have you buy gift cards, update wire transfer information, or provide data such as a list of employees. That kind of thing is considered business email compromise or spear phishing.
We’ve classified wire fraud, which is often the result of a business email compromise attack, where they are actually stealing money using phone lines or electronic communications.
We have virus, which is a more specialized term or narrower definition of malware: a malicious piece of software that can alter the way the computer works and then spread from one computer to another.
Then there is the supply chain attack. That could be an attack that’s initiated through a partner of an organization, also known as a value chain or third-party attack. As a managed service provider, we can be a target for this type of attack. As a nonprofit organization, you could also be involved in a supply chain attack where somebody compromises an account in your organization and then that’s used to pivot to target other partner organizations or board members. That would be an example of a supply chain attack.
We also have a definition for advanced persistent threat, or APT. That’s really a state-sponsored actor that’s trying to get information on an organization. Their goal, as opposed to getting in and being disruptive, is to get in, maintain persistence, observe, see what’s going on, and exfiltrate data over a long period of time.
And then finally we have ransomware, or crypto-malware, again a more specialized form of virus that’s used to encrypt data and then demand payment so the data can be decrypted and used.
So that’s the incident classifications that we operate from.
I know from some of the comments that have come in that many people are experiencing spam and business email compromise or spear phishing attacks, with a few account compromises and ransomware attacks thrown in. So let’s go ahead and take a look at the data we have here.
(28:13) So in this table we talk about our cybersecurity incidents.
You can see that they are classified by incident type.
You have a count of incidents, a count of samples (that is the number of unique organizations that have experienced it), and then the percentage of the sample that has experienced that incident type.
Of the clients we supported, we had 72 different organizations submit security incidents. That’s a little bit about the classification.
And you can see that by far the most common security incident is related to spam, and that’s probably not a surprise. I’m surprised it’s not 100%, but spam is the most common type of attack, with over 70% of the clients submitting issues classified that way.
Malware is the second most common attack that we see. You’ll notice, down at the virus level a couple of lines down, that we actually only had three viruses amongst our sample in 2019. So of the 50 that get classified as malware, only three were viruses. The actual number of malicious software installs is very low in our sample. I think that’s probably lower than the industry average, because of the focus that we have on managing updates, having antivirus installed, keeping that up to date, and really focusing on the fundamentals.
So we see that malware is common, or at least commonly reported. The number of viruses actually detected is relatively low.
Number three on the list, account compromise, is a very serious risk in my view, because it represents the loss of control. Again, this would be an instance where somebody other than the named user has had access to that system, and then they had access, usually, to an individual’s email, or maybe to other files or resources on the network.
And so we can see that, while we had 15 incidents of that in 2019, 17% of those clients reporting security issues had a compromised account, which we’ll see in the next slide in comparison. Again, it’s a high number, and I think a reflection of the fact that most organizations still have not implemented multi-factor authentication as a way to protect themselves against these types of attacks. (See How to Prepare Your Nonprofit for a Cyberattack)
Fourth on the list is Business Email Compromise or spear phishing. We actually had 59 of those incidents that we classified last year which is a relatively large proportion and represents a big change over the data from 2018.
Wire fraud is a relatively small number, although it can actually represent a significant financial loss to organizations. These are cases where people are essentially tricked into buying gift cards or sending a wire transfer to somebody it didn’t belong to, that kind of thing.
We talked about viruses already, and then we had one case of advanced persistent threat. Those are the types of incidents where we’re often working in conjunction with some three-letter agencies to address and remediate the issues.
And we did not have any supply chain attacks nor ransomware in 2019. More broadly, and in the report we talk about this, ransomware has been predictably impactful for state and local governments. I live in Baltimore. Baltimore was knocked out for a couple of weeks because of a ransomware attack, and Atlanta as well. Ransomware does seem to be on the rise in the sample that we have. That may change coming into 2020, but for now we don’t have any ransomware attacks in the networks that we manage.
(33:04) And we’ll take a look here as we compare year over year. The orange is 2018 data and the blue is 2019 data. We can see that there was a pretty big spike in the amount of spam reported, and I would say that it’s probably reported spam; I don’t think the amount of spam email has necessarily changed. But one thing that we have been doing as part of our proactive engagement is just making sure that we’re communicating with the clients we work with: if you have a suspicious email, send it to the help desk and we’ll take a look at it. It’s a lot easier to get somebody else to take a look at it in 15 minutes and get back to you than clicking on something yourself or trying to do that analysis.
So, again, I think this is more reflective of proactive engagement with our client base as opposed to an actual increase in spam, but you can see it shows up as a dramatic increase in the amount of security incidents that we’re responding to.
Not much change in malware: 54 in 2018, 50 in 2019. I think that number is holding steady, with a small decrease.
And then we come to spear phishing or business email compromise, which is just a huge increase. Looking back on the data, we started to see this at the tail end of 2018. Then in 2019 it really took off, in terms of the number of emails clients were reporting in, saying, “Hey, I got this from my executive director, this doesn’t seem right.”
It does seem to be able to evade traditional spam filtering solutions, and so we’ve invested in new tools to be able to combat this. I think that even though people get a ton of spam, most folks treat it as an annoyance and are able to ignore it, whereas the spear phishing or business email compromise messages really elicit a different response. People feel personally targeted whenever they get that message from their finance director or executive director asking them to do something.
So, again, we have invested in a separate tool that’s specifically designed to combat this, in response to having such a dramatic increase in the number of these spear phishing attacks. This is something that requires a lot of attention and really addresses one of the big points that most organizations feel whenever they’re dealing with security incidents.
And then the other categories here: viruses, one and three. That’s a big number, 200%, but in absolute terms it’s not that much.
Ransomware again we have zero and zero.
Then we see that we did have a decrease overall in the number of compromised accounts from 2018 to 2019. I think it’s still too high. And I will say, of the 15 accounts that were compromised, zero of them had multi-factor authentication enabled.
So, I think it is a real testament to how effective MFA is as a security control. For those of you that have zero cybersecurity budget, MFA is an included feature in Office 365, in Dropbox and in G Suite. Most mainline applications have this as a feature, and it needs to be turned on.
Advanced persistent threats: we continue to deal with these at a very small level on a year-over-year basis. It does take an enormous amount of time to investigate and follow up on these.
For organizations that are targeted by these attacks, it’s just a reality of being in that space and we’ll talk about that.
Wire fraud: again we have a small percentage of these attacks that are successful year over year. And the next slides will talk about some techniques for helping to protect against that.
(37:20) So, in terms of some trends that we can now start to see, not just anecdotally but looking at the data, overall cybersecurity incidents are on the rise in general.
Spam continues to be a problem, but business email compromise is certainly the biggest headache that organizations face. And I would say account compromise is still at a high level.
And I think this trend will continue especially as more and more organizations are working remotely. Maybe they’re making some policy changes to make systems more accessible from people working from home instead of working from the office. I think some of those changes are going to lead to more account compromises being identified because organizations are loosening some of the security restrictions that govern when and where people can access information. These are the trends that we’re seeing throughout 2019 and now into the first quarter of 2020.
(38:36) I’ve alluded to a little bit of sector differences and so we’ll talk about that here. Things like spam and business email compromise attacks affect all organizations. Nobody is particularly immune from getting them. All organizations have personally identifiable information about their employees – social security numbers; all organizations have some financial assets. And, you can be swindled into buying a $500 gift card, no matter what organization you work with. Those attacks seem to be applicable to any organization.
We do see that policy or think tank organizations, or organizations that are related to good governance or democracy, are targeted by those advanced persistent threat actors (APT). If you are in that space, if you are a policy group or think tank, these foreign actors: Chinese, North Korean, Russian state actors are very interested in the policy that is being formulated, the people you are engaging with. Those organizations have a tremendous amount of focus brought on them by these advanced persistent threat actors that have the resources and are really focused on getting in, breaking into the networks and just maintaining their connection there. So, if you’re in that category, you certainly get a bigger bullseye on your back than some other organizations.
And then finally, I would say, based on our data, social service organizations do seem to be more susceptible to business email compromise. That will be the result of somebody sending that email spoofing the executive director or finance director, or asking somebody for credentials or sharing information. And I would venture to guess that that’s largely due to lack of investment in training in security awareness, perhaps a lower level of tech-savviness on behalf of users. So I think that’s something to be aware of. If you are in that social service or helping professions, we do tend to see more attacks being successful in that classification of organizations.
(41:11) So, with all this bad news that’s out there, what are the things that you should be focusing on? I will say, we do have a cybersecurity readiness for nonprofits playbook that we have available that has a much more comprehensive list of security controls that you can establish. I think that’s a worthwhile resource to go through and evaluate and make sure that you’re following that road map.
But if you just have to get started, I think these are the absolute core essential tasks that need to be implemented for any organization:
- And the number one thing is implement security awareness training. Having an educated and aware staff, you could get a lot of benefit out of that. Security awareness training is not that expensive to implement, we use KnowBe4. It’s a fantastic online platform, it’s very affordable. You can implement it. There’s lots of flexibility in terms of the education that’s available, you can test that and you can really get a sense of the progress that organizations are making.
So, again, investing in that area pays tremendous dividends and so I would recommend implementing a security awareness training program as soon as you can because it covers protection against so many different areas.
- I think, once you’ve done that, I do think it’s worth getting a dedicated tool to protect your staff from business email compromise; we use Barracuda Sentinel. And it’s been very effective. It does business email compromise or spear phishing protection along with account takeover protection, DMARC management and administration, and it’s really fantastic. I think other vendors – Proofpoint and some others – also do some other things, but I think the point is, you need something other than your regular spam filter to help protect staff against these types of threats. So, business email compromise, because again, it helps to eliminate the biggest pain point that staff have, when they see that email that appears to be coming from the executive director.
- And then finally, implement Multi-factor authentication. It’s free. All the platforms have it baked in and it’s the number one tool in your arsenal to protect your online identities from being compromised. It’s something that all accounts need to have in place because the bad guys are going to attack the weakest link. If you’ve got a hundred accounts and 99 have MFA on them, but one doesn’t, that’s the one that’s going to get boxed. So, MFA needs to be universally applied for all accounts, no matter who they are or where they access data from.
(44:03) I think we’re wrapping up here. In terms of, the things that we have capabilities of in cybersecurity at Community IT, we talked about security awareness training and policy, that’s really informed by a NIST cybersecurity survey that we can perform. I’ve talked about that in previous webinars and we’ll see if we can get the link out for that.
And then we have some offerings related to core cybersecurity assessments that provide a good overview of cybersecurity at an organization with some road map recommendations for organizations that really need a deep dive into their configuration and policy.
We have what we call a comprehensive cybersecurity assessment that’s rooted in the Center for Internet Security’s 20 critical security controls.
We have a range of managed cybersecurity services that we can provide.
I talked about security training, compromise protection and SOC Services, a whole long list of things.
I have listed on here as cyber liability insurance. We are not a cyber liability insurance broker ourselves. We certainly work with a lot of organizations to help fill out applications and I will put a plug in for a course that will be coming out that I did in collaboration with TechSoup courses. That will be an hour-long interactive course on cyber liability insurance, some ins and outs, the details. That will be coming out soon.
For right now, you can actually go to the TechSoup courses page and they have bundled together a number of their learning resources, including the Cybersecurity 101 and 201 course that I did. And it’s actually bundled into a free training bundle to help organizations that are making the shift to remote work.
So, I encourage you to go check that out.
And then finally we can do incident response as a way to address after a breach has occurred. Again, we have a range of those services for the organizations that we work with.
(46:39) So, let’s take a look at, I think the final slide here before we go on to questions is: Let’s Talk. We work with a wide range of organizations. Making sure nonprofit organizations have good cybersecurity controls in place is something that is really important to me and the work that I do.
As I said in the beginning, we use technology to help nonprofits advance their mission. If you worry about having account compromise, that distracts the focus away from what you’re doing.
So, if you email cybersecurity@Community IT, I can actually provide a complimentary Dark Web Scan to see what accounts may already be compromised. So, again that could be some insight if you’re just trying to figure out what’s going on with your network and taking that initial step into tightening up some things, or you need something to share with your executive director or leadership, like, “Hey, we need to take this more seriously.”
You can email cybersecurity@Community IT for access to a scan. I can return that pretty quickly. If you want to talk, you can book some time with me. Johan can chat out my meeting link if you wanted to talk a little bit about some cybersecurity questions that you have at your organization. I’m always happy to do that. (at the top of this page)
(48:00) So, I think, we are now at some time where we can have some Q&A. I have been really focused on talking and I’ve not watched the questions or chat at all.
So, Johan, what are some of the questions that have come in throughout the presentation?
Johan Hammerstrom: Yeah, thank you so much Matt, that was a great presentation and it’s exciting to see the results from this year’s Cybersecurity Incident Report. There’s been a ton of Q&A, and I have been responding to those as quickly as I can. I’ve also been chatting out a lot of the links that Matt had mentioned, during the presentation. Those are also going to be available on our website along with the slide deck, the recording of this webinar as well as the transcript from the webinar.
That should be posted by the end of the week, and for anyone who has registered for today’s webinar, you will be getting a follow up email with links to that information.
So, before we get to the Q&A, I did want to take a second to promote next month’s webinar.
Next month’s webinar is going to be presented by our partners at Build Consulting. Build is an information strategy firm that specializes in nonprofit organizations. And they’re going to be presenting next month on “What Nonprofits Need from Their Tech Leaders.”
Please note that next month’s webinar will be on May 20th which is the third Wednesday of the month, but it will be at 1 o’clock, instead of 3 o’clock. It promises to be an exciting webinar and I encourage you to register for it. And I want to thank everyone for joining the webinar today. We really appreciate your time and the opportunity to share these results with you.
And now, let’s get into the Q&A, so please chat your questions in using the chat feature in GoToWebinar. We also have some questions that were submitted prior to today’s webinar during the registration period.
So, I think I might start there because there’s a really interesting question that I’m curious to get your take on that. It involves security, obviously.
(50:12) If an organization has cloud accounts: Salesforce, Office365, and they are using Multi-factor authentication to protect those cloud accounts and their staff are not using public WiFi, (I would presume they’re connecting from home or from the office) should they layer on a VPN as well? Do they need a VPN in that scenario, to use their cloud systems securely?
Matthew Eshleman: Yeah, I think it’s a good question and I would say, it may depend on the overall security talents of the network. But I do think that we are going to see a shift from what’s essentially open access to networks to a trusted device or trusted access model. You can kind of get an example of this, if you just go into your Office365 login, you will just see thousands of failed login attempts against any account. And that’s because, you can access your account from anywhere. So I think we’re going to start to see a shift from that kind of open model to a trusted device model, where you’re saying like, “Only this device, that I’m going to register and approve, is allowed to access the systems,” as a way to kind of combat that.
So, I know, in Office365, in Salesforce as well, you can set up some IP filters. You can say, “We’re only going to allow connections to the network from these IP ranges or this IP range.” I would probably look at that as kind of a first step, as a way to minimize the surface area that’s being attacked. So, I don’t think it’s necessarily a bad thing to require a VPN. VPNs can add some additional overhead and complexity. So, again, the final answer probably is, it depends on the organization’s security talents.
But I think, I may even look at seeing if you could skip past IP restrictions to just moving to a trusted device model where instead of allowing any device to connect, and then allow those that successfully authenticate, I would say, we are probably going to move to a model where it only allows this trusted device to connect to the system.
(52:45) Johan Hammerstrom: Great. The next question involves the situation that we’re probably all familiar with now, and certainly a situation that many nonprofit organizations are dealing with. What’s the best way to ensure that home systems are secured? So, if staff have devices – computers that are owned and managed by the organization, but also nonprofit staff are using their home machines to connect to organization resources.
Matthew Eshleman: Yeah, I think the most important step that folks can take is to make sure their computer is up-to-date. That’s either running updates for the MacOS or Windows updates for Windows computers, to make sure that they have the most recent security patches. I know with all this shift to remote work and kids needing computers, people are digging stuff out of closets. So again, if you’ve got old systems running Windows XP or Windows 7, or older versions of MacOS, that would not be my first choice to access work resources.
So, I would say the first thing to do – make sure the system is up-to-date. Just by running those updates, rebooting the computer a couple times to make sure that they have all been applied successfully. Windows 10 does include Windows Defender as a Microsoft antivirus and it does an okay job of that. But really making sure that the system is up-to-date, is kind of the number one thing you can do to make sure that the system is actually secure. A lot of these vulnerabilities exploit older, unpatched operating systems and so, making sure the system is up-to-date, that’s number one thing.
Making sure all the third party plug-ins that you’re using are up-to-date, making sure your Zoom is up-to-date, making sure Google Chrome is up-to-date and making sure Acrobat Reader, all those third party applications, are up-to-date is really the most important thing that you can do to ensure the security of the device.
(54:57) Johan Hammerstrom: Great. All right. So, next question: What are your thoughts about setting up a Honeypot? And, if you wouldn’t mind, defining that as well, I think that would be helpful.
Matthew Eshleman: Sure, a Honeypot is typically, the terminology would define, an easy access system or account that you would use to trick or trap people into. So, a common technique, in the Windows world, would be to rename your domain admin account from administrator and then give it some complicated internal name. And then you would create an admin account and just give it guest permissions or even block it, as a way to kind of throw would-be attackers off the scent of the organization.
And I think it’s something that you could do. I would probably put it a little bit further down on the list of techniques. And I do think security is a game of fundamentals, and so I would really make sure that, for organizations, you have covered all those bases before you go down the road of creating more sophisticated proactive security tools or proactive kind of security techniques.
So, again, making sure all the systems are up-to-date, making sure that antivirus is in place, making sure that you’re filtering all your web traffic, making sure that you are looking at all the system logs, making sure you got MFA in place, making sure you’ve got cyber liability insurance in place, making sure that you have got monitoring and learning configured, like those are all things that I would do before I would do something like setting up a Honeypot to trap or attract attackers.
(57:02) Johan Hammerstrom: All right. Next question: Any general sort of tips and suggestions for implementing multi-factor? Which is something, I know, Matt, that you have done quite a bit.
Matthew Eshleman: Yeah, I would say, and maybe we can dig it out, but we have actually a pretty good end-user guide for Office365, for the steps to take for implementing Multi-factor Authentication in Office365. There are links, there are lots of great training resources available. Microsoft has a really great three minute video that actually walks through how to set up MFA on your personal device as an end user. So, there’s lots of great training resources available.
I think the biggest things to keep in mind from the IT organization perspective that we run into, is setting the expectations that, yes, you are going to have an app installed on your phone to make this work. And I think that’s been a place where we get some push-back. I think from our technology perspective MFA requirements are kind of easy to implement and easy to adopt. I think, in general, people are more used to being required for a second factor. Now, they have to have it to get in their bank or get in to other applications, so it’s not as unusual as it was maybe two or three years ago.
So, I would say, take a look at the training resources that are out there. There’s lots of good set up guides. Incorporating video as part of the training really helps, I think, to connect the dots for people when they’re trying to figure out like, “What do I need to do with my phone in this specific context?” And then again, set the expectation that a smartphone really is required to make this work, and work effectively in the most secured manner possible.
Johan Hammerstrom: So, I wanted to mention, before I go on to the next question, this will probably be our last question. We do have the report, the companion to this webinar, and I’m going to send that link out. I just did. You can download it from our website and we’ll include that link in the follow up email that we send out to all the attendees today.
But just as a reminder, there is a report that includes all the information covered in today’s webinar and you can download that report from our website (the link is at the top of this page).
(59:35) So, finally, a topical question: Are you seeing anything, Matt, as part of the COVID-19 pandemic and the stay at home orders that are in effect throughout most of the world right now? Have you noticed or seen any security impacts from that, aside from the Zoom situation?
Matthew Eshleman: Yeah, Zoom-Bombing, people hacking into or causing havoc on Zoom meetings, is probably the most common thing that we have heard reports of. I do think that the shift to remote work has created some security holes related to remote access to servers in particular. I know there is a webinar that, I think TechSoup did, that talked about RDP as a way to get access to servers and kind of talking about that.
We have seen more open RDP ports pop up. That is a pretty dangerous way to provide remote access because as soon as an RDP port is open, it’s getting thousands of login attempts, and so it’s really important if you are providing remote access to servers that that’s done through the context of a remote desktop gateway, which basically proxies all of those connections through HTTPS, which makes it more secure and less prone to these kinds of brute-force attacks. So again, we are seeing more RDP access pop up, and we are trying to make sure that we are securing that remote access properly.
Johan Hammerstrom: That’s a great point, I hadn’t thought of that. It’s a big vulnerability and it’s definitely something that people should be on the lookout for.
Great, well, thank you so much for your time today Matt, this was a fantastic webinar, very interesting, very important topic. And we thank all of you for joining us today, and we certainly wish that you would all stay safe and healthy during this time. And we hope you’re able to join us for our webinar next month. Take care.