Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
Nonprofit cybersecurity experts discuss the current state of risks, and the best counter-measures nonprofits should have in their toolboxes.
Learn what the cybersecurity essentials for nonprofits are, and how your nonprofit organization can meet the moment.
Keep your staff, your networks, and your data secure in an insecure world.
You aren’t alone. The nonprofit sector is seeing new attacks and politicization of work that was never political before. Most attacks we are seeing in our networks are still financial, not political – but that doesn’t make being a victim of these attacks better. AI is changing cybersecurity needs rapidly.
If you aren’t sure what you need to know, or who to ask, learn from our expert panel in this webinar where we will discuss cybersecurity essentials for nonprofits in accessible language, and lay out a plan for any nonprofit to put the basics of cybersecurity in place.
Secure your devices.
Secure your accounts.
Secure your data.
As with all our webinars, this presentation is appropriate for an audience of varied IT experience.
Community IT is proudly vendor-agnostic, and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.

As the Chief Technology Officer at Community IT, Matthew Eshleman leads the team responsible for strategic planning, research, and implementation of the technology platforms used by nonprofit organization clients to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how nonprofit tech works and interoperates both in the office and in the cloud. With extensive experience serving nonprofits, Matt also understands nonprofit culture and constraints and has a history of implementing cost-effective and secure solutions at the enterprise level.
Matt has over 23 years of expertise in cybersecurity, IT support, team leadership, software selection and research, and client support. Matt is a frequent speaker on cybersecurity topics for nonprofits and has presented at the Technology Association of Grantmakers, Jitasa, Nonprofit Learning Lab, NTEN events, the Inside NGO conference, Nonprofit Risk Management Summit and Credit Builders Alliance Symposium, LGBT MAP Finance Conference, and Tech Forward Conference. He is also the session designer and trainer for TechSoup’s Digital Security course, and our resident Cybersecurity expert.
Download the updated Community IT Cybersecurity Readiness for Nonprofits Playbook here.
Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.
He is available as a speaker on cybersecurity topics affecting nonprofits, including cyber insurance compliance, staff training, incident response, and cybersecurity tabletop exercises for nonprofits.

Ian Gottesman is CEO of a coalition of 200 NGOs and 20 major IT companies working together to improve cybersecurity for the nonprofit sector (NGO ISAC). They host an annual conference, monthly webinars, and online forums; he has enjoyed spearheading their mentoring program and serving as an organizer for their conference. The “join NGO ISAC” button is at the top of their website and Ian urges nonprofits to participate in this cybersecurity community.

Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty-five years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College. She was happy to learn from this panel what the cybersecurity essentials for nonprofits are.
Carolyn Woodard: Welcome everyone to this Community IT webinar, What Are Cybersecurity Essentials for Nonprofits, with Matthew Eshleman, who is the Chief Technology Officer at Community IT, and Ian Gottesman, who is the CEO of NGO ISAC. And they’re going to discuss the basic practices that can block about 80%, at least 80% of attacks and help you get your nonprofit on the right track to meet this moment. They’re also going to talk about how to engage your staff with cybersecurity, so it isn’t just something the IT team does, but something that everyone at your nonprofit sees themselves as a part of. My name is Carolyn Woodard. I’m the Outreach Director for Community IT.
I’ll be the moderator today. I’m very happy to hear from our cybersecurity experts. I’m particularly excited because both of these guys are great at breaking down this complicated jargon into components and concepts in ways that I can understand. And I’m not a cybersecurity techie, so if I can understand it, I’m sure all of us can too.
We’re going to learn a lot today. But first, I’m going to go over our learning objectives.
So, by the end of the session today, we hope that you will learn what practices go farthest to protect your organization now, learn to train against phishing, always perform your updates, and prioritize identity management. Hear ideas on making cybersecurity more fun for everyone on staff and discuss some lessons that we’ve learned this year and next steps.
So Matt, if you’d like to introduce yourself.
Matthew Eshleman: Great. Thanks, Carolyn. It’s good to be here. My name is Matthew Eshleman, and as I said, I’m the Chief Technology Officer at Community IT. In my role, I’m really responsible for managing our back-end team that does all of the device and endpoint management for our over 200 clients. And I also work with our clients on cybersecurity strategy and implementation. Looking forward to talking with Ian today.
Carolyn Woodard: And Ian, would you like to introduce yourself?
Ian Gottesman: Sure. My name is Ian Gottesman. I’m the Chief Executive Officer of the NGO ISAC. And before that I was a long-time IT leader at a series of nonprofits, which led me to my current role where we help other nonprofits with cybersecurity.
Carolyn Woodard: Awesome. And before we begin, if anyone isn’t familiar with Community IT, a little bit more about us. We are 100% employee-owned managed services provider. We provide outsourced IT support, and we work exclusively with nonprofit organizations. Our mission is to help nonprofits accomplish their missions through the effective use of technology. We are big fans of what well-managed IT can do for your nonprofit.
We serve nonprofits across the United States. We’ve been doing this for over 20 years. In fact, our 25th year anniversary is coming up next year. We are technology experts. We are consistently given the MSP 501 recognition for being a top MSP, which is an honor we just received again in 2025. We always check the current list, but in the past, we have been the only MSP on the list serving nonprofits exclusively.
I just want to remind everyone that for these presentations; Community IT is vendor agnostic. We only make recommendations to our clients and only based on their specific business needs. And we never try to get a client into a product because we get an incentive or benefit from that. We do consider ourselves the best of breed IT provider. So, it’s our job to know the landscape, the tools that are available, reputable and widely used. And we make recommendations on that basis for our clients based on their business needs, priorities and budget.
We got a lot of good questions at registration. We’re going to try and answer as many of them as we can. But anything we can’t get to, we’re going to go over to our community on Reddit right after this webinar. It’s r/NonprofitITManagement/ and we’ll continue to answer questions over there. And we’ll do that probably for the next couple of days as well. So, if you don’t have a chance to go right over there this afternoon, you can check us out tomorrow or the day after.
And a little bit more about us, our mission, as I said, is to create value for the nonprofit sector through well-managed IT. We also identify four key values as employee owners that define our company, trust, knowledge, service, and balance. We seek always to treat people with respect and fairness, to empower our staff, clients, and sector to understand and use technology effectively, to be helpful with our talents, and we recognize that the health of our communities is vital to our well-being, and that work is only a part of our lives.
So, with that said, I’m going to go ahead and launch our first poll for those of you in the audience.
So, our question is, are you the cybersecurity person at your organization? Your answers could be:
And Matt, can you see that?
Matthew Eshleman: Yeah, again, so it looks like we’ve got a pretty even distribution here: about 20% say no, definitely not. 35% of folks here say yes, they are the cyber person, they own cyber at their organization, and then another 20% say we’ve got some responsibility, but we’re not the owner. And a couple of people say, hey, no, not applicable. So, a good distribution there. So hopefully something for everybody.
Carolyn Woodard: For everyone. Yeah, thank you for sharing that with us. If you are not the cyber person, don’t worry. But thank you for coming here and wanting to get more educated on what the threats and the protection that you can put in place as that’s a great step to take.
Some of the people have been putting in the webinar chat, they’re a board member, level 1 IT support, director of IT, volunteer board member. So, thank you for putting that in and welcome to the webinar. All right.
Then we actually have another quick poll right away. Oops, I just closed my polls. Hold on a second. Okay. It took me to close. I meant to go back. Okay. So, I’m going to launch this one.
This question is, what is your organization doing now about cybersecurity? And your options are:
Ian Gottesman: So, what is your organization doing about cybersecurity? The two most common answers: we’re worried about it, taking some steps, probably not enough. That was 41 percent, 17 out of 41.
And then tied with that is we have good practices in place, but we can always do more, also at 41 percent. And then for 12 percent, five respondents, we’re hoping not to be a victim, we don’t know what we’re supposed to be doing. And then two people said not applicable slash other. So, I think that’s about where we can all be.
One of the things to think about with cybersecurity is it’s a bit like health or wealth or a lot of other things that you can do the bare minimum. It will make a big difference, but you can always do more. You can always eat more vegetables and be healthier or make more money. But if you can do enough to sort of do your day to day job and make sure that you can do your security, secure your information for your organization and your clients or users, whatever you want to call them, that that is really where you should go and sort of do it a step at a time. It doesn’t have to be this sort of great big unknown thing that causes you to cower in fear and stick your head in the sand like an emu or whatever.
Carolyn Woodard: I think doing something, like you said, doing something, taking a few steps, like maybe you’re not doing everything all at once until you feel like, oh, why should I even start? But it’s definitely worth it to start. All right.
So, we’re going to move on.
And Matt, I think you wanted to talk about this graphic, which everyone can find in our playbook, which is a free download from our site. I’ll post the link in the comments, and it’ll be in the transcript as well. But we use this graphic to talk about our philosophy of cybersecurity. So Matt, do you want to talk a little bit about it?
Matthew Eshleman: Yeah, I mean, I think it’s kind of building off of what Ian said, right? You can, you know, there’s always more you can do. And I think that’s a good kind of metaphor to keep in mind, right? Security is a, it’s a journey. It’s not a destination, right?
You’re never going to get to the place where you’ve got all the security. So, there’s always more things that you can do. So, I like this graphic. I mean, I should, I wrote it or I developed it. But it really talks about, you know, the foundation of policy. That can be hard for organizations, but it is good to have, you know, kind of a common language, set of instructions that just kind of talk about how do we think about IT at our organization.
You know, it can be in plain words, right? Like, what are we going to do about personal devices? How are we going to treat interns and volunteers? What’s our password policy going to be? Where are we going to store our data? You know, so just starting off with that foundation of policy helps make some of these other decisions a little bit easier. Building on that, you know, we feel pretty strongly that’s engaging and training users is probably the best investment that you can make in terms of organizations that have limited resources to spend on IT.
Just engaging staff, getting them trained, kind of showing them some of the basics, you know, really does bear a lot of fruit. You know, once you get beyond kind of trained and engaged staff, then, you know, there are lots and lots of different technology tools that you can layer on top of this. I mean, it really can be a daunting process. But, you know, if you’re working with a good partner, you know, they will have some good solutions in each of these different areas.
You know, and then kind of at the very top, we have this layer that we call compliance. And what we find in working with the small to mid-size nonprofits that we have, you know, everybody wants to have a good foundation of IT policies. And we are seeing, you know, more and more clients are getting into that realm where, you know, because of their financial audit, they are now required to maybe do additional security practices.
Maybe they are, maybe they were getting some government funding that required adherence to certain policies or kind of compliance framework. So, you know, organizations typically aren’t jumping, you know, both feet into kind of a full-on compliant framework at the beginning. But, you know, maybe it’s something that you do after you take care of some of these basics. So that’s a way that we like to think about it and kind of build out those recommendations. And that’s built into the Cybersecurity playbook that we’ve provided.
Carolyn Woodard: Yeah, and I just shared that link and it will be in the transcript, too, if you’re listening to this later.
So, I wanted to move on, and this one I want to turn to you, Ian. You had mentioned, when we started talking about doing this webinar about covering the basics, I think you said that if all nonprofits did these couple of things, they would immediately prevent up to 80% of attacks, which is a lot better than 0% of attacks.
So, as you and Matt talk about these basics that you pointed out for us, I wonder if you can also talk about the barriers to putting the basics in place for these different categories. We know our nonprofits are worried about cybersecurity. All of you here today in the audience are worried about it. Once you know that you should be doing these things, it’s also helpful, I think, to discuss why it can be hard to put them in place. So, Ian, do you want to kick us off?
Ian Gottesman: Yeah, I mean, these sort of three, Cybersecurity 123, ABC, what you want to call it, are really the core, the foundations of all the stuff you’re doing. And whether you’re using CSI, CIS controls, or some other methodology to help you with that, like Verizon Breach reports, you can see that these things come up over and over again.
And it can be hard, like even quote unquote, the basics is not easy. Like, you know, making sure you have updates running on all your computers requires, for example, having an inventory of all your computers and phones that have your company’s data on it. And that may include personal devices, right? A lot of us are in organizations where we provide our staff laptops and not phones, or maybe not even laptops.
And so, they’re kind of intermingled work devices and personal devices with all kinds of data in there. But yet, you have a responsibility to make sure your client or your users or whatever your data is secure.
So, you really have to kind of think about this and just start with simple things and start with baby steps. So, if you’re a super small organization and trying one person who’s managing IT and HR and finance, which is not that unusual in a lot of nonprofits when they’re starting out or just aren’t big, how do you make sure that people are running updates?
It could just be as simple as setting up a meeting with them, whether it’s in person or online, and making sure they’ve turned on automatic updates on their laptop and their phone so that they get the latest things automatically. Like I just had to install an update right before this call.
And then anti-phishing training could be something as you pay thousands of dollars for or tens of thousands of dollars for to train your staff, or do it asynchronously, or you have a trainer come in and do it. It could be as complicated as that. Or it could be as simple as you have some reminders that you give people once a quarter, or once a year, once people start. You have a document that you’ve created, or someone like Community IT, or the NGO ISAC, or whoever has created for you. They go through a presentation.
And then identity management is two words, but it’s a lot, like trying to make sure you have unique passwords and you’re using multi-factor authentication or pass keys or physical keys.
But there’s a lot of different tools and places and ways that can help you with these things. And you just start with a simpler version of it. You’re not going to have single sign-on, SSO, if you’re a small nonprofit, right out of the box, which maybe will add more security, or physical keys from someone like Yubikey, or passkeys, which is like using biometrics for your password, for that second factor, right out of the box, but you can move towards it. You can make sure that you’re all using a free or low-cost password locker, for example. There’s a lot of them out there that are free to use or based on open source.
And start with that and then mature yourself up. You got to kind of crawl before you walk or you run. And you got to just not be intimidated and not start. Start anywhere. And go from there.
You can’t, you know, it’s like the analogy we keep making with health and wealth or other things. You can’t eat a field of broccoli on January 1st and then not eat vegetables any day for the rest of the year. You’ve got to do a little at a time.
Carolyn Woodard: I love that. Speaking as someone who may have tried to eat a bunch of broccoli in January.
We do have a question in the Q&A. What are CIS controls?
And I wonder if while we’re on this slide also, we could maybe talk a little bit more about what is phishing? What is anti-phishing training and why identity management is important? What can happen if you don’t have good identity management?
Ian Gottesman: I mean, identity management is just how you log into things. Increasingly right, we’re all sort of working in a remote cloud first world where we’re like logging into things and we don’t have complete control over our stuff. 30 years ago, when I started out in IT as a little intern in graduate school, my first day we walked in and we had a meeting.
I was in an IT office at a state agency in Florida where I’m from. And they proudly got up and said, we’re the first agency in our division or whatever it was. I forget the exact thing. They had set up a firewall, and we had this very cool firewall called Eagle Raptor Firewall which I still remember 30 years later because it has a very impressive name, it sounds like a cartoon. And all the bad stuff on the Internet is kept outside with the firewall and all the good stuff is inside. And as long as you work inside the firewall, everything is safe and the firewall is going to guard us. And it’s a firewall and it’s full of fire and walls and it’s an eagle and it will claw you up.
And that was the analogy 30 years ago is that the Internet was bad and everything outside was bad and everything inside was good, kind of like an egg. And that’s still true, probably wasn’t true then either.
And that sort of increasingly now we’re all using things in different ways and very little of it is hosted inside like it was inside our firewall like it was a million years ago when I was in grad school. And we’re using, we’re logging in to those things. We’re logging in to Office 365 or Google or Salesforce or NetSuite or Intacct or all these cloud-based tools that run our day-to-day operations. And then there’s probably many more that I haven’t thought of.
And you have to make sure that when you log in to those tools, it’s giving the right person the right access that you want. Somebody can’t impersonate a staff member of yours and then send a bunch of money to the wrong place, which is the most common form of fraud. Or use an account that’s shared across a bunch of different people because it’s easier to do that than set up individual accounts.
You really have to make some time and effort and design things correctly from the get-go so that you’re doing managing individual access to tools in a way that makes sense and that protects the data of your staff, the data of the people you work for and with, and make sure that you are taking your responsibility, your duty of care for all the things that you’re supposed to do.
Then questions about what are CIS controls. CIS is the Center for Internet Security. It’s a big nonprofit that helps set up standards for cybersecurity and internet security. They’ve created these controls that you can use, I think there’s 20 something that you can use to measure your security and then you can like go and take a test and measure your controls, your standard, your organization standard versus say other peer organizations or other types of organizations.
And sometimes when you get like an IT audit, that’s what they’ll use to do it, CIS controls. And they have controls for things like identity management and updates and inventory that a lot of people use as a standard for cybersecurity and IT sort of maturity.
Carolyn Woodard: And is that https://www.cisecurity.org ? For Internet security?
Ian Gottesman: Yeah, yeah, yeah.
Carolyn Woodard: All right, I will put that in the chat, and I’ll be in the transcript too. So, you can look it up yourself.
Ian Gottesman: And they have a ton of different cybersecurity tools for nonprofits, or for anyone, but they’re a nonprofit and they have some pricing for nonprofits to do a bunch of different things in varying degrees of price and options. And I’m just a partner that we’ve worked with.
Carolyn Woodard: Matt, if I can turn it over to you just for a minute or two. We do a lot of anti-phishing training with our clients, and we find that very effective. So, can you talk a little bit about what it is and how it works? Ian was saying, you know, you can get really expensive, fancy ones, it can be as much as meeting together in the conference room and talking about what phishing is and how to be careful.
Can you talk about like kind of our medium range of what we recommend people do?
Matthew Eshleman: Yeah, I mean, I think, as Ian said, right, you can do 20% of the work and get 80% of the protection.
I really think that’s true as it relates to email. As we support organizations, it’s very apparent, right? I mean, almost all of the account compromises or like the wire fraud that we see, it all starts with a malicious email.
And we would call that phishing, where the sender of the message is obfuscated or the link that they’re sending you is obfuscated or has some way that it’s hiding its intent or its result. And so, the link that you thought you were clicking on to get access to the document from a partner, well, maybe that actually is, the partner maybe has a compromised account. And so now that attacker is sending you a link that’s able to steal your credentials or access to your systems. And so now, you’re kind of another victim.
And so that being able to identify as an end user, like is this message legitimate? Is it who I think it’s supposed to be from? What should I do if I click on something and it doesn’t look quite right? Building all of that expertise and knowledge is important.
And again, so there’s lots of free training resources out there. CIS has stuff, CISA, you know, the government agency has training resources that are free. And so, if you have the time and can kind of organize those and point folks in the right direction to get to that stuff and make sure folks are taking it, that can be a good resource.
We do a lot of managed security training, you know, through a platform called KnowBe4, you know, there’s other online security training tools that are out there.
But, you know, those tools are really helpful because, you know, you get a little bit more granularity in terms of, you know, maybe which users are getting which training. You know, you can kind of take it, you know, it’s an online learning management system, right? So, people can take training whenever it’s convenient for them.
And then the other nice thing is you can do a little bit of testing. You know, you can see which users maybe are more prone to clicking on those links that are going to come across and maybe, you know, which folks need some additional training resources to help them identify areas.
And I think the other thing is, you know, in terms of training, there’s a whole bunch of different training content out there. And some people might like the formal kind of stilted approach. It’s very like, here’s the detail and here’s how a website link is constructed. And, you know, here’s what the WWW means. And, you know, one of the things about KnowBe4 we like is that they have some really engaging, you know, like mini-series style content where, yeah, it’s like a little like mini show and they’re just like dramatically representing like what happens when you click on that link.
And I don’t know, it’s not that’s not the training for me, but we get like really great feedback when people take that. And I think if you can make training fun and engaging, educate people, give them the freedom to like ask questions, you know, talk to other people, share their experience, you know, I think that all works better.
It’s important, you know, for these emails, right? It’s good, right? Whenever we send out those test phishing messages, and we see, you know, the result, like people are like, oh, is this phishing? Or somebody forwarded this to me, asked me to take another look at it. Yeah, that’s great. That’s what you want to do. Take a second look at it.
Carolyn Woodard: Yeah. We do have a question, Ian. Someone asked if there’s a fee to join NGO-ISAC.
Ian Gottesman: We’re a Pay What You Can organization. We’ve been lucky to have some foundations help us with most of our operating costs. But based on your revenue, we have some guidelines. But if you want to join for free because you don’t have the ability to pay right now, that’s fine. You can just join through our website. Join through our website and we have a community online. We have weekly briefings. Not honestly that dissimilar from this. And Matt has given one of those. We have an in-person conference. It’s December 3rd in Washington, DC at the Brookings Institute for Nonprofits.
Carolyn Woodard: Ian misspoke. It is actually December 4th. It’s in Washington, DC at the Brookings Institution. And you can register on his website, ngoisac.org. That’s ngoisac.org.
Ian Gottesman: And we’re sort of going from a totally volunteer run organization where we were a year and a half ago to having staff and kind of moving up at providing more than just a community to help our sector protect itself.
I wanted to kind of double click on a couple of things Matt just said.
One really good resource, which is run by another nonprofit, the Aspen Institute, is Take9. It’s a nice free online tool that is designed for sort of everybody to use to learn how to do some training. If you’re in the Washington DC area, you may have seen some of their public service announcements that they did around the holidays last year. They did some advertisements in the metro and on billboards and stuff.
And then the most common type of Internet fraud involves phishing. It’s called BEC, Business Email Compromise. That’s basically where someone gets in the middle of a conversation you’re having with the vendor and misdirects funds. It can be a small amount like your printer vendor or your paper vendor and maybe a few hundred or a few thousand dollars. Or it can be a really large amount like it gets between you and a grant making organization and your annual grant of hundreds of thousands of dollars can be misdirected and it can be quite scary.
One thing I would like to say is that FBI is really, really successful at redirecting those funds. So, if that happens to you or your organization, you’re a victim of a crime, you should report that crime immediately as soon as you possibly can to the FBI, to the IC3 website.
I think the IC3 stands for Internet Crime Communication, Internet Crime and something. But they have an 80% recovery rate if you can report it in 72 hours. So, if you’ve realized you’ve had money stolen from you, I can immediately go there and report it.
The person who did it may or may not be punished as a crime because a lot of these things are happening outside the United States. And so, we can’t, our government, our law enforcement agencies can’t do a lot, but they can work with Swift and other banking institutions to pull your money back. And so that’s a really important thing is you’re a victim of a crime.
You shouldn’t be ashamed of what happens to you with something like BEC or any sort of cybercrime, honestly. And you should report it to local law enforcement in places like Washington, DC or Northern Virginia, Maryland, where I think most of us on this call or the speakers on this call are, or in the case of US or report to the FBI, they have large numbers of people dealing with cybersecurity and cybercrime and they can help you recover money, get more information to you. They may come back to you with questions if they have them.
But it’s really important that cybercrime is dealt with as a real, analogous crime would be, like a physical crime. Like if someone were to drive through the front door of your organization in a big truck, run up the stairs, rifle through your finance office’s files, steal all the finance files if they’re interested, run back down and then drive out of an office in, say, Dupont Circle, where I used to work, or any number of places in downtown Washington. That would be on the front page of every newspaper, it’s so crazy.
But if they do the analogous thing of like break into your file server and rifle through your CFO’s files, somehow that’s okay and that’s not nearly as bad and that’s the CFO’s fault because they didn’t have a right password or didn’t do security as well as they could have. I don’t think that’s true.
I think that that crime is just as serious if it happens in the cyber world as in the real world, and it should be reported to law enforcement and dealt with as a crime, and you’re a victim just like anything else, and I think that’s something that people kind of forget.
Carolyn Woodard: Yeah. Thank you for that analogy. I think also we always say don’t try to, don’t be so embarrassed or ashamed that you try to fix it yourself. Like that’s a criminal on the other end of what happened to you, and you don’t want to be trying to go after them.
So, I do want to move on to this slide about protecting nonprofits, talking about risk assessment and some more basics.
But I noticed that neither one of you really addressed, how can you get going on this if there’s some barriers at your nonprofit that are preventing you from taking these steps?
So, I’m actually going to turn it out to the audience.
While we’re discussing this slide, if you want to put in chat, if you’ve encountered barriers at your organization that are keeping you from getting going, please go ahead and put those in chat, and we’ll ask Matt and Ian for their thoughts on that.
But I wondered if I could get you to talk to us a little bit. I think Matt, this was one of your topics you wanted to talk about. I know a lot of cybersecurity companies use fear to sell their services, and there’s a lot of anxiety in the nonprofit sector now. So, can you guide our listeners as to how they can think through risks, do realistic risk assessment now?
Matthew Eshleman: In general, cybersecurity is kind of a fear-driven sales model. That’s how a lot of vendors come about it. Maybe for your organization, that is the only thing that gets people out of their complacency and will make them kind of take those steps.
I think every organization is a little bit different. I think if you’re in the role, maybe cybersecurity is not your responsibility, but you have some involvement. I think understanding what levers to pull at your organization to move things forward is helpful.
Maybe it’s that cyber liability insurance application. That’s a good way to say, hey, we have this application, they’re asking for all these controls. We’re not doing any of these. Let’s pick one or two that we just need to get started and then you can build momentum.
You don’t have to eat the field of broccoli today, but take a bite, take one step.
Maybe you’re going to enable MFA, maybe you’re going to sign up for a security awareness training, maybe you’re going to use a free training just to get started, and then once you see that successful, you can move on to the next thing.
I would say the other thing that’s important to understand is just from the risk perspective, what does your organization’s risk profile look like? What’s your biggest threat? How likely is that going to happen? What protections do you have in place to help mitigate against that risk?
I think just generally, being an organization with online resources, the biggest risk most organizations have is cybercrime that’s perpetrated through fraudulent email that targets your finances. That’s a very common, if you’re a one-person organization to like a 200-person organization, that’s the most likely thing that you’re going to experience.
Maybe organizations that work in policy, maybe they have a little bit of a different threat profile maybe. But that’s the most likely thing that’s going to happen.
And so just take a step back. What are you concerned about as an organization? And how can you put in protections to help address those most likely scenarios so that you can address that and then move on to the next thing?
Carolyn Woodard: We’re getting lots of great suggestions in the chat around barriers. So, I will include some of these in the transcript anonymously. I’m not going to say what you said your barrier was, but they’re really helping think through some of these barriers.
And so, we’ll also, if we don’t have a chance to talk about all of them because we only have an hour, I’ll get Matt and Ian to give me some thoughts as well on that and I’ll put them in the transcript too. So, look back for that.
We have another thought question for you and our audience. And that is,
So, if you have some ideas on that, please put it in the chat. We’re going to talk a little bit about it here.
Matt and Ian, do you have ideas on how it can be more something that people feel really engaged about? Maybe not excited about, but they understand how they can help protect this organization that they care enough about to work for? Tell us some of your ideas. What works?
Ian Gottesman: You can definitely game it, little simple toy, little simple treats or punishments.
For example, one year, and this is cybersecurity awareness, which I think is why we’re doing this. One year when I was at an organization, if everyone, I think it was 80% or 90% of our organization, completed their monthly training within the first two weeks of the month, when we had our monthly party the second Friday of every month, I would drink cod liver oil to make me smarter and more aware of cybersecurity. I can just tell you, cod liver oil tastes really, really bad. But people enjoyed watching me drink it, so that really motivated people.
The other thing, I’ve used tools like Wombat, I know, before in all of these training tools, and people really enjoy seeing their score, seeing how they do, providing examples of phishing that they’ve gotten, which you can then use to create examples for other people.
I mean, cybersecurity is a risk, like a lot of other risks, and it can be managed and mitigated and transferred in all the ways you deal with risk. And it becomes a risk with ways to manage it, and you can do audits and things. And you just need to, as an organization, you can figure out what are those really most important things and how do you protect them and find easier ways to do that and more fun ways to do that.
I mean, it, you know, financial records, donation records, those things are really important to all nonprofits, and you need to make sure that those are secure and that the CRM or AMS or whatever, you’re placing all those key things, that you’ve added as much security as you can there and that maybe you’ve done things like have an audit run, use the scoring system that will give you, say you have a score of 70 out of 100, here’s the things you can do to get the extra 30 points.
Do all these things that you can do routinely to help and do it a step at a time. You can’t eat that field of broccoli on January 1st, but if you have a few heads of broccoli every week, then you’ll be a lot better off.
Carolyn Woodard: I have a friend who gave me this analogy. While we’re on the health subject of the prevention versus recovery, and that if you do suffer a hack or a breach, it takes a long time and it’s really stressful. You’re going to spend a lot of money probably too, until your insurance pays for it or whatever. It’s like having to go to the ER versus going to see your doctor yearly for your annual checkup.
It’s not fun, but really doing the preventative stuff really can pay off in the long run of helping you not have to do the recovery. Again, some people are putting some really good things in the chat. We will share those in the transcript. Matt, did you have some ideas on fun stuff?
Matthew Eshleman: Yeah, I think I talked about it a little bit in the previous slide. In terms of making the training, using different training methods, I would say the other thing that we have tended to do is try to do training.
Instead of it being one big training once a year, where everybody is in the conference room or you have this hour-long thing that you need to slog through, our approach has been to do shorter but more frequent trainings. So again, our standard training, the big training is maybe 10 or 15 minutes of time. And then we’re typically doing a five-minute game, a little video, a quiz, a topical thing.
Try to mix up the actual training content that folks are receiving. Instead of it being, you just have to sit at your desk or there’s the all-staff meeting where somebody gets up and talks for an hour nonstop about some cybersecurity topic, you endure it and then you forget it after it’s happened.
But building that culture of security where we’re doing a training this month, there’s something next quarter, people are engaged in an internal Slack or Teams channel, to be like, oh, I got this weird email. What does this look like? I think those are all good ways to make it engaging. Cybersecurity is something that we just do and talk about all the time. It’s not something that just happens in October during cybersecurity month, but it’s something that really does need to get built into the culture of the organization and happen throughout.
Carolyn Woodard: Yeah, no, that’s what they say. You know, the cover up is worse than the crime. Definitely encourage an open community where you’re all talking about it and sharing what happened to you, or that something, you know, you clicked on the wrong thing. It’s better to be able to tell people. We never want to have any kind of shaming culture around the IT cybersecurity training.
I just wanted to go over, we covered a lot really quickly today. We are going to have some time for Q&A in just a minute or two. If you want to start getting your questions in, either using the Q&A tab or just write in chat, we’ll ask Ian and Matt.
If you need more resources, we do have the Community IT Cybersecurity Playbook, which I shared that download with you. We have the Cybersecurity Library on our site. We have a ton of free resources, articles. You can get in touch with Matt to ask more questions. We have also, we did a webinar on Cybersecurity Insurance, and that has a lot of good information on it if you’re kind of confused about what those controls are.
I’m also going to share these links for NGO ISAC, which as Ian said, they have these meetings where they just talk about what’s going on, the latest trends, what you should be doing, all of those sorts of things.
But I wanted to turn it back over to Ian and Matt. If you want to tell us something you learned over the past year or even the past month, past week that you’d like people to know about.
Ian Gottesman: Matt, you want to go first?
Matthew Eshleman: Let’s see. Maybe two things. I will plug that, talking about updates, Windows 10 just got its last security update this month. So whatever, that story made it onto NPR at least.
If you are running a Windows 10 computer, it’s probably time to upgrade or replace it. Keeping your devices up to date – it sounds basic, but updating your computer and restarting it once a month really does a lot of good.
Ian Gottesman: Once a month? You’re being generous. It should be every day, every week at least.
Matthew Eshleman: And then the other thing I will say, it’s a little bit tech-y, but the multi-factor authentication, making the switch from that app-based authentication to switching to a physical security key or what’s called a passkey is important.
I think particularly if you’re in one of those finance or operations or IT roles, the attackers are very sophisticated in getting people to click on those links and stealing your session. There’s a lot of technical detail around that but just know that the physical security keys are very good at preventing that. And again, if you’re in that role, you’ve got the biggest target on your back, and so taking those steps is important. Again, maybe not everybody in the org is going to be able to do that, but those three or four people really should.
Carolyn Woodard: And that’s one of those things where if you are doing that phishing training and you can see on your dashboard, there’s one person that always clicks on everything. Even if they’re not your executive director, maybe they need to have one of those FIDO keys that they have to use.
So Ian, did you want to weigh in? What are lessons learned recently that we want to share?
Ian Gottesman: I don’t know how recent it is, but I have a YubiKey here. I hold it up a lot in trainings that I do. So YubiKey does have a free program for nonprofits. You can just get a grant from them for keys. I’ve been lucky enough to get it at multiple different organizations. They’re one of the sponsors of our conference. So if you attend our conference, you’ll be getting some YubiKeys to play with.
So that’s one thing you can do. There are a lot of really generous offers from the sector, from cybersecurity vendors to help you figure out things at little or no cost.
And Okta has its Okta for Good program, which will give you grants for single sign-on. Microsoft really has pretty steep discount and Google too for their cybersecurity tools. Some of them are free, some of them are really inexpensive. So don’t let price be a problem. Cloudflare is another really good example. They have a bunch of things for their tools, which includes website security, email security, a bunch of things.
So don’t let price be the determinative factor in everything you do. Look around and see what options are for low cost, no cost cybersecurity tools, whether it’s doing something with open source or getting a grant or a donation or something. And then a lot of foundations will help you build up capacity around your work, give you general support grant that can be included for cybersecurity or IT resources.
That I think is one of the hardest things about cybersecurity is you feel like there’s this big scary black box you’re staring at and there’s some sort of scary person on the other side. And you’ve seen TV shows like, Okay Robot or whatever it’s called where the guy puts his phone in the microwave. I never really understood that. But it makes for exciting when you see it’s a parking and he’s doing the stuff and he’s got a dark hat hood on.
That’s not really real life any more than the Fast and the Furious is like your commute in Washington DC every day. It’s what makes it a compelling TV show or a compelling movie. What’s real life is just sort of the day-to-day stuff of making sure you have multifactor authentication set up, making sure you’ve got something helping monitor your emails and your texts and your messages. So the really bad stuff isn’t getting through, you’ve trained your staff on how to not click on things and know what to look for and just really just pause for a minute.
That’s what the whole take9 is about. Take nine seconds and pause and ask somebody whether it’s an IT person in your office, a person that sits next to you and say, this is a weird email or this is a weird text. Should I really be getting a text from my boss who’s traveling right now to buy iTunes gift cards?
I’m going to let you in on a secret and say the answer is no on that one, and I’m sure most people know. But that’s one that people get a lot, especially new employees.
So really just make sure you have those resources and those things, and you do it one step at a time and figure out what that first step is for you.
Where do you want to concentrate on that initial thing? Is it updates? Is it security around certain core applications, certain key staff? Is it making sure you have a good inventory so you can run updates, or train all your staff with phishing? There’s just a lot of different places to start.
But like any other journey, you just start with the first step and that’s where you, and that’ll help get you in the right direction.
Carolyn Woodard: I love that we have several board members here because I want to say that’s probably maybe an overlooked asset. You might be able to get a board member on your side who understands how important cybersecurity is to the organization. The board’s mission is to make you successful. So they can also help get that set up.
We have some questions coming in, keep them coming. I want to make sure to talk about what Community IT does, our cybersecurity offerings. Matt is in charge of this kind of area of our services. You can find more about it at communityit.com/cybersecurity, which I’ll put in the chat.
Also, we’ve got a lot of previous webinars. We do three or four webinars on cybersecurity every year. We have downloads, we have articles on cybersecurity on our site, information on insurance controls, the playbook, other resources on training your staff. I want to make sure that we do have time to get to some Q&A, but if you do have more questions, get in touch with us. You can schedule time with Matt, get in touch with Ian right through his website. You can schedule time with him to talk about what they need to do. We have our Reddit community thread.
So, I just want to re-emphasize what Ian just said. You can feel alone, especially if you clicked on that link and you’re like the second afterwards, oh no, why did I click on that? I was going too fast, I didn’t really read it, and now I’ve got a big problem. You’re not alone. There’s a lot of people who want to talk with you about this, help you with this, so make sure you talk to people. All right.
I’m going to put up, this is how you get in touch with both of these wonderful people.
But we also have some good questions coming through.
So, a couple of different people said, can you provide the link for the security key, that is the physical key, the YubiKey or the FIDO key, as it’s also sometimes called. So, if we can put that in chat, we’ll also share that in the transcript.
We have a couple of questions in here. So, one is, I feel like this was touched on, but I may have missed it.
So, do you guys want to, I mean, Ian, just maybe a question.
Ian Gottesman: There’s a lot of different places you can go to do that. I mean, you could go to NIST or CIS. There’s a lot of different cybersecurity firms. There’s a lot of different controls. The CyberPeace Institute, which we’re a partner with, has a free assessment you can do, and then they have volunteers to help you conquer, what they call missions, to help you fix things. So, that’s a really good place you can go. I think, I’m trying to remember the exact URL. I think it’s cpb.ngo, cyberpeaceinstitute.org and that’s a self-directed test you can do. Let me double check that that’s right.
Carolyn Woodard: We will share all of these. We’ll make sure we have the right links.
Ian Gottesman: So, that’s a free test you can do. You walk through it. It takes about 45 minutes. It has a little wizard or bot or whatever you want to call it to help answer questions, because maybe you don’t understand what MFA is or some of the other questions it specifically asks. It can help you do that. They also even have a mission, which I call, to have someone help you walk you through that. They have about 1500 volunteers helping them. So that’s a good place to go. https://cyberpeaceinstitute.org/services-and-tools/
The YubiKey program is called Secure It Forward. It’s a very simple grant application. I can share this with Carolyn, who can post it. It’s specifically for organizations that promote and protect free speech and democracy, but they have a pretty broad definition of that. And if you are inclined to apply for it, I would recommend doing it. They’re engaged in our community. You can ask them questions about that.
There are just a lot of different options out there to help with things. And to get this stuff done, risk can be your friend. It can help if you’re showing how these exercises you’re taking, like training or getting passkeys or whatever, or if it’s physical keys, are preventing a risk and making sure your organization can do the work it’s done. It’s much better to give everyone passkeys and spend, I don’t know, an hour applying for the application and a few more hours training people how to use them and handing them out, than discovering, oh no, someone broke into our ERP, our financial system, and misappropriated hundreds of thousands of dollars. I’ve heard that horror story before.
Or someone misappropriated somebody else’s check by constantly spamming your HR person and now direct deposits are going to a weird place and very quickly things are going pear shaped.
And then coming up with training or tools or whatever that mitigate that risk and transfer that risk to someone else. Moving things to the cloud or using physical keys or making sure everybody’s gotten training or whatever it is that can help make that risk less likely to happen.
Carolyn Woodard: We have a question about a specific company, which I’m going to say at the outset, we’re not going to recommend any particular vendor. I think one of the things we would say is, like we said, you’re not alone.
You have peers at other nonprofits as well. There are other Reddit boards, there’s a Reddit just for nonprofits, r/nonprofits, where you can ask questions like this as well. I would say that is a better option to try and get what your peers think of different tools and vendors. To try and find out, you know, what’s a good value for you.
Like Ian was saying and Matt as well, there are lots of discount programs. As soon as you say that you’re a nonprofit, you may find that they have discounts or other options for you. I would definitely say NGO ISAC is a great place to talk about this vendor, that vendor trying to figure out.
The question was about Comcast Cybersecurity for Business. You know, there’s a bunch out there, and when you look at their websites, it’s always fear, scared, be afraid, you know, use our company. And, you know, of course, you do need to be careful, but you do need to, you know, find a company that will work with you, answer your questions so that you know what you’re getting into, what you should be working on first, that sort of thing.
All right, we’re almost out of time. We probably have time for one more question. And it’s a big one. In one sentence or so, we haven’t talked about AI yet at all today. And it seems like AI is changing cybersecurity.
Ian Gottesman: I’m saying about $1,000,000 in our economy.
Matthew Eshleman: Well, I would say what we see, I think without a doubt, is that AI makes phishing attacks more believable and authentic, and easy, and cheaper for threat actors to affect. It’s making it harder for sure.
Ian Gottesman: Yeah. I think obviously AI is a big buzzword. There’s a huge investment in our economy. We’ve all used or seen all these AI tools. But it’s become a Cold War weapons race where there’s AI on the defenders and AI on the attackers. But ultimately, I think the most important thing is covering those fundamentals that we’ve talked about over and over and over again here.
And if you’ve done the things like train your staff and have good identity management and all these other things, the AI is just another way to send a phishing email. But if your staff knows what a phishing email looks like, they can avoid it. Or it’s another way to scan your network for things that are unpatched. But again, if your devices are patched, you can do that.
And once you’ve got those sort of three or four fundamental things done, which are, it’s not simple, but I know that there are nonprofits out here doing really cool, awesome work like getting kids to summer camps that never go out into the country and they’re riding horses and doing fun stuff like that, or teaching people to swim, or teaching people to read, or bringing world peace, and going to crazy places and war zones and counting up the kind of arms that people are using.
You can do your cybersecurity. That is something I’m 100 percent confident of. You do so much awesome mission-driven work, you do these really complicated, hard things. Cybersecurity isn’t as hard as the day-to-day work that nonprofits do every day, all day. And I think that’s something you need to remember.
Carolyn Woodard: I love that. It’s a great way to formulate it, to think about how complicated your mission is, and you’re doing that. So, cybersecurity is not as hard. That’s true.
All right, I want to go quick through our learning objectives. I think we covered pretty much everything. We wanted to learn what practices go farthest to protect your organization, learn to train against phishing, perform those updates, prioritize that identity management so that all your systems know the person logging in is the person that it’s supposed to be. We heard some ideas on making cybersecurity more fun for everyone on the staff.
Thank you everyone who contributed your ideas in the chat. We discussed lessons learned this year, next steps, took some Q&A. I want to make sure that I invite everybody back next month for our last webinar of 2025. We’re going to hear all about the NTEN Equity Guide for Nonprofit Technology. That’s N as in Nonprofit, T as in Technology. I’m not sure what the E and the N are for, but it’s N, T, E, N. Equity Guide for Nonprofit Technology. It’s a free download from the NTEN website, which is updated for 2025.
I can’t wait to welcome the Equity and Accountability Director, Tristan Penn, to join us for our next webinar. He’s going to talk about how you learn to use this equity guide to address your IT strategy for things like inclusivity, especially in this age of AI. On their website, they also have a companion resource for board members helping guide your IT strategy. For all those board members on today, you can find that right at their site. That’s at 3 p.m. Eastern, noon Pacific on Wednesday, November 19th.
And I just want to thank Ian and Matt. Thank you so much for joining us today for an hour. We got to ask you all of our questions. It was like having our super smart friends here. Explaining and answering our questions about cybersecurity for nonprofits. Thank you so much. Thank you, everybody in the audience who joined us. We know an hour of your time is a gift. We hope that you got a lot out of it and learned a lot today.
As always, you can contact us, contact Ian, contact Matt if you have more questions or just don’t know where to start. That’s totally an acceptable place to be in, but we really encourage you to take those first steps and get some cybersecurity under way for your nonprofit. Ian and Matt, thank you again so much for joining us.
Ian Gottesman: Thank you for having us. Happy to do it. I hope everybody has a good rest of the day and a good rest of the Cybersecurity Month at the end of the month. We’ll probably be celebrating by handing out candy and dressing up in costumes. That’s always something to look forward to.
Carolyn Woodard: That’s right. Cybersecurity Month in October. Matt, thank you so much for joining us.
Matthew Eshleman: All right. Thanks, Carolyn. I appreciate it.