Many nonprofit staff are facing increased stress and multiplying concerns about privacy, security, and vulnerabilities. What should you be tackling first in this new political environment?
The takeaways:
- Most attacks are still financially based: criminals want you to wire money to the wrong account. The good news is that cybersecurity basics that protect you from fraud also protect your organization from politically motivated attacks.
- Taking action – even modest first steps or reading up on the issues – goes a long way to assuage fears and stress. But when the stress is all around us, it is hard to prioritize the boring, back-office tasks like reviewing your incident response plan or acceptable use policies, or updating your cybersecurity awareness training. Working with an accountability partner can help!
- To find motivation to carve out the time to gather stakeholders together, remind them that, as Jenny says, a trip in an ambulance to the emergency room costs way more than an annual checkup. The cost of a breach will likely be a lot more than the time it would take your team to strengthen your security.
There are lots of resources available – here on our site we have free resources on basic cybersecurity, anti-doxxing resources, staff training, and governance policies. If you need motivation to start, listen to this podcast and take those first steps.
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
Assuaging Fears, Taking Action
Jennifer Huftalen is a 17-year veteran at Community IT and is our Director of Client Services. She speaks daily with clients about their needs and fears and shares her insights in this podcast interview with Carolyn. The good news is that our fundamental recommendations on foundational cybersecurity still stand, and will protect most nonprofits from most threats, financial or political. More good news? Basic solutions do not have to be expensive. In our experience, most nonprofits worried about cybersecurity need to walk (put fundamentals in place) before they can run (engage vendors in expensive comprehensive testing, when an assessment could have already revealed those weaknesses for less).
Bottom line, it feels good to take action, and Community IT has lots of resources on taking your first steps.
If you have questions that aren’t answered by our downloadable Cybersecurity Playbook or other online resources, schedule time with our Cybersecurity Expert Matthew Eshleman, no strings attached.
Presenters

Jenny has been providing Account Management services for Community IT’s partner organizations since 2007. Now as Director of Client Services, she is responsible for ensuring those partner organizations are receiving the right combination of IT support services that meet their organizational needs and goals.
Before joining Community IT, Jenny worked in a similar role for a best practice healthcare research and consulting firm. Jenny enjoys Community IT’s commitment to serving progressive organizations that are devoted to making a positive impact on their communities and the world at large. She earned a BA in political science from Union College, with minors in economics and history. She is assuaging fears and helping clients take action every day, and is happy to share her insights from recent client conversations on where the stress is largely coming from, and what actions we recommend.

Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College.
She was happy to have this podcast conversation with Jenny on assuaging fears and taking action to address cybersecurity vulnerabilities in the current nonprofit sector climate.
Ready to get strategic about your IT?
Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. And we don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand. When you are worried about cybersecurity, you shouldn’t also have to worry about understanding your provider. You want a partner who understands nonprofits.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
More on our Managed Services here. More resources on Cybersecurity here.
If you’re ready to gain peace of mind about your IT support, let’s talk.
Transcript
Carolyn Woodard: Welcome everyone to the Community IT Innovators Technology Topics Podcast. I’m Carolyn Woodard, your host, and today I’m really excited to be talking with Jennifer Huftalen. Can you introduce yourself and what you do?
Jennifer Huftalen: Thanks, Carolyn. I’m Jenny or Jennifer Huftalen. I’m the Director of Client Services at Community IT, and I’ve been with the organization for 17 years, which is remarkable. I spend my time here largely focusing on the client experience and having a lot of conversations with the organizations we support and with potential organizations, so new potential clients as well. Happy to be here today.
Carolyn Woodard: Thanks. Thanks for joining me.
What I was really interested to bring you on the podcast was to just talk about this moment that we’re in, where the nonprofit sector is experiencing some really difficult challenges and political challenges, the funding challenges, the environment.
A lot of nonprofits that were never controversial before are suddenly finding themselves under attack or doing something that is suddenly seen as controversial. So, they have to respond to that. There’s a lot of programmatic and press releases and coalition building and a lot of things, where you could think that kind of everybody’s hair is on fire all the time.
I know that you are interacting with our clients. We have hundreds of clients.
What are Challenges Nonprofits are Facing Now?
I just wondered for some reality setting, could you talk a little bit about the challenges that our clients are talking with you about, and how that impacts their IT use and their IT support?
Jennifer Huftalen: Yeah, definitely.
Stress and Anxiety at Nonprofits
Like you said, I think the primary kind of emotion that most folks we’re supporting and potential clients that we’ve been speaking to is just stress. I think there’s just a lot of anxiety. And for good reason. I think just on a macro level, there’s a lot of stress in the news, even if it’s not feeling directly targeted to either the work that you do, it feels targeted toward things you maybe care about.
In some ways it feels similar to the way the beginning of the pandemic felt, where there was just a lot of uncertainty, and uncertainty just makes people feel anxious.
Funding Anxieties at Nonprofits
I think in terms of what we are saying in response to that, I would say that for the organizations that we’re currently supporting, I think their primary issue right now is a worry about funding. That’s kind of the main thing. And not necessarily direct impact from federal changes, but just again on a macro level that the economy is up and down, and that impacts everybody eventually. When you don’t know what’s going to happen, you tend to hold tight and not want to make any significant changes.
For the folks that we’re supporting currently, I think that’s the main thing that’s come up is just, hey, look, can you be flexible? Because we don’t know what’s coming, and we don’t know if next year our budget’s going to be the same.
At Community IT we’ve always been in a position to meet the organizations we’re supporting where they’re at and be flexible and kind of ride that wave with them. And we’ve done that for decades with the organizations that we’re working with.
So costs and budget are the very practical, obvious ones that folks are thinking about and worried about.
Nonprofits Under Political Attack Need Cybersecurity
I think as far as the other piece you mentioned, you know, on a fundamental level of people feeling like they’re under attack, which is, again, a really scary feeling.
And you know, when you kind of don’t know what that’s going to result in, you don’t know where to start to think about what systems we should be worrying about, what do we do, where do we start, because we don’t really know what the threat is. It just feels like something’s coming for them, you know, because of the work they do, right, and the people they serve. And I’m hearing more of that type of concern from organizations we’re not yet supporting.
We’re hearing from new organizations that maybe their current provider isn’t talking to them about it, or they feel unsatisfied maybe with the way they’re talking about it. A lot of cases, organizations that the need has been very well met on a basic level, computer support, but they’re not hearing that they feel this anxiety about how their mission is in the news, or being targeted in a way that’s feeling different. So there’s that.
Or organizations that at this point are feeling like, jeez, now’s the time, we haven’t done anything yet, we’ve just been sort of in operation mode, not worrying, moving forward. But this stuff is making us feel nervous about not having anything in place for basic security. And again, we don’t know where to start.
I was thinking about it this week, actually, because it feels very similar, I think, to when you haven’t been to the doctor in a long time. And you’ve sort of been ignoring it. And, you know, that little ache and pain is there, but it’s not a major crisis. You go on a while now, and all of a sudden you think, hmm, I should probably have somebody take a look.
And that’s just an anxiety, right? I think what I have found in those conversations I’ve been having, is that just starting a conversation with an IT company or starting to read a little bit online or starting to just literally take that first step, I think can do a lot to kind of assuage some of the real concerns. Because the reality is, for the organizations we support, we’re not seeing significant threats that are all that different than they were before all of this uncertainty started earlier in the year. There are still bad actors, there’s still criminals out there that are going to be coming for everybody, but it’s not necessarily fundamentally different than it’s always been.
Cybersecurity Recommendations for Nonprofits
The recommendations are the same, right?
ID Protection
I’m not the expert on that, but I think the basics haven’t changed, which is you want to be thoughtful about your accounts. That’s kind of the number one place where we see compromise. Keep those accounts secure, have MFA, and apply it especially to those critical systems.
Cybersecurity Awareness Training
Get some sort of security awareness training for your staff, have them be thoughtful, because at the end of the day, people clicking on things is the last area of defense. You want your folks to be thinking about what they click before they click.
Regular Backups
Then having backups, having some place where you know your data is securely backed up outside of the primary systems. In the event there is a compromise, there is a place to go to get that information back.
Those are the same recommendations we’ve had for many years now, and that continues.
And then of course, we always say we should dig in on maybe more of their specific issues if they’re having targeted experience. But for us so far, thankfully, that hasn’t changed significantly in the last few months.
Carolyn Woodard: Well, and I will say we have a lot of free resources on our website dealing with a lot of these different areas. We have a free downloadable Cybersecurity Playbook that lays out the fundamentals and basics.
And something that we always talk about is that a lot of vendors and a lot of maybe some other MSPs also are going to try and make you feel afraid. And the more afraid you are, the more you’re likely to be willing to spend on some comprehensive testing or some big cybersecurity package. And what we found and what we advise is that a lot of the stuff you can do doesn’t have to be expensive, but you have to do it. You have to have a plan, and you have to spend time.
Maybe that’s where the expense is, in finding executive time and staff time to prioritize training, building a response plan, doing your cybersecurity IT roadmap so you know what you’re implementing. And that especially now, I think data also is kind of new, it’s a new thing that you may have data in lots of different systems. You may have data on clients like in a Google Sheets. Do you use MFA on that if those clients might be vulnerable or you might be vulnerable? That isn’t expensive. It just is expensive in terms of time, your time and priorities.
Data Retention Policy Best Practices in Uncertain Times
Jennifer Huftalen: That’s right. Again, it comes back, I think, to that first step, where that’s always the biggest hurdle.
A lot of times people feel like just the anxiety around it prevents them from taking that first step.
I think, to your point of, there’s a lot out there, there’s a lot of fear in response to it. And that is something that we feel strongly that if your partner is not explaining it in a way that’s making sense to you, you should not have to be an IT professional and understand all the lingo to understand kind of what they’re saying and where it applies to your operations.
If they’re not able to break it down to you in simple terms, keep asking the questions, keep trying to figure out where it fits, and that’s their job. They should be able to do that.
Change Management in Troubled Times
I’d be very wary about just throwing everything at the problem because first of all, not every solution is necessarily appropriate. And change is already very hard. If your staff are going through a change to maybe a new provider and then a whole bunch of new things that they now have to do, they might not do it. You have to have that buy-in from staff to really fundamentally understand why.
And it’s important that it’s sensible to them too, and not just another thing that they start to maybe ignore.
I think it’s really important to have that relationship. And again, that’s why we take that approach of developing an understanding of the organization, what they’re facing, and making sure they understand what we are recommending and why, and that they have the tools to communicate it to their staff as well.
Carolyn Woodard: I’ve heard that from clients and people in our webinars and people on our team as well, that we really have an attitude that none of the cybersecurity stuff is stuff that you can’t do. You can do it. It takes willpower and priorities and leadership and following through, but it’s not something that only an outside company can do for you.
Jennifer Huftalen: That’s exactly right. You can definitely do little things, too, and start in pieces, bite off a little bit of what you can manage. A good partner should be able to tell you where to start, what the most important problems may be, and then work your way toward developing a more comprehensive approach.
I think just understanding the basics, getting a feel for some of the language and making sure that you’re clear on what’s being recommended and where the value add is specifically to your organization is really important.
Carolyn Woodard: And revisiting it, which I know is something that can be hard also for nonprofits with so many priorities and, like we said, so many fires that they’re trying to put out at the same time. But cybersecurity, your IT policies, your IT basics, they aren’t something that you can just set and forget. So, if you haven’t looked at your policies or looked at your policy for your response to a crisis or a hack or a suspected compromise in a couple of years, that’s too long. You need to be able to sit down at least annually and go back over everything and make sure it’s still relevant and that your staff still know what they’re supposed to do, who they’re supposed to tell if they see something suspicious or they clicked on the wrong thing.
Jennifer Huftalen: That’s exactly right. I think it’s always evolving. And again, it’s similar back to the doctor thing, right? You may be taking certain vitamins now and it’s great, but that you’re changing, you know, and the environment you’re in is changing. You’ve got to get back and do an evaluation and make sure that you make the right tweaks.
What we found, too, is that a lot of the drivers for the requirements that are now coming down from funders or from other kind of oversight boards for the organizations we support are cybersecurity requirements and cybersecurity insurance, and other regulatory things that are new.
This is the time to make sure that you’re checking all those boxes.
We’re finding that a lot of the specific little bells and whistles that we’re being asked about now are really the result of the compliance needs that are changing. This is a really good time to take a pause, look at what you’re doing and make sure that your provider is handling all of those things for you.
Staff Security On and Offline at Nonprofits
Jennifer Huftalen: Digital security, names and email addresses and that kind of thing are things we’re hearing more about. I think there are people who feel like when their mission is targeted, and the person gets doxxed or whatever, that’s kind of a new thing.
Carolyn Woodard: Well, I can answer that question. We have an article and a podcast that we did a couple of months ago about doxxing particularly and about protecting the personal information of your staff members. And we have a couple of companies and services that we feel comfortable making referrals along a range of different price points.
So if you have staff members who are online a lot and you want to protect their identities, there are some low cost services that you can sign up for that help keep an eye on where they’re appearing online and maybe their home address and who’s in their family, those sorts of things, all the way up to more bespoke.
If you have an executive director who’s getting actual threats, what kind of security you might want to have for them and how you can help their information of their address disappear online. That takes several months to have happen and it’s much more expensive, but if you’re seeing that kind of a situation, it’s good to have those kinds of resources. We can point people to that on our website.
We did this podcast with Shana Dillavou about online security and doxxing. I said, well, is the answer just not to be online? She said, how would that even be possible? That’s not exactly a possibility in our world today. And also, it does feel like giving in.
Jennifer Huftalen: I know.
Carolyn Woodard: Just admitting that. But she said there are ways to hide your home address, your family, their addresses. It just takes a while. It’s probably not something that you can do yourself, but there are services out there that can help you with that. And how and when to contact the authorities and the police to report the threats and that sort of thing. There are resources on that.
Jennifer Huftalen: That’s good.
How to Prioritize Security at Nonprofits
Carolyn Woodard: Do you have any advice before I let you go in your experience with our clients and with prospective clients? It seems like one of the hardest things is carving out that time to meet with stakeholders, put a committee together to revise your incident response plan. All of those sort of mundane, maybe boring, back-office types of things that you need to do to keep your IT going.
And especially in a moment like this, where it feels like it’s such a moment of crisis, it’s really easy to feel that those political or environmental issues really require 100 percent of your attention, and sometime later down the road, you’re going to go back and revise that incident response plan.
Do you have any good ideas or suggestions for the people that you talk to of how to get leadership to take an hour out of the next management meeting to talk about your cybersecurity, your data security, how you’re keeping your IT systems safe in this moment?
Jennifer Huftalen: Yeah, it is a tough one because it does take time, like you’ve said, and the mission is priority, right? And when the mission is currently taking up a lot of headspace and a lot of stress, you feel like that’s just where your focus needs to be, which is understandable. We don’t want to come from a place of a fear response, but the reality is if you’re not being careful with your data and your systems, and you suffer a breach, that could cripple your mission, right? That could be it.
It just comes down to that fundamental truth of, if there’s no operation, if you have a very expensive breach and you lose a lot of data, your mission is going to suffer. So, it’s worth the time.
We hear a lot of times folks who will say things like they can’t take the time to implement MFA because the executive is just too busy. And well, yes, I understand that. But account compromise continues to be the number one place where people suffer a breach. And your executive is the number one target. So just take the half hour to set it up. Know that it’s going to mean a couple of different clicks now moving forward, but that’s going to protect you from a very potentially scary breach in the future.
It’s just, again, it’s sort of like going to the gym, like going to the doctor. It’s not fun. Nobody likes it, but it’s a lot more fun to do it that way than to do it the hard way, which could be really expensive and ultimately, your mission could go away completely if there’s a significant cybersecurity breach.
Carolyn Woodard: Yeah, you end up in the hospital instead of just going to-
Jennifer Huftalen: That’s exactly right. The ambulance ride is a lot more expensive than the annual appointment that you can schedule.
Carolyn Woodard: That makes a lot of sense. Thank you so much for sharing your thoughts and your insights with us today, because I know that you’re interacting with hundreds of contacts at our clients and hearing from lots of different nonprofits in different areas about the challenges that they’re facing and how they’re managing their IT in response to that.
And it’s good to hear that – I mean, good, I don’t know if it’s good to hear it, but the fact that it’s still most of what we’re seeing are criminals. It’s not political, it’s just money. They want you to wire the money to the wrong place.
It’s good that all of these protections that you can put in place, just basic cybersecurity protections, are going to protect you from criminals and from any political adversaries you have too.
So, it’s worth it to put them in place.
Jennifer Huftalen: Yep, absolutely.
Carolyn Woodard: Well, thank you so much for joining me, Jenny. I really appreciate it.
Jennifer Huftalen: Of course. Thank you, Carolyn.
Photo by The Jopwell Collection on Unsplash