Cybersecurity expert and Community IT CTO Matt Eshleman walks us through the strategy behind creating a strong cybersecurity culture at your nonprofit.
Whether you are a large organization, small start up, comfortable with technology or not sure what you need, cybersecurity is something that everyone at your nonprofit needs to think about. This podcast covers the basics and gives you a foundation to put in place.
If you don’t know what you need to know, you’ve come to the right place. Set your team and your organization up for success by taking the first steps. As attackers increasingly go after your personal email to get at your organization’s passwords, learn how to protect yourself too.
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
- People are your human firewall; they need training and guidance to know what to look for and who to tell. Putting effort into tools but not into training your staff is not going to protect your organization’s assets and data.
- There are simple steps you can take to begin; the key is to start. Make time for cybersecurity and find an accountability buddy. 50% is better than 0%. Once you get started you will be able to build on your beginnings.
- Start with:
- Password Managers
- Install the updates/Reboot regularly
- Tools such as antivirus and other protections
- Your organization should have security policies and incident response plans
- It is not a matter of if but when. Nonprofit organizations are not protected by being small or doing good work. Hackers want password credentials and money, and your nonprofit can’t afford to lose either.
- As hackers become more sophisticated and use social engineering cons to trick users into wiring money to the wrong account or clicking on the wrong link to enter credentials, staff preparedness is the number one step you can take to increase your cybersecurity and protect your nonprofit. Staff training can be simple and low cost. The key is to build a culture of security and trust, and make sure people are not afraid to report incidents quickly.
As the Chief Technology Officer at Community IT, Matthew Eshleman leads the team responsible for strategic planning, research, and implementation of the technology platforms used by nonprofit organization clients to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how nonprofit tech works and interoperates both in the office and in the cloud. With extensive experience serving nonprofits, Matt also understands nonprofit culture and constraints, and has a history of implementing cost-effective and secure solutions at the enterprise level.
Matt has over 22 years of expertise in cybersecurity, IT support, team leadership, software selection and research, and client support. Matt is a frequent speaker on cybersecurity topics for nonprofits and has presented at NTEN events, the Inside NGO conference, Nonprofit Risk Management Summit and Credit Builders Alliance Symposium, LGBT MAP Finance Conference, and Tech Forward Conference. He is also the session designer and trainer for TechSoup’s Digital Security course, and our resident cybersecurity expert.
Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.
He is available as a speaker on cybersecurity topics affecting nonprofits, including cyber insurance compliance, staff training, and incident response. You can view Matt’s free cybersecurity videos from past webinars here.
Johan Hammerstrom’s focus and expertise are in nonprofit IT leadership, governance practices, and nonprofit IT strategy. In addition to deep experience supporting hundreds of nonprofit clients for over 20 years, Johan has a technical background as a computer engineer and a strong servant-leadership style as the head of an employee-owned small service business. After advising and strategizing with nonprofit clients over the years, he has gained a wealth of insight into the budget and decision-making culture at nonprofits – a culture that enables creative IT management but can place constraints on strategies and implementation.
As CEO, Johan provides high-level direction and leadership in client partnerships. He also guides Community IT’s relationship to its Board and ESOP employee-owners. Johan is also instrumental in building a Community IT value of giving back to the sector by sharing resources and knowledge through free website materials, monthly webinars, and external speaking engagements.
Johan Hammerstrom: Thank you for joining us in today’s webinar on Cybersecurity Training for Nonprofits: Your Staff Are Your Best Defense. My name is Johan Hammerstrom and I am the CEO of Community IT. It’s my pleasure to introduce today’s presenter, our chief technology officer and cybersecurity expert, Matthew Eshleman.
Matthew Eshleman: Great! Thanks Johan. I appreciate the introduction, and thanks to everybody who’s joining today. As Johan mentioned, the topic for this month’s webinar is going to be cybersecurity training strategy for nonprofits. We’ve been spending a lot of time talking about cybersecurity over the last couple of years, and I think that’s only ramped up. I think, you know, especially in today’s day and age, with many of us working from home, adversaries have been taking advantage of that with lots of different spear phishing attacks. Hopefully the content that we will talk about today will help equip you and equip your organization to better identify and protect yourself against those cybersecurity threats.
So specifically, we are going to talk a little about:
- the cybersecurity landscape,
- cybersecurity training,
- “the human firewall,” and
- putting it all into action.
I think it’s helpful for us to just get started with an understanding of the cyber world that we are operating in. We’ll then look at some specific kinds of things that you can identify for cybersecurity training, to educate yourselves as an end user here. We’ll go into some concepts that are called “the human firewall” as a way to help protect your organization and your data, and then finally we’ll talk a little bit about how to put it all together and put it into action. So we’ll talk about some specific things that individuals can do, and then if you’re responsible for cybersecurity at your organization, I think that there’ll be some things that you’ll be able to pick up as well.
The Cybersecurity Landscape
We know that we’re in a world where there are persistent and ongoing brute force attacks on your digital identity. So again, if you’re in Office 365 or G Suite, basically if you can log into it over the web, then the bad guys can too, and we just see from the security logs that there’s a massive amount of automated brute force attacks on your digital identity.
We can also see that there’s been really a dramatic increase in the amount of rather sophisticated spear phishing that is targeting the operations staff, the finance associates, and the HR associates in your organizations, trying to get either financial information or personnel information out of them.
We also see that organizations are targeted because of the work that they do. So especially in this run-up to an election, we’re seeing organizations, specifically those that are working in the foreign policy area, really targeted by some sophisticated actors trying to get in and get access to information. Organizations that are focusing on democracy and good governance are also big targets in this realm.
And then there are also attacks targeted against vendors.
The good news is that there are some new security tools available to help combat these threats and so we’ll talk about some of those today, and I think it’s also great that organizations are starting to be more proactive about their security.
It’s not all good news. We know that about sixty-eight percent of nonprofits don’t actually have an incident response plan, so that’s a guide to say “hey, here’s what happens whenever we do have a breach or we do have some sort of security incident.” And we also know that responding to incidents can be expensive; the latest numbers say about $149,000 in direct cost to respond to a security incident.
So in terms of how that informs our approach to cybersecurity, we really want to start and root that in security policy, and build on that with security awareness. That’s where we are really going to be focused today: talking about how to identify some of these threats, how to mitigate against them, and some steps to defend. And build on that: identity, data, protection of devices, perimeter, the web, and then later on some next-gen tools. We’ve talked about this in a little bit more detail in some of our previous webinars. We also have a cybersecurity playbook that’s on our website. You can register for it and download it.
So we take a holistic perspective on security, I think rooted in policy, understanding that we can upgrade the technology tools in place. I’m a technology person, I love all the gadgets, all the shiny stuff, the fancy software, but my view is that this technology is driven by the end users.
You can have all the greatest whiz bang security tools in place, but if you’ve got staff that aren’t engaged, that aren’t informed, it’s really hard to protect against every eventuality. Having educated and well aware staff really raises the overall level of the security in the organization.
So I do want to kind of frame that and say “hey, it’s good to talk openly about cybersecurity”. This is not something that we— IT does to everybody else. This is something that we want to create a culture to engage everybody in.
This is something where we want staff to be able to share their story and to learn. A situation where somebody can share with their colleague, “hey, I got this really weird email, what do you think?” is a much better situation than somebody clicking on a link and then asking about it afterwards, or being embarrassed and not sharing with a colleague or IT that they may have clicked on something or done something that’s going to have a negative impact.
So again, we really want to build that culture of openness because we know that your experience is going to help somebody else. Somebody sharing like “oh, I had to help my parent deal with this IT issue” or “I had to help my colleague do this” or “this is something that happened to me,” I think is a really important part of building a culture of good security in your organization. It’s something in my view that should be encouraged.
Contemporary Attack Examples
So we’re going to take a look at some contemporary attack examples, so these are things that we see. Specifically, we’ll look at some
- email phishing examples,
- malware, and then
- social engineering attacks.
I think those last ones are pretty interesting and dangerous because, you know, no amount of great cybersecurity tools is going to be able to provide a hundred percent protection against those types of attacks.
So, specifically on phishing, we’ll look at some common attempts: how do I identify them, and what to do once you’ve identified them. One of the tips for identifying the real source of something is to just hover over the link, right?
So we’ve got an invoice from Online Invoices. It looks pretty legit, it’s got all these details, but whenever we hover over that “view invoice” we don’t see invoice anymore, we see https://corpcatererscleveland.com and then a random string of numbers.
From this example we can see that maybe the adversary has actually compromised that organization’s domain, maybe their website, and they’re combining a commercial online invoice template with a redirect or a malicious link.
Just hovering over the link is a great way to take a look and see “hey, does this really match up? Does this really make sense?” One, am I expecting an invoice? And two “oh, does this online invoice match—the link match the domain of the sender that I’m expecting?”
Here’s an example, and this is being highlighted through one of our security awareness tools, a tool called KnowBe4, in terms of their training; it just highlights some of the things to look at. The red flags to look for here are the email From address: again, does this make sense? It’s not coming from WellsFargo.com, it’s coming from alerts-devices-Wellsfargo.com, so maybe again not the address that you would expect. It has some generic information, so again “Dear customer, confirm your device” is often a call to action in these messages, trying to get you to click on a malicious link. Being able to identify: is this coming from somebody that I expect, is there unique knowledge about me personally that would make me want to click on this, and then what’s the call to action? Is this something that I’m expecting? Just taking a look at those pieces of information is really helpful to identify if something is legitimate or perhaps malicious.
Another thing that you can do: if you reply to the message, as soon as you reply, it will actually reveal the real From address. We can see that there’s a mismatch between the From in the body of the message and the To that’s now in the address line.
You kind of have one more chance if you’re going to reply to a message, because it will often reveal that the original From address was different from the To. Hackers have gotten really good at masking or hiding the From address, and so it makes it a little bit difficult to identify if it’s from somebody you know and trust or somebody who’s just masquerading as that domain.
So again, if you go in and choose Reply, you’ll see that name displayed and it’ll be a little bit easier to identify if that is from a sender that you actually know.
Staysafeonline.org is a government, you know your federal tax dollars at work, an organization that is here to support good cybersecurity. As October is cybersecurity awareness month, there’s a lot of content and resources available, just reminding us “hey, think before you click.”
If you’re unsure who an email is from, don’t click on any links or attachments found in that email. An ounce of prevention in this case is definitely worth a pound of cure.
So for phishing emails—for phishing messages, I think it’s really a good idea to take that second look at that email, check for those red flags again, hover over the links, and look at the reply to address. Does that all make sense?
And then if you’re still in doubt or you are not sure, ask someone or if you’ve got an IT partner, an in-house IT person or somebody else, it’s definitely worth getting a second opinion before clicking on something.
So just remember to follow those three steps, in terms of
- taking a look at the email,
- check for the red flags and then
- ask somebody for help.
So moving on to talk a little bit about malware as an attack vector.
We’ll look at how malware often will come as part of those email attachments that are coming from unknown or suspicious senders, but malware can also be launched against organizations from things like malicious websites or even advertising within a website. Thankfully this is not as common anymore, we don’t see this as much, but it is still a risk.
And then the final piece that I want to talk about in terms of the type of attack that we often see, and I think that this one is the most sophisticated or the most impactful, is just social engineering attacks, and so we see these as tricking you into making payments. Again, as innocuous as buying some gift cards, maybe as sophisticated as updating wire transfer information. It could be tricking you into entering credentials as a way to then launch other attacks or trick you into calling for “support to address an issue.”
So here’s an example of what we see as the first step in a lot of these attacks. Here is our CEO Johan, who’s emailing our CFO Bill: “Hey Bill, confirm if you’re available. I’ll be in back-to-back meetings, so just respond to my email. Thanks.”
It’s very short, to the point, and really hard for traditional anti-spam to protect against. So what we would see is that if Bill replies to this and says, “Oh yeah, what do you need?” then the follow-up email is often like, “Oh, I need you to buy gift cards. Like, I really want to surprise staff,” and so this is often how these attacks start: some quick engagement to take advantage of and prey on our feelings like “Oh, we really need to be responsive to our CEO,” or “We really need to be responsive to our executive director or finance person.” And so again, this will be targeted at your finance associates or the new intern who really wants to make sure they don’t screw up, and so they’re being really responsive to any request they get.
Maybe they didn’t notice that this is not from Johan Hammerstrom at Community IT.com, it’s from wireless at ext03.com. So again, there are some clues here. These are the types of attacks that will often be initiated from email, and then, since you’ve started a conversation, spam filters and other stuff may not actually end up blocking it, because it says “Oh, well, you’ve already had an email exchange with this email address, we’re just going to let it go.” So again, look at that call to action, look at that unusual request.
An example of credential harvesting: again, you may get a link to a shared document. There’s no malicious attachment for antivirus to block; it will just go to the website. You go to the website, and it says “Hey, you need to log in with your credentials to see that.” We are often sharing stuff online, and then you go ahead and enter your credentials, without noticing in the message bar that this is not the Dropbox website, but that landmarks.com.mx is in fact the address. So again, it’s preying upon the lack of sophistication in being able to see, “Wait, this is not a legitimate Dropbox sharing site. This is coming from a malicious or spoofed account.”
I would say adversaries are really getting sophisticated at building good-looking mock-ups of an Office 365 login site or Google Docs sharing site, or something where it looks pretty real, and you can go in and type in your password. In this case, if they type in their password and sign in, nothing’s actually going to happen other than the password being added to the database of the adversary, who’s now harvesting all these credentials and will use them later in follow-up attacks.
And let’s see, the final example is something that looks super scary, which is these splash pages that say “Oh, your computer’s at risk! You’ve got to call us to give you support!” I think this is something that my parents have been targeted by, and it looks really scary. It looks really dangerous. And so in this case, you call that number, somebody will helpfully take your credit card to pay for the support incident. They may log into your computer, may run some command prompts that make it look like a lot of stuff is happening, and then they’ll just leave.
So again, if you ever see these splash pages come up on your system, the best thing to do is just, you could close your computer if that feels right. If you’re a little bit more sophisticated, you could go through and try to close the application, or Alt+F4 will close out that application.
If you’ve got up-to-date antivirus and some web content blocking software, that should eliminate seeing this type of threat. But still, I think adversaries have gotten pretty good at this: the page in and of itself isn’t really malicious. There’s no virus in here, it’s just a call to action, a social engineering attack to get you to click on something and, again, just turn over your credit card willingly.
Protecting Your Information – the Human Firewall
So let’s move ahead to talk about some tools and techniques, to kind of think of how we can protect the information that we have, or the kind of information that the organization has, under this rubric of the human firewall.
I think it’s particularly apt now, that many of us are working from home. We’re not behind our organization’s firewall, we don’t have the server, kind of down the hall or we’re not in our office protected, we are in our home, so we don’t have a sophisticated firewall. Maybe we are using our personal computer instead of our work provided computer that has more up-to-date or sophisticated security tools.
The security perimeter really is us now and our device, and so what are some of the things that we need to be aware of to make sure that we’re protecting the data that we have access to?
And I fundamentally view that there are kind of two different elements here, so we’ve got:
Protecting the device.
Historically, this has been where a lot of IT security controls have been focused: we’re going to protect the device, we’re going to have a firewall to protect the network, we’re going to have antivirus to protect the computer, we’re going to do all the stuff to protect the devices. But as most of the stuff has now shifted into the cloud, we’re now looking into:
How can we protect the identity?
Again our online digital identity, if somebody has our username and password, they can get access to everything that we can. So how do we protect the identity as well, and how do those two things combine to inform our approach to cybersecurity?
I think fundamentally on the data side, just understand that you’re capable of protecting your information.
From an individual perspective, have a good idea of where your data lives, where your files are at, where your photos are at, you know what applications you have.
Is that data backed up? Is it in more than one place or are you just relying on the provider itself to make sure that that data’s protected? So again, having a good understanding of where your data is and if it’s protected by another system, I think are important steps to take.
Also on the device side, it may sound basic but patching and updating your systems is a key part of good cybersecurity.
A lot of these exploits target unpatched systems or things that are not up-to-date. So get in a good habit of updating your system: the operating system, third-party applications like Adobe and Java (those applications are also avenues), and the device firmware. Make sure that all of your devices are updating on a regular basis, ideally monthly, and make sure that you are rebooting your computer.
I think Microsoft has forced us to do this; Windows Update is a lot more assertive in installing updates and rebooting computers, because it has to be. In the same way, I have an iPhone and that’s updated on a regular basis, and it just kind of happens in the background automatically.
Enable the use of antivirus. It is only fifty percent effective by some metrics, but fifty percent is better than zero.
I think in this approach to cybersecurity, we are talking about building a multilayered approach,
building layers with effective tools that can help protect us in case something gets through and we get caught by something inadvertently.
Finally, on the identity side, protect your identity. As I said, we are not really behind the corporate firewall where everything is on the server in the office down the hall anymore. We haven’t been there for quite a while at this point, and so it’s really critical for everyone to make sure that they’re
- using good passwords and using a password manager, and
- enabling multi-factor authentication to protect that identity.
That may be complicated because you may log in to five, ten, fifty, a hundred different systems, so having a good way to manage and protect that is really a key element of good cybersecurity.
And then finally, know where your data lives.
Again, we talked about this on the device side, but also on the cloud as well. What systems have access to your account information? In terms of how to create a good password, there are a lot of different philosophies around that.
So as we move on to good cybersecurity practices:
What are good cybersecurity practices?
These are things that I would say are a good place to start. So if you can’t confidently say that you’ve checked off all these things, this is where I would start.
- Make sure that the backups are in place for your data,
- make sure that your systems are updated on a regular basis,
- make sure that you have multi-factor authentication in place with good passwords,
- make sure you’ve got that antivirus turned on,
- make sure you understand and know which systems have access to your data through the cloud and then, from an organization perspective
- make sure that you’ve got some cybersecurity awareness training in place.
And as I mentioned, we talk about this cybersecurity checklist in a lot more detail in our completely revised 2021 Cybersecurity Readiness for Nonprofits Playbook, so go ahead and check that out.
Putting this all into action
What does that mean? So I talked a little bit about backups, and just kind of understanding where data is, so I think it’s important to understand that, right? I mean, it’s no longer like all our data is on the server down the hall. Now we’ve got data in all kinds of different cloud systems. We have data on our desktop computer, we have data in cloud services, we’ve got pictures that are the most important thing. Where’s all that stuff? How do we access it, how is it being protected, and how is it being backed up?
So ideally, that data would be somewhere other than the primary service provider. So again, even if you are in Office 365, I would recommend making sure that you’ve got your data backed up in another location. There are lots of great tools out there for that. With Microsoft and Google and all the other big vendors, your data is important, but they’re primarily protecting themselves against a server failure or some other kind of crash.
The protection is not so much for if your computer crashes or you get ransomware on your device or something else happens. You may be able to get it back or you may not.
Having that data protected in a system other than the primary vendor is a critical piece of IT security, and also puts you in control.
You can manage the data, you have access to it if something happens. If a provider fails or data is not available, you’ve got another way to access that data.
Updating your devices, and that’s all devices: your phone, your computer, your tablet. Ideally that’s something that you are updating monthly. For other devices, updating the system BIOS and firmware and drivers is also something that I think should be happening monthly.
(If you follow us on LinkedIn you will get reminders from our #ReBOOT1st campaign)
Also make sure you’re just in a habit of rebooting weekly. These updates often can’t get completely installed until a device is completely rebooted, so it’s a good habit, if you can, to reboot your computer at least on a weekly basis to make sure that everything is clean and running well. Sometimes those reboots can take a long time. I know it’s a hassle to close out of stuff, but it really makes a difference. Reboot it at the end of the day so your computer’s ready for use the next day.
So for password managers, or just password management in general, I think it’s almost impossible to do this on your own. I’m a big fan of password managers; there are a couple of different ones out there. If you do this right, you don’t actually need to remember that many unique passwords: one for your computer, one for your password manager. That’s minimalist password management. It means that you can generate sophisticated passwords you don’t have to remember, and it will be easy to rotate or update them if something does happen.
Wrap Up – Cybersecurity Strategy for Nonprofits
As we wrap up here, I just want to offer some encouragement that cybersecurity can be daunting, but it doesn’t need to be overwhelming.
So here’s some specific things I would like you to take away from this:
If you’re here as an individual, or a very small organization, it’s important that you
- inventory and back up your data,
- make sure your computers are up-to-date and reboot them on a regular basis (#ReBoot1st on LinkedIn),
- make sure that antivirus is installed.
- get a password manager to store, manage and generate passwords for all those sites that you’re accessing
- review system access, what systems have access to your data and remove those unnecessary ones
- schedule time for security. I think this doesn’t happen on its own; it needs to be pursued intentionally, so make sure that you’re blocking out some time in your day, your week, your month to focus on that.
If you’re here representing part of an organization, I would say it’s really important to
- start with policy. We didn’t talk about that much in this webinar, but start with: what are we supposed to do as an organization?
- Formalize that policy and then formalize your cybersecurity controls, and then I think it’s really important to
- implement regular user engagement that includes different elements,
- we would typically do baseline phishing,
- have initial training and then
- run quarterly phishing tests,
- quarterly focus trainings and then
- provide regular reporting, and then
- incorporate feedback.
Cybersecurity Awareness Training Tips
So when we’re talking specifically about cybersecurity awareness training, I think it’s really important that the
- training must have executive buy-in and this is not something that IT can do on its own. It needs to be coming from the top, maybe the board, maybe executive leadership, but in order for it to be effective, it needs to come from that senior executive level.
- I would say it also needs to align with organizational culture. If you’re doing security awareness training that’s really strict and rigid and nothing else in your organization that’s strict and rigid, then you’re probably not going to be very effective, so find a way to make the tools work with how your organization works.
- I think it’s really important that training should be frequent in its timing. So having a three-hour security awareness training once a year is not that effective. Having a twenty- or thirty-minute training once a year and a five-minute training once a quarter, that’s great. It keeps you fresh, keeps you engaged, and it’s a lot more effective.
- I think it’s also important to incorporate testing and feedback, what’s working and what’s not. Is this training, does this speak to us as an organization or is this not really tailored to us?
- Build that culture of learning. I mean, this is something where if you can get people engaged, staff can talk about it, they can be open and you can be educated by the vendor that you’re using, I think that’s a much more effective approach than feeling like you’re being talked down to, or bullied into training, punishing people that click on stuff, making an example of them, in my view that’s not a very effective way to build a good culture around cybersecurity.
- Working with a vendor that is able to engage you, to be a teacher, an educator around these topics, is I think going to get you much better results than vendors that may have all the answers and kind of communicate it in that way.
So again, let’s make sure as we wrap up here, that you’re setting a reminder for yourselves, maybe a week from today.
Choose one or two of those things you said “Hey, I really want to get a password manager” or “Oh, I really want to make sure I have a backup of all my cloud data” so go ahead and set a reminder for yourself right now to do that.
You know, if you could take the step, have an accountability partner: is there somebody else in your organization that you can check in with? Maybe a contact with your IT partner to say “Hey, we really need to review X, Y and Z, let’s do that in a month.” Go ahead and schedule some time for that, so you can make this really actionable.
Security really doesn’t happen on its own, it requires us to be engaged with it, so schedule time to do that security now.
Johan Hammerstrom: All right, thank you Matt, appreciate your time, your knowledge and your expertise and my thanks to everyone for joining us today for this webinar.
Matthew Eshleman: Great! Thank you.
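The three manual phishing checks Matt walks through in the webinar (does hitting Reply go to a different address than the apparent sender, is the sender domain a lookalike of a brand such as alerts-devices-wellsfargo.com standing in for wellsfargo.com, and where does a link really go when you hover over it) can also be scripted, for example as a first-pass triage tool for a mailbox that staff forward suspicious messages to. The following is an added example written for this page; it is not code from Community IT or from the webinar. It assumes the message is available as raw RFC 822 text and that the caller names the brand domains the organization trusts. The two sample messages are constructed for this example; the domains in them are placeholders, apart from wellsfargo.com, which the webinar itself uses as the brand being imitated.

```python
"""Scripted form of the webinar's manual phishing checks (added example for this
page, not Community IT code). Assumes the message is raw RFC 822 text and the
caller names the brand domains it trusts. Samples below are constructed; their
domains are placeholders except wellsfargo.com, the brand the webinar's example imitates."""
import re
from email import policy
from email.parser import Parser
from html.parser import HTMLParser
from urllib.parse import urlparse


def _domain_of_address(header) -> str:
    """Lowercase domain part of a header like 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(header))
    return m.group(1).lower() if m else ""


def _host(url: str) -> str:
    """Host of a URL; bare anchor text like 'docs.example.org/x' gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _same_site(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs: the 'hover over the link' view."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_red_flags(raw_message: str, trusted_domains=()):
    """Return human-readable red flags for one email (empty list if none)."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    flags = []
    from_domain = _domain_of_address(msg.get("From", ""))
    reply_domain = _domain_of_address(msg.get("Reply-To", ""))
    # Check 1: hitting Reply would send to a different domain than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Check 2: sender domain borrows a trusted brand's name without being that domain
    # (alerts-devices-wellsfargo.com is neither wellsfargo.com nor a subdomain of it).
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        if brand in from_domain and not _same_site(from_domain, trusted):
            flags.append(f"From domain {from_domain} looks like {trusted} but is not")
    # Check 3: the hover check, where each link really goes versus what it shows.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = _host(href)
            if not href_host:
                continue
            if "." in text and " " not in text and _host(text) != href_host:
                flags.append(f"Link text '{text}' but href goes to {href_host}")
            if from_domain and not _same_site(href_host, from_domain):
                flags.append(f"Link to {href_host} does not match sender domain {from_domain}")
    return flags


# Constructed lure modelled on the webinar's examples (not a real message).
SAMPLE_PHISH = """\
From: Wells Fargo Alerts <alerts@alerts-devices-wellsfargo.com>
Reply-To: confirm@ext03.example
To: bill@example.org
Subject: Confirm your device
Content-Type: text/html; charset=us-ascii

<html><body><p>Dear customer, confirm your device.</p>
<p><a href="https://corpcatererscleveland.example/9f3a1c">Confirm your device</a></p>
<p><a href="https://login.landmarks.example.mx/wf">https://www.wellsfargo.com/devices</a></p>
</body></html>
"""

# Constructed legitimate message: the link stays on the sender's own domain.
SAMPLE_CLEAN = """\
From: Bob Example <bob@example.org>
To: bill@example.org
Subject: Q3 board packet
Content-Type: text/html; charset=us-ascii

<html><body><p>Packet: <a href="https://docs.example.org/board/q3">docs.example.org/board/q3</a></p></body></html>
"""
```

Calling `phishing_red_flags(SAMPLE_PHISH, trusted_domains=("wellsfargo.com",))` returns five flags (the Reply-To mismatch, the lookalike sender domain, and three link findings), while `phishing_red_flags(SAMPLE_CLEAN)` returns an empty list. The script is deliberately a triage aid, not a verdict: the lookalike check is a plain substring match against the brand name, and the sender-domain comparison will also flag legitimate newsletters sent through a third-party mailing service, so its output should feed the same "ask somebody" step the webinar recommends rather than replace it.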
Ready to get strategic about your IT?
Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap, if you don’t have an in-house IT Director. When you need technology change management, our ITBM team can help you communicate what the change is, why your organization is doing it, and discover who it will impact.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. And we don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
If you’re ready to gain peace of mind about your IT support, let’s talk.