How to Protect Your Organization Against New Threats
Following the 2024 Nonprofit Cybersecurity Incident Report, Carolyn sat down with Matt Eshleman, our Chief Technology Officer and cybersecurity expert, and José Antonio Peña-Rosales, our Director of Support Services, to talk about what users can do to stay safe and share some cybersecurity updates for nonprofits.
When should you report something or submit a ticket? (Right away is the correct answer!)
How can you tell if an email is legit? (Consider the address but also consider the content. Be suspicious!)
What should you do if a pop-up tells you your laptop is infected? (Don’t call the number on the pop-up!)
Get some practical tips and helpful advice to protect yourself and your organization with these cybersecurity updates for nonprofits.
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
Presenters
As the Chief Technology Officer at Community IT, Matthew Eshleman leads the team responsible for strategic planning, research, and implementation of the technology platforms used by nonprofit organization clients to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how nonprofit tech works and interoperates both in the office and in the cloud. With extensive experience serving nonprofits, Matt also understands nonprofit culture and constraints, and has a history of implementing cost-effective and secure solutions at the enterprise level.
Matt has over 22 years of expertise in cybersecurity, IT support, team leadership, software selection and research, and client support. Matt is a frequent speaker on cybersecurity topics for nonprofits and has presented at NTEN events, the Inside NGO conference, Nonprofit Risk Management Summit and Credit Builders Alliance Symposium, LGBT MAP Finance Conference, and Tech Forward Conference. He is also the session designer and trainer for TechSoup’s Digital Security course, and our resident cybersecurity expert.
Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.
He is available as a speaker on cybersecurity topics affecting nonprofits, including cyber insurance compliance, staff training, and incident response.
José Antonio Peña-Rosales joined Community IT Innovators in 2016. As Director of Support Services, he is responsible for the daily operations of the company’s support services teams and functions: Help Desk, On-site Support, Dispatching and Escalations. He has oversight of service delivery, and leads coordination with other service teams in the resolution of clients’ requests, consistent customer experience, and processes. José Antonio previously served as Service Desk Manager.
Prior to coming to Community IT, José Antonio worked in telecommunications for an Internet Service Provider for 9 years, focusing on two sectors: project management in technology and retail strategic marketing. He also worked at the Inter-American Development Bank as Resource Planning Assistant for 1 year, coordinating IT provisioning of electronic devices to employees worldwide.
José Antonio was born and educated in Venezuela and speaks English and Spanish. Upon coming to this country in 2014, he attended Carlos Rosario International Public Charter School in DC. He has a B.S. in Information Systems, and holds CompTIA A+, Network+, ITIL and Microsoft Certified Solution Associate certifications. He was happy to talk about cybersecurity updates for nonprofits in this podcast.
Ready to get strategic about your IT?
Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. And we don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand. When you are worried about your email safety and spam, you shouldn’t have to worry about understanding your provider.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
If you’re ready to gain peace of mind about your IT support, let’s talk.
Transcript
Carolyn Woodard: Welcome. My name is Carolyn Woodard, and we’re here with the Community IT Podcast, talking to my colleagues, Matt and José Antonio today.
José Antonio, would you like to introduce yourself and tell us what you do at Community IT?
José Antonio Peña-Rosales: Thank you. My name is José Antonio, as you said, and I am the Director of Support Services. I basically oversee the Help Desk Operations and the On-site Support Team Operations.
Carolyn Woodard: So, you’re responsible for the Help Desk. Do you set their schedule? Do you also see what they’re seeing? What role does that responsibility take?
José Antonio Peña-Rosales: Right. So, in my role, I oversee the operations in general. We have a manager for the Help Desk that actually monitors their schedule.
We do have a coordinator who also assigns appointments and manages all the appointments for the Help Desk technicians, which I did before because I was in that role as a manager before we even had a coordinator. It’s pretty busy there. So, we have the need to have these two roles, coordinating all the appointments with the users for the Help Desk for all of our clients.
Carolyn Woodard: It’s a lot. I didn’t realize until Matt did the webinar last week that there are over 7,000 end users that we’re supporting. So of course, they need to have a Help Desk available and able to answer their questions.
You see a lot of other issues as well, not just cybersecurity, but I’m guessing that cybersecurity is a big chunk of what the Help Desk is seeing.
I’d like to turn it over to Matt, if you wouldn’t mind introducing yourself and what your role is at Community IT and how you approach this problem of cybersecurity.
Matthew Eshleman: Sure. My name is Matthew Eshleman. I’m the Chief Technology Officer at Community IT.
And in my role, I really have two different primary responsibilities. One is I oversee our Centralized Services team. That’s the backend team that manages those devices. You mentioned 7,000 endpoints. We centrally manage all of those, provide a lot of cybersecurity through those platforms, ensuring consistency and access to our remote support team.
And then in my other role, I’m really responsible for driving the cybersecurity strategy and planning with our clients and helping them with adoption and new technology initiatives.
So, I have this internal capacity building role and then working externally to really align clients with the appropriate cybersecurity controls for their organization’s needs.
Carolyn Woodard: Thank you both so much for joining me.
José Antonio, I wanted to bring you in because you’re such a dynamic speaker for starters. And I just thought it would be interesting because Matt and I just did this webinar last week about the Cybersecurity Incident Report.
Taking all of that information from our end users, Matt did a bunch of analysis on it and presented a lot in that webinar. So, I was hoping that I could get you to weigh in a little bit on what that means for users.
José Antonio Peña-Rosales: Of course, yes. Happy to do so. Thank you for inviting me.
Carolyn Woodard: Excellent.
Matt, last week when we talked about the Cybersecurity Incident Report, one of the charts that you showed that was pretty alarming was all of the unwanted email increasing exponentially. And I know I’ve been seeing a lot more email in my inbox. Of course, we know that’s just the tip of the iceberg. We have a lot of automatic tools that are keeping the worst spam out of your inbox.
Could you talk a little bit more about why unwanted email is increasing so much?
Matthew Eshleman: Yeah. The reason why it’s increasing is that it’s ultimately effective. And I say that, insofar as what we’re dealing with and trying to protect against are cyber criminals and cyber criminals are interested in finances.
An important understanding is that while there is a certain class of threat actors that might be into espionage or stealing data or something, at the end of the day, most of these organizations are getting paid to do their work. And even though email may not be as popular as a communication tool as it once was, it is still really effective.
And so, for these threat actors to use phishing tactics to get you to click on a link with the ultimate goal of either directly engaging in sending them gift cards or updating some wire payment information, or maybe just using your account to target somebody else, it’s really financially motivated.
And we’re seeing that reported in the FBI statistics in the increase in financial crime year over year. So again, the bad guys use it because it works.
And I think that’s the reason why we’re seeing so much increase in two categories of messages.
- Spam, just unwanted messages, relatively benign;
- But also phishing, which carries the connotation of some additional risk for the recipients.
Carolyn Woodard: Can I turn it over to you, José Antonio, and ask you the opposite side of that question?
If you have a user that has received something that they don’t want to receive in their inbox, what’s your advice for them? What should they do about it?
José Antonio Peña-Rosales: A lot of our tickets related to incidents are basically spam, as Matt has mentioned. A lot of tickets are users asking, is this legit? Is this an email that I should trust? Can I open this? Or maybe, “I clicked on this link and now I don’t know if my computer is infected, or my account might have been compromised.”
We do have certain protocols that start with a basic analysis of the email and depending on what the technicians find in this email, they might advise to either block the sender or if we suspect that there is a possible compromised account or the email is representative of a threat, then maybe we have to escalate this to a more advanced engineering team.
Usually, the technicians also work with Centralized Services, which is the team that Matt is overseeing, to understand and determine the risk of every email. Not all the time, but there are certain protocols that we follow, and we recommend to the users to follow, depending on what we find in the ticket.
Carolyn Woodard: I know that often there are certain roles that you want to have a lot more training and a lot more security around, like your Chief Financial Officer, people who are in accounts payable, the finance team, maybe the development team as well that are getting those major gifts.
Do you pay special attention if the person submitting the ticket has a role like that where they may be more targeted?
José Antonio Peña-Rosales: Our recommendations are for everyone, not only for the CFO of the company or for specific roles. It is probably true that certain roles in the company are more prone to have this risk of being attacked or being targeted. So, we recommend paying attention if you receive an attachment.
Do you trust the sender? Do you know the purpose of this attachment? Do you know the sender? Don’t open the attachment if you don’t really know the source or if you aren’t expecting it.
The same with links. Don’t click on any link unless you hover the mouse over the link and see where it is taking you. Do you trust the sender? Were you expecting this?
These are basic recommendations that we do when we analyze spam. Check the From field to see if it’s coming from a source that you trust.
These are practices that we recommend when you’re reading emails. But don’t respond to any spam. Don’t click on unsubscribe. Just delete the email. And basically, report anything that looks suspicious to Community IT, because that would allow us to do a better analysis of the email and give you the best advice.
Carolyn Woodard: I know in a past webinar, we talked with someone who works in cybersecurity who said she’d rather get 99 false tickets that weren’t anything and still catch that one that was very dangerous than have people be worried about bothering her or thinking, it’s fine; I’m not going to report it.
She said, try to cultivate a culture where everyone is reporting if they think it might be something and let the experts figure out if it is or not. Don’t try to do that analysis yourself, which I felt was good advice.
I want to move on and ask about something, Matt, that you spoke about last week about fake virus pop-ups that people are starting to see. For myself, it’s been a while since I’ve seen a pop-up that just opens and then it’s blinking and flashing and says, oh, you’ve got a virus.
Can you talk a little bit more about fake virus pop-ups, Matt, and what you’re seeing?
Matthew Eshleman: Yeah, the days of pop-ups in my memory were a long time ago. And having pop-up blockers was a really big deal. In general the pop-up ads and that kind of stuff seems to have been solved.
But what we do see, and again, we’re managing 7,000 endpoints. We’ve got a big window there and insight into a lot of different devices. But when those pop-ups do occur, they are really unsettling.
Oftentimes that will occur, as you mentioned, a pop-up that says, oh, you’ve got a virus, or your computer is going to be encrypted, or you need to call us right away so that we can unfreeze your device.
It’s really a social engineering attack. They’re trying to prompt a behavior from whoever is falling victim to that attack.
On the one hand, if you have a little bit of insight or you’ve gone through a training or you’ve seen this before, it’s really easy to take a deep breath, step back, hit Alt F4, close out of the window and boom, you solve the problem.
The challenge comes when that sense of anxiety kind of rises and all of a sudden, you’re like, “Oh, my gosh, what do I do? My computer is being taken over. I need to call this number to get help right away!” which is kind of what the attackers want you to do.
And so again, it’s a training piece. It’s one of those unique areas of cyber attack where even though we’ve got all kinds of different protections and controls, somebody putting a message on your screen, if they do it enough, somebody ultimately falls for it.
It’s really hard to protect against technically. That’s something that we look at continually. And this is one of those areas where training is really effective to understand what it is, what you’re seeing, and then know how to just close it out.
Carolyn Woodard: José Antonio, do you get people who call in a panic, either because they have a pop-up or something else is happening on their laptop and they’re not sure what to do?
José Antonio Peña-Rosales: Yes, that happens. It doesn’t happen as often as they send emails, but it does happen.
And it’s good when it happens before they actually take any actions. It’s really bad when they actually fall for that message. And usually there’s a pop-up that says not only your computer has been infected, but also you need to call this number.
They fall into what Matt can confirm. This is social engineering. They call and a person who is supposed to be a technician or help team answers the phone.
And they say, “Oh, yeah, your computer’s been infected. Let me access your computer.”
And that’s how they get into all your information. That usually ends on a ticket that we have to escalate, because at that point, the computer has already been compromised. Not only the computer, but the account, everything.
But it’s good when they call before that, and they say, “OK, I have this problem, I can’t do anything. Can you please get rid of this?”
I think that’s why I mentioned training is so important, because the earlier we catch it, the more we can do to prevent any harm.
Carolyn Woodard: Yeah, I think that just goes back to what we said before. As early as possible, submit the ticket before it goes farther. It’s really invasive, especially if the way you would usually submit the ticket is on your laptop, right? And your laptop is telling you, you can’t do anything because you have a virus.
Maybe it makes sense to have the phone number also on your desk somewhere, physically written down, to call this number to the help desk if something is so haywire on your laptop that you don’t even feel comfortable trying to submit a ticket.
José Antonio Peña-Rosales: Sometimes these pop-ups come because you installed an add-on from a website that you visited, or maybe you visited a place that you should not have visited, and then your prompt is with messages.
Matthew Eshleman: I think the challenge is that these things kind of pop up, no pun intended, but pop up relatively infrequently. I think we had maybe 60 or 70 of these reported last year, but 60 or 70 out of 7,000 devices, right? The relative rate is not that frequent.
Clearly, we have a lot of tools in place that are blocking a lot of these things proactively. But for whatever reasons, in some cases, they’re able to get these messages to pop up by maybe malware, like advertising, they get through a malicious Google ad or something. And what pops up today, maybe in a few hours, the system will catch up and block it.
But at the scale that we’re dealing with, some stuff is just going to come through. I do think that old adage, an ounce of prevention is worth a pound of cure, is really appropriate in cybersecurity.
If you can, just reach out to us. For our clients, our help desk is really great. They can call directly. They can get in touch with somebody right away. So, it’s not like you have to wait around.
And so, if you can make that call and we can prevent it, that’s a 15-minute call, as opposed to if you click on it and follow the stuff, we’re into multiple hours of cleanup and disruption. And so that ounce of prevention is really a good thing to keep in mind when it comes to cybersecurity, because it saves so much time down the road.
Carolyn Woodard: I think that speaks to training as well. The situation you’re talking about, we talked about in the past as the cat and mouse. So, the hackers are trying to find ways around your prevention and you’re trying to catch up with new prevention to prevent their new ways. And so, as that’s changing so quickly, and AI is going to make it change even more rapidly now, ensure staff have up-to-date training.
As soon as you’re seeing trends or seeing something new happening it’s really important. I think the days of being able to do one annual cybersecurity training are long gone.
I wanted to go back a little bit to emails and just ask, you spoke earlier, José Antonio, about a compromised account.
Sometimes you will receive an email that looks like it’s coming from maybe a colleague, maybe a vendor, maybe a partner, someone that you work with, and it is their email, but it’s not them sending it. It’s because a hacker has somehow gained control of their domain or their email that they’re sending.
And that can happen to you also, right? Your email could be being used to attack someone that you’re a partner with. So, are there ways to check if it looks like a real email? That seems just so insidious to me, because we tell people to look at the address, if it’s spelled wrong, almost closely, but not quite, then it’s not real.
But what if it really is a real email? What can you do about that?
José Antonio Peña-Rosales: Yeah, that’s true. And I think the hackers are getting better and better every day. Every time we see new things we think, wow, this can be easily missed.
So, yeah, the account might have been compromised and they’re using an account to reach out to you that was compromised before, or the email might be spoofed, and it looks like it’s coming from someone else. Those are difficult cases. It’s important to pay attention.
What is the request on this email? If it’s a financial transaction, maybe it’s good to pick up the phone and confirm with that other person, is this real? Is this legit? Are you asking me for this information?
Use encryption on your emails, which your IT department might help you understand how to implement it if you don’t have it. Validate information over the phone. Pay attention to the sense of urgency. Those are the basics that you need to pay attention to.
And lastly again, go back to your IT department, report it and have them take a look at this email to make sure that it looks safe and legit.
Carolyn Woodard: That’s really good advice, to pay attention to the content. Does this content seem like something this partner or this vendor would be asking for or would be telling me? Because that is using your human part of your brain to try and outwit maybe some AI or some hackers.
Matt, can I go back to you just for a quick question about the new attack you talked about last week, the attacker in the middle, and how that impacts the multi-factor authentication?
We’ve been telling people for a while to use MFA on all their accounts, including your personal accounts, social media accounts, etc. Now that there’s this new attacker in the middle where that MFA is not completely 100% protecting you anymore, what should people be doing?
Matthew Eshleman: An interesting thing that we saw when we were reviewing the data from all the incidents that the remote services team took in is the number of accounts that we responded to that were compromised that also had multi-factor authentication enabled. I think a lot of these things are connected.
The increase in sophistication in phishing is they’re using what’s called an attacker in the middle (AitM) attack.
So, you may receive a message from somebody that you actually work with, maybe their account is compromised, that has a link. And instead of going directly to their Office 365 account or Dropbox or whatever, it’s instead using what’s called a proxy. There’s a connection between your computer and the website that you’re ultimately trying to get to and that proxy is able to steal your login session.
It’s a little bit technical, and there’s lots of good articles out there that talk about how this happens, but they’re able to steal that authentication session and then reuse it and maybe add their own method for MFA.
And so, what we’re now moving to, particularly for people in trusted roles, is using physical security keys or passkeys. It’s a little bit different from the Authenticator app on your phone in that there’s some additional technical work that ties the physical device to your account, as opposed to it just being a second method.
Those are known as phish-resistant MFA methods, and they’re becoming a lot more common, I think a lot more useful, particularly with these proxy attacks where they can steal the MFA session.
So, for organizations that have staff, finance operations, IT departments, people that can have access to sensitive information, moving to these phish-resistant MFA methods is really important as part of the overall protection plan to secure the organization.
Carolyn Woodard: So that means that even if someone has a proxy between you and logging in with your MFA session and they’re trying to do that remotely, they can’t because the physical key that’s going to allow that session is physically with you. Is that how it works?
Matthew Eshleman: Yes, that’s exactly correct. So, we’re going beyond multi-factor authentication. We typically describe it as something that you have and something that you know, which is your password, and this authenticator app is something that you have. There’s some technical nuance there about what you have, but these physical security keys really do fulfill that requirement of something that you physically have and is required to make that final authentication.
So instead of it just being that token that can be portable, the service, Microsoft or Google are actually looking for the physical device that you retain as opposed to an authentication token, which can be stolen.
Carolyn Woodard: All right, last question for both of you.
Is there one thing that you wish users would know about cybersecurity? One thing that’s the most important.
José Antonio Peña-Rosales: Never call those numbers when pop-up ads come into your browser. Never, ever, ever, ever, ever call that number. That’s the most important thing, I think.
Carolyn Woodard: I think you said earlier, José Antonio, don’t engage, don’t respond to an email, don’t click on the thing, don’t have any interaction with something you think is suspicious. And that includes not calling the number they give you. Yep.
Matt, do you have one thing you’d like to leave people with?
Matthew Eshleman: Yeah, I think being attentive is good. Understanding some of those basic cybersecurity techniques, particularly evaluating email. If you’re not sure who the message is from, you can hit reply, and then that will often reveal the actual sender’s address. That can be a good visual cue.
Being able to hover over the links can be helpful. It can also be a little tricky, especially if there’s spam filters. They tend to replace those things. But just have a basic understanding of how email addresses are constructed and how website links work. I think that’s a good use of 15 or 20 minutes of your time to spend learning how those things work.
Carolyn Woodard: That makes sense. I think being attentive, paying attention, and being suspicious, right? Developing that healthy sense of suspicion also helps you keep an eye on what’s coming into your inbox or popping up on your screen.
Well, thank you guys so much for joining me today. I really appreciate your time. Thank you, José Antonio, for all of your work.
And Matt, thank you so much for doing that incident report and sharing those statistics with us. Thank you.