Most nonprofits will be asked about vulnerability scanning when they renew cybersecurity liability insurance or complete an annual audit. Do you know what it means and what you should do to comply?
Many providers will use the label “vulnerability scanning” so it is important to understand what is meant by this term and what the provider will do and report on. There is no one universal vulnerability scanner. Different systems must be scanned with their own automation.
Join CEO Johan Hammerstrom as he explains in plain language what vulnerability scanning for nonprofits is, why nonprofits need to do it, and what to look for when talking to a provider.
Listen to Podcast
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
The takeaways:
- There is no one-size-fits-all vulnerability scanning app for your entire nonprofit organization. You will need to do vulnerability scanning on various systems, and the scanning will differ for each.
- As part of your incident response planning you should have an inventory of your general vulnerabilities – website, any custom apps, any customized anything, and then other apps and tools. Check in with your IT team and stakeholders to understand your inventory of risks.
- If you are being asked to check off a box on your cyberliability insurance or part of your annual financial audit, talk with the auditors or your insurance broker to get more clarity.
- In addition to checking this necessary box, vulnerability scanning is an important layer of protection to have around your organization and your mission. Take it seriously, but realize that as a buzzy term, you may be approached by vendors overselling what you need.
- A trusted IT partner – whether a board member, IT director, or outsourced IT provider – can help you wade through the options and choose the one that fits your budget, risk profile, and the specifics of your IT setup.
Vulnerability Scanning for Nonprofits
Vulnerability scanning is the process of using automated tools to scan for weaknesses in computer systems, apps, networks, and platforms. It is particularly necessary for websites, to avoid falling victim to hacks and ransom extortion. It is a proactive approach to finding these flaws and vulnerabilities before outsiders and hackers can. Vulnerability scanning will help your nonprofit learn where risks may hide, and allow you to take proactive steps to mitigate risks and correct configuration errors. Vulnerability scanning providers will need access to your systems and will provide a comprehensive report on the vulnerabilities found, often arranged by the most immediate risks or the risks with the greatest potential for damage.
Many security regulations and standards require periodic vulnerability scanning. Nonprofits are being asked to complete vulnerability scanning as part of renewing cyberliability insurance or complying with enhanced annual audits under the SAS 145 guidelines. Vulnerability scanning helps prioritize remediation efforts by highlighting the most critical vulnerabilities, and it should be a recurring process, reviewed periodically, to help improve your nonprofit’s security posture.
If you have questions that aren’t answered by this podcast, talk to us! On our site we have free resources on basic cybersecurity and IT governance policies. You can also use our downloadable Cybersecurity Playbook or other online resources, or schedule time with our Cybersecurity Expert Matthew Eshleman to ask your questions.
Presenters

Johan Hammerstrom’s focus and expertise are in nonprofit IT leadership, governance practices, and nonprofit IT strategy. In addition to deep experience supporting hundreds of nonprofit clients for over 20 years, Johan has a technical background as a computer engineer and a strong servant-leadership style as the head of an employee-owned small service business. After advising and strategizing with nonprofit clients over the years, he has gained a wealth of insight into the budget and decision-making culture at nonprofits – a culture that enables creative IT management but can place constraints on strategies and implementation.
As CEO, Johan provides high-level direction and leadership in client partnerships. He also guides Community IT’s relationship to its Board and ESOP employee-owners. Johan is also instrumental in building a Community IT value of giving back to the sector by sharing resources and knowledge through free website materials, monthly webinars, and external speaking engagements.

Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College.
She was happy to have this podcast conversation with Johan about what vulnerability scanning for nonprofits is and how it works. And why it is another important layer of protection you can build around your organization and your mission.
Ready to get strategic about your IT?
Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. And we don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand. When you are worried about cybersecurity, you shouldn’t also have to worry about understanding your provider. You want a partner who understands nonprofits.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
More on our Managed Services here. More resources on Cybersecurity here.
If you’re ready to gain peace of mind about your IT support, let’s talk.