Listen to Podcast
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
Presented with Nonprofit Learning Lab
Community IT CTO Matt Eshleman presented a new free webinar on 10 Free IT Security Tools for Nonprofits, hosted by the Nonprofit Learning Lab
What should you do to protect your nonprofit from hacks if you don’t know much about IT?
Where can you find expert, current information on practical steps you can take as a nonprofit leader to make sure your staff take cybersecurity seriously, without breaking the budget, or paying for security you don’t understand how to use? Nonprofits are seeing cybersecurity risks and costs go up.
Come learn how to manage cybersecurity basics at every level of your organization, to better protect yourself from scams and frauds.
Matt gives an overview of the threat landscape for nonprofits and shares 10 free IT security tools your organization should be using – and probably already have access to. He also shares a few bonus low-cost tools you can consider, and discusses ways to make cyber security an integrated part of your nonprofit culture.
All staff will find this information relevant, whether or not you have IT responsibilities.
Community IT Innovators is pleased to partner with Nonprofit Learning Lab to present this webinar on free IT security tools for nonprofits. Learn to put safeguards in place to prevent falling victim to scammers and cons.
As with all our webinars, this presentation is appropriate for an audience of varied IT experience.
Community IT and Nonprofit Learning Lab are proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.
As the Chief Technology Officer at Community IT, Matthew Eshleman is responsible for shaping Community IT’s strategy in assessing and recommending technology solutions to clients. With a deep background in network infrastructure technology he fundamentally understands how secure technology works and interoperates both in the office and in the cloud.
Matt has dual degrees in Computer Science and Computer Information Systems at Eastern Mennonite University and received his MBA from the Carey School of Business at Johns Hopkins University.
Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference and Non-Profit Risk Management Summit. He is happy to share 10 free IT security tools for nonprofit in this webinar.
How can you contact Matt?
Tammy from Nonprofit Learning Lab: Hello everyone, and thank you for joining the Nonprofit Learning Lab for today’s workshop. And without further ado, I will now hand it over to you, Matt and Carolyn.
Carolyn Woodard: Thanks, Tammy. Welcome everyone to the Community IT Innovators’ Webinar on 10 Free Security Tools for Nonprofits.
- Today we’re going to talk about the cybersecurity landscape and what the biggest risks are to nonprofits and nonprofit staff.
- And then we’re going to talk about some free and low cost investments you can make to increase your security.
- And we always try to explain any lingo we end up using. And today, during the session, please ask if you don’t understand any terminology because that’s what we’re here for.
Our learning objectives are that after the session, you should be able to
- Describe the cybersecurity landscape for nonprofits,
- Learn about cybersecurity readiness
- Review the 10 Free Security Tools we’re going to talk about.
- Understand the role of executives and staff to manage basic security, even if you’re not the IT person.
- And know where to go for additional resources on nonprofit security.
And I want to remind everyone, Community IT is vendor agnostic. This presentation is to discuss how nonprofits are using common tools and what we are observing about them, but we don’t recommend any tools in general. We only make recommendations to our clients based on specific business needs and their nonprofit culture.
So again, I want to encourage everyone to submit questions and comments through the chat and the Q&A feature today, and we probably won’t be able to get to everything, but you can always contact us after the webinar for a follow-up. So, Matt.
Matthew Eshleman: Great. Thank you for that introduction, Carolyn. I’m happy to be joining you all today. My name is Matthew Eshleman and I’m the Chief Technology Officer at Community IT. In my role as CTO, I’m responsible for not only the internal IT systems that we use to manage our 170 nonprofit clients, which support about 6,000 staff, but also work with our nonprofit clients to help them develop their technology and cybersecurity strategy to ensure that their data is well protected. So looking forward to talking today about some free tools that organizations can take advantage of as it relates to cybersecurity.
Carolyn Woodard: Thanks. And my name is Carolyn Woodard. I’m in charge of outreach at Community IT, and I’m going to be helping Matt today in monitoring the chat. I’m very excited to be sharing our expertise with you today.
I think sometimes cybersecurity can be so daunting. It’s tempting just to try not to think about it too much and just hope for the best. But Matt is going to show you today that there are some easy steps you can take to make your nonprofit much, much more protected. It makes sense to start taking those steps now.
So before we begin, if you’re not familiar with Community IT a little bit about us. We are a 100% employee owned, managed services provider. We provide outsourced IT support. We work exclusively with nonprofit organizations. And our mission is to help nonprofits accomplish their missions through the effective use of technology.
We serve nonprofits across the U.S. and we’ve been doing this for over 20 years. We are technology experts and we are consistently given the MSP 501 recognition for being a top MSP, which is an honor we received again in 2022.
We have lots of free resources on our website, including videos, articles, and free downloads. We have a weekly podcast on technology topics, and we really just think that the more nonprofits learn about nonprofit IT, the better you can accomplish your mission.
We’re also recording this webinar, as Tammy said, and they’ll be sending out the link to that video later. So don’t worry too much about taking notes while we have this conversation. If you miss a link or resource, you can look it up later.
So now our agenda, we are going to be talking about
- the cybersecurity landscape,
- talk a little bit about cybersecurity readiness,
- and then Matt is going to talk about the 10 free tools.
- And then, we’ll hope to leave some time at the end for Q&A.
Matthew Eshleman: Great. Well, thank you Carolyn for that introduction. And I would just reinforce that if you have questions as they come up along the way, please feel free to use the question feature that will be moderated. If there’s something that’s really relevant to one of those slides that we’re on, I’m happy to take those questions as they come in or we can have some time at the end as well to answer questions that you may think of as we’re going throughout this presentation.
So as I mentioned, I think it’s really helpful to understand the cybersecurity landscape that we all operate in. Cybersecurity is important. The threats are not just something that happens to the big organizations that you read about in the paper, but cybersecurity concerns are important to every organization, no matter how big or how small. And I think it’s important for everyone to understand just what’s going on out there in the cyber world.
And one of the things that is happening quite a bit is that there are persistent and ongoing brute force attacks against your digital identity.
I think nonprofits have done a great job of moving resources into the cloud. That’s Office 365 or maybe Google Workspace, and it’s been really great to access that information from no matter where you are, but it also means the bad guys can too. And so we see evidence of lots of ongoing attacks where the bad guys are just trying different username and password combinations and trying it again and again. So that’s one area that we see a lot of attacks around is your digital identity.
We also see pretty sophisticated spear phishing attacks. Spear phishing is a special type of email attack that combines some unique knowledge about you and your organization in order to get you to take some action, click on a link, type a password, open up an attachment, that sort of thing.
Industry research says that as much as 91% of cyber-attacks really start with email. And so we certainly see that in the nonprofit sector. Another thing that nonprofits do a really good job of is they’re very proud of their staff. Many organizations have really great staff directories, so it’s easy for the bad guys to find email addresses, reporting structures, and all of that information ends up being used to craft those spear phishing messages.
We also see that organizations are targeted because of the work that they do. This applies particularly to organizations that are in the policy space. If you’re government or government-adjacent, you’re very attractive to sophisticated hacking organizations because they want to know what’s going on, and who has access to government resources, or may have access or influence on government officials.
We also see attacks targeting organizations that are in family planning and health services as well. So it’s important if you’re in one of those maybe protected categories to have additional attention to your cybersecurity protections.
And then attacks are also targeting vendors. So if you were a managed service provider like Community IT, we take extra care and caution because of the access that we have to our clients’ data. If you’re working with an IT vendor or an IT consultant, it’s important to understand the cybersecurity controls that they have in place to protect access that they may have into your systems. Again, that’s very, very appealing to these cyber actors to make sure that they can try to exploit one organization and then thereby gain access to many more.
I’ll say it’s not necessarily all bad news when it comes to the cyber landscape. There are lots of great security tools out there that can help protect and prevent some of these attacks from occurring. I’m also encouraged that we’re seeing, compared to a few years ago, a lot of organizations are being really proactive about improving their cybersecurity. And so as somebody who’s been talking about this topic for quite a while, I’m really encouraged to see so many organizations being proactive to say, hey, what can we do? What steps can we take to make sure that we’re being as secure as possible given the constraints that we have. Even with that good news, I think there’s still a long way to go.
NTEN put out some information about the cybersecurity controls that organizations and nonprofits have. And they identified that even with this good momentum, about 68% of nonprofit organizations still haven’t defined an incident response plan. That’s a document that describes what steps an organization is going to take, if and when something bad happens to them: access to a donor database is disclosed; maybe a ransomware attack; and just having that policy document in place, because cyber-attacks are expensive.
While we see the million dollar damages in the news, the costs associated with cyber-attacks for small organizations certainly isn’t that large, but it can still be in the hundreds of thousands of dollars range, which can have a significant impact on a nonprofit organization.
All right, So I’ve asked a bunch of questions and talked a lot about Community IT. Now here’s your chance to respond.
What type of cyber threats have happened to you, at your organization or maybe an organization that you are familiar with?
- Have you had a compromised email account?
- Have you been a victim of wire fraud or financial loss? That’s when information is stolen from the organization.
- Have you been a victim of sophisticated hackers that are interested in your work?
- Maybe you’ve been a victim of some ransomware attacks or crypto attacks,
- Or, maybe you’ve been the lucky person that hasn’t been involved in any of this.
Carolyn Woodard: And I think we also were going to ask people if they had had something else happen to them and they felt comfortable briefly saying what it was, they could drop that in the chat as well, because sometimes they’re just off the wall things that happen that are also cyber related.
All right, so I’m going to read the responses.
About 60% said that they had a compromised email account.
About 20% said that there had been some wire fraud or financial loss. Maybe somebody had gotten you to send money to that bank number that wasn’t the right bank number.
About 40% have been a victim of ransomware or a virus or malware.
And about 20% of you, hello, wonderful, haven’t seen any incident or don’t know anyone who has.
So you can see 80% of the respondents just today said they have familiarity with some kind of cyber-attack.
Matthew Eshleman: Great. Well, thank you for sharing those results. And for those of you, the 20% that haven’t, the operative phrase that you hear in cybersecurity, it’s not a question of if, but when. With that mindset, maybe you’ve been lucky so far, but it’s something that you could surely plan for.
And so we’ll talk about some of the tools and techniques that you can use to help provide some additional security for your organization.
So when it comes to cybersecurity readiness, I like to break things up into these top level categories.
Knowing that there are technologies or solutions that are people centric. And so those are things like choosing good passwords or having your staff implement multifactor authentication, right? Those are steps that your users can take to make your organization more secure.
There’s a lot of process around policy and training. I think those are absolutely critical. And so organizations can take those steps to have clearly articulated policies that really define how the organization approaches these different technology controls and make sure that that is well communicated.
And then along with the process, I would say that training is a very key piece.
While there’s lots of technology solutions, and we’ll get into those, making sure that staff are educated, aware and engaged is a really key part of cybersecurity.
And cybersecurity training is something that has lots of free solutions; there’s lots of low cost options out there to help improve and educate your staff.
And then finally, the technology tools, there’s lots and lots of different options out there. It can be overwhelming at times but we’ll talk through some of the free tools that are available to help manage things like computer updates, some proactive scanning tools, and then also look at some tools related to email protection as well.
And I would just highlight that Community IT has a free resource on our website. It’s our Cybersecurity Readiness for Nonprofits Playbook. That’s a free guide that will provide some step-by-step instructions along with some budget information for organizations that are ready to take some additional steps to protect their organization.
Carolyn Woodard: Yep. So throughout today, I’ll be putting some of the links in the chat. Hopefully you’ll be able to see those and grab those there. And I love how you framed this. Matt,
I know this is a somewhat common rubric, but
- the people,
- the process
- and the technology
We’re not going to jump right into the tools right away. I think first we’re going to talk about people. Is that correct?
Matthew Eshleman: Yes. So first, we’ll talk about some things that are human-centric or people-centric cybersecurity controls. I’m the CTO, I’ve got technology in my job description. But I really think that people controls are absolutely critical and provide a lot of value for organizations, because again, they don’t cost much to do. You just need to get people to take those steps.
And the one that we want to make sure that every organization has, if you only take away one thing from the webinar today, is that you should make sure that multifactor authentication is enabled on not only your primary IT systems, but any system that will support it. It should be enabled because password breaches are so common, because it’s so easy to access resources from anywhere.
The bad guys are constantly trying different username, password combinations that they gather. And being able to implement multifactor authentication, which combines something that you know, which is your password, along with something you have, which is often going to be an app on your smartphone, is a great way to put a big speed bump in front of those hackers who are trying to get into your account.
We’ve got some additional links and resources available to help support that process at your organization. There’s some videos on our YouTube channel that walk through a step-by-step process if you’ve got Office 365 so that you can turn on that multifactor authentication. Google refers to it as two-step authentication, and that provides an incredible amount of protection.
One of the things that we see at Community IT is lots of security incidents. And we can see from our data that none of the account compromises that we responded to last year had multifactor authentication enabled. So we can really see from the data associated with supporting over 6,000 nonprofit staff, that MFA is incredibly effective at stopping the bad guys from getting into your account.
MFA is our number one security control that you should have in place. It doesn’t cost anything, it’s included as part of all of those platforms and is not something you need to pay extra for. If you have Office 365, you have the ability to turn on multifactor authentication. If you are a Google Workspace customer, you also have free access to multifactor authentication.
The next control is related to passwords. And again passwords to all these systems, I know myself, I probably have accounts at hundreds of different online services. Every place you go needs a different user name and password and keeping track of all of those is really complicated and can be a daunting task.
It’s important to make sure that you are using unique and complex passwords for every site that you need to access. And the reason is that there are password breaches that happen all the time. That’s when a hacker gets into a system and they are able to get a list of usernames and passwords associated with some certain web service. And then they take that information and maybe go from a shopping site or some kind of member site, and then they’ll try those same credentials at your mobile phone provider or your Office 365 account. And so it’s really important for every site that you access you create a new and unique password.
There are some free tools that are available to help manage these passwords.
KeyPass – https://keepass.info/
Dashlane – https://www.techsoup.org/dashlane
Chrome Password – https://support.google.com/chrome/answer/95606
KeePass is one that’s a free open source tool that can be installed and used to manage credentials. I would also say that there are some built in security tools in most browsers. If you use Google, or even Edge browser will now give you the ability to securely store passwords for websites. From a security perspective, that is a good security tool to have and makes it easier to access those systems. If you can protect your main account with multifactor authentication and then store all of those other credentials in that vault, that gives you a secure way to access multiple sites through the browser.
If you’re a Mac user, the actual Mac OS Keychain is also a great secure enclave as a way to store passwords that can then be decrypted and used at a range of sites. So it’s really important to make sure that you are using unique and different passwords at all the different sites that you have access to.
For a discount option for organizations that are 501(c)(3) nonprofits, there are also some discounted tools available through TechSoup. I believe Dashlane has a nonprofit discount or donation program where you can access that tool and get a bit of a discount off of the regular list price, because you’re a nonprofit.
Carolyn Woodard: I know we get this question sometimes Matt, but sometimes people are concerned about a free tool that’s going to guard their passwords. So are those types of tools secure? Should you trust them?
Matthew Eshleman: Yeah, I think you need to certainly be skeptical of the tools that you use. I think particularly with a lot of the apps that end up being on the App Store or the Google Play Store, there can be a lot of look-alikes that appear like they’re legitimate software, but they’re not. It’s important to investigate what tools they’re there.
And so that’s why I would recommend using the big names, like your browser, like the Keychain if you’re in Mac OS, KeePass, again, it’s an open source tool. And so again, it has lots of eyes on it to make sure that that tool itself is very secure. So be careful, be skeptical, and just make sure that you’re using a well-regarded and well rated app for passwords.
Carolyn Woodard: And I think we always say that using a free tool, a password manager, is so much better than reusing a password over and over in different places. It just makes a huge difference.
Matthew Eshleman: Yes, exactly.
Carolyn Woodard: Our next three tier rubric, we’re going to talk a little bit about different processes that you can use and maybe some tools that will help you with the processes.
Matthew Eshleman: Great. So one of the tools that I wanted to highlight was a free resource. It’s actually a government resource. So your tax dollars are already paying for this.
It’s free to use now. It’s stopthinkconnect.org. That is a cybersecurity resource that the government has put together that provides a lot of free tips, tricks, some basic trainings and overviews.
If you’re looking for somewhere to get started, this can be a great place. Here you can see some of the basic tips that they outline to make sure that you are, from a process standpoint,
- keeping your computer up-to-date through automated software updates.
- Make sure everything that’s connected to the internet is as secure as possible.
- And be careful about plugging in external USB drives.
Some basic advice that may seem like common sense, but is really good to just work on the fundamentals.
Unfortunately, in cybersecurity, the way that the attackers work is that they’re really looking for the weakest link. If a system is not patched or not up-to-date, that’s the system that’s going to get compromised. And so it’s important for your organization to just make sure that you’ve got a good foundation, making sure all the basics are covered.
There’s a technology checklist of all the systems. Making sure that you’ve got a good system inventory is a basic form of cybersecurity control.
Making sure that you understand as an organization,
- What are the different resources that we have in place?
- Who has access to them?
- How are they updated?
- How are they managed? All those elements go together to form some good baseline cybersecurity controls.
For the next resource, I’ll highlight some resources from an organization called SANS. As we talked earlier, one of the important pieces to get started with is IT policy. And then the following question is, hey, where can I get those policy templates? And this is a great resource to get started with. They’ve recently updated their site, They have some new updated policy templates.
You can go to sans.org/informationsecuritypolicy. And they have a wide range of policy templates that are available from your foundational IT acceptable use. Let’s just set the baseline to disaster recovery, to incident response, to data management. Lots of policy documents are available there that provide a framework and then you can tailor and customize for your organization’s unique requirements.
I’d be remiss if I didn’t highlight some of the free resources that we have at Community IT.
I already talked about one, which is our Nonprofit Cybersecurity Playbook. That gives you a roadmap if you’ve already done all these basics to really move into some next level cybersecurity controls. So that’s a resource that is available.
And then we have our monthly webinar series where there’s quite a few cybersecurity topics that we talk about that can help provide you with some additional tools and education to ensure that you’re staying up-to-date with the most current best practices.
I’ll also highlight that there is a free tool that we are going to make available for folks that are attending this webinar. This is a standards based risk assessment tool from NIST. What that will do is, it takes about 30 to 45 minutes to fill out the survey, and we’ll generate an automated report with this pretty graphic that highlights what areas of cybersecurity are in the green and are good, and then what areas might be in the red. We’ll provide some recommendations.
The NIST Cybersecurity Framework highlights and prioritizes things like security awareness training, which we’ve talked about as well. And so it’s a great resource. If you’re looking to get some baseline understanding of what your organization should be focusing on, this is a great free tool. I think we have the link we can chat out. [contact Matt at the link on this cybersecurity page for more information and the free NIST assessment]
You can drop an email and I will create access to this tool for you. And then you’ll have access to the online portal where you can fill out this risk assessment tool, get an automated report, have a PDF download, and then dashboard access to this tool moving forward. It’s a really great resource especially if you’re trying to get started and figure out where to prioritize the cybersecurity investments for your organization.
All right, another under the process, we talked about passwords in the password manager section. This is a free resource that’s available: Have I Been Pwned. This is put together by an Australian cybersecurity researcher. He has taken all these publicly disclosed password breaches, put them in a big database, and then you’re able to go and search to see if any of the passwords that you use, or an account that you use, has been involved in a data breach or compromise.
Again, that comes back to the good practice of having strong and unique passwords for all the different sites that you go to. You can go to this website, which is haveibeenpwned.com. You could check that out and see which of your accounts may have been involved in a data breach.
If you find an account, good practice, reset the password, see if you can enable multifactor authentication.
Carolyn Woodard: Oh my God, I did this and I had this old Yahoo! account for years, I wasn’t even using it anymore. And I guess Yahoo! has been hacked so many times. But yeah, I recommend this just for your personal emails that you use as well. It’s good. And then you can change the password on that account and enable the multifactor authentication as well.
I have been busy on the sidelines chatting out these different links.
If you want to get in touch with Matt to request that NIST risk assessment, the link is in there as well.
Now we are going to turn to technology and talk about some more tools. We haven’t got to 10 yet, so it’s time. I’ll be putting them in the chat as well.
Matthew Eshleman: All right. So now we’re talking a little bit about technology tools. We can have some conversation about keeping computers up-to-date.
Keeping your computers up-to-date with both operating level system patches, and application patches is a foundational element of cybersecurity control.
If you are a Windows user, Microsoft has made a shift in their patching policy. If you’re Windows 10, they’re automatically pushing down those patches to you and installing them in the background. So it’s important for folks to be rebooting their computers ideally once a week so that those patches can have a chance to be applied and applied correctly. So again, Windows, you just make sure that you’re restarting your computer weekly, and that should take care of the operating system patches.
If you’re a Mac user and you get into system preferences and check for updates. Mac OS patching is really end user centric. So again, check for those updates and restart your computer weekly to make sure that they have a chance to be applied. So that’s for operating system.
For third-party patching, that would be third-party applications like Chrome, Adobe, maybe some additional add-on tools. A lot of them have now moved to a self-updater model. So that’s been great. If you’re responsible for the IT at a larger organization, it may be helpful to have some sort of an automated tool to make sure that it’s not just the operating system level patches that are being installed, but all those third-party applications as well.
There’s a couple of tools out there. Ninite is a very popular one. There’s a free version of that, and you can run it on a computer. It’ll scan for all the applications that are installed there and identify which of them need to have updates.
Not free, but on the pro version there’s an enterprise level that allows you to automate a lot of that. And so if you’re at a large organization, that might be a great tool.
Chocolatey is another so-called package manager, providing a free way to manage and update applications from a centralized way. Those are some great tools to make sure that not just your operating system is patched, but also the third-party applications are patched as well.
So now that your operating system is patched, that’s a pretty straightforward process. Third-party applications are patched. Now you can look at some vulnerability scanning.
Vulnerability scanning is a process where you can get a third-party application to scan your computers, your public web resources, and report back if it detects that anything has not been updated.
Email threat scanning https://freescan.qualys.com/freescan-front/
This is a great way to check and confirm that the patching process that you think is in place is actually working. There are a couple of different options out there. Qualys, which is a really well regarded vendor for this, does make a free scan version. It has kind of a limited scope, but is a great way if you just want some independent checks on the quality of your patching and management systems. The Qualys tool is available there. So qualys.com will give you some insight in terms of, are my computers patched and up-to-date? Are my servers patched and up-to-date? It’ll even look for network firewalls, that kind of information is able to query and report on that level of insight as well. So, again, it’s important to patch your systems, and it’s important to confirm and make sure that that patching is actually happening.
And as we talked about at the very beginning, email is a huge source of attacks. The most common attack factor is going to be through email. And there’s a lot of great paid security tools that are available to help block spam, remove business email compromise messages, all of that. So there are great paid tools that can proactively block that.
Bonus recommendation: https://www.barracuda.com/email_scan
If you’re trying to build a case or just want some additional insight about whether you need this tool, Barracuda makes an email threat scanning tool where you can sign up, delegate some permission, and the Barracuda system will actually scan your Office 365 environment and identify if you have malicious messages already in your Office 365 environment.
Here in this report that we can see delivered, it will identify if there are fraudulent messages. Maybe if there’s spear phishing that’s already been delivered. It will surface those messages that you can get some additional information on.
Again, a really great tool to provide some of that reporting and analysis to make sure that the email tools that you currently have in place are doing the job that you expect them to and give some good insight and reporting to identify if there have been any threats that have already made their way through. So, again, the Barracuda email scan is a great free resource as a way to scan that Office 365 environment to make sure that your email inbox is clean.
All right, I think we’ve got a bonus recommendation here. I did want to highlight there are some additional free tools that vendors like Microsoft make available, particularly for organizations that are in the democracy and journalism space.
If you find yourself in that category, there are some additional security tools that Microsoft will make available called the Defending Democracy program. I think it goes by the term Account Guard. It turns on some additional security options within Office 365, and then gives you access to their heightened security planning and response team for making sure that your organization is well protected and you’ve got some additional set of tools and monitoring available from Microsoft. So again, that’s a free resource that Microsoft provides to organizations that are in what they call the defending democracy space. [For more info: https://news.microsoft.com/on-the-issues/topic/cybersecurity/democracy-forward/]
So we’ve talked a lot about free tools, and I think you can certainly do a lot with free. But I will say, for a lot of these tools, there’s a limit to what you can get out of the free platform.
There’s certainly a couple things, if you’ve done the free stuff, and you’re ready to move forward and take the next step, I think there’s a couple things that are really worth paying for.
One is formalized security awareness training. Again, you can do a lot for free. If you’re an internal person, you can provide education to your staff. I think that’s great. I would look for security awareness training. It’s being included with a lot of different service offerings now. Maybe your HR system is including some training libraries as part of an added module that they’re throwing in. That’s something that we’re seeing quite a bit.
You want to make sure that the cybersecurity training is really good and relevant so that you can get your staff engaged, and it’s not something that people just kind of pass off and ignore because it’s not done very well.
I do think security awareness training is something that it is worth paying for because you get such a good return on investment from that. We use Knowbe4. It’s very well regarded. It’s not that expensive. And we see results.
Gamified email anti-phishing training: https://www.knowbe4.com
I think they have 6 million customers or mailboxes that they’re protecting or providing training for. And the thing that I like about some of these paid training programs is that you can see progress over time in terms of who’s clicking on emails.
So you can do some test phishing out of the tool where messages are delivered in inboxes. You can see which of your staff are opening messages, which of your staff are clicking on them. And then it combines that with an online learning management system where you can assign trainings, gauge progress and then provide follow-up as it’s needed.
We see this mirrored in the clients that we’re working with, where from the initial baseline phishing campaign, we may see 20% to 30% of messages get clicked. And then typically over time, after about a year or so, that falls into the low single-digit percentage points. So it really is effective and you can measure the progress over time. Really great resource and not that expensive. Totally worth it. And that reportability is really handy so you can get some feedback. So it’s not just the IT person sharing a staff meeting once a year, but you can really see some measurable progress over time.
Carolyn Woodard: I can definitely say having done Knowbe4, you get an email from Knowbe4 and it’s a little suspicious, like you should be suspicious of it. And of course, I clicked on it, and then it’s immediate. You’re like, Oh, I shouldn’t have done that. And it takes you immediately to what you should have done, how you can check, how you can hover over to see, look for misspellings and stuff like that. I found it incredibly effective for me personally that fit my style of being able to learn about it in a positive way.
Matthew Eshleman: Great. Another tool I think is really important to pay for, and it’s actually a follow-up on that email scanner tool is business email compromise protection. Some of that may seem a little jargony, so I will define.
Spam is just any type of unwanted email. We all know it, we’re all familiar with it. Offensive emails for Viagra, sales junk, just stuff that’s unwanted. You know who it’s coming from, but it’s not something you’re interested in. It’s kind of easily ignored. That’s how I characterize spam.
Business email compromise is a little bit different. Also, spear phishing is kind of a similar term where the sender of the email is obfuscating who they are and they’re trying to appear like somebody else. Like your executive director emailing a staff person saying, hey, can you do something for me real quick, right? Or, hey, I need you to buy some gift cards. Can you do this or, call me back on this number?
So that is when the name of the sender is often obfuscated, and they’re disguising who they are and trying to get you to take some action. It’s really hard for any spam solutions to block this stuff because there’s just not that much content to go on, so it can be very difficult.
If you have spam protection, it’s been set up for a long time. It’s going to miss all of this stuff because it just hasn’t been updated or it’s not designed to protect against those very short transactional email messages. There are security tools that are built to identify and block this. They typically work a little bit differently, whereas in regular spam filters email flows through them.
Business email compromise protection tools like Barracuda Sentinel work by connecting into the back end of your email system and scanning email after it’s delivered. And so they’re able through some of their AI work to analyze messages, determine intent. That tool can maybe figure out that the sender is different, the actual reply email address is different from the sender and provide some additional insight. And it’s great because it can remove messages from your inbox after it’s delivered.
Barracuda Sentinel: Artificial Intelligence for Real-Time Email Protection https://www.barracuda.com/resources/Barracuda_Sentinel_DS_US
This is a very helpful and powerful tool in combating business email compromise attacks. And I find organizations, if they have to pick between the two, they’ll often choose to pay for this type of protection because people get a lot more upset and frustrated whenever they’re getting email that looks like it’s coming from their executive director or looks like it’s coming from their finance department. If they can block and remove that they’ll prioritize that over trying to reduce the amount of junk spam messages that people get in their inbox.
So again, business email compromise protection or spear phishing protection, I think is something that’s worth spending money on. Because so many attacks originate via email, it’s important to have the best type of protection you can.
If you’re going to make a cybersecurity investment, after MFA, email protection is a great place to look at spending that money.
And then I will say, assessments are actually worth spending money on as well. I think you can learn a lot. There’s a lot of free assessment tools. I already talked about a couple here. There’s a five minute survey tool that you can go through on our website that would give some immediate feedback. There’s the offer to do the free NIST assessment, about a 30 to 45 minute investment of time on your part to go through the survey, to answer all the questions. Gives you a nice report back.
Those are great survey driven tools to give you some insight in terms of what your organization should do next. But there’s certainly no substitute for somebody actually looking under the hood at your organizations, IT configurations, and policies, and procedures, and identifying where those gaps exist.
If you’ve already done the fundamentals right, if you’ve already implemented multifactor authentication, you’ve already done security training, you’ve already maybe done some IT policy work, that’s where you really should start. You don’t need an assessment to tell you that.
But if you’ve done the basics and you’re really looking at how you can continue to improve your organization’s policy and practices around cybersecurity, having in an outside vendor who’s specialized and focuses on cybersecurity controls can be a great way to continue to make sure your bases are covered and then move to a more mature level when it comes to implementing cybersecurity protection.
So again, I think getting an independent assessment is a great way to provide a lot of value. I would certainly do this before organizations invest in pen testing. I think pen testing can be helpful, but you really need to make sure you’ve invested a lot in your cybersecurity controls before that sort of assessment or that sort of service is really worth it. So again, free tools are helpful. Once that’s done, you can move up the chain and continue to improve your controls.
Carolyn Woodard: We said we’d make sure everyone knew all of the lingo. So can you just tell us what pen testing is?
Matthew Eshleman: Yes. Pen testing is short for penetration testing. That is a tool or system of approach where an organization will actually pretend or act like the bad guy and try to hack your system. They will maybe send emails to your staff to try to get them to click on things, look at your website and try to do some exploits.
It’s a mock adversarial engagement where you’re paying somebody or firm to do some proactive scanning, proactive hacking so that they can uncover weaknesses for your organization to identify and protect so that whenever the real bad guys come, you’ve had a chance to identify and implement some of those protections.
Carolyn Woodard: And I think pen testing tends to be a lot more expensive and also more necessary for larger organizations or if you are working in a policy area where you have specific concerns, like an advocacy area. Maybe some other countries where you’re thinking that there may be that kind of spying or persistent threat you’d want to invest in pen testing perhaps?
Matthew Eshleman: Yeah, I would say, penetration testing, depending on the size of the organization, again, the answer is it often depends.
That’s going to be at least like a $10,000 engagement, right? Starting at 10,000 and going up and going up kind of quickly from there. So again, it’s very expensive and may be a requirement if you’re an organization that needs to follow PCI compliance. You process credit card information, you have a lot of donor information, those are areas where it may be relevant and worthwhile or even required to do penetration testing.
But if you’re doing it as hey, we have some money to spend on cybersecurity, where should we spend it? That would be one of the last things that I would do. Invest in the basics, get a roadmap, make sure that these basic controls are in place. And then you may get value out of the pen testing.
Carolyn Woodard: I think you said that once you’ve had a security breach, you’re then on the list of more likely to have more, not because you were doing anything particularly wrong, but once it’s known out there that you had a problem, then you get on these websites and other people are going to try and attack as well. So maybe that would be another consideration.
We’re doing great on time. I want to make sure that we go to the Q&A now.
We have a question from Carolina who wonders, do you have a recommendation for email threat scanning for Gmail?
Matthew Eshleman: Yes. Most of the tools will do email threat scanning for Office 365. I think they have a bit more of an open API that allows them to do that. For Google, the name is escaping me right now. If you send me an email, I will reply with it. Or if I think about it, by the end of the webinar, I will share that. [
[The free tool is Graphus: https://www.graphus.ai]
This is one area where, if you have a spam filter, the way that works, you’re just sending your email through there and then they can deliver it, whether you’re in Google or whether you’re in Office 365. These business email compromise tools, again, typically work through APIs. Most of the work is around Office 365, so there’s a lot of solutions there. There are less solutions available for Google, but they do exist.
The next question is, do you have a recommendation for free is great or paid is okay for password managers for teams and staff? I’m sorry, the person who asked this is Ben, I’m not sure if that’s for Teams, the platform, or for a team.
Matthew Eshleman: Teams as a group, yes.
The password journey that many organizations are on are: step one, no password management or using the browser, or that kind of thing, which is where we all start.
The next step would be getting a password manager, maybe as a one on one.
And then moving up to team based password managers. There are popular tools like Dashlane. I like LastPass, personally. And there are team based subscriptions where, for your organization, you can buy and provide password managers for staff as a secure way to manage and deal with all those unique passwords that you need for all these different sites.
Dashlane – https://www.techsoup.org/dashlane
LastPass – https://www.lastpass.com
You’ve got 150 different sites that you need to log into throughout the course of your work week. And it’s important to have a good way to generate and manage all those passwords without reusing anything. So, yeah, so I think LastPass is a great tool for that.
Carolyn Woodard: It was Ben who asked the question and he clarified teams as a group not Microsoft Teams, the platform.
I might be opening a can of worms here, but I know that you’ve talked about single sign-on in the past. That’s something that’s more organization-wide. You wouldn’t have that just for a team to access all of their applications that they need.
Matthew Eshleman: Yeah, that’s correct. A password manager is great for storing and providing passwords to all these discrete websites. If you’re part of a larger organization or maybe you have a little bit more sophistication, the next tier up would be called single sign-on. So instead of having 10 usernames and 10 passwords for 10 different websites, you would have one username and one password for those 10 websites.
The security thinking there is that instead of protecting all those different accounts equally and managing them discreetly, you’re able to provide more support and management around that one credential that then provides access to all those different websites through some security technology called SAML is typically the mechanism.
And there’s a whole bunch of technical stuff that we could geek out about related to that. But the security benefit of single sign-on is that you get much better reporting and analytics from the gateway that you’re putting up than you are trying to manage 10 different accounts at 10 different websites. And obviously that increases exponentially as you add more people and more websites to the security profile.
Carolyn Woodard: I think if you want to geek out with Matt, you need to get in touch with him.
We have another question, which is, any recommendations for log aggregation and analysis tools? We worry that if we had a breach, we would never know or have records to hand over to law enforcement or security professionals.
I did already put in the chat in response to that question, the Lockton Guide for Cyber Insurance. It’s a free download and it’s kind of adjacent to what we were talking about, but it has a lot of the controls and how to think about insurance, and then as part of that insurance process, if you had a breach, what would you do next? And I can also recommend our webinar that we did on that in August, which I’ll drop as well.
Matthew Eshleman: Yes, I think that is a great question. I think whoever asked that shows a growing awareness of all the different systems that are out there that would need to be considered if and when you do have to respond to a breach.
I’d say in general, most systems will provide maybe a week or two, or up to 30 days of logging within a platform. And so in the event of a security incident, your IT provider or the breach response person, are going to look in those logs and unless you’ve got a unified system in place, they have to look in all these different places to try to piece it together.
How did this email come in? And then this person clicked on it and then it was a virus on this computer and then it spread to this other system. If you have all these disconnected systems, it can be very difficult, if not impossible to try to really piece something together.
There are a number of different solutions that are called Security Information and Event Management tools that are geared towards basically receiving all this log data so that you can retain it and search it and analyze it. So they end up being expensive, right?
If you’re asking questions about log aggregation, that I think shows a certain degree of maturity as an organization. There are some open source tools that are on the lower cost side, but if you’re making the investment in a SIEM tool, it’s important to understand your requirements. And it’s probably going to be part of a strategic investment for the organization. And you would go through and figure out what your requirements are and find a vendor that would match up with that.
That’s probably in the $10 to $50 per month, per user, cost range. It can be relatively expensive, but again, depending on the type of organization that you work in, may be a requirement.
Carolyn Woodard: Okay. I want to make sure that I get to tell people about some of the other events that are coming up for cybersecurity month. I want to make sure to tell people that we are also giving a webinar on October 12th. You can sign up for it on our website communityit.com. Matt is going to be back and talking about anti-phishing training where we worked with a funder to provide that to their grantees. A really interesting case study about working to protect your investment in your nonprofit and how to train staff to be that first line of defense. So that’s coming up as well.
We have the learning objectives; I want to just go back quickly over them. I always like to wind up an hour of having such a great conversation with you, Matt, about all of this.
You did a great job, of course, covering
- the cybersecurity landscape for nonprofits.
- Talking about cybersecurity readiness.
- We have that free download with the 10, I think it was more than 10, free security tools and a couple of those that you could pay for.
- And then depending on what kind of investment you wanted to make, what you would do next,
- how to get in touch with Matt if you need an assessment or that free tool or just want to geek out
- understanding the role of executives and staff to manage basic security even when you’re not the IT person. Although I get a sense that we had some IT people on this webinar.
- I hope that if you are not totally up on all of the lingo and in charge of this at your nonprofit that we gave you some things to think about and some tools to investigate, of course you can always get back in touch with us.
And that’s the last point of the learning objectives, knowing where to go for additional resources on nonprofit cybersecurity. So I think that’s it for us.
Tammy from Nonprofit Learning Lab: Yes, thank you Matt and Carolyn, this workshop has now come to a close. If you are interested in receiving the recordings and materials from today’s free webinar, you could visit our free webinars page on the Nonprofit Learning Lab website, or you can send us an email. Thank you so much for participating, and again, thank you Matt and Carolyn for educating our community.
ICYMI: [almost all] Links from the webinar, in the order they were shared in the chat feature.
KeyPass – https://keepass.info/
Dashlane – https://www.techsoup.org/dashlane
Chrome Password – https://support.google.com/chrome/answer/95606
Vulnerability scanning www.Patchmypc.co
Email threat scanning https://freescan.qualys.com/freescan-front/
Bonus recommendation: https://www.barracuda.com/email_scan
Gamified email anti-phishing training: https://www.knowbe4.com
Barracuda Sentinel: Artificial Intelligence for Real-Time Email Protection https://www.barracuda.com/resources/Barracuda_Sentinel_DS_US
Other events and on-demand resources for cybersecurity month:
https://communityit.com/webinar-preventing-financial-fraud-at-your-nonprofit/ (with Nonprofit Learning Lab)
https://communityit.com/webinar-2022-nonprofit-cybersecurity-incident-report/ (has a free download of this report)