Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
Join CTO and Nonprofit Cybersecurity expert Matthew Eshleman as he presents data from the fourth annual Community IT Nonprofit Cybersecurity Incident Report.
This report looks at the different types of attacks that occurred in 2021 at small and mid-sized nonprofit organizations in our network. Using real data, Matt tracks trends in cybersecurity attacks and gives your organization tips on how to respond – and on prevention.
Is your nonprofit prepared?
Matt walks through our Community IT advice on security improvements that provide protection against the most common attacks. Learn the lingo around cybersecurity, the types of attacks nonprofits face, and the role of leadership in placing a value on cybersecurity preparedness for your nonprofit.
Matt updates us on the most recent international scams and hacks, and discusses steps your nonprofit should take to understand your risk level.
Matt gives you the tools you need to protect your organization and staff from cybercrimes. Many of these tips you can put in place quickly and train your staff on immediately.
You may also be interested in downloading our completely revised 2021 Cybersecurity Readiness for Nonprofits Playbook, or taking the 10-minute Cybersecurity Self Quiz.
As the Chief Technology Officer at Community IT, Matthew Eshleman leads the team responsible for strategic planning, research, and implementation of the technology platforms used by nonprofit organization clients to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how nonprofit tech works and interoperates both in the office and in the cloud. With extensive experience serving nonprofits Matt also understands nonprofit culture and constraints, and has a history of implementing cost-effective and secure solutions at the enterprise level.
Matt has over 22 years of expertise in cybersecurity, IT support, team leadership, software selection and research, and client support. Matt is a frequent speaker on cybersecurity topics for nonprofits and has presented at NTEN events, the Inside NGO conference, Nonprofit Risk Management Summit and Credit Builders Alliance Symposium, LGBT MAP Finance Conference, and Tech Forward Conference. He is also the session designer and trainer for TechSoup’s Digital Security course, and our resident cybersecurity expert.
Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.
He is available as a speaker on cybersecurity topics affecting nonprofits, including cyber insurance compliance, staff training, and incident response. You can view Matt’s free cybersecurity videos from past webinars here.
Matt is excited to present this 2022 nonprofit cybersecurity incident report.
Carolyn Woodard: Welcome everyone, to the Community IT Innovators’ webinar series. We’re so happy that you could join us for today’s webinar on our updated Nonprofit Cybersecurity Incident Report. This report will look at the different types of attacks that occurred in 2021 at small and mid-size nonprofit organizations in our network.
Using real data, Matt Eshleman, our Community IT CTO, will show us trends in cybersecurity attacks and give tips on how to respond and on prevention. We’re going to talk a little bit about our learning objectives for today.
After the webinar today, you should be able to:
- Understand the cybersecurity landscape for nonprofits.
- You should be able to understand our Community IT approach to Cybersecurity. We have a framework and we’re going to talk a little bit about it.
- You should be familiar with the incident types and data from the 2021 report, and Matt is going to go over some definitions. So don’t worry if you’re not up on the latest terminology, because we’re going to cover all of that.
- And then we’re going to learn basic steps to take, to secure your nonprofit.
We encourage you to submit questions and comments through the Q&A feature today. And many of you submitted questions at registration that Matt is going to do his best to answer. You can always follow up with Matt afterwards. We will have his contact information to get some time to talk to him, because we know we won’t be able to cover everything today. It’s a pretty big topic.
We also have several free cybersecurity resources on our website, if you haven’t looked already, including a
- short self-assessment quiz.
- There is a downloadable playbook that walks through our cybersecurity framework in more detail.
- And there are multiple previous webinars on cybersecurity available as videos, podcast, or transcripts and all the links that we talk about today are dropped in the chat. We are also going to make links in the transcripts, so you don’t have to worry too much. If you miss one, we will make them all available later.
And we are also recording today’s conversation and the video and podcast will be available on our website, so you don’t need to worry too much about taking notes. After the webinar, you’ll receive an email with a link. It’s also posted on our YouTube channel and as a podcast episode in two parts within a week.
And I also want to let you know that when you close the webinar today, you’ll see a survey link and this really helps us improve our presentations. So if you take the survey today, you’ll be entered to win a $25 gift certificate. So be sure to click on it when we’re done with the webinar.
If you happen to be watching on YouTube right now, we encourage you to subscribe to our YouTube channel, so that you’ll get the updates every time we post a new webinar.
And we also invite you to subscribe to our email list from our website. We don’t send a lot of emails, but we do update you on webinars that we’re offering every month, so you can attend in real time and ask your questions.
Before we begin, if you’re not familiar with Community IT, a little bit about us: we are a 100% employee owned managed services provider. We provide outsourced IT support, and we work exclusively with nonprofit organizations. Our mission is to help nonprofits accomplish your missions through the effective use of technology. We have about 40 staff and we started in the DC metropolitan area over 20 years ago. And we now serve nonprofits across the United States. We’re technology experts and we are consistently named a top 500 managed services provider by Channel Futures, which is an honor we received again in 2021.
So let’s get started with the discussion today with the cybersecurity incidents we’ve seen. I’d like to start by introducing myself. My name is Carolyn Woodard. I’m the marketing director at Community IT, and I’ll be monitoring the Q&A and chat and helping Matt in his presentation. So Matt, would you like to introduce yourself?
Matthew Eshleman: Hey, thanks Carolyn. It’s great to be delivering the session today and also doing the webinar with you. I think this is our first time doing one of these presentations together. As Carolyn said, my name is Matt Eshleman and I’m the Chief Technology Officer at Community IT, and I’m the author of the incident report.
This is our fourth time that we’ve delivered this incident report, which really looks at the unique cybersecurity incidents that face our nonprofit clients. Community IT actively supports about 150 different non-profit organizations, which represent about 6,000 staff, so we have a unique perspective on the cybersecurity incidents in this sector.
So we’ve learned a little bit about Carolyn and myself. I’d really like to get a chance to know the audience, so we’ll go ahead and launch a poll here.
So I’m curious for the folks that are on the webinar today. If you could just respond to the two questions that we have up here.
First question is about your role at your organization and then also to get a sense of how well you feel like your organization is protected, related to cybersecurity.
We will give that a moment or two for you to respond and share that out so we have a sense of the audience here today. I’ll also just give another plug. I really do appreciate any of the feedback that you would offer. And so please take advantage of that. As an incentive, hang on to the end and enter that drawing for a $25 gift card. And Carolyn, where are we doing the gift card to?
Carolyn Woodard: You know, usually we would do one to Amazon, but it depends on the person who is drawn out of the hat. So if there is an alternative that you would prefer, we can see what we can do. We’ll work it out.
Matthew Eshleman: Sounds great. Sounds good. All right, well, let’s go ahead and share the results here. So we can see we’ve got a broad swath of folks represented in terms of the audience from executive folks to a large majority of operation staff. And then in terms of how well you’re prepared it looks like most folks have taken some basic steps to secure your systems. A few folks on the opposite end.
So I think, what my goal has always been in providing this analysis and sharing out the report is really to provide some specific and tangible steps that organizations can take to better protect against the most likely risks that face their organization. So the incident report itself is in the final stages of doing the document editing. By attending the webinar today, you’ll get the early advanced copy as soon as it comes out. Hopefully, that will be here relatively shortly, we have a lot going on.
And the complementary document or report that we put out in addition to our incident report is really our Cybersecurity Readiness for Nonprofits guide. The incident report really is focusing on the data that we have and then the playbook focuses on the specific controls. Carolyn, you want to talk a little bit about where folks can find that?
Carolyn Woodard: Yep. I just put the link in the chat for downloading the playbook. And I also wanted to just give a quick plug as well for the self-assessment quiz that we have, that’s also free on our website and I’ll drop that in the chat in just a minute. The quiz takes about 10 minutes and it’s a really good option for putting in your basic information and getting a feel for where you might be doing a good job and where you might need a little bit more work on your cybersecurity.
This slide is going back to the agenda and our learning objectives. Matt’s going to talk a little bit about the
- Cybersecurity landscape.
- How remote work has impacted some of the threats and some of the vulnerabilities that we see.
- Our approach to cybersecurity.
- He’s going to go over the types of incidents and the definitions for what the different incidents could be.
- And then he’s going to share some of the report data with us and
- Finish up with the steps to secure your organization.
Matthew Eshleman: Great. I think it’s helpful starting off with just understanding a little bit of the cybersecurity landscape that we are operating in. And that’s one where we really do see persistent and ongoing brute force attacks against your digital identity. I think it’s really great nonprofits have done a great job of adopting cloud services and it’s really helped organizations be productive during this prolonged work from home period, but it also means that the bad guys are also able to attack and try to log into those cloud based systems because they’re so ubiquitously available.
We also know that there are lots of sophisticated spear phishing attacks, and in fact it looks like some reporting shows that almost 90% of all threats come through email and that’s a really prominent avenue for adversaries to use.
We also know that organizations are targeted because of the work that they do. And we see this particularly in organizations that work in the think tank or public policy space. Those organizations that have access, or are adjacent to government really do garner the attention of some of these more sophisticated state sponsored actors.
And then finally we know that the bad guys are targeting vendors like us. So again, if you work with a managed service provider they are likely subject to a higher degree of attacks than a regular organization would be because of the nature of the work, because of the access that they have into the system.
So if you’re in one of those specialized categories, it’s likely that you need to pay some additional attention and care to the controls that you have in place to protect your organization.
Microsoft has done a lot of great research around the attacks that they see. And this has come out from a report from data from 2020, around cyber-attack victims by sector.
The largest chunk of organizations that are targeted by cyber-attacks are in the IT sector, followed by government. And then at the same level, think tanks and NGOs. So again, those types of organizations really do receive an outsized amount of attention from threat actors. And it’s important that if you’re in those categories, you’re really taking extra care to invest in the protections and controls for your organization.
Carolyn Woodard: So Matt, with that landscape in mind, can you tell us a little bit what we saw broadly in 2021 that impacted nonprofits around cybersecurity?
Matthew Eshleman: Yeah, definitely. So in 2021, there were a couple of big splashy events that caught a lot of attention related to cybersecurity controls. The first one, in March of last year, there was an adversary called Hafnium, that is associated with the Chinese state sponsored actors. And they were exploiting Microsoft Exchange Servers. There are still Exchange servers out there and they were using some vulnerabilities within that platform to get remote access to those systems. So that kicked off the year.
In July, a vendor that makes remote management and support tools for managed service providers and for larger organizations called Kaseya, was a victim of a coordinated ransomware attack, where ransomware was launched.
And then at the end of the year there was a vulnerability that impacted a login vulnerability. It was called Log4j and this is a software logarithm that’s used in many, many different software applications. And so that was pretty widely impacted. Basically any organization with software installed had to do some follow up and remediation and discovery to determine if they were vulnerable to this type of attack. There were a couple of these really significant events that occurred last year that really shaped some of our response and our remediations and the incidents that we focused on protecting our clients from.
And then, in terms of the operational trends that it all translated into, we are seeing an overall increase in wire fraud. And we’ll talk a little bit more about the specific definition of what wire fraud is. We did a joint webinar with Your Part Time Controller [on how to Protect Your Nonprofit from Financial Fraud] to really focus on how to best protect and defend your organization against that. And Carolyn can provide that link as well, but recognize that that’s not just a technology control, but a policy and procedure control.
We’re seeing more cases where secure by default is enabled. And so for organizations that are new to Office 365 or Google Workspace, those organizations are now turning on security features like multifactor authentication by default, which is I think a really positive step. If you’ve been on either of those platforms for a long time, that’s something you have to take a proactive step to do. But many organizations are turning on secure by default as their baseline option, as opposed to having to opt in.
The other big operational trend that we are seeing is around cyber liability insurance. This has transformed pretty rapidly over the last year where it’s gone from having very loose control requirements where, as long as you filled out the application, you could get coverage to now, we’re seeing really strict expectations around requiring multifactor authentication, requiring policies and procedures before an organization will even be considered for coverage. And also we’re seeing policy premiums really go up pretty dramatically. This is a new space as far as insurance goes and that’s really driving some of the compliance that we’re seeing amongst the organizations we support because the insurance companies are demanding it.
And then finally, I think this has been the case for a while, but I think it bears mentioning again, there are significant resources available to nonprofit organizations from the big tech vendors, such as Microsoft AccountGuard. Google provides their Advanced Protection Program for organizations that are supporting democracy. And then Cloudflare, which is a DNS or web security provider, also has some free services available through their Project Galileo initiative. Nonprofit organizations can get these technology solutions at very low or no cost to help protect their organization.
Carolyn Woodard: Matt, I know that we talked about external events that are impacting cybersecurity over the past couple of years. I know COVID has impacted so many areas of our personal and work lives. Can you tell us a bit of what you’re seeing in cybersecurity in relation to COVID and remote work?
Is working remotely, and the other challenges nonprofits are facing during the pandemic, impacting vulnerabilities or increasing risks? What are you seeing?
Matthew Eshleman: Yeah, we saw a big spike, particularly as the work from home shift happened and it was new, in spam and spear phishing campaigns that were related to vaccinations and those issues. On the heels of that we’ve started to see an increase in workers comp fraud claims as employment resources were extended. That’s been really taken advantage of by hackers who are using identity theft to make fraudulent workers comp claims. I think that continued shift, or continued work from home environment, has meant that many organizations have had to adapt and implement new technology solutions to support their staff. That’s created some challenges in remote access and secure home environments as well.
There’s also been an increase, that’s maybe lessened as we’re now in year two of the pandemic, but the use of more personal devices to access work resources. Organizations are becoming aware of that challenge, particularly with a lot of the staff turnover that we are seeing as well.
Staff use personal devices to access work or organization resources, and then they leave and then there’s not really a way to call that data back. I think it has been a risk.
And then the other challenge we’re starting to see now as organizations bring folks back into the office, there’s a whole process to get reoriented or realigned around what it means to be back in the office, especially as people have had new computers and maybe they’re not set up for the office wireless, or maybe the office network doesn’t meet the same requirements that it did pre-COVID. We’re seeing a lot of issues now on the reintegration side, in terms of coming back into the office.
And then, the management to help support all that has been a lot more difficult if you didn’t have tools in place ahead of time. So management and reporting has been challenging. As I mentioned earlier, I think work from home does open up additional security holes and we’re concerned about not only the integrity of the office network, but now we have to be concerned about an individual’s home network as well, since that can represent another area of attack.
Device management and mobile device management policy, so that we can make sure that systems are updated and getting antivirus updates and patching, no matter if they’re out of the office or in the office, is really an area of concern for us.
Fortunately our management tools support that distributed workforce, so we were well prepared. For organizations that didn’t have those tools, or a partner that had cloud-based tools to begin with, I think it was a little bit of a steeper learning curve. So I think that’s the approach that we’ve seen in terms of dealing with some of the security issues associated with more remote work.
Carolyn Woodard: Just to remind everyone that we do have this playbook that’s available on our site as a free download. I did get a chat from someone who was trying to access it and was having a little difficulty. I will be able to look into that after the webinar, but it is there. People have downloaded it in the past. We will be sending that link out as well. We also have a video on our site where Matt walks through how to use the playbook and the framework, which is a little bit more complicated than we’ll be able to get into. Not complicated, it’s just a longer conversation than what we’re going to be able to do today.
Matt, can you touch on some of the basic cybersecurity practices we outline in the playbook that all nonprofits should be using?
Matthew Eshleman: Yeah. This is the graphic that we use. There’s lots of different frameworks. I think this is a simplified graphic that we use for small to midsize organizations to emphasize that the work that you do should start off with policy and policy development.
It’s good for organizations to go through that process of identifying what data systems they have. What is the expectation around the use of passwords? And what’s the use of corporate devices versus personally owned devices? There’s not necessarily one right answer, but it’s important for the organization to go through and make that determination on their own.
- Starting with the foundation of IT acceptable use policies,
- getting that incident response policy in place,
- have a data retention policy.
Those would be some of the key elements that we would expect to have at a foundational layer.
Security Awareness Training
Then moving on to security awareness training. Even though we’re a tech company and I love all the tech tools, I really do think that security awareness training is absolutely critical for nonprofit organizations to help defend against the most likely attacks that you’re going to experience.
Having staff that are engaged and aware and know what to look for, know how to respond, know how to ask for help is a great return on investment for your IT spending.
Once those foundational pieces are in place, then there’s technology solutions available to protect your identity and protect your data and the devices that you’re using, the network perimeter, whether that’s just your office or much more distributed. Then protecting your web resources as well.
Like I said, there’s always more technology tools that you can layer on top, but I think it’s really important to have those fundamentals in place in policy and training, so you have those bases covered and can make better use of those more advanced tools as you can adopt them.
Specifically, the foundational practices that we like to see would be
- IT policies,
- Security awareness training.
- It sounds basic, but making sure your computers and the third party updates are applied and working regularly is good.
- Make sure you’re rebooting your computer weekly, so that those updates have a chance to apply. That’s really key.
- Having antivirus in place.
- And we like to include web filtering as well, as part of a multilayer approach.
- And then finally, multifactor authentication is really a key control. And you’ll see that reappear in some of our closing recommendations, but that’s a very important piece to protect your digital identity online.
At Community IT, we provide device management for over 6,000 devices and the things that we’re able to deliver as part of that technology solution are the patching and the antivirus and the web filtering. Things like the policy work, things like the security awareness training and things like MFA, do require end user engagement and executive buy-in. And so those are things that you’ll need to plan for more proactively to work on adoption with your staff, as opposed to just flipping a switch and getting those protections turned on right away.
So let’s talk a little bit about some background definitions. I’ve used some terms already. I want to make sure that we’re all on the same page in that regard.
Threat actor is a term that is used to define who’s doing the targeting. That’s the entity that’s perpetrating the attack. According to the Verizon Data Breach Investigations Report, while espionage gets the headlines, it is only about 10% of the breaches, with 86% of those attacks being financially motivated and just 4% caused by these advanced or state sponsored threat actors. That’s another important thing to keep in mind.
Cyber-crime is really financially motivated and this is big business.
So organizations don’t necessarily care about you and your fantastic mission. You’re an organization and you have financial resources and they can get them. The mission of your organization is not going to necessarily protect you from cyber criminals.
The specific incident itself would be a top level term. Many security issues are security incidents. That’s an event, an alert or something that could indicate a more sophisticated or serious issue.
That could turn into the things that we’re really concerned about which is a breach. That’s an incident which results in the confirmed disclosure, not just the potential disclosure of data or assets to an unauthorized party.
Carolyn Woodard: Thank you so, so much for those definitions, Matt. I know that’s one thing that I struggle with is all of the lingo. If all the attendees remember one of the topics we wanted to cover today was to define some of the types of incidents and what they involve. You’re going to talk about the report and the number of incidents that we saw. So could you talk a little bit more and define maybe the types of incidents that we’re encountering?
Types of Incidents
Matthew Eshleman: Yeah, there’s a lot of different ways to categorize incidents. This is what we’ve done that makes sense for us. We categorize things as
- Spam. We want to know about that. That’s the junk messages. The identity of the sender is pretty clear. But it’s just unwanted messages.
- Compared with the spear phishing, or sometimes also called business email compromise. That’s really a much more sophisticated form where the sender is obfuscated. They’re trying to get you to take some action. So, buy this gift card, click on this link, type in your password to access this document. That’s often the first step in a much more sophisticated attack.
- Many times the ultimate goal of this is wire fraud which is a criminal classification that talks about stealing money basically through electronic means. That could be updating a wire transfer to a third party to steal funds that way, gift card fraud. Those things all fall under that category of wire fraud.
Moving into the device based attacks, we’ve got
- malware. Again, a top level generic classification, which is malicious software. It’s maybe just annoying compared to a virus, which is a bit more malicious: it spreads from one computer to another, or renders the computer unusable. We actually don’t see this as much anymore.
And then the thing that we’re all really concerned about, is
- ransomware, where your data is rendered unreadable. Then, the way to get it back is to pay some sort of ransom in cryptocurrency. That’s untraceable. That’s a very serious concern and a big dollar value amount when it comes to cybercrime.
Then we also have things that are around compromising your digital identity.
So we’re really focused on protecting against
- account compromise. That’s when somebody, other than you, gets access to your account. And the way they do that is often through some sort of
- brute force attack or credential stuffing. The bad guys are harvesting credentials off the web for these various data breaches, and then reusing them and just trying to log in over and over and over again until they get in.
And then finally we have some more focused attacks,
- supply chain, attacking one organization to get to another. Attacking a managed service provider to get to their clients, maybe attacking a nonprofit organization to get to board members. That sort of thing is something we want to be aware of and protect against.
And then we have the
- advanced persistent threat. These are state sponsored actors that are really focused on targeting and maintaining persistence at an organization. Getting in specifically for Think Tanks, seeing what’s going on. Who are they talking to? What type of policies are being developed? Who are they working with? That’s the category there.
Carolyn Woodard: Matt, we have a question in the Q&A of whether paying ransom works. Do people get their data back generally? Do nonprofits get their data back or is it gone for good?
Matthew Eshleman: No, I would not recommend paying the ransom. It’s not a guarantee. Oftentimes, the criminal operators are under surveillance. The systems that they’re using to decrypt data can be disrupted by law enforcement. And so, we would not recommend paying a ransom.
It’s really important to have good backups of all your data in a third party system that you have access to, so that if and when you do have a ransomware attack, you’re able to recover that data from your own systems, as opposed to relying on some criminal decrypting your data after you get Bitcoin. So we don’t want to pay ransom and we want to make sure we’ve got our data in systems that we have control over and are disconnected from other accounts so that we have the ability to recover that data when necessary. Great question. Thank you for that and if there’s others, please, chat them in.
We started off supporting about 5,300 devices. We ended the year supporting about 6,000 devices. This is the data that we’re gathering through our service desk to generate the report information that we have. So we’ve grown over time and we’ve been able to have a broader impact to support organizations regardless of their geographic location because of the support tools and the capacities that we have.
Before I share the incidents that we responded to last year, I’m going to just launch another poll here to get a sense of the biggest cybersecurity concerns for the audience today. There’s a lot of bad things that can happen.
I’m curious to get a sense of what’s the biggest concern? Is it this advanced persistent threat actor that’s maintaining persistence on your network? Compromise of your account, either accessing information of your organization? That ransomware threat certainly makes a lot of big splash on the news, wire fraud or financial loss?
Carolyn Woodard: Matt, you’re asking about the things that people are worried about, not necessarily what’s already happened to them.
Matthew Eshleman: Yes, exactly.
Carolyn Woodard: Although that might make it something that they’re still worried about.
Matthew Eshleman: Yes, exactly. I mean, what’s the biggest concern? I think it sometimes gets phrased as, what keeps you up at night? I think any of these things hopefully are not keeping you up at night.
Again, what you’re concerned about, and then what you want to be able to align your organization’s protection against. Looks like we’ve got responses pretty broad across the spectrum here. I’ll go ahead and share the results. Seeing account compromise being the highest area of concern. I think that that makes a lot of sense because somebody’s accessing something that isn’t theirs and it feels really personal. It does carry a pretty huge risk to the organization in terms of what data could be potentially exposed or how that compromised account could then be used to pivot and target other organizations.
Carolyn Woodard: And just for the people who are listening on the podcast, or maybe can’t see as well, some of the other responses were advanced persistent threat, ransomware, compromised account, wire fraud or financial loss, data exfiltration, insider staff threats, which probably would be like embezzlement, that sort of thing. And then I’m a little bit surprised that all of the above is as low as it is with only 22%, because I think that would be what I would pick!
Matthew Eshleman: Yes, there’s lots to be concerned about. For us and the incidents that we categorized and responded to as part of our service desk, the biggest number of threats was related to spam followed by spear phishing or business email compromise where the identity of the sender is obfuscated. They’re trying to get you to click on a link or take some other action.
This year, for the first time, we’ve broken out our account compromise into suspected and confirmed. In some cases that “account compromise suspected” could manifest itself as part of a business email compromise.
You get an email, it looks like it’s coming from the executive director, maybe it’s not clear. So some additional investigation is really required to make sure we can confirm that, yes, even though the email address says it’s from your executive director, when we look in more detail, we find out this is actually a spoofed account. And so the account is not compromised, but there’s some spoofing going on. They’re faking the address.
We had quite a few of those suspected account compromises occur last year (88). And then, we did actually have 32 confirmed account compromises that we had to respond to across our client base.
You can see that we have a new category this year, or for the last two years, we went back to look at brute force attacks. This is something that we’re able to more accurately report on for those organizations that still have servers on premises.
If you’re an organization that has what’s called a desktop server, and there’s an open port on the internet for RDP, it is almost guaranteed that you’re getting brute force attacks. The bad guys just are cycling through all of those passwords to try to find an account that they can log into and then take actions from there.
So again we’ve got a range of attacks. As I mentioned, this is the fourth year that we’ve been doing this. We can see that the first year of data that we reported on was actually 2018. We categorized 233 incidents. In 2019 that jumped up to a little over 500. In 2020, we had 690 incidents and in 2021, we had 696 incidents. So maybe a flattening out and we’ll see some of that data over time.
We can see a little bit of the trends of the various security incidents over time.
I will just note that we have two different scales. On the right hand side our scale goes from zero up to 70 incidents. That’s where we classify issues like account compromise. We had 32 in 2020, and then another 32 in 2021. The brute force attacks were 40 couple in 2020, and that spiked up to 64 in 2021. And then the spam has gone up and stayed consistent. And then we actually saw a little bit of a decline in the spear phishing data, which is a little bit easier to see.
The other types of incidents that we responded to: again, ransomware. We did have two issues of ransomware that we responded to last year after not having any for a couple of years and then malware and virus activity overall tends to be very low for the organizations that we manage. I think because of the proactive security controls that we have in place, the proactive patching, the antivirus, the web filtering, I think they all contribute to relatively low incidents of virus activity on the computers that we are managing.
Carolyn Woodard: Matt, we have a quick question from chat. What is advanced persistent threat? Can you remind us of what that is?
Matthew Eshleman: Yeah, so the advanced persistent threat, the definition there would be a state sponsored actor. So, Russia, China, North Korea, a number of countries have significant cyber capabilities that really operate with slightly different incentives than cybercrime. With cybercrime, they’re there to make money in ransomware. That’s the tools of the trade. Advanced persistent threats are really interested in maintaining access and getting data and learning about that. That’s why Think Tanks and policy organizations tend to be targeted. They don’t see as much ransomware activity, but they really do see sophisticated threats from state backed threat groups that are trying to get access to their networks.
Carolyn Woodard: Excellent. Thank you for answering that.
Matthew Eshleman: We can see email security incidents have flattened out a little bit and we even see a reduction in spear phishing. I think one of the reasons, when we were going back through the data we saw a pretty big increase in the number of email protection tools that we were able to deploy last year. You can see some of the business email compromise protection tools that we used.
We went from having 1500 seats deployed at the beginning of the year to over 2,400 seats at the end of the year. That makes an impressionable difference in terms of the actual number of incidents that our clients are seeing, because the security tools that are put in place are actually doing what they’re supposed to do, which is removing or blocking those malicious emails from reaching the inboxes, or removing them after they’ve been delivered.
This is from the Verizon Data Breach Incident Report, basically every organization is experiencing malicious email. This chart shows company size from zero to 10,000, on the bottom. Malicious URLs – if you’ve got 50 people, you’re almost guaranteed to receive a malicious email that has a malicious link in it. And then, you’re almost guaranteed to receive malicious packages. Those would be mobile files trying to get access to systems.
So again, every organization is targeted and targeted heavily through email based attacks. And so I think it’s worthwhile investing in protecting there.
Device and identity attacks are going up and down as well.
The brute force attacks on remote desktop servers are a really big threat area. We’re working with our clients to try to decommission those systems and shift away because they do represent such a significant risk to the clients. Again, if you have on-premises servers that are open to the internet, that’s a really risky scenario to be in. It’s important to take extra precautions to secure and protect those on-premises resources from external threat actors.
Carolyn Woodard: I love all of these charts and graphs, Matt, thank you so much for putting this all together. Can you talk a little bit more about trends and some takeaways that would help us focus on how to understand this data?
Matthew Eshleman: Yeah. I think it’s good. Lots of numbers, lots of data. So what do we do?
The one thing that was interesting for me to see is that maybe cybersecurity incidents are holding steady. We added several hundred users that we supported last year, but even with 15% growth in the number of clients that we support, we still saw basically about the same number of security incidents. So that’s positive.
I don’t think cyber issues are going away anytime soon, but I do think that use of these tools for protection helps address that big category. Going back to the beginning slides that we had in the overall landscape, attacks against big vendors like Kaseya and third parties as a way to compromise systems are something we all need to be aware of.
In 2020, Blackbaud had a security breach. So I think that type of attack is not going away. It’s not going away anytime soon.
As organizations rely on third party vendors to provide services and host data, it’s important to understand what protections are in place, how your data’s being managed, and how you can recover. Just because it’s in the cloud, doesn’t mean you can forget about it. I think that’s an important takeaway.
Account compromise is still at a very high level.
And there again, implementing the right tools can help reduce risk.
So, if you are taking the steps to implement the advanced email protection tools, that really reduces the risk. If you can implement security awareness training, that can provide education capacity building for your staff to know what’s malicious and what’s not.
All of those things help contribute to protecting your organization and your organization’s data a little bit more.
- Those advanced persistent threat actors really do target policy and Think Tank orgs. They continue to be something that we are seeing increasing sophistication in and in how those attacks are occurring.
- We also see that if an organization has been compromised once, then more attacks are likely. You get on the bad guys’ list and they know you and your organization are out there. And so if you have had an account compromise it’s likely, or if you’ve had some other sort of data breach, we see a lot more activity or interest over time.
- We work with some social service organizations. I think we see more business email compromise attacks there, targeting that sector more so than some of the other organization types.
- And then I think the other thing that I would just highlight is that MFA is incredibly effective in preventing account compromise. Tying back to the number of accounts that we saw compromised in 2021, which is 32, none of those users had multifactor authentication enabled on their accounts. It’s just a really striking statistic. I think it’s why we see in many cyber liability insurance applications that they’re demanding that multifactor authentication be enabled and we can see it in the data. Of the account compromises that we responded to, none of the staff had turned on MFA. At this point, it’s really a key security control that every organization needs to have deployed across any solution that they can log into from the web.
Carolyn Woodard: We have a couple of good resources on our website about multifactor authentication and just briefly explaining how it works. And we even have a little training video of how it works and why to require it. So you can look up those resources on our site.
We’ve had a couple of questions come in, but we’ve answered them as we’ve been going along, but I wanted to just pose this question. Why don’t we see 100% of nonprofits adopting multifactor authentication to keep their accounts more secure?
Matthew Eshleman: Yeah, I think it’s a good question. I think for many organizations, it’s not just a technical solution that can get turned on in the background.
It requires users to take some proactive steps to implement. Also, it’s because organizations have not, or vendors have not made it a requirement. That is starting to shift. This year we saw Salesforce make the change; MFA is now required for all accounts. My hope is that we see much more adoption of multifactor authentication. It’s becoming a lot easier to implement.
I think staff are becoming more familiar with it as it is required in many other areas of our life. If you have a bank or credit card, they’re all implementing two step or multifactor authentication that combines something you know, which is your password, along with something that you have, which is often in the best of cases, a security token on your phone or a physical token.
It can also be a text message or a secondary email authentication. My goal is that everybody gets MFA implemented here this year.
Carolyn Woodard: We have a couple more questions coming in, but we do have a question slide that’s coming up in just a couple slides. So I’m going to ask this one first for us. Why don’t nonprofits invest more in cyber security? That’s a big one so, do you have thoughts on it?
Matthew Eshleman: Yeah. It’s a rhetorical question I think, to some extent. Organizations are really focused on the mission and cybersecurity feels like a luxury to some extent. It’s like an extra, so until it’s really required or mandated, organizations have other priorities.
I think that’s often why that extra expense of turning on multifactor or having a formal security awareness training program, moving from regular antivirus to an EDR endpoint detection tool, it’s extra cost.
Organizations are focused on minimizing overhead. So I think that that’s a big opportunity for funders and foundations to come in. We know this stuff is important. We know it’s critical. We know it’s effective. And so to help reduce that cost, I think is really important.
Secure Your Network
We don’t want to just focus on all the bad things that we’ve seen and all the things that could go wrong, but we really want to focus on some specific steps that you can take at your organization to improve.
While we have a whole cybersecurity playbook that you can download, and I encourage you to use as a reference,
- let’s make sure you start with an IT acceptable use policy to protect against those misguided and misaligned IT initiatives. It can help set the groundwork for making good technology decisions later on.
- Implementing a security awareness training program is a really great way and a really great return on investment. Not just relying on ad hoc training or free resources, there’s lots of good free stuff and we have free stuff on our website, but having a formal way of testing, training and engaging staff is a really great step to take.
- And then finally, turning on multifactor authentication, not just on your primary Google or your primary Office 365 platform, but carrying that into the other systems that you use. I know organizations are using 5, 10, 15, 20, different cloud based solutions. Just think: if you can log into it over the web, the bad guys can too. Putting that speed bump of multifactor authentication is a really effective way to ensure the integrity of your accounts.
Carolyn Woodard: I think people are a lot more used to having to do some secondary authentication, like when you log onto your bank account or what have you. So it’s not as big of a lift as it used to be.
We have more information on all of these core cybersecurity functions that we can talk to you about, and provide. We can do assessments. There’s a self-assessment quiz on our site as well.
I really want to make sure that we get to our questions. One that a couple different people have asked about is SSO, single sign-on, how does that relate to MFA?
Matthew Eshleman: Yeah. That’s a great question. If you look at our foundational security control, we would suggest everybody start with a password manager, right? It’s a way to store and manage and generate unique passwords for all the different sites that you have.
Single sign-on takes that to the next level. So instead of storing 40 passwords for 40 different applications, you use one password with multifactor authentication that then has access to those 40 different applications. From a workflow perspective, it makes it a lot easier to support, manage and monitor those authentications into all of those different systems. If you can do single sign on, that’s a better way to go. It’s streamlined. I think you need to be of a certain size and I think a certain sophistication to do that.
We start seeing organizations tackle SSO whenever they get to be 20, 25 staff and up. If you are in Office 365, you can do single sign on through Microsoft enterprise applications. It’s a very good platform that has native integrations with many tools.
Okta was mentioned in the chat. It has a really nice single sign-on platform. They do have nonprofit discounts. That can be another good tool to use. Okta has also had a security breach of a third party vendor that they used and I think they have not done a particularly good job of communicating with their staff and customers about that, but I think these sorts of things are unavoidable.
I don’t think the solution is to go back and say, we’re going to go back to having the server in our office and everybody has to come into the office and we’re going to have all of our applications on premises. But organizations need to have good systems and processes in place to understand what data they have in which system and how it’s being used and accessed. And so whenever a vendor does have a security issue or a security incident, then you’re able to react and respond.
And then, I think it’s also important to have a good vetting process when you’re working with third party vendors to understand, do they have a good process in place? Do you have confidence in that? What steps are they taking to secure your data and provide a response whenever there are issues?
Carolyn Woodard: There are so many great questions. I know we’re not going to get to all of them. I think maybe if you go to the slide that has your contact information that’s available on our website as well, so people can get to it.
If you put a question in and we didn’t get a chance to get Matt to answer it, I will include those in our transcript [see below!]. And then we’ll have a little written response from Matt about what you should think about or do. We’re going to answer all the questions; I just don’t think we’re going to have a chance to get to it right now.
So we have Matt’s contact information there. And like I said, that is available on our site as well. So people can get in touch with you and maybe ask you their questions directly.
If you can go to the next slide, I want to just make sure we tell people about our next webinar, which is May 18th at 3:00 p.m. Eastern, 12:00 p.m. Pacific.
This is going to be a panel talking about Building a Foundation for IT Innovation. I think a lot of us have some tech projects that just don’t work. And there are some tech projects that are really fantastic and help you out a lot with your efficiency or effectiveness or with having greater security. This webinar is going to talk a little bit about a framework to think about your organization, your culture, your assets, and when it makes sense to invest in innovation, either an innovative technology or an innovative use of existing technologies that your nonprofit might want to put together in interesting new ways.
We know that nonprofits are always trying to get as much as they can out of what they have. So that’s going to be an interesting webinar and I invite you back to it.
I wanted to make sure we go back to our learning objectives and talk about our takeaways. I think we covered everything we were trying to cover. Matt gave us a good
- overview of the cybersecurity landscape and
- our approach to cybersecurity, the different layers that you need to have. If you need more information on that, of course we have our playbook. Thank you so much, Matt, for going into depth about the
- definitions of the lingo and the types of incidents that we’re seeing. New incidents, old incidents that are coming back, incidents that should be concerning to all of us as we saw in that poll.
- And then we did talk a little bit about basic steps to take to secure your nonprofit.
I see in the chat, I think a lot of people have a lot of really good questions. So that means you’re already thinking about it and doing your research and maybe struggling or confident in what you need to implement in your nonprofit. So that is great to see.
And I think one of my takeaways, Matt, from something you said earlier is that it’s difficult not to see this as just a cost, but if you think about it as an investment, I think that makes a lot more sense. So you’re preventing a larger cost down the road by making an investment now and that nonprofits who can see that as an opportunity maybe have a step up on nonprofits who can only see it as a cost and have difficulty making that investment because they just see it as a cost.
So this was just such a wonderful webinar. I’m really so excited that we were able to have so many great people join us today. And Matt, thank you so much.
I have to remind people of the survey, so make sure that you click on the survey when you close your webinar.
I just wanted to put a quick plug in for a conference that’s coming up in May, the Good Tech Fest is a virtual conference at goodtechfest.com and we will be presenting about innovation and IT, but they also just have a bunch of good interesting sounding keynote speakers. So I urge you to check that out and we’ll have a link on our website to that as well. So Matt, I just wanted to thank you again so much for helping us think through this. And I don’t know if you have any final words you wanted to leave people with.
Matthew Eshleman: Yeah, there’s been lots of good comments here about multifactor authentication and the importance of that. I would wholeheartedly advocate for organizations to take that proactive step. There’s lots of edge cases and all kinds of other permutations that you can talk about, but I think what we see is that, the most likely scenario is that there’s going to be some email based attack or some brute force attack. Being able to block those malicious emails or equipping your staff to identify them, and then protecting your accounts with multifactor authentication is going to go a long way to protecting the integrity of your organization’s accounts and data.
Carolyn Woodard: Yeah. I think what I got from you too, is that you can’t just do it with tools. You have to have your people on the front lines being careful and helping each other to be careful.
So thank you again so much. This was a great presentation and all the attendees will be receiving an email that will let you know how to access the video, podcast and transcript. So thanks again.
Q&A from In-Person Chat
How do we convince our users to use advanced security features like using hardware keys, app based MFA applications, etc?
That’s a great question! I think something is to require what you can require. We also recommend frequent short training vs once a year boring security videos. That helps staff feel like they are part of the solution.
Does paying ransom work? Do people get their data back?
Answered live: No. The FBI does not recommend paying ransom. You will lose your money and probably your data too. We recommend ensuring you have a recent backup, on a system not connected and under a separate password/MFA protected login, so you can restore your data without paying ransom.
Many B2B have been compromised. Adobe, Kaseya, Okta, etc. What are some things to look for if it would be safe to come back? or should we dump them forever?
This can be a tough question, when you are weighing your options – stay with a previously compromised third party vendor, or go to a new uncompromised one (as far as you know!) Individual cases of course will vary. First, if your organization’s data was compromised, you will need to work with your vendor on the solution. Hopefully not with lawsuits, but you will probably get very familiar with the terms of your contract. Second, this brings up how important these contracts are. Understand what is covered in your third party contract, whether that is through your IT provider or directly with your IT department. Don’t be afraid to ask questions and a vendor’s attitude toward answering your questions will tell you a lot about whether you want to sign a contract with them! If the third party vendor is managed by your outsourced IT provider, that provider should be able to answer any questions about the vendors they use to your satisfaction. And third, you need to weigh the probability that a previously hacked vendor will be hacked again (are they taking safeguard measures?) vs the probability that a hack is just waiting to happen to your new vendor. In either case, the important questions are a) how do they protect their clients b) how do they react when hacked.
Any thoughts on SSO? Pros and cons?
Answered live: SSOs are very useful in many settings. We have more information on our site about Single Sign On for Nonprofits.
I know that MFA is almost impossible to implement for shared accounts. We either can’t afford an account for every staff member who will use it, or its usage is very low, but broad. Any tips besides don’t use shared accounts?
Short of not allowing shared accounts (which is more secure all around!) it is possible to use MFA with shared accounts if you are using an authenticator rather than authenticating through a text to a specific phone. Diligently changing the password with regularity can help track who is still sharing the account and keep folks who no longer need to use it from having access. This is absolutely a common problem at nonprofits, so while we don’t recommend shared accounts we know that they will continue to exist as a solution to a budget issue – but taking steps to keep them from becoming a larger security issue is worthwhile.
(from another attendee) It should not be a question – MFA should be a requirement. As a nonprofit, we are stewards of our advocates’ information and donations. We must protect that. So, this is not a question, but it is puzzling to me when nonprofits don’t do this. Every CEO/ED should require this.
Is “remember my device” a 100% no?
Your device itself is relatively secure. If you’re an organization that’s at higher risk for hacking, such as foreign policy, or good government advocacy then you may want to have more stringent requirements. We’re interested in having good baseline practices in place so that it’s easy to be secure.
Where can we find funding to cover IT security? Are there foundations that fund this?
This is unfortunately a question we are all asking. The short answer is that foundations SHOULD be funding this, at the minimum for their grantees, and funding should be more available for nonprofits in general to protect themselves online. One community talking about this is the Technology Association of Grantmakers. If you need talking points for your own funders, we covered some ideas recently near the end of our presentation Cybersecurity Basics for Nonprofits.
Where can we get more info on developing response plans (staff vs. IT point people)?
We have this resource on our site on how to create an incident response plan. We also covered this in the webinar IT Security Incident Response for Nonprofits.
How do I get management to take the threat seriously?
That is a great question. With so many incidents in the news, maybe find a way to highlight that prevention is easier than response. Here is one example (not our client): the food bank Philabundance lost nearly 1 million in wire fraud in 2020 in a phishing fraud scheme.
What is the threat my org should be most concerned about?
We hate to give this answer, but it depends. The short answer is, there is a level of basic threats – and basic tools and training – that all nonprofits should be implementing against regular attacks that are coming in every day. You can learn more from our free framework Cybersecurity Readiness for Nonprofits and in our recent webinar on Cybersecurity Basics for Nonprofits. The three most important actions to start are documentation of acceptable use policies, require MFA, and staff training. None of these is expensive.
The answer specific to your organization depends on your risks. Do you deal with data that is appealing to hackers (major donors, children’s contact records, etc)? Do you work in an advocacy field that puts you at risk from state-sponsored actors? Do you have executives who create financial work-arounds, or refuse to use MFA for highly valuable data? Any of those specific risks could be the threat your organization should be most concerned about – performing a self-assessment quiz or getting a consultation could help you determine your specific risks.
Do you see or have concerns about MFA bombing? (MFA bombing is multiple prompts for sign-in until the user clicks yes on the authenticator app.)
(from another attendee) Regarding MFA bombing, we usually disable the call to phone option as that’s what gets people the most.
(from Matt) We think that Microsoft going to “passwordless” authentication is a good move because it provides a way to provide an interactive response to a push notification. In that case the user needs to enter the digits on screen to confirm the MFA challenge.
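As an added example, not from the webinar or from Community IT, the following Python script shows the defender's side of the pattern discussed in this question: it flags bursts of MFA push prompts in constructed sample sign-in logs (the fatigue pattern of repeated denials followed by an approval), and models the number-matching check Matt refers to, where the user must type the digits shown on the sign-in screen rather than just tapping "Approve". The log format, the five-minute window and the two-digit match are assumptions for illustration, not any particular product's logs or protocol.

```python
"""Spotting MFA push bombing in sign-in logs, plus a number-matching challenge.
Added illustration; the log lines below are constructed, not from a real tenant."""
from collections import defaultdict
from datetime import datetime, timedelta
import secrets

# Constructed sample sign-in log: ISO timestamp, user, event type, user's response.
SAMPLE_LOG = """\
2022-04-20T09:01:02Z alice@example.org mfa_push denied
2022-04-20T09:01:20Z alice@example.org mfa_push denied
2022-04-20T09:01:41Z alice@example.org mfa_push denied
2022-04-20T09:02:03Z alice@example.org mfa_push denied
2022-04-20T09:02:30Z alice@example.org mfa_push approved
2022-04-20T09:05:00Z carol@example.org mfa_push denied
2022-04-20T09:15:00Z bob@example.org mfa_push approved
2022-04-20T13:40:10Z bob@example.org mfa_push approved
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, user, event, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events


def detect_push_bombing(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: finding} for users who got >= `threshold` push prompts
    within any `window`-long span. The finding records the burst size, how
    many prompts were denied, and whether an approval followed earlier
    denials: the fatigue pattern where the victim taps "Approve" to make
    the prompts stop."""
    prompts_by_user = defaultdict(list)
    for ts, user, event, result in events:
        if event == "mfa_push":
            prompts_by_user[user].append((ts, result))

    findings = {}
    for user, prompts in prompts_by_user.items():
        prompts.sort()
        for i, (start, _) in enumerate(prompts):
            # Sliding window anchored on prompt i.
            burst = [p for p in prompts[i:] if p[0] - start <= window]
            if len(burst) < threshold:
                continue
            results = [r for _, r in burst]
            approved_after_denials = (
                "approved" in results
                and "denied" in results[: results.index("approved")]
            )
            findings[user] = {
                "prompts": len(burst),
                "denied": results.count("denied"),
                "approved_after_denials": approved_after_denials,
            }
            break  # one finding per user is enough to raise an alert
    return findings


class NumberMatchChallenge:
    """Number-matching push MFA (assumed two-digit code for illustration).
    The sign-in screen shows a number and the authenticator app asks the user
    to type it, so a prompt the user did not start cannot be completed by a
    blind tap on "Approve": only the attacker's screen shows the number."""

    def __init__(self):
        self.displayed = f"{secrets.randbelow(100):02d}"

    def verify(self, entered):
        """True only if the digits typed in the app match the sign-in screen."""
        return entered == self.displayed


if __name__ == "__main__":
    for user, finding in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {finding}")
    challenge = NumberMatchChallenge()
    print("number match accepted:", challenge.verify(challenge.displayed))
```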