Listen to PodcastPt 1 Pt 2
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
How do you plan for Cybersecurity readiness at your nonprofit?
Community IT Innovators’ CTO and Cybersecurity expert Matt Eshleman discussed cybersecurity in a new webinar conversation hosted by Art Taylor at Give.org, the BBB Wise Giving Alliance.
October is Cybersecurity Awareness Month and we want you and your charity to be on top of the latest cautions when it comes to the security of your data and websites. Only 20 percent of nonprofits report that they have a cyberattack policy in place. Matt Eshleman, Chief Technology Officer at Community IT joined this discussion to answer questions about the current state of cybersecurity.
In part 1 of the podcast, Matt discusses a framework for cybersecurity policies and ways to focus on your people first – training and policies – before investing in any new technology products or platforms that promise cybersecurity. There are lots of fancy technologies out there, but if you don’t invest in training and maintaining staff skills, no technology will save you from scams.
In part 2, Matt discusses cultural constraints and the nonprofit environment that creates assumptions about risk and return on investment for cybersecurity protections. But much of the action you can take should be focused on your staff training, and those investments can be a financial minimum with a huge financial savings when your organization avoids ransomware or other hacks. Matt closes by answering audience questions from practitioners at charities and nonprofits like yours.
As with all our presentations, this webinar on cybersecurity for your nonprofit charity is appropriate for an audience of varied IT experience.
Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.
You may also be interested in this related podcast interview with Art Taylor.
As the Chief Technology Officer at Community IT and our resident cybersecurity expert, Matthew Eshleman is responsible for shaping Community IT’s strategy around the technology platforms used by organizations to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how technology works and interoperates both in the office and in the cloud.
Matt holds dual degrees in Computer Science and Computer Information Systems at Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.
Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference, Non-Profit Risk Management Summit and Credit Builders Alliance Symposium. He is also the session designer and trainer for TechSoup’s Digital Security course. He enjoys discussing the many cybersecurity options and scenarios with you and taking your questions on cybersecurity for your charity or nonprofit.
Art Taylor: Well, hello everyone. I’m Art Taylor, the President and CEO of the BBB Wise Giving Alliance also known as give.org and it’s Cybersecurity Month. So we decided that it might be worthwhile to convene a Coffee with Colleagues to discuss various issues that charities face dealing with their cybersecurity.
We are fortunate to have with us a gentleman who knows a lot about cybersecurity and he is going to take us through a presentation and give us all a chance to ask questions and make comments as we need to so that we can dig into the subject at a significant level.
Our guest today is Matt Eshleman. Matt is the Chief Technology Officer at Community IT Innovators. Matt is responsible for shaping Community IT strategy around the technology platform used by organizations to be secure and productive. Matt has a deep background in network infrastructure and he fundamentally understands how to secure a network technology and how it interoperates both in office and in the cloud.
So, Matt, thanks for joining us and we’re going to turn it over to you and I’ll just say to all of our guests today if you have questions, please put them in the chat and we will try to get to each one of them before the session is over. Matt, it’s all yours.
Matt Eshleman: Great. Well, thank you so much for inviting me to be with you today and talk about cybersecurity. I think it’s a very important topic and there’s a whole month for it, but it’s certainly relevant outside of those times as well. So looking forward to the conversation here today. As Art mentioned, I do want this to be a conversation and so go ahead and feel free to chat in questions and we can take them as they come in.
Just a little bit about Community IT, the company I work for: Community IT is a 100% employee owned company, and we have a staff of about 38 individuals who are dedicated to helping nonprofit organizations advance their missions through the effective use of technology. We’re technology experts and we’ve been consistently named a top 501 MSP by Channel Futures and have received that again here in 2020.
I started as an intern in 2000 and never left, played a lot of different roles, and bring that experience to supporting organizations and the technology that is available for nonprofits, and the unique culture that exists there as well.
Some of this mirrors a conversation that Art and I had just last week, but
- I’ll talk a little bit about the cybersecurity landscape to help fill in some gaps and help you understand the threats that are out there.
- We’ll talk about some of the controls that you can put in place at your organization.
- And then we always have to make choices. There’s not unlimited resources. I’ll talk a little bit about how to prioritize that implementation,
- and then finally how to engage leadership.
This is not something that IT can do on its own, but it’s something that does require leadership involvement, leadership buy-in.
Starting off to talk a little bit about the cybersecurity landscape. This is something that you probably are experiencing, or and we certainly see as an organization that supports over 140 different nonprofit organizations that represents about 5000 staff.
We see persistent and ongoing brute force attacks on your identity. If you can log into something in the cloud that means bad guys can too, and so as we look at the logs that are associated with those cloud systems, we can see persistent, ongoing attacks from many different locations by people trying to log in and access your account.
We see a lot of really sophisticated spear phishing. That’s when you get a message that looks like it’s coming from your executive director or your finance person, maybe your HR person, that asks you to do something like click on a link, buy a gift card, update some wire transfer information. Really sophisticated messages that can sneak through spam filters.
We certainly see organizations targeted because of the work they do. Specifically, organizations that would be in the think tank or policy space, we see a lot of targeted attacks from foreign adversaries there.
But then again, grant making organizations are targeted for more financial fraud as well. Then there’s attacks to target vendors. Service providers like Community IT, we’re targeted because of the access that we have.
There are broad based attacks that are going on all the time. It’s not necessarily all bad. There’s lots of good security tools that are available to combat these threats. It’s good to have those resources available. It’s also very positive that we’re starting to see organizations be much more proactive in trying to learn and understand what they can do to help protect their organization.
That’s been a shift we’ve seen over the last several years. Evidence is thanking you for attending today just to learn a little bit more about what you can do to help protect your organization. I think it’s a positive step, but we know we’ve got a long way to go.
There was a study that was put out by NTEN a few years ago, and it showed that 60% of nonprofit organizations don’t have an incident response plan. That would be something to put in place to help guide them when they do have a network issue or a compromise.
We also know that that breach response is expensive. We often get caught up in the really expensive, high profile things. We just saw that the Colonial Pipeline, I think spent $11 million to respond to their crypto attack, but smaller organizations are vulnerable too. A stat from Kaspersky said that a breach response for small to medium sized businesses averages $149,000. That’s a significant amount of money itself, much less for a nonprofit or a charity, where your resources are constrained as it is.
Needing to come up with that sort of money to do an incident response is a really significant hardship. If we can be proactive and protect against those threats then you can reduce the risk for your organization.
What that data is worth: A lot of organizations say, hey, nobody wants to bother us; our information isn’t that valuable. Why would somebody go after our organization?
It’s important to recognize that all data has value. It could be a specific kind of record, or could be some other financial loss that occurs due to fraud.
At Community IT we’ve seen recent examples of this related to email compromise that turned into wire fraud -five figure loss.
We’ve also seen gift card fraud, a couple hundred bucks.
While we haven’t been able to find a direct organization system compromise, we’ve also seen a spike in unemployment fraud. That’s where an employee’s identity is stolen, and then an unemployment claim is filed. The state office will then reach out to the employer to confirm and follow up.
There’s lots of different avenues for fraud like that. Angie Barnett, who is from the Better Business Bureau of Greater Maryland, said that there have been increases of unemployment fraud over 3000% since the coronavirus pandemic and catching and prosecuting the criminals is really tricky.
As an organization, you likely have PII about your employees and other information, all of that is valuable and can lead to a significant amount of financial fraud.
In terms of the overall impact of cybercrime, the FBI maintains their Internet Crime Complaint Center and we can see the amount of both the number and the dollar amount associated with cybercrime.
In 2020, that amount is almost 800,000 complaints representing about $4.2 billion of financial loss. It’s a really significant amount of money associated with cybercrime.
We may have the stereotypical view of a hacker in their parents’ basement, hacking systems because it’s fun and something to do. But the fact is that many of these cybersecurity adversary areas are well funded. They’re either supported by a foreign government or a criminal enterprise that has significant resources. So it’s not just one person in a basement somewhere, but it’s a well funded crime based syndicate doing this because there’s a financial payoff for it.
I think that helps to change our perspective, knowing that each organization is vulnerable because we all have assets or resources that could be valuable, could be exploited for profit.
Our Approach to Cybersecurity
Download the Community IT Cybersecurity Playbook for Nonprofits here.
Community IT developed this view of how we want to approach cybersecurity, and that really does start with security policy. Making sure that your organization has a good set of controls in place and has a good framework is a great place to start.
Once you have that framework in place, then it makes it easier to implement other technology solutions like security awareness training. Again, I think that’s a great place to start. You get a lot of bang for your buck from training staff:
- helping them identify threats,
- giving them guidance on how to respond when they do find something.
Training and equipping staff is a great return on your investment because it helps address the weakest link, which is often the people in this chain.
Once you’re able to deal with those two non-technical things, then add in some technology solutions on top of that.
- We look at protections around your online identity,
- protections around the data that you have as an organization,
- the devices that you’re using, your network perimeter, as most of us are in a work remote environment, that network perimeter is very diffuse.
- protections around your website.
If you can do all of that, then it may be appropriate to add in some more NextGen tools or more sophisticated things.
But really, think about starting with policy and training as the first steps in cybersecurity.
At Community IT, I mentioned we support about 5,000 staff at nonprofit organizations. What we’ve written over the last three years was a report called the Nonprofit Cybersecurity Incident Report, where we take a look at all the security issues that we respond to as a company and help to categorize and define those so we are better prepared for protecting our clients’ networks against threats.
When we started this back in 2018 we recorded 233 different incidents at our client networks. That number has jumped all the way up to almost 700 security incidents that we responded to in 2020, and I can tell you this year, we’re on track to continue that growth.
We see the number of cybersecurity incidents really climbing. The big categories that we see here are email first. That mirrors some of the bigger industry research where most threats are coming through email. Generic spam, which I think we all can ignore, but more seriously that spear phishing. I talk about threats that are trying to get you to click on a link, to update financial information, to take some steps that would disclose information or provide financial benefit to the hackers. We see that as the most common attack.
Then probably then the most serious attacks we see is around account compromise. As I mentioned, because you can log into a system online, it means that the bad guys can do that as well.
Making sure that we’ve got protections on your identity is absolutely critical to improving the security at your organization, and I’ll talk a little bit about some specific steps that you can take to help address that.
Specifically, as we think about those cybersecurity controls and what policy needs to be put in place, that typically starts with three documents.
- The first would be an IT Acceptable Use Policy. [You can view a webinar on creating one here]
For many organizations, this was probably written 10 years ago when the employee handbook was last updated. And so it’s likely that it’s out of date at this point. Most organizations have something in place. However, it’s not reflective of the flexible and cloud-centric nature of many nonprofit networks now. I really would encourage organizations to go through a policy development process and use it as an opportunity to identify all of those IT and information systems that are in use and catalog all the data that is stored in each one of them.
Do you have sensitive information? If so, where does it live? Who has access to it? How is it protected? You can help answer all those questions.
It’s also a good opportunity to have a discussion around the device status of the organization. Again, 10 years ago when we were all going into the office and working there every day and we had a desktop computer, that may have been fine. But now, especially with work from home, people need the flexibility. Laptops are much more common now. I know many organizations had to scramble.
Do you have staff using personal computers to access work resources? Personal devices accessing organizational email, is that okay? I think this is a good opportunity to go through and answer those questions.
What happens when somebody leaves the organization, but they’ve synced all of our file data to their personal computer? How do we need to handle that? What risk does that present to us as an organization? It’s always good to talk through some of those scenarios. You don’t have to be necessarily very technical on your own, but I think it is important to be able to talk through different scenarios and then identify any gaps that may come up as a result of that.
It’s a very important step and it helps to give confidence to those folks you’re engaging with.
- And then the final baseline policy that I had listed here is an incident response plan. [You can view a webinar on creating a plan here]
In the IT world, when we talk about cybersecurity, you often hear this phrase of, it’s not IF you’re going to have a network compromise, but WHEN. Thinking about it from that perspective reframes things a little bit.
You need to know how your organization is going to respond when you do have a breach, when your system does get hacked. This document doesn’t need to be long necessarily, but it should be thorough and you should talk through it. Maybe even do some scenario analysis. We’ll call it a tabletop exercise, to say, “What happens if our donor database gets compromised? Who do we need to talk to? Who do we need to notify? What role do the various departments need to play?”
This is not just IT’s responsibility; your IT department will probably have a role, or if you have an outside IT vendor, they will certainly have a role in carrying out that incident response. But, your communications team might also need to be involved to put out news releases or press releases. Your development team needs to be involved to help manage the response to your constituents.
Incident response plans are multi-step. They don’t need to be very complicated, but it’s very important to have something in place before you have an incident so you’re able to respond thoroughly and completely as opposed to trying to invent this all on the fly when you do have an issue.
Talking a little bit about cybersecurity and training, you get a great return if you invest in your people.
At Community IT, our standard approach is for staff to go through one “large” annual training.
We use a training portal called KnowBe4 to use some online training resources, maybe a 20 or 30 minute online system to go through that.
Then we are doing monthly phishing tests. So again, if you can test your staff on a monthly basis to see how folks are doing.
We are doing quarterly micro trainings. Maybe a five minute quiz, a little game, something interactive because we just want cybersecurity to be front of mind.
We don’t want it to be once a year everybody goes into the conference room and three hours later, you emerge.
We want to have it smaller, more bite sized, more focused so that it’s in the staff’s front of mind all the time as opposed to something we really only think about once a year.
And then again, at many organizations there’s always a few people that maybe need a little extra support. Through some of the online training resources, you’re able to identify the people who are clicking on links when they shouldn’t be. Maybe we need to provide them with some additional training and support so they’re able to educate themselves around the threats that are out there.
And then the final piece is really talking about the technology tools that you can have in place. And I think these are typically divided up into three top level categories.
- Protections around your identity and digital account management,
- protections around your data and then
- protections against your device.
On identity, we’re really talking about that account that you’re using to log into systems. The best thing you can do to protect that account is to enable multifactor authentication.
Multifactor authentication combines something that you know, which is your password, along something you have. That is typically going to be an app on your smartphone, so whenever you log in, you type in your password, and then your phone buzzes to say, “Oh, we’re detecting a login, is that you?” and you can press approve or type in a code.
So that’s a great example of how to protect your account because we know passwords are getting compromised with some regularity. The bad guy may be able to get your password, but it’s very unlikely that they’re going to get your password and your phone, as well. Protecting your account with multifactor authentication is really one of the best things you can do for your digital identity.
There’s also some tools you can use to help manage all of those accounts. I know that with everything being on the cloud, there’s so many different passwords to remember, and that’s why I like to use a password manager. I use LastPass; there’s a number of other products out there: Dashlane, 1Password, where you can generate unique and secure passwords, store them in an app. Then they will be auto filled whenever you go into a different website.
That’s the most important thing: each password you use should be unique for each different system.
Using a password manager is really a great way to handle that. I think there was a question that came in as part of the registration that said, “Hey, what about using the password manager or the built-in password feature in my web browser? Can I do that? Is that more secure?” I think it can be a good option. It’s certainly convenient to have the passwords saved in your browser. I do think that there’s probably a little bit of policy work or to think about it as an organization.
Do you want to have your organization’s passwords saved in a user’s personal web browser that may be accessible whenever they’re logging in on their home computer? Or, do you want to have a little bit of a separation? Maybe their work accounts are stored in a password manager. If you’re using that password manager in Chrome or Safari for personal sites, maybe that’s okay.
The most important thing is that you want to stay away from a situation where you are reusing the same passwords on many different sites. That’s a very bad practice. Or, you have some sort of pattern that you’re using where you’re incrementing it by 1, or something like that. Choosing new, unique passwords for every site that you go to really improves your security. Then one system’s compromised, it’s not going to lead to a compromise at other locations.
When we think about protecting data, then we think about some old school techniques of backup. I think that’s one of the things that we’ve lost in the transition to the cloud is that it’s out of sight, out of mind. We don’t really think about it, but it’s likely that the vendor that you’re using for your cloud storage isn’t protecting your data in a way that you would assume it is.
It’s important to understand how the vendor that you’re using is protecting data. If a file is deleted or corrupted or encrypted, what are your options for getting that back? I would tie that back to your organization policy. How long do you need to retain data? If somebody leaves the organization, deletes some files, are you going to be able to detect that within 30 days, or do you need to be able to go back longer if you ever needed to recover data?
Being clear about where your data is, who has access to it, and what protections are in place, is a key piece associated with data protection. I would also add in basic permission structure and permission management as a key piece of data protection, because we’ve got all this data in the cloud and it’s all really available. It’s important to understand the security roles and permissions that people have. If you have a Salesforce database or something that’s storing information about all of your volunteers and you’re using volunteers to help service some of those members, what information do they need to do their job? Not everybody necessarily needs to have access to everything.
They should only have access to what they need to do their job. Being critical about what data is accessible to whom is an important step in data protection.
Finally around data protection, I would say encryption is a newer standard that we’re seeing implemented with more regularity. Encryption would be protecting the hard drive on your computer so that if your computer is lost or stolen, whoever grabs it is not going to be able to get into your hard drive and see all the data that’s there. That drive is encrypted and it requires a unique password or something to decrypt it.
So backing up data, having good security practices in place of access to information and protecting data when it’s stored at rest on your computer, really are very important steps to ensuring the security of that data.
And then finally we’ll talk about device protection. This may seem like basic information, but updating your computer is a very important security control. Art and I talked about this during our conversation, but rebooting your computer once a week to let all of those patches complete their installation, restarting your computer is a very important piece about keeping your device secure.
There’s always security vulnerabilities being discovered and released, and the software manufacturers are patching them and pushing out updates. It’s a little bit of a never ending loop, but as you are being proactive about security, being attentive to those updates, installing them, restarting them on your computer. Maybe having that done at the end of the day on Friday, just restart your computer as opposed to closing the lid on your laptop. Make sure those updates are installed on your device.
In addition to installing the updates, have a good quality antivirus program installed as an additional layer of protection. With all of this, there’s really layers to the security that we’re talking about. There’s not just one thing that you do, but it really does require multiple steps to add together in order to provide that layer of security to protect against all the different threats out there.
If you’ve been with me so far and you’ve been nodding your head and saying, “Yes, I’ve got updates, I’ve got patching, I’ve got policy, I’ve got backup,” that’s great.
There’s more that can be done. Security is a growing and evolving world, and if you’ve got all that stuff done, then the other things you can do would be to look at getting an outside perspective on how things are set up and configured. That could be some sort of a gap analysis that looks at your policies and procedures. If you’re a larger organization and you’ve got well defined systems in place, having a gap analysis system may be appropriate.
You may have a technical review of those configurations. Some vendor may come in and do some scans to take a look at the configurations, log in to your systems and do a review there.
It may be as significant as a penetration test. That’s when a company would come in and essentially pretend to be a hacker and try to hack into your systems. That could give you some additional insight that you wouldn’t necessarily get just through some of those other reviews.
We’re also talking about going from basic antivirus to some new technologies called Endpoint Detection and Response. These are more sophisticated endpoint solutions that can look for not only malicious files that are most typically associated with viruses, but some newer techniques that may run on your computer called “fileless malware,” or other scripted attacks where it’s really hard for antivirus software to detect. But there’s some new solutions out there that are able to identify and block those systems as they occur.
And then finally, being able to monitor and verify everything is a key piece of technology. There’s lots of different disparate systems that are out there. If you’re in a position where you’ve been able to check a lot of the boxes that we’ve talked about so far, being able to roll up all of that reporting to one place where you can look at all the sign-in logs for your staff and all the different systems they’re using. You can feed in information from those Endpoint Detection Response systems. That really helps your monitoring team be able to identify and see what’s going on.
What we know in cybersecurity is that it’s really the weakest link that will get exploited. So it’s important to invest in all of those basics before you move up the chain and want to spend more on additional tools. So again, you need to really make sure that the foundation is covered before you can move on and really get value from some of these other sophisticated things.
I would be remiss if I didn’t really talk about the impact that organizational culture has in all of this. It’s important for folks to understand your organization’s tolerance for risk and what needs to be protected and what can be allowed.
What I mean there is, every organization is different. They operate differently and the cybersecurity controls you put in place really need to flow into how your organization works.
We have some organizations where they’re very competitive and so they like to actually display the security awareness training stats. They like to say who’s clicking on those links and that’s how their culture works. They’ve made it more of a game and interactive.
We have other organizations that are a little bit more conservative and staid. They will approach it with a little bit more seriousness.
Each of these controls needs to be done within the context of the organization. So you can’t just drop a control in place and expect it to work. Understand how it’s deployed and support those users in that change.
So I think in summary, whenever we’re talking about getting started with cybersecurity, what are those things that you need to have in place at your organization?
- It really does start with IT policy
- followed by security awareness training,
- talking about patching for both the operating system and any third party applications that you have on your computer,
- protecting with antivirus,
- making sure that your data is backed up,
- enabling multifactor authentication on those accounts. We have accounts on many different systems. And so that could mean that you’ve got multifactor authentication on your Office 365 account and your Dropbox account and Google; anything that you can log into online should also have that multifactor authentication in place,
- have a password manager to help manage some of that access.
And then the final piece that we’ve added in here as a baseline control is spam filtering or business email compromise. Most people can ignore those unwanted messages – the Viagra ads, that kind of junk, but people really get upset whenever they see a message that looks like it’s coming from their boss or their finance director asking them to do something. Investing in a targeted and sophisticated tool that’s able to protect against that really helps out a lot. It gives people a little bit more confidence in the tools that are deployed.
So it’s kind of a long list. If you can only do three, these are the things that I would suggest you do. I harp on it kind of again and again, but multifactor authentication is really the best protection you can have to protect your online identity. I’m going to see if I have a link here that I can chat out that includes some information about it on our website.
Community IT has some trade resources that we have developed on our YouTube channel. You can go to that site and we’ve got some resources that will walk you through multifactor authentication, also some training and other resources.
Security awareness training. There are lots of different options out there. You can do it yourself. You can do it for free. We use an online tool called Knowbe4 and it’s relatively affordable, about $20 a user per year and that will give you all the online training resources.
Finally, I talked about that business email compromise protection that protects against spear phishing. It also does some great alerting and notification if an account is compromised. You’ll get that notification immediately. If there’s a strange login from a new location or a new rule is created, we’ll see that and it’ll alert your IT admins, so they can respond much more quickly than just relying on other indicators.
The reason we say that multifactor authentication is so important is because it’s so effective. There is research from Google where they have done analysis on how effective MFA is. For most organizations, we’re really trying to protect against those automated bots or those phishing attacks. Those on device prompts are 100% effective, 99% effective against that sort of attack. If we can get there that’s really great.
From the data we see, last year we responded to just over 30 or 32 account compromises for the clients that we supported. Of those, I think 30 did not have multifactor authentication enabled. So about 96% of the account compromises that we responded to didn’t have that protection in place and that led to the compromise. It’s a very effective tool; it really does work and we can see that shown up in the data.
Also, I’d say that security awareness training is very effective. Again, this comes from the vendor that we use, Knowbe4. We’re seeing these numbers for the clients that we work with as well. That initial baseline, you’ll find about 40% of your staff are clicking on phishing links, which is a sobering thought. But the good news is, after training and after ongoing testing, that number really drops down into the low single digits, less than 5%, so it shows that that training does work. It’s effective.
Once you put it in front of people, give them some tools and awareness, you can see measurable improvement in just how many links folks are clicking on, and each of those things is an opportunity for loss. So it’s important to reduce that number as much as we can.
There is a graphic from the FBI that shows how business compromise works from getting targeted with some specific information and trying to get people to click on links, open up attachments, have that interaction, that would then lead to financial fraud and other transactions.
Those are the three things that if you need to focus on just a few controls, where we would start.
It’s important that organizations understand that all organizations are vulnerable. It’s not something that just happens to somebody else. Every organization is at risk and poor cybersecurity is an organizational liability.
If you have to respond to a breach, that $150,000 amount is not unrealistic. That can help put it in perspective.
It requires organizational leadership to say yes. IT can’t turn stuff on in a vacuum and just make people do it. It is something that needs to come from the top. We’ve seen time and again, if an organization says cybersecurity training is important and we do it at the staff meeting and the executive director says, “This is what we’re doing and here’s why,” that’s great.
If it’s just kind of done on the side and the executive team isn’t engaged, or they don’t give it the priority that it needs, it often falls by the wayside. Organizations need to have the leadership say yes, in order to get these things in place.
And I will say that every organization is different in how it’s going to be most well received there. We do suggest that people make time for security.
For our clients, we work on monthly reporting where we’re sharing some metrics back: threats blocked, patches updated, that kind of thing.
And then have a quarterly planning rhythm where we’re looking at what are the things that we’ve got in place, what’s on our annual work plan, what are the other initiatives that we need to be aware of, making it part of the ongoing planning process of the organization.
I think it’s also important to know your audience, as I said some organizations are very competitive and they like numbers and making things visible. Some people may be swayed by that $150,000 loss and they want to avoid that. Other organizations may find that sharing a story or an example of another nonprofit organization or staff person that they know that’s had this negative experience, maybe that’s going to get them to act.
Find what works at your organization in order to be able to move these initiatives through.
Finally there may be some existing compliance mandates that you need to comply with because of the work that you do. If you are receiving credit card donations that means you need to be responsive to PCI compliance. There’s some significant cybersecurity controls that are part of PCI compliance.
And that may give you a little bit of an extra nudge to enable some of these things at your organization, if you haven’t already done so.
We work with some health clinics and for them, HIPAA is a significant control. There’s financial teeth to non-compliance. That gets folks moving when it comes to cybersecurity control, if they have HIPAA compliance.
If your organization works with European folks, then GDPR may be a policy or a control that you need to look at implementing because of the data that you’re working with.
We’re also seeing Cyber Liability Insurance now actually being a big driver for organizations to implement controls. A couple of years ago, you could fill out whatever you wanted on those application forms and you would get policy coverage, and it wouldn’t be that expensive. It was no big deal, but that has all come to a screeching halt. Just this past year, we’ve seen renewals really change because organizations have to turn on MFA on all of their systems. They have to have a backup and disaster recovery plan. They have to have all these policy elements in place. If they don’t, they’re not even going to get coverage; they’re not even going to get a review. Cyber Reliability Insurance is another area that we’re seeing push organizations to implement controls because otherwise they’re not getting written at all. They’re getting significant premium increases because the Cyber Liability Insurance marketplace is really reacting. They paid out a lot more in claims than they took in, so they have to make changes because things are out of balance right now.
So what I would say is review those results we talked about, all those different controls that should be implemented, and those would be considered foundational from our perspective. You should have all of those things in place. If you’re missing some it can feel overwhelming, but pick one to implement. Maybe it’s multifactor authentication, maybe you’ve already got that done. Maybe it’s backups, but I would say, pick one of those controls and find a way to get it implemented so that you’re able to take the next step, and the next step.
There’s lots of different security assessment frameworks out there. There’s lots of things that are going to show your roadmap, but it’s really important that you are able to act. Once you get started, you’ll find you have some momentum. But I think it’s important to pick that one control that you’re going to do next. Schedule time for it and then work on the implementation.
So I think we have a few minutes for maybe either questions or comments as they’ve come in. I think there’s one here in the chat. I’ll take a few minutes here at the end of our time together to see what questions this may have raised for you and your organization.
Art Taylor: Yeah, Hannah and Michelle and Glenda, Jeff and Laurel feel free to give us any specific comments or concerns that you may be having or questions that you have for Matt.
Matt, I want to thank you, but yes, there is a question in the chat about Captcha, which is something that’s used on charity sites that collect donations.
First of all, can you tell us a little bit about captcha, what it does and whether it is something that is more of an industry tool now?
Matt Eshleman: Yeah, so a captcha is often represented as a little checkbox on a webpage. There’s some fancy technology that goes into it where it’s easy for people to check the box, but it’s actually hard for robots or scripting things to figure out where that checkbox is and to check it.
The captcha tool is used to help prevent automated attacks against online forms, and that could be donation forms. We use it for registration forms, anything where a bot could test filling in information or credit cards. That kind of thing can be protected with a captcha.
I think there is a balance and I think each organization will need to test those things and see the impact. I think there’s a lot of tools in place to help, particularly on payment processing and you may need to work with that payment gateway to figure out the right balance for your constituents.
You don’t want to have things wide open because what we see is that organizations that don’t have any gate keeping or quality checks on those kinds of donation forms, in particular those sites can be exploited.
We talked about if credit card numbers get stolen. What happens is that those bad guys then will take those credit card numbers, and try to do small transactions just to see if the numbers work. So if you don’t have any controls on your credit card donation site, your site could be exploited because the bad guy could be running a whole bunch of dollar credit card transactions to verify if a credit card works or not. Turning on captcha on a donation site would be a way to raise that bar to eliminate some of those sorts of attacks.
Art: Great. You talked a lot about risk and organizations needing to balance risk against something happening. And yet, you also said that it’s not whether, it’s when.
It seems that lots of organizations are going to be hit at some level. Maybe it’s a question of how much scale they are going to be hit by. And so these recommendations are really important that you’re making. Is there any estimate for instance of what charities should be spending as a percentage of their budget to secure their organizations? I mean, do we have any sense of that?
Matt Eshleman: Yeah, I think that’s a good question. I think that always comes up, what’s the magic number? And I don’t know if there’s just one number. I think there’s the consulting answer that it depends.
But certainly a few percentage points of the organization’s operating budget devoted towards IT and cybersecurity would be appropriate. I think the good news is that for a lot of these controls we’re talking about: policy or multifactor authentication; those things don’t cost very much in terms of direct dollars. And so you can implement them without a big hit to your bottom line or a big overhead contribution.
And to some extent, some of this is insurance. Organizations are in a position where it’s hard to think about spending money on this, because it does seem like it’s all overhead. It’s like insurance. You need to turn on multifactor so you don’t get compromised. I think that financial calculation can be hard for organizations because they’re really focused on the mission and the work and how they are delivering services. And so that risk that’s out there can be hard to quantify. To say “Well, if we don’t implement this control, that’s going to cost us down the road,” but as I said, it’s not a question of if, it’s when. Having those controls in place to prevent a loss from happening, I think is invaluable. Having those things in place, again: multifactor, backups, we’re talking about a couple dollars per user per month. Not that expensive compared to the potential risk that it helps to avoid.
Art Taylor: Yeah. Hannah had a question, I guess it kind of drifts off of your point about password protections. There’s some management systems, like LastPass. Are they in any way superior to saving passwords on Keychain, or Safari, or Chrome?
Matt Eshleman: Yeah. It’s probably gradations of good, right? Using the password manager, the save password in your web browser is definitely better than reusing passwords over and over again.
What’s important, probably more from the organizational perspective, is what risk do you have of data leaking out of your organization?
And so if somebody is signed into their browser with their personal Gmail account, that account is saving all the passwords that they use to log into your organization’s systems. Then that person leaves the organization, and they kind of walk away with all your passwords for all your business systems. That could be an unacceptable risk, or represents an additional risk.
If you can say, as an organization, “Hey, we’re going to use LastPass for Teams for our organization to help us manage passwords. All your organizational passwords go there. Your personal account, you can do whatever you want with, but as an organization, we’re going to store our passwords here.” I think it helps to improve security at the organization because again, you can keep a little bit tighter control over access to that information.
Art Taylor: It looks like Jeff has a question about many organizations relying on cloud-based solutions for parts of fundraising, including processing of sensitive personal information. In light of data breaches at various cloud based businesses, even those with relatively secure operations that serve our industry, what sort of guarantees can we, or should we offer our donors and others who ask us about this? How do we protect them against this? For a small or medium size organization, it may be even more challenging because they don’t have a lot of options.
Matt Eshleman: Yeah. This becomes almost like a contracting review issue, so you’re right. We’re relying on a lot of outsourced systems and processes to make all this happen. It’s important that organizations do a very careful read of the terms and conditions of those agreements to understand how that organization is handling your data, that you’re essentially outsourcing to them. Using well established and reputable vendors to do that work gives you a leg up. There’s no such thing as a 100% secured system or system that has zero risk. So have a good understanding of how your data is being handled, how they are treating it. What protections they have in place can go a long way to helping ensure the confidence of that processing system.
Art Taylor: One last question from Glenda is, can you talk about cybersecurity coverage and how much coverage a nonprofit organization should have or framework for how to make that decision?
Matt Eshleman: I would say talk to your broker. I’m a cybersecurity person, but when it comes to organizational liability, I’m a little bit out of my area of expertise.
I will say taking in some of that external information, just to understand how much these things cost to fix, would be good. I think you’d probably want at least $250,000 worth of coverage, and I think it’s important to have that conversation with your broker to understand that coverage. What does it include? What would be exempted? Make sure you have a good understanding.
If we have a crypto attack, what does that mean? How would this policy help us? So again, I think having that conversation with your broker, so that you have a clear understanding. If this happens, how are we protected? What’s our recourse? What resources are going to be available is an important conversation to have because unless you are clear about what’s covered, it’s likely you’ve got gaps in your coverage. Your liability insurance does not cover cybercrime, for example. So being clear about how much things would cost to recover can help provide some additional insight into policy levels.
Art Taylor: Okay. Last question, just a yes or no answer: should an organization pay a ransomware attack?
Matt Eshleman: No.
Art Taylor: No. All right. I thought that would be what you’d say.
Matt Eshleman: The FBI says no.
Art Taylor: Well, listen Matt, thanks so much. Julie’s also going to put in the chat, your podcast episode you did with me on Heart of Giving podcast in case anyone wants to hear that.
I certainly hope you listen to it. It was quite well done and you gave us a lot of great information there, too.
So and to all of you who agreed to be a part of this today, I really thank you for joining and I hope you got something out of it. Send us your comments so that we can continue to get you what you need and help you strengthen your organization in ways that you feel will be helpful to you. So thanks for joining, and everyone enjoy the rest of your afternoon or morning, depending on where you’re from.
Matt Eshleman: Great. Thank you so much. I appreciate it.