How secure is your organization?
Join Community IT CTO Matt Eshleman in a new webinar that will explore risk assessment and cybersecurity preparedness options.
Many nonprofits are building cybersecurity policies from the ground up.
Your nonprofit may not have a good idea of where your weaknesses lie, or where to invest your cybersecurity budget wisely. You may not have an executive level role responsible for cybersecurity, or adequate and frequent staff training.
For more details, you can download our free Cybersecurity Readiness for Nonprofits Playbook that will help you build the foundation on which you can begin to optimize and then be proactive about your security approach.
As with all our presentations, this webinar on cybersecurity self-assessment is appropriate for an audience of varied IT experience.
Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.
Presenter:
As the Chief Technology Officer at Community IT and our resident cybersecurity expert, Matthew Eshleman is responsible for shaping Community IT’s strategy around the technology platforms used by organizations to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how technology works and interoperates both in the office and in the cloud.
Matt holds dual degrees in Computer Science and Computer Information Systems at Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.
Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference, Non-Profit Risk Management Summit and Credit Builders Alliance Symposium. He is also the session designer and trainer for TechSoup’s Digital Security course. He enjoyed presenting this new webinar on cybersecurity self-assessment as an additional resource to our nonprofit IT community.
Transcript
Johan Hammerstrom: All right. Welcome everyone to the October, 2021 Community IT Innovators webinar. Thank you for joining us for today’s webinar on our Cybersecurity Self-Assessment.
Today, we’re going to explore your risk assessment and cybersecurity preparedness options.
This self-assessment will help nonprofit organizations document their cyber security readiness.
My name is Johan Hammerstrom and I’m the CEO of Community IT and the moderator for this webinar series. The slides and recording for today’s webinar will be available on our website and YouTube channel later this week. If you’re watching on YouTube right now, we encourage you to subscribe to our channel so that you can receive automatic updates when we post new webinar recordings each month. We invite you to use the Q&A panel throughout today’s webinar to ask questions, and we will do our best to respond.
Before we begin, I’d like to tell you a little bit more about our company. Community IT is a 100% employee owned company, and our team of 38 staff is dedicated to helping nonprofit organizations advance their missions through the effective use of technology. We’re technology experts, and we have been consistently named a top 501 managed services provider by Channel Futures and it’s an honor that we received again for 2020.
And now it’s my pleasure to welcome our Chief Technology Officer, Cybersecurity Expert, and resident thought leader in the area of nonprofit cybersecurity, Matthew Eshleman. Good afternoon, Matt.
Matthew Eshleman: Hey, good afternoon, Johan. Thanks for the intro and I’m thankful for all of you who are joining today. This is October. It’s cybersecurity awareness month and so we’re bringing this session to you today to talk a little bit about how to go through our cybersecurity self-assessment and I think more important than going through the assessment is understanding the recommendations and making a plan for how your organization can get those plans implemented.
We are going to be talking about a couple of things today during our session:
- One is the overview of the cybersecurity landscape. It’s always good to level set and understand the IT world that we’re operating in.
- We’ll talk about some controls that are identified in the assessment and then talk about
- how to prioritize implementation, and then
- engage leadership.
I think there’s so many different assessment tools out there and surveys and frameworks, there’s no shortage of knowing what to do. I think the real gap is in implementation and execution and so we’ll talk a little bit about how to pick some things, how to engage your leadership and how to really move forward with the implementation.
As Johan said, we want this to be a conversation. Please use the chat in the Q&A features. Johan will be moderating that, and we’ll be taking questions as they come in the session. So please feel free to go ahead and chat those in, so we can answer any questions that come up as you think about them.
Cybersecurity Landscape
Let’s first start off by talking a little bit about the cybersecurity landscape. This is the world that we’re operating in now where we see persistent and ongoing brute force attacks on identities. If you’ve been following the releases from Microsoft, there’ve been a number of different threat actors that have been conducting password spray attacks against Office 365. Something that we see in the security systems that we monitor is that there’s just ongoing authentication attempts against any cloud based systems. If you can log into it from the cloud, the bad guys can too, and they’re actively doing so and trying to log in.
We’re also seeing very sophisticated spear phishing attacks being perpetrated where, you may get those emails that look like they’re coming from somebody within the organization, or maybe even a partner organization that you work with, and then try to get you to maybe click on a link, share your password, buy a gift card, update some financial information, and they look very convincing. That’s something that we’ve seen a real increase on in the last year or so.
We’re also seeing organizations targeted because of the work that they do. Organizations in the think tank and policy space are particularly targeted right now. We’re also seeing attacks against healthcare and even education. Non-profit organizations don’t get to fly under the radar because they’re doing good work. Organizations are targeted because of the work that they’re doing.
And then finally, we’re also seeing attacks targeting vendors. Vendors like managed service providers, such as ourselves, because of the access that we have, are favorite targets of these attackers. So it’s important that as you’re working with a vendor, you have a good understanding of the security controls they have in place to protect your information.
It’s not all necessarily bad news. The good news is that there are lots of good security tools available to help combat these threat types. You’ve taken a really good step coming to the webinar to learn a little bit more. Maybe you’ve already taken that self-assessment.
We certainly see a lot more proactive steps from the clients that we work with, like asking about how they can implement good security controls at their organization and what steps they need to take. I think that’s really encouraging. But we know we still have a lot of work to do. And I think that was judged by the survey results that we saw. I don’t think we had very many people that had the big smiley face that said, Yes! We’re doing all that we need to do in the area of cybersecurity protection. So again, there’s lots more work to do.
There’s also a real financial impact of this as well. We see the stat here that breach response for small to midsize businesses is about $149,000. That’s real money.
The other thing that we’ve seen in the last six months in particular, as it relates to cyber liability insurance renewals, is that those prices are going up. They’re going up steeply and they’re also mandating significant cybersecurity controls to be in place to even be considered for a policy.
So if you have a renewal coming up, you need to be aware that the controls that you may not have had to say yes to, you will now need to be able to say yes to. The cyber insurance business has gotten burned, and so they’re reacting to that with increased requirements for controls, and then also raising prices as well.
How Much is Business Data Worth to Bad Actors?
As I reiterated, I’ll reiterate that just because you’re a nonprofit organization doesn’t mean that you get to fly under the radar. Your organization has data that is valuable.
That could be specific information like what’s shown here: credit card or customer PII or medical information if you’re in that space, but it also could be other financial loss that occurs due to fraud.
We’ve seen recent examples of this related to email compromise that turned into wire fraud updating bank transfer information. We’ve also seen cases of gift card fraud.
Unemployment Fraud Spike
While we haven’t been able to find a direct correlation between any compromise on a system that we’ve maintained, we’ve also seen a spike in unemployment fraud. This is kind of new to me in fraud associated with unemployment claims but that’s where an employee’s identity is stolen somehow. We’re not necessarily clear how. But an unemployment claim is filed and then the state office reaches out to the employer to confirm the status and then follow up.
This is something that has increased pretty dramatically as part of COVID. Angie Barnett, who is the President of the Better Business Bureau of Greater Maryland said that in some estimates, this type of fraud has gone up over 3000% since the coronavirus pandemic and catching and prosecuting these criminals is really tough.
I know I’ve been on the reacting side. Whenever we have a client say, “Hey, we were contacted by our State Labor Department to investigate this claim of unemployment, can you investigate what happened?” And so we’re involved in responding to those incidents as well because of the data that is stolen.
It could be from the organization or it could be other areas where an identity may be stolen, but that really translates into real money, into real financial loss.
It’s important to understand that these hackers aren’t some genius hacker in the basement who knows 15% of your password that’s trying to get into the system, but these are organized criminal enterprises.
Cybersecurity Adversaries
The cybersecurity adversaries that you face are examples here, like Fancy Bear. They got a lot of press as part of the DNC Hack back in 2016. Cozy Bear, also a Russian-backed entity, that was involved in the SolarWinds hack. We have the other adversary, which is not necessarily a nation state, but more of a criminal enterprise: the REvil group that has been responsible or associated with a number of ransomware attacks recently, the Colonial Pipeline among others, where networks were infected with a crypto virus. All the files were locked and then a ransom was demanded in order to get that data back.
That’s something that happens to big companies, but it’s also something that happens to small organizations, as well. I was talking with a colleague today and he said that the local newspaper was a victim of a crypto attack just in the last week and it really crippled their ability to put out a newspaper. So this is something where no organization is immune from attack. It doesn’t matter if you’re Colonial Pipeline or a local print company, a local department of education, all are vulnerable and susceptible to these types of attacks.
Our Approach to Cybersecurity
How we take all this bad news and scary things and turn them into actionable steps for nonprofit organizations is really by building a foundation of security policy and awareness. We really try to start with that view of a policy roadmap, educating and training the staff at the organization and building on top of that with the technology tools.
Once we have our foundation established, it may be appropriate to add on some additional, sophisticated tools to provide that extra layer of protection.
We draw that from what we put out for the past three years, which is our Nonprofit Cybersecurity Incident Report.
This is a report that we’ve developed because as a managed service provider, we support over 140 different organizations. We support over 5,000 users, so we get a lot of information through our help desk in terms of the types of attacks nonprofits are facing. We can see, over the years, that the number of security incidents that we record has really gone up dramatically.
Back in 2018, we recorded 233 incidents; in 2019 that number went up to just over 500 incidents. In 2020, that was almost 700 incidents. That helps us take a data-driven approach to guide our cybersecurity recommendations.
In addition to the data that we see coming through our service desk, we also use common industry standards such as the NIST Cybersecurity Framework and the Center for Internet Security. If you’re a policy wonk, that used to be referred to as the 20 Critical Security Controls, now there’s only 18.
I think they’ve actually done a good job in the revision making it a little bit more applicable to smaller organizations. They provide some good high-level guidance, but I do think that they end up being a little bit overly cumbersome for the smaller and more cloud centric networks that we see in our small and mid-sized nonprofit clients.
Applying those big frameworks to your organization just may be a little bit too complicated or not relevant. That’s why the assessment that we put out in that survey really is a stripped down and focused version. You can focus, you can get started on manageable steps to really address the most likely risks to your network.
Cybersecurity Controls – Policy
So let’s go ahead and take a look at specific sections in the survey and talk a little bit more about the details and where you can get started.
We really start with policy. Policy may not always be the most entertaining thing to talk about, but the policy really should form the foundation of your cybersecurity controls. It provides the framework to make other decisions that layer on top of that. We have an entire webinar and podcast devoted to crafting a nonprofit cybersecurity policy that you can check out.
I really go into a deep dive on the policy creation process and the details associated with each of those elements. Whenever I’m doing consulting engagements with clients, I will say that most organizations do need to refresh their IT acceptable use policy; it’s likely part of the employee handbook. It was usually developed a long time ago and it really isn’t reflective of the organization and how they work now in terms of being flexible and cloud centric, as many non-profit networks are now.
I think that was one of the striking things that I noticed in the survey data of all the people that have taken the assessment, only one organization has data on premises, solely on-premises. Every other organization was entirely in the cloud or was in a hybrid environment. I think that’s evocative of what we see, as well as that we’ve taken a cloud centric approach for quite a long time.
Nonprofit organizations benefit from the donations from Google and Office 365 among others, and I think that’s really been a benefit. But it also means that our policy work often is not reflective of the current operating environment.
I would also encourage organizations to go through that policy development process and use it as an opportunity to identify all of those IT and Information Systems that are in use and catalog the data that’s stored in each one of them.
It’s also a good opportunity to have a discussion around the device status of the organization. This is another thing we’ve found, because of COVID and the work from home and the use of cloud platforms, that many organizations have relied on personal devices, personal computers and mobile devices. It’s been viewed as a nice benefit and that may be okay, but it’s good to talk through some different scenarios to see how your organization would react.
If somebody syncs your organization’s Dropbox folder to their personal home computer, and then they leave the organization. What impact would that potentially have? Same scenario could be, your development director has their email on their personal phone. They leave the organization. What happens to all of those contacts, calendar, email addresses as they leave the organization? Is that okay? Is there any concern about that data going away or would your organization want to have or need to have some sort of controls? Say, “Hey, whenever you leave, we’re going to wipe data from that device,” or “If your device is lost or stolen, we need to have some way to prove that it can’t be accessed by someone who picked up the computer, who acquired it maliciously or by accident.” Having some of those real world cases helps to make this stuff come to life.
We’ve all appreciated having the flexibility of these cloud-based platforms. We’ve all appreciated the ability to access new services, but at the same time, it’s good to ask those questions, what happens in these scenarios? What do we need to have as an organization in place to protect our data, which is our most important asset? That can be included as part of the IT acceptable use policy.
The next bullet on there talks about a data privacy policy. One thing that I typically see is that this policy tends to be a little bit more up to date. This often comes through the web or data side of the organization. This tends to be more up-to-date. It really talks about how your organization is handling the data that you receive from your constituents, from your donors.
And what are the protections and expectations that somebody would have whenever they fill out a donation form or sign up to volunteer? How is that data going to be used? What expectations can that individual have around the privacy controls of that data?
Oftentimes, this is a separate document and would be informed by the various data systems that you’re using and could potentially also be informed by some external compliance standards. So, for example, if you do need to be aware of GDPR or there’s some California Data Privacy or New York standards, those would be applicable here or help inform those policies. So again, the data privacy policy would be a separate document that would be often developed to support those platforms where you’re storing information about constituents, volunteers, and other stakeholders in the organization.
Then the final policy document that we think is a key element of a foundation or a baseline would be the incident response plan. This is a document which doesn’t have to be very long, but it really describes what your organization is going to do when something bad happens.
The operative phrase in the cybersecurity world is, it’s not a question of if, but when. So it’s not — if you’re going to get hacked, it’s when you’re going to get hacked. With that mindset, it does change the thinking. We still want to prevent, we still want to have good practices in place to prevent bad things from happening. But then, we also need to have thoughts around what we are going to do whenever that bad thing does happen.
It doesn’t need to be long and sophisticated, but it should be clear in terms of who you’re going to contact. Does your current IT Provider have the capacity to respond to an incident? Do you need to have somebody else in place? Are there resources maybe that are available through your cyber liability insurance that would help support an incident response plan? What stakeholders on your communications team need to be involved if you have to do the notification to your stakeholders?
I think that was a challenge that many organizations that were affected by the Blackbaud breach had to scramble. They had to figure out, their database of 50,000 users was exposed. How are they going to communicate? What are they going to say? What do they need to say to those stakeholders?
If you’re able to at least run through some of those scenarios ahead of time, it could help you fill in those gaps. So when you do have to use it for real, there’s not so much thinking on your feet. You can have a plan and work through it, as opposed to really reacting in that scenario.
That outlines the policy controls and provides a little bit more context to those survey questions that we’re asking.
Cybersecurity Controls – Training
The next piece and element that we talk about is around training. As an IT Professional who loves lots of shiny tools and lots of reporting and analytics and endpoint management, I really think that training is the key first step in investing in a technology solution. Make sure your staff are aware of what’s going on, are educated and equipped to respond to these cybersecurity threats.
I think it is a key element in protecting your organization’s data and also preventing financial loss through these online fraud attempts.
We know that most of the cybersecurity threats are coming from email, and so if we can really focus our training and tools and protection around reducing those email threats, then we get a lot of value out of that. We have some training resources that are available that we’ve done for free that are on our YouTube channel.
- How to Enroll in Multi-Factor Authentication (MFA)
- Cybersecurity Training for Nonprofits
- Nonprofit IT Staff Training How-to and Why
There’s end user security awareness training and there’s some other resources that you can walk your staff through. Our best practice is to use an online training platform called KnowBe4 and this is the framework that we use in education and awareness for a standard cybersecurity training plan.
And so that plan really starts with a “large annual training.” What I mean by that is NOT once a year, everybody goes into the conference room, and you have a one or two hour presentation by somebody up front, and everybody sits there and learns about it.
We use the online training platform, typically a 15 to 20 minute training video, that talks about a couple of different scenarios, different educational elements, a quiz, and a survey to have some interaction. That would be something that would be done on an annual basis, or as you onboard new staff. They would go through that training on their own time within a few days of their employment, and if you can, do this on an annual basis for your staff.
An annual training that covers some foundational concepts to give people awareness of the most likely attacks that they’re going to see. How to identify spear phishing, choosing good passwords, good security practices – those are all common elements of that annual training.
The other thing that we like to do is monthly test phishing. This gives you a way to measure how well you’re doing. In addition to providing the training, we also want to test and evaluate how well staff are responding to that. We do monthly test phishing just to see how things are doing. And I have a slide a little bit later on where we can see the effectiveness over time but we found that this rhythm works well.
And then alongside that, we’re also employing the ability for staff to report if they have a suspicious message. We want to have an engaged user base that feels like they have tools and they’re equipped to identify suspicious messages. If they’re not sure, they have a way to check. They just send it to our help desk team and we can evaluate it and head off any potential issues.
And then finally, we want to have quarterly micro training. So we don’t want cybersecurity training to be something we do once a year, then we don’t really think about it. We want to keep it in front of people. So on a quarterly basis, we’re typically delivering a five minute micro training that’s in the form of a game or a quiz. There’s even some short form videos, like mini series that communicate the concepts in a way that’s engaging and educational as well.
We want to keep security in the front of people’s minds so that they are constantly aware and vigilant. Then, because we have a training system that gives us some reporting and insight, you would identify staff that needed additional assistance. Usually there’s a handful of folks that could use some additional training. Maybe that’s one-on-one, maybe some additional online training, but again, we want to know where our problems are, so that we’re able to be proactive and address it ahead of time.
Cybersecurity Controls – Tools
So now that we’ve talked about the policy elements, we’ve talked about the security awareness training and staff education. I think now we get to the technology controls and the tools. There’s technical pieces that we can implement at your organization to prevent those attackers from getting into your systems.
Tools are broadly in three different categories.
- The first is your identity and account management.
As I mentioned earlier, anything you can log into from the web, the bad guys can too. Focusing controls around that identity is where we want to make that initial investment.
- We also want to focus on data protection.
Because we have that mantra of, it’s not a question of if you’re going to get compromised, but when, we need to have those reactive protections in place.
That means, things like backups.
Just because you have data in a cloud-based system, doesn’t mean it’s protected in the way that you assume it is. Tying this back to some of the IT acceptable use or data policies, if you, as an organization, say, “Hey, we really need to retain data for a year.” Then you need to make sure that you’ve got the technology tools in place to support that because many cloud systems may have a 30 day data retention.
If you have a departing staff person, they delete all their files whenever they leave the organization. And then you realize, 60 days later that you need to recover some of that information, it may not be possible unless you proactively put something in place. In the same way, if you need to be able to respond to some sort of a security incident, you need to have the security tools in place that will allow you to do logging and reporting and analytics before that incident actually needs to be reacted to.
Data protection is really important because we’ve gotten rather lax in our shift to the cloud where we haven’t needed to be as deliberate about planning data protection as when the server was in the office down the hall. We had the backup tapes and somebody was swapping and taking them home and being diligent. Moving to the cloud, we forgot about it. I think that’s a mistake and we need to be intentional about the protection that we have around not only the backups, but also folder permissions. Maybe there’s some encryption that needs to be put in place on files or on a desktop computer, so that if something is lost or stolen, you’re not going to disclose information about your constituents.
- The final element here is really on device protection.
Device protection really is being focused on elements of updates and patching. So if you follow us on Twitter, you’ll see we tweet, “Hey, have you rebooted your computer this month?” (#reboot1st) It’s kind of basic, but making sure that your computer is up-to-date with the most recent security patches is a very good security practice. It’s low cost.
If you’re in a Microsoft world, it happens automatically. If you’re in the Mac OS world, you may need to be a little bit more intentional around installing those updates, but restarting your computer allows those things to be installed completely and then that protection is applied to your computer. The same thing goes for third-party applications. So in addition to the operating system updates, the third-party apps need to be updated as well.
And then also you need to have antivirus on your computer to make sure that you’ve got that extra layer of protection in place. For us as a managed service provider, we have reporting to make sure that all of this stuff is happening. We can verify that updates are installed and the antivirus is up to date. Unless you’re able to do those things, there’ll be gaps in the system. There’s the three elements of the technology pieces really around your identity and account management, data protection, and then also device protection.
If you’ve been hanging with me so far and you’ve checked everything off, congratulations, that’s really great!
I think cybersecurity is really about fundamentals and once you have those fundamentals in place, then you can move into additional controls that will provide an additional layer of protection for your organization.
In cybersecurity, it’s the weakest link that’s exploited.
It’s important to invest in the basics before spending money on tools or consulting or services that may not provide much of a return on your investment.
Cybersecurity Controls – Next Steps
Here we see a value associated with those next steps. If you’ve already done all that stuff that we’ve talked about so far, that’s fantastic. Once you’ve gone and implemented all of that then it may be helpful for your organization to have some sort of an external assessment.
There can be different kinds of assessments depending on what your primary concern is. From a terminology perspective, you could get a gap analysis from a policy side where you could have an organization come in and score you against those critical security controls that say, “Hey, this control says you need to do this.” How are you meeting it? That could be a policy assessment, Community IT, we do that.
We also do a technical review. We’re actually logging into systems, looking at your Office 365 configuration, looking at the Google configuration, are the backups in place? How’s multifactor implemented, are you using modern authentication? We do a full technical review of the system.
You may also need to do a pen test. A pen test is a specific type of security scan where often a vendor will put an appliance on your network. They’ll run some scanning to identify vulnerable systems on your network. Are there imports, are there systems that need patching? It’s not a server, it’s your network.
Investing in those elements can provide some additional insight into gaps in your current deployment plan.
You may want to invest in an endpoint detection and response tool. Antivirus is table stakes. EDR is the new buzzword. I think XDR is the newest acronym to be aware of, but these are higher end tools.
It’s what we run in Community IT, that can detect not only your traditional malware and viruses, but these new, what are called fileless attacks. It could be a script, it could be some PowerShell that’s running. This is where a lot of the adversaries are moving to. They’re running to fileless attacks because they’re harder to detect. And so you need to have a more sophisticated tool that’s able to both identify, detect, and then block these systems.
And then the final piece here that may be helpful is to have more of a unified monitoring and management platform. Because we moved things to the cloud, we have all these disparate systems. Instead of just looking at the server to see who’s logging in and what’s being accessed, now you have audit logs you need to look at for email, maybe a separate file system, a separate CRM. All these systems have different usernames and passwords to log in to, and so it’s hard to really get a single view of those.
There are systems that allow you to integrate the logging data from all those different tools into a central place, so you can do some event log correlation. You can see, “Oh, I see this user logged in, they accessed email, they logged in the access to CRM and all of that’s expected,” or it could also help to raise some flags and provide that analysis in a single pane of glass.
Those unified monitoring management tools are going to become more common. And I’m also happy to see that they’re also more affordable as well. Specifically with Microsoft, that’s something with their Microsoft Cloud App Security is included as part of an E5 license, and I’ve been very impressed with how it works and how it aggregates not only security logs from the Microsoft tools, but also the third-party applications as well.
Are there any questions that have come in so far that we can answer, or we can just continue on into talking about some of the implementations and road mapping?
Johan Hammerstrom: There are a few questions, but I think it makes sense to save them for the end. If you want to keep going, we can get to those questions at the end.
Impact of Culture
Matthew Eshleman: So I think with all this, you would be remiss to talk about implementing any change at an organization without understanding the impact that your organization’s culture has on all of this.
Understanding your organization’s tolerance for risk and what needs to be protected in the context of what can be allowed is really important. Each organization is different. The technology tools may all be the same, but how they’re implemented can be vastly different.
We have organizations that tend to be very competitive. They really want to know, on the security awareness training, how many people are clicking on those messages. Who is it? And so they made it into a game.
You have other organizations that are maybe a little bit more reserved, and so they want to handle that kind of thing a little bit more privately.
So the same thing goes in terms of device access. Did you make the shift to work from home reluctantly or were you already in a pretty good place to allow people to work remotely in terms of providing laptops and cloud access to systems? Was it a very traditional, come to the office and work on your desktop computer mentality?
The impact of your organization’s culture really does continue to flow into how you’re protecting the organization from a cybersecurity perspective. Each organization needs to navigate the implementation of those controls within their own operating framework.
Top Three Cybersecurity Controls
Distilling down to the top three controls on the technology side, or the assessment side is that multi-factor authentication is the number one thing.
I talked about policy a lot, talked about the importance of it, but at the end of the day, if you only have the capacity to implement one thing, it really needs to be multifactor authentication.
We see that being the biggest risk area because if an account is compromised, such a significant cascade of negative consequences results. So we need to really protect those digital identities and turn on multifactor authentication and it needs to be turned on for everything.
If everything you have is in Google Workspace, great. If everything you have is in Office 365, great. But most organizations don’t have all their data in just one system. Every system where you have important information needs to be protected by multifactor authentication.
The good news is that it is included with most cloud applications, so it’s not something you have to pay extra for typically, if you’re big enough. That could be a subjective term, but again, you could turn on some additional features through enterprise mobility and security (EMS) on the Microsoft side, to upgrade to conditional access and turn on single sign-on.
Instead of turning on password policies and multifactor authentication for Office 365 and Salesforce and Bamboo, you can just turn it on one time and run everybody through the Office 365 portal, so that you’ve got one place to manage access.
You have one set of passwords to deal with. You have one MFA challenge to deal with, and so that’s very efficient. So multifactor authentication should be the number one thing on your list if you haven’t done that already.
After that, I do think security awareness training is a very important step to take. There are lots of options out there. We’ve already talked about it. If you’re just getting started, there’s lots of free resources that you can use.
We have an online MFA training available that’s on our YouTube channel. I was able to partner with TechSoup and do a 101 and a 201 cybersecurity training course for them. Those are great one-offs that you can use.
If you’re able to, I would really encourage the investment in a security awareness training platform like KnowBe4. There’s others out there. It’s not that expensive, $20 a user for the year for the license, and I think the real value is the training, but then the ongoing testing and evaluation. So you have a better sense of what’s going on.
And then the final technology tool that is really important to implement is around business email compromise protection. So we’ll provide some additional detail later, but as I said, most threats are coming from email. The technology tools associated with this have needed to catch up. Traditional spam filtering is okay against blocking unwanted messages, but it hasn’t been doing a very good job in blocking these confidence scams, things with malicious links and having a dedicated tool to work on business compromises, we get a lot of mileage out of that.
People can ignore the spam message in their inbox, but it’s really hard for them to ignore the email that looks like it’s coming from their Executive Director or their finance person, to click on this link, to share something. Business email compromise protection really focuses on identifying those messages and then removing them from the inbox.
The other thing that we like about them, particularly the Barracuda tool that we use, is that it provides some additional alerting. If an account does look like it’s been compromised, we will also provide alerting on that. For all those things, getting visibility into what’s going on in your network is key and so some of these tools like Barracuda, Sentinel, are great for blocking spear phishing messages. Also for raising flags if things like new mailbox rules are created, or if there’s a suspicious login, that generates an alert and then you’re able to respond when you get it.
MFA is Effective
So talking specifically about why MFA, we can see how effective it is. Another plug for our video is that we do have an MFA enrollment video. It’s about 10 minutes long and walks you through how to turn on multifactor authentication in your organization and using the on-device prompt.
Multifactor authentication is something that you know, which is your password, along with something you have like a smartphone. And so those on-device prompts where you log in, your phone buzzes from the authenticator app, are 100% effective against automated bot attacks. So that’s the best method that we recommend implementing whenever you’re going to make this change and you want people to use a platform in the right way. So multifactor authentication is extremely effective.
Cybersecurity Awareness Training
And then cybersecurity awareness training is also extremely effective. So this is some information from the vendor that we use in terms of KnowBe4 and these are real numbers that we see whenever we do baseline phishing tests for a new organization. We will see up to 40% clicking on links and emails. I mean, it’s unbelievable. You would be surprised what people click on. But the good news is that after that initial baseline, and you do that major training, and maybe after you do quarterly trainings, the click through rate really does decline and decline significantly.
What we’ve seen is that it typically never, ever goes away. Somebody always clicks on something because they’re curious. But going from 40% of your staff clicking on things to 4% is a really good return. This is data that was taken from KnowBe4 and they did an industry benchmarking study across 4 million users, 17,000 organizations. This is the data they came up with and we echo their experience in terms of very high initial click rates and then significantly reduced click rates after training. So again, training needs to be ongoing and needs to be consistent.
Here is some supporting information around how business email compromise works. This is a graphic from the FBI where they are very concerned about this because of the financial impact.
Confidence based schemes that start via email can be very expensive to organizations, and they’re very difficult to defend against because there’s often not much content in the messages.
Spam filters are often not able to catch them, so we’re reliant on either
- really sophisticated tools to try to block it or
- staff being able to identify that it’s malicious, or something is off, and then
- having good processes in place for organizations, if and when they need to change payment information.
Business email compromise is a significant threat and having a technology tool in place to help prevent it provides a lot of protection.
As we transition from this laundry list of things to do, maybe you already know what you need to do.
Engage Leadership
It’s really important to engage the organization’s leadership and impress on them that all organizations are vulnerable. Hacking isn’t something that only happens to the big organizations with big IT teams. It happens to organizations no matter what their size.
Poor cybersecurity is an organizational liability. We have seen that if your organization has not implemented multifactor authentication, you are very likely going to have an account compromise. The data that we saw from last year, 96% of the account compromise tickets that we responded to were staff that had not implemented MFA.
It’s really stark whenever we see those numbers that if you have multifactor authentication, you’re in good shape. It’s very unlikely you’ll get compromised. If you don’t have multifactor authentication in place, then it’s very likely that your account would be compromised or maybe not yours, but somebody at your organization.
Finally, it does require leadership to say yes. These are organizational changes and for multifactor to be effective, for security awareness training to be effective, somebody at the executive level needs to say, “This is important, we’re making it a priority. We’re going to devote time at our staff meeting for this.”
It can’t be IT pushing it through, because it’s not going to get the adoption that it needs to. The organization’s leadership really needs to identify this as a priority and include it at all levels. It could be driven from the bottom up. IT can certainly initiate it and be successful. We’ve also seen it come from the top down. The board says this needs to happen, and then it occurs that way. There’s not necessarily one right way to do it but the key factor of success is really for leadership to make it a priority.
How do you do that?
Your organizational culture really comes into this a lot.
- You need to schedule time for security. It needs to be part of your regular rhythm. So it’s not an afterthought. It could be monthly reporting that you’re going to do with your executive team. It could be quarterly planning with your IT partner to identify what we need to focus on. What are the threats that we’re seeing? How’s security awareness training going in terms of how that gets communicated?
It comes back to knowing your audience. What is most effective?
- Is it a narrative? Is it stories? “Hey, this other organization that we work with, they got hacked and here’s why they got hacked and here’s why we need to make this change.”
- Are they more impressed by metrics and numbers? Is it, “Hey, it’s going to cost us $6000 more for our cyber liability insurance because we haven’t implemented MFA. How are we going to address that?” “A breach is going to cost $150,000 once we get through, how are we going to address that?”
And then it’s also an opportunity to leverage existing compliance requirements, to do some of these things as an organization.
- If you are receiving any sort of donation then PCI compliance would be applicable here.
- If you’re a healthcare provider then HIPAA would be appropriate.
- If you’re dealing with European data subjects, then GDPR may drive some of that compliance as well.
Understanding those external factors can help get some additional traction to implement these initiatives.
Next Steps
I would say, prioritize one control to implement. It can be really daunting to get these assessment reports where it seems like there’s so much work to be done, but you just need to take a bite, take a step, so pick one new control to implement.
If you haven’t implemented multifactor authentication already, make that the first step. If you already implemented MFA, but maybe you haven’t done training, go ahead and start with a training plan.
Pick a control, implement it, and then you gotta really plan.
Get time on the all staff meeting to say, this is a priority. We’re going to talk about multifactor authentication, or we’re going to talk about security awareness training.
Really make it intentional and then you’ll be able to execute and get through those roadmaps.
Questions and Answers
We have a couple minutes here for questions, and so I’m happy to respond to anything that’s popped up throughout this presentation.
Johan Hammerstrom: Yeah. Thank you, Matt. That was fantastic. Great summary and overview of cybersecurity, which I’ve been thinking about for a long time and have heard about many times, but I feel like I always learn something new in these presentations.
We do have a few questions. If you have any questions, please chat them in or use the Q&A utility to ask your question.
Q: If money is no object, what does best in class protection look like? What are some specific examples you can provide? What would you suggest someone who’s got a blank check to write on security protection, what should they do?
Matthew Eshleman: I think once you get the policy work done and out of the way, I would really make sure that you’ve got good tools in place on the device protection side.
At Community IT, we work really hard to get the best in class. We may not have a complete blank check, but we invest a lot in our security. For us, that means we’re doing all managed devices.
Staff have managed computers, we’re doing client-side encryption. We have SentinelOne Complete, which is a high end EDR tool in place on our systems. Then all of that information feeds up into our managed cloud app security portal.
We have learning and management and monitoring that comes from the tools that we use. We’ve been really intentional around any privileged system that we have access to includes multifactor authentication.
Most of that is driven through our single sign on portal. We happen to use Microsoft’s Enterprise applications, which is included in Office 365, but we’ve also supported organizations that use Okta or OneLogin. There may be some reasons to invest in that.
Investing in training and education and awareness for your staff is important. I think the final piece, once you’ve got the policy, the device protections, backups of those critical systems, server failover, all of those things in place, which we do, then you can start looking at those external assessments where you can get a third party view. Even as you have really invested a lot in those internal controls, it’s likely that you’ve missed some things.
Getting somebody to look at that system with fresh eyes and investing in gap analysis or a technical assessment, or even a pen test can be really helpful to get that view.
We use a laundry list of technologies at Community IT. We’re all in Barracuda, all of their cloud protections, spam filtering, spear phishing, backups, the SentinelOne tools, the Microsoft suite. We’ve got a lot of protections in place. And I think that gives us the insight and reporting that we need given the level of work that we do.
Johan Hammerstrom: Great. Thank you, Matt.
Q: We have another question from an organization that relies on volunteers. These volunteers are spread out throughout the country, they’re using their own personal laptops to do the work. What sorts of protections might you recommend for them? And maybe more importantly any suggestions for how to train those volunteers on cybersecurity?
Matthew Eshleman: It would be important to implement those security controls in the systems that they can access. Some of those data protection policies in terms of what we call “least privileged access.”
Make sure that you’ve got volunteers that only have access to the information they need to do their job. That may mean, if you’re collecting information about various constituents, volunteers are using that information. They don’t need to know their birthdate, or they don’t need to know their address to deliver service. You can make that restricted. The volunteer has their name, even their phone number as a way to identify somebody, but they don’t have access to additional personal identifiable information.
Understanding what information people need to do their work, and then only providing that level of information would be an important step. Again, depending on the type of data, if you’re just delivering it through a web browser, you can put in some controls so that they can’t export data. Limited opportunities for them to download something on a personal device that you don’t control would be good.
I don’t think it would necessarily be out of line to expect volunteers to go through some basic training on good cybersecurity practices, particularly if it involves creating an email account at your organization for them. I think this is one area where we see organizations get a little bit casual and say, “Oh, well this person is only a volunteer, we just need to create an email account for them.”
Recognize that any account that can be logged into from the web is potentially vulnerable. If it is associated with your organization’s domain, that email address is potentially valuable because it could be used then to target other people. That’s the real risk.
Only provide people access to the information that they need. If you can, turn on multifactor authentication for those systems, particularly if they have sensitive information and then have consistent policies and follow through, I think would be important steps to take.
Johan Hammerstrom: Great. Thank you, Matt. Well, I think we have just about reached our time limit for today’s webinar.
We do want to let you know about next month’s webinar. We’re not going to be talking about cybersecurity. I know we’ve done a lot of that this year and we wanted to finish strong this month since October is Cybersecurity Awareness Month. Next month, we are going to be talking about Best Practices for Mac support. We know that many of you probably use Mac or have staff that use Apple Mac computers. We manage over 600 Macs. It’s probably 10% of our install base. It’s a significant number.
And those of you who use Macs or manage Macs know that they’re a little bit different, and they require a special approach. It can be done well. It is possible to use Macs on an enterprise basis, and we’re going to be going into a pretty deep dive on November 17 to go over that and provide you with some tips and tricks on things you can do to manage your Macs.
I’m very excited about it. I’m looking forward to attending that webinar and that will be Wednesday, November 17th, right before the holidays at 3:00pm Eastern. So keep an eye out for that announcement and we encourage you to register for that webinar.
Thank you very much for your time today. We will be sending you an email with a summary of all the resource links that we chatted out today, as well as a link to the recording of today’s webinar. Wish you all a great afternoon and a pleasant rest of the week. Thank you.