
In part 1, Matt and Carolyn go over what a tabletop exercise is and how it fits into your cybersecurity planning for your nonprofit. In part 2, Matt describes three scenarios specific to nonprofits that you can use, and reviews general lessons learned and best practices from his work with clients.

Cybersecurity Tabletop Exercise for Nonprofits

Community IT Chief Technology Officer and resident cybersecurity guru Matthew Eshleman explains how to carry out a cybersecurity tabletop exercise for your nonprofit and why this type of active testing is so valuable to your security planning.
Make regular cybersecurity tabletop exercises part of your nonprofit incident response plan using this guide.

Do you regularly practice your nonprofit’s cybersecurity incident response?

If you haven’t had a cybersecurity incident yet, count yourself lucky. If you have, you probably encountered some questions you wish you had had the answers to before the incident began to unfold.

That’s where a cybersecurity tabletop exercise for nonprofits has enormous value. A cybersecurity tabletop exercise simulates a cybersecurity incident in a controlled environment so you can practice your response and discover weaknesses before they become damaging.

For example, a staff member alerts you that they clicked on a malicious link in an email and now their laptop is “acting funny.” Do you have a phone tree of the people you need to contact? What if someone important is on vacation? Who do you contact then? What if everyone’s laptops are frozen? Can you still access important contacts? What do you do next?

Cybersecurity tabletop exercises can be elaborate or simple, run by a consultant or run in-house. It is surprising how many nonprofits that regularly review and evaluate their programming never apply the same principles to evaluating their basic cybersecurity preparedness.

How can your nonprofit get started on this practice?

If you’ve never walked through a cybersecurity tabletop exercise at your nonprofit, you may be intimidated at the prospect or have trouble prioritizing it and carving out time on everyone’s calendar. In this webinar, Matt introduces some popular resources, describes common examples of tabletop exercises, and explains how to adapt this skill-building exercise for nonprofits.

Matt Eshleman has run through cybersecurity tabletop exercises with many nonprofit clients and guides you through best practices and first steps to get started. Don’t wait to introduce this valuable training tool to learn where you can strengthen your practices and better protect your organization in these challenging times.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

Community IT is proudly vendor-agnostic, and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.


Presenters:

Matthew Eshleman
As the Chief Technology Officer at Community IT, Matthew Eshleman leads the team responsible for strategic planning, research, and implementation of the technology platforms used by nonprofit organization clients to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how nonprofit tech works and interoperates both in the office and in the cloud. With extensive experience serving nonprofits, Matt also understands nonprofit culture and constraints and has a history of implementing cost-effective and secure solutions at the enterprise level.

Matt has over 23 years of expertise in cybersecurity, IT support, team leadership, software selection and research, and client support. Matt is a frequent speaker on cybersecurity topics for nonprofits and has presented at the Technology Association of Grantmakers, Jitasa, Nonprofit Learning Lab, NTEN events, the Inside NGO conference, Nonprofit Risk Management Summit and Credit Builders Alliance Symposium, LGBT MAP Finance Conference, and Tech Forward Conference. He is also the session designer and trainer for TechSoup’s Digital Security course, and our resident Cybersecurity expert.

Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.

He is available as a speaker on cybersecurity topics affecting nonprofits, including cyber insurance compliance, staff training, incident response, and cybersecurity tabletop exercises for nonprofits.


Carolyn Woodard


Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty-five years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College. She was happy to learn more about cybersecurity tabletop exercises for nonprofits with Matt Eshleman.

Transcript Coming Soon

Q&A Expansion

From the webinar and from reddit/r/NonprofitITManagement/ after the webinar:

Q: What is the difference between staff training, like KnowBe4 training against phishing, and a Tabletop exercise?

Matt Eshleman: Staff training through KnowBe4 is an important part of the organization’s overall cybersecurity plan. It’s really focused on providing education for staff to detect, identify and report security threats that they may notice. The Tabletop exercise is a way for the entire executive team to test out the organization’s incident response plan.

Q: What are some good ways to impress upon less-tech-savvy staff the importance of MFA, if they have not had an incident yet?

Matt Eshleman: I think that these stats from Microsoft are impressive, “We’ve found that more than 99.9% of compromised accounts don’t have MFA”. https://learn.microsoft.com/en-us/partner-center/security/security-at-your-organization. If you want to protect your account and your organization’s data then taking basic steps like enforcing MFA is critical.

Q: If you are a nonprofit with a small staff but a lot of volunteers, how do you involve the volunteers using your IT in a training program or tabletop exercise, depending on the scenario? How do you suggest getting the leaders of the volunteer program to start requiring security training and processes?

Matt Eshleman: I think that this is related to the first question. Everyone who has an account on an organization’s IT system should be using MFA and also should be taking security awareness training! The tabletop exercise is something that the organization’s executive leadership needs to take ownership of, since it is tied directly to the risk and financial liability that the organization takes on.

Q: (from the exit survey) Should organizations document when minor incidents happen like when someone clicks on a link or a single email account gets compromised but it’s resolved right away?

Matt Eshleman: I think that you can define the level of severity for your own organization. It would be overkill to have a full incident response for every phishing message that comes into the organization. I do think that recording serious incidents like compromised accounts is important, as you can get a sense of which users or roles are targeted. For more serious cases where a compromised account wasn’t detected for several days, or led to data loss or financial loss, then a more detailed record should be kept.
