Cybersecurity Training for Nonprofits: Your Staff Are Your Best Defense
Community IT presents a discussion of basic IT cybersecurity training for nonprofits’ end users. Learn about common threats and the best techniques for dealing with them. Learn how to balance convenience and security for your staff, so they can follow best practices and be your best defense against hackers and cybercrime.
Lots of organizations are rethinking working from home, secure collaboration on Slack and Zoom, and security on home devices. And as we have seen an uptick in ransomware and phishing schemes, some organizations have rushed to tighten up their security measures.
Make your security too rigorous, miscommunicate your objectives, or skimp on training, and your staff will soon be working around your measures, opening your organization back up to the cybersecurity risks you were trying to avoid.
Cybersecurity begins with good training.
In this webinar, Community IT Innovators’ Cybersecurity expert Matt Eshleman walks you through a typical staff training, explaining what must be included, how to approach building a team ethos, and how often to update/mandate your training and work with HR.
- Do you need specialized security training for certain roles?
- Do your executives support and participate in security training?
- Where do your greatest cybersecurity risks lie?
- How do you document your training?
- What apps can make training easier?
Matt has worked over the years with many of our clients to implement cybersecurity, and always emphasizes the importance of staff training as the first line of defense. This webinar incorporates material and best practice advice from recent cybersecurity trainings.
We know our nonprofits will be called on over the next few years to provide more support to our communities than ever before. Put your best foot forward now with cybersecurity training updates that protect your nonprofit, build your team, and allow you to focus on your mission.
As with all our webinars, this presentation is appropriate for an audience of varied IT experience.
You may also be interested in downloading our completely revised 2021 Cybersecurity Readiness for Nonprofits Playbook, or seeing the webinar walk-through of this Playbook.
Presenter:
As the Chief Technology Officer at Community IT and our resident cybersecurity expert, Matthew Eshleman is responsible for shaping Community IT’s strategy around the technology platforms used by organizations to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how technology works and interoperates both in the office and in the cloud.
Matt joined Community IT as an intern in the summer of 2000 and after finishing his dual degrees in Computer Science and Computer Information Systems at Eastern Mennonite University, he rejoined Community IT as a network administrator in January of 2001. Matt has steadily progressed up at Community IT and while working full time received his MBA from the Carey School of Business at Johns Hopkins University.
Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference, Non-Profit Risk Management Summit and Credit Builders Alliance Symposium. He is also the session designer and trainer for TechSoup’s Digital Security course. He presents updated tips to protect your login credentials throughout the year.
Matt enjoys presenting webinars on cybersecurity training for nonprofits. You can access more videos of his past cybersecurity presentations here.
Matt provides a free initial consult if you have cybersecurity questions for your organization. Click Here to learn more and schedule.
Transcript
Johan Hammerstrom: Welcome to the October Community IT Innovators webinar.
Thank you for joining us in today’s webinar on Cybersecurity Training for Nonprofits: Your Staff Are Your Best Defense. My name is Johan Hammerstrom and I am the CEO of Community IT and the moderator for this webinar series. The slides and recording for today’s webinar will be available on our website and YouTube channel, later this week. Please use the chat feature during the webinar to ask questions and we will do our best to respond. Before we begin, we would like to tell you a little bit more about our company.
Community IT is a one hundred percent employee-owned company. Our team of thirty-six staff is dedicated to helping nonprofit organizations advance their missions through the effective use of technology. We are technology experts and we have been consistently named a top 501 managed services provider by Channel Futures, and we received this honor again in 2020. Now it’s my pleasure to introduce today’s presenter, our chief technology officer and cybersecurity expert, Matthew Eshleman.
Good afternoon Matt, I’ve really been looking forward to this webinar all month.
Matthew Eshleman: Great! Thanks Johan. I appreciate the introduction and thanks to everybody who’s joining today. As Johan mentioned, the slides and the recording of this will be available to everyone after the event, so if you miss something, don’t worry, you’ll be able to go back and review it and also share it if you find some of the content interesting.
So, as Johan mentioned, the topic for this month’s webinar is going to be cybersecurity training for nonprofits. We’ve been spending a lot of time talking about cybersecurity over the last couple of years and I think that’s only ramped up. I think, you know especially in today’s day and age, where these are not normal times, we are—many of us working from home, I am coming to you from my basement. Kids are home, work has just been chaotic and adversaries have been taking advantage of that with lots of different spear phishing attacks and COVID attacks, and so hopefully the content that we will talk about today will help equip you and equip your organization to better identify and protect yourself against those cybersecurity threats.
So specifically, we are going to talk a little about:
- The cybersecurity landscape. I think it’s helpful for us to just get started with an understanding of the cyber world that we are operating in. We’ll then look at some specific kind of things that you can identify for
- Cybersecurity training, to educate yourselves as an end user here. We’ll go into some concepts that are called
- “The human firewall,” as a way to help protect your organization and your data, and then finally we’ll talk a little bit about how to put it all together and
- Put it into action. So we’ll talk about some specific things that individuals can do, and then if you’re responsible for cybersecurity at your organization, I think that there’ll be some things that you’ll be able to pick up as well.
So, we’ve got some different content here, and to that end let’s go ahead and let’s get started with: Who’s responsible for cybersecurity in your organization? So there should be a poll that pops up here and so go ahead and just chat in those—or select those answers. Just curious to see, both for yourself and for everybody on the webinar.
Who is responsible for cybersecurity in your organization? Is it yourself? Maybe the IT departments, maybe operations, maybe no one or maybe you’ve outsourced that to a managed service provider, for example like Community IT.
We provide managed IT services to about a hundred and forty different organizations here, in the DC Metro area and beyond and so that gives us some perspective on what nonprofit organizations are facing in this realm. (4:25) So thanks for that response, we will go ahead and close that and share, so you can see that yeah, today, those folks that said me—are responsible for cybersecurity that’s great, you’re in the right place. If you’ve outsourced some of this to a managed service provider, maybe we will give you some questions to ask them or some talking points to make sure that you’ve got good coverage and so, hopefully there’ll be something for you to take away from this.
The Cybersecurity Landscape
All right, so moving into the cybersecurity landscape, we know that we’re in a world where there are persistent and ongoing brute force attacks on your online—on your digital identity, so again if you’re in Office 365 or G Suite, basically if you can log into it over the web, then the bad guys can too, and so we just see it from the security logs: there’s just a massive amount of automated brute force attacks on your digital identity. We can also see that there’s been really a dramatic increase in the amount of rather sophisticated spear phishing that is targeting the operations staff, the finance associates, and the HR associates in your organizations, trying to target them to get either financial information or personnel information out of them. We also see that organizations are targeted because of the work that they do, so especially in this run-up to an election, we’re seeing organizations, specifically those that are working in the foreign policy area, are really targeted by some sophisticated actors trying to get in and get access to information. Organizations that are focusing on democracy and good governance are also big targets in this realm.
So, it’s not kind of just a garden variety spray attack that’s targeting everybody; there are specific focused attacks on organizations because of the work that they do, and then there are also targets against vendors. So again, as a managed service provider, we have information about a lot of our clients, in terms of their privileged accounts, and so we’re a target, and so that’s something that the Center for Infrastructure Security Agency has been sounding an alarm at and so that’s something that we are especially conscientious of.
The good news is that there are some new security tools available to help combat these threats and so we’ll talk about some of those today, and I think it’s also great that organizations are starting to be more proactive about their security, and I think that this webinar specifically is one of the most popular—the most registered. We have the most number of registrants for this webinar, because I think that there’s a desire of organizations to be proactive, to equip their users, to equip their staff to better identify and protect against cybersecurity attacks.
It’s not all good news. We know that about sixty-eight percent of nonprofits don’t actually have an incident response plan, so that’s a guide to say “hey, here’s what happens whenever we do have a breach or we do have some sort of security incident”—that’s from NTEN—and we also know that responding to incidents can be expensive, so the latest numbers say about $149,000 in terms of direct cost to respond to a security incident.
Now, many of us see the big numbers in the news about the Sonys and Home Depots and kind of the big organizations that get targeted and kind of, our eyes glaze over, but this does represent a real financial threat to our organizations that needs to be taken into consideration, so specifically, we see this information.
(8:21) This is taken from the Verizon data breach information report, which is a really fantastic document that Verizon security services puts out, and so they’ve identified—these are kind of some specific dollar amounts that are tied into data breaches. So again, credit card information, that’s a couple of dollars per record. If you’ve got PII or personally identifiable information, perhaps about a customer, that’s about 25 to 50 dollars; again that could be a social security number, combined with date of birth, address. Same thing for employees, so again even if you don’t have PII maybe about your constituents, you certainly have PII data about your employees, so again all that HR information, social security numbers, that’s all stored and managed by HR, so it’s important that that data is protected. Medical records, for sales or financial information or proprietary information about your organization that will be valuable to, again, your state actor wanting to know what policy positions you’re taking.
(For more information on ways to audit your databases to see if PII is being stored in non-encrypted fields, read this article from our colleagues at Build Consulting How to Keep Your Nonprofit’s Data and Systems Secure.)
You know all of these things that we have as an organization, have some value to somebody else, so the hackers, they’re out there. They may not all be geniuses with an IQ of 197 and they may not have fifteen percent of your passwords, but the adversaries are out there and they may look more like this, (9:50) which are state sponsored adversaries, and so that means it’s not just somebody in their basement, doing this for the sport of it. These are well-funded organizations that are sponsored by the state and have a mandate to do information reconnaissance and maintain persistent organizations to kind of figure out what’s going on.
So here we see that there are state sponsored actors in the democratic of North Korea. We’ve got Russia involved, we have the panda representing China, so there are a range of well-funded state-sponsored actors that are out there, and we actually see them in the nonprofit space. So I think it’s a real wake up call for organizations to take their cybersecurity seriously, because as a nonprofit you cannot fly under the radar. Just because you’re small, just because you’re doing good work, you’ve got stuff that’s interesting to these other entities.
(11:02) So in terms of how that informs our approach to cybersecurity, we really want to start and root that in security policy, build on that security awareness, so that’s where we are really going to be focused on today, is talking about how to identify some of these threats, how to mitigate against them and some steps to defend, and build on that identity, data, protection against devices, perimeter, the web and then later on some next gen tools. So, we’ve talked about this in a little bit more detail in some of our previous webinars. We also have a cybersecurity playbook that’s on our website. You can register for it and download, so Johan you can chat out those links and some other links that I will be sharing as well for reference as you go.
So we take a holistic perspective in security, I think rooted in policy, understanding that we can upgrade technology tools in place. I’m a technology person, I love all the gadgets, all the shiny stuff, the fancy software, but my view is that this technology is driven by the end users.
You can have all the greatest whiz bang security tools in place, but if you’ve got staff that aren’t engaged, that aren’t informed, it’s really hard to protect against every eventuality. Having educated and well aware staff really raises the overall level of the security in the organization.
So I do want to kind of frame that and say “hey, it’s good to talk openly about cybersecurity”. This is not something that we— IT does to everybody else. This is something that we want to create a culture to engage everybody in. This is something where we want staff to be able to share their story and to learn, so a situation where somebody can share with their colleague “hey, I got this really weird email, what do you think?” is a much better situation than somebody clicking on a link and then asking about it afterwards or being embarrassed and not sharing with a colleague or IT that they may have clicked on something or done something that’s going to have a negative impact.
So again, we really want to build that culture of openness because we know that your experience is going to help somebody else. Somebody sharing like “oh, I had to help my parent deal with this IT issue” or “I had to help my colleague do this” or “this is something that happened to me,” I think is a really important part of building a culture of good security in your organization. It’s something in my view that should be encouraged.
Contemporary Attack Examples
(13:46) So we’re going to take a look at some contemporary attack examples, so these are things that we see as an IT support provider and so I’m sure that you may have seen something similar to this, so please feel free to chat that in or share some examples that you’ve encountered on your own.
So specifically, we’ll look at some
- email phishing examples, we’ll talk about
- malware and then we’ll also talk about some
- social engineering attacks and I think those are pretty interesting and dangerous because, you know no amount of great cybersecurity tools are going to be able to provide a hundred percent protection against those types of attacks.
So, specifically on phishing, we’ll look at some common attempts. How do I identify them and what to do once you’ve identified them.
(14:33) So here we can see the first example is an email that I got myself, a year or so ago. It looks relatively benign. I’m the chief technology officer, I buy stuff all the time, and so it’s not uncommon that I would get an invoice or something, but—however; when we take a look and one of the things that you can do in terms of identifying what are some tips to identify the source of some information, is just hover over the link, right?
So we’ve got an invoice from online invoices, it looks pretty legit, it’s got all these details, but whenever we hover over that view invoice we don’t see invoice anymore, we’ll see https://corpcatererscleveland.com and then a random string of numbers. So again, from this example we can see that maybe the adversary has actually compromised that organization’s domain, maybe their website and they’re combining a commercial online invoice template with a redirect or a malicious link.
So again, just hovering over the link is a great way to take a look and see “hey, does this really match up? Does this really make sense?”
One, am I expecting an invoice? And two “oh, does this online invoice match—the link match the domain of the sender that I’m expecting?”
(15:59) Here’s an example and this is being highlighted through one of our security awareness tools, and this is what a tool called KnowBe4 does in terms of their training, and it just highlights some of the things to look at. So again, the red flag things to look for here are the email from address, again does this make sense? It’s not coming from WellsFargo.com, it’s coming from devices-Wellsfargo.com, so maybe again not the address that you would expect. It has some generic information, so again “Dear customer, confirm your device” is actually a call for action in these messages or trying to get you to click on a malicious link, and so being able to identify, is this coming from somebody that I expect, is there unique knowledge about me, personally that would make me want to click on this and then what’s the call to action? Is this something that I’m expecting? So again, just taking a look at those pieces of information is really helpful to identify if something is legitimate or is perhaps malicious.
(17:13) And then the final piece just to show off here is, another thing that you can do, is just if you reply to the message, as soon as you reply to the message, it will actually reveal the real from address and so here we can see that there’s a mismatch between the From in the body of the message and the To now that’s in the address line.
So again, even if there’s something—you kind of have one more chance if you’re going to reply to a message because it will often reveal that the original From address was different from the To, so hackers have gotten really good at masking or hiding the From address, and so it makes it a little bit difficult to identify if it’s from somebody you know and trust or somebody who’s just masquerading as that domain.
So again, if you go in and choose Reply, you’ll see that name displayed and it’ll be a little bit easier to identify if that is from a sender that you actually know.
So, this is a graphic that comes from staysafeonline.org. This is a government, you know federal tax dollars at work, organization that is here to support good cybersecurity, and so as October is cybersecurity awareness month, there’s a lot of content and resources available, and they have this infographic.
Everybody loves dogs, maybe not as much as cats, I don’t know, but just reminding us, “hey, think before you click.” If you’re unsure who an email is from, don’t click on any links or attachments found in that email. So again, an ounce of prevention in this case is definitely worth a pound of cure. So for phishing emails—for phishing messages, I think it’s really a good idea to take that second look at that email, check for those red flags again, hover over the links, and look at the reply-to address. Does that all make sense? And then if you’re still in doubt or you are not sure, ask someone or forward it to your IT support provider. I know that’s something that we encourage here at Community IT. If our clients have a message they’re not really sure about, I would much rather them forward it into our help desk for them to take a look at, instead of clicking on something and then trying to call back information after it’s gone out.
So again, it could be a little bit harder to do that, now that so many of us are working virtually all the time, but if you’ve got an IT partner, an in-house IT person or somebody else, it’s definitely worth getting a second opinion before clicking on something.
So just remember to follow those three steps, in terms of:
- taking a look at the email,
- checking for the red flags, and then
- asking somebody for help.
So moving on to talk a little bit about malware as an attack kind of vector.
We’ll look at how malware often will come as part of those email attachments that are coming from unknown or suspicious senders, but malware can also be launched against organizations from things like malicious websites or even advertising within a website. Thankfully this is not as common any more, this is mostly targeting Flash and so with Flash being deprecated, we don’t see this as much, but it is still a risk and then finally talk a little bit about cryptojacking, which has a very cool name, but actually has some very real security implications.
So malware does keep rising. This is from an organization called AV-TEST (av-test.org), and so they receive samples of malicious software, and so we can see this is up-to-date in terms of the total number of unique malware samples that they receive (21:07) and the number just keeps going up and up and up. It’s very easy now for malware writers to take software, to manipulate it to generate a new file hash or a new ID, and make something that no antivirus tool has seen before.
So again the number of malware out there does keep rising. Also in this category is something called PUA or potentially unwanted applications, and so that could be stuff like, that browser extension that you installed to help with a tool, or some other add in or widget that you’re not quite sure how you got, but is now on your computer, so again potentially unwanted applications and that just really provides adversaries a foothold into your system, and so that could be used to launch further attacks down the road or maybe used for some other malicious processes.
(22:05) This is an example of malvertising, so again this is a couple of years ago, but this was an example of how the CryptoWall virus was delivered, so it was actually delivered via an exploited Flash advertisement. So again, very sophisticated, very hard to defend against. This looks like some generic Bing ad used to deliver a Flash, so we use some sophisticated technology to block this kind of stuff from a vendor called Cisco, so we’re using Cisco Umbrella to block malicious content that may not get—that may get through kind of the traditional firewall and then your traditional antivirus is not going to pick up as well. So again, it’s kind of—be careful of what you click on, be careful of what you are kind of navigating through to avoid these kinds of situations.
And then finally I did want to raise another technique that we have started to see, which is called cryptojacking. So crypto is short for cryptocurrency or Bitcoin, and so in this case what occurs is that an adversary will launch some, usually some malicious JavaScript, that mines cryptocurrency. So again cryptocurrency mining is a pretty processor- and power-intensive task, so instead of having a dedicated mining rig kind of sucking up electricity and consuming more electricity than you’re getting in Bitcoin, you can use malware to just have a bunch of other computers do that for you.
So it uses your computer’s power for the adversaries’ benefit, so if you want to get back in the Wayback Machine, you can kind of think of this like SETI, they’re scanning for extraterrestrial life, distributing their software to everybody’s computer, so your computer can kind of chunk away in the background while you were doing other work or while your computer was busy. So think of that model but just kind of for a nefarious purpose. You’re not going to discover alien life, but you’re going to be mining some crypto coin for some adversary.
And then the final piece that I want to talk about in terms of the type of attack that we often see, and I think that this one is the most sophisticated or the most impactful, is just social engineering attacks, and so we see these as tricking you into making payments. Again, as innocuous as buying some gift cards, maybe as sophisticated as updating wire transfer information. It could be tricking you into entering credentials as a way to then launch other attacks or trick you into calling for “support to address an issue”.
(24:08) So here’s an example of what we see as the first step in a lot of these attacks, so again here is our CEO Johan, who’s emailing our CFO Bill: “Hey Bill, confirm if you’re available. I’ll be in back-to-back meetings, so just respond to my email-thanks.”
It’s a very short, to the point, really hard for traditional anti-spam to protect against this and so then, what we would see is that Bill, if he replies to this and say, “Oh yeah, what do you need?” and then the follow-up email is often like “Oh, I need you to buy gift cards. Like, I really want to surprise staff,” and I think adversaries know that HR and executives are often now looking at having some kind of benefit or gift or something to send to staff because of all this work at home stuff and it’s just— we’re trying to do good stuff for our staff at the organization and so this is often how these attacks start. Some quick engagement to take advantage of and prey on our feelings like “Oh, we really need to be responsive to our CEO,” or “We really need to be responsive to our executive director or finance person,” and so again, this will be targeted at your finance associates or the new intern who really wants to make sure they don’t screw up and so they’re being really responsive to any request they get.
Maybe they didn’t notice that this is not from Johan Hammerstrom at Community IT.com, it’s from [email protected]. So again, there are some clues here that you need to be aware of. We’ve actually invented a sophisticated tool to block this, and so that’s why we’ve got the analysis information on here, but I did want to show this as an example of “Hey, these are the types of attacks that will often be initiated from email,” and then since you’ve started a conversation, spam folders and other stuff may not actually end up blocking it, because it says “Oh, well you’ve already had an email exchange with this email address, we’re just going to let it go.” So again, look at that call to action, look at that unusual request.
(27:10) The example that you see up on your screen now, is really an example of credential harvesting, so again you may get a link to a shared document. There’s no malicious attachment for antivirus to block, it will just go to the website. You go to a website, it says “Hey, you need to log in again with your credentials to see that.” We are often sharing stuff online and then you go ahead and enter in your credentials, without noticing in the message bar that this is not the Dropbox website, but is in fact landmarks.com.mx is the address. So again, it’s preying upon the lack of sophistication and being able to see like, “Wait, this is not a legitimate Dropbox sharing site. This is coming from a malicious or spoofed account.” I would say adversaries are really getting sophisticated at building good looking mock ups of an Office 365 login site or Google docs sharing site, or something where it looks pretty real and you can go in and type in your password and if—in this case if they type in their password and sign in, like nothing’s actually going to happen other than the password being added to the database of the adversary who’s now harvesting all these credentials and then will use them later in follow up attacks.
(28:42) And let’s see, the final example is something that looks super scary, which is these splashes that say “Oh your computer’s at risk! You’ve got to call us to give you support!” I think this is something that my parents had been targeted by and it looks really scary. It looks really dangerous and so in this case, you call that number, somebody will helpfully take your credit card to pay for the support incident. They may log into your computer, may run some command prompts that may look like a lot of stuff is happening and then they’ll just leave.
So again, if you ever see these splash pages come up on your system, the best thing to do is just, you could close your computer if that feels right. If you’re a little bit more sophisticated, you could go through and try to close the application, or Alt-F4 will close out that account or that application and will kind of go on. If you’ve got up-to-date antivirus and some web content blocking software, that should eliminate seeing this type of threat, but still I think adversaries have gotten pretty good at this. This page in and of itself isn’t really malicious. There’s nothing—there’s no virus in here, it’s just a call to action of a social engineering attack to get you to click on something and again, just turn over your credit card blindly.
Protecting Your Information – the Human Firewall
So let’s move ahead to talk about some tools and techniques to kind of think of how we can protect the information that we have or the kind of information that the organization has. This is kind of done under the framework or this rubric or the guidance of the human firewall. So again, I think it’s particularly apt now that many of us are working from home. We’re not behind our organization’s firewall, we don’t have the server kind of down the hall, or we’re not in our office protected, we are in our home, so we don’t have a sophisticated firewall. Maybe we are using our personal computer instead of our work-provided computer that has more up-to-date or sophisticated security tools.
The security perimeter really is us now and our device, and so what are some of the things that we need to be aware of to make sure that we’re protecting the data that we have access to?
And I fundamentally view that there are kind of two different elements here, so we’ve got:
- Protecting the device. (31:05) Historically, this has been where a lot of IT security controls have been focused around: we’re going to protect the device, we’re going to have a firewall to protect the network, we’re going to have an antivirus to protect the computer, we’re going to do all the stuff to protect the devices. But as most of the stuff has now shifted into the cloud, we’re now looking into,
- How can we protect the identity? Again, our online digital identity: if somebody has our username and password, they can get access to everything that we can. So how do we protect the identity as well, and how do those two things combine to inform our approach to cybersecurity? So I think fundamentally on the data side, just understand that you’re capable of protecting your information.
I think if you’re again—from an individual perspective, have a good idea of where your data lives, where your files are at, where your photos are at, you know what applications you have.
Is that data backed up? Is it in more than one place or are you just relying on the provider itself to make sure that that data’s protected? So again, having a good understanding of where your data is and if it’s protected by another system, I think are important steps to take. We’ll talk a little bit more about this later, as well.
Also on the device side, it may sound basic but patching and updating your systems is a key part of good cybersecurity. A lot of these exploits target unpatched systems or things that are not up-to-date. So if you are in a good habit of updating your system for the operating system, third party applications like Adobe and Java, those applications are also avenues as well, and then also updating the device firmware, making sure that all of your devices are updating on a regular basis, ideally monthly, and make sure that you are rebooting your computer. I think Microsoft has forced us to do this, Windows Update is a lot more assertive in installing updates and rebooting computers because they have to be. I think in the same way, I have an iPhone and that’s updated on a regular basis and it just kind of happens in the background automatically, and also, say, enabling the use of antivirus. It is only fifty percent effective in some metrics, but fifty percent is better than zero.
I think in this approach of cybersecurity,
We are talking about building a multilayered approach.
So building layers with effective tools that can help protect us in case something gets through and we caught on something inadvertently. Finally on the identity side, protect your identity. As I said we are not really behind the corporate firewall, where everything is on the server in the office down the hall anymore. We haven’t been there for quite a while at this point, and so it’s really critical for everyone to make sure that they’re
- using good passwords they’re using a password manager,
- that you’ve enabled multi-factor authentication to protect that identity. That may be complicated because you may log in to five, ten, fifty, a hundred different systems, so that the most—I think up to date research yes, as people have on average a hundred passwords, so yes there’s a lot of things to remember, so having a good way to manage and protect that is really a key element of good cybersecurity.
And then finally, know where your data lives.
Again, we talked about this on the device side but also on the cloud as well. What systems have access to your account information? I will add some links on how you can check that a little bit later on. So again, in terms of how to create a good password, there’s a lot of different philosophies around that. We have a blog article that we can chat out, Johan, on just how to create and pick a good password, something that’s secure, easy for you to remember and hard for computers to guess.
(35:40) So as we move into the cybersecurity,
What are good cybersecurity practices?
I think this is a graphic that was really helpful for me to see and understand and hopefully explain here, is what’s the expert advice for good cybersecurity practices versus Joe Schmoe on the street. So we can see this comes out of Google’s Project Zero, that’s their security focused entity, and so these are their recommendations in terms of data that they’ve collated from security experts.
Again, so we see basic stuff:
- installing updates,
- using unique passwords, every site that you log into should have unique passwords. In case one site gets compromised, it doesn’t lead to other compromises.
- Using two factor authentication, again that’s something I talk about incessantly, the importance of multifactor authentication or two factor authentication that combines something that you know, which is your password, with something that you have, which is often just an app that you have on your smartphone, and then
- using strong passwords. Again, something that’s easy for you to remember, hard for the computer to guess and then using a password manager to make it all easy. So again, at the end of the day you should only maybe have three or four passwords that you need to remember. Password for your computer, a password to get into your password manager and maybe one or two other things. Don’t make it too hard for yourselves, don’t make a pattern. Use the password manager. Let the tools work for you.
Don’t worry about changing passwords frequently, that tends to not be a good approach to security, because you end up just picking new bad passwords. You don’t need to only visit websites you know. There are some things that are not necessarily wrong in the kind of non-expert’s practices. Focusing on updates, new passwords, making sure that multifactor authentication is enabled, strong passwords and a password manager is a really much more effective approach in raising the overall security and can give you access to the data that you have.
So I think in a more helpful or easily distilled graphic, these are things that I would say are a good place to start.
So if you can’t confidently say that you’ve checked off all these things, this is where I would start.
- Make sure that the backups are in place for your data,
- make sure that your systems are updated on a regular basis,
- make sure that you have multi-factor authentication in place with good passwords,
- make sure you’ve got that antivirus turned on,
- make sure you understand and know which systems have access to your data through the cloud and then, from an organization perspective
- make sure that you’ve got some cybersecurity awareness training in place.
So maybe this is a good time to get another poll here, and see where folks are in terms of cybersecurity training.
I’m going to leave this up here, get a drink and we will see where folks are at in terms of cybersecurity training…
(39:16) Oh, let’s see, thanks everybody for chatting in here or responding. I’d say these responses here are a little bit better than what I thought that were going to be based on the initial survey, which led me to believe that ninety percent of folks weren’t doing anything at all, which was kind of a scary thought.
Let’s go ahead and share the results here, so we can see that almost half of the folks here are doing cybersecurity training in an ad hoc manner, when they get to it.
It looks like a quarter of the folks are doing it as a part of their broader IT policy, so that’s fantastic. We’ll talk a little bit more about that later.
And the other quarter are, “Cyber security training, what’s that?” You’re going to be able to check that off. You’ve done some cybersecurity training here and hopefully been able to take away something that is interesting and actually has a meaningful impact on yourself or your organization.
And as I mentioned, the cybersecurity checklist, we talked a lot more about this in detail in our completely revised 2021 Cybersecurity Readiness for Nonprofits Playbook, so go ahead and check that out after the webinar, if you haven’t had a chance to do so yet.
Putting this all into action
What does that mean? So I talked a little bit about backups, and just kind of understanding where data is, so I think it’s important to understand—understand that right? I mean, it’s no longer like all our data is in the server down the hall. Now we’ve got data in all kinds of different cloud systems. We have data that’s in our desktop computer, we have data in cloud services, we’ve got pictures that are the most important thing. Where’s all that stuff? How do we access it, how was it being protected and how is it being backed up?
So ideally, that data would be somewhere other than the primary service provider. So again, even if you are in Office 365, I would recommend making sure that you’ve got your data backed up in another location. There’s lots of great tools out there for that. Microsoft and Google and all the other big vendors, your data is important but they’re primarily protecting themselves against a server failure or some kind of other crash.
The protection is not so much if your computer crashes or you get ransomware in your device or something happens. You may be able to get it back or you may not.
Having that data protected in a system other than the primary vendor is a critical piece of IT security, and also puts you in control.
You can manage the data, you have access to it if something happens. If a provider fails or data is not available, you’ve got another way to access that data.
Updating your devices, and that’s all devices. Your phone, your computer, your tablet. Ideally that’s something that you are updating monthly. You know for other devices, updating system bios and firmware and drivers is also something that I think should be happening monthly.
(If you follow us on Twitter or Facebook you will get reminders from our #ReBOOT1st campaign)
We are able to automate that for our clients that have Dell computers. There’s some sophisticated stuff that we developed to do that, but maybe something that you need to do manually and then also make sure you’re just in a habit of rebooting weekly. These updates can’t often get completely installed until a device is completely rebooted, so it’s a good habit if you can, to reboot your computer at least on a weekly basis to make sure that everything is clean and running well. Sometimes those reboots can take a long time. I know it’s a hassle, close out of stuff, but it really makes a difference. Reboot it at the end of the day so your computer’s ready for use the next day, and I think Microsoft specifically has done a lot better job of surfacing the stuff that you’re working on.
So again, if you had ten different Word documents up, they will often reopen, it’s a lot easier to get back to them. The same thing with web browsers, but again reboot and reboot weekly.
So for password managers, with just password management in general, I think it’s almost impossible to do this on your own. I’m a big fan of password managers. There’s a couple of different ones out there. I think LastPass—that’s for personal use, I like it and it works well. I use it on my computer and my phone. I don’t remember passwords anymore, I don’t generate my own passwords, I just automate everything, which makes it easy to generate complex and unique passwords and I can access that through the app, and 1Password is highly rated.
If you have a favorite password manager, you can chat that in. I know passwords are really personal. People really get into the tools or the devices that they use, so if there’s something that you have, feel free to go ahead and chat that out. And again, like I said, if you do this right, you don’t actually need to remember that many unique passwords. One for your computer, one for your password manager. That’s minimal password management. Yeah, you are putting a lot of faith into the system, which I have, but it means that if you can generate sophisticated passwords you don’t have to remember and it will be easy to rotate or update if something does happen.
Again with me, I’ve got some guides on how to create an excellent password that’s on our website. “Have I Been Pwned” is a great resource. I have a link in another slide or two that shows a little bit about that. You can see if a password that you use has been compromised. And then finally, enable multifactor authentication. I see thousands of attacks against accounts and if you have multifactor authentication, you have a much higher chance of being able to defend against that than somebody just walking in with username and password and getting access to all of your information.
And so specifically, MFA really is effective.
(45:42) This is another slide from the Google Project Zero, talking about how effective multifactor authentication is against various types of attacks. Here, I think most organizations are going to be protecting against automated bot or bulk phishing. MFA with on device prompt, it’s an authenticator app—Microsoft authenticator, Google’s got one, Duo, there’s a ton of them. They are very, very effective and much more effective than knowledge-based challenges, like “What’s your secondary email address? What’s your phone number?” And they’re more effective than SMS codes.
Down at the bottom you’ll see security keys, those are becoming more popular. I use a security key for certain applications. I like it because it’s really fast, but it is limiting and security keys aren’t supported by every application, so happy to talk more about authentication devices later, but the on device prompt for Microsoft authenticator or Google authenticator is super effective, easy to use, free, and it’s very effective.
This is “Have I Been Pwned”, you can check this out, type in a password. Troy Hunt is an Australian guy that maintains this system, and so basically he—every time there’s a huge data breach, somehow he gets a copy of the passwords that were included in that data breach, and he adds it into his database and then surfaces it up through the site.
Again, you can type in a password, any password. In this case I typed three passwords and that password has been seen a hundred and eight times before, so basically it means that bad guys know that this is a password that’s in use, and so they’ll try it against your username and password combination. So, if you’re using a great password anywhere, don’t anymore, go pick a new password and update those sites to make sure that your accounts that are using those passwords are secure.
Again antivirus, I think it is an important layer of protection, it may miss fifty percent of attacks, better than zero, and I think the good news is that there are new technologies and approaches that are available and some tools you may see, called EDR or endpoint detection response, but these typically come over a premium antivirus.
So if you’re managing an organization, I think it’s important to have third party AV tools, so you can make sure that the systems that you’re supporting or managing are all up-to-date.
If you are a single user, then you can purchase a third party tool. Actually Microsoft Defender, which is now built into Windows 10, does a pretty good job. That’s even sufficient. Making sure that that’s on and up-to-date is just IT security fundamentals.
The security awareness checkup
(49:44) This is specifically about what systems have access to your data. Here’s some links for how to audit access to applications. So again on Facebook, you can go ahead and see what apps you’ve given the ability to view your profile and your friends list and all of this other stuff. Google similarly, you can see which applications you used Google to sign in to, what access those applications have, and then you can also revoke it again. And then again, LinkedIn similarly has a way to provide that.
The example here is in Google, so again the Google security checkup will show you “Hey, you should review the third party access. Here’s some devices.” This was me. No recent events in twenty-eight days, I’ve got two step verification. That’s what they call multifactor authentication. So again, it’s not just the applications that you’re using, but all these third party cloud applications, how they interact and making sure that you’ve got a good list of what data you are sharing with those systems.
And then finally on cybersecurity awareness, training specifically. This is data that comes from a vendor called KnowBe4, the security awareness training tool that we use. They provide training resources to everyone basically and so they’ve got a lot of data to support their thesis. They’re able to say for SMB nonprofits with one to two hundred and forty-nine staff, the initial baseline test, the number of people that click on a malicious link is almost forty percent. We do this and I’ve seen some organizations break that right? Forty percent of users just clicking on stuff that lands in their inbox, so that’s a pretty scary number. But then they also say that, data shows that after ninety days after initial training that drops down to under fifteen percent and then one year into a training program that’s under five percent.
Here’s what we see in terms of the organizations. Whenever we’re implementing an online security awareness training tool, we get pretty good reduction in the amount of people that are clicking on these malicious links that are contained within emails.
As we wrap up here, I just want to offer some encouragement that cybersecurity can be daunting, but it doesn’t need to be overwhelming.
So here’s some specific things I would like you to take away from this:
If you’re here as an individual, or a very small organization, it’s important that you
- inventory and back up your data,
- make sure your computers are up-to-date and reboot them on a regular basis, (#ReBoot1st on Twitter!)
- make sure that antivirus is installed.
- get a password manager to store, manage and generate passwords for all those sites that you’re accessing
- review system access, what systems have access to your data and remove those unnecessary ones
- schedule time for security. I think this doesn’t happen on its own; it needs to be pursued intentionally, so make sure that you’re blocking out some time in your day, your week, your month to focus on that.
If you’re here representing part of an organization, I would say it’s really important to
- start with policy, we didn’t talk about that much in this webinar, but starting with, what are we supposed to do as an organization?
- Formalizing yours and then formalizing your cybersecurity controls and then I think it’s really important to
- implement regular user engagement that includes different elements, so again we would typically do baseline phishing, have initial training and then run quarterly phishing tests, quarterly focus trainings and then provide regular reporting, and then
- incorporate feedback.
So when we’re talking specifically about cybersecurity awareness training, I think it’s really important that the
- training must have executive buy-in and this is not something that IT can do on its own. It needs to be coming from the top, maybe the board, maybe executive leadership, but in order for it to be effective, it needs to come from that senior executive level.
- I would say it also needs to align with organizational culture. If you’re doing security awareness training that’s really strict and rigid and nothing else in your organization that’s strict and rigid, then you’re probably not going to be very effective, so find a way to make the tools work with how your organization works.
- I think it’s really important that training should be frequent in its timing, so having a three-hour security awareness training that’s once a year, not that effective. Having a twenty or thirty minute training once a year, five minute training once a quarter that’s great. Keeps you fresh, keeps you engaged and it’s a lot more effective.
- I think it’s also important to incorporate testing and feedback, what’s working and what’s not. Is this training, does this speak to us as an organization or is this not really tailored to us and one of the reasons I like KnowBe4 is that they have thousands of training resources available and so you can find something that really works for your organization and
- Build that culture of learning. I mean, this is something where if you can get people engaged, staff can talk about it, they can be open and you can be educated by the vendor that you’re using, I think that’s a much more effective approach than feeling like you’re being talked down to, you know bullied into training,
- punishing people that click on stuff, making an example of them, in my view that’s not a very effective way to build a good culture around cybersecurity. Working with a vendor that is able to engage you to be a teacher, an educator around these topics is I think—you’re going to get much better results than vendors that may have all the answers and kind of communicate it in that way.
So again, let’s make sure as we wrap up here, that you’re setting a reminder for yourselves. We’ve got a lot of content. Like I said you’ll be able to review this. This will be posted on our YouTube channel and you also get a copy of all the slides, so maybe a week from today, set a reminder for yourselves.
One or two of those things you said “Hey, I really want to get a password manager” or “Oh, I really want to make sure I have a backup of all my cloud data” so go ahead and set a reminder for yourself right now to do that. You know if you could take the step, have an accountability partner, is there somebody else in your organization that you can check in with? Maybe a contact with your IT partner to say “Hey, we really need to review XY and Z, let’s do that in a month”. Go ahead and schedule some time for that, so you can make this really actionable.
Security really doesn’t happen on its own, it requires us to be engaged with it, so schedule time to do that security now.
So, I really put out a lot of content. I’ve been seeing the chat go the whole time, but I’ve not had a chance to look at it, so we’ll take some time now to go over any questions that may have come up, things that needed clarification and we’ll see what we can do to answer any additional comments that came up along the way.
(56:25) Johan Hammerstrom: Great, thank you so much Matt, that was a fantastic webinar, a training in and of itself, in its own right, and we definitely encourage folks to check out the recording of this webinar on our YouTube channel and on our website. It should be available within the next day or two.
Next Webinar and Q & A
Before we get to the Q&A, I did want to mention our final webinar of 2020, which will be next month and we’ll be partnering with Build Consulting, which is an information strategy consulting firm that focuses on nonprofit organizations.
Next month, we are going to be hosting an “Ask the Experts Panel” webinar with three Build principals, Peter Mirus, Kyle Haines and David Deal. They are going to be discussing, Building a Better Nonprofit Software Selection Process, so that will be next month, November 18th from 3 to 4 o’clock in the afternoon, and if you got a reminder about this webinar, you will get a reminder about that webinar too. We encourage you to sign up and also share that with anyone in your network who you think will be interested in it.
So we only have just about two minutes left, so really quickly Matt, Do you have any suggestions regarding HIPAA compliance as it relates to security?
Matthew Eshleman: I mean, I think that could be a whole webinar series in and of itself. I mean, I think HIPAA more than anything really needs to start with the compliance policy side of things and so working with legal to frame that out, I think is the first step to figure out what you need to do and how you set things up. Yeah, we can talk about that, follow up.
I think HIPAA is such a complex beast in and of itself. I think the first step, like I said, focus, talk to the legal representation of the organization and go from there. Because there’s such a severe impact if you’re not doing things in a HIPAA compliant way that you need to make sure that all of your bases are covered from a legal perspective first.
Johan Hammerstrom: And last question, we have one minute left—this will probably take longer than a minute,
In the current political climate, especially with the elections coming up, do you have any specific advice or resources for organizations who might be targeted? Particularly vulnerable with the elections in this political climate?
Matthew Eshleman: So I didn’t actually mention this in this presentation, but I think I covered it in some other ones. If you’re a Microsoft customer and actually if you’re in Google as well, so both of those vendors have more sophisticated security controls that they’re making available for free to organizations that may be higher risk in this political climate. For Microsoft it’s called Account Guard and Google, the name escapes me right now, (Protect Your Election With Google) but there’s some additional security monitoring that they turn on. We have a number of our clients that are using it. I work with a Microsoft team on some security and some response stuff and they’re really fantastic resources, those are free. So Microsoft Account Guard would be the thing to check out first.
Like I said, IT security fundamentals, multifactor authentication. Again for many vendors it’s going to be a free, included solution and so, making sure that that’s turned on is a great place to start. I mean, every vendor, every three letter agency is going to tell you that that needs to be in place.
Johan Hammerstrom: All right and that will have to — go ahead, go ahead.
Matthew Eshleman: Up on the screen now is a list of other resources, so again we put in a lot of content around cybersecurity, so please check that out.
- Community IT Webinars – https://communityit.com/webinars/
- Stop Think Connect – https://www.stopthinkconnect.org
- Tech Soup Covid Response Bundle – https://techsoup.course.tc/catalog/course/coronavirus-mitigation-resources
- KnowBe4 Free Resources – https://www.knowbe4.com/free-it-security-tools
- Microsoft Free Cybersecurity Training – https://security.microsoft.com/attackSimulatorTrainings
Also, I talked about Stop, Think, Connect earlier, and so that’s a free resource. There’s a lot of great getting started tools there. I also wanted to highlight that TechSoup has a COVID response bundle that has a lot of stuff, including a Security 101 training and a Security 201 training that I did about a year and a half ago, so the content is still pretty fresh and up-to-date. Usually they charge for that, but I think through their partnership with Microsoft, TechSoup is making that available for free, so again if you need more online training resources, you could go check that out from TechSoup.
KnowBe4 has some free tools and we use them as well for their paid offering, which I think is great and Microsoft has added some free cybersecurity training that’s available, especially if you’re an Office 365 customer. It’s okay, but again if you have no money and want to get started that could be a good place to go first.
Johan Hammerstrom: All right, thank you Matt, appreciate your time, your knowledge and your expertise and my thanks to everyone for joining us today for this webinar. Have a great month.
Matthew Eshleman: Great! Thank you.