Nonprofit Cybersecurity Risk Assessment Basics

You know your nonprofit organization is at risk.

But do you know how to manage cybersecurity risk?

This webinar presents a best-practices framework on assessing your risks, using the National Institute of Standards and Technology (NIST) privacy risk assessment methodology.

Matt Eshleman, Community IT Innovators’ CTO and resident cybersecurity expert, will teach you how to

Over the last few months, many organizations began to use personal computers and devices for work, quickly set up cloud file sharing platforms, put the entire remote office on Slack or Teams, or moved to using Zoom for conference calls.

Even if we did our best to implement thoughtful security protocols and train new users on new tools, circumstances have made measured approaches to cybersecurity difficult. Your practices are probably out of sync with your security needs.

Now is the time to better manage risks by reviewing your cybersecurity stance and (re)training your users on security best practices.

We know our nonprofits will be called on over the next few years to provide more support to our communities than ever before. News headlines warn us to be prepared for more and larger hacking incidents in the future.

Don’t let a cybersecurity issue derail your mission or distract your staff during this mission-critical time.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

For more on building a comprehensive cybersecurity roadmap for your nonprofit organization, download our free Cybersecurity Playbook.


Presenter:


As the Chief Technology Officer at Community IT and our resident cybersecurity expert, Matthew Eshleman is responsible for shaping Community IT’s strategy around the technology platforms used by organizations to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how technology works and interoperates both in the office and in the cloud.

Matt joined Community IT as an intern in the summer of 2000 and after finishing his dual degrees in Computer Science and Computer Information Systems at Eastern Mennonite University, he rejoined Community IT as a network administrator in January of 2001. Matt has steadily advanced at Community IT and, while working full time, received his MBA from the Carey School of Business at Johns Hopkins University.

Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference, Non-Profit Risk Management Summit and Credit Builders Alliance Symposium. He is also the session designer and trainer for TechSoup’s Digital Security course. He presents updated tips to protect your login credentials throughout the year.

Matt enjoys presenting webinars on nonprofit cybersecurity risk assessment. You can access more videos of his past cybersecurity presentations here.


Transcript

Johan Hammerstrom:  Welcome to the July Community IT Innovators Webinar.  Thank you for joining us for today’s webinar on Nonprofit Cybersecurity Readiness.  My name is Johan Hammerstrom, and I’m the CEO of Community IT and the moderator of our webinar series.  Before we begin, I would like to tell you a little bit more about our company.  Community IT is a 100% employee owned company, and our team of almost 40 staff is dedicated to helping nonprofit organizations advance their missions through the effective use of technology.  We’re technology experts and we have been consistently named a top 500 managed service provider by Channel Futures, and now it’s my pleasure to introduce today’s presenter, our Chief Technology Officer Matthew Eshleman. Hello, Matt!

Matthew Eshleman:  Hey, Johan, thanks for the introduction and thanks everyone for taking time out of your day to join this webinar. We’re going to be talking about Nonprofit Cybersecurity Risk Assessments and specifically the NIST Framework.  It’s good to be with everybody today, I was checking my calendar and it’s actually been about 20 years this month that I joined Community IT as an intern and it’s been a great journey with this company, kind of playing all the different roles and really getting to know nonprofits and the unique needs that nonprofit organizations have around technology and in the last several years specifically around Cybersecurity resources.

So, I’m thankful for this opportunity to talk with you today, and invite you to ask questions using the chat, so Johan will be moderating that as we go along.  And we’ll be making this interactive, we will have some time for questions at the end, but please don’t wait until the end to chat in your questions.  We’ve got a lot of content to cover today, so I’m going to go ahead and get right into it. 

(2:09) The agenda for our conversation this afternoon is going to cover a couple different areas, first I would like to start off by helping to set the groundwork for the Cybersecurity landscape that we operate in. I think it’s new and different and changing and especially in our current context, there’s a lot of things that we need to understand about the world that we operate in from a cyber standpoint.

We’ll talk about the risk assessment portions specifically and spend most of our time there.  We’ll talk a little bit about budgeting for risk prevention and some of the tools and techniques that are available for organizations and look at some of those specific budget numbers that you can put in your organization’s budget.  We’ll talk about how to engage executives, if you’re an executive and you’re on this meeting, great, congratulations.

If you’re somebody who is responsible for Cybersecurity at your organization, there may be some tips or tools that you can take away, in terms of engaging with your executives, or if you have got a great relationship with your executive leadership at your organization, please feel free to chat that in as well.  And then finally after we Engage the Executives, we can talk a little bit about the road map for implementing some of those controls. 

Before we go too much further, I do want to get a sense of the audience that is here today, and just understand who is responsible for Cybersecurity in your organization? (3:39) So go ahead and chat that in or respond to the poll there.  Is it you? Do you have an internal IT department? Does that follow under operations, maybe no one’s responsible for it, or perhaps, you’ve outsourced that to an MSP, or Managed Service Provider.  Maybe we should have included another acronym, to include MSSP or Managed Security Services Provider.   We’ll leave that open for just a few more seconds and thanks everybody for participating with that. 

Okay.  It seems like most folks on the webinar, maybe outsourced that to a Managed Services Provider and I think that’s a good option, certainly as a Managed Service Provider ourselves, we have a lot of tools and capabilities in that area. As we’ll see, the security controls can be rather complicated, require a lot of updating and maintenance and so outsourcing it can be a good option, I think.  For those folks that are saying “no one,” hopefully, you can get some takeaways and maybe you get some better understanding of where to put that responsibility and hopefully implement some of those controls as well.

(5:15) I think it’s helpful for us to understand the Cybersecurity Landscape, the world that we’re living in on a Cyber perspective and understand that there are persistent and ongoing brute force attacks on your online digital identity.  Sometimes, we look at this from a two sided approach.  We’re concerned about securing people’s digital identity, the username or passwords that people use to access systems, and then we’re also concerned about securing the devices. 

So, we see from the monitoring tools that we have there are persistent and ongoing brute force attacks on those identities. So, if you’re in Google, if you’re in Office 365, if you’re in Dropbox, if you’re in Box, if you’re in any platform that can be accessed from the web, in addition to you accessing your platform, lots of other bad guys are trying to access your platform as well.  And so they’re leveraging those massive password database breaches that occur and they’re just trying to login all the time, against that online identity. 

We’re also seeing sophisticated spear phishing attempts.  I saw from the information submitted by people in the registration that this was a common threat that they saw, particularly targeted towards executive leadership at the staff.  Those emails that kind of slip through these spam filters, that appear to be the executive talking to a finance associate, an operations person, talking to one of their assistants to kind of get them to call to action, like “Hey, can you do this?  Can you take this action? Can you review this email, can you process this, buy this gift card, can you update this wire transfer?” and that’s really sophisticated and has come a long way.

And we’ll see a little bit further on in the incident report data that we have, that this is a trend that we have seen a big increase in going from 2018 and then into 2019. 

We’re also seeing organizations targeted because of the work that they do.  That certainly applies to us, as a Managed Service Provider.  US-CERT issued an advisory saying, “As a managed service provider, you’re targeted by Nation State Actors,” because we have access to a lot of privileged information of our clients, and so we take a lot of care to protect that data.

We know we are target organizations, especially coming into an election cycle.  We certainly are aware of disinformation campaigns, of campaigns against those accounts for people working on federal campaigns or other election campaigns.  They’re targeted. If you’re in that space, you can expect to have your account targeted based on the work that you do.  There certainly could be other organizations that are also targeted.  We see it from our perspective.  A lot of organizations are working on policy, good governance, journalism, those sectors tend to be targeted by sophisticated attacks, because the actors that are out there are interested in the content that they’re producing and who they’re talking to and how that information is being disseminated.  So again, depending on the organization that you’re in, you may have an additional layer of risk, just because of the work that you do. 

And attacks targeting vendors. So again, in our connected world, you may have data in one system, that vendor may be using a subcontractor in another system, so the web of your connections can be rather extensive and all of those vendors are targets and so, it’s important to understand the data that you have, the systems that that data resides in, and which vendors are accessing it, or have access to it.  If there’s a breach at a subcontractor, that may expose your data.

It’s important to understand where your data lives and who has access to it. 

It’s not all necessarily bad news.  There’s a lot of great security tools that are available to combat these new threats and we’ll talk a little bit about that during this webinar.  But there are great security tools that are being developed to combat the threats and in general they are fairly affordable. 

I think it’s also great that organizations are starting to ask about where to start to improve their Cybersecurity.   Now that we’re halfway through 2020, maybe it feels like a lifetime through 2020, but organizations are starting to take a proactive stance about Cybersecurity and not just because they want to have better security controls, but because they think, it’s the right thing to do. They’re seeing external compliance pressure or membership organizations including cyber controls as part of what it means to have a gold star from their organization. 

But it is starting to be a proactive approach that we see as an organization, as opposed to just something that we as a Managed Service Provider are constantly reminding our clients.  So, I think that’s good.

There’s still a long way to go.  According to, I think this is the Microsoft Nonprofit Cybersecurity report that they put out about two years ago, 68% of nonprofits still didn’t have an incident response plan and so that would be a plan for what to do when an organization’s data is compromised.  So, again, that’s a big gap that needs to be addressed. 

And Cybersecurity threats are real and they have real costs, even for small organizations.  I think we tend to get blinded by the big numbers associated with data breaches of massive companies, and the millions of dollars and so small organizations kind of tend to dismiss that.  But we see from data from some organizations that do reporting on small and mid size businesses, that the breach response for a small to medium business is about  $149,000. That’s direct out of pocket cost.  That is not counting lost staff time or lost productivity, or lost donations or lost services.  That’s direct cost.  That’s paying for lawyers, that’s paying for media, that’s paying to remediate the damages.  So again, a Cybersecurity breach, even for a small to mid size organization, can be substantial. 

(11:49) We tend to view Cybersecurity through a lens and it helps us to organize our thoughts and this is the lens that we approach Cybersecurity at Community IT.  It’s not just a technology solution.  This is something that’s rooted in policy, to help what’s important to the organization. How is that defined? So, if we can start with that foundation of security policy, then you can build the appropriate tools and processes in place, on top of them.  So, on top of the security policy, we really want to look at training the users in security awareness, so that you get an educated and aware staff.  We’ll see this come up in the NIST Framework.  User training is a big element because it’s an effective control and it’s relatively affordable as well.

Building on top of that, we get into some technology controls like protecting identity, data protection, device management, looking at your perimeter firewall. In today’s primary remote work environment, certainly the network perimeter is very expansive or maybe doesn’t even exist at all.  And then we also look at controls and protections around web based applications and then finally looking at some next gen tools to layer on top of that, once all our bases are covered. So again, just a helpful framework, building on a foundation of policy. 

(13:25) As I mentioned, we support about 140 different nonprofit organizations.  We’re primarily based here in the DC Metro area and that represents about 5000 seats.  So, we see a lot of ticket data, we see a lot of incident information.  Over the last couple of years, we started to compile that and report it back out as a resource to help inform nonprofit organizations to say, “Hey, what are the threats that are facing other organizations that look like me?” 

And so, this is a summary from our Nonprofit Incident report. We had a webinar back in April on that and Johan can chat that link out if you want to reference that. That looks at the data that we see from our clients.  And then we report out on the different types of security incidents that our clients experience. 

You can see here, perhaps no big surprise, spam is the most common threat we see.  We still see some malware, most of that tends to be pop ups and unwanted things like that, which is a little bit different than viruses, perhaps more a malicious form of malware.

We’re seeing a significant amount of account compromise, meaning somebody’s online digital identity was accessed by someone other than themselves.  Then the other kind of big category is around business email compromise. A much more sophisticated type, you might also see it referred to as spear phishing.  So, those are the common threats that we see facing organizations that actually help inform some of the security controls that we invest in and recommend organizations invest in.  Knowing what are the types of threats that these groups are facing, how we can best combat those threats. 

Since we’ve been doing this for a couple of years, we’ve now started to generate some comparative data.  So we can see that spam has a big increase. I think it probably doesn’t reflect that there’s more spam out there. I think it’s reflective that we’ve done a better job educating our clients to say “Hey, we see something suspicious,” send it in to us. Again, this is an area where an ounce of prevention is certainly worth a pound of cure. We can prevent somebody from clicking on a malicious link.  That’s going to be a lot more effective than trying to make sure we’ve got technology tools in place to block it or clean it up after it’s happened.

The other, the big thing you see here, that I think is impactful, is the big increase in spear phishing from the data that we saw in 2018, compared to 2019.  Again, a lot of spear phishing came in on the scene in 2019 and there’s some technology tools in place to combat that. I think those are the big takeaways. I see that there are account compromises on here. We had a decrease going in 2018 to 2019.

I will make a pitch here, and you’ll hear it later, for organizations that had implemented multi-factor authentication. They aren’t reflected in this number. This shows organizations that have not turned on multi-factor authentication are much more susceptible to account compromise than organizations that have turned on multi-factor authentication for all of their cloud services.

The trends we’re seeing in general: Cybersecurity incidents are on the rise and I would say that certainly continued here into 2020.  We mirror the broader organizational marketplace, where a lot of spear phishing and general attacks were centered around remote work and the COVID response. There was lots and lots of spear phishing around that vector.  Spam continues to be a problem; I don’t think it’s going away.

I would say business email compromise, that spear phishing.  Not just the generic Viagra ads that may be considered spam, but the emails that come in, that appear to be from your Executive Director, appear to be from your finance person, that ask you to do something—to buy the gift card to transfer money, that is the biggest headache.

And so, we probably get more hours spent responding to that, because it generates such a reaction among staff.  That’s a real big pain point for organizations, and thankfully there are some technology controls that helped to combat that.

And then finally, account compromise is still at a high level. We had a reduction from 2018 to 2019, so that’s great.  We would say we’re still responding to some account compromise incidents into this year. Until we get 100% compliance on multi-factor authentication, I think that is just going to be how things go for the foreseeable future until we can really implement some stronger controls around our online identities.

(19:08) So, I’m going to just take a pause and do another survey. I just want to get a sense from the attendees here, in terms of how confident you are with your own organization’s Cybersecurity controls? Very concerned, somewhat, or not at all?

I’ll just give this a minute to respond here. 

Okay, we got most everybody responding here and looks like, perhaps an even distribution between those folks.  Most folks are somewhat concerned which probably makes sense.  You know with a quarter saying, very concerned and 22% saying not at all.

I’m curious for these folks that are saying, “not at all concerned.” Is that because your Cybersecurity controls are in a really good place and so, you don’t have to worry about it? Or, are you saying not at all concerned because you don’t really think you have any data or information that’s of interest?  So I would be curious to know a little bit more about that.

So making the shift a little bit from the trends and the landscape, I do want to talk a little bit now about the assessment itself and the different ways that organizations can go about understanding

(20:55) What you see up on your screen here, is a summary of some of the different options that we have at Community IT. 

Today, we’re going to look specifically at the NIST Cybersecurity Framework Survey.  That’s a survey based approach.  It’s a relatively low effort, about an hour time investment.  It doesn’t look at your network, it doesn’t evaluate any configurations.  It’s simply a survey that walks you through all the different NIST controls and generates the report. 

It’s a great way to just get started.  It’s a really nice tool, but it doesn’t take much time and requires you to just fill out some information about your organization, what controls you’ve implemented, and then it will generate a report from there. 

The step up from that, we have what’s called a Core Assessment.  That’s a more detailed discovery than the NIST assessment.  Instead of just looking at the roadmap, it’s a process that involves interviewing staff, looking at your existing process and controls, evaluating the existing security policies, taking a look at the security configurations that are in place and mapping out a high level roadmap for what to improve. 

That takes about 20 hours of time, and is a good step in the water if you know that you’ve done some basics, but you really want to understand what your next steps are. 

We also have a Comprehensive Assessment. Instead of it being a 20 hour survey configuration, it’s more on the order of 80 to 100 hours. This is geared toward organizations that are probably 100-150 staff and up. It’s a much more detailed assessment, looking at the detailed discovery process, evaluating all aspects of people, process and technology aspects of Cybersecurity and then developing a comprehensive roadmap to take from there. 

And then the final piece that we also hear clients interested in, is what’s called a Penetration Test.  I wanted to add this in here.  We don’t do the penetration test ourselves; we have a third party vendor that we partner with to do the penetration test.  Those are really focused on simulating an adversary attacking the network. 

Whereas in our assessments, we’re going to be in your network, working alongside your IT teams, having back and forth, the penetration test is kind of a black box test, where they’re going to put a device in your network.  They’re going to be scanning, they’re going to be doing external testing, they’re going to be probing and trying to simulate what an attacker is already doing on your network.

It tends to be very technical in nature focused on those technology weaknesses and vulnerabilities. It generates a very comprehensive list of technology related systems that would need to be upgraded or improved.  Those tend to be on the order of $20,000 solution, on up.

It may be necessary for some organizations to complete a penetration test, but unless you’ve already invested a lot in security controls, you may not get the most value from the $20,000 test to tell you to implement some of the basics.

So, depending where you’re at in the maturity of your organization, the NIST survey may be a great place for you to start, or you may need to invest a little bit more to get your security aligned to where it needs to be. 

(25:08) So specifically on the survey, I do want to talk about: What is NIST, and what does it do?

So the NIST Cybersecurity Framework, NIST CSF, stands for the National Institute of Standards and Technology.  That’s NIST.  It was founded in 1901, and it’s part of the U.S. Department of Commerce.  This is your tax dollars at work. It’s focused on developing, as the name would imply, Standards and Technologies for industry and for institutions to use.

So, from NIST comes smart electric power grid and electronic health records, computer chips, all the stuff is kind of rooted in NIST standards.  They put out this standard called NIST 800-53.  It’s specifically developed for federal agencies and related contractors to make sure their Cybersecurity controls are in a good place.  You can download it yourself.  This is a freely available resource and it essentially turns into almost a 1700-line spreadsheet of controls.

It’s a pretty massive list of controls, not really designed for a 50 person nonprofit organization to go through.  It  contains lots of irrelevant information for organizations that have outsourced a lot of their technology, don’t have a lot of resources, aren’t doing development, all that kind of stuff.  So, the NIST survey that we have access to basically distills down those 1700 controls into a much more digestible format that’s included in the survey.  We are now talking about answering 75 questions instead of 1600 and then they are organized into these five domains that you see here.  The NIST cybersecurity framework breaks things into these five domains, which is identify, protect, detect, respond and recover. 

These are familiar controls that you will see in some other frameworks as well, but this idea that you have got a life cycle of understanding the assets that you have.

What are the IT governance decisions you need to make, what’s your overall risk assessment as an organization, how do you protect those assets, how are you detecting whenever vulnerabilities or issues may occur, what do you do from a response perspective? When some anomalous event happens, how are you going to mitigate that?

Then, finally what are you going to do to recover, make improvements, incorporate that in your life cycle and then, communicate with the necessary stakeholder?

So, essentially the NIST Cybersecurity framework takes all these 1700 controls, distills them down into these five different domains, and then looks at all of these different areas.  The NIST survey will generate a risk map that will surface the deficiencies that you have in your organization, or perhaps where your organization is doing well, as a way to provide some information for reporting.  So, you can have a visualization of what’s working well and what needs improvement. 

Access to the online tool provides this and in addition to the risk map, also a prioritized list of recommendations.

(29:10) This is the element of the report that really connects the recommendation back to the security standard.  PR stands for Protect and then AT.  You can map all these standards back to the NIST controls if that’s important to you, but from a standards framework perspective, it gives us a consistent way to assess risk and understand what controls are helping to support different initiatives. 

In this sample report that we see here, we can see that it’s identifying that all users are informed and trained. Unless your organization has implemented a security awareness training program, this will be a recommendation that you will get.  We see further down, threats both internal and external are identified. Unless you have a managed service partner that is getting information from intelligence sources and their vendors and helping you understand what threats are out there and what risks your organization may face and how you are protected from them, this may be a recommendation for you as well. 

You can see this report will generate a list of all those critical recommendations, along with high priority recommendations as well. 

I will just pause here and ask Johan, if there are any questions about the content that we have covered so far?    

Johan Hammerstrom:  Not yet, but this has been great, Matt. I think it’s been very clear and I am going to send out a link to the NIST website to their Cybersecurity framework.

Matthew Eshleman:  Yeah that’s great and in addition to the Cybersecurity framework, which you can have and download and review yourself, they also have some additional resources that you can look at in terms of training on the NIST framework to better understand what they are doing and why they are doing it.  It’s a great resource and like I said, this is a Federal Government initiative and so this is your tax dollars at work.  It’s free; it’s available to you. 

If security is your thing, this would be something to really delve into and to understand.  Like I said, the NIST Framework is about 1700 lines of stuff and that’s a lot to dig in.  So, the NIST survey that we will talk about how you can get access to – it’s a much more concise way to understand what’s relevant and what’s meaningful as a small to midsize nonprofit organization.  What should my security look like?  This is a great way to get a standards-based report.  It’s not just what Community IT made up.  It’s what NIST is doing and what’s relevant for small to midsize organizations. 

All right.  So, as we transition from the survey itself and pivot into getting started with implementing some of the cybersecurity controls, I do want to get a sense from folks on the meeting here today. 

(32:42) Do you have a plan to improve cybersecurity at your organization?  So, again, we just get a sense of where folks are at with improving the cybersecurity controls at your organization. 

Great, if you can just take a second and vote, we will get those results up here for everybody else to see. 

Okay and yeah it does seem like most people on the webinar today do have some controls that are underway. That’s really great to see and smaller percentages say “not yet.”  So, hopefully if you are in that 20% that are saying not yet, you can get some specific takeaways and for those folks that are “underway,” there may be some recommendations that are new, you get some additional context to help move those forward.

(33:59) So, in terms of getting started with cybersecurity, I did want to highlight: these are our foundational cybersecurity controls that we have in place at Community IT.  That starts with

If you are getting started with cybersecurity, these should be the things that you can check off to make sure that you have got a good foundation.

(35:33) If that seems like a long list and you are just getting started, I think it’s important for organizations to basically implement these three things:

So, with multi-factor authentication, that combines something you know, which is your password with something you have, which is your device most often. A smart phone that is able to generate a unique code, to help complete the log in process.  So, when a hacker gets your password, they are not able to get into your account, because they also would need to have your device as well.  So, that’s a very effective way of blocking that.  So, again multi-factor authentication is included with most cloud applications, with Office 365, with G Suite, Box, Dropbox all of those should include multi-factor authentication as part of their base package.

Specifically for Office 365, you can add on some additional security bundles to give you some more sophisticated controls.  If you add in EMS, the Enterprise Mobility and Security, I think that’s 220 per SKU for non profits. You can upgrade that to include conditional access, meaning that you can apply different rules or policies to grant or block access, depending on where the user is or what device they are trying to access the system from.  That can be powerful.

We are starting to see more and more organizations move from just this binary – if you have a username and password login, to looking at these conditional access policies, to say, “Hey! We are only going to allow access from devices from our organization,” or “We are only going to allow access from IP addresses that we trust,” or “We are going to block sign ins from this location, because we know, we don’t work in this area and so there is no reason, anybody should be logging in!”

Conditional access can be an improved security tool, just to help minimize the surface area for attack.  For Security Awareness Training, like I said, there are lots of options out there.  This is an area where there’s lots and lots of vendors competing.  We use KnowBe4 at Community IT.   I think they have got the best mix of both security awareness training and a big library of really relevant topics and it’s not just somebody talking IT for an hour, but interactive games and quizzes and videos to make that training interesting and engaging.  But then, they also have a really nice phishing tool that you can test your staff and see who is clicking on the links, what staff may need some extra education or training or engagement to make sure that they are able to identify suspicious links or information in email.

So, again KnowBe4 is the tool that we use.  It’s typically about $20 per user for the year, for the license, so not very expensive and something that really provides a lot of benefit to the organization in terms of improving the overall security posture of the organization. 

Many cyber liability insurance policies will check, “Do you have security awareness training?” So, this is an easy way to do that. 

And then the final piece here is Business Email Compromise Protection.  This is something that protects against that spear phishing.  So, not just spam, I think most folks actually can ignore spam at this point.  It doesn’t rise to the level of the frustration we see with business email compromise.  The tool that we use is called Barracuda Sentinel.  In addition to blocking – doing a good job of blocking this kind of stuff that makes its way through the spam filter, it also does some additional stuff, like including the account takeover protection.  If all of a sudden, the system sees a login from a user account that’s not in the normal location, it sends an alert. If a forwarding rule is detected, it can create an alert, so again it can provide reporting insight like that.  And then, it also will include DMARC and DKIM administration.  So, these are some of the newer tools that would supplement traditional validation schemes like SPF as a way to say, “This is a valid email, from this organization” as a way to help combat spoofing. So again, an effective tool, only a couple of dollars per mailbox, per month.

Those would be the controls that I would focus on that provide immediate protection assuming that you already have backups in place, assuming that you already are updating your systems.  But these are the three controls that I think are really important to have in place to help protect against the most common threats facing non-profit organizations.

(41:08) So having all these —  we have the fancy survey, we have the list of controls to implement, how do we make that change from understanding we need to act to actually moving into action?

I think it’s important, obviously leadership has to be engaged with making these decisions.  And so, I think it’s important, as we talked about at the beginning, in the cybersecurity landscape, all organizations are vulnerable.  Non-profit organizations don’t get to fly under the radar because they do good work or because they are small or because they don’t have the budget to maybe invest in cybersecurity controls.

The people sitting on the other side of the computer don’t have that concern.  All organizations are vulnerable.  Every organization has Social Security information of their staff.  They may have sensitive information about donors.  They may have sensitive information about patients or clients that they are working with.  So, all organizations have resources that can be exploited.  And poor cybersecurity is an organizational liability.  Your organization may have reporting requirements if you have personally identifiable information, so recognize that just because you are a non-profit doesn’t mean you can skip out on those controls.

And it does require leadership to say “Yes.”  I think for a lot of things, you can put in some controls and some policies and some procedures without executive buy-in, but to have a truly meaningful cybersecurity campaign, the executive leader needs to be at the front of the organization saying, “Hey! We are making these changes, because our data is important and this is important for us as an organization to make sure that we are protecting the information of our staff and the constituents that we support.”

So, it’s important that this is the message that does come down from the top.  In terms of how to engage your leadership, I would say it’s important to schedule time for security.  You can have a rhythm such as monthly reporting and quarterly planning.  Cybersecurity changes relatively quickly, so doing annual plans or three year planning or five year planning may not be as helpful in the context of cybersecurity.  What’s happening now in planning may be different two or three months from now. You may want to decide on some monthly metrics that you want to report on and then have a quarterly planning process to update for what is going to happen in the next quarter. 

I think, it’s also important to know your audience, what is the method of communications that’s going to be the most effective for your leadership team?  Do they want to know the story of how somebody at another organization updated a wire transfer and transferred $50,000 to another bank account or do they want to have big picture metrics like a breach is going to cost $149,000 for most small and mid-size organizations?  Sixty-eight percent of  nonprofits don’t have an incident response plan.  So, again understand the audience and figure out the way to communicate with them.   

And then, finally, leverage existing compliance requirements.  If your organization processes credit card payments, you need to be concerned about PCI compliance.  That may be an avenue to make improvements in your cybersecurity controls.  Certainly, if you operate in healthcare in any way, then HIPAA compliance may be the avenue to move toward some cybersecurity improvements.  If you deal with data subjects from the European Union, then GDPR, maybe that’s the avenue.

Finally, I would say, beyond just these really big, formal compliance frameworks, you may also look at your membership organizations that you are part of.  I was just working with an organization that doesn’t have any of these formal compliance requirements, but the membership organization that they are part of was saying, “Hey! We are going to issue our seal of approval and to have the seal of approval from this group of non-profit organizations, we need to understand what security controls you have in place in your organization.”

More and more organizations are starting to incorporate cybersecurity controls in other areas.  Your finance audit may now include cybersecurity controls, so, understand where those leverage points are. 

So as we kind of wrap up here, I do want to say, in terms of the next steps that you can take, I would say, “Yeah, it’s important to understand what existing controls you have in place.”  What are the things you have already done?

The next step, I would say would be, get you access to the survey tool. You can schedule time with me and I will go through this assessment with you, to make sure that you understand all the questions and you understand the outcomes.  Security is really important to me.  It’s something I have been working on a lot in the last couple of years and being able to move from a general security tool to like, “Hey! What are the specific steps I am going to take at my organization?” is something I want to make sure gets done.  So, take that opportunity to exercise that, to get the roadmap.

Once you get that report back, it would be a good opportunity, if you haven’t already, to schedule time with your organization’s leadership to say, “Hey! We went through this NIST survey, here are the three things that are identified as critical risks for us, how can we address them?” as a way to provide some specifics to move forward. 

So, I will pause here, and see if there are any additional questions that came up during the last section or two?                      

(48:30) Johan Hammerstrom:  Yes, thank you Matt, so there was a question about cloud applications that don’t support multi-factor authentication, what are some recommendations in those cases?

Matthew Eshleman:  I think the answer is it depends and to some extent, how sophisticated that application is.  In some cases, you may be able to provide what’s called single sign-on access to those applications. So the multi-factor authentication would happen at your SSO provider, your single sign-on provider, and then, it’s providing access to the application.  That would be one way of doing it.  There are some other tools.  If you are an Office 365 or an Azure customer, Microsoft provides some really impressive tools to put some gateways in front of the applications, so you can use a feature in Azure called Azure Application Gateway, as a way to proxy access to applications and so you can use your Office 365 SSO and multi-factor authentication policies as a way to authenticate to an application and then provide secure access to it.

So, again there are a couple of different ways, depending on the application, that you may be able to put some controls in front of it.  If it’s a vendor that’s maybe some custom software, I don’t know that I would necessarily leave a vendor just because they don’t have MFA, especially if I have been with them for a long time.  But I certainly know at Community IT, every application that we use, we put MFA.  Every application that has sensitive client data has to be protected by MFA for us.  And so, that may be a buy or do not buy decision, if you are evaluating new solutions.  So, again, there are a couple of different ways to go about it, I think depending on the application and what’s available from the vendor themselves.  

Johan Hammerstrom:  Great, thank you.  And for those who are interested in scheduling a meeting with you, and we certainly encourage anyone who is interested to follow that link that I had chatted out just a minute ago, is there anything that they can do to better prepare for the meeting with you?

Matthew Eshleman:  I think, taking a look at your existing – if you have existing IT policy or procedures, I think that would be helpful information to have available ahead of time.  If you are already working with an existing Managed Service Provider, you could ask them for a copy of their cybersecurity controls documents. We have a 20-page document at Community IT that outlines all the different systems we have and how we use them and what’s protected and how we protect them.  So, your MSP should be able to provide something like that that can provide you some information on how they are protecting your system.  If you can get a copy of that, that would be a helpful thing to have, it should maybe have those answers to what are some of the protections that are already in place, how are they vetting threat sources, what are they doing?  So, look at your existing policies.  If you are already working with the vendor, get a copy of their cybersecurity controls document as a way to help have that documentation because we are going to need to find some answers to those questions. 

Johan Hammerstrom:  Great, thank you Matt.

Matthew Eshleman:  Great.  Thank you, I appreciate it.  So, I will say, next month and I forgot to put the date in, so this will be the August webinar.  Our colleagues at Build Consulting will be delivering the webinar then.

Johan Hammerstrom:  I am sorry, it’s going to be Wednesday, August 12th at 1 o’clock in the afternoon.  You will get an email with an invitation to register for that webinar, but if you want, you can go ahead and set aside the time right now.  That will be Microsoft Dynamics and Salesforce, Wednesday, August 12th at 1 o’clock Eastern Time.

Matthew Eshleman:  All right, great well thank you so much.  Yeah, I will – Johan let you wrap it up.

Johan Hammerstrom:  All right, well thank you very much Matt, that was great as usual.  I don’t know if I actually mentioned this at the beginning, the slides and the recording will be available on our website. 

You will get an email with a link to those after – probably tomorrow we will be sending that out.  Feel free to share it with anyone who was not able to attend the webinar today.  We certainly enjoy offering these webinars and are grateful for all of you joining us today.  So, please stay safe and we look forward to having you join us in the future, take care.