Part 1 focuses on Artificial Intelligence (AI) tools and how nonprofits are using them and creating policies around acceptable use. Pt 2 delves into cybersecurity, platforms, and hybrid work tools and concerns.

Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Google, Stitcher, Pandora, and more. Or ask your smart speaker.

Transcript below

Download the new Acceptable Use Policy for AI Tools in the Nonprofit Workplace.

Understand the Technology Association of Grantmakers new AI Framework.

Listen in as experts from our senior team discuss …

How is your organization using AI? What policies do you need?

What is the new cybersecurity reality and what should you be doing now to better face the next threats?

Are you remote/hybrid/in-person?

Are you in Google Workspace? Wondering about Office365?

What tech do you need for 2024?

Join CTO Matthew Eshleman, Director of IT Consulting Steve Longenecker, and IT Business Manager Team Lead Norwin Herrera, moderated by Carolyn Woodard from Community IT, in a lively and specific discussion of all things nonprofit tech for 2024 and beyond.

It’s like listening in on your smart friends talking about stuff you need to know about but don’t know who to ask. We’ve gathered our senior experts in one place – ask them your questions at registration or live during this webinar nonprofit tech round table.

Kick off the new year with a new understanding of trends and practices that can help your nonprofit succeed. This is one of our most popular webinars and podcasts year after year for a reason. We don’t believe a lot of lingo or jargon is necessary to understand what you need to know to manage IT.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.

Many questions asked at registration or live at the virtual event will be answered in the transcript. Check back and get some expert insight in this webinar nonprofit tech round table.


Matthew Eshleman

As the Chief Technology Officer at Community IT, Matthew Eshleman leads the team responsible for strategic planning, research, and implementation of the technology platforms used by nonprofit organization clients to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how nonprofit tech works and interoperates both in the office and in the cloud. With extensive experience serving nonprofits, Matt also understands nonprofit culture and constraints, and has a history of implementing cost-effective and secure solutions at the enterprise level.

Matt has over 22 years of expertise in cybersecurity, IT support, team leadership, software selection and research, and client support. Matt is a frequent speaker on cybersecurity topics for nonprofits and has presented at NTEN events, the Inside NGO conference, Nonprofit Risk Management Summit and Credit Builders Alliance Symposium, LGBT MAP Finance Conference, and Tech Forward Conference. He is also the session designer and trainer for TechSoup’s Digital Security course, and our resident Cybersecurity expert.

Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.

He is available as a speaker on cybersecurity topics affecting nonprofits, including cyber insurance compliance, staff training, and incident response. You can view Matt’s free cybersecurity videos from past webinars here.

Steve Longenecker

As Director of IT Consulting, Steve Longenecker divides his time at Community IT primarily between managing the company’s Projects Team and consulting with clients on IT planning. Steve brings a deep background in IT support and strategic IT management experience to his work with clients. His thoughtful and empathetic demeanor helps non-technical nonprofit leaders manage their IT projects and understand the Community IT partnership approach.

Steve also specializes in Information Architecture and migrations, implementations, file-sharing platforms, collaboration tools, and Google Workspace support. His knowledge of nonprofit budgeting and management styles makes him an invaluable partner in technology projects.

Steve is MCSE certified. He has a B.A. in Biology from Earlham College in Richmond, IN and a Masters in the Art of Teaching from Tufts University in Massachusetts.

Norwin Herrera

Norwin joined Community IT Innovators in November 2019 as an IT Business Manager. Bringing over 25 years of experience working with technology to his role, Norwin knows how to help clients achieve their organizational missions by managing IT tools wisely.

As Business IT Manager Team Lead, Norwin manages this team of senior technology specialists and ensures clients benefit from well-managed IT.

The Community IT ITBM service provides an outsourced IT manager to clients at a lower cost than hiring and keeping an IT manager on staff. These managers are a resource dedicated to matching technology solutions to clients’ business needs. Doing this well requires an ongoing conversation with the client to continually understand their business needs, and then effective communication with client staff and leadership about the ways specific technology solutions can meet those business needs and how to budget for technology.

The ITBM makes recommendations on IT investments, training programs, maintenance, and licenses. They help the client be forward-looking, and act as a vendor-agnostic, trusted advisor with deep knowledge of the nonprofit IT software and platforms available. Because Community IT works in partnership with clients to manage long-term IT needs, the ITBM relationship with the client makes them a true asset.

Norwin has a strong history of providing direct services in Spanish and English to nonprofit organizations in the Washington DC area. Prior to joining CIT, he worked at Casa de Maryland as a computer teacher and created a technology handbook with popular education techniques. At La Clinica del Pueblo he was Manager of Technology.

Carolyn Woodard

Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College. She is happy to be moderating this webinar.

Check back soon for the transcript and additional resources in case you missed this webinar Nonprofit Tech Round Table.



Nonprofit Tech Round Table

Carolyn Woodard:  Welcome, everyone to the Community IT Innovators webinar, Nonprofit Tech Round Table. This is always one of our most popular webinars every year. 

We have a panel of our senior staff here today to talk to you about essential trends in nonprofit tech and what that means for nonprofits. 

They’re going to spend some time talking about 

My name is Carolyn Woodard. I’m the Outreach Director for Community IT, and I’m the moderator today. I’m very, very happy to hear from our experts. So, Matt, would you like to introduce yourself first?

Matthew Eshleman:  Great. Thanks for including me as part of this webinar. This is one of my favorite events I get to do here at Community IT. My name is Matthew Eshleman, I’m the Chief Technology Officer at Community IT. And in my world, I get to work with organizations on their technology strategy and tech adoption. Also, I manage and support our backend team that provides support and management to our over 180 clients and about 7,000 endpoints.

I’m really looking forward to the conversation with my colleagues here today.

Steve Longenecker:  Thanks, Matt. I’m Steve Longenecker, I’m the Director of IT Consulting at Community IT. I’ve been at Community IT for close to 20 years and I manage the projects team. Norwin and I together do the leadership of the IT Business Management team.

Norwin Herrera:  Yes. Thank you, Steve. Thank you, Matt and thank you, Carolyn. I’m Norwin Herrera, I’m the IT Business Manager Team Lead at Community IT. I work mostly with clients and I hear their pain and suffering and I try to help them every day. I have two clients that are considered large clients, over 300 staff. One of them is here in Washington, D.C. and the other one is in San Francisco. So I’m happy to be here and I hope this is going to become my most interesting and important webinar of the year.

Carolyn Woodard:  Thank you so much Norwin, for joining us, and I’m looking forward to your insight into the many clients that you and Steve work with and what we’re seeing from them. 

Before we begin, if you’re not familiar with Community IT, I’m going to give you a little bit more about us. 

I just want to remind everyone that for these presentations, Community IT is vendor agnostic. We only make recommendations to our clients based on their specific business needs, and we never try to get a client into a product because we get an incentive or benefit from that. But we do consider ourselves a best of breed IT provider. So it’s our job to know the landscape, what tools are available, reputable and widely used. And we make recommendations on that basis for our clients based on their business needs, priorities and budget. 

We are going to mention a bunch of IT tools and products and platforms today, but we would only make recommendations for our clients. 

We did get a lot of good questions at registration, so we’re going to try and answer as many of them as we can. Anything we can’t get to, I’ll ask our experts to give us some written thoughts and I’ll append those to the transcript, so you can check back after the webinar if we don’t get to your question. We’re trying to pack a lot into this hour today.


By the end of this webinar, we want you to be able to 

Polls About AI Use

Poll 1: Is your organization using AI? 

And your options are, 

  1. I don’t think so. 
  2. Yes, we are using publicly available AI tools. 
  3. Yes, we are using AI enhancements available in tools we already use, like Office 365. 
  4. Yes, we are using enterprise or custom AI tools like Copilot for Microsoft or other paid or subscription AI specific tools. 

I see in the chat that I did not give you an option to say no, absolutely not. We’re not allowing AI and we’re turning off the tools and features as often as we can. So thanks for writing that in.

Steve Longenecker: So the largest plurality was, I don’t think so, maybe almost half, 47%. And then using publicly available AI tools was 36%. Then the last, next largest was using AI enhancements available in tools we already use, like Office 365. I know Zoom has some as well, that was 30%. And then almost 10%, 9% said that they were using enterprise custom AI tools like Copilot and other paid subscription or AI specific tools.

Carolyn Woodard:  Great. Thank you and thanks everyone for sharing that with us. Okay, so we are actually going to go on to another quick poll. 

Poll 2: How many people at your organization are using AI tools?

How many people at your organization, at your nonprofit are using AI tools? And feel free to guesstimate. 

  1. One person, maybe your early adopter or somebody who’s your gadgethead or is interested in the technology. 
  2. Another option is 50%, about half the people you think at your organization are using the AI tools. 
  3. And then the third option is 75 to a hundred percent. So everybody’s doing something with some AI. 

I’m sorry, I should have included zero, we’re not allowing people to use AI at our organization. For our next webinar on AI, I’ll make sure to include the none of the above option.

Steve Longenecker: Although, I’m skeptical that you’re able to keep that one person, that early adopter, out. 

Matthew Eshleman:  For our audience today, about over half say, one person or early adopter. We’ve got about 40% saying half the organization is using these AI tools and then, only about 5% of the respondents said that the majority or 75 to a hundred percent of their organization are using these tools. 

I would just maybe tack on to say, this is an interesting number to get at because as we do some cybersecurity assessments, we have some insight into web traffic at the clients that we’re managing. And it was really surprising when I was doing an assessment recently, about 90% of their endpoints were reaching out to ChatGPT. 

So, if we were to ask their organizational leadership how many people are using AI, I think they would’ve been on certainly a lower number. I would say the use of these tools is really pervasive even if it’s not officially supported by the organization.

Carolyn Woodard:  That’s a good point to make. Thank you, Matt.

Poll 3: Do you have AI policies at your nonprofit?

  1. I don’t think so? Not sure, maybe?
  2. Second option is, we’re in the process of creating policies. 
  3. And then the third option is, yes, our organization has created an AI acceptable use policy and staff understand our policy. 

Norwin Herrera: Do you have AI policies? I don’t think so, 55%. So it’s a lot of people. And then we are in the process of creating policies, 44%. And yes, our organization has created an AI acceptable use policy and the staff understand our policy, we have a two percent. Very interesting.

Carolyn Woodard:  Yeah. I’m hoping this poll and the webinar today means you’re in the right place. Everyone is struggling with this. 

And you can see how many of you who answered this poll, say either you don’t know if you have policies or you’re working on creating them to kind of catch up with all of this use of AI. So thank you all for sharing that with us and I hope you feel like you’re in the right place. 

AI and Nonprofits

Our first topic is in fact AI and nonprofits. Matt, I think you are going to lead a discussion and Steve and Norwin, feel free to jump in.

Matthew Eshleman: Yeah. Thanks, Carolyn. I don’t know if we’re experts on AI; I don’t know that I necessarily qualify and I think this is a really fast and rapidly changing space. 

It’s interesting, last year when we did this trends webinar, I think only one of us identified AI as a big trend for 2024, and here we had in the very beginning of the year Open AI being released and gaining a hundred million user accounts in the first two months. 

I mean, the adoption is really stunning in terms of just how fast this technology has been made available to everyone, how quickly people are adopting it and how rapidly the landscape is changing. 

I went to a training led by Microsoft in December. Whenever the Open AI or Copilot was going to be released for Microsoft customers, it turned out that was only for enterprise customers. You had to buy 300 seats and you had to have Microsoft Enterprise Licensing in order to get it. And there was no timeline for when that would be made more broadly available.

Well, here we are today with the announcement that anybody with a Microsoft license, basically Office 365 account, can buy a Microsoft Copilot license for $360 for the year for a person. And so just to see that change happen over five weeks is pretty striking.

And it also leads us to think, well, what’s going to happen in the next five weeks? 

So this introduction of AI powered tools that are being added into everything from Zoom to Teams to dedicated third party apps is really striking. And as I said in my earlier comment, in the context of reviewing a client’s web traffic for security assessment, it’s really clear that staff at organizations are going to do this on their own. 

So in the absence of really clear policy guidance that forbids access to these tools or actually putting in blocks on your web traffic filters to block these types of applications, it’s clear that folks are really relying on these tools or testing them out. And I think that’s a good thing. 

It’s a new technology. It’s built on the data that the systems have access to. If you’re just using the public, free version, the content that you contribute is going back into the model. The responses are going back into the model.

In the Microsoft world, if you’re using (now part of Copilot), that’s going to give you an Office 365 filtered view; again, that’s kind of free. If you’re using Copilot for Microsoft 365, then that’s going to be built on the access that you as an individual have into your own Office 365 environment. So again, files, anything that you have access to, your Copilot will have access to.

It really comes back to some of these fundamental things that we’ve talked about year over year over year, which is that good adoption policy is important. Good data hygiene is important, file structure is important, permissions are really important. And so if you’re looking where to start, that’s a good place to start.

Carolyn Woodard:  Matt, we have a quick question that just came in through chat or a comment about the difference between ChatGPT and the ChatGPT that they’re using within Microsoft.

Matthew Eshleman: Regular ChatGPT, if you just go to the website, you make an account. What you put into the prompt, and then the responses out of there, are effectively public. And so those questions and the responses go back into developing a large language model. 

You would obviously want to be careful about putting things that would be sensitive or personally identifying in that kind of thing. So if you’re maybe using a prompt, can you help me write a letter to get people to click on my fundraising email? Maybe that’s pretty benign and the results aren’t especially unique to you or your organization. 

Whereas if you say, this donor gave this much money last year and this is their home address. Help me write a thank you letter to that person. Well, that’s probably not the kind of thing you want to put into a public model. 

Microsoft keeps rebranding their AI. I’m maybe not going to have consistent terminology, but the Bing Chat for Enterprise or Enterprise (Copilot) Chat is basically a Microsoft filter view where your prompts and the results that come from it just exist for that session and they don’t get added back to the model. 

There’s no trail or inclusion of that data into the model so that somebody else could potentially get information out of the model that would be informed by your questions or input.

Steve Longenecker: I think that’s worth highlighting right now. I’m just stating what a lot of people know already, but ChatGPT is kind of the leader of the pack. It may or may not stay that way. It may not even be that way now depending on who you ask, but it certainly has huge usage and is maybe the place that your staff will go to by default in the absence of any other direction. You get that same engine with fewer privacy risks if you direct your staff, if you’re a Microsoft 365 customer, to use Bing Chat. That part of Microsoft’s AI services is free to Microsoft 365 customers.

So that’s definitely one of the starting places that we’re telling our Microsoft 365 clients. Not all of our clients are Microsoft 365 clients, but those who are, at the very least, have a policy that directs your staff who want to use ChatGPT to use the Bing Chat (now rebranded as part of Copilot and available through Microsoft 365). At least then if they do ask for that letter to that donor, it will not end up in the public domain. And that’s a vital thing. Policies that half of you are writing now, should definitely focus on hygiene and privacy concerns and being aware of all of that.

Acceptable Use Policy Template

Carolyn Woodard:  We have had so many people asking us for a template to create acceptable use policy. You can Google it, but there’s a lot of very generic ones that don’t seem tailored to nonprofits in the nonprofit sector. So we put one together, and you all are the first that are going to be able to see it and use it. We would love feedback on it. 

Download the new Acceptable Use Policy for AI Tools in the Nonprofit Workplace.

You can download it as a Word document, so then you would be able to update it the way that you want to, with your organization name and your logo. It’s just a starting point. You would want to make your specific policies around that. But as I said, we’d love to get your feedback on it. So please use it, see if it works.

And why are policies important, guys?

Matthew Eshleman: The policies are important because they really give organizations a way to level set or have a conversation around how they are using it or plan to use it. And it helps make some technology decisions down the road a little bit easier. 

For a lot of these tools, even though AI is a transformative technology, the things that it is relying on are things that organizations have been talking about and governance has been working to address for a long time. What information do we have? Where’s it stored? Who has access to it? 

The AI tools that Microsoft specifically is making available are really reliant upon the folder structure and the permissions that are built into Office 365 and SharePoint.

And so, if everybody in your organization has access to everything and there’s not good data governance and you rely on security by obscurity, all of a sudden adopting a tool like Microsoft 365 Copilot is going to surface a lot of information that may not be something that you want to have surfaced. Things like employee job descriptions or salary ranges or all those kinds of things; that’s data that an organization has. 

And so if you make Copilot available to everybody and somebody’s able to type in a prompt like, what is a salary at my company? And get other people’s salary information because that information wasn’t protected, that can be a risk. 

Having a good policy foundation in place to say, how do we structure data? Where do we store it? Who has access? And then carrying that through to the actual implementation and adoption of new tools is a really important process.

Carolyn Woodard:  I want to try and bring Norwin in a little bit. Steve as well, you can weigh in. Do you have clients who have AI policies already or are you pretty much looking at all of your clients needing to create them?

Norwin Herrera: Basically all of them are asking because some of them are already asking for authorization to install AI tools. And then the answer from us is, okay, make sure that you add at least a line into your acceptable use policy that mentions AI. 

And that’s the thing. Most of the organizations are going to try to use it before thinking about the policy. But the way it should be, let’s make sure that we have a policy in place and then we can start using it. 

My recommendation will be that and also to do other checks. Make sure that you have, for example, security awareness training, everybody on board on that. You know, that’s a must. If you’re going to start using AI tools, make sure that people understand the basics of the technology they’re using currently. There’s people asking, can I install this? Can I install that? Can I use this one? 

Carolyn Woodard: Thank you so much Norwin.

There is a really great resource, the Nonprofit AI Framework from the Technology Association of Grantmakers, who did a project with Project Evident and a couple of other partners to develop a framework around using AI at nonprofits and foundations. They’ve developed a really beautiful visual tool about the different areas and issues that you should be taking into account as you’re creating your policies. 

They have these three areas of 

I went to a presentation that they did on this, and it was very interesting. They mentioned that a lot of organizations start with the technical; which tool do we use and which tool are we going to allow? et cetera.

They recommended taking that step back and looking at the ethical considerations and what your organization needs. What’s the business case for using a tool? Does it have a specific case? You run an archive and you want to use AI to pull out information from 10 years ago that’s way down, maybe mislabeled in your archive, or do you have other use cases for it? Be thinking and intentional about it before. It helps you develop policies as well.

AI in Nonprofits

Steve Longenecker: Can I highlight a couple things that have come across the chat?

What is the scale and training data for AI for nonprofits?

Most of our Community IT clients are small and medium sized nonprofits. And our understanding of the landscape is that they’re going to be using general purpose AI tools, right? So when you ask your AI agent, whether it’s ChatGPT, Copilot or something else, to write a contract, it’s probably going to be basing its answer on a zillion contracts that are on the internet. Its answer isn’t based on the contracts that are in your data that only you have access to. We’ll never have the scale quite needed to achieve that volume.

The AI is not being trained on nonprofits’ data. It’s general purpose. And so, you have to have your expectations set that way. It’s changing so fast though. Don’t be surprised if in three years, Microsoft can add a layer on top that’s based on just your data and only you get to access it and it will be a really nice thing. 

In fact, one of our engineers in today’s huddle that Matt and I were in asked, can my AI just watch me work for three weeks, so I can go away for a week and go skiing and the AI can cover for me? Yeah, maybe soon, but not now.

Another question was, since Copilot is based on ChatGPT, why would you pay for Copilot?

The idea there is that the UI (User Interface) is going to be really handy. You’re going to be in Word and the Copilot will be right there in Word, in Teams and in Excel, being able to answer context-specific questions right there from the apps. 

Matt, do you want to say anything more than that? It is an advantage, and whether it’s worth $360 a year? I bet it could be worth it pretty quickly, but your mileage may vary.

Matthew Eshleman: Yeah. This is all new and we’re still waiting to see how this is all going to be revealed, but essentially the demos that we have seen with Copilot is that app-specific context. You can be in your Excel document and say, can you help me analyze this spreadsheet and highlight the top five trends? Ask specific information about the data that’s in your application. 

Fundamentally, ChatGPT is largely a text-based tool right now in terms of, can you generate a summary of this document, or can you edit this and make me sound more serious or more casual in conversation?

So it’s the productivity enhancement that’s really built into the applications themselves. And using that application, as Steve said, to analyze data that Copilot has access to. At least in the Microsoft 365 world, Copilot is going to have access to everything that your user account does. You could have it analyze other documents or links that are contained within spreadsheets. It has that ability to navigate down through other related data elements within your organization’s file structure.

Steve Longenecker: Matt, if you were a small nonprofit, all of a sudden as of this week, you can buy a Copilot license for some early adopters for $360 a year, upfront and it’s a commitment. If it saves somebody 10 hours of time, it might pay for itself right there, but still it’s a bit of a risk. 

Let’s say that you could get away with spending a thousand dollars right now. Who would you kind of think would be the best choices? Obviously, you want to pick someone who has an aptitude and a propensity and likes new technology and really pushes things to find out what they can do. But I’m not sure you’d want to pick an intern, right? But at the same time, maybe not your Executive Director. Do you have thoughts on that? 

Are there certain jobs that are maybe more able to be leveraged by AI than others?

Matthew Eshleman: I think in the corporate world, I see this translating into job losses, potentially. In some content creation areas, I think AI is well suited to generating content for websites, for web copy, for fundraising appeals. I think that’s how Microsoft is certainly positioning this. There are a couple of other links that Microsoft has included as companion resources, where you can go through and do a little bit of a self-assessment, rate your organization in terms of how mature you are in certain areas, and then it’ll spit back some different things where organizations may be able to benefit the most.

From what I see, content creation and data analysis roles are really well-suited for this. Looking at it from a script development and code quality perspective, that’s helpful. That’s such a well-defined area and machine learning is really good at helping augment in those areas. 

And my take, while we see AI is being viewed maybe as a job displacer in the enterprise, my hope is that in the nonprofit small to mid-size, it’s really a capacity builder. So many nonprofit organizations are so resource constrained, they don’t have enough time to get to all the things that they want to do, given the resources that they have. 

Hopefully, through the use of some of these tools, all of a sudden it’s like, oh, I have an extra hour or two to focus on this other task I haven’t been able to get to because I’ve been so busy writing this letter, or analyzing the spreadsheet. So I think, we can hopefully look in the nonprofit sector as this being a capacity enhancer as opposed to it just being purely an efficiency of we need 10 people to make these widgets, now maybe we only need eight people to make the same amount of widgets.

Carolyn Woodard:  I want to reset a little bit; we’ve got a couple more topics we want to cover. Do not worry, we will be doing more webinars on AI specific over the next year, so keep your questions coming. 


I want to ask Matt to talk a little bit more about cybersecurity. I know there’s some new threats, some including AI, but some other threats out there. 

Matthew Eshleman: I’ll use the AI point as a little bit of a pivot. I think AI is great and gives us a lot of capacity, particularly when it comes to writing convincing emails. Also, the tools that we have access to are the same tools that the attackers have access to.

So, some of those things that we’ve come to rely on in the past in terms of, is this a poorly worded email or is it full of misspellings? Oh, that must be a hacker trying to get me to click on something. They’re using these same tools too. They’re using tools to improve their code to write more malicious web injections. They’re using these tools to write better copy to get you to click on the link to buy a gift card or share banking information or update some wire transfer.

This technology is available pretty widely and everybody is using it. With that being said, we have seen more new attacks this year than we’ve seen in previous years.

For a long time we’ve been advocates of wide adoption of multifactor authentication: using something that you know, which is your password, along with something that you have, in many cases, a smartphone with an app on it, as a really safe way to protect your account.

In some of the presentations that I’ve done in the past, there’s a graphic that we use from Google that shows different MFA methods. You have an app, you have SMS, you have a phone call and you have a security key. Looking back at our data from 2023, we actually had a significant number of account compromises for accounts that were enrolled in traditional multifactor authentication, meaning that they were using an app on their smartphone as the second factor, which is considered very secure.

But through some new technology that attackers are able to use called Adversary in the Middle or AitM, they’re able to steal both the username, password and the multifactor authentication token and then maintain access to an account. So it’s pretty sophisticated technology and it’s difficult to protect against.

So we are now encouraging organizations, particularly those that may have high security roles, finance, or in the policy world, to look at physical security keys; you may see that called FIDO, or Fast Identity Online.

Those types of authentication methods are phish proof in that they have a physical connection to a device. Certificate-based enrollment, FIDO keys, those are physical security keys that provide that second factor. And at least at this point, they’re the best multifactor authentication method that is available.

I think organizations should start seeing how they can improve their stance when it comes to multifactor authentication. Again, everybody needs it, and some multifactor authentication is better than none, but the attackers are getting more sophisticated and there are now ways to steal multifactor authentication tokens. And we saw that happening against the 7,000 nonprofit staff that we were supporting last year.

Other things that we saw are specifically related to policy organizations or organizations that have staff who are adjacent to government.

They bear a unique risk and they get targeted by very sophisticated threat actors, often sponsored by foreign governments. In past years, we had seen a lot of that be limited to mostly online. An interview with somebody purporting to be a journalist asks to install a browser plug-in so that you could have a video interview or something. 

Just at the end of last year, we had a couple of different cases where the threat actors were actually making invitations to specific in-person events to purportedly meet with trade officials or some other stuff, or be a part of a conference, contribute to a book and have an in-person meeting. Through that exchange, there was a request to open up this attachment, here’s the agenda, all that kind of stuff, but those events didn’t exist. 

In one case, we had somebody show up at a restaurant for a lunch meeting. Nobody had ever heard of the person they were supposed to meet. So it’s a really interesting intersection between the virtual world that we’ve operated with for a long time for cybersecurity, and then being combined with the in-person or physical world. 

We’re still working with the FBI on some of that stuff, but we’re expanding the boundaries of what we thought was possible that organizations should plan on being critical of.

More information on new scams from Experian.

Steve Longenecker: In terms of social engineering, “don’t think that the introduction of the physical world means that it’s not a scam” is the take-home message, because actors are willing to introduce physical presence, real people, at least the possibility of them.

Google Workspace and Microsoft 365

Carolyn Woodard: Steve is going to take the lead on Google Workspace and Microsoft Office 365 and where our thinking is on that right now.

Steve Longenecker: Hearkening back to the theme of the entire webinar in terms of trends, definitely a trend of 2023 and ongoing trend that we expect in 2024, is that both Google Workspace and Microsoft 365 will continue to be the two main platforms that nonprofits use for their basic productivity suite of services, email, file storage, presence, collaboration. 

And then there’s always a stack of additional services that go along with that for calendaring to augment it and support it. Both of those platforms are solid platforms. Both of them developed new things in 2023. 

Obviously, AI is a big part of Microsoft’s push right now going into 2024, but both Google and Microsoft are making massive investments in their platforms. We expect that to continue. And for that reason, we continue to take a stance that both platforms are good. 

If I were starting from scratch, I would start with Microsoft. Partly that’s because it’s just a stack that maybe has a little bit more at the top and more at the bottom. That depends on the commitment to the stack. 

If you’re a Mac organization, then you’re already giving up one part of the Microsoft stack, which is Windows, but Microsoft has some advantages. If you use Windows, then they can integrate deeply with Windows. The Microsoft desktop suite Word, Excel, and so forth are also Microsoft products. So they can build integrations there, but both Google and Microsoft at the top of the stack have good identity protections. They both provide single sign-on options and good identity hygiene. They are both very solid, so we are not recommending either, even though we might have a preference if you started from ground zero. 

A lot of our clients have already started in Google. Probably a third of our clients at this point are Google, have their email in Google and we do not strongly urge such clients to change to Microsoft, even if on the margins, Microsoft is a richer platform. It’s probably not worth the trouble. Rarely would you switch for one little piece of functionality, because if it’s a really useful piece of functionality, it’s going to be reverse engineered by the competing platform in the next 12 to 18 months, or even sooner.

And we definitely would say Google’s not less sophisticated than Microsoft. We have some very sophisticated clients using Google. So it’s not like Google is kid stuff and Microsoft’s adult stuff. That’s not the case at all. And we do have webinars covering this topic, so I don’t want to spend too much time today. 

If you have your email and your files in one or the other, that’s great. We do have clients that are straddling because their email was in Google to start with. They decided that they like their email there, but they want to use some other parts of the Microsoft stack. Maybe they wanted to manage their Windows laptops and Microsoft 365. You can do that without it being a terrible experience.

Carolyn Woodard: You mentioned it, but we do have a couple webinars on Google Workspace and we also have one on a case study managing a hybrid system where you have some in Office and some in Google.

Steve Longenecker: It used to be that if you were at the Nonprofit or Free tier for Google, the storage limitations that were imposed at that tier were really problematic once the nonprofit got to be of any age at all. Especially for email storage, it was a very low limit. 

In the fall of 2023, Google rolled out a massive upgrade in the amount of storage available at that nonprofit tier. So now it’s been taken off the table as an issue. It’s not that it’s unlimited, but it’s such a level that if you’re a small or a medium sized nonprofit, it’s hard for me to imagine you using it all up.

More on Google Workspace Storage Updates.

Hybrid Work

Carolyn Woodard: I want to make sure that we get a chance to talk about hybrid work. We’ve kind of stabilized the tech after this mad scramble in 2020. Most of the tech is working, most of the time. Do you want to talk a little bit more about what you’re seeing at your clients?

Norwin Herrera: Yes. Organizations are understanding more the way they should work. Let’s be prepared for a moment that we need to be away from the organization. What happened with COVID and people working from home, their environment, their network, their infrastructure was not prepared for this new scenario.

Now, organizations are being more conscious about it. They’re being more mature about it, and they are understanding that there is a way to make their organization secure. That’s one of the first things that comes to a point. Is it going to be secure if we work from home, if it’s going to be remote work?

They are understanding more that this is the new way to work. It happens with the time of replacing servers, for example. Instead of replacing a server, organizations are understanding that they can go serverless.

For example, by doing some important task. Instead of having your files on a server, move your files to either Workspace or SharePoint. You’re going to have security, enforce the security in your logins to Microsoft. Are you going to enforce security on your logins into your Google Workspace? That’s one of the first things. So right now, instead of replacing servers, instead of investing $10,000 in a new server, let’s invest that $10,000 in migrating our files.

And also, it’s a good opportunity to organize your files because usually that’s the most critical thing in the organization. Usually they’re very disorganized, so it’s the right moment to do it. Start setting up the standards. 

We at Community IT have a really powerful team of people working in file migrations. We have a lot of experience and Steve is the one leading that team. I’m very confident, every time we recommend a migration. I just throw the ball to them and they deliver as expected and really well. 

We also always recommend making sure that you have policies for bringing your own device. That’s something that people keep asking. We cannot provide support for your personal devices. 

Most organizations, instead of buying desktops, now get laptops. And they set up a design that has monitors and a docking station. So they bring their laptop, put the laptop in their docking station, and they work from the office. And then as soon as you want to go and work from home, take your laptop, go back home. You’re going to use the same device, same security, that you have been using in your office. 

It’s a natural thing going on right now. Organizations are understanding the transition and this is the way to go. I will say that we have been really successfully helping our clients move from the old scenario to the new scenario. Every time we do it, they see the benefit and are happy and less concerned. There’s less worry about what people are doing. 

Since the staff is working from home, make sure that you have your security awareness training in place. You can do it with us, you can do it with anybody. Find a way to do it. Also it’s going to be a requirement now for your cyber insurance. Anytime you’re going to fill out that insurance application, they’re going to ask you if you have cybersecurity awareness training in place. So instead of starting in six months, start right now. That’s going to help because you need to train your users.

Talking about creating security access to your Google Workspace or Microsoft, basically everything is in line. Make sure that you do it right now because it’s going to help. It doesn’t hurt to train your staff, right? 

Especially in this hybrid environment, if they’re at home, they might click something because they cannot go to your office and ask, did you send me this email? Is this you, for real? You can’t do that now. So instead of doing that, learn that they are going to trick you. They’re going to get you, they’re trying to get your data from wherever you are. I think those are the most important things that I can say about the hybrid work environment.

Carolyn Woodard: It’s funny that we got this question at registration. Is any of this important for a tiny nonprofit? So I hope that from your listening today, if you are at a tiny nonprofit, that some of this has been helpful to you. 

We have a lot of resources on our website, all of our videos from older webinars with lots of information on cybersecurity training, Google Workspace, as we said, lots of different resources there. 

I want to just quickly touch on our learning objectives. I hope you’re able to go to your next party and talk about

Norwin, thank you so much for updating us on things to think about in terms of remote, in-person or hybrid work as we’re going forward. 

Next Webinar

Next month, we’re having a free workshop with a friend of Community IT, Tim Lockie, who runs an organization called The Human Stack. He is going to lead us in a workshop aimed specifically at small nonprofits, under 15 staff, who are struggling to manage their IT and maybe think that they are not able to manage IT if they’re not a techie person.

Tim’s idea is that everyone is able to manage IT. And in fact, at a small nonprofit, you have to be able to manage your IT, cybersecurity, cyber liability, all of the things that you need to have IT do to work for you.

I hope you’ll come back to that. I love how Tim approaches this around people and how your people feel about technology is fundamental to how they’re able to use it. This nonprofit digital health workshop works you through a free quiz to figure out where you’re at in terms of your management and then identifying first steps of things you can work on.

I really want to thank our speakers, Matt, Steve and Norwin, for taking the time to share with us your expertise and answer our questions.