Nonprofit Tech Trends and Tips Leaders Need to Know
Are you afraid to think about what IT your nonprofit needs?
Do you know how to budget for IT?
Do you know about cybersecurity?
Serverless offices and remote work?
Do you have any idea where to start?
Community IT CEO Johan Hammerstrom and CTO Matt Eshleman presented a new webinar hosted by Nonprofit Hub on these tips and trends.
The nonprofit community has been going full speed and above and beyond over the past 2 years. In the midst of enormous changes and upheaval, we hope this webinar on using technology to deliver for your constituents will put your organization in a good place to grow and thrive. Join two Community IT Innovators executives for one of their most popular webinars as they take a deep dive into nonprofit tech trends.
You’ll hear about:
- How to budget for IT at your nonprofit
- Nonprofit technology trends expected to deliver new impact in coming years
- Emerging threats, prevention, and how to do staff cybersecurity training
- How outsourced computing is transforming offices, from supporting productivity and remote work, to providing stability and lowering costs.
Cybersecurity concerns, change management, and moving to cloud platforms are all long term and persistent trends. Remote work specifically has put new pressure on cloud solutions to deliver – is your team utilizing all the tools that you have? Do you have all the tools that you need?
This presentation is appropriate for an audience of varied IT and security experience.
Community IT Innovators is pleased to partner with Nonprofit Hub to present this webinar on top trends nonprofit leaders need to know about.
Community IT and Nonprofit Hub are proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.
Presenters: Nonprofit Tech Trends
Johan Hammerstrom’s focus and expertise are in nonprofit IT leadership, governance practices, and nonprofit IT strategy. In addition to deep experience supporting hundreds of nonprofit clients for over 20 years, Johan has a technical background as a computer engineer and a strong servant-leadership style as the head of an employee-owned small service business. After advising and strategizing with nonprofit clients over the years, he has gained a wealth of insight into the budget and decision-making culture at nonprofits – a culture that enables creative IT management but can place constraints on strategies and implementation.
As CEO, Johan provides high-level direction and leadership in client partnerships. He also guides Community IT’s relationship to its Board and ESOP employee-owners. Johan is also instrumental in building a Community IT value of giving back to the sector by sharing resources and knowledge through free website materials, monthly webinars, and external speaking engagements.
Johan graduated with Honors and a BS in Chemistry from Stanford University and received a master’s degree in Biophysics from Johns Hopkins University.
Johan enjoys talking with webinar attendees about all aspects of nonprofit technology. He loves answering questions on nonprofit tech trends leaders need to know about.
As the Chief Technology Officer at Community IT, Matthew Eshleman leads the team responsible for strategic planning, research, and implementation of the technology platforms used by nonprofit organization clients to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how nonprofit tech works and interoperates both in the office and in the cloud. With extensive experience serving nonprofits, Matt also understands nonprofit culture and constraints, and has a history of implementing cost-effective and secure solutions at the enterprise level.
Matt has over 22 years of expertise in cybersecurity, IT support, team leadership, software selection and research, and client support. Matt is a frequent speaker on cybersecurity topics for nonprofits and has presented at NTEN events, the Inside NGO conference, Nonprofit Risk Management Summit and Credit Builders Alliance Symposium, LGBT MAP Finance Conference, and Tech Forward Conference. He is also the session designer and trainer for TechSoup’s Digital Security course, and our resident Cybersecurity expert.
Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.
Cara Godlesky: Good morning, everybody. Welcome to today’s webinar, Nonprofit Tech Trends and Leaders Need To Know about.
My name is Cara Godlesky and I am the Marketing and Events Coordinator here at Nonprofit Hub. And I’m so glad you all could join us for another great webinar.
I want to give a quick shout out to today’s sponsor, Community IT. We’re so lucky to have them joining us today. They offer IT support services for nonprofits who want to outsource some of their IT support. They help nonprofits plan, implement, and maintain dependable technology. They can take care of your IT system, so you can accomplish your mission. So shout out to them and thank you.
So with that being said, I will introduce our presenters for today. We have Matt and Johan with us and we’re so excited to have them here. Matt is the Chief Technology Advisor at Community IT. He has quite a background in technology. He has very extensive knowledge on Computer Science, Computer Information Systems. So he’s going to be a great guy for us today.
And Johan, he’s always been interested in using technology as a force for good and how to improve the world. So that really fits into the nonprofit mission and how those kinds of things really can coincide, how you can use tech for good.
So we’re so excited to have them join us today and dive into these Tech Trends that we need to know about. So without further ado, I’ll let you all take it away.
Carolyn: Great. Thank you so much, Cara.
Thank you so much everyone for joining us for this Ask The Experts Panel on Top 10 Technology Trends and Tips that Nonprofits Need to Know, especially nonprofit leadership. We’re so excited that you’re here. If you’re not familiar with our webinars, we’re going to discuss
- technology that nonprofit executives, staff members, board members need to know, and
- we’ll talk about it while defining the terminology and the lingo.
- So you’ll be able to go back and talk to your IT director or IT providers about these tools and strategies and trends that we are expecting to continue to influence nonprofit technology.
If you’re running your own nonprofit, maybe a startup,
- we’re going to talk also about tools you can use right now and
- just ways to think about the interaction of technology with your nonprofit mission.
The learning objectives for today are that after this session, you’d be able to
- describe 10 major nonprofit trends and tips,
- learn the terminology and definitions that are common,
- understand the role of executives and staff in managing IT outcomes and strategic planning, even if you are not the IT person, and
- know where to go for some additional resources on nonprofit tech.
As Cara mentioned, we’re going to be sending out an email after this with some links. And we have a website that you can go to, where we have a lot of free resources as well. I want to make sure everyone knows that Community IT is vendor agnostic. This presentation we’re going to be discussing some specific tools but we wouldn’t make recommendations except to our clients when we know what their business needs are, that are more specific.
But we want to share with you some basic things that are out there. And yes, as Cara said, we encourage you to submit your questions and comments through the chat feature, but we probably won’t be able to get to everything. You can always contact us afterward to follow up.
So Johan, would you like to introduce yourself?
Johan Hammerstrom: Yes. Good morning, everybody. Thank you so much for joining us today. It’s a real pleasure to speak with you all. My name is Johan Hammerstrom. I’m the CEO at Community IT. I’ve been with Community IT for almost 23 years. So it’s been so long that when I first started doing IT support, the internet was something you accessed over a telephone line and software was something you installed from a CD or a floppy disk.
I’ve seen a lot of changes in the world of technology in my career. And this is a particularly exciting time for nonprofits as they use technology to accomplish their mission. That’s something that we’re really passionate about at Community IT and something that we’re really looking forward to talking with you all about today.
Matthew Eshleman: Great. Welcome. My name is Matthew Eshleman. I’m a Chief Technology Officer at Community IT. I’ve been with the organization full time, a little over 20 years.
In my role as CTO, I’m really responsible for driving our technology strategy and tools that we use to manage about 6,000 endpoints across our 170 nonprofit clients, and also work to develop our cybersecurity strategy and implementation. So looking forward to talking about how some of those things are carried out today and looking forward to the conversation and any questions that we get as we go along.
Carolyn: Great. Thanks, Matt. My name is Carolyn and I’m the Marketing and Outreach Director for Community IT. I’m happy to help with this presentation and help our experts.
Before we begin, if you’re not familiar with Community IT, a little bit more about us. We are a 100% employee owned, managed services provider. We provide outsourced IT support. We work exclusively with nonprofits and our mission is to help nonprofits accomplish your missions through the effective use of technology. We serve nonprofits across the United States. And we have been doing this for over 20 years. We are technology experts and we are consistently given the MSP 501 recognition for being a top MSP, which is an honor we received again in 2022.
We have a lot of free resources on our website, including videos, articles, and free downloads. We have a weekly podcast on technology topics for nonprofits, and we really just think the more nonprofits learn about nonprofit IT, the better you can accomplish your mission.
All right. So we’re going to go to the agenda, which looks like a lot, but don’t worry. It’s a lot to take in, but you’re in the right place.
We’re going to break it down for you and talk about what you need to know to match up your business needs with your tech needs at any stage of growth of your nonprofit.
So if you have an IT department, an IT director, if you have outsourced IT, as a nonprofit leader, you still need to know some of these basic concepts and be thoughtful about your IT strategy. And that’s going to give your organization an advantage and maybe even keep you from some financial problems, if you have a cyberware attack, that sort of thing.
We’re going to divide our talk today up into four sections.
Johan is going to start us out with a quick overview of basics around budgeting for IT, which I think is something we all need to jump into and know how to think about as an opportunity, strategic decisions, and also just ways to understand the costs.
Then we’re going to talk a little bit about long-term trends you can expect over the next few years.
And then Matt is here, our CTO, to talk about cybersecurity insurance and how to protect your nonprofit.
And then to wrap it up, Johan and Matt are going to touch on some changes to office operations that we’ve seen since the start of the pandemic. And we really do expect to continue to grow in importance.
It’s a big agenda with a lot to cover, and we’re going to be sharing resources at the end.
To begin, Johan is going to talk about budgeting and we have a little poll to get things going.
Johan Hammerstrom: Yeah. Go ahead and respond to the poll with the option that best describes your situation, a couple different scenarios here.
Whoever’s in charge of your finances,
- CFO, director of finance, just takes last year’s amount spent and increases it slightly or keeps it the same.
- Or do you have option two, a leadership team that meets with different departments in your organization to talk about the overall strategy and roadmap for IT and develop a budget from that strategy.
- Do you not have a budget and just replace things when they break or fix things when they break, that’s number three.
- Number four, do you outsource your IT, and aren’t sure how the money’s being spent and are just sort of going from invoice to invoice or
- Number five, do you not know? You’re not sure.
So about two thirds of the audience has responded, three quarters. This is great. Thank you all for taking the time to respond to the poll. And right now, I think you can all see the results, but the majority of you have answered, about a third of respondents have answered number five, not sure, not applicable, and of the remaining two thirds, only about 15% have an intentionally planned and designed budget.
So we’ll talk about the importance of the budget and we’re going to provide you with some guidance on things that you can do to develop your IT budget.
It’s an important and necessary part of using technology effectively and ensuring that IT is meeting the overall needs of the organization and helping your nonprofit organization in accomplishing its mission.
And the nature of the budgeting process is really going to vary based on the size and complexity of your organization.
Very large organizations with hundreds of staff, multiple departments, sort of sophisticated financial management systems in place are going to have a more complicated and formalized budgeting process.
Smaller organizations, maybe your organization only has 10 to 20 staff are going to have a much less complicated budgeting process. But regardless of the complexity and scope of your budgeting, these are some steps that you see here on the slide that we feel are useful in all scenarios.
These four steps are something that you can go through and adapt to your organization’s specific budgeting process.
And the first step is really the preparation. And that’s something that, if you’ve already been building an IT budget each year, you may have already been doing these steps without necessarily realizing it. If you haven’t put an IT budget together before, then these are some of the things that you can do to get all the information that you need to put together an accurate budget.
The first step, preparation, start with an assessment.
Understand what it is that you have as an organization, pull together an inventory of all of your equipment, particularly your laptops, your workstations that your staff are using. You want to inventory all the different information systems that you’re using. Do you use Microsoft 365 to communicate? Do you use Google Workspace email for communication? Are you using Slack for chatting? Do you use Zoom for your meetings? Do you use Teams? Just list all of that out, so that you understand the specific IT systems that are being used by the organization.
Different ways that you can get that information, you can send a survey out to your staff. You can just ask people, if you’re a small enough organization, what is it that they’re using? But getting that comprehensive list together in advance is really helpful.
You do want to look at your previous IT spend, that’s not always a great guide as to what you should be spending in future years but it can also help you with assessing your existing IT infrastructure.
And then finally, you want to look at your overall business plan.
So your organization’s plan, what is the organization going to do over the coming year; one to three years really. Does the organization have plans for growth? Is it going to be expanding into new markets, new regions? Is it going to be adding new programs? Is there a large grant that you’re going after that you have a good sense that you’re going to get that will allow you to do additional program work?
All of those things are going to be important to incorporate into the budget for the coming year.
So once you’ve
- assessed your existing systems,
- once you’ve looked at what you’ve been spending in the past,
- and once you’ve factored in the impact of the organization’s strategic plans for the coming year, then you can put together a draft budget.
We’ll talk on the next slide about a framework for thinking about different budget categories in your draft.
Once you’ve drafted the budget, then you have to go through a prioritization process.
And that’s where you take what you’d like to do for the organization in terms of IT. And then balance that with what the organization is capable of. We all know, nonprofits have resource constraints and they can’t always invest in all of the technology that they would like to. So, prioritizing is a pretty critical part of the budgeting process.
And then once that budget is completed and approved by the senior leadership, and in some cases by the nonprofit board, then that budget can be used to develop a plan where you outline when the spending is going to happen, and that can help you with developing an IT roadmap, which is really useful for ensuring that your IT systems are set up and implemented in a way that benefits everybody and helps the organization.
So let’s talk a little bit about IT budget categories. I like to think of IT budget categories in these four different buckets. You can take the assessment that you did, the inventory that you put together and then categorize the different aspects of your IT into these different categories.
The first is personnel and that’s really, who’s providing the IT support for the organization. For larger organizations, you may have an in-house IT team and their payroll costs would fit into that category. For smaller organizations, you may be outsourcing your IT to a third party provider, and those costs would go under personnel as well. It’s essentially the cost of the staff that are required to keep IT running.
The second category is hardware costs, which these days, especially with a lot of organizations working remotely, are generally workstation and laptop costs. If organizations are maintaining an office or thinking about going back into their office, it could include things like wireless access points, printers, copiers, audio visual systems. Those are the sorts of things that fall into hardware.
Software. These days, software is almost entirely in the cloud. There are some software applications that organizations still use that are installed locally, but there are licensing costs associated with those. So if you’re using the Office desktop suite, there’s a licensing cost associated with that, that you would want to make sure you’re including in your budget. If you’re using cloud based infrastructure such as Azure, if you’re a larger organization, you would want to put that in this category as well.
There’s been a sort of overlap between categories three and four as more and more software moves into the cloud and really becomes software as a service. But we think it’s helpful to continue to categorize those expenditures as software expenditures.
And then finally there’s services. And these are things like your internet service at your office. If your organization is providing stipends to staff to help cover some of the cost of their home internet, if they’re working from home. Their cell phone costs, if they’re using their cell phone for business, that would fall into this category, as well as other types of services costs.
So in terms of prioritizing, this is a very simple, straightforward way of thinking about how to prioritize your IT expenditures. The concept is sort of like Maslow’s hierarchy of needs, where you have to fulfill the needs at the bottom of the pyramid first before you’re in a place where you can fulfill the needs higher up the pyramid.
And at the base is the hardware. If the hardware for your staff isn’t working, if the laptops are old and out of date, if you’re not providing laptops for your staff, it’s going to be very hard for them to do their work. So we recommend prioritizing the hardware refresh first and foremost in the budget.
It’s important to maintain your existing licenses. So that is also something that needs to be prioritized once you’ve spent on refreshing the hardware.
Once you’ve addressed your existing IT spending needs, then you can start to look at spending on new initiatives, new IT solutions, new software as a service, and new security initiatives. This is the basic approach that we take to prioritizing IT spend.
So that’s just a real quick overview of budgeting. We actually have a webinar on our website that spends a whole hour talking about budgeting, so you can find out more information there. And of course, we’re available and happy to answer any questions at the end of today’s webinar, if you have more specific questions about IT budgeting.
Carolyn: Great. Thank you, Johan. I know it’s hard to compact it but you did a great job covering the ideas of how to do a budget and include IT in it, which is a good segue into long-term trends that we can expect over the next few years.
These are the types of trends that should guide some of your budget decision making. How much are you going to be in the cloud? How much are people going to be working remotely? Those types of decisions for your long-term plan.
I want to mention here that if you have an IT director or a CIO or a CTO, then you may already be making a roadmap of your technology needs and strategizing those needs in your budgeting process. Community IT provides this service to our clients through an IT business manager, which is a fairly senior position that acts as a manager, basically.
They can act as an IT director for our clients helping match those IT needs to your budget and your strategy.
We also can help on the help desk, if you’re seeing like a bunch of a similar type of problem come in, maybe it’s around hardware, then that’s something our IT business manager can help our clients work on – strategizing those budgets, so that we are addressing issues that are coming up again and again. So it’s just a way to help our clients be forward looking and take a lot of this stuff into account when you’re working on your budget and working on your IT.
So now Johan and Matt are going to briefly review a couple of the areas where we’ve seen changes and where we’re going to continue to see these trends.
Matthew Eshleman: The big trend that we’ve seen over the past two years with the response to the COVID pandemic is around remote work. I think that was a big transition that a lot of organizations had to scramble for to prepare. As we kind of come out of the COVID work remote model, we’re seeing many organizations adopt a hybrid approach.
Not everyone is going back into the office. Even organizations that have established return to work programs are having challenges with adoption. I think we certainly see it with our organizations. The ones that have established the return to work, it’s relatively limited. A lot of the knowledge worker positions have preferred to be at home, preferring to work remotely.
We’ve seen organizations make that transition and adopt a virtual organization model, which carries with it a little bit of a different IT mindset than having an office with a physical space with all the resources that go into it.
If you’re an organization that’s in that transition period, we’ve also seen that there’s a lot of challenges in getting the office space ready for that return to work as staff have been remote over the past two plus years. A lot of the things that were working or were set up and configured when people left now need to be refreshed or updated in order to support staff as they come back into the office.
We are fortunate in that a lot of our tools are cloud centric and cloud enabled. Especially as organizations become more distributed, making sure that the support systems are in place to support the staff wherever they happen to be, whether physically in an office location or at their home, or back and forth is an element that needs to be considered and making sure that your IT policies and procedures are in place to support that.
Policies tend to be the last thing on everybody’s list, but they are a critical resource when helping to define just what the expectations are, what resources are going to be provided to staff and what the expectations are around the use of personal technology or organizational technology as well.
And I think finally, the transition into a remote workforce has introduced some unique cybersecurity concerns as well.
In the days before, whenever you came to the office, behind a firewall, everything was relatively straightforward and there wasn’t a lot of migration of resources. Now the network perimeter is much more expansive. And so now, instead of just considering, is the firewall at the office up to date? Do we have good practices and security procedures in place at our physical office location?
The network security boundary is everybody in their home and their home office. And so, are all of those firewalls up to date? Is there adequate internet? Is there adequate support? How are we ensuring the security devices that we can’t really see or get our hands on? So it does require a change in mindset and the use of tooling to make sure that you can support organizations regardless of the location.
Johan Hammerstrom: We’ve been big fans of the cloud over the last 10 years and really moving information into the cloud. Having email hosted by Microsoft rather than in your server closet at your office has been a huge improvement with regards to reliability and functionality.
The challenges and opportunities really emerging with this shift to hosting information in the cloud is a combination of things. For one thing, there’s a question of integrating the data.
You may be using Microsoft for email communication. You may be using Slack for chatting both internally and with external partners, and you may be using Salesforce to manage your fundraising database or provide for your case management system. You’ve got information on all of these different cloud hosted systems.
How do you connect them with one another? How do you integrate them so that the information can be put to better use? This is a big challenge that we’re seeing and we’re starting to see more and more of, but it also creates an opportunity. Organizations that are able to integrate data across different systems are able to use it more effectively and report on it, combine it into reporting that can be delivered to funders and to the organization’s board.
There’s a lot of potential in getting a hold of data integration and being intentional about it.
One of the other nice things about these new systems is the degree to which they can create automated workflows and the degree to which they can reinforce and support business processes.
You can set up and encode the process in the system, so the process is basically being followed by everyone in the organization. That’s a new feature that a lot of these systems are providing that organizations can use.
The last two bullets on this slide are really interrelated. One of the challenges of having all of these cloud based systems is you’ve got logins for all these different systems. You’ve got one login for Google, you’ve got another login for Slack, another one for Zoom, another one for Salesforce or Raiser’s Edge. That’s a security risk because now you’re maintaining multiple passwords for all of these different systems, but it’s also a major inconvenience for staff.
So single sign on is something that’s provided by Microsoft, by Google, by third party providers, such as Okta. And it can really help in providing a single interface for accessing all of these different systems. That’s a real trend. That’s something we’ve seen a lot of organizations implementing. It creates greater security protections. It helps with provisioning and it also creates an easier, more efficient way of logging into systems for the staff of an organization.
One of the other things that we’ve also noticed with our clients is the increased need for IT policies and procedures. I think this is a reflection of the increasing importance of IT in the work that organizations do.
Having a good acceptable use policy that’s part of the employee handbook that’s provided to staff on their first day and that’s reinforced with staff over time is really important in helping protect the organization from things like staff using organization devices for personal work or perhaps, using organization systems for storing personal information. Having a good acceptable use policy is really important.
As Matt talked about earlier, more organizations are working remotely, allowing or requiring their staff to work remotely. Having a good remote work policy is really important. Specifying in a policy what constitutes a productive home and work environment is something that you want to state clearly for your staff.
If you’re going to allow staff to use their mobile devices to access work information, you also want to make sure that those policies are clear and that you’ve implemented the technology in a way that supports those policies.
It’s important to have a data protection policy, having it clearly stated in writing that staff are not permitted to share information outside of the organization. It’s very easy to do that these days, easier than it’s ever been. And a lot of organizations just don’t have that as a stated policy, so that if there ever are issues, they can’t go back and say, well, we clearly stated that this is something that employees are not allowed to do. That’s just one example of a host of items that would be included on a data protection policy.
Application management policy. Who is responsible for creating and managing user accounts in the different applications? That’s a security issue; it’s a governance issue. And it’s something that organizations should think about. If you’re not sure where to start with some of these things, you can work with the outsourced IT support provider. Really good support providers are already thinking about these issues. They’re not just fixing your IT solutions. They’re helping you develop a holistic approach to managing IT, which is what all of these policies and procedures are really aimed at.
Finally, we recommend that organizations have a disaster recovery plan, an incident response plan and an IT support and training policy and these are things that also would inform the budget. How much are you going to invest in a disaster recovery system? How much are you going to invest in cybersecurity? How much are you going to invest in providing IT support and training to your staff? These are all things that would get defined by the senior leadership of the organization, potentially in conjunction with the board. Once defined, they basically represent what the organization is committing to and then that can be used to inform budget and investment.
Matthew Eshleman: I wanted to piggyback a little bit on the disaster recovery plan and incident response. With so many resources moving out to the cloud, I think there’s been some sense of it’s out of sight, out of mind. The cloud provider must be taking care of it. And developing that disaster recovery plan is a really good exercise to help test some of those assumptions.
What happens if your data gets corrupted in your cloud database? Are you able to recover it? How are you able to recover it? To what degree is that cloud vendor providing backups? How far back do they go? And then run those as different scenarios to say, can we recover a corrupted file? Can we recover a thousand corrupted files, can we recover 50,000 corrupted records? What does that process look like? Make sure that that expectation is set clearly and communicated well across the organization.
So, what’s old is new again, the deliberate care that you would take if that database or that file system was on premises, still needs to be applied, even if the organization has moved a lot of those resources into the cloud and has all this great integration and workflow. Still make sure that those systems are tested and not just assumed.
Carolyn: I think that’s a great point, Matt. We have seen some of our clients where that exercise of getting a committee together and creating that disaster response plan for their IT, helps them organize their thinking around it and their strategy toward it and how much they’re going to budget for it.
Also having that list of phone numbers, who do you call first? And then who do you call next? That needs to be something that you can’t respond to if you’re not prepared for it.
We’re going to actually turn it over to Matt, to talk a little bit more about fraud, cyber insurance, your nonprofit and basic cyber security.
We have a poll. Matt, do you want to read what the options are?
Matthew Eshleman: Yeah, Community IT, as has been mentioned before, we run managed services for about 6,000 nonprofit staff; we categorize all of those security incidents that we see into an incident report.
These are some of the types of incidents that we respond to.
- So we see the instance of a compromised account; that’s where somebody’s user login to Google or to Microsoft or to Salesforce may be accessed by someone other than the intended user.
- We see organizations suffer wire fraud or some other financial loss, due to gift card buying.
- We see some organizations being targeted with what are known as advanced persistent threat actors. So those would be nation or state sponsored actors that are really interested in getting in and understanding what an organization is doing, who the staff are interacting with.
- We still see some organizations experiencing option four, ransomware or other malicious software.
And if you’ve experienced something else, then you can go ahead and drop that into the chat.
What we’ve seen is that over time, the number of cyber incidents that we’re responding to is only increasing. That’s backed up by some of the data we see from the FBI as well as other industry sources. This is a topic that is not getting better, unfortunately, but requires more care and attention.
Carolyn: So about 25% had a compromised account. So somebody got access to one of your email accounts.
We didn’t have anyone responding about wire fraud, which is interesting. We just did a whole webinar last spring on wire fraud and how to protect yourself.
Option three, advanced persistent threat or spying. Got a couple of answers to that, a couple of ransomware attacks.
I think you’re going to talk a little bit about how to prevent that, and then some other dropping in the chat for the malware supply chain attack, other IT incident or not having had an incident.
Matthew Eshleman: This is some survey data that came out, I think from NTEN, but many organizations don’t know or don’t have those policies in place that we talked about.
I think at the time of the survey about 74% of organizations had not implemented multifactor authentication, which is an absolutely critical security control. If you are an Office 365 customer, Microsoft is going to force MFA by the end of September. So they’re going to turn that on as an enabled security default. So if you’ve not implemented MFA already, that will be coming. Salesforce did that earlier this year as organizations really react to these compromised accounts and MFA is a great way to protect against that.
We know many organizations are using unsecured wireless and Bluetooth devices.
Again, I think in the rush to provide remote work resources and not have firmly established policies, a lot of this has just been getting people productive and getting to work.
Now, I think there’s an acknowledgement that we need to provide better security controls and more effective protections for staff regardless of their work location. And then tying that back to the openness that many nonprofit organizations have, anybody can access their data from anywhere and from any device.
I think there’s a growing acknowledgement specifically as we have a lot of staff turnover and transitions. If that remote staff person synced your organization’s Dropbox to their personal laptop and now they’re gone, what risk does that present to the organization? I think taking a clear view and doing some risk analysis on what is important to your organization or what could represent a security risk to your organization is a critical exercise.
Speaking of trends, there is a real change in the landscape around cyber liability insurance. Many organizations are getting this type of coverage. But what we’ve seen in the last year is that there’s been a pretty dramatic increase in the cyber liability underwriting requirements in terms of the controls that you need to have in place as an organization. Also, the cost has really gone up dramatically.
We did a webinar earlier this month where we worked with an insurance broker who talked about the increase in prices. They were seeing renewal rates, sometimes double, on average about 155% increase in cyber liability insurance coverage. So the costs are increasing and the requirements are becoming more stringent as well.
They’re looking for multifactor authentication on all cloud systems, anything that you can access remotely, the bad guys can too, so make sure that that is protected.
The underwriters are looking for formal evidence of all of the policies that we talked about earlier.
They are looking for backups in disconnected systems. Again, the bad guys can get in. If they’re hacking into your systems, they’re pretty sophisticated and they will target backup systems first. So if those backup systems are accessible on the same network, you’re using the same credentials as your production system, then that can be targeted as well.
We’re also seeing, I think this is a positive movement, an increase in security awareness training. I love all the tech tools that are available for organizations to purchase for spam filtering and device protection. But fundamentally, the most important thing organizations can do is train and educate their staff. Most attacks are delivered through email and the bad guys are trying to trick people into taking some action: to click on a link, to enter their password, to provide that next step of access for the adversary who will then go in and try to buy those gift cards or open up a new bank account. Understanding the financial risk that organizations face and helping connect the dots, so that staff feel comfortable and knowledgeable whenever they can evaluate the emails that they receive is a great step to take.
As we talk about data in the cloud, this is a question that we get quite a lot: Which platform is more secure? Or, I’m in the cloud; I’m secure, aren’t I? But it’s important to understand or acknowledge that any secure platform can be used insecurely.
If you are in an organization that has HIPAA compliance for example, you can go with all the big cloud providers. They will provide you compliance documents that they use and that their facilities observe. But if you are in an organization and you give everybody admin rights to all the data in the organization, that’s an example of insecure use of what could be a secure platform.
So again, any platform can be used securely and any platform can be used insecurely as well. I think it’s important to have that regular training as we talked about before, to make sure that staff are aware and engaged and know what to do and feel comfortable talking to IT, as opposed to feeling bad and trying to kind of cover up their tracks if they did click on something or if they did have some negative event happen.
And then, as we talked about, those passwords and the MFA requirement is absolutely critical to make sure that every system that you are accessing has a new unique password. What we can see from the data is that once one username and password is compromised, then the adversaries will go and try that login on every other system that your organization may be using. So making sure that your accounts are unique and you’re not reusing passwords is an important step to take.
As we wrap up some of the cybersecurity initiatives, I think I’ll just leave you with the three bullet points here as the trends that need to be in place at your organization:
- Developing and implementing effective IT policies.
- Making sure that your staff are trained and engaged.
- And making sure that you’ve got multifactor authentication enabled on any and all cloud accounts that you can access remotely.
These are really the foundational steps that will make a meaningful difference in improving the cybersecurity at your organization.
Carolyn: Matt, we had a quick question in the chat about if you haven’t received security training at your organization, usually it really does come from the organization, it’s not something that you can do on your own; but do you have any advice for who they should talk to? Is that usually something you would ask at HR or your manager, or what would you advise?
Matthew Eshleman: I would say typically we’re seeing cybersecurity training come from the IT department. But I do know that many HR systems are now building it in or including that as one of the options that is included with the online package and it’s included as part of staff onboarding process in terms of the policies and procedures of the organization. I would say, probably IT first and if they’re not engaged, then HR would be the second place to go to look.
Free Cybersecurity Resources
Carolyn: And we have some resources that we put here and I’ve also been dropping a few in the chat as well as some resources on our site. We have a lot of free downloads. There’s a couple of other resources here, but I want to make sure that we have enough time to get to questions at the end.
I want to give you guys a chance to move on to some of these ongoing changes that we’re seeing in operations and that we expect to be part of the landscape for a while going forward. So if you want to talk a little bit more about those?
Johan Hammerstrom: Yeah. And in the interest of time, I’m going to go very quickly through these remaining slides. Each one could probably be its own hour long webinar. And in some cases it is, and you could check that out on our website. So I’ll just talk briefly about each one of these. If there’s any additional questions you have about any of them, we’d be happy to get into it in more detail during the Q&A time.
One of the big questions that organizations have is whether or not they should go with Google Workspace or Microsoft 365.
They’re both excellent systems. Some are a better fit for some organizations. Some are a better fit for other organizations. And in some cases, organizations benefit from using both. So it’s not an all or nothing question. And it’s something that we’d be happy to help organizations think through in more detail.
Similarly, organizations have a question of whether they should go with Windows or Macs or both; both is an option. It does cost a little bit more to manage multiple systems, but there are good business reasons for doing that.
If you go with Windows, there’s a great new technology from Microsoft called Microsoft Autopilot, which allows you to order your equipment from the manufacturer, whether it’s Dell or Lenovo or a similar manufacturer, and have it automatically assigned to your organization.
And if you have everything configured properly in Microsoft Intune, then that brand new laptop can be shipped directly to your staff and it’ll automatically configure itself out of the box. So that saves a lot of time with provisioning and we’ve had a lot of success with Microsoft Autopilot.
Apple Business Manager, Apple has a similar program with Apple Business Manager, where you can link any Macs that you order, or iOS devices, or iPad devices with your organization. And then if you’re using a mobile device management solution, you can also have that equipment automatically provisioned for your staff out of the box. So this is a great utility for organizations that are using a lot of Apple products, something that’s definitely worth exploring in more detail.
Matthew Eshleman: Yeah. And I would just add, the idea is not either/or. You don’t have to use Office 365 or Google, you don’t have to use Mac or Windows. You can use both. And I think that’s part of the trend that we’re seeing with a lot of nonprofit organizations is that they’re finding the best tools for their organization to use and integration as opposed to being really strict about the silos that they’re putting folks in. And it’s good to know that there are effective technology management platforms for both Windows and now for macOS as well.
We take a best of breed approach. You can’t use tools that were designed to support Windows to support Macs. You may need to have some additional technology tools in place to support that, but you can certainly have Macs in your enterprise organization if folks want them, if they’re more productive using that platform.
Johan Hammerstrom: Many organizations are going officeless, but if you still have an office, most organizations that do are going serverless.
No matter what your size is, you probably don’t need that server anymore. And it makes sense to look into migrating away from the server. That’s a real trend that we’ve noticed. One of the few things that servers were still needed for was managing printers. Organizations would print through a print server. There are now ways to do printer management through a cloud interface. We use a solution called PrinterLogic, which can be deployed directly to the laptop. It makes things a lot easier. You no longer need a server and it will automatically add and remove printers based on which office you’re in. So that’s a really cool solution. And we’re definitely seeing the entire IT environment go serverless.
Finally, a quick word that obviously we’re all aware of supply chain challenges, it’s impacted all kinds of industries, including IT.
We’re actually entering a strange new era. There was a chip shortage you’re probably aware of. Now, it seems like we’re entering a chip glut; prices have really been dropping on things like GPUs. There’s word that laptops are starting to pile up in warehouses. It doesn’t mean that the things are easier to order though, because supply chain isn’t just about chip manufacturing. It’s the result of all kinds of impacts on what is a vast, very complicated and large global network around manufacturing and shipping.
So our advice is to plan as early as you can, place the order as early as you can and prepare to be flexible. We’ve had situations where we’ve ordered equipment and it’s taken months to arrive. We’ve had situations where we’ve ordered equipment, we’re told it would take six months and then it showed up the following month and then we had to scramble to deploy the equipment. So it’s not that there’s a supply chain shortage, it’s that there’s supply chain uncertainty. And it just requires a lot of flexibility and agility to work around.
Carolyn: Johan, when we talked earlier about the budgeting, if you know what your hardware needs are for a year out, two years out, then you can order as soon as possible; hoping that you’ll have them when you need them, which is something to be mindful about. We had another question come in on the chat,
Cheryl asked, do you need a server for an external database?
Matthew Eshleman: The short answer is, no. Many popular databases, Raiser’s Edge is a good example, very traditional client server database; used to be in your office on that server. They now have and had for a while, a cloud hosted version of that same system. So, you can do all the things you would expect to do, directly in the cloud. There may be a need to have some additional data reporting capabilities, but running a physical server, that’s not something that we see many organizations still doing. They’re either using the software as a service provided by the vendor, or then supplementing that with some other cloud systems.
Johan Hammerstrom: One of the things we found is that the costs of buying a server, storing it, paying for the power, the internet, ongoing maintenance of the server, over five years those costs can get up into the $10,000-$15,000-$20,000 range.
For the same price or less, you can just purchase a virtually hosted server with Amazon or Azure, and not deal with all the physical headaches that go along with it, and in some cases save money. So we’ve found that moving everything to the cloud has made the most sense in most cases.
Carolyn: That also reflects what we’re seeing of people working from many different locations, like in a hybrid office, maybe in an office, maybe in a shared space, a sublet office. If people are downsizing, or working from a coffee shop, or working from home, they’re able to have that access.
There used to be a whole bunch of different hoops you had to jump through to be able to get into a server. Matt, you talked about multifactor authentication and making sure those logins are secure, but if you have a secure login and you can work in the cloud, then you really can work from anywhere, which we are seeing a lot of.
So the people have more questions. If you have more stuff that you need to say, you have all of our contact information here.
Cara Godlesky: Yes, that is correct. We will have a follow up email with the recording and everything. So that’ll be all taken care of for the attendees.
We do have one more question that did come in from Liya, she asked can you share a sample of an IT policy document?
Carolyn: I can take that. Hold on. I’ll have to grab the link, but I will share that in the chat.
Cara Godlesky: Okay, awesome. Yeah, we have about two more questions. Oh, we have another question coming in.
Margo asked a question: do you have a good resource for forming a very small shop of IT options that can help with productivity? We don’t even know what’s out there that might help us, for example, integrating CRM platforms with other software applications, or helping with managing social media.
Well, for social media, you can use something like we use, Loomly, in our organization. There’s a lot of platforms out there that you can use for CRM, I guess. Do you all have any examples or anything to share on that?
Johan Hammerstrom: Yeah. One resource that you may already be familiar with, but that we really like a lot and I’ll send it out in the chat is TechSoup. They offer courses. They have a lot of free online material and their mission basically is to help nonprofits of all sizes, but particularly small nonprofit organizations, with their technology capacity.
That’s a good resource for an organization of your size, that’s very small. You might be able to find a volunteer who could provide you with some advice. An independent consultant tends to make the most sense for really small organizations just getting started, getting their feet on the ground, when it comes to IT.
Cara Godlesky: Awesome. Thank you for sharing that. Cheryl, asking another question too.
She asked, we have a database that we can log in from anywhere, but we were told to buy a new server to fix the issues we’re experiencing with it. Do you have any suggestions on cloud-based databases where client worker interactions can be recorded?
Matthew Eshleman: I wouldn’t just do what you’re doing now and move that system either to a brand new server or a hosted database in the cloud.
But I would really look at what your organization’s requirements are and is there a software as a service application that can meet your requirements? Particularly on that auditing and logging and reporting side, unless you have a lot of really sophisticated tools, it’s hard to do that with a database that you have on a server in your office.
Cloud databases like Salesforce, or Dynamics are really built with a lot of that auditing and reporting built right in, and then you don’t have to take all of those additional steps. And so that can be a much more affordable way to get a high quality and sophisticated database platform.
Carolyn: I just wanted to jump in, I put another resource in the chat on how to hire an outsourced IT provider and some good questions to ask. So that might be helpful to you if you’re contemplating a big project, or if you’re being told by your current provider, you need to do this big project, if you want to have some ideas of how to get a second opinion.
Johan Hammerstrom: I just saw a question from Lucinda. I appreciate it, because it’s an excellent question.
Lucinda asked, do you have any recommendations for non-techie people to evaluate proposals about technical issues or even candidates for tech type positions?
And I think this is something we feel very strongly about at Community IT, that anyone who’s delivering IT as a service has to be able to explain it in terms that the average business manager, nonprofit manager, or leader can understand.
So if you’re getting a proposal from someone and you don’t understand it, go back to them and ask them to explain it to you, and if they can’t, then you probably don’t want to work with them.
Cara Godlesky: Awesome. I think that’s all that we have time for right now. You can see everybody’s emails here on this slide. There’ll be a follow up email going out too, so feel free to reply to that email if you have any additional questions as well.
Thank you all again so much for this awesome presentation and great information. So thank you all so much and we hope to see you again on next Webinar Wednesday, take care.