To download:

IT Security Incident Response for Nonprofits

You get a frantic call from a staff member – your nonprofit organization has been hacked. Now what? What do you do first? What should your IT security incident response be?

Join Community IT Innovators CTO Matt Eshleman and President and CEO Johan Hammerstrom for a worst-case scenario walk through. They discuss several possible breaches – email, Office 365, servers, etc. Matt shares his experience responding to credential hacks and other situations, and presents a checklist you should include in your security policies.

Forewarned is forearmed, and if you haven’t been hacked yet, it never hurts to know what you would do. Participants who had experienced a hack were invited to share experience with us, and what they wish they’d done differently in their response to more quickly get their organization back on their feet.

We have several webinars and resources on creating your security policy and training your staff available here. This webinar is specific to planning your response in the event you experience a breach.

You can view a video and download the 2020 Nonprofit Cybersecurity Incident Report here.


photo of Johan Hammerstrom

President and CEO Johan Hammerstrom has always been interested in using technology as a force for good that can improve our world.  In college, he pursued this interest through science, first studying Chemistry, Physics and Biology at Stanford University, graduating with Honors with a BS in Chemistry.  He then studied Biophysics at Johns Hopkins University and received a Masters Degree.

The time spent in Baltimore convinced Johan that there were more pressing and immediate problems that technology could and should be used to address. He pursued a career in Information Technology, with the express goal of improving our communities and our world.  He started at Community IT in 1999 as a Network Administrator.  Since that time, Johan has been a Network Engineer, a Team Lead, the Director of Services, Vice President of Services, Chief Operating Officer, and beginning July 2015 President and CEO. Working directly with over 200 nonprofit organizations, to help them plan around and use technology to accomplish their missions, has been one of the most positive and rewarding experiences of his life.

photo of Matt Eshleman

As the Chief Technology Officer at Community IT, Matthew Eshleman is responsible for  shaping Community IT’s strategy in assessing and recommending technology solutions to clients. With a deep background in network infrastructure technology he fundamentally understands how technology works and interoperates both in the office and in the cloud.
Matt joined Community IT as an intern in the summer of 2000 and after finishing his dual degrees in Computer Science and Computer Information Systems at Eastern Mennonite University he rejoined Community IT as a network administrator in January of 2001. Matt has steadily progressed up at Community IT and while working full time received his MBA from the Carey School of Business at Johns Hopkins University.

Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference and Non-Profit Risk Management Summit. He lives in Baltimore MD with his wife, daughter and son.


  1. Incident Response Webinar Series October 2018
  2. About Community IT Advancing mission through the effective use of technology. 100% Employee Owned
  3. Presenter Matthew Eshleman CTO
  4. Agenda What’s a breach? Security Background Compliance Incident Response Checklist
  5. So, what’s a breach?
  6. This Photo by Unknown Author is licensed under CC BY-SA
  7. A security incident is the act of violating an explicit or implied security policy according to NIST Special Publication 800-61. Of course, this definition relies on the existence of a security policy that, while generally understood, varies among organizations. Security incidents include but are not limited to: • attempts (either failed or successful) to gain unauthorized access to a system or its data • unwanted disruption or denial of service • the unauthorized use of a system for the processing or storage of data • changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent
  8. Security Incident Unauthorized Access Service Disruption Unauthorized Usage Hidden Changes
  9. A security incident involves the unauthorized or unexpected access or use of an organization’s IT systems.
  10. Breach Examples • Compromised user account • Malware on a computer • Ransomware on a file system • Forwarding email or files outside of the organization • Unauthorized access to a database • Manipulating / defacing a website
  11. Security Environment • Data breach can almost be assumed • Higher expectation of privacy & security from stakeholders • Increasing compliance requirements • GDPR • HIPAA • PCI
  12. Security Background
  13. Security Focus Cycle INCIDENT SecurityFocus Make the pain go away! Can we avoid it again? Return to status quo
  14. Security Focus Cycle INCIDENT SecurityFocus Make the pain go away! Can we avoid it again? Return to status quo
  15. Written & Updated Policies Predictive Intelligence Security Training & Awareness Passwords Antivirus Backups Patching Encryption Good Security PracticesSecurity Readiness
  16. Building Security Readiness Policy Training Tools Encryption, AI
  17. Often overlooked… Written & Updated Policies
  18. Why the need for an Incident Response Policy? Provides for a systematic response, so that the appropriate actions are taken. Moves away from knee-jerk reactions to deliberate response.
  19. Incident Response Policy • Define stakeholders • Classify your risk • Identify response steps • Understand reporting requirements • Incorporate lessons learned
  20. Incident Response • Stakeholders (at Community IT) • Client Communication • Technical Lead • Stakeholders (Your Organization) • Primary Contact • Legal Counsel • Business System Owner • Board • Compliance Officer
  21. Incident Response • Risk • Risk to operations / productivity • Risk to privacy • Compliance
  22. • Response • Notify the client • Stop the infection • Remediate the infection • Understand infection vector • Exhaustively investigate related systems and accounts Incident Response
  23. Incident Response • Reporting • Driven by organization compliance and policies • Potentially handled by legal counsel
  24. Incident Response • Incorporate Lessons Learned • Update systems inventory • Implement MFA policy • Edit incident response policy
  25. Action Steps Talk Talk to your IT partners Understand Understand compliance requirements Review Review incident response templates
  26. Resources • Thycotic Template: tools/free-privileged-account-incident- response-policy-template/ • SANS: resources/policies • NIST: cations/NIST.SP.800-61r2.pdf • Digital Security Training –
  27. Upcoming Webinar Selecting Nonprofit Software: Technology Comes Last