Listen to Podcast

In part 1, Matt discussed the cybersecurity landscape for nonprofits and some of the changes that prompted this update to the Playbook. In pt 2, Matt walks through the “foundational” suggestions and takes audience questions.

Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Google, Stitcher, Pandora, and more. Or ask your smart speaker.

Is your nonprofit struggling to understand cybersecurity fundamentals?
Are you unsure what level of protection you need or can afford?

October is Cybersecurity Awareness Month! Community IT Chief Technology Officer Matt Eshleman walked through our revised Playbook on Cybersecurity Readiness for Nonprofits in a webinar designed to get your nonprofit prepped to face cyber liability insurance requirements and ever-evolving threats.

Learn the Community IT approach to cybersecurity and how even small changes will protect your organization against threats big and small.

2024 Updated Playbook on Cybersecurity Readiness for Nonprofits – Download

Matt shares updated advice on security improvements that provide protection against the most common attacks. You will learn about AI and cybersecurity, best practices in staff training, how to qualify for cyber insurance, and why you need written IT documentation and governance policies. Do you have an approach to compliance? Do you know if your staff are following your cybersecurity policies and procedures?

With the rise of automated, realistic AI tools and more sophisticated attacks that defeat identity and email verification, your nonprofit can’t afford not to prioritize cybersecurity. It may be difficult to qualify for cyber liability insurance if you can’t complete certain checklists of cybersecurity precautions. But if you don’t know where to start, it can be tempting to delay indefinitely.

This Playbook gives you a simple structure to understand how to think about cybersecurity risks and costs for your nonprofit. Matt’s presentation gives you tips you can put in place quickly and train your staff on immediately. You can download the new Playbook for free here.

This webinar is appropriate for nonprofit executives, managers, accounting, development, and nonprofit IT personnel – and as with all our webinars, it is appropriate for a varied audience.

Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.


Presenter:

Matthew Eshleman

As the Chief Technology Officer at Community IT and our resident cybersecurity expert, Matthew Eshleman is responsible for shaping Community IT’s strategy around the technology platforms used by organizations to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how technology works and interoperates both in the office and in the cloud.

Matt joined Community IT as an intern in the summer of 2000 and, after finishing his dual degrees in Computer Science and Computer Information Systems at Eastern Mennonite University, rejoined Community IT as a network administrator in January of 2001. Matt has steadily progressed at Community IT and, while working full time, received his MBA from the Carey School of Business at Johns Hopkins University.

Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference, Non-Profit Risk Management Summit and Credit Builders Alliance Symposium. He is also the session designer and trainer for TechSoup’s Digital Security course. He presents updated tips to protect your login credentials throughout the year.

Matt was excited to present this completely updated 2024 Playbook on Cybersecurity Readiness for Nonprofits.



Carolyn Woodard

Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College. She was happy to interview Matt Eshleman about this updated and revised Playbook on Cybersecurity Readiness for Nonprofits.

Transcript

Carolyn Woodard: Welcome to the Community IT webinar, celebrating the re-release of our Playbook on Cybersecurity Readiness for Nonprofits with the author, Matt Eshleman. This free download covers the essentials you need to know to get to what we call a foundational level of managing for cybersecurity. And we also cover additional levels of optimized and proactive and where those might be your most appropriate strategies.

The Playbook is easy to use, but I’m really happy that Matt’s here to help us walk through it today. I’m so happy he’s the author and cybersecurity expert, and we’re going to go into some of the updates that we made in this revised edition. 

My name is Carolyn Woodard. I’m the Outreach Director for Community IT, and I’m the moderator today. 

First, I want to go over our learning objectives. By the end of the session today, we hope that you will be able to 

Matt, would you like to introduce yourself?

Matt Eshleman: Yes. Thank you for the introduction. It’s great to be with you here today.

My name is Matt Eshleman, and I am the Chief Technology Officer at Community IT. I’ve been with Community IT for over 20 years, and I’ve gotten to work with over 1,000 nonprofit organizations during that time. 

I’m really excited to be able to talk about this Cybersecurity Playbook as a revision and a complement to our incident report which we released earlier in the year. We get some of the data, and now we get to talk about how to practically apply that today. Looking forward to our conversation so we can answer any questions that come up along the way.

Carolyn Woodard: Before we begin, if you’re not familiar with Community IT, I’ll give you a little bit about us. We are a 100 percent employee-owned managed services provider. We provide outsourced IT support. We work exclusively with non-profit organizations, and our mission is to help non-profits accomplish their missions through the effective use of technology. We are big fans of what well-managed IT can do for your non-profit, and we believe all non-profits deserve well-managed IT. We serve non-profits across the United States. We’ve been doing this for over 20 years, and we are technology experts. We are consistently given the MSP 501 recognition for being a top MSP, which is an honor we received again in 2024. 

I just want to remind everyone that for these presentations, Community IT is vendor agnostic. We only make recommendations to our clients and only based on their specific business needs. We never try to get a client into a product because we give an incentive or benefit from that. 

But we do consider ourselves a best of breed IT provider. It’s our job to know the landscape, know what tools are available, reputable, and widely used. We make recommendations on that basis for our clients based on their budget needs, their priorities, their business needs. We got a lot of good questions at registration so we’re going to try and answer as many of them as we can. But anything we can’t get to, I’ll have Matt give us some written thoughts and I’ll append that onto the transcript. 

Cybersecurity Fears

As I mentioned, we had at registration a question where you could put in your greatest fears around cybersecurity and October is cybersecurity month. So scary. I thought it was really interesting. I took those fears, and I made this word cloud out of them. You can see ransomware came up. Many people had put that in. 

Matt, did you want to talk about this visual at all though?

Matt Eshleman: Yeah, I think it’s really interesting to get that perspective on what the biggest concerns are that individuals or organizations face. And I think that ransomware term really does catch a lot of our imagination. It certainly makes the news.

And I think ransomware attacks preoccupy a big part of our brain whenever we think about cybersecurity and how do we protect ourselves. I will say, whenever we look at the data for the organizations that we support, we support about 200 nonprofit organizations, we haven’t had a ransomware incident at our clients for I think over five years now. 

I do think that there’s a difference between the big enterprise and kind of the on-prem server infrastructure that a lot of organizations still maintain that is still very vulnerable to ransomware and the distributed cloud environment that many of our non-profit customers have been moving to. We’re really getting rid of servers; many organizations are 100 percent in the cloud. And there are other risks to be sure. But ransomware, whenever we actually look at our numbers for the non-profit sector, is not kind of the most common or even a very likely threat.

So, I put together a word cloud for how I think about cybersecurity and the issues that our clients are actually facing. And the big word that you’ll see front and center is fraud. And maybe this needs to be wire fraud, tied to scammers.

But I think understanding that most of the cyber issues are really driven by cyber criminals, and that this is a financial enterprise, is helpful to keep in mind. Ransomware certainly has that end result, right? Encrypting your files, extorting people for Bitcoin or for whatever to pay to release that information. 

But what we see for small to mid-sized organizations is that the biggest issue that they face is wire fraud that is related to updating payment information, changing banking account for partners or even employees and redirecting those payments into accounts that are controlled by the hackers, not by the individuals. A lot of that is initiated because of compromised accounts that are stolen through weak MFA controls or attacker-in-the-middle.

That’s what we see a lot. And so that also informs the Playbook in terms of what we’re focusing on and some of the emphasis that we have on protections around email that you’ll see whenever we get into it. I think this graphic to me really highlights the things that you should be worried about. And that helps, I think, align and prioritize some of the protections that organizations should be investing in.

Carolyn Woodard: We have a question about a couple of the acronyms there. What is BEC?

Matt Eshleman: BEC stands for Business Email Compromise. I think that’s a term that the FBI uses. It’s an email-initiated attack. And what we see most often is a spoof message, right? It looks like it’s coming from somebody you know. It could be your executive director or the finance director, right, emailing, “hey, can you update this payment information? We had a problem.” It could also be initiated from maybe a partner organization that had one of their staff compromised, saying, “hey, we had a problem receiving that grant. Our bank had some issues. Here’s the updated information. Please apply the payment here.”

So that act of email-initiated fraud is called business email compromise.

Carolyn Woodard: And then the other question is about AITM.

Matt Eshleman: AITM is the acronym for attacker-in-the-middle. That is the method where these threat actors are able to steal what’s called your session token.

Even if you have MFA, using the Microsoft Authenticator or Google Authenticator app, the bad guys are able to use these attacker-in-the-middle frameworks to basically run your login through a system that they control and they can steal that access. Then it appears that you are authenticated and they can send emails and do that kind of thing. 

That’s what we really saw in our incident report is that a large number of accounts can get compromised even though they had MFA because of these new sophisticated frameworks that are available for hackers to buy that allow them to create these proxy systems so they can steal your authentication requests.

Carolyn Woodard: Yeah, it’s kind of a big freak out because we’ve been telling everyone for several years now, MFA will really protect you. And so of course, hackers are looking for ways to subvert your MFA. We did talk a lot about it when we did the webinar about the incident report. I did put that in the chat. It’ll be in the transcript. It’s communityit.com/nonprofit-cybersecurity-incident-report. If you’re looking for that webinar and that report. 

How many audience members have been victims of a cybersecurity attack?

I think let’s go ahead and launch this poll. We wanted to find out about you. And the poll is, has your organization had a cyber incident? There’s a lot of stigma, a lot of shame around being the victim of a scam or attack. Your organization will not be visible in your answer. We’re just trying to show how pervasive the problem is and different levels of stress you’re probably under and why you need a plan and cybersecurity controls to help prevent attacks. The answers you could choose are no, not that we know. Number two is not sure. Number three is yes, but we discovered it with time to mitigate the impact. Number four is yes, and we suffered significant impact. And number five is not applicable or other.

We’re all potential victims of an attack, I would say. So, we just wanted to see how many of you are in this webinar because you haven’t had an attack and you’re looking to prevent it. And how many of you are really interested in cybersecurity for specific reasons, because you were attacked?

Matt Eshleman: All right. Of the respondents overall, it looks like a big chunk, about 40 percent of folks said no, not that we know, right? Another 14 percent said not sure. And then we do have a pretty significant number of respondents, about 30 percent said yes, they have been a victim of a cybersecurity incident, but they were able to identify it and respond rather quickly. And then another 14 percent said yes and suffered a significant impact as a result. 

Now, we didn’t dive into that, but I assume that that could be significant financial loss, which is something we’ve certainly seen, or a big incident response, maybe cyber liability insurance was involved, and forensic response, and that all gets very expensive very quickly.

Carolyn Woodard: So stressful. I think one of the biggest outcomes to nonprofits is the stress that the whole staff goes under when you have to respond to any kind of attack like this. It just saps your energy. It’s very, very stressful. 

Well, thank you, everyone, for responding to that. Really appreciate it. Before we get to the Playbook, Matt, I wanted to ask you the bigger picture of what we are seeing in cybersecurity these days. 

Why did we update the Playbook now?

Matt Eshleman: Yeah. I think the last time we launched the Playbook was maybe back in 2021. Several years ago. And things change over time. The IT landscape is certainly very different now than it was in 2021. And we’re seeing certainly different results.

That MFA example is, I think, a good one. When we first did our incident report, if you had MFA, you were basically immune from being hacked. But now the old MFA methods haven’t really kept up.

For us, it’s really a good time to review what we’ve put in place, what has been working, and match that up with what current protections are in place for organizations as they are in a new environment. 

Cybersecurity is really a journey. It’s not a destination.

You’re never going to get to a place where you can say, all right, we’re done. We’ve put in place all the protections and we don’t really need to make any more changes. This is something that grows and evolves over time and requires ongoing attention and investment.

In terms of the cybersecurity landscape, I think this top bullet point has probably been in every presentation I’ve ever given about cybersecurity for the last 10 years, but it’s still worth saying that cybersecurity impacts every organization. Nonprofits are not too small to fly under the radar. I was actually just looking at Microsoft’s Digital Defense Report that came out. The top three sectors that are targeted by cybercriminals are IT, education, and then the nonprofit public sector. There is a need for ongoing education that just because you’re a nonprofit, you have a great mission, you have great staff, doesn’t mean that the bad guys will leave you alone. 

That leads into the second point, which is this really is a cyber-criminal enterprise. This is a business opportunity for organized criminal groups. Yes, there are the proverbial hacker kids in their parents’ basement, but what we really see are well-organized, maybe even well-funded groups that are doing this as a financial means. If they can send you a well-crafted email and get a $200 gift card to Amazon, that may be a good use of an hour of their time, or maybe they set up a well-crafted phishing campaign and are able to nab a $20,000 wire transfer. That’s a good investment of time. Cybersecurity is something every organization needs to pay attention to, and you’re targeted because you have money. That’s the short summary of that.

I think the other thing that we have seen, and this has been a trend for a while, is that cyber liability insurance is normalizing those controls. I think the good news is that the year-over-year cyber liability insurance premiums are starting to recede or not increase as much. But the number of controls that they expect to be in place is certainly getting a lot stricter.

Five years ago, you could put down whatever you want, and you could get cyber liability insurance. Now, that’s not the case. Unless you have MFA, unless you have a security awareness training program in place, unless you have third-party spam filtering, they may not write you a policy unless those things are actually in place and in use.

The note here, I don’t think you can have a presentation and not mention AI, but I think that really is changing the game, both on the defense side and attack side. There’s lots of tool investment in terms of helping to filter and cut down on the response time needed to analyze an attack. But then also, the bad guys have AI too. It’s really easy to use these AI conversational tools to write a compelling and well-crafted email that’s going to get you to click on something.

Just as you may be using AI tools to craft fundraising emails, the bad guys on the other side are crafting well-written emails to get you to click on something. A lot of things that maybe we used to rely on in terms of poorly worded messages or incorrect grammar, you can’t rely on that anymore.

Carolyn Woodard: If you haven’t downloaded the Playbook yet, I’m going to put that in the chat. You can download it here. It’s a free download, about 20 pages. We’re going to walk through part of it today, but we can’t get into all of the details that are in that Playbook. I really hope that you’ll download it and share it. You can read it online. You can share the link for people to download it themselves. Hopefully, that is helpful for all of you.

Cybersecurity Basics

This slide covers our approach to cybersecurity. Matt, do you want to talk a little bit about this graphic?

Matt Eshleman: This is a graphic that we’ve used for a while, and there have been a couple of edits. But I think in general, this holds up and is still reflective of the lens through which we view our approach, which is really rooted in policy. Having a strong policy foundation really helps to inform how and which types, or the method, that you’re going to go about implementing some technical solutions.

That policy work is important for organizations to do, just to develop common ground that they can all understand and be on the same page in terms of, how are we handling corporate devices versus BYOD devices, or how are we handling information systems? What types of data are we going to store? Establishing that security policy foundation gives you a good place to build.

The next thing on the list is really security awareness training. As the CTO, I love all the tech things. There’s lots of awesome technology tools that can be used to protect organizations. 

But I really think that investing in your people gives you probably the best return on any cybersecurity investment that you can make. 

Having your staff be engaged, knowing what to look for, knowing who to talk to if they have an issue, all of those things help to protect your organization. Because at the end of the day, we don’t want people to open up stuff they’re not supposed to, click on links that are dangerous. Get tricked into providing their credentials, or providing their credit card information to somebody that’s asking. Educating staff is really important, and something I would really focus on after that policy layer. 

Then we have lots of different technology solutions. That blue line is representative of the different control areas, so your identity and account management, the data that you have, the devices that are being used to access organizational data, your network perimeter, whatever that looks like. It could be an office firewall, but you may have 50 home internet connections that you need to think about, securing your own website and public web presence. 

Then finally, this top layer, we refer to now as compliance.

Carolyn Woodard: That is the piece of this graphic that’s changed from last time, so I’m glad we get to talk about it.

Matt Eshleman: Yeah, because I think what we see is that it started with cyber liability insurance being a real driver for organizations to make real technical changes to their organization. But we are now seeing compliance standards being implemented or demanded by funders, for organizations that maybe have government or federal contracts. Adopting some sort of formal compliance standard and being able to demonstrate that, yes, we are following the CIS controls, or we are following NIST, is that top level control that drives some of these decisions as well. 

It also could be for organizations that may not yet have those formal compliance requirements. You know, governance may also be a new term, right? How do we make decisions around what we’re investing in protecting and how we’re going about making those choices is really at the top. 

If you have that good foundation of policy, that allows you to build and make good decisions around some of the technology and process tools that you need to implement along the way.

Carolyn Woodard: I like how we were talking a little bit before about how that helps wrap this graphic and our approach together. You have those security policies as your foundation, that are the bottom layer of what you need to be able to manage your cybersecurity. But if nobody is checking them, if you’re not monitoring that those policies are being followed, and no one at your organization owns that compliance with your own policies, then it doesn’t matter that you have the policies.

If you don’t have someone checking, you are going to go in and find that you still have 20, 50 accounts for employees who have left your organization, and maybe you had a policy for offloading, offboarding those people, but you didn’t follow it. So, you didn’t ever delete those accounts, and then now you’ve got a cybersecurity liability there of risk, where people could be using those accounts to get into your system. 

I like this change that we’ve made – not just having the policies but checking up on them. 

And then we didn’t change this piece of our approach. This remains the same, but that is something in this Playbook that I think, I hope is very helpful for people using it.

Our approach recognizes the unique operating environments of small to mid-sized nonprofit organizations

I think some security firms probably are telling you, “you have to do everything, and we’ll charge you for all of it.” But we really wanted to look at appropriate approaches for nonprofits. Some of the things that we recommend are really not very expensive to do. 

We looked at those eight elements that you talked about in the last slide, Matt, and then we ran them through these three different layers. 

There’s foundational, which is what we hope everyone gets to.

Then there’s a little bit more intense, optimized.

And then at the top we have proactive, which is the most intense, the most expensive. 

And I think we do need to find a better way to show this, to illustrate this because in our view, we don’t think proactive is, quote unquote, better than foundational. So, it may be appropriate that you have a more proactive stance if you’re working in a country where you might have more cybersecurity risks. If your advocacy that you’re working on means that there are more targets on you, more targeted attacks. 

But you also might shift between these levels for some aspects and maybe beyond foundational for other aspects. You may have some tools that you’re using or some things that you’re doing where you need to have a more optimized approach.

And when you do your assessment, you’re going to see that that has a return on your investment and that you are going to make that investment in a little bit more security in those levels. 

So all this just to let you know, don’t feel like you have to get to proactive. But we do want you to get to foundational.

That’s really important. 

Doing an Assessment

Matt, could you talk a little bit about assessments? We’ve had a couple of people ask already; how do you do an assessment? Do you always need to hire someone to do that assessment for you? How do you get this information of where you’re at and where you want to get to?

Matt Eshleman: Yeah. I think it’s a good question. And before I talk a little bit about assessments, I do think this kind of idea that security is a journey, not a destination, I think means that there is some kind of logical way that you kind of proceed through these things. One of the things that always comes up in terms of a security assessment is, “do you do pen testing? I heard we need to do pen testing, that’s going to make us more secure.” (Penetration Testing is where a security firm will do an exercise to break into your IT and learn where your vulnerabilities are.)

Well, pen testing is a very expensive process to go through. And unless you’ve really invested in some of the foundational elements, you’re just going to get an assessment that exploits all of these underlying weaknesses and it’s not really going to be a good use of those dollars that you do have to invest in cybersecurity control. 

I think cybersecurity is additive, it builds on things. Having a good framework in place to help make those decisions is important. 

We do a couple of different things for assessments. We have a free assessment tool that we can use that will kind of give kind of a quick dashboard view of some of the areas for investment.

Because we have worked with nonprofits for over 20 years, we’ve developed our own assessment framework that really looks at key areas as a way to rank and identify different areas of investment for improving the overall cybersecurity protection of an organization. 

There’s lots of formal cybersecurity assessment frameworks that are out there. The resources to do them are free. The popular one that we use is the Center for Internet Security’s Version 8 Cybersecurity Controls. You can go to their website and get an account and download the 153 areas that they look at and go through and assess it yourself. Those tools are out there. The same thing with NIST. Those are the kinds of public resources that are available. 

I think the benefit and reason why people pay for an independent assessment is they’re complex. It’s really tedious to go through and I think just explaining and understanding what they’re asking and why they’re asking does provide value. 

I think the real benefit of going through an assessment (with an expert provider) is you actually have some sort of meaningful road map of recommendations to actually take once you get through the process, right? Because once you get through 153 different controls, trying to figure out where to start can be a challenge.

Carolyn Woodard: That’s a great segue into the Playbook. When you download it, we do estimate some of the costs for some of the different recommendations that we make. They are estimates. They’re kind of our best guesses, but it can really change depending on how many people you have, how many licenses you have, what risks you’re actually undergoing.

And another thing we wrestled with is whether we could estimate time for some of these projects because time is usually your biggest cost – staff time to be able to prioritize and do some of the things that you need to do to get up to that foundational level. 

We’ve talked about doing the assessment and building out your plan, but we couldn’t really make estimates of how long it’s going to take you. You need to prioritize what you’re going to need to prioritize, and then you need to look at your schedule and see, make your guess of how long it’s going to take you and how much you’re going to be able to work on it, along with all of your other priorities that you have.

Carolyn Woodard: Moving back to this slide, the foundational, and our approach, you have your policies, your security awareness, the five technical tool aspects there, and then compliance. 

Foundational Level Cybersecurity Policies for Nonprofits

Matt, would you like to talk a little bit about, for the foundational level, the types of policies and the type of security training that we would recommend?

Matt Eshleman: Sure. I think this is an area that’s changed since the 2021 version. We’re certainly investing more in the policy side of things at the foundational level now. 

I think all organizations should have an IT acceptable use policy establishing basic guidelines for the organization. I mentioned some of that earlier. 

How do you handle personal devices? A password policy, how are you handling mobile devices within the organization? How are you handling access to systems? 

All of the basic information that an organization needs to operate really is in that IT acceptable use policy.

The data privacy policy is something that we typically see organizations have maybe as part of a website. Or if they have a CRM or something, that maybe they already have that piece that talks about how you use data in the organization that you are caretakers of. Defining that and being able to communicate that to your stakeholders is important.

The new addition here is the AI acceptable use policy, for organizations that are thinking about or already are using AI, or have staff who are adopting AI tools that the organization isn’t yet aware of. That provides an area for conversation and decision making around, how are we as an organization going to interact with these AI tools that are just being included in all of our platforms, whether we wanted them or not? 

So, AI use is a new policy that’s included in this foundational tier, along with some policies that have been in place for a long time, like backups and disaster recovery. Even as systems have moved into the cloud, it’s still an important exercise to go through and understand, how is that data being protected? How can I recover it if there’s some sort of corruption or deletion, either intentional or unintentional? Just because it’s in the cloud doesn’t mean you don’t have to think about those things anymore, you need to have a system in place to deal with that. 

And then the last two here, incident response and cyber insurance. We see many organizations being intentional about purchasing cyber liability insurance because of the risk associated with a breach, and then that kind of ties into having an incident response policy as an organization, because the organization itself needs to have a clear standard on what happens, who’s going to be involved, who’s our insurance provider, how are we going to interact with our MSP. 

This is something that at Community IT, we have an incident response policy for when something happens to our client, but we are relying on the client to have their own policy that talks about how and when we are involved and how we interact with people and that kind of thing. Even if you have an outside partner that works with you on IT things, it’s important for the organization itself to define those policy responses for themselves.

Carolyn Woodard: Yeah, you don’t want to be realizing as something is unfolding that you don’t have somebody’s phone number that you need to call. Running through that scenario and just figuring out who’s on your call list is important to have ahead of time.

Matt Eshleman: Yep, and having that printed out on somebody’s desk, right? So the incident response is not located on the same system that just got encrypted or deleted. 

On the security training side there’s lots of training that organizations can kind of dip their toe in and start for free. I think we still have a free video on our website about training. There are a lot of free training resources that are out there. So just getting started is important.

And then also defining those policies and training around remote work. How safe workspaces, how do you handle shared computing, maybe at the home, right? So just talking about defining and educating staff around good practices in these areas. It doesn’t have to be expensive, but it does need to be intentional.

Cybersecurity Training Best Practices

Carolyn Woodard: We have a question about approaches and training for mid-size nonprofit organizations. So especially frequency, would you recommend an annual all-staff training on cybersecurity is enough? Or do we recommend doing maybe smaller, shorter security training throughout the year? What works?

Matt Eshleman: This is one of my favorite things to talk about because I think training is so great. We spend a lot of time investing in our training program for our clients. And I think what we found works the best is that shorter but more frequent trainings are more effective.

I think the traditional approach has been, once a year there’s a meeting or you have some online training. It takes an hour. You do it, you check it off and you kind of go on with your life.

What we like to do is quarterly trainings that are online. They have a variety of topics that are included. And so, the minimum standard would be quarterly. I like that because it keeps it shorter, more concise and you can talk about different areas that are relevant at the time. 

Alongside of the training, we like to include some test phishing. So again, you’re doing some testing, you’re providing some practical ways for your staff to kind of be engaged and click on that report button so that they have a way to interact with IT that says, “hey, this looks weird, I’m going to report this. Is this a test phishing message? Is it real? Is it fake?”

That’s a good way to make training a two-way or an interactive process, not just sitting in a conference room for an hour once a year to check the box and move on.

Foundational Cybersecurity Tools and Practices for Nonprofits

Carolyn Woodard: And so then moving up through those are our two lower levels, policies and staff awareness training. And then at the foundational level, those different tools that we recommend. Can you talk about that?

Matt Eshleman: These are all those technical controls. And I think we kind of keep packing more and more into what’s the minimum standard that we expect organizations to have.

As I mentioned before, multi-factor authentication is essential. And we are actually going through and updating our MFA guidance. We are now recommending what’s called phishing-resistant MFA, particularly for organizations that have internal IT or HR and finance contacts.

That’s to combat this attacker-in-the-middle phenomenon where they’re able to steal those authentication tokens from the app-based authentication. We’re moving to physical security keys or Windows Hello as a way to provide device-bound MFA authentication sessions. Kind of a technical term, but the idea is that we need to take some additional steps to secure our identities.

And that’s really at the root of a lot of this. Same thing with using a password manager. If you’re just getting started, use a password manager so that you’re not reusing the same password over and over again or creating some pattern of passwords.

I literally know, I don’t know, three passwords. I know the password of my computer, password manager, and my encryption key. That’s it. We want new unique passwords for all the systems that we’re using at a basic level is the approach to take.

Carolyn Woodard: I have to jump in and just say that all of this is in the Playbook. And also, we have a lot of resources on our website for many of these tools that are on this list for those five different areas that you’d want to make sure that you’re taking steps in all of those areas.

The five areas of identity, data, devices, perimeter, and web. And for each of those, we do have some subtitles, sub headers. Under identity, MFA, and password manager, under data, we have backups.

Under devices, you’d want to have OS or third-party updates and antivirus. Under perimeter, you want to invest in spam filtering, test phishing messages, business email compromise prevention, and DMARC and DKIM. And under web, you want to make sure you’re investing in a secure website platform and that you’re securing your website domains.

All of this advice can be found in the Cybersecurity Readiness Playbook, which is available as a free download on our site, communityit.com.

But just in the interest of time, I don’t know that we’re going to be able to go through all of them. So, I just recommend that you check them out on our website. We have podcasts about, for example, the DMARC DKIM, which you may not know what that acronym is. Listen to the podcast, you will learn all about it. It’s about email verification, that the email is coming from where it says that it’s coming from. 

Foundational Cybersecurity Compliance Best Practices for Nonprofits

I wanted to just be able to move on to the compliance issue as well, Matt. At this level, at the foundational level, there aren’t really tools that you can implement that will make sure you’re compliant with all of the things you need to be compliant with. So, can you talk a little bit about what we recommend, how you should approach it?

Matt Eshleman: Yeah, I think that’s right. I think at the foundational level, if you haven’t done so already, it’s just really important to invest in leadership and identify at the organization who owns IT security or who’s accountable for that happening. 

Again, you don’t have to be an IT person yourself, but our perspective is that the organization itself needs to own that responsibility.

It’s not something you can outsource even to a great provider like Community IT. We can do a lot, but we can’t own the security decisions at your organization. From that leadership role at the organization, then you can make the decisions around where to go and how to do planning and make some of those prioritization choices at your organization.

Carolyn Woodard: Like that great question about how often you should do training. That’s something that ideally whoever owns cybersecurity at your organization and maybe a committee, or stakeholders, or a leadership team would sit down and prioritize. How are we going to do training and how often are we going to do it?

A Foundational Level Cybersecurity Roadmap for Nonprofits

To do that, we recommend that you create an IT roadmap. Now we have another webinar that’s exclusively on creating an IT roadmap for all of your IT at your nonprofit. But you can do that for your cybersecurity strategy specifically.

Once you’ve gone through an assessment, whether you do it yourself or you get an outsourced provider or a consultant to do it for you, and you have this list of the things where you are, and the things you need to work on to get up to where you need to be, to be safer, you can create a document out of that. We have a little example here. You can see that it lays out the urgency, the complexity, the impact, how many people at your organization is this going to touch.

If you’re requiring everyone to use MFA, then that’s going to hit everyone at your organization, and you have to be prepared for that to be a bigger project to roll that out. There may be some cybersecurity projects that only relate to a certain database that you have. And so just the people who work with that database are going to need to have that training, so it might have a lower impact. 

But then you would make a roadmap like this. You would add a timeline to it. You could add the people responsible for it. And I really love having a roadmap like this because it helps you report back on your progress. Sometimes working on IT and especially cybersecurity can feel like you’re swimming in place. There’s always something new coming in. There’s always something you have to change. We’re just talking about the MFA, how that now has some extra things that you can do to make it more secure.

Sometimes it can be hard to feel like you’re making progress. Having a checklist or timeline can help your leaders and your team feel like you’re accomplishing something. 

You can look back and say, “well, we started at this level of cybersecurity, and we have through our work and the time that we spent on it, we’ve gotten up to this level, this foundational level, and that can help us also respond when there are new threats to address.” We have a whole other webinar on this, the Designing an IT Roadmap.

Financial Fraud and Cybersecurity at Nonprofits

But I wanted to make sure that we have some time, Matt, for you to talk about the types of attacks that have changed, and that have helped change our recommendation, especially around financial fraud, as you were saying.

Matt Eshleman: Yeah, coming back to those earlier slides, that’s the big word in my mind, in terms of thinking about how we protect our clients from these financial fraud attacks, because phishing is more dangerous. They’re very well-crafted messages that are coming from obfuscated sources, or because of the attacker-in-the-middle frameworks, coming from actual trusted partners that you work with. It’s not uncommon for clients to get a malicious link that’s sent from a trusted partner to a SharePoint or OneDrive file that is managed by the hacker and is used to launch those attacks.

We see increasing danger and effectiveness of those phishing campaigns. The other note that we’ve seen here is that, particularly for policy organizations, and I think that is really a special case. Those are very well crafted.

We had a couple of cases this past year where the attack thread seems to be targeted to, “hey, we want to have this meeting” or “we’re going to invite you to this conference,” or “we need your input into this policy document,” or “hey, let’s come to this hotel for this meeting. Here’s the agenda.” We actually had people or clients show up at a restaurant or hotel expecting a meeting with the foreign minister’s attaché and nobody’s there. It’s just James Bond level intrigue, but these threat actors are using it all under the guise of trying to be a trusted partner and get you to open up a document.

Carolyn Woodard: Get you to click on something. Yes. 

We did have a question earlier about the optimized and proactive levels. I would say, we talked a little bit before, doing your risk assessment is your first step. Both the risk assessment of what you think are your biggest risks, but also where you’re at now, what policies and practices do you have in place. 

Foundational, Optimized, Proactive

Matt, would you talk a little bit more about this idea of optimized and then proactive?

Matt Eshleman: Yeah. I think at the Foundational level we have this layer of things that we just know we need to do regardless.

Then I think as you move up or you have those baseline controls in place, then the questions become around what other areas may need protection, or maybe we need to extend protections or provide a more sophisticated solution in place because of the risk that we face. Those different control areas. 

Then you start getting into more formal compliance standards, and a lot of the solutions that we talk about in the guide really do map to some of those formal compliance standards. Figuring out which ones to invest in, how to go about doing that, is really the work in those more optimized and proactive perspectives so that you can get to a place probably in the proactive area where you’re meeting those formal compliance standards. You have a good place to document, and to demonstrate, and to provide feedback to executive leadership and write the whole thing works to report and secure itself when you get to that more sophisticated tier.

Carolyn Woodard: They might also be if you’ve suffered a hack, because then some of your information is out there. We do know that organizations are more likely to be attacked again if they’ve already been attacked before. So that might also inform how much you’re going to put into your cybersecurity.

But I want to let you have a chance to talk a little bit about our cybersecurity offerings. And I’m going to put the link in the chat now. It’s communityit.com/cybersecurity.

And that’s also where people would talk to you, Matt, and schedule an assessment.

Matt Eshleman: I love talking to folks about this topic and identifying, I think, areas to start. 

Because we’re practitioners at Community IT, the assessment piece is really interesting because it allows us to get to providing meaningful protections to organizations. And so those different resources that we have are really aligned around, okay, let’s identify what we have, but let’s now be able to act on that.

We don’t just make a pretty report, but we have a list of steps that we can take that are providing improvements, right? I think at the back of my mind, I’m always thinking, well, how can I reduce the calls or help desk about security incidents? I respond to them, it’s not that much fun.

And so if I can not have to respond to them because we can get some of these proactive solutions in place, then I think that’s a benefit to everyone.

Carolyn Woodard: And here is the exact link that you would use to schedule some time with Matt. 

Cybersecurity Risks When Changing Vendors

I am going to go ahead and ask one of the questions that we got at registration, which I just thought was so interesting. So, this was how to transition from one vendor to another without causing disruption or bad feelings. And I don’t know. I mean, I don’t know that that’s a huge cybersecurity risk in itself, but definitely when you cause bad feelings with a vendor, with staff, that gives something extra that you have to think about. 

Do you have advice on changing vendors? (Besides using our Nonprofit Guide to Vetting an MSP?)

Matt Eshleman: Yeah, I mean, we do it all the time. I think we exemplify what we would like to have in the partners that we’re transitioning with. And I think having clear documentation, identifying the systems that are in place, the tools that are in place, the accounts, can be lacking. I think that’s one of the things that we often find is that when we inherit a client from somebody else, there will be leftover admin accounts or other things embedded in the systems that weren’t necessarily disclosed.

And so that is a security issue, right? And working with an MSP, right? That you’re providing a lot of access to those partners.

Whenever you transition, it’s important to make sure that you really go through a thorough clean out process to make sure that anything that a previous provider had access to is taken care of.

Make sure that the new provider is using new, strong, unique passwords for all those systems. Open communication, I think, is really important. And good documentation. It’s always the answer.

Carolyn Woodard: Yeah, that would be my advice too. I know sometimes it might be tempting to just say, we’re changing providers and it’s going to happen next week. But I don’t think that’s a great option in this case. You really want to have some time for that handoff to happen. 

Accounting Tools and Systems and Cybersecurity

There’s a great question in the Q&A, which is, are there stronger or weaker cloud-based accounting systems? Systems like QuickBooks, Bill.com, Expensify, and or donor systems as well.

For those databases and tools where you’re tracking your donors and your accounting, are there any specific ones that are stronger or are there cybersecurity practices that you would emplace no matter what tool you’re using?

Matt Eshleman: Yeah. I’m not an expert in accounting packages. I’ll just start off saying that.

I do think there are several standards or certifications you can look for. An SOC 2 compliance audit is a good one to look at, and you can get copies of that from these big commercial and reputable vendors. 

But I also would say that no platform itself is just inherently secure or more secure.

You could use a very secure platform like Microsoft 365, very insecurely. So as long as you’re not picking some kind of like a fly-by-night, very under-resourced provider that’s just cobbling things together, you should be relatively secure. I think at this point, good commercial solutions can generally be trusted, but it’s important to also have good security controls in place so that you don’t make everybody an admin in the system.

You want to make sure that people can only see what they need to do for their job. You want to make sure people aren’t putting social security numbers in unencrypted systems and that kind of thing. So again, any system can be used insecurely, and it’s important to have a deliberate approach to implementing those tools.

Carolyn Woodard: That makes sense. 

Backups and Cybersecurity for Nonprofits

We have another question about backups. If you have moved into cloud storage, do you need a local backup, like a local on-premises backup system? What do you recommend in that case?

Matt Eshleman: For cloud file sharing solutions like Box or Dropbox or Google Drive, or even SharePoint, we find that there are cloud-to-cloud backup solutions that are good to have in place, and you don’t need to have that on-prem. 

I will say it’s expensive, and I would say this is one thing where the big cloud providers are typically providing some nonprofit discounts for their service because they can subsidize it, whereas maybe the backup service providers don’t do that same level of discounting. 

But I do think it’s important to have data in a separate and disconnected system in the event that that primary data is compromised or corrupted or something.

And so, making sure you have data somewhere else is still a good approach, right? We talked about it at the beginning, right? Just because your data is not in the server down the hall, doesn’t mean you don’t really need to think about backups anymore.

It may make it easier. There might be more versioning and there’s other stuff. But if you didn’t have access to that folder in the box, what is the process (to recover it)?

Can you get back a file from a month ago or three months ago or a year ago? If you need to be able to do that, and if you’re not able to do that within the native platform, then look for a backup solution that will allow you to meet those organizational requirements.

Carolyn Woodard: Thank you so much. I just want to go back over our learning objectives. We hope that today you learned the basic approach to cybersecurity that we have, the foundational level we recommend.

Once you read the Playbook, it will become clearer, I think. We didn’t have a chance to get really into the optimized and proactive options, but those are in the Playbook. I hope that you were able to take away some first steps and best practices in managing cybersecurity at your nonprofit.

The big takeaway I hope that you get is that you need to start. You need to pay attention to it. It can seem really overwhelming and really make you anxious, because people are out there trying to get you and get you to click on something.

But really, you can start at yourself, download the Playbook, that’s a really good start. Then just get in touch with us if you have more questions about that sort of thing. 

I want to make sure to tell you next month we’re doing something really different, which is talking about de-stressing and self-care in nonprofit IT roles.

There’s a lot of research out there on how important it is to us to stay healthy, mentally and physically, and how de-stressing is a big part of that. I think I can speak for many of us when I say having a nonprofit IT role can be extremely stressful. You have a lot of demands, you have a lot of budget constraints, you have demands from both sides, both from your leadership and from the staff that are trying to use the tools.

Cybersecurity, anxieties. We’re going to talk about things that you can do specifically while you’re in this role to help yourself stay healthy so that you can be doing this role and helping your nonprofit achieve your mission. I hope you can join us for that.

I just want to thank you, Matt, for your time today.

Thank you everyone who joined us for this webinar. Your time is a gift. Thank you for giving it to us for this hour.

I hope this was helpful to you. Matt, thank you so much for sharing your expertise with us and helping us get smarter about cybersecurity.

Matt Eshleman: Great. Thank you. It was a real pleasure.
