Matt Eshleman & Sarah Wolfe: Cybersecurity 101
Our #22NTC coverage picks back up with a summary of the tech threat landscape, key policies and procedures to have in place, and how to make the case for devoting resources to IT protection. Our guests are Matt Eshleman and Sarah Wolfe, both from Community IT Innovators.
Listen to the podcast
Podcast: Play in new window | Download
Get Nonprofit Radio insider alerts!I love our sponsors!
Turn Two Communications: PR and content for nonprofits. Your story is our mission.
Fourth Dimension Technologies: IT Infra In a Box. The Affordable Tech Solution for Nonprofits.
We’re the #1 Podcast for Nonprofits, With 13,000+ Weekly Listeners
Board relations. Fundraising. Volunteer management. Prospect research. Legal compliance. Accounting. Finance. Investments. Donor relations. Public relations. Marketing. Technology. Social media.
Every nonprofit struggles with these issues. Big nonprofits hire experts. The other 95% listen to Tony Martignetti Nonprofit Radio. Trusted experts and leading thinkers join me each week to tackle the tough issues. If you have big dreams but a small budget, you have a home at Tony Martignetti Nonprofit Radio.
View Full Transcript
Transcript for 601_tony_martignetti_nonprofit_radio_20220725.mp3
manager [00:02:16.64] spk_0:
Also at Community I. T. Innovators. Matt serra. Welcome to non profit radio [00:02:23.14] spk_1:
Thanks. tony It’s good to be here. [00:02:25.34] spk_2:
Thank you. Glad [00:02:42.84] spk_0:
to have you. Pleasure to have both of you. Um Your session topic is defending against Bogart’s and boogie men understanding and pitching cybersecurity for the accidental techie sarah. Why don’t you get us started? Let’s define accidental techie. I think we have a lot of them listening but they may not know it. [00:03:13.44] spk_2:
Yeah so accidental techies are the people at an organization that are not necessarily somebody who’s been trained in I. T. But is relatively tech savvy and so they end up being the ones who help their coworkers with tech issues or are the ones that end up wearing the I. T. Support hat even though they might necessarily have they haven’t necessarily gone through professional training for it? [00:03:32.14] spk_0:
Okay. Right so they know enough that they know more than others but they’re not they’re not professionally trained in technology. Okay and and matt why are why are Bogart’s and boogie men your your description says an accidental techies biggest nightmare what’s lurking there? [00:03:38.23] spk_1:
Well I think yeah [00:03:51.34] spk_0:
I don’t even know. Yeah I’m not even an accidental techie. Okay there’s the first problem you like you’re suffering a lackluster host obviously. Okay. Alright [00:04:28.24] spk_1:
so they I think the takes the form of kind of your your biggest fear and so yeah whenever it appears it it shows up as as what you’re most afraid of um you know and I think for for folks that are supporting nonprofit organizations. Yeah there is this fear of of kind of what could be lurking out there, What kind of threats could impact your organization. Uh and for many folks, especially the accidental techies, they don’t have that background training and experience in terms of how to protect their organization. And so that’s why we wanted to to have that session to help provide some tools and equipment so that people that, you know, have that responsibility, but maybe not the training can pick up a few, a few tips. [00:04:40.74] spk_0:
Okay. Why don’t you, why don’t you start us off? What would uh what would you like folks to know about that? They don’t know well enough, but they ought to. [00:05:30.74] spk_1:
I mean, I think the biggest thing for for folks to understand is just I think the importance of what’s called multi factor authentication. So M. F. A. It’s often referred to uh it’s something that, you know, which is your password and then something that you have and for most folks that would be an app on their smartphone. Um and what this gives is an extra layer of protection, you know, we all know people’s passwords get compromised and and kind of stolen all the time. But if you can add that extra layer of, you know, an app on your phone to protect that login, then you’re much much less likely to have your account compromised. And kind of, what we see is that most compromises then, you know, will then lead to other things that you know have significant damage in terms of, you know, emailing, you know, all of the contacts in your organization’s database, uh sending out malicious links, you know, sending out updated payment information so that can kind of lead to a lot of other bad things. And so if we can protect that account with M. F. A. Then the organization becomes a lot more secure. [00:05:46.54] spk_0:
Okay. And you’d like to see this mandatory? Not opt in [00:06:16.74] spk_1:
that is exactly right. You know, Microsoft and the other big Um you know, tech providers are starting to enforce that now as a as a requirement, but if you’ve been in office 365 or if you’ve been in Google apps for a long time, uh it’s not required and it’s something that organizations need to take a couple of steps in order to set it up and roll all their staff provide training uh just to make sure that it’s set up and working correctly. [00:06:27.54] spk_0:
Okay. So we should be doing it, we should be opting in where it’s optional and we should make make it mandatory if we’re the we’re wearing the hat of the uh the accidental techie, [00:06:32.04] spk_1:
yep. Exactly. Right. [00:06:37.94] spk_0:
All right. All right. Sarah, what else, what else can you share for? Are these folks [00:08:13.14] spk_2:
I think for the next biggest thing uh is, you know, making sure that your staff, you know, are actually aware of the different security risks and things like that? Having a security awareness training program is one of the best ways to make sure that even if something, you can have all of the fancy tools in the world, every single like filter and everything, something’s going to slip through. And if you have staff that know what to look for and know not to click on something or not to go on that website or not to, you know, enter their information in various different places. Them having the knowledge is going to be one of the biggest returns on investment in terms of security, antivirus. Uh, we only, we had so few um, issues with antivirus last year, out of the 696 security incidents that we were dealing with, Only seven of them were viruses and only 45 of them were malware. And so it’s much more important for staff to be able to identify what’s a spam email, what, spearfishing. How can I tell if I’m looking at an email from somebody else whose account has been compromised and having the training to make them aware of. That is definitely worth the investment. And there are great tools out there, like, no before that, you know, are really easy to use. [00:08:31.84] spk_0:
Okay. And so, uh, no, first of all, it was no before like K N O W K N O W before. Okay, I didn’t know about this, but I figured out no. Before. All right. But that’s not that’s not really saying much but any case. Um So is that a security training? Like is that online security training that folks can get it? No before or like how is this accidental techie gonna push this and and offer the training in their in their non profit [00:10:02.94] spk_2:
That’s great. Yeah. So uh that’s a learning management software and that’s specifically for cybersecurity behaviors and tools. The way that you’re going to pitch this for your organization is to first gather your data, get your plan of attack. And a lot of times you know that involves one Looking for friends in the company to support you to getting data and you know trying to make sure that if you are able to um like find partners either within the organization or maybe even reach out to your board governance committee, um those people are going to be able to you know, help leverage some of the existing requirements that you have, if an organization needs to apply for cyber liability insurance a lot of times multifactor authentication is going to be one of the requirements. A staff security training is going to be one of the requirements. And so being able to leverage those and then putting it putting your plea into terms that people understand if your E. D. Is looking at, you know, what is the comparing the cost of of security, education software versus you know, financial compromise. Like there is a definite argument to be made there [00:11:03.94] spk_0:
it’s time for a break. Turn to communications, media relations and thought leadership. Peter pan a pinto, a turn to partner was on last week. He’s a former journalist at the Chronicle of philanthropy. His partner scott is also a former journalist so they know what to do and what not to do to build relationships with journalists. Those relationships are going to get, you heard turn to communications, your story is their mission turn hyphen two dot C. O. Now back to cybersecurity 101 you mentioned cyber liability insurance. Is that is that something else? We should be flagging for these for these poor accidental turkeys. [00:11:08.54] spk_2:
The [00:11:08.75] spk_0:
beleaguered, beleaguered, accidental techies. [00:12:16.64] spk_1:
Yeah. I think we’re seeing more and more organizations go through a cyber liability insurance kind of renewal process. Typically that’s something that’s handled by the, you know, the finance department of the organization. What we’re seeing is that, you know, for cyber liability insurance or even for financial audits, they’re becoming a lot more technical. And so it’s likely that if you’ve got any any tech aptitude at all, then you’re being enlisted to help fill out these applications to provide the detailed information that’s being requested. And so yeah, we’re seeing a lot more sophistication being, you know kind of demanded by these insurance companies in terms of, you know understanding which controls are in place because we’re seeing even cases where if you have not turned on multi factor authentication for all your your systems you won’t even be eligible for coverage. Uh and so it’s pretty dramatic that you know organizations are now being, you know, it’s a good idea to protect the organization, you know, for these cyber security controls. But there’s this also this extra layer of requirement from you know, insurance carriers now to say hey like you have to have this so we’re not gonna provide you insurance. [00:12:40.94] spk_0:
Okay, okay. Sarah, let’s go back to you. I’d ask you about cyber liability insurance and then matt usurped unceremoniously uh usurped your your your your platform. So let’s go back to you what else, what else can you contribute for these for these folks? [00:13:53.94] spk_2:
Yeah. So with with cyber liability insurance it’s something that oftentimes is getting you know much more of a top down decision making process. Somebody will have, you know, these things like the ransomware and and wire fraud and issues like that have been, we have bubbled up more inter in like the public awareness and so there’s a lot of top down pressure for these things to get adopted and you know there one of the things that they’re also going to ask for is you know, what are your plans? Do you have an acceptable use policy for your I. T. Do you have a plan for when something does go wrong, you know what do people know what to do, who to reach out to, what steps to take? You know because you know you you hope for the best to plan for the worst. And there are a lot of really good resources out there for developing these sorts of acceptable use policies for for creating incident response plans and you know you can um really it can get overwhelming sometimes the number of you know different resources that are available and what to use and what not to use. So you know partnering with somebody who does know you know a little bit more about cybersecurity or is providing that knowledge to the community. Um [00:14:43.94] spk_0:
Let me guess that that that’s the work of community I. T. Innovators. Am I going out on a limb taking a taking a stab in the dark? Yes. Okay well we’ll get I’ll give you a chance for this for the shout out. Alright explanation. But I’m gonna ask you first what are what are some resources for folks? I mean I’m you got me feeling bad now for these people because we’re like we’re enhancing their to do list but this isn’t even their job that they’re paid for. But yeah we’re talking about looking into insurance and having policies and now now now they are now realizing they are beleaguered because it’s not even their job, they’re just got foisted on them because they know more than all the baby boomers in the [00:14:53.77] spk_1:
office. [00:14:56.64] spk_2:
Sometimes it is baby boomers who are accidental techies. [00:14:59.85] spk_0:
All right. It’s probably not too often. Thank you for that, but probably not not too often. All right. But so what are some resources that folks can can rely on? You said there’s there are many, where can we look? [00:15:14.44] spk_2:
So I’m going to start with the the self interest pitch first. Uh community I. T. Has a great um library of publicly available resources on our website and our Youtube channel um that are really great for digging into these kinds of things. Um A great [00:15:30.38] spk_0:
places website. The website [00:16:00.74] spk_2:
is uh community I. T. Dot com. Um and the one of the other places that I know that matt has as our cybersecurity expert has a lot of people start is with the cybersecurity framework by nest the um and that website have a link to it. It’s N I S T dot gov two slash cybersecurity framework. [00:16:03.65] spk_0:
Okay. And I S T dot gov slash cybersecurity framework. So N I S. T. Obviously is a government agency, National Institute [00:16:11.61] spk_1:
of Standards [00:16:12.97] spk_2:
and Technology [00:16:24.44] spk_0:
Technology. Thank you. So. Okay. Um Alright, so there’s a couple of resources um including community I. T. Innovators. Anything else you’d like to share with that folks can rely on? [00:16:47.44] spk_1:
I’d say that there’s no shortage of resources out there. Techsoup is also a great resource. So in addition to the donations that I think we’re all familiar with Techsoup also has a courses and training and so they have some free resources that I would encourage folks to check out there. Um, so I think, yeah, there’s, there’s no shortage of resources that are out there to help people learn. I think, you know, the big, the big challenges is really putting it into action. [00:17:16.24] spk_0:
What about a little uh, can we give some uh, psychological support to these beleaguered folks? Now? I’m telling you, you have me feeling very badly for them? Um, what we’ll get back to the to the bog arts and boogie men, I promise. But but uh, let’s let’s take a little digression to how we can support these folks other than recommending things for them to be aware of just like how can how can we support them otherwise. [00:17:25.34] spk_2:
So I think that, you know, I’m trying not to turn this into a pitch for joint for having an MSP come in and like do you own this stuff for you? Because [00:17:33.45] spk_0:
what’s an MSP [00:17:34.70] spk_2:
MSP is a managed service provider. [00:17:38.13] spk_0:
Thank you. That’s what you are [00:17:40.09] spk_2:
support, we have [00:17:41.20] spk_0:
drug in jail on non profit radio So yeah, but I, I saved you from from any any lengthy sentence. Okay, a managed service provider. Okay, [00:18:35.14] spk_2:
so that is that is one of the ways you know that you can get support. The other thing is you know, really leaning on the rest of the community Text suit is a great place to look for resources and you know, the entire community is a place to ask questions. Um There are also you know on linkedin and facebook and places like that. There are communities that you can reach out to for wanting to event looking for ideas, looking for recommendations. Those are all um possibilities. I uh definitely enjoy seeing how many you know how ready people are when people post on the N 10 forums like I need help with this and like there are definitely people jumping on, [00:19:12.74] spk_0:
it’s an enormously supportive community. Yeah I I fear that even though I say it a lot because amy sample Ward is on the show very often. She’s our technology contributor. Um and so she’s often saying it to that intent is not only for technologists but I I still think people have that misconception. Um It can be for folks who are not even you know not even responsible for technology in their office but they’re just using it. You know you’re just using it in your non profit and In 2022 like who is not using technology? I don’t think we’re running everything by index cards even if you’re on an excel spreadsheet, you’re still using technology. So. [00:19:22.64] spk_2:
Yeah. [00:22:28.84] spk_0:
Yeah. Well that yeah and line printers now you’re talking about when I went to college so be careful Sara it’s time for a break. Fourth dimension technologies. You heard the four D. Ceo jug in last week. Talk about I. T. As a service for nonprofits. They know they’re in a service business. Their I. T. Infra in a box. The I. T. Buffet. If you will is structured around service, take what you need and what fits your budget, leave the rest behind. They know their work is to serve your I. T. Needs comes from the Ceo directly fourth dimension technologies tony-dot-M.A.-slash-Pursuant D. Just like three D. But they go one dimension deeper It’s time for Tony’s take two. This is my silver jubilee in planned giving and august is national make a will month next month. So let’s start talking about your planned giving program launch with wills wills. Why should you start your planned giving program with wills This week? three easy reasons. First they are the most popular planned gift by far expects 75-90% of your planned gifts forever to be the most simple planned gift. The gift by will. So it just makes sense to start with what’s gonna be At least three quarters of your gifts anyway Behind door number two there’s no donor education. Everybody knows what a will is. Everybody knows they need a will and everybody knows how will’s work. You don’t have to spend time and money educating donors explaining to them the concepts of life insurance as a planned gift or charitable gift annuities or remainder trusts. You’re sticking with the basics, something that everybody understands and Behind door number three there’s no staff education, everything I just said applies to your staff to everybody knows what wills are, everybody knows how they work and everybody knows that they need one. So you don’t have to train your staff on life insurance and gift annuities and charitable remainder trusts completely unnecessary. You’re starting with the basics and you may never ever decided to go further and that won’t matter. But the place to start is gifts by wills for those three reasons, three reasons for today in any case. And that is Tony’s take two. We’ve got just about a butt load more time for cybersecurity 101 with Matt Eshelman and Sara Wolf Matt. [00:22:29.94] spk_2:
What [00:22:30.17] spk_0:
else? Um, let’s go back to [00:22:32.94] spk_2:
what, [00:22:33.16] spk_0:
what we can the rockets and the boogie men that [00:22:36.24] spk_1:
we want [00:22:36.47] spk_0:
to help these folks look out for. [00:23:01.04] spk_1:
Um, yeah, I would maybe also just kind of come back in terms of what’s good about investing in this training is that it’s, it’s good to see progress And I think that’s one of the benefits as Sarah mentioned the know before platform. It’s great. You know, spend a little bit of money to invest in a platform because then you can actually see the progress of, you know, how many people are taking and passing these little trainings and then know before does a little thing called test fishing and you can actually see the percentage change of how many people in your organization are kind of clicking on stuff that they shouldn’t. And so, you know, whenever you test, yes, [00:23:34.04] spk_0:
it’s great test phishing emails to your enemies in the office, report them when they click, when they click after two days after the training and they click, you can, you can turn them in. Now organization advantage. Now there’s an advantage to being an accident that you’re no longer beleaguered. You’re empowered. Yes, send, send, send a, send a test phishing email to my boss who just turned me down for getting the day after christmas [00:23:46.84] spk_1:
off. So [00:23:47.30] spk_0:
yeah, so it’s great. [00:24:31.44] spk_1:
You can, you know, you can see, you can see progress and so not all of cybersecurity is kind of like doom and gloom and you know, battening down the hatches, you know, against the onslaught. I think it can be fun. It can be engaging. You know, uh, you know, I think organizations that yeah, do elevate it. And it’s something that, you know, people can talk about and talk about openly as opposed to, you know, being being silenced and kind of feeling bad about themselves. If they, if they clicked on one of those messages, right? Like that’s not the approach you want to take. You want to take the approach of encouraging that learning because, you know, if you got caught by a suspicious message, uh, you know, it’s likely somebody else got that too. And so having this kind of culture of openness and engagement. Yeah, is really successful, [00:24:37.54] spk_0:
right? I agree. Unless it’s your boss who turned you down for the day after christmas, that then it’s then it’s vindictive reported [00:24:40.64] spk_1:
to the board. [00:24:49.24] spk_0:
Yes. Oh, without a doubt. So All right, well let’s stay with you matt. What else? Um what else can we? Yeah, [00:26:00.74] spk_1:
I think the other thing that we started to see more of would be kind of financial fraud or what’s kind of called in the, I think the official terminology wire fraud. So you know, it could be something as simple as those messages people get, you know, that look like they’re coming from the executive director saying, hey, I just need you to buy these gift cards. Call me real quick. I got something for you to do. You know, we’ve seen people get caught up by that, you know, even to more sophisticated cases where people are getting tricked by well crafted emails that say, oh, I need to update my payment information or hey, we’ve got a grantee and they had a problem with their bank account and here’s the new bank account information. So uh you know, that kind of falls into an area where it’s, it’s not just a technology control. You know, there isn’t some product that you can buy that’s gonna magically make that go away. Um but it’s a combination of having training, maybe having some good spam filtering tools in place, but then also having some policy and procedures so that you’re talking about that with your finance department, uh, so that you, you have good processes in place. So it’s payments aren’t made just by one person making a change, but there’s some some review and some betting maybe we need to call somebody. So I think again, it’s it’s not just technology solutions, but really that that kind of the people in process comes in into these equations as well. [00:26:22.74] spk_0:
It seems like they’re getting more sophisticated. Uh, the little savvy er like uh your your account renewed for $399, you know, click here to see the invoice. You know, I don’t know, they just seem, they seem like they’re improving [00:27:35.94] spk_1:
well. And I think you’ve identified a key understanding is that uh this is this is a cyber crime. This is a criminal enterprise, right? This is financially motivated. And the bad guys are doing it, you know, not just to kind of go in and wreak havoc on your network, but they’re doing it to make money. Uh and so I think that’s also helpful for organizations to keep in mind, right? You know, you can be the greatest nonprofit in the world and be, you know, have the most noble mission. No, they’re not attacking you because of your mission. They’re attacking you because you have money and, and you might get tricked into yeah, doing that $399 renewal or maybe you updated a payment information and and that was $25,000. And so uh, you know, the mission, you know, does not matter For those, uh, you know, cyber criminals who are financially motivated and it’s a lot easier to, to kind of trick somebody into giving you $400 than it is to, you know, write some super sophisticated virus that’s gonna go on to your computer and encrypt all your files. Then you’re gonna have to try to figure out how to pay them in Cryptocurrency. Yeah. It’s just, it’s a lot easier to try to trick people into giving you money than it is to write, write a new virus. Yeah. [00:27:49.14] spk_0:
Okay. And then of course there is the community of nonprofits that, that are at risk because of their mission. And because you know, we’re living in a polarized time. It’s, it’s no longer [00:27:54.27] spk_1:
just [00:27:55.34] spk_0:
um, hot button issues, you know, like gun rights or, or abortion. [00:28:00.21] spk_1:
I mean, [00:28:06.74] spk_0:
it seems like a lot of missions could trigger someone to do something malicious, you know, technology wise. Uh, [00:28:27.94] spk_1:
yeah, I would say so. We really see that, um, primarily for organizations that are in the space kind of like government think tanks, policy groups, you know, kind of good good government. Those tend to be the kind of attack attract the most attention. Um, and then I think organizations that work on, you know, human sexuality and uh, you know, family planning and abortion services like are in that category as well. Right, [00:28:39.24] spk_0:
Sarah, let’s turn back to [00:28:40.94] spk_1:
you, what, [00:28:41.21] spk_0:
what, what more can you share with us? [00:31:26.84] spk_2:
Well the one of the things that you know in in that theme of you know it is financial, these these this has become a business enterprise and it’s become you know not necessarily organized crime but it has become something that is a multibillion dollar business. And um That is something that we’ve definitely seen. We’ve seen an increase in the number of incidents that we end up responding to like from 2018 to 2021. The number of cybersecurity incidents is that that community I. T. Was able to track tripled. And so you know there isn’t a way to really fly under the radar anymore and you’re right, these people are getting smarter. It’s not just all Nigerian princes looking for for oil or gold or whatever. It’s you know, there have been times where you know, we’ve seen examples that have been caught in the tools or that did get through and did nearly create an issue. And I sat there and looked at the email chain and I was like, I can’t tell where this jumped in and then you like have to like really highlight and look in and look in the details and you go, oh, oh okay. Like there was just like a one letter change in somebody’s email address, you know, or and like that can you know if if you don’t have the training and you’re not necessarily aware of that stuff and then the redundancy that that matt was talking about um making sure that, you know, it isn’t just up that that all of the keys to the castle aren’t in one person’s hands. Uh so that you can, you know, make sure that there’s additional eyes to see, you know, what you missed or to make sure that this is the real deal is, you know, really important. Um you know what, it’s, it’s definitely a frame of mind thing. You don’t want to be constantly consumed with worry and you know, be paranoid about everything and because that just takes, we’ve got a whole lot of other things going on in the world right now that we don’t need to be panicking about cyber security all the time and just doing a few relatively low cost things can really help with peace of mind. And you know, it’s worth taking the time, you know, penny wise, pound foolish is one of the other sayings that comes around a lot, you know, just to make sure that, You know, you don’t end up having to deal with a $25,000 wire fraud [00:31:30.01] spk_0:
issue sarah. What were some of the questions that you got from the accidental Tuckey folks who were watching, [00:31:38.84] spk_2:
they [00:31:38.91] spk_0:
were with you? [00:32:14.44] spk_2:
Yeah, there were some questions on like where do we start, like how do I like uh we, we pointed people to the Nist Nist framework has a chess checklist um of things that you can start thinking about and looking at as you know, places to start. There were also um questions about how do I how do I make sure that I can, you know, convince my my edie about this and [00:32:18.14] spk_0:
leadership by in [00:33:06.84] spk_2:
leadership buy in and you know, we really for that we really said, you know, try if if if if you’re, if you’re leadership isn’t necessarily into it, you have to get like there’s no right or wrong way to go about things that can be top down, it can be bottom up but making sure that if it’s something where your leadership isn’t as invested, making sure you gather allies, you gather allies and you gather financially focused um data to back you up. You know, cyber security is getting more frequent and it is getting more costly to have to address issues after the fact. And so, you know, those were, you know, some of the really big questions and focuses [00:33:34.34] spk_0:
you and you had mentioned allies early on the value of having having friends uh sympathetic to the to the cause all you know, making this case together to to the ceo or wherever it needs to go. Um All right, matt you want to leave us with some well matt, let me ask you any questions that you uh that that Sarah didn’t mention that you, that that hit you as particularly interesting important. [00:34:43.34] spk_1:
Um I think it’s important for for folks to to realize that, you know, just because their data in the cloud doesn’t necessarily mean that it’s, it’s backed up or it’s protected in a way that they, that they think it is. And so I think, you know, nonprofits have done a really great job of getting their data in the cloud platforms. You know, there’s been a lot of great donation programs and discounts and so non profits, I think have done a really good job of technology adoption. Um, but what we see is that they haven’t been maybe as strict on kind of the policy and the governance and some of the other supporting, you know, processes. So we think it’s really important that you understand where your data is and understand how it’s protected and just make sure that that lines up with what you, you know, your organization expects, you know, is it okay if somebody downloads all of your organization data on their personal computer? Like is that an okay thing to have happened? Let’s make, let’s make sure that we talk about it and understand that, uh, you know, and I think the same thing goes again, you know, if somebody deletes a file today, do we need to be able to recover it, You know, a day from now, 30 days from now, a year from now. And so I think just having some of those baseline settings and kind of testing them is a really important step to take [00:35:01.54] spk_0:
backup recovery. You know those are not necessarily covered by just being in the being in the cloud and how what’s the time to recover? [00:35:22.44] spk_1:
Right. Yeah. So I think a lot of those, you know quote unquote old school you know security methods or techniques are still important even if you’ve got your date in the clouds again having that third party backup, having an offline copy. Uh those are all really important steps to take to make sure that your organization’s data is well protected. [00:35:24.94] spk_2:
Okay. [00:35:26.14] spk_1:
All [00:35:29.04] spk_0:
right. Why don’t we leave it there then? I feel like we’ve covered this. [00:35:31.14] spk_2:
I [00:35:31.51] spk_1:
think we’ve got the foundational element. Is [00:35:41.34] spk_0:
there anything alright, is there anything on your mind just like oh wait I gotta get this in. Is there anybody, I [00:35:41.67] spk_1:
mean I’ll put in a plug for multi factor authentication again I think it’s worth saying at least a couple more times [00:35:46.63] spk_0:
because [00:35:47.47] spk_1:
it’s the it’s the most important step that that that many organizations can take. [00:35:54.74] spk_0:
Okay Sarah parting thought [00:36:16.33] spk_2:
just gonna emphasize what matt said about the managed backup just now um you know it’s really important to know your settings and to discuss them because you know a lot of times data loss is actually accidental and so if you have a way to get it back that can save you a whole lot of heartache and headache. [00:36:20.38] spk_0:
Okay we want to avoid [00:36:22.00] spk_1:
both. Thank [00:36:34.53] spk_0:
you that’s Sara Wolf sales manager at community I. T. Innovators and also matt Eshelman Chief technology officer at community I. T. Innovators. Sarah matt, thank you both very much. [00:36:37.33] spk_2:
Thank you so much. [00:36:38.26] spk_1:
Thanks tony it’s good to get to talk to you. [00:36:39.97] spk_0:
All right, pleasure and thank you for being [00:36:42.51] spk_1:
with [00:38:02.03] spk_0:
nonprofit radio coverage of 22 N. T C. The 2022 nonprofit technology conference. I’m glad you’re with us next week tech policies to reduce toxic productivity. If you missed any part of this week’s show, I beseech you find it at tony-martignetti dot com. This is # 601 by the way, I don’t know if you’re counting. We’re sponsored by turn to communications pr and content for nonprofits your story is their mission turn hyphen two dot C. O. And by 4th dimension technologies I. T. Infra in a box. The affordable tech solution for nonprofits tony-dot-M.A.-slash-Pursuant four D. Just like three D. But they go on to mention deeper. Our creative producer is claire Meyerhoff. The shows social media is by Susan Chavez, marc Silverman is our web guy and this music is by scott stein yeah thank you for that. Affirmation scotty be with me next week for non profit radio Big non profit ideas for the other 95% go out and be great. Mhm. Mhm
Processed on: 2022-07-23T23:48:11.167Z
S3 bucket containing transcription results: transcript.results
Link to bucket: s3.console.aws.amazon.com/s3/buckets/transcript.results
Path to JSON: 2022…07…601_tony_martignetti_nonprofit_radio_20220725.mp3.159997831.json
Path to text: transcripts/2022/07/601_tony_martignetti_nonprofit_radio_20220725.txt
[00:02:05.14] spk_0:
Hello and welcome to Tony-Martignetti non profit radio big non profit ideas for the other 95%. I’m your aptly named host of your favorite abdominal podcast my goodness. Last week’s show was great fun. They’re all fun. But the last weeks 600 show was great fun. Oh I’m glad you’re with me for this week’s fun show I’d be thrown into an echo Griffo sis if you clawed me with the idea that you missed this week’s show, Cybersecurity 101. Our 22 NTC coverage picks back up with a summary of the tech threat, landscape key policies and procedures to have in place and how to make the case for devoting resources to IT protection. Our guests are matt Eshelman and Sara Wolfe, both from community I. T. Innovators, non tony steak too. My boys just cracked like I’m 14 years old, please start your plan giving with wills. We’re sponsored by turn to communications. Pr and content for nonprofits. Your story is their mission turn hyphen two dot c o and by fourth dimension technologies I. T infra in a box. The affordable tech solution for nonprofits. tony-dot-M.A.-slash-Pursuant four D. Just like 3D but they go one dimension deeper Here is cybersecurity 101. Welcome to Tony-Martignetti non profit radio coverage of 22 NTC. The 2022 nonprofit technology conference hosted by N 10. Our coverage brings me now Matt Eshelman chief technology officer at community I T innovators and Sara Wolf sales
manager [00:02:16.64] spk_0:
Also at Community I. T. Innovators. Matt serra. Welcome to non profit radio [00:02:23.14] spk_1:
Thanks. tony It’s good to be here. [00:02:25.34] spk_2:
Thank you. Glad [00:02:42.84] spk_0:
to have you. Pleasure to have both of you. Um Your session topic is defending against Bogart’s and boogie men understanding and pitching cybersecurity for the accidental techie sarah. Why don’t you get us started? Let’s define accidental techie. I think we have a lot of them listening but they may not know it. [00:03:13.44] spk_2:
Yeah so accidental techies are the people at an organization that are not necessarily somebody who’s been trained in I. T. But is relatively tech savvy and so they end up being the ones who help their coworkers with tech issues or are the ones that end up wearing the I. T. Support hat even though they might necessarily have they haven’t necessarily gone through professional training for it? [00:03:32.14] spk_0:
Okay. Right so they know enough that they know more than others but they’re not they’re not professionally trained in technology. Okay and and matt why are why are Bogart’s and boogie men your your description says an accidental techies biggest nightmare what’s lurking there? [00:03:38.23] spk_1:
Well I think yeah [00:03:51.34] spk_0:
I don’t even know. Yeah I’m not even an accidental techie. Okay there’s the first problem you like you’re suffering a lackluster host obviously. Okay. Alright [00:04:28.24] spk_1:
so they I think the takes the form of kind of your your biggest fear and so yeah whenever it appears it it shows up as as what you’re most afraid of um you know and I think for for folks that are supporting nonprofit organizations. Yeah there is this fear of of kind of what could be lurking out there, What kind of threats could impact your organization. Uh and for many folks, especially the accidental techies, they don’t have that background training and experience in terms of how to protect their organization. And so that’s why we wanted to to have that session to help provide some tools and equipment so that people that, you know, have that responsibility, but maybe not the training can pick up a few, a few tips. [00:04:40.74] spk_0:
Okay. Why don’t you, why don’t you start us off? What would uh what would you like folks to know about that? They don’t know well enough, but they ought to. [00:05:30.74] spk_1:
I mean, I think the biggest thing for for folks to understand is just I think the importance of what’s called multi factor authentication. So M. F. A. It’s often referred to uh it’s something that, you know, which is your password and then something that you have and for most folks that would be an app on their smartphone. Um and what this gives is an extra layer of protection, you know, we all know people’s passwords get compromised and and kind of stolen all the time. But if you can add that extra layer of, you know, an app on your phone to protect that login, then you’re much much less likely to have your account compromised. And kind of, what we see is that most compromises then, you know, will then lead to other things that you know have significant damage in terms of, you know, emailing, you know, all of the contacts in your organization’s database, uh sending out malicious links, you know, sending out updated payment information so that can kind of lead to a lot of other bad things. And so if we can protect that account with M. F. A. Then the organization becomes a lot more secure. [00:05:46.54] spk_0:
Okay. And you’d like to see this mandatory? Not opt in [00:06:16.74] spk_1:
that is exactly right. You know, Microsoft and the other big Um you know, tech providers are starting to enforce that now as a as a requirement, but if you’ve been in office 365 or if you’ve been in Google apps for a long time, uh it’s not required and it’s something that organizations need to take a couple of steps in order to set it up and roll all their staff provide training uh just to make sure that it’s set up and working correctly. [00:06:27.54] spk_0:
Okay. So we should be doing it, we should be opting in where it’s optional and we should make make it mandatory if we’re the we’re wearing the hat of the uh the accidental techie, [00:06:32.04] spk_1:
yep. Exactly. Right. [00:06:37.94] spk_0:
All right. All right. Sarah, what else, what else can you share for? Are these folks [00:08:13.14] spk_2:
I think for the next biggest thing uh is, you know, making sure that your staff, you know, are actually aware of the different security risks and things like that? Having a security awareness training program is one of the best ways to make sure that even if something, you can have all of the fancy tools in the world, every single like filter and everything, something’s going to slip through. And if you have staff that know what to look for and know not to click on something or not to go on that website or not to, you know, enter their information in various different places. Them having the knowledge is going to be one of the biggest returns on investment in terms of security, antivirus. Uh, we only, we had so few um, issues with antivirus last year, out of the 696 security incidents that we were dealing with, Only seven of them were viruses and only 45 of them were malware. And so it’s much more important for staff to be able to identify what’s a spam email, what, spearfishing. How can I tell if I’m looking at an email from somebody else whose account has been compromised and having the training to make them aware of. That is definitely worth the investment. And there are great tools out there, like, no before that, you know, are really easy to use. [00:08:31.84] spk_0:
Okay. And so, uh, no, first of all, it was no before like K N O W K N O W before. Okay, I didn’t know about this, but I figured out no. Before. All right. But that’s not that’s not really saying much but any case. Um So is that a security training? Like is that online security training that folks can get it? No before or like how is this accidental techie gonna push this and and offer the training in their in their non profit [00:10:02.94] spk_2:
That’s great. Yeah. So uh that’s a learning management software and that’s specifically for cybersecurity behaviors and tools. The way that you’re going to pitch this for your organization is to first gather your data, get your plan of attack. And a lot of times you know that involves one Looking for friends in the company to support you to getting data and you know trying to make sure that if you are able to um like find partners either within the organization or maybe even reach out to your board governance committee, um those people are going to be able to you know, help leverage some of the existing requirements that you have, if an organization needs to apply for cyber liability insurance a lot of times multifactor authentication is going to be one of the requirements. A staff security training is going to be one of the requirements. And so being able to leverage those and then putting it putting your plea into terms that people understand if your E. D. Is looking at, you know, what is the comparing the cost of of security, education software versus you know, financial compromise. Like there is a definite argument to be made there [00:11:03.94] spk_0:
it’s time for a break. Turn to communications, media relations and thought leadership. Peter pan a pinto, a turn to partner was on last week. He’s a former journalist at the Chronicle of philanthropy. His partner scott is also a former journalist so they know what to do and what not to do to build relationships with journalists. Those relationships are going to get, you heard turn to communications, your story is their mission turn hyphen two dot C. O. Now back to cybersecurity 101 you mentioned cyber liability insurance. Is that is that something else? We should be flagging for these for these poor accidental turkeys. [00:11:08.54] spk_2:
The [00:11:08.75] spk_0:
beleaguered, beleaguered, accidental techies. [00:12:16.64] spk_1:
Yeah. I think we’re seeing more and more organizations go through a cyber liability insurance kind of renewal process. Typically that’s something that’s handled by the, you know, the finance department of the organization. What we’re seeing is that, you know, for cyber liability insurance or even for financial audits, they’re becoming a lot more technical. And so it’s likely that if you’ve got any any tech aptitude at all, then you’re being enlisted to help fill out these applications to provide the detailed information that’s being requested. And so yeah, we’re seeing a lot more sophistication being, you know kind of demanded by these insurance companies in terms of, you know understanding which controls are in place because we’re seeing even cases where if you have not turned on multi factor authentication for all your your systems you won’t even be eligible for coverage. Uh and so it’s pretty dramatic that you know organizations are now being, you know, it’s a good idea to protect the organization, you know, for these cyber security controls. But there’s this also this extra layer of requirement from you know, insurance carriers now to say hey like you have to have this so we’re not gonna provide you insurance. [00:12:40.94] spk_0:
Okay, okay. Sarah, let’s go back to you. I’d ask you about cyber liability insurance and then matt usurped unceremoniously uh usurped your your your your platform. So let’s go back to you what else, what else can you contribute for these for these folks? [00:13:53.94] spk_2:
Yeah. So with with cyber liability insurance it’s something that oftentimes is getting you know much more of a top down decision making process. Somebody will have, you know, these things like the ransomware and and wire fraud and issues like that have been, we have bubbled up more inter in like the public awareness and so there’s a lot of top down pressure for these things to get adopted and you know there one of the things that they’re also going to ask for is you know, what are your plans? Do you have an acceptable use policy for your I. T. Do you have a plan for when something does go wrong, you know what do people know what to do, who to reach out to, what steps to take? You know because you know you you hope for the best to plan for the worst. And there are a lot of really good resources out there for developing these sorts of acceptable use policies for for creating incident response plans and you know you can um really it can get overwhelming sometimes the number of you know different resources that are available and what to use and what not to use. So you know partnering with somebody who does know you know a little bit more about cybersecurity or is providing that knowledge to the community. Um [00:14:43.94] spk_0:
Let me guess that that that’s the work of community I. T. Innovators. Am I going out on a limb taking a taking a stab in the dark? Yes. Okay well we’ll get I’ll give you a chance for this for the shout out. Alright explanation. But I’m gonna ask you first what are what are some resources for folks? I mean I’m you got me feeling bad now for these people because we’re like we’re enhancing their to do list but this isn’t even their job that they’re paid for. But yeah we’re talking about looking into insurance and having policies and now now now they are now realizing they are beleaguered because it’s not even their job, they’re just got foisted on them because they know more than all the baby boomers in the [00:14:53.77] spk_1:
office. [00:14:56.64] spk_2:
Sometimes it is baby boomers who are accidental techies. [00:14:59.85] spk_0:
All right. It’s probably not too often. Thank you for that, but probably not not too often. All right. But so what are some resources that folks can can rely on? You said there’s there are many, where can we look? [00:15:14.44] spk_2:
So I’m going to start with the the self interest pitch first. Uh community I. T. Has a great um library of publicly available resources on our website and our Youtube channel um that are really great for digging into these kinds of things. Um A great [00:15:30.38] spk_0:
places website. The website [00:16:00.74] spk_2:
is uh community I. T. Dot com. Um and the one of the other places that I know that matt has as our cybersecurity expert has a lot of people start is with the cybersecurity framework by nest the um and that website have a link to it. It’s N I S T dot gov two slash cybersecurity framework. [00:16:03.65] spk_0:
Okay. And I S T dot gov slash cybersecurity framework. So N I S. T. Obviously is a government agency, National Institute [00:16:11.61] spk_1:
of Standards [00:16:12.97] spk_2:
and Technology [00:16:24.44] spk_0:
Technology. Thank you. So. Okay. Um Alright, so there’s a couple of resources um including community I. T. Innovators. Anything else you’d like to share with that folks can rely on? [00:16:47.44] spk_1:
I’d say that there’s no shortage of resources out there. Techsoup is also a great resource. So in addition to the donations that I think we’re all familiar with Techsoup also has a courses and training and so they have some free resources that I would encourage folks to check out there. Um, so I think, yeah, there’s, there’s no shortage of resources that are out there to help people learn. I think, you know, the big, the big challenges is really putting it into action. [00:17:16.24] spk_0:
What about a little uh, can we give some uh, psychological support to these beleaguered folks? Now? I’m telling you, you have me feeling very badly for them? Um, what we’ll get back to the to the bog arts and boogie men, I promise. But but uh, let’s let’s take a little digression to how we can support these folks other than recommending things for them to be aware of just like how can how can we support them otherwise. [00:17:25.34] spk_2:
So I think that, you know, I’m trying not to turn this into a pitch for joint for having an MSP come in and like do you own this stuff for you? Because [00:17:33.45] spk_0:
what’s an MSP [00:17:34.70] spk_2:
MSP is a managed service provider. [00:17:38.13] spk_0:
Thank you. That’s what you are [00:17:40.09] spk_2:
support, we have [00:17:41.20] spk_0:
drug in jail on non profit radio So yeah, but I, I saved you from from any any lengthy sentence. Okay, a managed service provider. Okay, [00:18:35.14] spk_2:
so that is that is one of the ways you know that you can get support. The other thing is you know, really leaning on the rest of the community Text suit is a great place to look for resources and you know, the entire community is a place to ask questions. Um There are also you know on linkedin and facebook and places like that. There are communities that you can reach out to for wanting to event looking for ideas, looking for recommendations. Those are all um possibilities. I uh definitely enjoy seeing how many you know how ready people are when people post on the N 10 forums like I need help with this and like there are definitely people jumping on, [00:19:12.74] spk_0:
it’s an enormously supportive community. Yeah I I fear that even though I say it a lot because amy sample Ward is on the show very often. She’s our technology contributor. Um and so she’s often saying it to that intent is not only for technologists but I I still think people have that misconception. Um It can be for folks who are not even you know not even responsible for technology in their office but they’re just using it. You know you’re just using it in your non profit and In 2022 like who is not using technology? I don’t think we’re running everything by index cards even if you’re on an excel spreadsheet, you’re still using technology. So. [00:19:22.64] spk_2:
Yeah. [00:22:28.84] spk_0:
Yeah. Well that yeah and line printers now you’re talking about when I went to college so be careful Sara it’s time for a break. Fourth dimension technologies. You heard the four D. Ceo jug in last week. Talk about I. T. As a service for nonprofits. They know they’re in a service business. Their I. T. Infra in a box. The I. T. Buffet. If you will is structured around service, take what you need and what fits your budget, leave the rest behind. They know their work is to serve your I. T. Needs comes from the Ceo directly fourth dimension technologies tony-dot-M.A.-slash-Pursuant D. Just like three D. But they go one dimension deeper It’s time for Tony’s take two. This is my silver jubilee in planned giving and august is national make a will month next month. So let’s start talking about your planned giving program launch with wills wills. Why should you start your planned giving program with wills This week? three easy reasons. First they are the most popular planned gift by far expects 75-90% of your planned gifts forever to be the most simple planned gift. The gift by will. So it just makes sense to start with what’s gonna be At least three quarters of your gifts anyway Behind door number two there’s no donor education. Everybody knows what a will is. Everybody knows they need a will and everybody knows how will’s work. You don’t have to spend time and money educating donors explaining to them the concepts of life insurance as a planned gift or charitable gift annuities or remainder trusts. You’re sticking with the basics, something that everybody understands and Behind door number three there’s no staff education, everything I just said applies to your staff to everybody knows what wills are, everybody knows how they work and everybody knows that they need one. So you don’t have to train your staff on life insurance and gift annuities and charitable remainder trusts completely unnecessary. You’re starting with the basics and you may never ever decided to go further and that won’t matter. But the place to start is gifts by wills for those three reasons, three reasons for today in any case. And that is Tony’s take two. We’ve got just about a butt load more time for cybersecurity 101 with Matt Eshelman and Sara Wolf Matt. [00:22:29.94] spk_2:
What [00:22:30.17] spk_0:
else? Um, let’s go back to [00:22:32.94] spk_2:
what, [00:22:33.16] spk_0:
what we can the rockets and the boogie men that [00:22:36.24] spk_1:
we want [00:22:36.47] spk_0:
to help these folks look out for. [00:23:01.04] spk_1:
Um, yeah, I would maybe also just kind of come back in terms of what’s good about investing in this training is that it’s, it’s good to see progress And I think that’s one of the benefits as Sarah mentioned the know before platform. It’s great. You know, spend a little bit of money to invest in a platform because then you can actually see the progress of, you know, how many people are taking and passing these little trainings and then know before does a little thing called test fishing and you can actually see the percentage change of how many people in your organization are kind of clicking on stuff that they shouldn’t. And so, you know, whenever you test, yes, [00:23:34.04] spk_0:
it’s great test phishing emails to your enemies in the office, report them when they click, when they click after two days after the training and they click, you can, you can turn them in. Now organization advantage. Now there’s an advantage to being an accident that you’re no longer beleaguered. You’re empowered. Yes, send, send, send a, send a test phishing email to my boss who just turned me down for getting the day after christmas [00:23:46.84] spk_1:
off. So [00:23:47.30] spk_0:
yeah, so it’s great. [00:24:31.44] spk_1:
You can, you know, you can see, you can see progress and so not all of cybersecurity is kind of like doom and gloom and you know, battening down the hatches, you know, against the onslaught. I think it can be fun. It can be engaging. You know, uh, you know, I think organizations that yeah, do elevate it. And it’s something that, you know, people can talk about and talk about openly as opposed to, you know, being being silenced and kind of feeling bad about themselves. If they, if they clicked on one of those messages, right? Like that’s not the approach you want to take. You want to take the approach of encouraging that learning because, you know, if you got caught by a suspicious message, uh, you know, it’s likely somebody else got that too. And so having this kind of culture of openness and engagement. Yeah, is really successful, [00:24:37.54] spk_0:
right? I agree. Unless it’s your boss who turned you down for the day after christmas, that then it’s then it’s vindictive reported [00:24:40.64] spk_1:
to the board. [00:24:49.24] spk_0:
Yes. Oh, without a doubt. So All right, well let’s stay with you matt. What else? Um what else can we? Yeah, [00:26:00.74] spk_1:
I think the other thing that we started to see more of would be kind of financial fraud or what’s kind of called in the, I think the official terminology wire fraud. So you know, it could be something as simple as those messages people get, you know, that look like they’re coming from the executive director saying, hey, I just need you to buy these gift cards. Call me real quick. I got something for you to do. You know, we’ve seen people get caught up by that, you know, even to more sophisticated cases where people are getting tricked by well crafted emails that say, oh, I need to update my payment information or hey, we’ve got a grantee and they had a problem with their bank account and here’s the new bank account information. So uh you know, that kind of falls into an area where it’s, it’s not just a technology control. You know, there isn’t some product that you can buy that’s gonna magically make that go away. Um but it’s a combination of having training, maybe having some good spam filtering tools in place, but then also having some policy and procedures so that you’re talking about that with your finance department, uh, so that you, you have good processes in place. So it’s payments aren’t made just by one person making a change, but there’s some some review and some betting maybe we need to call somebody. So I think again, it’s it’s not just technology solutions, but really that that kind of the people in process comes in into these equations as well. [00:26:22.74] spk_0:
It seems like they’re getting more sophisticated. Uh, the little savvy er like uh your your account renewed for $399, you know, click here to see the invoice. You know, I don’t know, they just seem, they seem like they’re improving [00:27:35.94] spk_1:
well. And I think you’ve identified a key understanding is that uh this is this is a cyber crime. This is a criminal enterprise, right? This is financially motivated. And the bad guys are doing it, you know, not just to kind of go in and wreak havoc on your network, but they’re doing it to make money. Uh and so I think that’s also helpful for organizations to keep in mind, right? You know, you can be the greatest nonprofit in the world and be, you know, have the most noble mission. No, they’re not attacking you because of your mission. They’re attacking you because you have money and, and you might get tricked into yeah, doing that $399 renewal or maybe you updated a payment information and and that was $25,000. And so uh, you know, the mission, you know, does not matter For those, uh, you know, cyber criminals who are financially motivated and it’s a lot easier to, to kind of trick somebody into giving you $400 than it is to, you know, write some super sophisticated virus that’s gonna go on to your computer and encrypt all your files. Then you’re gonna have to try to figure out how to pay them in Cryptocurrency. Yeah. It’s just, it’s a lot easier to try to trick people into giving you money than it is to write, write a new virus. Yeah. [00:27:49.14] spk_0:
Okay. And then of course there is the community of nonprofits that, that are at risk because of their mission. And because you know, we’re living in a polarized time. It’s, it’s no longer [00:27:54.27] spk_1:
just [00:27:55.34] spk_0:
um, hot button issues, you know, like gun rights or, or abortion. [00:28:00.21] spk_1:
I mean, [00:28:06.74] spk_0:
it seems like a lot of missions could trigger someone to do something malicious, you know, technology wise. Uh, [00:28:27.94] spk_1:
yeah, I would say so. We really see that, um, primarily for organizations that are in the space kind of like government think tanks, policy groups, you know, kind of good good government. Those tend to be the kind of attack attract the most attention. Um, and then I think organizations that work on, you know, human sexuality and uh, you know, family planning and abortion services like are in that category as well. Right, [00:28:39.24] spk_0:
Sarah, let’s turn back to [00:28:40.94] spk_1:
you, what, [00:28:41.21] spk_0:
what, what more can you share with us? [00:31:26.84] spk_2:
Well the one of the things that you know in in that theme of you know it is financial, these these this has become a business enterprise and it’s become you know not necessarily organized crime but it has become something that is a multibillion dollar business. And um That is something that we’ve definitely seen. We’ve seen an increase in the number of incidents that we end up responding to like from 2018 to 2021. The number of cybersecurity incidents is that that community I. T. Was able to track tripled. And so you know there isn’t a way to really fly under the radar anymore and you’re right, these people are getting smarter. It’s not just all Nigerian princes looking for for oil or gold or whatever. It’s you know, there have been times where you know, we’ve seen examples that have been caught in the tools or that did get through and did nearly create an issue. And I sat there and looked at the email chain and I was like, I can’t tell where this jumped in and then you like have to like really highlight and look in and look in the details and you go, oh, oh okay. Like there was just like a one letter change in somebody’s email address, you know, or and like that can you know if if you don’t have the training and you’re not necessarily aware of that stuff and then the redundancy that that matt was talking about um making sure that, you know, it isn’t just up that that all of the keys to the castle aren’t in one person’s hands. Uh so that you can, you know, make sure that there’s additional eyes to see, you know, what you missed or to make sure that this is the real deal is, you know, really important. Um you know what, it’s, it’s definitely a frame of mind thing. You don’t want to be constantly consumed with worry and you know, be paranoid about everything and because that just takes, we’ve got a whole lot of other things going on in the world right now that we don’t need to be panicking about cyber security all the time and just doing a few relatively low cost things can really help with peace of mind. And you know, it’s worth taking the time, you know, penny wise, pound foolish is one of the other sayings that comes around a lot, you know, just to make sure that, You know, you don’t end up having to deal with a $25,000 wire fraud [00:31:30.01] spk_0:
issue sarah. What were some of the questions that you got from the accidental Tuckey folks who were watching, [00:31:38.84] spk_2:
they [00:31:38.91] spk_0:
were with you? [00:32:14.44] spk_2:
Yeah, there were some questions on like where do we start, like how do I like uh we, we pointed people to the Nist Nist framework has a chess checklist um of things that you can start thinking about and looking at as you know, places to start. There were also um questions about how do I how do I make sure that I can, you know, convince my my edie about this and [00:32:18.14] spk_0:
leadership by in [00:33:06.84] spk_2:
leadership buy in and you know, we really for that we really said, you know, try if if if if you’re, if you’re leadership isn’t necessarily into it, you have to get like there’s no right or wrong way to go about things that can be top down, it can be bottom up but making sure that if it’s something where your leadership isn’t as invested, making sure you gather allies, you gather allies and you gather financially focused um data to back you up. You know, cyber security is getting more frequent and it is getting more costly to have to address issues after the fact. And so, you know, those were, you know, some of the really big questions and focuses [00:33:34.34] spk_0:
you and you had mentioned allies early on the value of having having friends uh sympathetic to the to the cause all you know, making this case together to to the ceo or wherever it needs to go. Um All right, matt you want to leave us with some well matt, let me ask you any questions that you uh that that Sarah didn’t mention that you, that that hit you as particularly interesting important. [00:34:43.34] spk_1:
Um I think it’s important for for folks to to realize that, you know, just because their data in the cloud doesn’t necessarily mean that it’s, it’s backed up or it’s protected in a way that they, that they think it is. And so I think, you know, nonprofits have done a really great job of getting their data in the cloud platforms. You know, there’s been a lot of great donation programs and discounts and so non profits, I think have done a really good job of technology adoption. Um, but what we see is that they haven’t been maybe as strict on kind of the policy and the governance and some of the other supporting, you know, processes. So we think it’s really important that you understand where your data is and understand how it’s protected and just make sure that that lines up with what you, you know, your organization expects, you know, is it okay if somebody downloads all of your organization data on their personal computer? Like is that an okay thing to have happened? Let’s make, let’s make sure that we talk about it and understand that, uh, you know, and I think the same thing goes again, you know, if somebody deletes a file today, do we need to be able to recover it, You know, a day from now, 30 days from now, a year from now. And so I think just having some of those baseline settings and kind of testing them is a really important step to take [00:35:01.54] spk_0:
backup recovery. You know those are not necessarily covered by just being in the being in the cloud and how what’s the time to recover? [00:35:22.44] spk_1:
Right. Yeah. So I think a lot of those, you know quote unquote old school you know security methods or techniques are still important even if you’ve got your date in the clouds again having that third party backup, having an offline copy. Uh those are all really important steps to take to make sure that your organization’s data is well protected. [00:35:24.94] spk_2:
Okay. [00:35:26.14] spk_1:
All [00:35:29.04] spk_0:
right. Why don’t we leave it there then? I feel like we’ve covered this. [00:35:31.14] spk_2:
I [00:35:31.51] spk_1:
think we’ve got the foundational element. Is [00:35:41.34] spk_0:
there anything alright, is there anything on your mind just like oh wait I gotta get this in. Is there anybody, I [00:35:41.67] spk_1:
mean I’ll put in a plug for multi factor authentication again I think it’s worth saying at least a couple more times [00:35:46.63] spk_0:
because [00:35:47.47] spk_1:
it’s the it’s the most important step that that that many organizations can take. [00:35:54.74] spk_0:
Okay Sarah parting thought [00:36:16.33] spk_2:
just gonna emphasize what matt said about the managed backup just now um you know it’s really important to know your settings and to discuss them because you know a lot of times data loss is actually accidental and so if you have a way to get it back that can save you a whole lot of heartache and headache. [00:36:20.38] spk_0:
Okay we want to avoid [00:36:22.00] spk_1:
both. Thank [00:36:34.53] spk_0:
you that’s Sara Wolf sales manager at community I. T. Innovators and also matt Eshelman Chief technology officer at community I. T. Innovators. Sarah matt, thank you both very much. [00:36:37.33] spk_2:
Thank you so much. [00:36:38.26] spk_1:
Thanks tony it’s good to get to talk to you. [00:36:39.97] spk_0:
All right, pleasure and thank you for being [00:36:42.51] spk_1:
with [00:38:02.03] spk_0:
nonprofit radio coverage of 22 N. T C. The 2022 nonprofit technology conference. I’m glad you’re with us next week tech policies to reduce toxic productivity. If you missed any part of this week’s show, I beseech you find it at tony-martignetti dot com. This is # 601 by the way, I don’t know if you’re counting. We’re sponsored by turn to communications pr and content for nonprofits your story is their mission turn hyphen two dot C. O. And by 4th dimension technologies I. T. Infra in a box. The affordable tech solution for nonprofits tony-dot-M.A.-slash-Pursuant four D. Just like three D. But they go on to mention deeper. Our creative producer is claire Meyerhoff. The shows social media is by Susan Chavez, marc Silverman is our web guy and this music is by scott stein yeah thank you for that. Affirmation scotty be with me next week for non profit radio Big non profit ideas for the other 95% go out and be great. Mhm. Mhm
Rachel Clemens is concerned that your website is holding you back from raising all the money you can. Are you confusing donors? Overloading them? She’s chief marketing officer at 
