Nonprofit Radio for January 4, 2019: Stay Secure In 2019

I love our sponsors!

Do you want to find more prospects & raise more money? Pursuant is a full-service fundraising agency, leveraging data & technology.

WegnerCPAs. Guiding you. Beyond the numbers.

Credit & debit card processing by telos. Payment processing is now passive revenue for your org.

Fundraising doesn’t have to be hard. Txt2Give makes it easy to receive donations using simple text messages.

Get Nonprofit Radio insider alerts!


My Guest:

Jordan McCarthy: Stay Secure In 2019 
Let’s resolve to keep our technology and data safe in the New Year. Jordan McCarthy will help. He’s with Tech Impact and he’s got simple, proactive measures for the short term as well as bigger long-term initiatives for your consideration. Stay safe!



Top Trends. Sound Advice. Lively Conversation.

Board relations. Fundraising. Volunteer management. Prospect research. Legal compliance. Accounting. Finance. Investments. Donor relations. Public relations. Marketing. Technology. Social media.

Every nonprofit struggles with these issues. Big nonprofits hire experts. The other 95% listen to Tony Martignetti Nonprofit Radio. Trusted experts and leading thinkers join me each week to tackle the tough issues. If you have big dreams but a small budget, you have a home at Tony Martignetti Nonprofit Radio.


Transcript for 420_tony_martignetti_nonprofit_radio_20180104.mp3.mp3

Processed on: 2019-01-04T22:17:46.089Z

Hello and welcome to Tony Martignetti Nonprofit Radio. Big nonprofit ideas for the other ninety-five percent. I'm your aptly named host. Happy New Year. Welcome. Welcome to Nonprofit Radio 2019, whatever the hell that means. Welcome to the New Year. Oh, I'm glad you're with me. I'd suffer the embarrassment of pemphigus erythematosus if you made me face the idea that you missed today's show: Stay Secure in 2019. Let's resolve to keep our technology and data safe in the New Year. Jordan McCarthy will help. He's with Tech Impact, and he's got simple, proactive measures for the short term as well as bigger long-term initiatives for your consideration. Stay safe. On Tony's Take Two: time to be an insider. We're sponsored by Pursuant, full-service fundraising, data driven and technology enabled, tony.ma/pursuant; by Wegner CPAs, guiding you beyond the numbers, wegnercpas.com; by Telos, turning credit card processing into your passive revenue stream, tony.ma/Tony-Telos; and by Text2Give, mobile donations made easy. Text NPR to 444-999.

I'm pleased to welcome Jordan McCarthy to the show. He is Infrastructure and Security Lead at Tech Impact. He works with organizations of every shape and size, from three-person grassroots advocacy groups to three-hundred-plus-person social service providers, to help them figure out what kinds of technical tools, analyses and strategies will maximize their social impact. He has a decade of experience in systems and network administration, technical writing and education, and technology policy analysis. Tech Impact is at techimpact.org and at @tech_impact. Welcome to the show, Jordan. Thank you so much. It's a real pleasure to be here. Thank you. And Happy New Year. Oh, you as well, thank you very much. Thanks. Um, Tech Impact is a nonprofit itself. What are you doing there? So, quite a lot.
We are an interesting organization because we have the heart and soul of a nonprofit, um, and to some extent, you know, the constant, you know, running from one thing to the next. But we provide services in the style of a more traditional tech shop to other nonprofits. That's not the only thing we do. We actually have several arms, one of which I'm really, really fond of is our ITWorks arm, and they're sort of a more traditionally nonprofit division that does workforce development in Philadelphia, Wilmington and Las Vegas, bringing in underserved young people and giving them a solid foundation of skills in IT and various kinds of support that allows them to go back to their communities and give back and start off on really solid careers. But, um, on the other side of the house, we provide all sorts of technical services, advising, consulting, implementations and ongoing support, to nonprofits of every shape and size. And what we do for each nonprofit really depends on who they are and what they need. So we try to meet folks where they're at and, you know, get a sense of who they are and then sculpt a package of services, whether ongoing or short term, that really helps them be more effective at whatever it is that they do. Using technology. Yes, exactly right. So, you know, we aren't necessarily going to help people supply cars, but anything related to information technology pretty much falls under our umbrella. Now I saw that in training you partner with Idealware. Idealware's CEO Karen Graham has been on the show a couple of times. I'm a big fan of Idealware. Did I see that right? You do some partnering with them? Actually, yes. And we've partnered more closely than ever, because we have actually merged with Idealware. Tech Impact and Idealware, yeah, are now basically part and parcel of the same organization.
So we are tremendously excited about that, looking forward to working with Karen and her team to really redouble our efforts in the area of education and training, and really trying to get people empowered to do some more of that stuff on their own, so they don't have to, you know, exclusively rely on, you know, shops like Tech Impact. We will be here as long as people need us, but we want to give people as much of the tooling and resources as they can stomach, so that they can be as effective as they can on their own. Look at Nonprofit Radio, outside the loop. I did not know that you had merged. Is there going to be a common name between you and Idealware? So there is, I believe. Now, we're keeping the name Tech Impact. It's sort of, you know, a nice broad umbrella. Idealware is keeping their name as well, but I think they're now, you know, one of our major flagship... I don't know what we're calling it, the subdivision, because they are, you know, a real powerhouse in their own right. But they're a member of the family, let's say. OK, how recent is that merger that I didn't know about? Only in the past couple of months. Oh, good. Okay, I don't feel so bad. All right. No, more like two or three months behind. Oh, that's not so bad. I'm still reading the newspapers from October, then. Okay. Um, so you want to see, um, social progress. You say that you want to see social progress shape technology usage, not the other way around. What do you feel like nonprofits are not doing as well as they could in this? That's a very interesting and complex question. All right. What we have in our, you know, I mean, we go... Don't take a full hour on it, you know? But now I don't know if we have time. You don't want the tail to wag the dog? Yes, exactly like that.
One of my personal driving philosophies, that sort of really, um, put me where I am today through various stints in higher education and the D.C. think tank world. And what that means to me, I think, is that I see, you know, technology is everywhere in today's world, and we're doing a lot with it. But a lot of what's being done is not all that socially oriented, right? You know, several years ago I was already sort of concerned about what Facebook was doing to all of us. And now, you know, come 2018, we get a really big download of exactly what's been going on there and how they have not really been all that interested in doing good by the world. And, you know, Facebook is obviously the bogeyman of the day. But you could look at any big tech company, really, and ask, okay, well, how much of this is socially relevant? And to be fair, many of these companies do have a lot of really powerful, um, philanthropy arms, and they do a lot of really good work. But as a community, I feel like the technology space isn't as focused as it should be on solving the really big problems that we face as a society, as a world, you know, matters of civil rights and environmental destruction and so forth. Um, and I think that the nonprofit community really does tackle those problems day in and day out. You know, that is their core focus. They're kind of safety net providers in a whole bunch of different spaces where, you know, other sectors just aren't quite stepping up.
And so what I would really like to see is a fusion of the spirit and the really innovative thinking in terms of social development and progress on the nonprofit side, and be able to fuse that with the, you know, really entrepreneurial creativity of the technology space, so that we can see more tools, more types of work that leverage this tremendously powerful toolkit that we've developed over the past twenty years or so, to really maximize the number of people who can be reached by a particular social intervention, you know, the number of people who are aware of various pressing problems, really raise the level of engagement of society as a whole. Uh, Jordan, I want... so that people are not only more aware of what's going on, what's really important, but that they're also empowered to do something about it that's meaningful and helpful. Okay, we've got to take our first break, but I want to continue this thread of the conversation, talking about, um, you know, Idealware, Nonprofit Technology Network. I feel like we're making inroads to this, but time for a break right now.

Pursuant: two new resources on the listener landing page. The Field Guide to Data-Driven Fundraising is practical steps to achieve your fundraising goals using data, and they've integrated case studies. Included, and Demystifying the Donor Experience guides you through creating a donor journey, that donor journey map, plus savvy stewardship strategies. You find those two resources on the listener landing page at tony.ma/pursuant, capital P for please.

All right, now back to Stay Secure in 2019. Right, Jordan, sometimes when I take these breaks I forget where we were, but I did not forget where we are this time. But on future breaks, I may ask you to be my crutch and remind me what we were just talking about. OK, so you want to see this fusion between social progress and the technology tools that can enable it, support it. We're making inroads, though.
I mean, there's Tech Impact. There's Nonprofit Technology Network. There's Idealware. Let's see, I just had a guest on, Ann Mei Chang, a few weeks ago, talking about, instead of Lean Startup, Lean Impact, you know, how to iterate and learn fast from, uh, in your nonprofits. I mean, that's sort of, ah, that is broader than just technology. But she was taking that technology, that tech startup theory of Lean Impact from Eric Ries, and applying it here to nonprofits. I feel like we're making inroads, right? Oh, yeah. Okay. Which is not where you want it, or not where you want to be yet, right? I think, you know, the corporate world is really good about innovating rapidly and figuring out new things to, new products to bring to market and new ways to capture the public's attention and so forth. I mean, they're really good at it. That's what they do. And I feel like the nonprofit and civil society space, you know, it's so focused on its core work, which is some of the most important work being done out there, right? You know, it is life-saving work. It is world-saving work. That they don't necessarily have much time to throw at considerations that might seem, in some ways, like overhead. You know, obviously fundraising, that one is a given, right? Everyone needs to do that. Yeah, but we, I know that mandate all too well. But there are other things that are perhaps equally important, like keeping abreast of what opportunities are out there in the way of technical tools that could really help, you know, again, reach more people or make your operations more efficient or save money or save... These are all important investments, and unfortunately overhead got a bad label several years ago. But, you know, on Nonprofit Radio we're always bristling at that, that thought that, oh, you know, if it's not direct service related, it's wasted money, and people won't, our donors won't understand it, and
they'll think that we're not good stewards of the money that they give us. That thinking has got to go out, because we're talking about investment in your organization and your people and in the services that you're providing. That's exactly right. Yeah, I mean, invested time and money to end up with a better, more efficient, leaner, you know, more impactful end state, like, that's just, there's no way around it, right? I mean, you can't deny that the most, well, I was gonna say most admired companies. Let's just say the wealthiest companies, whether they're most admired, that's a value judgment, but you can't deny that they're constantly investing in themselves, in their people. Amazon, Google, Facebook. Was that FANG? Netflix. You know, the companies are constantly investing in technology, and there's a lot of lessons to be learned in those types of investments. Oh, most definitely. And I think, you know, I also share your frustration with the whole idea that overhead is a bad thing, because, you know, it doesn't matter, and, you know, not to steer us unduly, but information security is often seen as overhead, right? It's something that you have to deal with on a regular basis. You know, you do it right, it's always in the back of your mind and always takes some resources and attention, and you don't really see immediate, tangible benefits, because by definition, good security is not getting broken into, right? And it's hard to measure the value of a negative. I know. Until, of course, you do get broken into, and you see just how bad it can be. So I completely agree. I think overhead is a sort of, I wish it were not a bad term, but since it is, let's get rid of it and call it something like, you know, core structural support. Investment. That's what... investment, you're investing. Exactly. Yeah, that's even better. And people understand that. And you're asking people to invest.
If you're talking to donors, you're asking them to invest, and you're investing in the work that they're investing in. They just give it to you, and you invest it. Okay? All right, let's... Good. Uh, love that opening. So let's get to some details. Tech Impact has this excellent resource which we're going to sort of talk through. So if you could just go to techimpact.org, is that the way to get it? I got it, but I forget, how did, what did I do? You go to techimpact.org, and then where? Then on our website, there's a whole bunch of menus, and there's a menu item for things that we do, and underneath that there is a security section. And if you go there, you'll get brought to a page that asks you for just basic information, and then you get a quick security checklist of the top things that you can do as a nonprofit, or honestly, for that matter, as any kind of organization or even a person, to be safer in a world that is getting less safe. Okay, yes. And I want to thank you. I appreciated that it was very minimal information that you asked for. Sometimes to get the resource, you know, yes, it's free, but you have to give up your physical address, a phone number. You know, I bristle at that. For this resource, it was just name and email. That was it, that's all. And that's all I ask for when people join our list: name and email. So thank you for that. Thank you for not going overboard with data collection. You know, I mean, privacy, because then you have to preserve it, right? If you take my address, then you will have to preserve it and secure it. All right, so we're gonna get to that. OK. So what kinds of risks are you concerned about? You're welcome to share client stories. I know you do direct work with client nonprofits. So what types of risk are you seeing? So I think, unfortunately, it's gotten pretty hairy, particularly...
I would say over the past year. 2018 was not a good year in so many ways. So what we've seen is that, ah, the attacks that previously were targeted, let's say, mostly at bigger fish, especially, you know, corporate fish, are now coming downstream to smaller organizations. And that is indicative of a few things. One important thing to understand about the space of IT security, or insecurity, if you like, is that it is, and has been for a while, dominated by big, actually corporate actors. I mean, these are international crime syndicates whose core business model is to break into other organizations and steal their intellectual property, use, or rather abuse, their infrastructure for other, you know, malicious reasons, just generally do as much damage as possible. Like steal half a billion addresses and credit card numbers from, it was, well, Marriott, whatever the name of the company that merged with Marriott last year. Springhill, not Springhill, but Starwood. Starwood, right. Half a billion addresses, credit card data, passport information for some people compromised. And that's just one example. Yeah, well, you go back, you know, even a couple of years, and, you know, many, many big names just, you know, fly off the pages: Home Depot, there was Target, Equifax, you know, the Office of Management and Budget in the federal government, like, you know. These attackers have very successfully targeted some of the largest institutions out there that have truly massive databases of personal information. But that's coming down, you see. Uh, go and steal people's identities, or, you know, it's a generative process, right? They take the information that they've stolen, and they use it to try to extract as much value from that data set and then build that data set further. So they might use those emails to send more spam, encouraging people to log into a fake...
You know, Google sign-in page or something, and thereby build their database even further. And they've really refined this. It's not a technique, it's a whole world of techniques, really. It's a business model, over several years, to the point where it's really a precision-engineered process, and they have specialization. There are different parts of this black market ecosystem that specialize in breaking into accounts. There are different ones that specialize in spamming. There are different ones that specialize in setting up and distributing attack toolkits that make it even, make it easy for people to start performing these attacks. So there's a lot of specialization, a lot of different firms engaged in this process, and there's, as you pointed out, billions of dollars to be made in compromising organizations. Now, historically, again, and even now, of course, the Holy Grail, if you will, is to break into a Target or a Home Depot or something, because they have millions upon millions of records, a lot of payment information and so on. But of course, you know, this is an arms race, and so the big companies have gotten somewhat better at securing themselves. Many of them have been hacked and therefore have been paying a lot of attention to their borders and making sure that, you know, they're relatively safe. And at the same time, the attacks have gotten cheaper to run, because they've been systematized and really reached a sort of industrial level of scale, which means that it is easy and cheap to run attacks against smaller and smaller organizations profitably. And so that's exactly what's been happening, is that, um, these very sophisticated attack toolkits and procedures have been used to go after smaller and smaller organizations. Ah, and another important thing to understand is that most of this work is not at all targeted. It's very opportunistic. So, you know, a...
A big crime syndicate will get a big list of email addresses by way of breaking into a company's database. And, you know, there'll be all sorts of people on that email list, you know, private individuals, partners of the company and so on. And the attackers will just use that database and send out fairly generic phishing emails to everyone on the list, on the assumption that, sure, most people will recognize that this email that's coming in is not actually asking them to reset their Gmail password. But if even one percent of the people on that, you know, many-million-person list do actually take the bait, that represents thousands and thousands more accounts they've just broken into and that they can now use to execute even more attacks. And so there's a lot of daisy-chaining that's going on here, a lot of building on prior work or prior attacks to create even more devastating attacks that target even more people. And so the nonprofit space is sort of squarely in the sights of this black market ecosystem now. And so, you know, on any given day I see emails coming in, both to Tech Impact itself and to our partners, who then forward them on to me, you know, maybe somewhere between five and ten fairly well-crafted emails, ah, on all sorts of subjects. You know, some of them say your Gmail account has been compromised, please click here to reset your password. I saw a brilliant one just yesterday, purportedly from American Express, saying something is wrong with your card, you need to click here to review some anomalous transactions. This email was spectacular. It had all the right branding. It was formatted exactly right. All of the links in the email even went to valid American Express web pages, except the big Click Here button, which sent you to the attack page that tried to get you to divulge your login information for your American Express account.
You're saying that was a very high level of sophistication? Very high, right now. Very high. And again, basically targeting everyone at this point. Okay. And that was very high quality. So very high quality. And I mean, I think the big theme is, I have seen a steady progression of the quality. So it started out, you know, in, let's say, well, that's a year ago, January of last year. Most of the stuff I was seeing was pretty shoddy, right? It had lots of spelling errors, very little in the way of visual branding. Um, you know, the formatting was terribly off. The email address didn't look even remotely convincing. But, you know, the email I got yesterday, again, everything about it was perfect, except that one button. And even the button, I mean, it was well formatted. You would have to actually hover over it and notice that the link points somewhere other than an American Express web page to be able to tell that anything was wrong. Okay. So the natural, you know, next question is, what the hell are we going to do about this? So your resource paper's got ideas, and you really want to start not with the technology, but with your people. Exactly. There's a misconception in the general, you know, world at large that because this is a high-tech problem, it must have a high-tech solution, and more to the point, that, you know, that high-tech solution is probably going to cost a lot of money. And it is true that there are some high-tech solutions out there, or I wouldn't call them high tech, I would just call them, you know, yes, technical solutions. None of them are that involved, and, you know, you shouldn't have to pay that much, if anything, for most of them. But the most effective solution to this kind of problem, um, is getting your team, your staff, on board with the project of keeping the organization safe and helping them to understand just how pervasive and sophisticated the threats really are.
You know, it's hard to get a bunch of dedicated, hardworking, you know, nonprofit staffers into a room for an hour and get them to listen to a lecture on, you know, how they need to care about security, you know, for all the reasons we talked about. They'd so much rather be getting their work done. But if you can get your team to understand that this is the risk, it's real, the threats are, you know, they're significant and growing, and get people to just adopt a stance of reasonable vigilance, you know, not full-blown paranoia, but just being a little bit, you know, thoughtful about everything they click on, whether it be an email that comes in that they weren't expecting, even if it comes from someone they know. Because part of this whole, like, iterative process in the attack space is that attackers will break into an email account and then send emails to every single person in that now hijacked account's address book, so that the emails do, in fact, come from someone that that person knows. You can't even now just say, oh, as long as I know the person, it's fine. It may very well not be fine. Because you maybe... but when you open an email and you're not expecting it, and it asks you to go, you know, to this special report that, you know, is for your eyes only and whatnot, especially if the person that you get this email from would never write that way, that should be a red flag. And similarly, whenever you're browsing online, you need to be vigilant about what you click on. You know, don't click, obviously, on anything that says you've won a thousand dollars, because that is never true either. It's certainly not true in real space, and it's doubly not true online. And, you know, you always just have to be a little bit, you know, a little bit suspicious, in the back of your head think, okay, could there be another, you know, ulterior motive here? Like, what's the agenda of the person who sent me this thing or, you know, is showing me this web page?
Um, you know, is that someone I trust? And do I have some context for why I'm being asked to enter my password here or provide this information or click on this button? Um, is this going to do what I want it to do? And if you can adopt that kind of a mindset and get your entire team to adopt that kind of a mindset, you become exponentially safer than most other folks around. Because this is a new mindset. It's hard to shift your thinking, particularly in the nonprofit space, where we operate largely on the basis of trust, right? You know, we have a lot of partners. Uh, you know, we have to trust that our partners are also interested in doing the same good work that we are. You know, we don't want to wander around being endlessly suspicious of everyone, but unfortunately, the state of security online... Yeah. Yeah, you really have to be all the more vigilant. We just have about two minutes before the break. Tell us what's been going on at Tech Impact yourself. Your CEO, or some sort, your CFO has been getting emails that purportedly come from your executive director. Oh, yeah. And we're not alone. So the more sophisticated version... we've only really talked about one type of attack, and there are others that we might want to talk about. But, you know, let's go quickly. There's a different variant that isn't quite phishing. So phishing is trying to get you to divulge your own personal information over email. But there's a variant of that attack where someone writes in to an organization pretending to be someone high up in the leadership team, the executive director or the CFO or someone like that, and asks various members of the staff, oh, I'm out of the office right now, but I really need you to conduct a transaction for me. I need you to buy some gift cards. Some of them get really creative, and they do their background research.
And they say, uh, we just had this annual conference, and I need to send gift cards to all of our speakers. Could you go out and buy those for me and then send me the codes from the back of those gift cards so I can, you know, send them along to folks by email? Those emails, when they're well done, can look exactly like they come from the executive director or the CFO or whoever. And of course they don't. And if you reply to them and do what they ask, you will be sending all sorts of things, potentially financial information, out to someone you're never gonna be able to find again, because they set up a fake email account for the purpose of trying to infiltrate your organization. And once they've done that, they're going to get rid of it, and it's going to be untraceable. All right, we're going to take a break. And when we come back, I want you to continue this, because I'm going to ask, ah, Jordan, how could this possibly happen at Tech Impact? Okay, so, ah, stand by for that.

Wegner CPAs, new for the New Year, they're kicking off a remote nonprofit roundtable series. They used to just be on location. Now they're doing it remotely, livestreaming. Each quarter a Wegner CPA will cover a topic that they're intimately expert in. So they're the experts, but you need to have a basic understanding of it. All right, I mean, you want to have a rough idea of what your CPA is doing and what to do in the nonprofit realm. That's what they're talking about. The first one is on January fifteenth, about revenue recognition for your grants and contracts. You go to wegnercpas.com, click Resources, then Seminars.

Now time for Tony's Take Two. It's time for you to be an insider, a Nonprofit Radio insider. Also new for the New Year, I'm kicking off something: expanded guest interviews that are going to be exclusively for Nonprofit Radio insiders.
Each week, I'm going to dive a little deeper into a topic with a guest or cover something we didn't talk about on the show in these three-to-five-minute videos. All right, the video is going to be on a private playlist entirely for insiders. How do you become an insider? Sounds like something that you would have to pay for. And you're right, it does sound that way, but you don't have to pay. Other people might charge for something like this, but I will not. Ah, all you do is go to tonymartignetti.com, click the Insider Alerts button, name and email, like Jordan and I were just talking about. That's all you've got to give, and you become an insider. tonymartignetti.com.

Now let's go back to Jordan and Stay Secure in 2019. Jordan, how could this happen to Tech Impact? The unfortunate thing is this is really easy to do, and it's easy to do for someone with not that much technical skill. And just because you get one of these emails that looks really carefully crafted and whatnot doesn't mean anything has actually been leaked or that you've been broken into. Every one of us as an organization has tons of information about us online, right? Certainly the names of our executive directors are incredibly easy to find. If nothing else, you can get them from our tax returns, right? And attackers, again, have built out this elaborate process that involves doing some basic background research on any organization that they want to attack. I'm sure that they go to the organization's websites and maybe even look at their tax forms and find out other things about the organizations. Actually, I read recently that many of these malicious actors are now doing extensive LinkedIn research on particular people within an organization that they're trying to go after. So you don't know what they're doing. They've built the whole process around this, and they use the publicly available information to construct, you know, an attack...
that is as plausible as they can make it. So, you know, if they see a mention on the website that there was an annual conference recently, they might throw that into the email, again to try to make it that much more authentic. They might mention someone else on the team and say, oh, you know, pretend that the message was coming from your executive director: oh, I tried to contact, you know, Jim, our CFO, and he was out of the office, but I really need this done. Can you help? It is very common behavior. Now, I will say each second of background research that a hacker does represents one less second of profit, right? They don’t want to put in that much time. So, you know, you shouldn’t worry generally, unless you are really, really big and really, really interesting, about, you know, hypothetical attackers scouring your web page and every other thing you’ve done publicly for information about you. They’re not going to do that, but they probably will spend, you know, a minute looking at the stuff they can find most easily. And then they’re gonna construct attacks based on what they found, and make it seem like, you know, the emails they’re sending are as legitimate as possible. They also will do that, actually, not only even just pretending to be part of the organization; they will also try to extort you and say, you know, I found out all of this fallacious information about, you know, your executive director, or, you know, what your organization’s doing. And they’ll drop some publicly available details that aren’t even remotely interesting and say, but I have so much more, and, you know, if you don’t want this to go out, then you have to pay me a lot of money. I actually saw an entire wave of these attacks last month, and they weren’t particularly well done. But they bothered to do a little bit of background research. So the bottom line is you’re going to get these emails.
They will contain information about you, and that should not be as big of a red flag as you might think. You shouldn’t respond to them. You shouldn’t do anything except, you know, look at them carefully, make sure that there isn’t anything in there that really is private and that someone has figured out, because if that’s the case, you need to do a lot more work to get things locked down. And again, just be suspicious. Don’t believe someone when they ask you to do something, you know, unless you have actually had a conversation about that request before. Better yet, I encourage every organization to have a basic policy that says no one in the organization is going to ask anyone else to authorize a financial transaction or a password reset or anything sensitive over email alone. That’s just never gonna happen, and it’s never going to be allowed. You always have to actually talk to the person who’s making the request to confirm that they, in fact, made it before anybody acts on anything.

Sounds like a sound policy. Okay. Let’s bring it back to what we can do to protect our organizations. So after staff training, what would you say is next?

So after staff training, and then again building a sort of culture of vigilance, and everyone being in it together and everyone having each other’s back, I would say there are some basic technical defenses you can put in place. Because the most dominant type of attacks that we’re seeing right now are definitely email based and identity based. That is, they’re trying to convince you that, you know, the attacker is someone they’re not, or, and most often, they’re trying to steal your own account credentials and then use them for exactly the same purpose. One of the best things you can do to protect identity online is to not use just a password alone, wherever possible. Passwords are a kind of outdated security mechanism.
They were only added back, you know, twenty, thirty years ago, when the original researchers who were building the Internet realized, oh, really, you know, not everybody should have the ability to read everybody else’s email without a password. That’s how open everything was until they tacked on the password, kind of as an afterthought, to fix the security hole. And of course, as the Internet has evolved to do all sorts of incredibly sensitive things, the password as a security mechanism really hasn’t kept up to speed. It’s not good enough for the level of security we really need of our bank websites and our social services websites and our, you know, electronic health record websites. So there’s a new standard, which itself is not perfect, nothing ever will be, but it’s a whole lot better than just a username and password. And this technique, or technology, is called a couple of different things, depending on who you talk to. But they all mean the same thing. You can hear the phrase multi-factor authentication or dual factor authentication or two step verification, and all of those terms mean you still have a username and password, but you also need to supply something else whenever you log in, to prove that you are who you claim to be, so that someone who managed to steal someone’s password can’t get in with just that.

This is, well, I think we’re starting to see this. I see it on a lot of options, you know, do you want to enable? I usually see there’s, like, two-factor authentication, and this is where a code will be sent to your phone number, to your cell, and then you have to enter that number into the site that you’re trying to log into. Is that what we’re talking about?

That’s exactly right. And the core idea there is, it’s actually just terrifyingly easy to steal someone’s username and password, particularly if you build a web page
that looks exactly like the Gmail login page, but it’s going to be very, very difficult for someone to simultaneously steal someone else’s phone. It is possible, but it’s just so much.

So nonprofits can implement this as, when people come in in the morning to log onto the system, they have to provide two-factor authentication.

You can do that. I would say it’s less important to do that on, you know, your PCs, you know, so that when you come in in the morning, you have to go through this process. Certainly hospitals do do that. Everyone has, you know, their little cards that they swipe against some sort of scanner, and that counts as their second factor. But most of us, I think, are now using something like G Suite or Office 365, which is accessible from anywhere. And that’s where the attackers really have a party, right? They can get in because you could get into the system from anywhere. The attackers can get in from Russia, Thailand, South Africa, lots of various places where they tend to work out of. And so those kinds of cloud based systems, as convenient as they are, also present a pretty big security risk, that literally anyone on Earth could attack. And so those are the platforms where you really want to make sure you have multi-factor authentication turned on. And the good news is, in most of these platforms, turning on multi-factor authentication is free and pretty easy. It’s, you know, there’s a few steps to it, but you basically just go to someone’s account, you say this person should now be required to use this second step verification, or multi-factor authentication. You have to have your team sign up. You know, basically, just put in their phone number that they want to receive those authorization codes at, and then you’re done. That’s it.
You know, their login process is going to be a little bit harder in some cases, but on the whole it’s pretty painless, and it’s so effective at blocking these kinds of attacks, it’s so much worth the extra minute that it takes just to enable this.

Okay. Let’s say we got a couple minutes before another break, so give us... No, we have to go to a break. Sorry, my mistake. So hang on there, Jordan. Think of the next thing we’re going to talk about.

Telos. Can you use more money? Do you need a new revenue source? This is your long stream of passive revenue that you get when companies that you refer process credit card transactions through Telos. Watch the video. Send potential companies to watch the video after you do. You go, you want to see it first. And then, if they use Telos for processing, your nonprofit gets fifty percent of the fee for each transaction. This adds up, small dollars adding up. The video is at tony dot m a slash Tony Telos.

Time for live listener love. We’ve got to do it. There’s so much of it. I get three sheets of paper, eight and a half by eleven sheets. Northvale, New Jersey. The live love to Northvale, New Jersey. Wow, Northvale. Hello. That’s two minutes from where I grew up, in Old Tappan. New Bern, North Carolina, live love to you. Carmel, California. Pataskala, Ohio. Live love goes out, however you pronounce it, even if you pronounce it differently than either of those two ways. Live love’s going to Ohio. Jacksonville Beach, Florida. Atlanta? Oh, California. Tampa, Florida. All right, awesome. Lots of live listener love today. And let’s go abroad. Why wouldn’t we? No reason not to. Tokyo and Cicada, Japan. Wonderful. Konnichiwa. Hanoi, Vietnam. Seoul, Korea. Annyeong haseyo, kamsahamnida for our Korean listener. Beijing, China.
Of course, we know ni hao, everybody knows that. Mexico City, Mexico. I always said guten tag. No, that’s not right. Mexico City, Mexico would be good afternoon, buenas tardes. Of course. Iran. That’s not guten tag either, but Iran is listening. Laos and Egypt. Well, look, the Middle East checking in. Love it. Lots of live love going out to all those people, and there may be others that we can’t see. Sometimes there’s masked cities, et cetera. And the podcast pleasantries. The podcast pleasantries have to go out to our over thirteen thousand podcast listeners. Right on the heels of the live listener love comes my gratitude to the bulk of our audience, which is listening podcast in the time shift. Whatever time device, however you squeeze Nonprofit Radio into your life, whether it’s Sunday nights or Saturday mornings, pleasantries to you. Very glad that you’re with us. Thank you.

Okay, we’ve got lots of time left for Jordan McCarthy and Stay Secure in Twenty Nineteen. What’s next, Jordan? What should we attack after we take on two-factor, with simple enabling of two-factor authentication? I don’t want to make it sound as if it's difficult. Once we checked that off, where should we go next?

It is really not hard at all, again, just so valuable. So we talked about phishing, we talked about email based attacks and identity based attacks. Again, I would say they are the most frequent and increasingly sophisticated type of attack we’re seeing, so that’s definitely your number one priority, I would say. But then there’s a whole other universe of things that also are happening at the same time. So let’s talk about malware and other sorts of more software based attacks. So in addition to the attackers just constantly, you know, trolling around, trying to find people who they can trick into divulging their passwords,
they’re also constantly scanning every system connected to the Internet to see if those systems are susceptible to various kinds of software attack that can sort of worm their way onto PCs, possibly even then spread to other PCs on the network. And again, all these attacks are very opportunistic, automated. It’s very rare that you’ll see someone actively targeting you because they care about you. They just want to, you know, hit the low hanging fruit. But that means they’re going to put up a malicious file that looks like, I don’t know, maybe a PDF of, you know, various discount codes for something; that’s a common technique. Or, even better yet, a free version of Adobe Photoshop, right? One day deal, you know, download Adobe Photoshop for nothing here, right? Of course, that’s ridiculous. That would never happen. And if you click on that link and download the software, you may get some variant of Adobe. But you’re also going to get a boatload of malicious software along with it. And once that software is on your machine, it can do anything it wants, pretty much. You know, it can watch every keystroke that’s entered into the PC. It can even take video and audio recordings. It can hijack the computing and network power of the PC and use it to attack other targets. So malware is a very big deal. And it’s become a pretty big deal because the most... it’s not even that recent anymore, but one of the more modern variants, or evolutions, of malware, let’s say, is called crypto ransomware, which is a mouthful. But what that basically means is this malware is very sophisticated in what it does. Once it gets onto a machine, it takes a look around. It finds every file that looks like it might contain something useful to you.
So every Word document, every picture, every email, takes all of that data and steals it, puts it into an encrypted archive, deletes the original copies from your computer entirely, and then puts up a message on the screen saying, we have your files. If you ever want to see them again, you have to pay us about a thousand dollars.

That was last year, the British medical system, right? And the entire city of Atlanta. All right, let’s get to what we can do to help mitigate the likelihood, minimize. I know we can’t prevent. What can we do to minimize the likelihood of this?

So when you’re talking about malware, again, the number one thing, going back to the earlier discussion, is to promote that culture of vigilance and thoughtfulness. But in technical safeguards, your most powerful defense of your software systems and your system security is to keep your systems up to date. And that sounds deceptively simple. For anyone who’s actually tried to do it, you know, it’s next to impossible, because everyone is very busy and no one wants to take the time to reboot their computer ten times a day to keep everything up to date. So it’s a challenge. But there are various tools that can help you do that. And keep in mind, when I say keeping up to date, I’m talking about not only your computer’s operating system, so Windows or the Mac OS. I’m also talking about your phone operating system, whether it be Android or iOS. I’m also talking about various programs on your PCs, especially web browsers and other software that connects to the Internet quite a bit. All of that needs to be kept up to date, because any one of those pieces could theoretically, if they get out of date, be broken into by one of these automated attacks.

Phones could be turned... Phones could be turned around into microphones against you, right?

Exactly. And, you know, phones are general purpose computers, too.
So if the phone gets compromised, theoretically, you could end up, you know, using that phone as a launching point onto other devices that are connected to it.

OK, what are we going to do? You scared us enough. You scared me. And it was very good, too.

Sorry, it’s a little bit late for Halloween anyway. So there’s a few tools that can help you. There are tools that very simply watch all of the programs installed on your PC and alert you if any of them get out of date. Some of them will automatically install patches for those tools for you. And most of them are free. You know, if you just do a quick online search for, you know, keep my PC updated, that kind of thing, you’ll get some good options. Whenever you download anything online, as part of this, you know, theme of vigilance, you want to look for reviews, make sure other people have used that tool and like it. But there are a lot of tools out there to do this work. That’s very ad hoc, right? Each PC would have to have that installed, and, you know, someone could uninstall it. It would be kind of messy. For organizations that are, I would say, above, let’s say, ten people in size, it probably makes sense to aim for some degree of centralization, where you can monitor and enforce the prompt application of software updates for both the operating system and other applications. And there’s a variety of toolkits that can do this. There’s two big-name types of toolkits that are useful in this case. One of them is called a mobile device management toolkit. And again, if you do a quick web search for mobile device management, you’ll find a bunch of different options. Some of the big players in the space there include things like Microsoft Intune, Cisco AirWatch, IBM MaaS360, and there are a bunch of others. But those are just some that come to mind, and those are really, really good at managing the security of mobile, as their name suggests, mobile devices.
So many of them focus primarily on the mobile phone space. But many of them can also handle desktops and laptops as well. For desktops and laptops, then, there’s another toolkit, or a type of toolkit, that really focuses in on that space, and those are remote management and monitoring toolkits, abbreviated RMM. And the first one was abbreviated MDM.

Tonight we love acronyms. I’m not really sure why, but thankfully you kept yourself out of jargon jail by actually using the full name before you even said the acronym.

So yeah, I get that way.

That’s why we have... when Nonprofit Radio has jargon jail. Oh, thank you. All right, finish your sentence, and then we gotta take our last break.

Okay, so remote management and monitoring tools do exactly what I proposed needs to be done. They help you watch PCs for anything that might need to be updated and get those updates applied promptly. They can also do more than that. They can watch and monitor antivirus programs, which are not actually as useful as you might think. So that’s why I didn’t put them first on my list. Keeping yourself updated is actually more important than having antivirus programs in place, generally. But it is a good last line of defense. And these tools are gonna help make sure that those stay in place and are updated as well.

All right, Jordan, wait. Take your last break. When we come back from this break, I want you to list again the resources that you named, so that people can have a place to check out, and, you know, the ones that you believe are sound.

Txt2Give. Can you use more money? Again, do you need a new revenue source? Here’s another way: mobile giving. You could learn about it with Txt2Give’s five part email mini course. Now, this is an email that is bona fide, so you don’t have to worry about it being a phishing email.
You know, you’re just five emails away, through this mini course, one each day, from raising more money, or raising money, to get started through mobile giving. It’s cheap to get started. It’s easy for your donors. The way to start the mini course: you text NPR to four, four, four, nine, nine, nine. All right.

And we still got several more minutes for Stay Secure in Twenty Nineteen with Jordan McCarthy. Alright, Jordan, what’s your list of resources that users can trust? So first of all, users... listening, listeners, listeners can trust.

Who’s you?

Well, they are users, too, but listeners is what we’re talking about here.

You want to look at whatever vendors you use, and you want to see, you want to have a look at what they say about their own security. So, you know, go to the web page of, you know, Blackbaud, Salesforce, Microsoft, Google, and, you know, just say, all right, tell me about your security. What do you do? What do you offer? What can you help me to nail down? Okay, because many of these platforms will have a lot of security features built in that you may not be taking advantage of. So start simple. Start free. Use what’s totally ordinary and included, but that you may not know about, already included. Okay. Then you want to start looking for other resources to tell you, you know, about what else you can do. What are the sort of tools of record that really are effective and secure and will increase your security? So, I mean, not to be too self promoting, but Idealware is a phenomenal resource for this kind of thing. They have tons of resources.

And listeners know Idealware. Idealware gets mentioned, you know, including on security. Yes. Objective, objective, objective.

Other indexes as well. So if you look at sites like PC World, Computerworld, Ars Technica, Wired, they usually do reviews of various security tools. I go to them routinely to see,
all right, what is the latest on the mobile device management toolkits? Which are really top notch? What antivirus programs are recommended this year? Because they always cycle in and out. Okay. Now, in terms of the tools that I use quite a bit and trust, I would call out, for things like authentication, obviously Office 365 and G Suite are phenomenal toolkits. They can both do a lot for you in terms of keeping things safe and helping you to monitor the security of your communications and your files and everything. So either of those platforms, I think, are exemplary. And both have built in multi-factor authentication. You just need to turn it on. If you’re looking for something that can go beyond those core platforms and span multiple products, you might want to look at a couple of toolkits that focus squarely on authentication, safeguarding identity. Those tools are Duo, D U O, and Okta, O K T A. And these are both really big names in the space of, again, just making sure that people’s identities are kept safe, and that they cannot get attacked by simply divulging their passwords. Both of them provide multi-factor authentication to a wide range of other tools, so you could end up just logging in with your Duo or Okta credentials and then be granted access to a bunch of other things, but in a very secure way.

Okay, excellent. We just have about a minute left, Jordan. So I feel like we did enough on why you should be paying attention to this. Let’s not wrap up with that. But I’ll leave it to you. How do you want to close? You got a minute.

I think I would say that, you know, things are pretty scary right now, and I don’t want to sugarcoat that. As you say, we said enough about it, but there is a lot that any given nonprofit can do. It’s not rocket science. You know, you might be told that you need to pay a boatload of money or hire, you know, a really fancy consultant to tell you what to do.
And if you find it helpful, sure, by all means, go and get some help. And, you know, if you want a lightweight approach or even something more in depth, Tech Impact is here to help. We’re more than happy to meet you at whatever level of support you need. But having said that, a lot of this stuff is really not that difficult. It can be done by someone who just has the time. I mean, that’s sort of all of our scarcest resource, I know. So that’s easier said than done. But if you have the time, and, you know, you can set aside some resources to dig in and turn on multi-factor authentication and figure out how to keep yourself up to date, you are going to be so much safer as a result. And for most nonprofits, that’s exactly what they need to do. As long as they are safer than the average, they are totally not interesting.

Okay. We got to leave it there. Don’t be interesting to attackers. He’s Jordan McCarthy, infrastructure and security lead at Tech Impact. You’ll find them at techimpact dot org, which is where you’ll find the resource paper with even more ideas. And they are at tech underscore impact. Thank you so much, Jordan.

It’s really a pleasure. Thank you.

Thanks. My insider video with Jordan: we’re going to talk about single sign on. Next week, the annual Zombie Loyalists replay with Peter Shankman. His customer service ideas are excellent, so it’s very worthwhile replaying it. I do it every year. If you missed any part of today’s show, I beseech you, find it on tonymartignetti dot com. We’re sponsored by Pursuant, online tools for small and midsize nonprofits, data driven and technology enabled, tony dot m a slash Pursuant, capital P. Wegner CPAs, guiding you beyond the numbers, wegnercpas dot com. By Telos, credit card and payment processing, your passive revenue stream, tony dot m a slash Tony Telos. And by Txt2Give, mobile donations made easy. Text NPR to four four four nine nine nine.
Our creative producer is Claire Meyerhoff. Sam Liebowitz is the line producer. The show’s social media is by Susan Chavez. Mark Silverman is our web guy, and this music is by Scott Stein. Be with me next week for Nonprofit Radio, big nonprofit ideas for the other ninety five percent. Go out and be great.