Tim Mooney: Politically Motivated Attacks: Who, What & How
Attacks on our nonprofit community are happening and the environment is likely to get worse before it improves. Just last week Elon Musk called our community a Ponzi scheme. The week before, he claimed only 5-10% of our work does any good, and that the sector is a big scam and a giant graft machine. You need to know who is a potential target of the attacks; what form they take; and, how to proactively protect your nonprofit. Tim Mooney, from Alliance for Justice and Bolder Advocacy, helps you understand.
We’re the #1 Podcast for Nonprofits, With 13,000+ Weekly Listeners
Board relations. Fundraising. Volunteer management. Prospect research. Legal compliance. Accounting. Finance. Investments. Donor relations. Public relations. Marketing. Technology. Social media.
Every nonprofit struggles with these issues. Big nonprofits hire experts. The other 95% listen to Tony Martignetti Nonprofit Radio. Trusted experts and leading thinkers join me each week to tackle the tough issues. If you have big dreams but a small budget, you have a home at Tony Martignetti Nonprofit Radio.
Welcome to Tony Martignetti Nonprofit Radio, big nonprofit ideas for the other 95%. I’m your aptly named host and the podfather of your favorite hebdomadal podcast. Oh, I’m glad you’re with us. I’d suffer with dipsesis if I had to thirst for you not to tell me that you missed this week’s show. Here’s our associate producer Kate with what’s up this week. Hey Tony, here’s what’s up. Politically motivated attacks. Who, what and how. Attacks on our nonprofit community are happening, and the environment is likely to get worse before it improves. Just last week, Elon Musk called our community a Ponzi scheme. The week before, he claimed only 5 to 10% of our work does any good, and that the sector is a big scam and a giant graft machine. You need to know who is a potential target of the attacks, what form they take, and how to proactively protect your nonprofit. Tim Mooney from Alliance for Justice and Bolder Advocacy helps you understand. On Tony’s Take Two: especially now, please follow your meds. We’re sponsored by DonorBox. Outdated donation forms blocking your supporters’ generosity? DonorBox: fast, flexible, and friendly fundraising forms for your nonprofit, DonorBox.org. Here is Politically motivated attacks. Who, what and how. It’s a pleasure to welcome this week’s guest. Tim Mooney, senior counsel at Alliance for Justice, has guided nonprofits through the maze of political and tax exempt law for over 2 decades. He empowers organizations to elevate their impact, challenge the status quo, uh, particularly relevant now, hopefully it’s not the status quo for very long, and drive meaningful progress. You’ll find Tim at Tim Mooney on BlueSky, also on LinkedIn, and you’ll find the Alliance for Justice at AFJ Alpha Foxtrot Juliet.org. Tim Mooney, welcome to Nonprofit Radio. Tony, thank you so much. This is a real pleasure to be here. I’m glad. Thank you.
Thank you very much for, uh, for, I’m glad it’s a pleasure for you as well, because I always say that it is a pleasure to host you, host our guests. The Alliance for Justice, Bolder Advocacy. I don’t know, you seem to be busting at the walls. I mean, I, I see you, I see the Alliance and Bolder Advocacy almost uh a couple times a week now. I, I spent a lot of time on LinkedIn and more now on BlueSky. I don’t know. I, I, I will confess that, uh, before January, I had not heard of the Alliance for Justice or Bolder Advocacy, and now I feel like I’m seeing you several times a week. What, what’s the Alliance about and what’s the Bolder Advocacy program inside the Alliance? Yeah, sure. We, we’ve been around for a few decades now at Alliance for Justice, and we are an association of, uh, give or take 150 or so organizations, and we all share a commitment to an equitable, just and free society. And we, as our tagline says, we build the strength of progressive movements by training and educating nonprofit organizations on advocacy. I’m reading this, you can tell, while harnessing their collective power to transform our state and federal courts. If you want to break that down, basically, I just assumed you had it memorized. Oh, I wish I did. One of these days the office does a lot of work on courts and judges and making sure that these are the folks that represent the interests of the people, not other types of interests. My side of the office is Bolder Advocacy, and we’ve been making some news lately just because of, you know, gestures broadly, all of this stuff that’s been going on. We help equip nonprofits with tools, knowledge, and understanding on how to be the best advocates that they can be, and we try to do that in the best way, which is to harness grassroots organizations to help reform systems, make positive policy change, but to be the leaders in the communities that they are.
And that’s been my job for, in, in a couple of different stints here, for the better part of 10 plus years and it’s, um, it’s, it’s more interesting now than it ever has been. I think I will, I will say that. Uh, uh, among the resources that you have, which are pretty vast, uh, at, at the, at the Bolder Advocacy, uh, in that, that part of the site, um, you, you, you do counseling. I mean, people can talk to an attorney, not for representation naturally, but you can, you can chat or, chat or converse with one of the Bolder Advocacy attorneys, right? That’s right. Uh, myself and my colleagues are all lawyers, but as we like to say a lot, we’re not your lawyer. Um, we are all trained and, and I’ll, I’ll sheepishly say we are experts in this very strange niche area of federal tax law, a little bit of state law, a little bit of nonprofit corporations and things along those lines, election laws, that makes up what it means to be a tax exempt organization, particularly around advocacy, and a couple of the things that we do, we are available for technical assistance questions, give us a call, you can send us an email, you can even fill out a little form on our website, and we try to get back to you within 24 to 48 hours with an answer. 9 times out of 10, we can answer most people’s questions, so long as it’s around you being an advocate as a tax exempt organization. We also do trainings, um, we were talking offline before we started recording that I was just recently in Seward, Alaska of all places, uh, with the wonderful people there, child advocates, and uh did a big training on, on what it means to be an advocate and the, the, the basics around lobbying activity as they’re considering a ballot measure potentially uh in Seward itself. So, um, do those types of things. We do trainings on the topic that we’re going to be talking about today, politically motivated attacks. During the election season, we’re pretty busy talking about what you can do around elections.
We have publications, we have one pagers, we even have a podcast of our own called Rules of the Game. And a lot of other things. So lots, lots going on at Bolder Advocacy. Yeah, there are, there’s a ton of resources there, but I, I, and I was particularly impressed by the fact that you can have a conversation with an attorney. All right. All right. And that’s, um, now AFJ.org is where the Alliance for Justice is. Bolder Advocacy, remind us where we’re gonna find that. Uh, we are now folded into the main AFJ website, so just go there and hit Bolder Advocacy at the top of the screen. It may be AFJ.org/bolder advocacy, but don’t quote me on that. You don’t, right, you don’t need that part. It’s just all part of the Alliance for Justice. OK, OK. Um, let’s, uh. Yeah, let’s get into what’s been going on. I don’t, I, I, we don’t need to spend time on, uh, what, what’s brought us to have this conversation? Why, why I’m now seeing Bolder Advocacy multiple times a week, you know, since January 20th, uh, essentially, or maybe the 22nd. Um, and I think we know, regrettably, we, we share this common understanding of what’s gotten us here. Um, what, what are some of the, uh, organizational potentials, you know, I mean, I, I, I, I. Uh, I also regrettably, I mean, it could be 100%, but you’re seeing attacks at, at, uh, uh, certain, certain types of missions, certain types of work. Why don’t you flesh that out for us. Yeah, I mean, this actually goes back before kind of the current administration. We’ve been seeing attacks against nonprofit organizations for a very long time and, and what you said is exactly right. It tends to be on topical organizations. It tends to be organizations that are working in particular hot button issues, and modern day DEI, LGBTQ rights, reproductive rights, immigration, the usual, the usual cast of characters these days.
But you know, it goes back even further. Civil rights organizations were targeted by independent organizations uh uh a long time ago, you might have heard of a clownish group called Project Veritas that would go out and went after organizations. So this is a tactic that has been used. Project, let’s just remind us, is Project Veritas, that was the organization that was surreptitiously creating videos, right, interviewing people without their knowledge, uh, being, being videotaped, and then, I think, selectively editing those recordings and embarrassing. Wasn’t Planned Parenthood one of them? Planned Parenthood was one. There were other, there it is, it is targeted groups through the years. I, I believe that it went through some interesting, uh, drama recently and the original founder left, but I do believe it still exists. The big thing was they’re an ideological organization that is trying to, you know, put a metaphorical stick in the front tire of, of the bicycle of these organizations to try and get them to go over their handlebars. But their tactics are mischievous and uh I would say unethical. I mean, it’s very clear that they are selective in their editing. They are would go after organizations um in their most vulnerable places, speaking to volunteers or other folks that don’t have that kind of training and essentially, you know, in a surreptitious way lead them to say things that they know that they could edit in a way that makes it look, uh, not good in, for that organization, even though that was a misrepresentation of, of the conversation, of what the organization was doing. Those are the types of things that we’ve seen for a really long time. What we are seeing now is that still, because there are some keyboard warriors out there that are, are doing those types of things too in addition to groups like Project Veritas and then their progeny. But we’re also starting to see this happen in official channels as well.
And of course, you know, this administration is rife with it right now, um, and what they’re doing, that’s almost its own category, but of course we’re seeing this at the state level as well. We’re seeing questionable, uh, investigations by administrations at the state level against organizations. Again, targeting organizations that are doing the type of work in these hot button areas, um, you know, it almost goes to say that they’re being successful, these organizations in, in, in convincing the public of their point of view on these types of issues. And so what has to happen? Well, these investigations, these phony investigations come about in a way to try to discredit them when they can’t win on the, on the merits of the argument, at least that’s kind of my point of view on some of this. So that’s what we’re seeing a lot of. We are having a lot of organizations ask us, when they give us a call, when they ask for our technical assistance about what they can do to be prepared to fight back in those types of situations. And the honest answer is, is that, you know, if, if you’re doing this after you’ve been attacked, you know, you’re a little bit behind the eight ball. You really do need to be prepared for these types of things in advance. And so we’ve created a variety of resources that will help organizations to think about, to plan and to be ready in the event that they are attacked by one of these types of actors, official actors, state actors, or otherwise. Yeah, and we’re gonna get to how to protect your, your nonprofit in advance. What should you, what, what, what should be dotted, what should be, what I’s should be dotted and T’s crossed in advance to reduce the likelihood, because you can’t eliminate the possibility but reduce the likelihood that you’ll be, uh, you’ll be targeted, uh, or that, uh, you know, an attack would be meritorious at all even on its face, that you’d be able to defeat it.
Um, what about, uh, in swing states are you, are you seeing any greater activity now in the, in the 6 or 7 swing states? Yeah, I think we’re starting to see it in, well, really in a lot of different states, you know, certainly in swing states, we’re seeing that any place where there’s a chance where there’s a tipping point, um, I think that that’s certainly a case, um, you know, and, and, you know, you see this all over the place too, red states, blue states, whatever. It’s just a question of what are the tactics that are being used. I mean, we’re starting to see a lot of them more in red states, at least the two that I’m thinking of, Texas and Ohio. Recently, Missouri is the third one, where, you know, traditional red states where there’s been some state investigations, but you know, you’re, you’re, you’re seeing these attacks happen also in blue states as well, often by third parties. So there’s no safe place for lack of a better way of putting it, um, from these types of attacks. You need to be prepared for these types of things, you know, we just like you have a good password on your computer because you’re, you know, hackers are everywhere, you need to be prepared for types of things like this. Yeah, and we’ll get into the preparation, which is essentially insurance to, to protect yourself in case you are, uh, you are targeted. Um, what, what, what kinds of attacks, there are, there are many different approaches that either government or some of these nefarious third actor, third party actors are, are conducting. What, what are you seeing there? Yeah, there’s a wide array of tactics that we’ve seen. And the interesting thing also is that once something is successful, we tend to see some copycat action in there. Um, the categories though that we see are claims of violation of the law is one really big one. So are you a public charity, 501c3, um, you know, there are certain restrictions on what you can do. There’s a limitation in how much lobbying you can engage in.
You’re prohibited from doing things to support or oppose candidates. Claims that you’re violating those types of restrictions is a pretty common thing, uh, claims of engaging in voter registration fraud or some other type of election related activity for a tax exempt organization. And yet, and yet there are provisions that allow us to do all these activities. Absolutely, and voter registration is perfectly bona fide. There’s, there’s a certain degree of lobbying and advocacy that you can do as a 501c3 as long as you take the safe harbor. That’s right. And, and, and, you know, there you are allowed to lobby, you’re allowed to lobby actually a fairly generous amount, but it, you know, there are accusations by some groups that you’re exceeding that and a complaint is lodged. Um, you are allowed to engage in a whole host of nonpartisan activities as a public charity. Elections, voter registration, get out the vote efforts, as long as it’s nonpartisan, you’re fine. What we’ll see is accusations that these nonpartisan activities are really this kind of cloak and dagger, really technically partisan, trying to get somebody elected type of activity. And of course, usually that’s a garbage accusation. But that’s the kind of stuff that’s put out there. It’s time for a break. Imagine a fundraising partner that not only helps you raise more money, but also supports you in retaining your donors. A partner that helps you raise funds both online and on location so you can grow your impact faster. That’s DonorBox, a comprehensive suite of tools, services and resources that gives fundraisers just like you, a custom solution to tackle your unique challenges. Helping you achieve the growth and sustainability your organization needs. Helping you, help others. Visit donorbox.org to learn more. Now back to Politically motivated attacks. Who, what and how.
That’s so insidious because it, it creates a chilling effect, you know, it, it discourages the nonprofits from exercising the rights that they are given in the Internal Revenue Code for the types of things that you and I are talking about now and maybe others, maybe other statutory frameworks as well, but I, I know the Internal Revenue Code as a, as a start. So it creates that chilling effect and then, you know, if you are, if you’re not chilled and you do uh do exercise the rights that your nonprofit has, uh, you’re, um, you’re attacked for it. Yeah, and I think that chilling effect is really the number one tactic here, or at least that’s the, the end game, because it’s just, it’s to shut you up, but it’s more pernicious than that even. Uh, a lot of these attempts will go after the funders of organizations that are doing the things that these folks don’t want to have happen. And so what they’re trying to do is they try to defund you. Now, of course, we’re seeing that at a, in a different way, officially through the federal government in, in recent weeks. But then there’s, you know, attempts to attack your funders, try to say, uh, shame funders into thinking that the grantees are doing something wrong or awful or terrible and try to leverage them to stop funding and pressure to withdraw that support. So chilling effect is really more than just directed at the organization. It’s, it’s against the larger network that supports that organization too, including supporters. How are they getting to the supporters? We use two good words, insidious and, and uh nefarious. I love the pernicious. No, you said pernicious, insidious words, right? Yeah, yeah. Um, how are they getting to the funders? I mean, are we talking about like individual funders? Uh, so there’s, I mean, there’s, there’s institutional, they might be a little easier to get to, but individual funders, are we, are we seeing it on that level also?
Well, what we’ll see we’re donors and donor against against individual donors. The idea here is to try to discredit the organization in a way where it loses its support within the community as well. As you mentioned, institutional funders, private foundations and the like, those are a little bit easier to go after. There’s, there’s a sense that amongst many of them that they don’t want to stick their head out, they don’t want to fund something that gets them in trouble, that looks bad for them or their trustees. So there’s certainly an angle there. But of course, you know, you go after an organization with a campaign that’s meant to denigrate what they do. Well, that also is meant to create a funding gap by basically shaming people from giving money to them within their own communities, you know, if they, they do a good enough job, uh, making a community organization look like a villain, well, that certainly is going to impact their ability to fundraise amongst individuals too. So there’s bank shots involved here. There’s all sorts of different things where the idea here is to discredit and, and defraud and to otherwise make it so that these organizations have a much harder time operating and being funded. All right, there, there’s, uh, going after the donors, whether institutional or funders, you, you, you have a broader term funders, also insidious, uh, there’s other, there are other methods of attack. Yeah, I, things like, um, investigations and, and sometimes that’ll be by official sources, attorneys, states attorneys generals have been doing some of that, but also the third party organizations will have a quote unquote investigation of their own and, and look into these types of things, you know, a fraud or abuse and, and will publish their findings on such things. There’s also intimidation lawsuits as well that we’re starting to see against certain organizations, um, and that.
Of course, you know, even if the lawsuit is meritless, um, that still costs the organization money to defend and effort and reputation and reputation. All of this works together against that chilling effect. And sometimes it’s multiple tactics that we’ve mentioned here before, sometimes it’s multiple organizations. It’s tag teaming together. All of these things are, are, are designed to discredit the organization, reduce its standing in the community and eventually hope that it goes away. A prominent example, ACORN, um, was a target of Project Veritas years ago. And uh it, it, it ceased to exist eventually over, over what we now know are largely false accusations or at least uh uh accusations that were much broader than anything that was actually going on within the entity. Some of these official investigations or other actions, um, the, the, the officers are, are working within their, within their statutory authority, like a, like a state attorney general, and they’re, they’re authorized, most, maybe all state attorneys general’s offices have charities bureaus, so there’s, so there’s authority to do what they’re doing, but they’re, they’re doing it under color of authority, but in a, in a nefarious backhanded way. Yeah, and, and these are the ones that are the most politically motivated we tend to see, you know, the Missouri Attorney General recently sued Media Matters uh over what seems to be ludicrous types of, of arguments. The interesting thing here and, and in Texas is the Texas Attorney General has done this, Ohio has done as well. What’s interesting here and what’s difficult, what’s challenging here is, is exactly what you said, Tony. These attorneys general are all empowered and have a great deal of, of latitude for their investigative authority. And so when they make these pronouncements that are based often on weak records, questionable complaints, you know, they are not necessarily acting outside of the law.
Now, I would argue that there is a line that they could cross where it would become problematic, but they have a great deal of latitude and authority to pursue these types of investigations and to eventually get into uh administrative complaints and some other types of things. And that’s what’s really tricky for this particular category is that there’s not a lot that you can do other than make sure that you’re, and we’ll talk about this later, be prepared in advance, make sure you’re dotting your I’s and crossing your T’s and know that your compliance is right. And if this type of a thing comes after you, you’re going to have to defend it. It’s going to take time and it’s going to take money. But you know, if you feel confident that nothing is wrong, well, you can continue to work on the things that are making these attorney general, attorneys general upset at you, um, and maybe have your revenge that way as you later on when or the, the what I would argue potentially is a frivolous complaint would eventually get withdrawn. People abbreviate, you know, AGs, and I always think, no, it should be A. I know, but nobody’s gonna do. It’s attorneys general. I think there was a whole episode of the West Wing on this, yes. It doesn’t matter. It’s completely frivolous and doesn’t even deserve a footnote, but I don’t know, I just always think, no, it’s supposed to be ASG right um. What, what about the, I’ve seen press too about the possibility of uh False Claims Act liability when a nonprofit is accused of submitting a payment for to a government entity, and they are not complying with, you know, the latest executive order on DEI. And so now there’s, now there’s a statute that they’ve committed fraud when they request their next payment. Please explain, explain what’s the potential here. Yeah, I mean, I have to, I have to confess a lot of that is a little bit outside my lane of expertise, but I will say this.
This is another example of a politically motivated use of the laws, um, in a way that is meant to cost an organization its standing, cost the organization actual money and time to defend. And whether or not there is any truth in those types of things, um, technical or otherwise, it doesn’t matter, I think, because again, this goes to that chilling effect. Uh, I think that the point of a lot of these intimidation lawsuits or enforcement actions or whatever they are, it’s not so much the substance of that individual action. The idea is to say, look at this organization here. You don’t want to be that organization, do you? Well, you better back off from your DEI program. You better make sure that you’re doing things that, that uh don’t make you a target. Get out of, uh, folks who are undocumented immigrants. You know, it, it is meant to intimidate, it is meant to chill, and that is honestly the real reason here. A whole host of the things that we’re seeing in the last few weeks since, since the inauguration are of questionable constitutional value. Oh, there are a lot of things that, that, um, will ultimately, uh, potentially by courts be reversed. But the point is that here and now there’s this flood the zone method that’s happening right now. Try to make it seem like that there’s little hope that, that the, the, the powers have turned and everybody is, is uh subject to the whims of a person or a group of people or a political party or whatever. And the idea is to chill and intimidate, and that is the real tactic here because so many of these things are probably not going to be considered legal at the end of the day when things are all said and done at the court level. That’s such an important point, Tim, that the, the, the purpose of a lot of this is intimidation, you know, discouragement. Oh, you know, there’s so much happening. Flood the zone is that, that goes back to Steve Bannon, uh, Trump’s, uh, adviser, particularly in the, in the, in the first, uh, presidency.
That’s his, that’s his strategy, flood the, well, it’s the way I’ve seen him say it on his podcast, flood the zone with shit. Yeah, just overwhelm people, overwhelm the, the, the what, 200 and some executive orders within the first couple of days of the administration. That alone. But then, you know, everything compounded after that, the, the, the federal employment major upheavals, you know, veterans, the, the different agencies being, being targeted, you know, the latest is weather, the, the National Weather Service, for God’s sake, and NOAA, you know, uh, it’s all part of the strategy, so you need to, need to recognize that, that a lot of, a lot of what’s happening is, is intended to have the effect that you don’t want it to have, to put you off, to just say I’m overwhelmed so I can’t pay attention to anything. And it’s, it’s, and, uh, uh, a couple of articles I’ve read on strategy and how to deal with this is just pick some things that are important to you, you know, you don’t need to doom scroll on your phone 12 hours a day now, you know, keep that to a minimum and especially not during right before you go to bed, but you know, pick some issues that are important to you and focus on those. Don’t let them defeat you with their strategy of flooding the zone to just overwhelm. And I think that one of the reasons why flooding the zone is so successful is that it, it, it’s the shiny silver object that takes you away from some of the bigger ticket things that are happening in the tax exempt space. I, I don’t have to tell you, but maybe the listeners will be interested in knowing that we’re now starting to see some things happen at Treasury and the IRS. And what that is going to do to impact tax exempt organizations and the exempt organization division within the IRS is an open question right now. Um, but the, the IRS has been insulated since post-Watergate years, post Nixon from politics. And that seems to maybe be changing now.
So, you know, on top of all of the things that we’re talking about, uh, there seems to be an attempt perhaps to distract from those types of things and, and that um DOGE-ifying of Treasury and the IRS that’s been in the news lately too. So, there’s a lot of really substantive things that are going on that are related to the topic that we’re talking about as well. Um, it’s all part of the, the flood the zone that we’ve been mentioning here. Is there anything more you want to cover, uh, we haven’t talked about or maybe more detail on something uh in terms of the, the forms of attack? No, I think that, that the biggest thing is that when it comes to the attacks, there, we’ve been talking a lot about PR attacks uh and that type of thing, but there’s also online attacks that, that we’ve been seeing and, and I mentioned kind of the keyboard warrior situation, you know, there’s certainly an element of online attacks going after databases and things along those lines as well. And, and part of what we are recommending as part, as part of our prep is to make sure that you’ve got, you know, good password protections and things like that, making sure that your online world is safe too. But you know, so much of what we do and how we do things are online these days that we’ve got to be really buttoned up in that area because that tends to be one of the big vectors that we end up seeing. It’s time for Tony’s Take Two. Thank you, Kate. Especially now with all the attacks going on uh against our nonprofit community. Obviously the show today, devoted to that. I’m harkening back to our guest Miko Marquette Whitlock and his advice when he was last on the show, to follow your meds: your mindset, exercise, diet, and sleep, you know, mindset. Manage, manage yourself, you know, if, if you feel depression, you need to get help with that, not let it fester, you know, do things that are good for you mentally.
Exercise, of course, taking just equal care of your physical body, uh, like you’re doing with uh with mindset, and you know what exercising is right for you. What it is that invigorates you, gets those endorphins going. All important diet. You know, the foods that are right for you, uh, doesn’t mean you can’t indulge now and then. But being careful, not, not, uh, overeating out of, out of stress. And sleep, getting adequate sleep. We’re all supposed to get between 7 and 8 hours for adults. Well, probably adults are listening to this. I don’t, I don’t think there are any children under 12, uh, listening to Nonprofit Radio, not likely, unless they’re future, uh, you know, aspiring nonprofit CEOs, maybe that could be or board members, maybe, maybe you have a 9 year old who aspires to be a nonprofit board member, could very well be, but, but if not, uh, 7 to 8 hours recommended sleep, so please, uh, this important advice, particularly around challenging, this challenging time from uh from Miko, mind your meds, the mindset, exercise, diet, and sleep. And that is Tony’s Take Two. Kate. Yeah, a little self-care moment never hurts. Get a mani pedi. That’s my, that’s my favorite like uh, thing for me to take care of myself. Love going to get my hair done, little mani pedi that really like calms me down. I see. All right, so we have to modify I for indulgence indulgence mindset. Yes, meds for uh for our associate producer Kate. Maybe we can add an F in there too, so it’s like meds, so it’s like family and friends. Family and friends, that’s the different meds. OK, meds. All right. We’ve got Voco but loads more time. Here’s the rest of Politically motivated attacks. Who, what and how with Tim Mooney. Let’s, let’s go then to, um, what we can do in advance, the point you made earlier that we don’t want to wait until someone comes after us, starts asking, well, you know, what we, we’re just asking questions.
We’re, we’re just, we’re just asking questions about whether they’re in compliance. That’s all we’re doing. And if they’re not, we certainly want to find that out, but we won’t know if we don’t ask the question. And of course there’s no predicate to ask the question there’s no reasonable basis for asking the question, but we’re doing it. Um, alright, so in advance, in advance, what should we be doing? You’ve got some, we have plenty of time left together, you know, so what should we be doing now reviewing, making sure that we can, as I said, do the best we can, which is to just minimize the likelihood of, of success of an attack or maybe even stave off an attack. In advance. Yeah, I, I think that the most important thing that you can do first is know the narrative around your organization. You know, is there a common but false narrative about your activities, particularly from folks that are Opposed to your point of view. So are you uh uh uh a voting rights organization, you know, all the common narrative often for voting rights, particularly civil rights organizations, is, oh, they’re registering illegal voters, the common narrative. Um, if, if you are um with an organization that is, um, Interested in criminal justice reform, the the the concept of what defund the police means, and and and how that is impacted by your organization. Are you a civil rights organization working in the DEI space? Well, we all have heard about the, the, the, the narratives around that. So know your organization and know what the potential attacks are. What are those common but false narratives are. From That point, everything sort of opens up from there because when you know where those potential vulnerabilities are, what is, what are the narratives that tend to have resonance with folks that are false? That’s the good starting off point. 
And, and sometimes that’s as simple as just kind of opening up social media and looking at what the other side is saying about your stuff, um, and then kind of uh taking it from there. OK, be aware of what people say about you, what they may, including what’s what’s potentially false. Um, other stuff, you know, compliance related, you know, your organic documents, compliance, let’s let’s talk about that. I think compliance is a really important piece and it taps into a whole bunch of other things that you’ll want to do as well. You know, you’ve got to know what laws your organization is subject to. And and for for many organizations, that’s going to be starting off with federal tax law because that’s what sort of organizes us as tax exempt organizations. If you’re a public charity, as we mentioned before, you’re allowed to Engage in lobbying, you’re just limited in how much you can do. There are reporting requirements around your lobbying activity. This is a common area. Anytime that there’s any kind of limits or reporting requirements, especially for the type of work that you do, you’ve got to make sure that you know what those are. When you have to register, there’s a registration component and what your reporting obligations are and because often this will happen not just at the IRS level but also at the state and perhaps even local level as well. Um, you know, I’ve been talking about lobbying, but this could be something as simple as charitable solicitation registration, you know, are what are the rules in your state? Are you doing things outside of your state where you might be subject to those states charitable solicitation rules. 
All of these types of things are really important because if you are a a a small nonprofit and maybe you don’t have a lawyer on your board of directors or or somebody who really understands compliance in these types of things, but you’re you’re aiding um uh undocumented folks in your community and someone wants to come after your Well, they can just look at the charitable solicitation records and say, oh, look at this fraudulent organization that hasn’t registered and reported, you know, and that’s small potatoes comparatively, but that’s the kind of stuff that that you’ve got to be careful about. You want to make sure that compliance is a big part of what you do, especially if there are those common false narratives there. So you you do really want to make sure that that’s an important type of thing. Um, it also gets to the point with where the vectors come in. And often what will happen is that there will be attempts by organizations or investigators or whomever that will try to Interact with your staff or your volunteers. It may be a public event and start asking questions. We often call these odd questions or weird questions because they’re really trying to route uh the person that they’re talking to to quote unquote admit something. And so what you need to do there is this interface is on the compliance side but also on the training side as well. So say you’re an organization that’s doing uh nonpartisan get out the vote work. And that’s perfectly legal. It’s perfectly legal under all sorts of different, different uh rules and regulations. But if you have a volunteer and someone comes up and says, oh, thanks for doing this uh nonpartisan event, but really you’re here to register people in this one party, right? What are they trying to do? They’re trying to get that person to, to, uh, you know, trip up and admit those types. This is the Veritas. It’s that right now but it could be an official official investigation as well. 
Um, you know, the idea here is, OK, you gotta make sure that anybody that’s public facing has got to understand that, you know, just because someone comes up and is friendly and is asking questions and maybe asks the question over and over again just to elicit a response. That, you know, you’ve got a responsibility to represent the organization, right? And the organization on the other hand, needs to make sure that those folks are trained. And so we’ve got a whole host of a variety of different recommendations for that type of a thing. But most importantly is that you’ve got a, a point person at any given public event where if that volunteer feels like they’re getting a little browbeat with these questions that they know they can say, hey, I don’t know the answer to your question. I’m gonna go get Suzie over there and come and talk to you. That, that’s the kind of stuff that you that that puts the separation between that type of a thing. Now, is every single person asking these types of questions a part of some Project Veritas or a state attorney general investigation? Of course not. But at the same time, these are the types of things that you want to do from a best practices perspective, to make sure that you’re buttoned up, to make sure that you’re Organization not only is doing the things legally, but doesn’t get tripped up by bad actors with bad intentions to say something that makes it look like, especially with some creative editing, that you’re acting contrary to how you’re actually acting. We need to be more vigilant now, more, more more conscious of, of the potential for the the kinds of Well, you know, um, bad actors, whether they’re official or unofficial, uh, being out there lurking, you know, trying to, trying to, trying to set us up, trying to trap us. We, we need to be more aware than we did a year ago. I don’t know about you, Tony, but I, I was a big Spider-Man comic book fan and cartoon fan when I was younger. 
Well, actually I still am, but just between you and me. I’m a big fan of my spidey sense, you know, if you don’t, if you’re not familiar with Spider-Man, if you’re a listener, Spider-Man has this unique superpower where if something is bad is happening, if he’s about to get hit by a villain or if somebody has launched a missile at him or something along those lines, he gets a little tingle and in the comics it’s these little lines over his head. I think we all have that in some way, shape or form. Our instincts are usually pretty good. If your spidey sense is going off, you know, it might be good to listen to that, especially in the context that I’ve been talking about, um, you know, it’s, uh, our instincts are pretty finely honed in those areas and it’s pretty good to listen to those two. A couple of weeks ago we had Gene Takagi on and uh he was talking about, and I’m sure you know Gene. Oh yeah, absolutely, yeah, he’s our legal contributor. He was talking about uh compliance with your own organic documents, your own originating documents, your, your bylaws, uh, uh, your, even your mission statement. Gene talked about it, but it’s been a few weeks and it’s important, so I’d like you to. Uh, you’ll you’ll end up amplifying what Gene said about compliance with your own documents, please. Gene’s one of the smartest lawyers in the biz, so shout out to Gene. You need to make sure as a function of state law, that you are complying with your nonprofit corporation laws. One of the many different ways that comes into play is when you tell the state, because you’re getting a deal from the state by by registering as a nonprofit corporation, and that It means you’ve got to operate in a particular way. You’ve got to have a certain number of board members. They’ve got to be operating in a particular way. You have to make sure you’re complying with that state statute around that. 
And your articles of incorporation are talking about the, the methods that you’re going to engage in and the type of topics that you’re going to be uh working under. But then your bylaws are really going to dig into the details and very often organizations will have bylaws that they haven’t looked at in decades. And they no longer follow them. The board meeting minutes are done differently. Um, they don’t operate with the same type of procedures that their bylaws and maybe even their articles uh require. Uh, and it’s critically important that you’re following those types of things because if you don’t, then you are likely in some type of breach of the laws around the nonprofits within your state, and that is something that could be potentially a. But it’s certainly something that could at least again be highlighted, you know, oh, look at this organization, it’s supposed to have um uh open meetings for its members and they haven’t done that since 1978. Look, there, there, there’s, it’s a scofflawer organization, or if you’ve got an attorney general who is particularly disinclined to like your organization, they will certainly like to dig into what your procedures are. Are you following your articles of incorporation? Are you following your bylaws? Are you in breach? I talked about uh charitable solicitation rules. There’s a whole host of different things. There are taxable events for some tax exempt organizations from time to time. You’re not necessarily exempt across the board in some states. Are you in compliance with those filings? So making sure again that you know what your exposure is, what your obligations are, and especially the calendaring of those obligations. File on time, don’t file late. If, uh, you change your activities, and that’s subject to another law, you know, election-related activity is often one of these types of things. Are you getting involved in a ballot measure? 
You may have registration requirements because you’re participating in a ballot measure as a charitable organization. It’s totally fine. It counts as lobbying, but under state and local rules, you may have to register and report. Separately on top of that, you gotta make sure you’re doing that and if you’re not, you could be subject to fines, you could be subject to other types of actions by the state or local law. And so these are the types of of angles that could be taken on the official level, but also outside of, of, of the official enforcement agencies to try to Embarrass and to denigrate and to show to funders. Funders do not like it, do not care for organizations that are not following the laws. So you know, highlighting these things for organizations that work in subject matter areas that we’ve already talked about, um, to try to get them to lose standing in their community, standing in their funders, that’s all part of the game plan here and that’s why it’s important that you got to make sure what your obligations are and follow them. Tim, what are the limits, uh, that bolder advocacy can take? I mean, you, you said your attorneys, but you’re not, uh, we’re not, we’re attorneys, we’re not your attorney. But what, what types of questions around what we were just talking about, could, can you field or or maybe even not field what would go over the, over the, the boundary? Yeah, the line is, you know, since we’re not, we do not have. Attorney-client relationship, we don’t give legal advice and the and it’s a fine line between technical assistance and legal advice, but essentially what we can do is we can help explain what the rules are. If it gets to something that’s more specific, you know, where an organization is asking a very specific question and asking for essentially more of an opinion than what the law says, that’s where we start getting Into the legal advice uh perspective. 
And that’s where we’ll kind of, you know, say, well, um, this, this is the line we can’t cross, but this is a good time to tell you, you should retain local counsel to be able to properly answer that question. I think the thing that we do really well is most of the questions that we get, we can answer, the vast majority I would say. When it gets to the point where someone is asking for legal advice, we can help them get to the point where they can have that conversation with their lawyer, whether it’s their internal lawyer or external counsel, and sort of fast forward them a little bit in the conversation, maybe save them a few bucks, and that’s, that’s kind of one of the big reasons. Why we were founded all those years ago, why I think we’ve been supported by a lot of organizations and by, of course, a lot of private foundations as well, because we’re able to give that kind of service within the boundaries of what we’re able to provide, um, and to serve the broader nonprofit community that way. Thank you. All right. Um, let’s talk about data security. You mentioned it, uh, you mentioned it briefly earlier, but now in our discussion of how to protect yourself, data security, personally identifiable information, etc. Yeah, it’s interesting, you know, I, I’m of a certain age where I was around before the internet, and I remember time before the internet and you know, I think that those of us who are sort of in our age range, you’re not the only one in this conversation you go Gen X’s right, yeah, yeah, you know, I mean, we, we came in with the idea of, oh, you’re going to put your credit card into that machine and it’s gonna, you know, give you a book later that gets. 
Delivered well, that’s strange, you know, and then we eventually got comfortable with all those things and, and I think that a lot of folks who are a little bit younger than us, uh just got were thrown into the world where, you know, oh yeah, of course you share your your your personal information on the internet in your social media accounts and things like that. And so I think what we’re seeing is a retrenchment of that a little bit that maybe we don’t necessarily need to put absolutely everything out there. And the reason why is that our individual act activities as say employees of a nonprofit organization are sometimes used to suggest that the nonprofit is doing things that it shouldn’t do. So, on my own personal time, on my own dime, I can support a candidate of my choice. I can’t do that in my role as senior counsel for Alliance for Justice. It’s a 501c3. We don’t do that. We don’t support candidates out of that, out of the C3. But these malicious actors will often try to cherry-pick and and and and take that information that’s sort of out there and create a a a feeling that, oh, that organization is just full of people that all they want to do is see this this person elected or that person defeated. All you have to do is look at their social media posts, and that’s the kind of stuff that we often see is that conflation. And of course the traditional stuff, the cyber attacks, the hacking, the phishing, I mean, I can’t tell you how many times I have gotten an email where it’s very clear a text even today, where it’s it’s enormously clear that it’s a phishing attack, but we do training internally and I have um thought of myself as a very smart person who will never get caught in a phishing attack and one of our training um uh. Thats absolutely caught me, absolutely caught me. Why did they say? I I even have my prop for this. It was, it was, it was months ago before these came in. 
We have a new swag for those of you who are on the video, you might be able to say we have swag for our, our organization now. So frontline, front line of democracy? Yeah, front lines of democracy on the front lines of democracy FJ.org, really great sweatshirt, very excited for these things. Well, we were, we, we got a faux phishing attack that basically said, oh, put in click here to put in your size, and they got me on that one. So phishing attacks can, and this was I can’t emphasize enough, this was a test, just to show how often these types of things can really dig in and look legit when they really aren’t. So do those do those internal trainings, know what’s what’s coming after you. Uh, have your complex passwords, make sure that they get a reset every couple of months or whatever is kind of best practices, two-factor authentication, all that kind of stuff. If someone nefarious gets into your database, they, they, they’ve got so many opportunities to wreck you, to lock things up, or to make things to plan things perhaps. And then make it look like that you’re doing things that you’re not. It’s a really, really pernicious type of a thing. So making sure that you’ve got good hygiene for your own personal online type of things. Um, and doxing, of course, is another type of a situation that that we’ve been seeing as well. And, and you know, we’re seeing a movement, I think, again, to start to retrench how much personal stuff that we put out there. But it is remarkable how much information, individual personal information is out there, you know, if your password, for instance, is, uh, your, your favorite sports team’s most recent championship, and as a Buffalo Bills fan, I do not have that, so I can use that as an example. Um, you know, and, and you know, that’s the type of thing it’s like, oh, well, that person is a big Philadelphia Eagles fan. Well, if it’s Eagles and then the date of their most recent Super Bowl win, you know. 
Trust me, they’re gonna try those types of things. Um, you know, that’s the kind of stuff that that that we’ll see that is sort of these attacks to get in, but also the doxing element of, of things when we learn you can learn where people live and have protests in front of their house and things along those lines and then release that information uh out into the general public with an intent to create harm or at least um discomfort for that person. All of this stuff is, is out there, and it’s stuff that we’ve got to be mindful about because, you know, when you sign up to work for a nonprofit organization, you’re, you’re not signing up to be, you know, on the. Front page of The New York Times or to necessarily be be subject to the whims of some of these types of personal attacks, but we do see that, um, we, we’ve seen, um, election officials, local election officials, um, get, get doxed and and harassed online. And, and, and this is the type of of attack that we’re seeing. It’s, it’s to the organization, but it’s narrowed down to the personal. And so making sure that you’ve got uh your Your individual um online home buttoned up a little bit more, um, think about how much you want to be out there. That’s, that’s another thing as well. And your CRM database, um, and, and so in light of all this, uh, talk about data security, I want to remind listeners that that same show a few weeks ago where we had Gene, we also had Amy, uh, Sample Ward, our technology contributor, and she gave a very good explanation of managing your data, making sure you’re not saving data that you don’t need. That’s personally identifiable and could be compromised. So that’s all in the episode called Prudence in our political environment just a couple of weeks ago. Yeah, retention policies, all of that. Make sure that’s all buttoned up. Um, there’s a lot of best practices out there and a lot of resources that are out there to allow you to not have to reinvent the wheel on this kind of stuff. 
Whistleblower protection, another one, another one, what about, uh, openness and transparency with our, with our funders whether again institutional or, or individual, as a, as a method of again protecting ourselves, you know, being open about and truthful about what our work is maybe part of that is defeating false narratives that may be out there or could, uh, that aren’t out there or could be out there, but just open this with our, our, our funding community. When you are attacked, the instinct is to, oh, we’ve got, we’ve got to huddle up and we’ve got to keep this quiet. I, I, I think that our advice is kind of the exact opposite as, as you’re suggesting here. We need to make sure that we’re being open when a false attack comes at us. We need to make sure that we tell our allies, our community, and indeed our funders what’s going on, and the reason why is. There’s copycat attacks, so we’re going to help prevent that by getting that out there, but we’re also going to be open about what’s going on. And in doing that, you are huddling up more broadly, not just internally, but more broadly with your allies, with your community, with your funders, because they are on your side. And you know, an attack against one is really in a sense an attack against all, um, from, from my perspective at least. And so what that does is it will help. Everybody within your coalition and your funding community understand what is happening and what may be coming. And there may be an opportunity that comes out of this attack rather than just the cost of the, the attack, and the cost of course can be time and money and and and opportunities, but you know, if it is easily revealed that there is a, a political animus behind this type of a thing. 
This might be something that actually gets a broader attention and there there could be a backlash against that attack and that might actually end up being, it’s never good to be attacked, but it might be in the long run, a positive thing because what you’re doing is you’re showing the tactics of this other side that are negative and unethical and spurious, and that they’re doing it because you’re succeeding in doing things. that they don’t like. And that just doubles down on all of that and may ultimately mean more support, ultimately when all of a sudden done. But that doesn’t happen unless you got a plan, you are good on your compliance, you’ve trained your staff, and you’re ready for the types of attacks that are based on the false narratives that you should know about just by being active in your field. You said that you believe an attack against one is an attack against all. Um, I believe that the nonprofit community. is much stronger when we all stand together. And protect any one of us under threat or any segment of us under threat and that whether that’s a mission that we believe in or it’s one that we find antithetical to our to our being, but there’s still a 501c3 and they’re part of the community and they’re under attack and you never know when the attack may point toward you. So I leave with the, the, the strength of the community when it stays together. The, the attacks often are not are ideological, but I, I, I think that you’re exactly right. This should span ideology. The the the the the nonprofit community is strong because we represent our communities and, you know, An attack against a nonprofit is an attack against a real pillar within our communities broadly and, and, and it’s a bummer that this tends to have political ramifications to it. It shouldn’t. The tax exempt organizations span ideology. They serve communities, they’re charitable, they’re educational, they’re scientific. 
They, they, they shouldn’t, they shouldn’t be subject to those political whims. And and and I’m I’m saddened that that this is the latter part of my career been that type of a thing. But you’re absolutely right that by going after these types of entities, it’s really trying to hobble one of the important legs of a stool of what our communities are built on. And, and, you know, I think that nonprofits are critically important in our communities and by going after them in any way, shape or form, really is taking a hatchet to good things and good people and good ideas and to do it over the sense of ideology is a really sad thing to me. Tim, thanks for sharing all your advice, advice from Alliance for Justice. Thank you very much. Thank you. You’ll find the Alliance at AFJ.org and there you’ll find the important Bolder Advocacy half of the alliance. You’ll find Tim, he’s at Tim Mooney on BlueSky and also on LinkedIn and Tim, thank you again. Thanks so much, Tony. I really appreciate it. Next week, great value in sustainable giving. If you missed any part of this week’s show, I beseech you. Find it at TonyMartignetti.com. We’re sponsored by DonorBox. Outdated donation forms blocking your supporters’ generosity. DonorBox, fast, flexible, and friendly fundraising forms for your nonprofit, DonorBox.org. Our creative producer is Claire Meyerhoff. I’m your associate producer Kate Martignetti. The show’s social media is by Susan Chavez. Mark Silverman is our web guy, and this music is by Scott Stein. Thank you for that affirmation, Scotty. Be with us next week for Nonprofit Radio, big nonprofit ideas for the other 95%. Go out and be great. There’s one sentence I need you to reread. In the politically motivated attacks block, uh, you said. You need to know who is a potential target of the attack. So we need attacks, so why don’t you just say that sentence. That starts, you need to know.
As our 2024 Nonprofit Technology Conference coverage continues, Janice Chan returns with the savvy idea of adapting team meeting principles to a team of just one. She’ll have you thinking of yourself as a team leader, rather than one person doing everything. Janice is at Shift and Scaffold.
Steve Sharer: Cyber Incident Cases And Takeaways
We’ve got good stories about bad actors. You’ll also hear the practical steps your nonprofit can take to prepare for cybersecurity incidents to reduce their impact. And we’ll empower you to hold incident prep discussions with your leadership or staff. Steve Sharer, who says “Security is a team sport,” joins from RipRap Security. This is also from 24NTC.
Virtuous: Virtuous gives you the nonprofit CRM, fundraising, volunteer, and marketing tools you need to create more responsive donor experiences and grow giving.
Welcome to Tony Martignetti Nonprofit Radio. Big nonprofit ideas for the other 95%. I’m your aptly named host and the podfather of your favorite hebdomadal podcast. Oh, I’m glad you’re with us. I’d suffer the effects of formication if you made my skin crawl with the idea that you missed this week’s show. And if you think I said fornication, get your head out of the gutter, close the porn hub window. It’s formication. Here’s our associate producer, Kate, to introduce this week’s show. Hey, Tony, we have Strategic Meetings for Teams of One. As our 2024 Nonprofit Technology Conference coverage continues, Janice Chan returns with the savvy idea of adapting team meeting principles to a team of just one. She’ll have you thinking of yourself as a team leader rather than one person doing everything. Janice is at Shift and Scaffold. And Cyber Incident Cases and Takeaways. We’ve got good stories about bad actors. You’ll also hear the practical steps your nonprofit can take to prepare for cybersecurity incidents to reduce their impact, and we’ll empower you to hold incident prep discussions with your leadership or staff. Steve Sharer, who says security is a team sport, joins from RipRap Security. This is also from 24NTC. On Tony’s Take Two, delightful nostalgic women’s names. We’re sponsored by Virtuous. Virtuous gives you the nonprofit CRM, fundraising, volunteer and marketing tools you need to create more responsive donor experiences and grow giving, virtuous.org. And by DonorBox. Outdated donation forms blocking supporters’ generosity. DonorBox, fast, flexible and friendly fundraising forms for your nonprofit, DonorBox.org. Here is Strategic Meetings for Teams of One. Welcome back to Tony Martignetti Nonprofit Radio coverage of the third day of the 2024 Nonprofit Technology Conference. We are all together in Portland, Oregon. 
Nonprofit radio coverage of the conference is sponsored by Heller consulting technology strategy and implementation for nonprofits with me for this conversation, a uh an NTC perennial for nonprofit radio, Janice Chan, you knew she was coming. She’s Director of Shift and Scaffold Janice. Welcome back to nonprofit radio. After many NTC appearances. Many thanks for having me back, Tony. Always good to see you and talk with you. Thank you. It’s a pleasure as well for me to be here in person with you. Not just on Zoom. Yes. Yes. Uh This year your session topic is strategic team meetings for teams of one. All right. All right. Before we get into that, I, I wanna, I wanna talk a little about, I knew that I remembered I was reminded that you were studying Japanese. I, I, when I read it, I had remembered from previous years. Now, you live in Japan? Yes, I, I have been studying Japanese because my husband and I were not realized. But we had decided to take this job opportunity for him, which was based in Tokyo. And so we’re like, all right, we should start trying to learn the language. So, you know, it would be helpful to live there if we’re going to live there. And so, yeah, so we moved about a year and a half ago in 2022 some delays due to the pandemic. Um but it’s been great so far. And yeah, working at learning the language at the place that I live in, I’m sure living there helps quite a bit. You’re immersed. Uh is, is, is English very common or not, not so much, you can definitely get around Tokyo in English outside of Tokyo a bit harder. Um I think they did a lot of things to prepare for the Olympics when they were supposed to be there in 2022. And you know, in terms of the train signage and things like that. So you can get, you can get by in the city, in the city. Actually Japanese people in school, study English for several years. But you know, studying in school is always a little different than talking to native speakers. 
So I’m having the experience in reverse of going to class and then attempting conversations and often just mangling my way through it. But people are very kind fortunate. You’re, I’m working at it. People appreciate the outreach. They, they’re happy to work with me too, which is nice and really helpful. Do you have Children? Did you bring Children abroad? We brought our cat, our 18 year old grandma cat. She’s lovely and sassy. At 18, she’s still, she’s more sassy now, I think. Well, I know some sassy, 8090 year olds. That’s not surprising. All right. And uh I also want folks to know that if you want to see some beautiful photography, go to uh shift and scaffold.com because you have one stunning one too. There are several but the one of the from the Metropolitan Museum, the Reflection the park is in the background in that room. Yeah. Is that the Egyptian room room? So there are many great photos that shift and scaffold that Janice took there. Alright. So let’s talk about uh team meetings for teams of one. What was the genesis for this uh this uh up the this uh this intuition, this uh creative burst redefinition. That’s what I want resurgence, redefinition, defining redefining one to be a team. So whether even when I’ve been in house and now I’m an independent consultant and so I work for myself. But even when I was in house, a lot of times I was the only person who did the technology, who did the knowledge management, who did the training sometimes. And so I spent basically my entire career mostly being a team of one. Um And, you know, there are certain practices and things that I’ve done over time that I find really helpful in that because sometimes I don’t always have somebody to bounce things off of. Or sometimes when I do, they have a really, they don’t have the same background that I do. Right. So they have a really different perspective which is useful. But sometimes I’m like, I just got to figure things out for myself. There’s nobody setting the strategy. 
Like my boss is a development director and I’m doing database management, for example, right? So, you know, they’re supportive, but they don’t actually understand my day to day work. And so I need to do a lot of that strategic work by myself. And there were some of these practices I developed over time. And one of them was that I would meet with myself before you have these good practices, which we will absolutely get to. When did you start to think of yourself as a team as a team that emerge? Probably. So I remember, I don’t know why this sticks in my head so much. I had this phone call with this director at my organization at the time and I was supposed to help her team with some and she had a team of like, you know, actual other people. She had about seven people on her team. And I was the grant writer at the time. And so she was like, we have some opportunities. There’s some partners we talked to and, you know, I’d love if we could get your help on applying for these grants, we have the opportunity to apply for these grants in multiple states, but they’re all due at the same time. And she was like, maybe you can get some help from your team. And I was like, listen, I am the team. You were talking to the entire team. I’m the grant writing team. So in addition to my other jobs foisted on you the redefinition, talk to get some support from your team, the rest of myself. So your best practices, these are things you’ve been doing through the years for yourself in your work. So a lot of times often, you know, either at times when I really needed to say plan for the year or I’m about to take on a big project or start something new or I really want to maybe make some changes. Often. I would kind of set aside some time and just sort of be with myself, but I would take notes during that time, right? I would have a little, ok, here’s the thing that I want to work on for this hour or two hours or something, right? 
I need to plan out 2024 or I need to figure out how to work with that stakeholder who is, you know, I’ve got some stakeholders that I have to manage. And I’m trying to get that on board. I’m kind of trying to come up with some strategies for that. And I’m kind of sitting down and having a little meeting with myself with an agenda because I would be like, wait, what was I supposed to focus on for this hour? Right. And so it’s like a little reminder to myself and I’ve always been a note taker And so it’s just kind of a thing that I kept doing and then I would do it for planning my week. I would do it for reflecting on things at the end of the month and I was talking to someone and I realized that maybe some other people do it, but not everybody thinks of it that way. Um And it was really helpful that I ended up just taking things that I sometimes did in meetings with other people. I was like, oh, you know what, this is really helpful to take notes this way or whatever it is. And then I would do that when I was still doing it just by myself. So that’s kind of where it came out of. What else should we be doing with our team of one. Um So I, so to back it up a little bit part of, I didn’t really think a lot about the practice of meeting with yourself in that I didn’t necessarily articulate it. I was just like, oh, this is what you do. Right. You had a to do list. I certainly had a, to do list, but you didn’t think of devoted time to specific tasks. Well, I did but I think I didn’t think of it as maybe a thing that other people didn’t think of. And I was so, I also like to do creative writing. I was at this conference last year for creative writing and I talked to someone and they were like, so I told my new manager that I don’t start work before 10. She works from 10 to 7, but I don’t start work before 10 because the first two hours of my morning are dedicated for writing. That’s my writing time. And I realized so I live in Japan and I work with clients in the US. 
And so sometimes I wake up really early for meetings. I have meetings at like six in the morning, sometimes five in the morning. But on days when I don’t have super early meetings, I’d still wake up, my body just wakes up at that time now. But I would just stay in bed, you scroll through my phone or something. Like I wasn’t doing anything at that time. And why would I get out of bed for, for clients or for other commitments? But I wouldn’t do that for myself and for my own work, my own creative writing, et cetera. And I think so I recently, at the end of last year, I was like, all right, I’m going to really make this a regular practice. Um Yeah, and I thought it would be a really interesting session and tool to share with other people in the NTEN community as well. OK. Um Other, I don’t know, other tactics for you say tactics to make time for strategic work as a team of one, you got to take care of yourself, you got to take care of your team, take care of your team of one. Exactly. So I think a lot of this, so there’s tools and strategies and then there’s the mindset. And so um maybe I’ll talk about the mindset first and then talk tools and strategies. But I think sort of as that team of one, a decent host would have asked you about the, you’re suffering a lackluster host. You, you think the host would ask about the mindset and the culture of the team of one first before you get into the, the tactics and strategies. It’s OK. That’s why we’re here to learn. We’re all still learning. And, you know, I think a lot of times where we start, right is when we want to do something better. We’re like, oh what are the tactics we’re doing it better? What’s the technical stuff and not the organizational culture or the mindset, all the internal work that we need to do when we work with people or work with ourselves. And so I think one of the, I don’t remember what started it, but last year I had this epiphany one day of like, wait, who’s leading my team? 
Like, nobody’s leading my team. Wait, it’s supposed to be me and I’ve not been leading my team and it was a really big sort of flipping the lights of it, John in my head. And I think realizing also whether I’ve been an independent consultant or when I was in house, right. Yes, I could run around and do all of the things and I would do all the things but not necessarily in a, I think I assumed that because I was the same person that it was cohesive and coordinate, right? And it was in a unified direction, you’re only one person, right? So of course, clearly going in the same direction as myself, I would think. And then I realized at one point I was like, I don’t think that’s actually the case and the, and part of that, what does that feel like when you felt like you were not going in a unified direction, I felt really scattered. I felt like, ok, I’m doing these things because it seemed like a good idea at the time or like you’re supposed to post more regularly on social media or you’re supposed to, I don’t know, go out and meet people and network and things like that. But I wasn’t necessarily doing them all in a unified direction. And I realized that I was doing sort of the different job functions like business development and content development and my consulting work and things and, but I wasn’t sort of doing the work to actually unify them intentionally. And so part of that was, I didn’t necessarily think of myself as a team or as a business or as an organization. I just like, I’m just Janice, I’m just showing up and doing the things and, you know, that works, you can get away with that for a time. But I think also, and you see this also in people when they go from being an individual contributor to being a manager or they kind of step from the, I’m just doing the things that my boss told me to do. So now I have to set the direction even if I don’t have any direct reports. 
And I think really, I realized that it was, I was kind of lacking that direction and I hadn’t made the time or really put into place the practices to do that on a regular basis that I wasn’t leading my own team and that spot was kind of vacant. And I think that’s a really big shift, especially in small organizations where a lot of times you just get thrown into like, hey, we need you to do, you’re like, hired for communications, let’s say, and, and, you know, you’re the only communications person and so you’re doing the writing, you’re doing the graphic design, you’re doing all the digital things. Um And then you’re just, you know, fielding whatever people think is your job honestly, a lot of the time and there’s no, if nobody is trying to make all of that cohesive for, say your external audiences, who’s managing the stakeholders, who is making sure there’s a cohesive strategy, you know, it, it starts, you’re not as effective for your organization. And some of that is, it’s easy to get caught up in all the urgent stuff. But some of it is also just I think that a big part of that mindset shift is we don’t respect ourselves as leaders as teams in the same way that we respect other leaders and teams, right? Like if I saw this meeting with you, Tony, right? There wasn’t a time to show up here, right? There was a process, there’s things going on, you know, I noticed that I would show up to meetings with other people differently versus I will reschedule things on myself all the time. And I’m not going to say that I don’t still do that, right? But I think just being more conscious of like, OK, I’ve pushed aside, pushed aside my time that I set it aside to do the strategic work and I’m putting out fires for other people because they’re urgent, you know, and that happens a lot. But I think the, I think especially in the social impact space, a lot of us, we want to make things better for other people. 
We care about other people, those requests that other people are making are not unreasonable. But it can also be really hard to, you know, especially for those of us who are taught to put other people first or that we exist for the community, not only for ourselves. Right? And that’s a very common ethos in the nonprofit space, as makes sense. And also, you know, depending on who we are, I’m a woman, I’m the daughter of immigrants. And so there are a lot of things that when somebody comes to me and ask me for my help to do something, right? I’m like, oh, let me figure out how I can help you. And it’s easier to keep putting my stuff on the back burner, put myself on the back burner. But then that builds up over time. So if you’re the only, let’s say you’re the entire technology team at your organization, your single team of one, then if you don’t make the time to do the strategic work, your organization is not going to be able to use technology strategically and effectively, you know, your organization is going to be a little bit hamstrung in advancing the mission because you’re not carving that time out and you’re not respecting the time and the energy you need for that. It’s time for a break. Virtuous is a software company committed to helping nonprofits grow generosity. Virtuous believes that generosity has the power to create profound change in the world and in the heart of the giver. It’s their mission to move the needle on global generosity by helping nonprofits better connect with and inspire their givers. Responsive fundraising puts the donor at the center of fundraising and grows giving through personalized donor journeys that respond to the needs of each individual. Virtuous is the only responsive nonprofit CRM designed to help you build deeper relationships with every donor at scale. Virtuous gives you the nonprofit CRM fundraising, volunteer marketing and automation tools. 
You need to create responsive experiences that build trust and grow impact, virtuous.org. Now back to strategic meetings for teams of one with Janice Chan. I it’s interesting really, the realization that you treat others better than you treat yourself. Essentially, you treat others work more importantly and more respectfully than you treat your own. Like you’re talking about putting off your, putting off your own time, putting off your own tasks. Um Yeah, minimizing your own needs or the other, right? It’s just I’ll get to it. You wouldn’t do that for somebody. You wouldn’t, you wouldn’t procrastinate like that you wouldn’t put off the work of others that you might have been asked to do or that, you know, as an individual, as a solo consultant, you realize you need to do, you wouldn’t do that to your clients or to your, to your organization that you’re where you’re a team of one, you wouldn’t do that, but you’ll do it for your own, your own stuff. We need to shift that. This is the mindset that we’re talking about. This is the mindset. And, uh, you know, and some of that I just completely lost my train of thought. That’s, that’s right. I think, well, you made the point and I just was, like, underlining it. So, how about some of the other things that you do besides have, you know, agendas for your, for your solo time? What are some other, some other tips? Yeah. So the, you know, a lot of the things that are about running effective meetings and I know we all have this joke about meetings that should be emails. Um But I think there are times when it’s important to when the meeting is the right tool, when you’re making a decision, you’re trying to get alignment or you’re doing something where dialogue is essential to moving forward with care often, you know, to building relationships um and maintaining trust. 
And so a lot of the things that are crucial for effective meetings with other people are also useful when you’re by yourself, meeting with yourself, the agenda, taking notes, keeping track of decisions that were made, keeping track of the action items, not just in the notes, but hopefully in whatever project management tool or however you normally keep track of your action items. Um I would say the big difference when you’re meeting with yourself is, of course, there’s not, you know, in a, in most meeting notes, at least the way I take them in a group, I note down who is attending the meeting. Right. There were people we invited to the meeting. We’ve made sure there was somebody from finance and someone from programs and someone from fundraising or whatever. And when you’re meeting with yourself you’re like, oh, yeah, I don’t need to. It’s just Janice. right? Um And something that I find helpful that’s different for a meeting with yourself is to think about the different roles that you need at that meeting because I, so this is a pet peeve. I have of in meetings with other people where they’re like, OK, we finished the agenda for, let’s say the project’s status update or whatever. Actually, this is the same group of people that, you know, for the data working group. So could we just throw that in right now? Right. And then you’re like, I, that’s a total mind shift. Yeah, it’s a total mind shift. I didn’t prepare like I’m not ready. And also, now this was like an hour long meeting that was going to finish faster. And now you’ve just messed with my head because now we’re going to be here for an hour and a half. Right? And so, and I think not part of respecting yourself, right? Is to not do that to yourself either. And so being clear about what is the purpose of this meeting. We use different meeting types for different purposes, right? It’s very different that we’re like a strategic planning meeting and a project planning meeting. 
And a team general team, weekly meeting should not look and feel the same, you’re not doing the same things. And similarly, when we’re meeting with ourselves, let’s not do that to ourselves either. Um And so naming those roles who needs to be there. So, you know, if I am the communications team and I am the writer and the graphic designer and the digital person and also the uh communications director leading the team, right? Have all of those roles been represented in that time and space. And even if it’s something simpler, like as an independent consultant, right? Is it consultant me? Is it business owner me? You know, or at a more basic level, is it decision maker, me or implementer me? Because if it’s only implementation, that’s just like me writing the report, I’m not making decisions, this is not a meeting, I’m just working on something. So I think calling attention to those um is a key difference that I would say for meetings with yourself. I, I like the idea of different roles because I, I think it helps make you accountable for, for the different, for the different uh areas of responsibility that you have and not only areas of responsibility but individual tasks that you have, you know, the the the business development person is gonna come down on, on the uh the writer who hasn’t done a blog post for six, for six weeks. Right. So III I see an accountability role. Absolutely. I love that. Calling that out anything else? So I think there are a lot of different uh like let’s be real, right? We only have so many hours in the day, but more importantly, we only have so much mental energy and mental capacity for things, right? And so part of that, you know, it’s some tools and tactics for protecting your time. It might be things like no meeting Tuesdays or it might be the last Friday of the month is always dedicated to strategic work. So I think some of it is like making time and actually putting it on your calendar to do that work, right? 
Um And it’s helpful if your whole organization does it and put it in the calendar, put it in the calendar, this is an important time exactly like you would do for a meeting with three other people. So if you know, sometimes life happens, you need to reschedule, but reschedule it don’t just cross it off the list and then never come back to it. And, you know, there are also other things that, um you know, I think that that time thing is one thing, right? There’s only so many hours, but that’s also a little bit more straightforward in some ways, it’s much harder to protect your mental brain space to do strategic work. So for example, I’m an introvert. I like people. I love hanging out with people at NTC. And also at the end of the conference day, I go back to my hotel room and I’m like, I just need some quiet time for a little bit. But also I know that at the end of the day, I can expect of myself to do strategic work, right? Like maybe I reply to emails or something, but I’m not going back and planning out some major initiative at night because it’s not realistic of where, how tired my brain is. Um And so I think that’s harder because that’s also individual what works for one person isn’t going to work for another person. And so some of that is figuring out what you need to be able to get into that, to have that spaciousness to do the strategic work and to figure out how to ask for that for your team. Um And you know, that could be, it could be things like the no meeting Tuesdays or working from home instead of working in the office. But it could also be things like, you know what I need to go for a walk. I need to actually, when I’m doing this type of work, I need to not be at my regular desk. I need to be in a physically different location so I can get into a different mindset than my day to day, putting out fires, et cetera. 
Sometimes it might be just like, you know, um, knowing that your team, knowing that, hey, the first hour of my day, every day, that’s like I do not take meetings, right. I’m working, but I do not take meetings so that I can make sure I do the important work, whatever it might be. So it’s really helpful to make sure that you’re asking your boss or your team or your colleagues for that and making that clear. But in doing that, you’re also modeling that for other people as well as you honor yourself and your team. There’s nobody else to advocate for you. You go out and do it. You know, I mean, if you, if you, if that team leader role has been empty, that means there’s no one else that means you need to step into that role. So, you know, I told people in the session, give yourself that promotion already. If you haven’t, how about we leave it right there? That’s perfect. Wonderful. Give yourself that promotion. If you haven’t, she’s Janice Chan director at Shift and Scaffold, Shift and scaffold.com. Always a pleasure. I hope to see you 2025. You think you might come, come back. That’s the I, I’m hoping I will see you all in 2025 Baltimore. My old home city. It’ll be a little closer for you. Five hours closer. All your old home. I used to live in Baltimore. I look forward to seeing you. I know you’ll have a good topic. I don’t have to say, have a good you will. You will you so much to my p Thanks for sharing, Janice and thank you for sharing in our conversation about teams of one where we’re sponsored by Heller consulting, technology implementation and strategy for nonprofits. It’s time for a break. DonorBox. Open up new cashless in-person donation opportunities with DonorBox Live Kiosk, the smart way to accept cashless donations anywhere, anytime. Picture this: a cash-free on-site giving solution that effortlessly collects donations from credit cards, debit cards and digital wallets. No team member required. 
Plus your donation data is automatically synced with your donor box account. No manual data entry or errors, make giving a breeze and focus on what matters your cause. Try donor box live kiosk and revolutionize the way you collect donations. Visit donor box.org to learn more. It’s time for Tony’s take two, Alice Antoinette, Bernice Charlotte, Constance Deidra. Thank you, Kate. These are some of the delightful names that I’ve kept on a personal list for years now of women in their seventies, eighties and nineties. And there’s even one who was 100 years old on the list and I just II I just get nostalgic over names that are so uncommon now. I mean, these are women who were born in the 19 thirties and forties. So not surprisingly, you know, names change, of course. Uh, but yeah, I don’t know, the, the names just move me. Um, and so I’ve been keeping this personal list and I did, I, I posted some of it on linkedin and I thought I would share some of it today. Um, the, you know, it’s, it’s the names and, but it’s also the, the women’s stories, you know, growing up in the 19 thirties, 19 forties, fifties in the United States. Uh, what that was like, you know, education wise for some, some women went on beyond high school. Uh, a lot did not. Some women went on to marry and have families and some did not. So it’s, you know, it’s the combination of the stories and, and I guess the, the richness of the stories makes me love their names as well. Um, and just as I said, you know, get nostalgic for these names that we just don’t see anymore. Like Geraldine Gertrude, Gussie Hazel, Jacqueline Lenoir, Lottie Mabel Marlene Maxine. Many Myrna, Ophelia, Penelope, Rochelle Selma Veronica. All right. I’ve got a lot more on my list, but that’s just a sample of names that I find, uh, delightful and I get nostalgic about them. Have you got any if, uh, if, uh, if you wanna contribute your mom’s name or your grandmother’s name or maybe your own name. Uh, let me know. Love to hear it. 
Tony at Tony martignetti.com. Let’s see if the names you know, are on my list. That is Tony’s Take Two. Kate? I would like to add Carmella both with one L and then one with two Ls. Yes. All right. So share why the name Carmela is important to you is I had a great grandmother. You might know better than me. But, but that I’m, you know, my name is my first name is Carmella. Well, I know that, but listeners, listeners could very well not know that your name is Carmela. Kate. Mar uh Carmela and then Kate is, is short which I never understood. I don’t know how Kate is short for Carmella. Carmel. I could see Carmel what? I have an aunt Kate but I have like a grandmother. Caramel, right? So, yeah, but they’re two different, they’re two different women. So how does because Kate is not your middle name? No, it’s not. Anne is my middle name. Like great grandmother Ann or? Right. Where is your great grandmother, Anne? Who was my grandmother? Right? This Carmela was on your other side, on your mom’s side of the family. So I, I didn’t know, I didn’t know Carmella. I don’t know. I’m, I’m happy to call you Kate, although, you know, I often call you Carmela as well because nobody else does. So I like to be different and I think it’s a beautiful name but Kate being short for Carmela, I, I don’t know, it doesn’t make sense. No, it’s been 21 years. It’s never made sense to me. Well, we’ve got VU but loads more time. Here is cyber incident cases and takeaways. Hello and welcome to Tony Martignetti Nonprofit Radio’s continuing coverage of the 2024 nonprofit technology conference in Portland, Oregon. We are all convened at the Oregon Convention Center in downtown Portland and Nonprofit radio is sponsored at the convention at the conference by Heller consulting technology strategy and implementation for nonprofits with me. Now to have a conversation is Steve Sheer. He is CEO and co-founder of Riprap Security. Steve. Welcome to nonprofit radio. Thanks for having me. My pleasure. 
Have you done your session? I have done my session. We were the first in the first session on the first day. So you set the bar high. I feel bad for the presenters that came after you. We just met a few minutes ago and I’ve already, I already know that you set the set, the bar high. Uh gave quite a challenge to the uh to the presenters that that succeeded. You. Your topic is cyber incident, uh preparation and what we can learn from real world incidents. So it sounds like you uh you are bringing some stories that we all are glad that it did not happen to us. Um Maybe these are major headline stories. I don’t know, maybe these are some of the big ones, but we can uh we can take some things away. Exactly. Ok. Ok. Um Why did you feel the need for the session? Yeah. So um I run a cybersecurity consulting company that’s focused on mission driven and purpose driven organizations and helping them improve their cybersecurity. And one of the key ways that we start working with new clients is that they call us and they say, hey, my house is on fire. We’ve experienced an incident, we need help and so we go and we help them and it, when we go in and we’ve never met them before and they don’t, they’ve not really prepared for an incident. The incident is much more severe. They end up incurring a lot more losses. They have a lot, it’s all very, it’s all much more stressful and the chance of recovery is lower than if they had prepared ahead of time to deal with an incident. And so the, the talk is all about how organizations can prepare ahead of time to make it less stressful, to make it cost less to respond to an incident and really reduce the impact of the incidents that happened to the organization. Ok. Iii I don’t think I’ve, I’ve thought about that or I haven’t heard it said that way that you can make it less impactful, less of a crisis by preparing. I mean, what I’ve heard is you should prepare because you can, well, you can never eliminate the possibility. 
You can greatly reduce the possibility of being attacked having an incident yourself. But you can actually make it less with preparation? Ok. Excellent, excellent. So um is it, are we just gonna share a bunch of unfortunate stories and, and take away lessons from each one? Maybe we can talk through some of the best practices and I can weave in some, some stories here and there. So why don’t we start with some of your, your best advice? Sure. So I think the primary thing that you want to do is when you’re preparing for an incident is really ensure that you have really good buy-in from your stakeholders in inside your organization. So people that are working in the marketing and communications portion, senior leadership members of the board, so that they’re involved in the planning and the preparation process. So that when you do have an incident, they’re not caught by surprise. This is not the first they’re hearing about how to deal with an incident. And so, you know, we, we tend for organizations that, that have not prepared. We, we end up spending a lot of time trying to brief the senior leadership and the board about what’s happening and they were very nervous and they don’t, they don’t let the, the the people responding to the incident have time to actually respond to the incident. And, and part of what they don’t have in place is a management plan for this crisis, right? I mean, uh um if it’s, if it’s become public now, we have a PR issue. So, who’s the, who’s the public facing voice? Is it our, is it a, is it a crisis communicator that we’ve, we, we knew we would hire in an emergency or are we scrambling for that? Should it be the CEO, should it be the board chair? You know, uh, should it be the chief technologist or if we have one, our audience is small and mid size nonprofit. So the likelihood that they have someone devoted to tech, tech is, you know, off and on because I’m certainly not 100% don’t, but, but a lot don’t. 
So you know, who should even be the voice? And then what should we be saying? How much should we be telling the public and our stakeholders? So, all right. So we need to have a plan in place um as well as managing the expectations that you’re saying of the board, the C Suite. Alright. What else? I think another important thing is really clearly defined roles and responsibilities of who’s going to be involved and when should they be involved in an incident? Right. So you touched on it already is, when do we bring in the CEO or the board to talk with the public on our behalf or? Hey, when does it make sense to not have them do that? Who is responsible for taking the operational steps to respond to the incident? The hands on keyboard, very technical investigation that goes along with responding to an incident. What third parties do you need to bring in? Um, depending on the type of incident you need to bring in your web development team if you’ve outsourced the web development team, because the website is having an incident, but you wouldn’t need to bring them in. Maybe if you’re having a ransomware attack on one of your, your computers, right. They’re not probably the right people to bring in. So you really want to make sure that you’re involving all the right internal first party and third party people and assigning them roles, specific roles and responsibilities. So that, you know, hey, we need to do this thing. We need to go talk to this person who’s directly responsible for this activity. OK. Yeah. Um Who’s gonna speak and then you know who’s gonna speak to uh are there aside from the public, if this involves donor data, volunteer data, who’s gonna speak to those groups? What do we say to them? How do we reassure them? Um Yeah, I’m giving chills. I mean, my synesthesia is kicking in. Actually, I really did. I just got chills thinking about because I’m, I’m not a CEO of a nonprofit. This is I’m a one person entrepreneur. 
It’s not gonna happen to me like most likely, but to put myself in that position and to try to figure that out and now maybe we’ve got press calling perhaps. I mean, I’m kind of thinking worst case the press is calling, what do we say to them? Like if you say no comment, that sounds bad. Do you not respond at all? And then they’ll just say, well, we’re not, was not immediately available for comment. Maybe that’s better. I don’t know. But ok, I don’t wanna have to and then it’s a crisis, it’s a crisis and the whole planning you deal with these. I mean, we do, let’s take a worst case scenario. I mean, how do you, how do you walk in and manage the, I’m gonna make it even worse. Do you get called in by organizations you’ve never talked to before? And that’s the most stressful. You don’t know anybody. We know, we don’t know anybody, we don’t know their technology, we don’t know much about them. And what do you do? We, you know, you learn real quick. Uh You ask a lot of pointed questions and you figure out who the right people to have in the room are because we find that there tend to be too many cooks in the kitchen when we show up. Right. There’s too many people involved and they’re causing more uh rotation and more work to be generated than really what there needs to be. So we really focus on, hey, who are the key people we need to bring in and then the people that are kind of excluded from that group, say more senior leadership, we promise them, hey, we’re gonna give you an update every hour or every three hours or every day so that they know what to expect when they’re going through an incident that they should. Ok. At three o’clock, someone’s gonna come and brief me on what’s going on and tell me what are our next steps, right. 
So we, we keep, keep everything really communicative and what that also prevents is we also tend to go in and serve as a bit of a firewall between the upper leadership and the board and the very technical people in terms of blocking and managing access to the people that are trying to do the hands-on-keyboard work so that they’re not disrupted by someone saying, oh, I need an update. I need an update is calling and I can now I can’t deal with the crisis. Oh man, how do you, that was like promotion for Riprap Security. How do people find you in that kind of crisis again? An organization you’ve never talked to before? Yeah. So it’s a lot of word of mouth. It tends to be, you know, who, who knows an organization that can, that can help us. Um And you know, there are a lot of organizations that can, can help, but there are not that many organizations that are equipped to work with nonprofits that are attuned to their needs and the types of data and stakeholders that they’re working with. And that’s why we like to work with these mission-driven organizations is because we have a lot of experience there and we, we really can feel like we help them because we’ve, we’ve responded to incidents, all sorts of incidents with all kinds of different nonprofits and other mission-driven organizations. All. Let’s, let’s take it down a notch now from the, from that worst case, like somebody you’ve never heard of before and they’ve never heard of you and they’re calling panicked. Right? I mean, they are panicked. Alright. We can remove ourselves from that situation. Let’s go back, let’s go back to some of your uh your, your advice for uh for preparing. Yeah, so, uh, I, I think the next thing to really understand is you got to really understand what your capabilities are. What, what about incidents and managing incidents? Are you realistically going to be able to handle on your own? 
Do you have a very technical person that’s going to be capable of doing the analysis and the investigation to figure out how the attacker got in, where the attacker is, what the attacker is doing? Or do you need to make sure you go find somebody to help you do those things? I mean, the reality is most organizations they don’t have a person like that. Um, basically forensics, forensic forensics, deep digital forensics. And you know, we, unfortunately, we, we’ve come in in a lot of cases where our nonprofit, our nonprofit partners, they think they can rely on some existing third-party relationship that they’ve got say with their IT managed service provider or their web developer to help them address the incident. But the incident response is like pretty specialized set of capabilities, right? So you wanna certainly include those people in the incident response, but you really need to know you have someone that can help take you through from beginning to end from identifying that the incident has happened all the way through recovery to help you through that whole process. And though understanding your who’s, who’s on your team, who’s responsible for what um and really making sure that there’s clear lines and expectations is really key to making sure that you can successfully recover. Can we, can we launch into one of our unfortunate stories? Yeah. Yeah. Um Yeah. Uh we, we worked with one organization. Um It’s about 100 person um company and it’s a nonprofit. It’s a nonprofit. Yeah. And uh what happened to them is that they, uh uh they didn’t have multi-factor authentication configured for uh their, their email. And uh an attacker was able to gain access to the emails of the CEO, the COO and the CFO and the attacker sat for months watching emails come in and out of these three mailboxes and they were able to understand what, what, what is the process this nonprofit uses to get new vendors onboarded. 
What is the process for the vendors providing the bank account information for how to pay the vendors. What’s the process for when a vendor needs to send an invoice to the nonprofit, for the work that they’ve done and what they were able to do. So they’re, they’re, they, I went to law school. Well, I used to be, I used to practice law. They’re lying in wait. I would say this is what, this is what makes it a first degree murder and lying in wait type murder versus a heat of passion. This is lying in wait. Exactly. Yeah. And attackers will maintain access for a long time in an organization to really learn about them in the same way that I learn about an organization when I’m trying to work with them, right? I want to profile all the activity and understand how to make them more. Did you used to be a bad guy? Did you come over the other side? Luckily not my style. Um And so what happened was that the, the attacker understood this payment flow and this vendor approval process and was able to issue their own invoices or they were able to issue their invoices to this nonprofit. The nonprofit was just paying them just they said, ok, this isn’t approved, everything looks fine. They posed as the CFO and the COO to like give the approvals, sending an email on their behalf and giving the approval stamp and just hundreds and hundreds of thousands of dollars just walked out the door over a six month period and no one, no one realized, right? So there’s, you know, the there’s the aspect of, hey, you should have had multi-factor authentication configured to protect those accounts. So the attacker couldn’t even get in from the beginning. But there’s also the side of, hey, what is your, what is your vendor approval and uh vendor invoice approval process look like and how, how could an attacker use that process and take advantage of it to issue their own invoices and get the money sent to their own account. 
So there’s, there’s a bit of a traditional cybersecurity and IT portion of this incident and how to recover from it and as well as a more financial and a financial process and accounting process that, that we help them improve um to make it less vulnerable to these kinds of attacks. Once the crisis is over, then make it less likely to happen again. So that money was never recovered, was never recovered. Um Do, do nonprofits typically co-operate with law enforcement or would they rather just let it go, make it go away and, and, and the uh end the nightmare? Yeah. Uh it’s about 50/50. We find um you know, there are some, there are some nonprofits that have an obligation to report something like that if they’re working with say health data or something like that, really something to be truly sensitive. Um A lot of organizations we talk with them about that of like, hey, you know, it’s worth reporting this. Like you’re not gonna get in trouble for being attacked, you know, it’s, and uh I, we, we almost always recommend going to talk with law enforcement. We almost always recommend that we submit the, the technical indicators of the, of the, of the attack. Like how the attacker, what the attacker did, how they did it to the, the federal law enforcement authorities so that they can go and cross analyze that information and try to help more people and try to, in some rare cases, go and track down the attackers and, and do things like make arrests and disrupt the operations, rare cases though. Ok. So at least contribute to the, the FBI’s database of forensics and then maybe not pursue prosecution or. Well, it doesn’t sound like there’s prosecutions very likely not. Like, can nonprofits participate like that? Like, anonymously, the FBI is not just not gonna reveal the identity. You could go to your FBI field office that’s in, that’s in your state or your city and go and make these reports if you need to. 
There’s, um, a federal cybercrime task force that has a forum open that we use pretty regularly. If you wanted to submit something anonymously, you could do that through that, that, that manner. Ok. Um, and do you do the forensics, can you, can you figure out how they got in what they did? Yeah. Yeah. So we, you know, we kind of the process and the workflow of the incident is after we get called or we see that there’s a potential incident happening. We start in the stage called identification. We’re really trying to profile what the threat is, what they’re doing, what they start to understand what the impact is so that we can go start taking steps to say, hey, let’s make a plan for how we’re going to contain the attacker. So the attacker cannot, we want to essentially put a force field around what they currently have access to and kick and start to limit their ability to escape out of and, and pivot away and gain more access to the environment. So after we are able to contain them, we work to eradicate their presence. So we, we remove access to accounts, we will pull computers from desks and erase them and reformat them. Um We’ve, we’ve done a lot of work. This is when the attacker knows now that, that they’re being, they’re being surveilled typically. Yes. Yeah. We, we, we’ll look under cabinets behind desks up in the drop ceiling in closets to make sure there’s no computers or devices that are hidden in those areas that the attacker is maybe using to. They’ve gained some physical access to the organization. It happens. Yeah. There’s sometimes there’s physical access. Oh my God, it’s even creepier. It’s way creepier. Where have they been? Right? Have you seen that? We’ve seen that damn. 
Is that, is that a disgruntled employee could be a disgruntled employee could be an attacker that, you know, they’re wearing an orange vest and they have a tool bag and they walk right in, you know, there’s a lot of these ways to, you know, just kind of walk waltz in and uh with Verizon, you optimize your, uh your Wi-Fi we’ve seen evidence of degraded signal. We’re very proactive. Come on in. We’d all have, we all love higher performing Wi-Fi all. Oh my gosh, physical presence, man. Ok. Um Alright, so the takeaways from that, let’s just, just go a little more detail. That’s a, that’s a bad story, a couple, couple hundred thousand dollars. What do we take away from this? So what we take away is that you really have to understand the, the impact of the incident to really understand what are the goals of the attacker? Is it opportunistic? Are they being specifically, is the organization being specifically targeted? We’re finding these days it’s more opportunistic of like the attackers are not specifically targeting an organization. They’re just sort of, you know, hoping they get into any organization. And the question we get from a lot of nonprofits and any organization that we work with on an incident is like, why us, you know, and, and it’s unfortunately like it’s almost impossible to say, right? Um And they’re like, who would do this to us? I’m like, well, it could be anybody. Right. It’s, these people are all around the world. You know, it’s hard, they’re hard to track down. Um, even, even for the government, it’s hard to track these people down. And so we kind of help redirect that energy and it’s like, ok, you know, we, we may not be able to tell who did it or why they did it. But let’s get you to a better perspective. Let’s get you to a better place. Because what we end up doing after we’re able to remove the attacker is we, we have to work to help the organization recover and get back to business as normal. 
Now, most organizations that do this on their own without any help, they sort of kick the attacker out and then they just go back to doing business as usual without fixing the underlying reason. The attacker got in, in the first place and that’s a tough thing to come back or to return to somewhere or to get called in later or say we thought we had it under control, we won’t get struck by lightning twice. Exactly. Right. You know, if you’re not a, it’s not a good strategy if you don’t lock your front door, you know, it’s kind of like this happens again. Shame on you. Right. It’s like you gotta take the time. And so we work with the organizations who say, hey, how did the attacker get in? What are the things that we can do to close that method of access in the future. What are the other security capabilities that you can put into place the policies, the technology and what people need to be involved to make it so that you’re prepared for the next time. Um And then what we, what we always recommend and this is a thing that uh a lot of organizations skip as well is we, we have a very lengthy uh lessons learned session and the lessons learned sessions are really critical because you really want to bring in all the stakeholders from the dealing with the incident after everything is done while everything is still fresh in your mind. And you want to start understanding what did we do? Good? Like what do we do really well in the incident, we communicated, we bought pizza for everybody. So no one had to leave the office like simple things like this, right? And what, what didn’t we do? Well, like, ok, well, you know, it turns out the attacker was in the network for six months like that we should have known five months or 5.5 months ago. Um You know, things like that and then what we recommend is giving specific, having specific action items with specific due dates assigned to specific people so that things get followed up on. 
And that every time you have to step through this process, you’re improving a little bit more, you’re reducing the impact of future incidents and you’re just better prepared for the next time that it happens. What’s the, uh, proportion that you see that, uh, nonprofits take that proactive step after the crisis to mitigate the likelihood and the impact of a future crisis. Um, these days, the rate is much higher than it used to be. Five years ago. We wouldn’t have seen many follow through unless they’re quite a large organization. But people feel the pain and people see this in the news all the time. Right. They, they see major corporation Southwest. Yah. I don’t want our providers pipelines. Right. It’s always in the news. So people are a lot more aware of it. Want to have the conversation. It’s less of like, oh, no, we’re totally secure. Nothing can ever happen to us. Sort of just like hoping that nothing happens. But they, they want to engage more deeply and say, like, what do we really need to do? You know, what are the, what is the foundational things we need to put in place that we just don’t have. How did you come up with Riprap security? What’s the significance of that? Yeah. So, Riprap is a type of shoreline protection on, like, in a bay or on a river. It’s all rocky and the erosion patrol like those sort of not really rock walls but little rock islands or mounds that riprap. That’s exactly right. So you’re protecting the nation’s coastline, like our Coast Guard, our silent warriors. We’re not, we’re not quite as seaworthy, I think, but, uh, get nauseous sometimes. Um, let’s see, being able to hold the incident, incident, preparation discussions and leadership. Is that why we talked through a lot of that? Um Have you seen, I, I feel like I’m, I’m speaking to law enforcement, you know, like, uh about uh crime trends in the nonprofit community. Have you seen ransomware? Ransomware is a common one? We see you got a ransomware case story. 
You can tell we, we deal with these a little bit less these days than we used to. Um You know, honestly, the fact that people are more organizations are more fully remote means that the ransomware has trouble spreading to other devices on a network. So that definitely is a, is a nice thing to work from home or work remotely. Um But we’ve had cases where um we, we, we worked with one, this is one company. They’re, they’re quite small and um they’re 50% manufacturing company that we worked with and they called us up one day and they said, hey, we’re having this ransomware incident and our production floor of like they made um like metal machine parts, our production floor, everything is encrypted by ransomware. All the business side of the network was encrypted, everything was fully offline. They sent out most of their employees home and they’re just, you know, they turn the lights off right. They’re like, what do we do? And so we’re there, we’re trying to understand. We’ve identified obviously that there’s ransomware. We’re trying to understand, you know what it is, how they got in and the IT director comes in and he’s like great news. I have backups like, oh, this is great. No one ever has backups. Right. Because if you’ve got backups, you can restore the data, you can get back to normal. No problem. So he stored them at his house in a little safe in his house, brought them back. He takes them out of the box and the, the, the backups are, they’re a week old, so it’s not ideal, but a week ago is better than nothing or two weeks. Um And he opens the box, it’s like an old tiny, like lunch crate, metal lunch crate. And they are tape drives and tape drives are uh like almost like a cassette deck. Um But they’re, they’re, they used to be used very frequently to store a large amount of data, but the downside is, are very slow to help move data on and off those tape drives. So I’m like, ok. All right. 
So he’s gonna say, oh, I’m gonna go restore the data to get us back up and running. He comes back a couple of hours later. He’s like, it looks like this is gonna take 14 days to restore our data. Like that’s a, that’s a really long time. And so ultimately, the leadership of the organization decided to pay the ransom because it was gonna cost them less. I think it was four or $500,000. It was gonna cost them less to get, to pay the ransom, to unlock the computers than it was for them to be down for two weeks. And that’s a hard choice for an organization to make. We’re paying the bad guys, but it’s a business decision. It’s a business. You see, are these foreign actors? Not this one specifically. But do you see a lot of foreign actors as the bad guy when you can identify, maybe, maybe, sometimes you can’t even identify where in the world they’re located. It tends to be pretty geographically spread. Um You know, there, there is a whole business model and, and business life cycle for these ransomware attacks. So an organization, uh one malicious organization will go and they’ll perform the initial um exploitation of a, of an organization. So they’ll go in, they’ll get access to a computer or an account and they do that tens of thousands of times and they’ll, they’ll collect all these logins and then they’ll sell them to ransomware attackers. So there’s almost, they’re almost like a data broker providing these account credentials and this access to the ransomware attackers and then the ransomware attackers will go and they’ll install the ransomware on the computers that are associated with these accounts and they’ll just see who calls them back. And so there’s this whole ecosystem of, hey, you know, uh the attackers know, like they need to be pretty, pretty quick to respond to their customers’ email, right? Their victims’ emails. Otherwise people aren’t going to trust that they’re going to provide the key if they get paid. 
And so we tend to, we tend to say that they’re so they’re good on customer service, customer service because there’s hundreds of thousands of dollars at stake. They, they, they’re great communicators, some big corporations, I promise we’ll get back to you within 15 minutes. Uh Crypto are they, are they typically paid in cryptocurrency, typically paid in crypto? Um And they have a variety of different cryptocurrencies that they’re using almost as many as you can count. Um And they take pretty significant steps to once you’ve paid them, they typically give you one address to send the money, the, the, the, the digital currency to and from there, it’s almost immediately um essentially like chopped up into smaller chunks and sent out to, you know, potentially hundreds of other, you know, digital currency and cryptocurrency accounts. So it’s very difficult to trace that, that kind of that kind of thing. Have you seen a case where the ransom was paid? And the key was not provided, the encryption key wasn’t provided. We’ve seen, we’ve seen where the attacker has provided the wrong decryption key by mistake. Uh But email them back back, he made a mistake they sent the customer, they got back to you. So you don’t have to go through a gateway or anything 800 number. Just go right to the right to the principal and then they provided the correct key. Now, now you do have to be careful. Right. We don’t, we don’t recommend paying the ransom. Not necessarily, but if it’s a business decision, um, you do have to be careful because, uh, the Department of Treasury and law enforcement agencies, they, um they’re very closely tracking these ransomware attackers and what they do is they’ve placed some of these cryptocurrency wallet addresses on the sanctions list. So the same sanctions list that has uh Russian oligarchs and um you know, um Chinese hackers through Financial Crimes Enforcement Network, Department of Treasury. I know exactly. So, what’s the, what’s the caveat there? 
The caveat is that you could potentially be in sanctions violations by paying one of these ransomware hackers. Um If it’s, if it’s a track sanctioned uh uh Cryptocurrency, it’s the Russian hacker or the Indian hacker and the Treasury Department are both, it’s not a good position, you want to call your lawyer for sure. All right. That’s a, that’s a great caveat. Alright. So what can we take away from this, uh, this uh lessons learned from this particular ransomware account at the manufacturer? Yeah. So I think the key thing is make sure you have ongoing current backups and uh and a lot of organizations they’ll set up backups, like in this story or they say, ok, we’re taking backups every week. That’s probably fine. But the downside was, they never tested it. Right. They never verified that the data was complete and they never made sure that they understood how long it was going to take them for them to recover. That if they had known they would have probably chosen a different, a different way to back up because it doesn’t cost that much more uh these days to not back up on a tape drive. Say, um are there where in the world are these, are these uh bad actors clustered? Are there, is there parts of the world like II, I mean, I mentioned India and Russia but I’m, you know, I’m not a cybersecurity uh professional. Where, where are these, can you say generalize where these folks might be clustered? So, so they, they tend to be pretty geographically spread. Um You know, the, the, the, the reality is that it’s, it’s no longer that hard for someone to gain the skills that are necessary to do, to perform some of these attacks. And we’re seeing more and more of these organizations of very young people going out and committing these types of crimes and, you know, ultimately being successful in a lot of cases. 
And so, you know, YouTube is great for learning all sorts of things, you can learn how to hack and do all these things on YouTube and by research there’s a lot of great information out there. Um, but the reality is like, it’s almost impossible to know who’s doing this in a lot of cases. Right. Either the attackers are using all kinds of intermediaries and bouncing their communications off other computers all around the world and it’s very tricky to really track them down unless you’re a fins or a large government organization. Um Is there truth that if, if you, if you are a victim of a hack, uh let’s say it’s your credit card, you know, your credit card company says that uh your, your, not only your credit card number but your, your address and maybe your date of birth or something, you know, was, may have been, it may have been, may have been compromised and you know, they’ll typically give you one year in one case. I saw two years which double but still my question gets to the value of all this two years of like credit monitoring and you know, the suspicious monitoring alerts and things like that. But I’ve also read that the, the real value comes more comes longer from the, from the incident because because it’s harder to track back to where it happened, what the source of it was. So like 3 to 4 or five years later, your birth date hasn’t changed, your address might have changed, but a lot of people’s addresses haven’t, so they’ll use what they’ve got and they’ll get lucky and in a lot of the, a lot of their, uh, ill gotten file. So, is, is that true that the, the longer the time, the more value valuable your data is on the, I guess on the dark web in the black market. Yeah. And, and, you know, I think it speaks mostly to the following impact that can have. Right. 
If someone steals your data, that’s, and there’s a big breach, that’s one thing, but that data gets repackaged and sold to a variety of other people on the, on the dark web and, and, and the reality is that most people, they’re not going to be able to pay attention that long. Right? They can’t change some of these core things about them, like their phone number or their social security number, you know, some of these things. So you really have to be mindful all the time and really watch your accounts and really understand like, what is the impact here, you know, the one year of credit that they give you. I just don’t, I mean, yeah, sure, I’ll take it, I’ll sign up for it, but I don’t see the value because so my, what I’ve read is, is accurate, the longer, the longer the time, the more valuable actually. And the more likely it’ll be used after, after one or two years from the incident. Um, we got a little more time. You want to tell us one more story. And, and some lessons from it. Yeah. Yeah. So, I mean, we, we have, you know, we’ve, I’ve told a lot of, like, kind of dark stories, you know, but there are bright spots. Right. So, you know, we, we come in a lot of times, come in an organization, they, they’re having an incident, we work with them, we really, we help, you know, kick out the attacker and the leadership, they really get it right. They really want to understand they really want to learn because, you know, we hear things at conferences and read about online and hear on the news that all these bad things are happening, but it’s not until you really feel it and you’re really in it that you’re like, OK, this is, I understand this, you know, and that that’s a hard lesson to learn certainly. Um But we, we in a lot of cases have been able to say, hey, here’s how you fix the underlying root cause that caused the incident. 
But you know, here are, here are another 10 things that you could do that are low effort, low cost, very minimal business impact that you can do to really reduce the chance that this is gonna happen again. And it’s those organizations that tend to understand that security and IT and operations and the success of their organization are all very deeply linked and that it requires, it’s not just like an activity for IT to be worried about or security to worry about. It’s a whole security is a team sport. Everyone has to be involved and be a stakeholder. The reality is that an attacker is they’re gonna, they’re gonna target the CEO and the leadership of the organization when they’re trying to get in. Um And so by bringing all those people all together, it’s just, it leads to better outcomes um to have them involved and have that buy in um in a continuous way. So, is there a bright story? Yeah, the bright story is that they were able to kind of plug the holes that they had and, and go on this journey where they were able to modernize their, their IT stack and their tools that they’re using and their processes, um you know, really embed security very deeply into that and we’re able to reduce the, the likelihood of, of these kinds of incidents happening again. And we, we, we’re in a spot where we can watch the attackers attempt these types of attacks and that’s what we really want. So you get early warning that there’s an attempt happening, we can take some additional steps without having to wait six months to learn that you’ve been compromised for six months. Steve Sheer. Thank you very much. He’s CEO and co-founder of Riprap Security. Thank you for sharing, Steve. Excellent. Thank you and thank you for being with our coverage of 24 NTC, the 2024 Nonprofit Technology Conference where we are sponsored by Heller Consulting, technology strategy and implementation for nonprofits. Next week, more 24 NTC goodness with intergenerational communication and the four day work week. 
If you missed any part of this week’s show, I beseech you, find it at tonymartignetti.com. We’re sponsored by Virtuous. Virtuous gives you the nonprofit CRM, fundraising, volunteer and marketing tools you need to create more responsive donor experiences and grow giving. virtuous.org. And by Donorbox. Outdated donation forms blocking supporters’ generosity. Donorbox, fast, flexible and friendly fundraising forms for your nonprofit. donorbox.org. Donorbox. It’s obvious. Well, who else would it be? It’s Donorbox to Box. Our creative producer is Claire Meyerhoff. I’m your associate producer, Kate Martignetti. The show’s social media is by Susan Chavez, Mark Silverman is our web guy and this music is by Scott Stein. Thank you for that affirmation, Scotty. Be with us next week for Nonprofit Radio. Big nonprofit ideas for the other 95%. Come out and be great.