Tag Archives: cybersecurity

Nonprofit Radio for March 13, 2023: Beat Back Cyberattack

 

Michael EnosBeat Back Cyberattack

Cyberattacks against nonprofits are on the rise. While you cannot avoid them, you can make them a lot less likely to cost you big money, your data, your reputation, your donors, and your employees. Michael Enos from TechSoup helps us out.

 

 

Listen to the podcast

Get Nonprofit Radio insider alerts!

 

 

Apple Podcast button

 

 

 

We’re the #1 Podcast for Nonprofits, With 13,000+ Weekly Listeners

Board relations. Fundraising. Volunteer management. Prospect research. Legal compliance. Accounting. Finance. Investments. Donor relations. Public relations. Marketing. Technology. Social media.

Every nonprofit struggles with these issues. Big nonprofits hire experts. The other 95% listen to Tony Martignetti Nonprofit Radio. Trusted experts and leading thinkers join me each week to tackle the tough issues. If you have big dreams but a small budget, you have a home at Tony Martignetti Nonprofit Radio.
View Full Transcript

Transcript for 631_tony_martignetti_nonprofit_radio_20230313.mp3

Processed on: 2023-03-11T01:00:20.020Z
S3 bucket containing transcription results: transcript.results
Link to bucket: s3.console.aws.amazon.com/s3/buckets/transcript.results
Path to JSON: 2023…03…631_tony_martignetti_nonprofit_radio_20230313.mp3.38068433.json
Path to text: transcripts/2023/03/631_tony_martignetti_nonprofit_radio_20230313.txt

[00:01:26.42] spk_0:
And welcome to Tony-Martignetti non profit radio big, non profit ideas for the other 95%. I’m your Aptly named host of your favorite abdominal podcast. Oh, I’m glad you’re with me. I’d suffer the embarrassment of a phone. Yah. If I had to speak the words you missed this week’s show, beat back, cyber attack, cyberattacks against non profits are on the rise while you cannot avoid them, you can make them a lot less likely to cost you big money, your data, your reputation, your donors and your employees, Michael Enos from Techsoup Global helps us out on tony steak too. Get in people’s faces again. It’s a pleasure to welcome Michael Enos to non profit radio He is senior director of community and platform for Techsoup Global. He began his professional career in technology in 1996 and has since led team, tech teams at the national and individual office levels in increasing responsibilities on Mastodon. He’s at Michael underscore Enos at public good dot social and tech soup is where you’d expect them to be at techsoup dot org. Michael, welcome to non profit radio

[00:01:42.03] spk_1:
It’s great to be here. Tony Thank you for having me.

[00:01:46.69] spk_0:
My pleasure. My pleasure. Let’s please explain the work of tech soup. I think it’s so valuable, so many billions of dollars of software and hardware transferred to nonprofits. Make sure, let’s make sure everybody knows what techsoup is doing,

[00:02:52.57] spk_1:
you know? Absolutely. I mean, essentially our, our mission is to help civil society, organizations worldwide um better leverage technology to create impact in the missions um that they serve and to build communities. Um You know, that, that then can then foster that, that, that, that impact globally. Um We do that through a number of different ways. We do that by facilitating philanthropy from large tech donors. Um And you know, most of which are the ones that are just, you know, household names. Um We also do it through uh courses, services, consultations, um and through connecting organizations with each other and through also through engagements like this where we try to really uh to blogs, webinars and other facets where we help organizations understand how they could use tech um and protect their tech to uh enable uh and further have impact for their, their communities. They serve,

[00:03:17.12] spk_0:
I saw on tech soups website today, Microsoft Office or Microsoft 3 65 for a dollar. So

[00:03:18.55] spk_1:
that’s an example, right? And if you were to go to uh you know, Microsoft for nonprofits or Google for nonprofits, for example, um you know, the data validation platform that validates organizations worldwide is managed by Texas So, ultimately, we, we, we do many things but we’re also sort of a, I guess, data leading partner for, for a lot of these organizations that want to understand and make sure that their philanthropy is going into the right hands.

[00:03:48.25] spk_0:
You have, you have local uh connect groups to techsoup, connects groups.

[00:03:54.10] spk_1:
That’s great. That’s right.

[00:03:56.21] spk_0:
Yeah. You know, I know, I know you’re, well, you’re director of community and platform. So is that, is that part of your work

[00:04:42.76] spk_1:
director? I mean, you know, you know, I support that, that organization that we um we have, we have lots of different um areas and, you know, and, and in my role, I support them all um platform is a lot of the, you know, I oversee our enterprise, infrastructure and security as one of my fundamental sort of roles. I mean, obviously with the, with their expansive amount of technology that we have, that runs our platforms that, that consumes a lot of my time, but also the community side because of my background working in the tech for good space, you know, since, you know, for the length of my vocation, um you know, I have, I’ve accessed as a resource for a lot of other groups, including the connect group for when they need, you know, to understand, you know, how to, you know, for, for things like this and for, for other things um to help our communities um better leverage to the tech that they use. I mean, it’s one thing to, to uh provide the technology. It’s another thing to actually help people, you know, provide them the enablement to be able to use it and optimize it.

[00:05:08.91] spk_0:
Are there local meetups are the group’s going back

[00:05:50.06] spk_1:
to? Exactly. There are, there, there are, you know, communities within the regional and our, and that’s part of our connect program. Um And eli, the guy who runs that and, and the group that runs that are very, very energetic and it’s very community driven, which, which is fantastic and we’re sort of an enabler and facilitator in that work, which is wonderful. And that stems from the early days of us being part of the early groups that were involved with the, you know, tech for good space way back when technology was first getting launched, you know, and the internet was first launching different

[00:05:51.33] spk_0:
types of work. I mean, you know, n 10 doesn’t do consulting, which I wanted to ask you about very shortly. But, you know, they don’t do tech grants necessarily, but all, all very parallel with, with N 10.

[00:06:26.73] spk_1:
Yeah. Correct. And, and we, we have a close partner to put 10, 10 and, and we attend the events and such and we’ve long been sort of affiliated with that demand and other and other groups like like 10, 10. Um and we have partnerships that sort of expand throughout the different communities. Um And, and we try to be involved globally as well. You know, so there’s this sort of, you know, there’s the U S side of it, but then there’s also the everything that we’re doing outside of the U S and abroad because, you know, it’s um civil society is international and so, and tech soup is really involved with, with things not just within our own borders but, but outside of them um globally.

[00:06:50.58] spk_0:
Are you going to 23 NTCC the conference?

[00:06:51.42] spk_1:
Um myself. No, I’m not the, I know we have some, some other representatives that are there. I’ve been to many of those uh this year. I’m not specifically going, but we will have some representative from Texas there. I’m

[00:07:03.64] spk_0:
sure. Yeah. And non profit radio will be there as well. We’ll be on the exhibit floor.

[00:07:07.67] spk_1:
Excellent. That’s fantastic. Yeah. Yeah. Well, I’m sorry, I’m not going to be there to be in person to meet

[00:07:12.61] spk_0:
you. That’s all right. There. There are others every, every spring and

[00:07:17.31] spk_1:
virtually, by the way,

[00:07:18.97] spk_0:
that’s true. There is hybrid this year. That’s right. Um And, and texture is also consultants to consultants to nonprofits. Let’s make sure folks understand that too.

[00:08:46.84] spk_1:
Yeah, I mean, we, we provide, essentially, we help organizations connect with other organizations that then provide consultant services. We do some ourselves, but it’s very specific to some of the um because we, we provide a lot of, you know, what we’re doing to, to skills. So to speak what we, what we have is we’ve partnered with other organizations through our platforms to, to align organizations depending on exactly what type of consultation they need to inappropriate sort of resource for them. Um And that’s more uh our, our model in terms of we’re sort of a connector. So for example, if somebody needs, you know, specific sort of technology assessment uh for implementing uh Microsoft, we may do some, but then if it’s more advanced, we may work for them to, to impact or an organization that we partner with and then they provide that as a service to that organization. So, and we have other partners like that, who provide those similar sorts of services that are more hands on and direct than what tech soup can provide at this moment. And we may may expand that more and do some of that um more, more stuff ourselves and, and we are developing that and some of our customers success programs. Um and we do run a lot of sort of in the office programs where people could have webinars. And I’ve spoken in a few of those where we do it in in depth dive of a particular technology so that organizations can learn how to use them.

[00:09:00.19] spk_0:
I’ve always considered the big three to be Tech Soup N 10 and tech impact in terms of technology for nonprofits and, and all three of those of course, are nonprofits themselves. Right.

[00:09:12.87] spk_1:
Exactly. Yeah. All right,

[00:09:15.44] spk_0:
let’s talk about cyber attacks. Uh They are on the rise against nonprofits. What, what, what are you, what are you seeing? We’re going to get into the details, of course, but overall general, you know, kick us off. What are you seeing on this front?

[00:11:31.28] spk_1:
What, what we’re seeing is a lot more, um, targeted attacks, which, which is, which is unique because there’s, you know, speaking broadly about cyber activity, you know, there’s a lot of noise on the internet. There’s, you know, just all these robotic sort of in these bots that are flying around trying to find targets, right? And they’re sort of just, you know, you know, I guess, you know, they’re, they’re doing drive by sort of evaluations to see of anything, you know, just to see if there’s anything that they could get a finger in or, you know, just to explore and see if there’s sort of a, you know, something that they could find in there. What we’re seeing now is more targeted attacks, meaning there’s a specific purpose to it. Like somebody’s like, well, you know what we think that, you know, this is a, you know, a specific type of organization, they’re involved with a particular type of activity and we’re interested in knowing who’s donating to that activity and whether or not we could possibly have access to that information because that might be valuable or perhaps to the constituents that they’re serving because maybe that information is valuable as well, maybe for either financial reasons or, or, or or political reasons. And so we’re seeing a little bit more of that or, or perhaps because we really want to cause disruption in critical infrastructure. And one thing that um this is sort of a broader trend in cyber security around targets towards critical infrastructure and myself and and others in this space believe that civil society, organization data is part of critical infrastructure and critical infrastructure. So I mean, people are targeting things like, you know, we’ve we’ve heard about the target on power grids and uh gas pipelines and such. And you know, if you think about data that’s relative to communities that are specifically vulnerable in certain context or, or have access to information about others, then that’s critical infrastructure because we need these organizations to function in society. And so, you know, there could be other actors who say we want to disrupt that particular critical infrastructure for some reason and that reason could be varied just like it is for why people would disrupt any sort of critical infrastructure.

[00:12:55.08] spk_0:
I have an example that is pretty close to home. I I I own two homes in North Carolina. One of them was affected by that shooting at uh at the electrical substation in that was, that was in Moore County, North Carolina. Um And there’s a, there’s a possible correlation that, that that attack was to prevent a drag queen show from going on in the little town of Southern Pines, North Carolina, which is served by that substation that got shot at. Um So, I mean, it sounds like you’re saying, it’s not that far a leap like, you know, 11 cadre of bad actors uses guns. Another cadre of miscreants could be hackers that are looking for data at that maybe at that theater or, uh you know, among a nonprofit that may have been involved with

[00:13:45.30] spk_1:
maybe maybe the intent at the attendance list or the people who are donating to that event. And so, you know, this is the type of data and like I said, there’s, there’s different reasons why somebody might be targeting certain data. But this, these are the, this is, you know, this is like bingo on the nose, this is the kind of stuff that, that we’re seeing more and more and we’re very concerned about and why we’re really like soup is really sort of launching this um effort to help educate organizations on how to improve uh and understand what cyber security means in this space and how to prioritize it, but also how to um sort of get through the sort of complexity of it and, and, and find simple ways to knock off low hanging fruit to make it sort of actually, you know, doable for them with given their budgets and given their constraints that we a lot of smaller organizations in the, in the space you know, have, generally,

[00:14:39.67] spk_0:
it feels like in our polarized culture that there isn’t a nonprofit mission category that would be exempt from, from possible attack. I mean, you know, even feeding, feeding the hungry, you know, I could conceive of that being objectionable to some group of people that feels like why do those folks get food and, and I don’t get food or why are they entitled? And I’m not, or, you know, something that seems innocuous and purely beneficial. I, I can imagine, uh, another cadre of bad actors deciding that it’s, it’s, it’s worthless or worth worse than worthless. It’s detrimental to our culture for some reason and wanting to attack it. It doesn’t, it doesn’t feel like any particular mission would be more vulnerable or less than, than any other.

[00:15:59.15] spk_1:
Um, you’re correct. And one of the other things that is, has changed in, in this, in this sort of, you know, over time that I’ve seen is the availability of the tools to be able to perform exploits before you would actually have to be, you know, pretty well versed in hacking to be able to do any harm right now. It’s, you can, you can buy the service. I mean, you could just go to the market on the dark web and just say, hey, you know, I want to buy this, you know, uh, this hacking kit, you know, and, and, and, and there’s youtube tutorials on how to do it. I mean, it’s becoming, and, and these are, the tools are free and readily available. So what we’re seeing more of is not only just this trend of people wanting to and, you know, and maybe that hasn’t changed, it’s just that it’s more accessible, right? But, you know, people wanting to, you know, target communities and, and, and, and also try to find valuable data within these communities, but also their ability to do so it’s become easier and there, you know, and, and so you combine those things together and that’s why we’re seeing the trends we’re seeing. That’s one of the reasons

[00:16:21.11] spk_0:
you no longer have to be a sophisticated computer user. It doesn’t take a lot of study, you’re saying these things are available for cost or free to cause harm. All

[00:16:29.81] spk_1:
right.

[00:16:39.80] spk_0:
Alright. So how do we, how do we break this down for folks in small and mid sized nonprofits, you know, that, that they can sort of prioritize? I mean, is it as simple as let’s start having universal two factor authentication for everybody on your teams or maybe that’s passe maybe, maybe we’re past that now. I don’t know, how should

[00:19:30.66] spk_1:
we, you know, you, you make a good point. So for example, like the first thing I think people should do is, you know, or, or what you know, uh would be recommended and to think about it is to do the basics. Okay. What things like what you mentioned is like like multifactor authentication, um you know, anti malware on their clients, keeping things up to date and, and making sure you have backups of your data, these are sort of the basics, right? And so apart from the basics, though, you know, the next step above that is to then start looking at what we call privileged access management or role based security, not everybody needs to have access to everything, right? So, so, so let’s say, for example, a system was compromised with somebody’s permissions or credentials, depending on what they have access to, they could only do so much. And so there’s a, there’s a, there’s an important concept in cybersecurity that we call the privilege, the principle of least privilege. So, and that sort of dictates that a person really only needs access to the information that they need to do the role that they’re trained to do in their specific function. So if, if, if somebody is, you know, in I T, somebody who’s familiar with I T systems, uh they understand sort of the complexity involved and they may have access to privileged systems where they can perform things and have access to that sensitive data, but not the entire organization, right? And so we call that privileged access management. And sometimes, especially with today’s as we’ve moved into the cloud more when things get fired up and somebody spins up an app in the cloud, the cloud as well, generally have some basic role based permissions like the admin, you know, maybe a super user and then maybe some groups and then, and then just the regular users, right? You don’t want to give everybody admin rights. And so because then if somebody, if that just, that just provides more exposure and so these are small things that don’t take a lot of time or effort really to just sort of that, that’s a little bit beyond the basics though because um you know, and you know, for, you know, tech soup, for example, provides, you know, office 65 or 65 go for, for, for work space organizations. And once we, they provision, the next step is to really go in there and sort of harden them a little bit and lock them down and to go through that steps and understand what that looks like. So that um as people start doing things like maybe downloading spreadsheets that contain donor data or customer data that it’s not, somebody can’t accidentally just share that with somebody, you know, outside the organization or, or that becomes available on the general public internet.

[00:20:02.06] spk_0:
So how do we execute some of these things that are, that are more advanced, you know, beyond the backing up the multi factor authentication. Alright. So if you move into privileged access management, we need a, we, we either have a C T O which most listeners probably don’t or we need some outside help.

[00:21:13.19] spk_1:
No, actually, I think that a lot of these, you know, cloud based applications will provide guidance. The good news is is that they have an interest in protecting and wanting you as a, as a customer as well as, you know, the fact that it’s a shared data model. And so the the better that they do in terms of providing information about how this works, the better, you know, the, the the, you know, the people who use that product is going to benefit from it. And so generally in these, you know, you know, and these things aren’t if you have somebody who is at least responsible for the deployment of the technology and they don’t have to be an advanced, you know, computer scientists to do the work of the cloud app then. But somebody should be sort of designated within the organization to ensure some of the basics about the way data is handled. And, you know, getting to one of the export points, I wanted to bring up one of the most important things to understand for an organization is what data do they have? Where does it live and what is the value of it? And what is the value of Michael before we, before

[00:21:22.02] spk_0:
before we move to what, what’s our data inventory? I want to emphasize this, I wanna emphasize the value of being in the cloud. So there is there is value to using uh CRM databases that are cloud based versus server based at, in your office anymore.

[00:22:47.49] spk_1:
Correct. And for so many reasons and, you know, uh, and, and moving to that topic because a lot of the ways that systems are oftentimes breached is because what things we mentioned earlier, such as they’re not patched, there’s, um, not, not very good perimeter security on them. These things are taken care of for you, um, and they’re not backed up regularly. Um, those things, these things are taken care of for you in a sassy application. Um If it’s, if it’s a robust SAS application, like the kind that takes provides. And so when we, when we go to, you know, vet an offer that’s going to be in our marketplace, we we, we go through the list to ensure that this is gonna be a product that will serve the pole, the test of time and actually will, will be robust in, in the requirements necessary for our organization to protect their data. And so, and, and so that leads to, you know, also that making it more but maybe a little bit easier for organizations to then lock down their cybersecurity because they don’t have to have experts come into their closet or their data center and, and do this configuration and do all these updates are very technical on their firewalls and all the hardware and everything all the time in their own infrastructure, it can be managed within the cloud by people who are not necessarily have that sort of, you know, the Cisco CCN a sort of certification? Alright,

[00:23:07.85] spk_0:
thank you. I just, I wanted to drill down absolutely. Very

[00:23:11.75] spk_1:
good point.

[00:23:15.98] spk_0:
The value of from a security perspective, the value of the cloud. Alright, so let’s go to what you were, you were headed to what your data inventory, what what do you have? What what do we need to be? What do you want us to think about their?

[00:23:32.71] spk_1:
Yeah, so no data is not all data is not created equal, so to speak, right? So we have, we have data that it’s just things like, you know, my notes when I’m, you know, talking in a meeting or something like that. Okay. There’s nothing valuable with that. It’s, you know, generally not containing anything that’s sensitive. It’s sort of my notes from a meeting. Okay. Now, if that is something that, you know, maybe I don’t want to share, but it’s not something that, you know, if a hacker birds look at that so I can’t sell this and it doesn’t contain anything that’s gonna, I can do any harm with. Right.

[00:24:09.30] spk_0:
Well, it might depend, it might depend who’s leading the meeting. You might have different, you might have different sets of notes depending on who’s leading your meeting. You know, you might be commenting on the commenting on their uh I don’t know their, their capacity. I mean, not to suggest

[00:24:16.36] spk_1:
that people

[00:24:30.71] spk_0:
know, I’m actually, I’m actually having fun with you like, if somebody at tech soup was not a very good, not a very good speaker or supervisor, you know, then those notes you might not want in the public domain. But if the person is carrying their weight and they’re generally a good, good employee, you know, you have a brighter set of notes that you wouldn’t feel bad about getting exposed. That was my, my point. I guess I wasn’t, I wasn’t coming, I was coming across so dry. It was, it was desert, it was desert dry.

[00:27:18.46] spk_1:
No, I’m glad you brought into it. The, the, yeah, the types of data that you know, we think about when we think about the difference between data privacy and data protection to me, they’re very linked, right? So we, we have a responsibility to protect people’s data and the privacy of their data, but also to protect the security of that data. And so, you know, fundamentally speaking, generally in organizations in the sector, there’s gonna be some, you know, information that’s sensitive or may have some value and if we identify that and identify where that lives and then focus our energy on securing that, making sure that that data is backed up. Um and, and testing access to it, that’s, that’s, you know, if you have limited resources, that’s the place to really focus your attention. And then the other stuff is great. I mean, and use using robust tools like we provide um in our marketplace such as box for document repositories or even sharepoint, those can all be really configured for. So any type of theater, like even my notes from, you know that, you know, or my supervisor notes about me or your notes about me can be secured, you know, um you know, in a very robust way or shared. And one of the things we’re seeing, for example, especially the document collaboration software, it’s very easy to share things. They make it very easy to share with anybody, right? Just click and it always says like share with anybody with link, you know, you know, and so if you, if it’s something like, oh, you know, um uh oh somebody just sent me, you know, or they told me to put in my, you know, take a picture of my passport or something and, and stick it in here, right? And, and I, and the somebody has in the human resources once said, oh, I’m just gonna share this link and make it copied everybody. Now everybody has access to your past potential, everybody has access to your passport photo and I D so, you know, these are the things that we just have to sort of like start thinking twice, which brings me up to my next point. Um Security awareness within organizations, cybersecurity awareness, I cannot stress enough how important it is for organizations to have a cyber security awareness program within the organization. This these programs don’t cost a lot of money. They don’t take a lot of time and they go a long ways to prevent Uh an internal mistake that could lead to something 80% of cyber attacks happen from the inside.

[00:27:27.33] spk_0:
What does this cyber security awareness program look like?

[00:28:34.34] spk_1:
So essentially, so for example, um they’re usually conducted on point of like orientation for an employee that comes into an organization and they go through a video, you know, provided by a platform like no before which is in our marketplace. And, and what they do is they sort of go through this, this methodical sort of, you know, force to teach somebody about fishing about sensitive data about ways that people try to get access to information, either through cell phone, fishing through text fishing through um email phishing or through other means to or even on Slack to say, to try to fool you into providing some information um that they, that they can use a huge trend in this arena is what we call impersonation fishing. It’s a specifically targeted phishing email that looks like it’s coming from somebody within your organization such as your CEO, your CFO or uh the human resources director asking you to provide or update your banking information. And it’s very carefully crafted, crafted, it looks just like that and you really have to do a lot of due diligence to really go through there and say, oh, did this really come from our CEO having

[00:29:03.26] spk_0:
Haven’t there been cases where like a spoof email like this says, you know, wire $50,000 to this vendor account. You know, we’re, the payment is overdue. We need to wire this payment ASAP. And of course, it goes to the Bad Actors account. Isn’t there? Stuff like that? It looks like it’s like the treasurer saying, send a wire or the CEO saying, send, make a payment.

[00:29:40.35] spk_1:
That’s right. Exactly. And, and, and we’ve, um, and if you have an organization and people haven’t been trained to recognize that, you know, if somebody’s asking you for something and it’s something of value, double check it, you know, and, and to contact that individual in a different channel and say, did you really need me to send $50,000 in this wire transfer? I just want to check is this actually came from you? There’s other ways that they teach you in these orientation platforms or in these um security awareness platforms to check the email headers and, and the simple things, but essentially that’s the gist of it. And that’s why security awareness training is so important. So, so people are on their toes when they’re actually doing their work,

[00:30:03.43] spk_0:
do you recommend then ongoing training? You talked about orientation,

[00:30:51.51] spk_1:
there’s, there’s an orientation training and then, you know, most organizations will have it mandatory that they do an annual training and, and this just as a refresher course and also things change. So, you know, the space changes. Sometimes people are doing it now because of the trends more often like every six months. And then specifically for people who are in jobs where they’re doing data handling for, let’s say they’re doing data processing, they work in the donor uh services program or something where they’re managing sensitive data all day long. They’ll be specialized courses for people who are, are actually dealing with data on a day to day basis. So that’s a little bit more involved in terms of actually how to understand and, and that goes into things like, don’t download, you know, a C S V file on your computer and stick it onto a, you know, um, a thumb drive on your computer or transported or, you know, don’t, you know, send out, you know, via email to, to a coworker and, and these sorts of things that are specific to handling sensitive data.

[00:31:04.59] spk_0:
Okay. Interesting. Yeah. So even, even just emailing internally from employee to employee can be risky,

[00:31:37.20] spk_1:
yes, it can be stiff. It’s, and, and there’s because, for example, if, because that’s actually it’s going to stay within that email store wherever that is located. And it’s, um, if it’s unencrypted, it’s gonna be, it’s gonna be encrypted during transit, for example. Um, and, and encrypted at rest. But if somebody else had access to that access to your email server or a privileged access in your system, they could potentially go in and, you know, take over that account, log in as the CEO and have access to the deed and actually browse emails for, you know, and actually do queries and look for credit card information or, or look for email addresses and then they could potentially find information about donors or, or, or, or constituents that sensitive.

[00:35:08.08] spk_0:
It’s time for Tony’s take two. It’s time to get back in people’s faces. Again. Last month, I did a in person live face to face in person training on Long Island. I was in New York City for several days. What a joy. What a pleasure. What a difference, an improvement, you know, over virtual trainings. I mean, look zoom is, I’m all flustered. Zoom is, is necessary and I’m not saying necessary evil. It’s, it’s, it’s a part of the culture, whether it’s zoom or teams or Google meet, you know, whatever virtual meetings, they’re just a part of our lives now. No question about it. But don’t make those the default if you have the option to get back in front of people in person, I urge you choose that option. Uh You know, I could have passed on the opportunity to do the in person training, but I didn’t want to, I didn’t want to donor meetings to while I was in the city face to face meetings again, coffee lunches. It’s just so much better, so much more real than anything virtual can offer. Um I had a meeting, lunch meeting just about 10 days ago or so with someone from Heller consulting, which is gonna be Team Heller. They’re going to be our 23 NTC sponsors at the nonprofit technology conference coming up in Denver And the woman who works for Heller happens to live within 45 minutes of where I live in North Carolina. So we got together for a, a real lunch. We had lunch together over the same table. Remarkable. You know, it’s yeah, more real authentic. I urge you if you can meet someone in person instead of virtual, do it, do it. It makes the world of difference. It’s time to get back in people’s faces again. Don’t make virtual your your default. If there’s another way first, I urge you to do it. That is Tony’s take two. We’ve got Boo Koo but loads more time for beat back cyber attack with Michael Enos. Talk about not preserving data that you don’t need to preserve. Like credit card numbers, full numbers for instance, or dates of birth or other things that aren’t necessary for you to preserve. Isn’t there, isn’t there value in trimming down sensitive data that you don’t really need?

[00:35:40.17] spk_1:
Yes. And and one of the principal aspects of data handling is an optimization of data. So you know, there’s there’s transactional data that happens. And oftentimes, for example, with credit card things are processed nowadays, you’ll usually use a payment processor. So, you know, hopefully you’re not actually you know that server that actually storing that information is not on your box anymore because there’s, you know, you know, you can use an API and a web site and then it happened somewhere else and they take care of all that stuff for you. So, if your systems were hacked, they wouldn’t have access to the credit card data

[00:35:55.19] spk_0:
or,

[00:39:00.73] spk_1:
or Braintree or one of these sorts of services, you know? Exactly. And, and, and so those go to those payment processors and they manage all that, um, which is great because then you, it reduces the amount of exposure on your e commerce site or fundraising donor donation site. And if you’re using a donation software program, like, you know, donor perfect or one of these sites, that’s what they’re doing as well. You know. So they, you know, because, because they, they want to use because that you really have to have the best of breed technology to be able to make sure that that stuff gets that, that’s really super secure and they have higher standards and compliance standards by which they attest to the. Um, and so however though, let’s say you’re, you’re doing an email list to your constituents, right? Um You know, you’re gonna need some marketing data, you’re gonna, you know who to send this, this information to, but you don’t need everything about that individual. You don’t need things like that really. I mean, you may need the basics but you should be using a marketing provider that is secure and you should, you should transfer, get that information to them in a secure way and you should ensure that if that individual wants to opt out. Um and they, all these things should be an organization’s privacy policy so that people understand how their data is being used if they sign up for a newsletter or things of that nature. However, you know, I think your point specifically um oftentimes reports about, you know, activities, engagement, you know, that go into reports for executive or for things that are put into a PDF or in another format, the data should be anonymized. So the only thing that’s there is, you know, aggregated information about, you know, the engagement and not all they shouldn’t be able to drill down and see, oh who is this exact individual? Now if they need to know if it, if they want a donor report about, you know, I want to know exactly to see who um are the top donors and, and such, you know, there should only be limited people within the organization who have access to that data, to be able to see that information that goes back to my other point about um privileged access management. There are gonna be some, there’s gonna be some reason why people aren’t gonna wanna know specifically about, you know, who’s engaging with the community. And also oftentimes on the client level, we need to know that the people who are providing services to communities need to know exactly who these individuals are and more sense of information. And that’s why I was talking about earlier about, you know, understanding where that data lives and, and only having as much as you need to fulfill the function of that, you know, whatever you’re doing. Um and, and having that, you know, and making sure that’s really locked down when I worked in the food down. When I worked in the food and security sector, we had people going out in the communities and helping sign them up for, you know, um cal fresh, you know, essentially benefits, you know, for people to get, you know, you know, government assistance and they had to collect really sensitive information. But what they did is they had ways to you securely transmit that information to the local human resources agencies so that it was all encrypted, it was protected and then once we transmitted that we didn’t have access to it,

[00:39:44.68] spk_0:
what about vetting vendors? You know, if, if you’re offices using a male house, uh you know, some of the data that you just talked about for, for mailing? Um I can’t, I can’t think of other examples of vendors that could be. Well, events, events could have, could event management might have some sensitive data. What, how do you vet your vendors to make sure that they’re taking appropriate actions to prevent theft, fishing, you know, to, to defeat defeat, or at least you can’t defeat them, but at least minimize the threats. How do you, how do you check these third parties that you’re working

[00:41:16.80] spk_1:
with? Well, you know, that’s a big part of my roller tech soup. So whenever we, whenever we work with, with, whenever we’re going to be using a new product or app or something like that, it’s my job to go in and actually check and organizations, these, you know, these application providers will provide um on their site or they should and if they don’t, you shouldn’t use them, but most of them will provide on their site access to their information security program and what they do where their data is located, what they do to protect it, their compliance levels, their certification levels, um whether they do audits, whether or not they do penetration tests And what type of and, and, and everything to that order and that should be vetted by, by somebody before they onboard an aunt. And we do this all the time. We use a lot of different apps to Texas north of 100. And so we, every time we were on board one for some utility within the organization, we make sure that they meet this standard. There’s, and we actually, since we’re a third party vendor for other people, they have the same for us so that a lot of the work I do as well as to, you know, report out periodically to all the people who are using our, our platform to facilitate their data to organizations and you know, what sex, what tech soups information security program like. So this is, you know, because creates transparency, but it also helps people understand what the risks are, which helps when you’re in a situation where I needed to go and advocate for resources to institute a cybersecurity program.

[00:41:47.96] spk_0:
I want to ask you about the board’s role in all this. But, but is there anything more that you want before we get to the board? Anything more you want to talk about threat minimization policies? Anything we haven’t covered that you want folks to know about?

[00:44:14.11] spk_1:
Yeah, I think that one of the things that is, you know, that we haven’t mentioned yet is preparedness for an incident, essentially a security incident, incident response plan. This, you know, is another thing in that sort of list of five that an organization should understand. Um if you have a situation where your data’s been um breached. And, and one thing I do want to do is to describe quickly, even this kind of a dry topic is there is a difference between a security incident and a security data breach. A security incident is could be something as innocuous as somebody just knocking off your website and taking it down with a DDOS attack. Now that sounds in Oculus because it’s just, it doesn’t sound innocuous because it’s disruptive because nobody can get your website, but nobody’s taking the data. And as soon as that denial of service attack is stopped, your website maybe still functioning. Um But that’s an incident and a data breach is different because now you’ve got to do a couple different things. You’ve got to number one, find out how the breach occurred, which you should also do in case of the DDOS attack. Um But above that, you also need to then understand how to respond to, you know, what data was breached. What’s the scope of that data and who are the individuals and, and what’s our plan to reach out to those individuals and notify them about the breach? And was our policy around that? And who do we have to include in terms of communications internally and legally and, and to provide that transparency because for a number of different reasons, number one, it’s the right thing to do. Um and number two, because it actually helps build trust within, within communities because if people understand that, you know, these things happen and they happen to some very, very large organizations, right? We, we know about these, these really large breaches, but the more transparent they are the more the consumers or the constituents who used those products. Think gosh, they really responded well to this and they acted immediately, they communicated appropriately and they remediated, you know what happened and, and that was the responsible thing to do and you don’t wanna be doing that in the middle of a breach. So, having a plan up front helps during that process because otherwise it’s just too much at one time, everything and

[00:44:21.00] spk_0:
the plan is gonna lay out who’s in charge, who makes, what kinds of decisions, um,

[00:44:27.43] spk_1:
notify. Right. And what’s the playbook essentially? Yeah.

[00:44:52.19] spk_0:
Like, I mean, it could even, it could even break down to needing a remote place to work. I mean, go go that far or because we’re because we’re hopefully in the cloud we don’t like like if our physical infrastructure gets um compromised, do we need to go off site? And, and what’s the technology, the technology capabilities in our, in our off site work location?

[00:45:17.93] spk_1:
Well, that’s actually a little different. Um so we usually talk about that in terms of business continuity plan. So and, and that would be the same sort of plan you would enact case of a natural disaster or something like that. I mean, is a business continuity and, and that’s far exceeding the scope of what we can discussed today, although I’d be happy to discuss that. Let’s not let’s not

[00:45:22.65] spk_0:
I don’t want to panic folks. Okay. Alright.

[00:45:25.60] spk_1:
Alright. Alright,

[00:45:27.20] spk_0:
you got me focused on, you got me focused on like I don’t know, natural disasters and terrorism. All right, let’s

[00:48:44.52] spk_1:
go to the board. Okay. Alright. So, so one of the things that boards were all right. So organizations nowadays are let’s put cybersecurity is becoming and, and is becoming as important as sort of financial security with an organization. The two are becoming linked together An organization. And so for many years, as we all know, uh 501 C3 organizations in the us are generally bound to having a financial audit annually. Right. And then they report to the board and the board will make sure that, you know, there’s a financial audit to ensure that the funds are used judiciously. Um there’s oversight and governance over these matters. Cyber security is becoming as important as financial security because the two are linked together. If there’s a because it could affect it. If you have a ransomware attack, it could affect the viability and the business sustainability of an organization. So it’s a very serious matter. It’s becoming a very, very serious matter for organizations to then think about cybersecurity as a compliance issue, not just nice to have. And so helping the board’s understand that this has shifted from a situation where, oh, well, you know, there’s nobody’s going to attack a nonprofit and uh you know, and if they do, you know, it’s, our data isn’t very important. Um It’s things have shifted, right. So I think recently there was a community, um it’s one of these cities, for example, was an entire city was, has been locked down for days because our grants were attacked and so nothing can function within the city because, you know, um that’s going to affect everything within the city, not just their continuity and safety of people, but also um it’s gonna have a financial impact. So cyber security is becoming more like a compliance issue and a governance issue. And so I think if boards understood that, then they would understand the need to prioritize and to provide funding and resources for those within the organization. Whether that if a small organization that the CFO or the C 00 or even the CEO to then say, look, we need to carve out some resources to be able to understand our risk and the best way to do that would be to do a third party risk assessment and with, with somebody to come in and actually do an evaluation and say, because they’ll come in and do, you know and come in and say, hey, look, these are the, you know, we come in and, and these people are vetted, their, this is their job and you know, they’re safe to work with and go in and say this is where you really need to. These are the critical things, these are, you know, not important things and these are the nice to have and they’ll, they’ll lay it out for you and then you can develop as part of your strategic plan as an organization just like it should be part of your business plan and should be linked to the business plan because the strategic plan for the organization and then the funding, the budget resources, the resource planning and all these things should be baked into the operational strategic plan for an organization. That’s where we’re going in the sector.

[00:49:03.09] spk_0:
Okay. It belongs as part of your strategic plan, your business plan. Alright.

[00:49:50.46] spk_1:
Yeah, and, and that’s where I think that it’s um uh it’s just like I said, I think where a board comes in is to helps understand that so that they could then authorize and, and oversee and ensure that an organization is doing this work and it’s hard work because, you know, you may have limited resources where we’re gonna carve where we’re gonna carve this out. And however, the good news is that there are people who want to fund this, there are grantmakers who are super would be super happy to be able to say, look, I’m gonna help, I’m gonna capacity impact um grant to this organization to help improve their cybersecurity because of these trends that we’re seeing. And so, and then you can use that as a mechanism to possibly help fundraise to offset some of the funny. So it doesn’t have to come out necessarily of your operational costs.

[00:50:23.28] spk_0:
Okay. There are foundations that will fund fund this. Yeah. Alright. All right, we’re gonna leave it there, Michael. Thank you, Michael from Montana, Michael Eno’s Senior Director of Community.

[00:50:26.28] spk_1:
And it’s

[00:51:30.65] spk_0:
my pleasure to thank you, senior director of Community and platform for Techsoup Global he’s on Mastodon at Michael underscore Eno’s at public Good dot Social and Tech soup where you’d expect them to be techsoup dot org. Next week, I’m working on it. Uh, and I assure you that there will be a show next week because this is show number 630. And I’ve been producing a show every week for 13 years close to. So I assure you there will be a show next week. I just don’t know what it’ll be about, but don’t bet against me because there is gonna be a show. You know, you’re gonna lose if you bet against there being a show next week. If you missed any part of this week’s show, I beseech you find it at tony-martignetti dot com. Our creative producer is Claire Meyerhoff shows. Social media is by Susan Chavez, Mark Silverman is our web guy and this music is by Scott Stein. Thank you for that affirmation. Scotty B with me next week for nonprofit radio big nonprofit ideas for the other 95% go out and be great.

Nonprofit Radio for July 25, 2022: Cybersecurity 101

 

Matt Eshleman & Sarah Wolfe: Cybersecurity 101

Our #22NTC coverage picks back up with a summary of the tech threat landscape, key policies and procedures to have in place, and how to make the case for devoting resources to IT protection. Our guests are Matt Eshleman and Sarah Wolfe, both from Community IT Innovators.

 

 

 

 

Listen to the podcast

Get Nonprofit Radio insider alerts!

I love our sponsors!

Turn Two Communications: PR and content for nonprofits. Your story is our mission.

Fourth Dimension Technologies: IT Infra In a Box. The Affordable Tech Solution for Nonprofits.

Apple Podcast button

 

 

 

We’re the #1 Podcast for Nonprofits, With 13,000+ Weekly Listeners

Board relations. Fundraising. Volunteer management. Prospect research. Legal compliance. Accounting. Finance. Investments. Donor relations. Public relations. Marketing. Technology. Social media.

Every nonprofit struggles with these issues. Big nonprofits hire experts. The other 95% listen to Tony Martignetti Nonprofit Radio. Trusted experts and leading thinkers join me each week to tackle the tough issues. If you have big dreams but a small budget, you have a home at Tony Martignetti Nonprofit Radio.
View Full Transcript

Transcript for 601_tony_martignetti_nonprofit_radio_20220725.mp3

Processed on: 2022-07-23T23:48:11.167Z
S3 bucket containing transcription results: transcript.results
Link to bucket: s3.console.aws.amazon.com/s3/buckets/transcript.results
Path to JSON: 2022…07…601_tony_martignetti_nonprofit_radio_20220725.mp3.159997831.json
Path to text: transcripts/2022/07/601_tony_martignetti_nonprofit_radio_20220725.txt

[00:02:05.14] spk_0:
Hello and welcome to Tony-Martignetti non profit radio big non profit ideas for the other 95%. I’m your aptly named host of your favorite abdominal podcast my goodness. Last week’s show was great fun. They’re all fun. But the last weeks 600 show was great fun. Oh I’m glad you’re with me for this week’s fun show I’d be thrown into an echo Griffo sis if you clawed me with the idea that you missed this week’s show, Cybersecurity 101. Our 22 NTC coverage picks back up with a summary of the tech threat, landscape key policies and procedures to have in place and how to make the case for devoting resources to IT protection. Our guests are matt Eshelman and Sara Wolfe, both from community I. T. Innovators, non tony steak too. My boys just cracked like I’m 14 years old, please start your plan giving with wills. We’re sponsored by turn to communications. Pr and content for nonprofits. Your story is their mission turn hyphen two dot c o and by fourth dimension technologies I. T infra in a box. The affordable tech solution for nonprofits. tony-dot-M.A.-slash-Pursuant four D. Just like 3D but they go one dimension deeper Here is cybersecurity 101. Welcome to Tony-Martignetti non profit radio coverage of 22 NTC. The 2022 nonprofit technology conference hosted by N 10. Our coverage brings me now Matt Eshelman chief technology officer at community I T innovators and Sara Wolf sales

[00:02:15.50] spk_1:
manager

[00:02:16.64] spk_0:
Also at Community I. T. Innovators. Matt serra. Welcome to non profit radio

[00:02:23.14] spk_1:
Thanks. tony It’s good to be here.

[00:02:25.34] spk_2:
Thank you. Glad

[00:02:42.84] spk_0:
to have you. Pleasure to have both of you. Um Your session topic is defending against Bogart’s and boogie men understanding and pitching cybersecurity for the accidental techie sarah. Why don’t you get us started? Let’s define accidental techie. I think we have a lot of them listening but they may not know it.

[00:03:13.44] spk_2:
Yeah so accidental techies are the people at an organization that are not necessarily somebody who’s been trained in I. T. But is relatively tech savvy and so they end up being the ones who help their coworkers with tech issues or are the ones that end up wearing the I. T. Support hat even though they might necessarily have they haven’t necessarily gone through professional training for it?

[00:03:32.14] spk_0:
Okay. Right so they know enough that they know more than others but they’re not they’re not professionally trained in technology. Okay and and matt why are why are Bogart’s and boogie men your your description says an accidental techies biggest nightmare what’s lurking there?

[00:03:38.23] spk_1:
Well I think yeah

[00:03:51.34] spk_0:
I don’t even know. Yeah I’m not even an accidental techie. Okay there’s the first problem you like you’re suffering a lackluster host obviously. Okay. Alright

[00:04:28.24] spk_1:
so they I think the takes the form of kind of your your biggest fear and so yeah whenever it appears it it shows up as as what you’re most afraid of um you know and I think for for folks that are supporting nonprofit organizations. Yeah there is this fear of of kind of what could be lurking out there, What kind of threats could impact your organization. Uh and for many folks, especially the accidental techies, they don’t have that background training and experience in terms of how to protect their organization. And so that’s why we wanted to to have that session to help provide some tools and equipment so that people that, you know, have that responsibility, but maybe not the training can pick up a few, a few tips.

[00:04:40.74] spk_0:
Okay. Why don’t you, why don’t you start us off? What would uh what would you like folks to know about that? They don’t know well enough, but they ought to.

[00:05:30.74] spk_1:
I mean, I think the biggest thing for for folks to understand is just I think the importance of what’s called multi factor authentication. So M. F. A. It’s often referred to uh it’s something that, you know, which is your password and then something that you have and for most folks that would be an app on their smartphone. Um and what this gives is an extra layer of protection, you know, we all know people’s passwords get compromised and and kind of stolen all the time. But if you can add that extra layer of, you know, an app on your phone to protect that login, then you’re much much less likely to have your account compromised. And kind of, what we see is that most compromises then, you know, will then lead to other things that you know have significant damage in terms of, you know, emailing, you know, all of the contacts in your organization’s database, uh sending out malicious links, you know, sending out updated payment information so that can kind of lead to a lot of other bad things. And so if we can protect that account with M. F. A. Then the organization becomes a lot more secure.

[00:05:46.54] spk_0:
Okay. And you’d like to see this mandatory? Not opt in

[00:06:16.74] spk_1:
that is exactly right. You know, Microsoft and the other big Um you know, tech providers are starting to enforce that now as a as a requirement, but if you’ve been in office 365 or if you’ve been in Google apps for a long time, uh it’s not required and it’s something that organizations need to take a couple of steps in order to set it up and roll all their staff provide training uh just to make sure that it’s set up and working correctly.

[00:06:27.54] spk_0:
Okay. So we should be doing it, we should be opting in where it’s optional and we should make make it mandatory if we’re the we’re wearing the hat of the uh the accidental techie,

[00:06:32.04] spk_1:
yep. Exactly. Right.

[00:06:37.94] spk_0:
All right. All right. Sarah, what else, what else can you share for? Are these folks

[00:08:13.14] spk_2:
I think for the next biggest thing uh is, you know, making sure that your staff, you know, are actually aware of the different security risks and things like that? Having a security awareness training program is one of the best ways to make sure that even if something, you can have all of the fancy tools in the world, every single like filter and everything, something’s going to slip through. And if you have staff that know what to look for and know not to click on something or not to go on that website or not to, you know, enter their information in various different places. Them having the knowledge is going to be one of the biggest returns on investment in terms of security, antivirus. Uh, we only, we had so few um, issues with antivirus last year, out of the 696 security incidents that we were dealing with, Only seven of them were viruses and only 45 of them were malware. And so it’s much more important for staff to be able to identify what’s a spam email, what, spearfishing. How can I tell if I’m looking at an email from somebody else whose account has been compromised and having the training to make them aware of. That is definitely worth the investment. And there are great tools out there, like, no before that, you know, are really easy to use.

[00:08:31.84] spk_0:
Okay. And so, uh, no, first of all, it was no before like K N O W K N O W before. Okay, I didn’t know about this, but I figured out no. Before. All right. But that’s not that’s not really saying much but any case. Um So is that a security training? Like is that online security training that folks can get it? No before or like how is this accidental techie gonna push this and and offer the training in their in their non profit

[00:10:02.94] spk_2:
That’s great. Yeah. So uh that’s a learning management software and that’s specifically for cybersecurity behaviors and tools. The way that you’re going to pitch this for your organization is to first gather your data, get your plan of attack. And a lot of times you know that involves one Looking for friends in the company to support you to getting data and you know trying to make sure that if you are able to um like find partners either within the organization or maybe even reach out to your board governance committee, um those people are going to be able to you know, help leverage some of the existing requirements that you have, if an organization needs to apply for cyber liability insurance a lot of times multifactor authentication is going to be one of the requirements. A staff security training is going to be one of the requirements. And so being able to leverage those and then putting it putting your plea into terms that people understand if your E. D. Is looking at, you know, what is the comparing the cost of of security, education software versus you know, financial compromise. Like there is a definite argument to be made there

[00:11:03.94] spk_0:
it’s time for a break. Turn to communications, media relations and thought leadership. Peter pan a pinto, a turn to partner was on last week. He’s a former journalist at the Chronicle of philanthropy. His partner scott is also a former journalist so they know what to do and what not to do to build relationships with journalists. Those relationships are going to get, you heard turn to communications, your story is their mission turn hyphen two dot C. O. Now back to cybersecurity 101 you mentioned cyber liability insurance. Is that is that something else? We should be flagging for these for these poor accidental turkeys.

[00:11:08.54] spk_2:
The

[00:11:08.75] spk_0:
beleaguered, beleaguered, accidental techies.

[00:12:16.64] spk_1:
Yeah. I think we’re seeing more and more organizations go through a cyber liability insurance kind of renewal process. Typically that’s something that’s handled by the, you know, the finance department of the organization. What we’re seeing is that, you know, for cyber liability insurance or even for financial audits, they’re becoming a lot more technical. And so it’s likely that if you’ve got any any tech aptitude at all, then you’re being enlisted to help fill out these applications to provide the detailed information that’s being requested. And so yeah, we’re seeing a lot more sophistication being, you know kind of demanded by these insurance companies in terms of, you know understanding which controls are in place because we’re seeing even cases where if you have not turned on multi factor authentication for all your your systems you won’t even be eligible for coverage. Uh and so it’s pretty dramatic that you know organizations are now being, you know, it’s a good idea to protect the organization, you know, for these cyber security controls. But there’s this also this extra layer of requirement from you know, insurance carriers now to say hey like you have to have this so we’re not gonna provide you insurance.

[00:12:40.94] spk_0:
Okay, okay. Sarah, let’s go back to you. I’d ask you about cyber liability insurance and then matt usurped unceremoniously uh usurped your your your your platform. So let’s go back to you what else, what else can you contribute for these for these folks?

[00:13:53.94] spk_2:
Yeah. So with with cyber liability insurance it’s something that oftentimes is getting you know much more of a top down decision making process. Somebody will have, you know, these things like the ransomware and and wire fraud and issues like that have been, we have bubbled up more inter in like the public awareness and so there’s a lot of top down pressure for these things to get adopted and you know there one of the things that they’re also going to ask for is you know, what are your plans? Do you have an acceptable use policy for your I. T. Do you have a plan for when something does go wrong, you know what do people know what to do, who to reach out to, what steps to take? You know because you know you you hope for the best to plan for the worst. And there are a lot of really good resources out there for developing these sorts of acceptable use policies for for creating incident response plans and you know you can um really it can get overwhelming sometimes the number of you know different resources that are available and what to use and what not to use. So you know partnering with somebody who does know you know a little bit more about cybersecurity or is providing that knowledge to the community. Um

[00:14:43.94] spk_0:
Let me guess that that that’s the work of community I. T. Innovators. Am I going out on a limb taking a taking a stab in the dark? Yes. Okay well we’ll get I’ll give you a chance for this for the shout out. Alright explanation. But I’m gonna ask you first what are what are some resources for folks? I mean I’m you got me feeling bad now for these people because we’re like we’re enhancing their to do list but this isn’t even their job that they’re paid for. But yeah we’re talking about looking into insurance and having policies and now now now they are now realizing they are beleaguered because it’s not even their job, they’re just got foisted on them because they know more than all the baby boomers in the

[00:14:53.77] spk_1:
office.

[00:14:56.64] spk_2:
Sometimes it is baby boomers who are accidental techies.

[00:14:59.85] spk_0:
All right. It’s probably not too often. Thank you for that, but probably not not too often. All right. But so what are some resources that folks can can rely on? You said there’s there are many, where can we look?

[00:15:14.44] spk_2:
So I’m going to start with the the self interest pitch first. Uh community I. T. Has a great um library of publicly available resources on our website and our Youtube channel um that are really great for digging into these kinds of things. Um A great

[00:15:30.38] spk_0:
places website. The website

[00:16:00.74] spk_2:
is uh community I. T. Dot com. Um and the one of the other places that I know that matt has as our cybersecurity expert has a lot of people start is with the cybersecurity framework by nest the um and that website have a link to it. It’s N I S T dot gov two slash cybersecurity framework.

[00:16:03.65] spk_0:
Okay. And I S T dot gov slash cybersecurity framework. So N I S. T. Obviously is a government agency, National Institute

[00:16:11.61] spk_1:
of Standards

[00:16:12.97] spk_2:
and Technology

[00:16:24.44] spk_0:
Technology. Thank you. So. Okay. Um Alright, so there’s a couple of resources um including community I. T. Innovators. Anything else you’d like to share with that folks can rely on?

[00:16:47.44] spk_1:
I’d say that there’s no shortage of resources out there. Techsoup is also a great resource. So in addition to the donations that I think we’re all familiar with Techsoup also has a courses and training and so they have some free resources that I would encourage folks to check out there. Um, so I think, yeah, there’s, there’s no shortage of resources that are out there to help people learn. I think, you know, the big, the big challenges is really putting it into action.

[00:17:16.24] spk_0:
What about a little uh, can we give some uh, psychological support to these beleaguered folks? Now? I’m telling you, you have me feeling very badly for them? Um, what we’ll get back to the to the bog arts and boogie men, I promise. But but uh, let’s let’s take a little digression to how we can support these folks other than recommending things for them to be aware of just like how can how can we support them otherwise.

[00:17:25.34] spk_2:
So I think that, you know, I’m trying not to turn this into a pitch for joint for having an MSP come in and like do you own this stuff for you? Because

[00:17:33.45] spk_0:
what’s an MSP

[00:17:34.70] spk_2:
MSP is a managed service provider.

[00:17:38.13] spk_0:
Thank you. That’s what you are

[00:17:40.09] spk_2:
support, we have

[00:17:41.20] spk_0:
drug in jail on non profit radio So yeah, but I, I saved you from from any any lengthy sentence. Okay, a managed service provider. Okay,

[00:18:35.14] spk_2:
so that is that is one of the ways you know that you can get support. The other thing is you know, really leaning on the rest of the community Text suit is a great place to look for resources and you know, the entire community is a place to ask questions. Um There are also you know on linkedin and facebook and places like that. There are communities that you can reach out to for wanting to event looking for ideas, looking for recommendations. Those are all um possibilities. I uh definitely enjoy seeing how many you know how ready people are when people post on the N 10 forums like I need help with this and like there are definitely people jumping on,

[00:19:12.74] spk_0:
it’s an enormously supportive community. Yeah I I fear that even though I say it a lot because amy sample Ward is on the show very often. She’s our technology contributor. Um and so she’s often saying it to that intent is not only for technologists but I I still think people have that misconception. Um It can be for folks who are not even you know not even responsible for technology in their office but they’re just using it. You know you’re just using it in your non profit and In 2022 like who is not using technology? I don’t think we’re running everything by index cards even if you’re on an excel spreadsheet, you’re still using technology. So.

[00:19:22.64] spk_2:
Yeah.

[00:22:28.84] spk_0:
Yeah. Well that yeah and line printers now you’re talking about when I went to college so be careful Sara it’s time for a break. Fourth dimension technologies. You heard the four D. Ceo jug in last week. Talk about I. T. As a service for nonprofits. They know they’re in a service business. Their I. T. Infra in a box. The I. T. Buffet. If you will is structured around service, take what you need and what fits your budget, leave the rest behind. They know their work is to serve your I. T. Needs comes from the Ceo directly fourth dimension technologies tony-dot-M.A.-slash-Pursuant D. Just like three D. But they go one dimension deeper It’s time for Tony’s take two. This is my silver jubilee in planned giving and august is national make a will month next month. So let’s start talking about your planned giving program launch with wills wills. Why should you start your planned giving program with wills This week? three easy reasons. First they are the most popular planned gift by far expects 75-90% of your planned gifts forever to be the most simple planned gift. The gift by will. So it just makes sense to start with what’s gonna be At least three quarters of your gifts anyway Behind door number two there’s no donor education. Everybody knows what a will is. Everybody knows they need a will and everybody knows how will’s work. You don’t have to spend time and money educating donors explaining to them the concepts of life insurance as a planned gift or charitable gift annuities or remainder trusts. You’re sticking with the basics, something that everybody understands and Behind door number three there’s no staff education, everything I just said applies to your staff to everybody knows what wills are, everybody knows how they work and everybody knows that they need one. So you don’t have to train your staff on life insurance and gift annuities and charitable remainder trusts completely unnecessary. You’re starting with the basics and you may never ever decided to go further and that won’t matter. But the place to start is gifts by wills for those three reasons, three reasons for today in any case. And that is Tony’s take two. We’ve got just about a butt load more time for cybersecurity 101 with Matt Eshelman and Sara Wolf Matt.

[00:22:29.94] spk_2:
What

[00:22:30.17] spk_0:
else? Um, let’s go back to

[00:22:32.94] spk_2:
what,

[00:22:33.16] spk_0:
what we can the rockets and the boogie men that

[00:22:36.24] spk_1:
we want

[00:22:36.47] spk_0:
to help these folks look out for.

[00:23:01.04] spk_1:
Um, yeah, I would maybe also just kind of come back in terms of what’s good about investing in this training is that it’s, it’s good to see progress And I think that’s one of the benefits as Sarah mentioned the know before platform. It’s great. You know, spend a little bit of money to invest in a platform because then you can actually see the progress of, you know, how many people are taking and passing these little trainings and then know before does a little thing called test fishing and you can actually see the percentage change of how many people in your organization are kind of clicking on stuff that they shouldn’t. And so, you know, whenever you test, yes,

[00:23:34.04] spk_0:
it’s great test phishing emails to your enemies in the office, report them when they click, when they click after two days after the training and they click, you can, you can turn them in. Now organization advantage. Now there’s an advantage to being an accident that you’re no longer beleaguered. You’re empowered. Yes, send, send, send a, send a test phishing email to my boss who just turned me down for getting the day after christmas

[00:23:46.84] spk_1:
off. So

[00:23:47.30] spk_0:
yeah, so it’s great.

[00:24:31.44] spk_1:
You can, you know, you can see, you can see progress and so not all of cybersecurity is kind of like doom and gloom and you know, battening down the hatches, you know, against the onslaught. I think it can be fun. It can be engaging. You know, uh, you know, I think organizations that yeah, do elevate it. And it’s something that, you know, people can talk about and talk about openly as opposed to, you know, being being silenced and kind of feeling bad about themselves. If they, if they clicked on one of those messages, right? Like that’s not the approach you want to take. You want to take the approach of encouraging that learning because, you know, if you got caught by a suspicious message, uh, you know, it’s likely somebody else got that too. And so having this kind of culture of openness and engagement. Yeah, is really successful,

[00:24:37.54] spk_0:
right? I agree. Unless it’s your boss who turned you down for the day after christmas, that then it’s then it’s vindictive reported

[00:24:40.64] spk_1:
to the board.

[00:24:49.24] spk_0:
Yes. Oh, without a doubt. So All right, well let’s stay with you matt. What else? Um what else can we? Yeah,

[00:26:00.74] spk_1:
I think the other thing that we started to see more of would be kind of financial fraud or what’s kind of called in the, I think the official terminology wire fraud. So you know, it could be something as simple as those messages people get, you know, that look like they’re coming from the executive director saying, hey, I just need you to buy these gift cards. Call me real quick. I got something for you to do. You know, we’ve seen people get caught up by that, you know, even to more sophisticated cases where people are getting tricked by well crafted emails that say, oh, I need to update my payment information or hey, we’ve got a grantee and they had a problem with their bank account and here’s the new bank account information. So uh you know, that kind of falls into an area where it’s, it’s not just a technology control. You know, there isn’t some product that you can buy that’s gonna magically make that go away. Um but it’s a combination of having training, maybe having some good spam filtering tools in place, but then also having some policy and procedures so that you’re talking about that with your finance department, uh, so that you, you have good processes in place. So it’s payments aren’t made just by one person making a change, but there’s some some review and some betting maybe we need to call somebody. So I think again, it’s it’s not just technology solutions, but really that that kind of the people in process comes in into these equations as well.

[00:26:22.74] spk_0:
It seems like they’re getting more sophisticated. Uh, the little savvy er like uh your your account renewed for $399, you know, click here to see the invoice. You know, I don’t know, they just seem, they seem like they’re improving

[00:27:35.94] spk_1:
well. And I think you’ve identified a key understanding is that uh this is this is a cyber crime. This is a criminal enterprise, right? This is financially motivated. And the bad guys are doing it, you know, not just to kind of go in and wreak havoc on your network, but they’re doing it to make money. Uh and so I think that’s also helpful for organizations to keep in mind, right? You know, you can be the greatest nonprofit in the world and be, you know, have the most noble mission. No, they’re not attacking you because of your mission. They’re attacking you because you have money and, and you might get tricked into yeah, doing that $399 renewal or maybe you updated a payment information and and that was $25,000. And so uh, you know, the mission, you know, does not matter For those, uh, you know, cyber criminals who are financially motivated and it’s a lot easier to, to kind of trick somebody into giving you $400 than it is to, you know, write some super sophisticated virus that’s gonna go on to your computer and encrypt all your files. Then you’re gonna have to try to figure out how to pay them in Cryptocurrency. Yeah. It’s just, it’s a lot easier to try to trick people into giving you money than it is to write, write a new virus. Yeah.

[00:27:49.14] spk_0:
Okay. And then of course there is the community of nonprofits that, that are at risk because of their mission. And because you know, we’re living in a polarized time. It’s, it’s no longer

[00:27:54.27] spk_1:
just

[00:27:55.34] spk_0:
um, hot button issues, you know, like gun rights or, or abortion.

[00:28:00.21] spk_1:
I mean,

[00:28:06.74] spk_0:
it seems like a lot of missions could trigger someone to do something malicious, you know, technology wise. Uh,

[00:28:27.94] spk_1:
yeah, I would say so. We really see that, um, primarily for organizations that are in the space kind of like government think tanks, policy groups, you know, kind of good good government. Those tend to be the kind of attack attract the most attention. Um, and then I think organizations that work on, you know, human sexuality and uh, you know, family planning and abortion services like are in that category as well. Right,

[00:28:39.24] spk_0:
Sarah, let’s turn back to

[00:28:40.94] spk_1:
you, what,

[00:28:41.21] spk_0:
what, what more can you share with us?

[00:31:26.84] spk_2:
Well the one of the things that you know in in that theme of you know it is financial, these these this has become a business enterprise and it’s become you know not necessarily organized crime but it has become something that is a multibillion dollar business. And um That is something that we’ve definitely seen. We’ve seen an increase in the number of incidents that we end up responding to like from 2018 to 2021. The number of cybersecurity incidents is that that community I. T. Was able to track tripled. And so you know there isn’t a way to really fly under the radar anymore and you’re right, these people are getting smarter. It’s not just all Nigerian princes looking for for oil or gold or whatever. It’s you know, there have been times where you know, we’ve seen examples that have been caught in the tools or that did get through and did nearly create an issue. And I sat there and looked at the email chain and I was like, I can’t tell where this jumped in and then you like have to like really highlight and look in and look in the details and you go, oh, oh okay. Like there was just like a one letter change in somebody’s email address, you know, or and like that can you know if if you don’t have the training and you’re not necessarily aware of that stuff and then the redundancy that that matt was talking about um making sure that, you know, it isn’t just up that that all of the keys to the castle aren’t in one person’s hands. Uh so that you can, you know, make sure that there’s additional eyes to see, you know, what you missed or to make sure that this is the real deal is, you know, really important. Um you know what, it’s, it’s definitely a frame of mind thing. You don’t want to be constantly consumed with worry and you know, be paranoid about everything and because that just takes, we’ve got a whole lot of other things going on in the world right now that we don’t need to be panicking about cyber security all the time and just doing a few relatively low cost things can really help with peace of mind. And you know, it’s worth taking the time, you know, penny wise, pound foolish is one of the other sayings that comes around a lot, you know, just to make sure that, You know, you don’t end up having to deal with a $25,000 wire fraud

[00:31:30.01] spk_0:
issue sarah. What were some of the questions that you got from the accidental Tuckey folks who were watching,

[00:31:38.84] spk_2:
they

[00:31:38.91] spk_0:
were with you?

[00:32:14.44] spk_2:
Yeah, there were some questions on like where do we start, like how do I like uh we, we pointed people to the Nist Nist framework has a chess checklist um of things that you can start thinking about and looking at as you know, places to start. There were also um questions about how do I how do I make sure that I can, you know, convince my my edie about this and

[00:32:18.14] spk_0:
leadership by in

[00:33:06.84] spk_2:
leadership buy in and you know, we really for that we really said, you know, try if if if if you’re, if you’re leadership isn’t necessarily into it, you have to get like there’s no right or wrong way to go about things that can be top down, it can be bottom up but making sure that if it’s something where your leadership isn’t as invested, making sure you gather allies, you gather allies and you gather financially focused um data to back you up. You know, cyber security is getting more frequent and it is getting more costly to have to address issues after the fact. And so, you know, those were, you know, some of the really big questions and focuses

[00:33:34.34] spk_0:
you and you had mentioned allies early on the value of having having friends uh sympathetic to the to the cause all you know, making this case together to to the ceo or wherever it needs to go. Um All right, matt you want to leave us with some well matt, let me ask you any questions that you uh that that Sarah didn’t mention that you, that that hit you as particularly interesting important.

[00:34:43.34] spk_1:
Um I think it’s important for for folks to to realize that, you know, just because their data in the cloud doesn’t necessarily mean that it’s, it’s backed up or it’s protected in a way that they, that they think it is. And so I think, you know, nonprofits have done a really great job of getting their data in the cloud platforms. You know, there’s been a lot of great donation programs and discounts and so non profits, I think have done a really good job of technology adoption. Um, but what we see is that they haven’t been maybe as strict on kind of the policy and the governance and some of the other supporting, you know, processes. So we think it’s really important that you understand where your data is and understand how it’s protected and just make sure that that lines up with what you, you know, your organization expects, you know, is it okay if somebody downloads all of your organization data on their personal computer? Like is that an okay thing to have happened? Let’s make, let’s make sure that we talk about it and understand that, uh, you know, and I think the same thing goes again, you know, if somebody deletes a file today, do we need to be able to recover it, You know, a day from now, 30 days from now, a year from now. And so I think just having some of those baseline settings and kind of testing them is a really important step to take

[00:35:01.54] spk_0:
backup recovery. You know those are not necessarily covered by just being in the being in the cloud and how what’s the time to recover?

[00:35:22.44] spk_1:
Right. Yeah. So I think a lot of those, you know quote unquote old school you know security methods or techniques are still important even if you’ve got your date in the clouds again having that third party backup, having an offline copy. Uh those are all really important steps to take to make sure that your organization’s data is well protected.

[00:35:24.94] spk_2:
Okay.

[00:35:26.14] spk_1:
All

[00:35:29.04] spk_0:
right. Why don’t we leave it there then? I feel like we’ve covered this.

[00:35:31.14] spk_2:
I

[00:35:31.51] spk_1:
think we’ve got the foundational element. Is

[00:35:41.34] spk_0:
there anything alright, is there anything on your mind just like oh wait I gotta get this in. Is there anybody, I

[00:35:41.67] spk_1:
mean I’ll put in a plug for multi factor authentication again I think it’s worth saying at least a couple more times

[00:35:46.63] spk_0:
because

[00:35:47.47] spk_1:
it’s the it’s the most important step that that that many organizations can take.

[00:35:54.74] spk_0:
Okay Sarah parting thought

[00:36:16.33] spk_2:
just gonna emphasize what matt said about the managed backup just now um you know it’s really important to know your settings and to discuss them because you know a lot of times data loss is actually accidental and so if you have a way to get it back that can save you a whole lot of heartache and headache.

[00:36:20.38] spk_0:
Okay we want to avoid

[00:36:22.00] spk_1:
both. Thank

[00:36:34.53] spk_0:
you that’s Sara Wolf sales manager at community I. T. Innovators and also matt Eshelman Chief technology officer at community I. T. Innovators. Sarah matt, thank you both very much.

[00:36:37.33] spk_2:
Thank you so much.

[00:36:38.26] spk_1:
Thanks tony it’s good to get to talk to you.

[00:36:39.97] spk_0:
All right, pleasure and thank you for being

[00:36:42.51] spk_1:
with

[00:38:02.03] spk_0:
nonprofit radio coverage of 22 N. T C. The 2022 nonprofit technology conference. I’m glad you’re with us next week tech policies to reduce toxic productivity. If you missed any part of this week’s show, I beseech you find it at tony-martignetti dot com. This is # 601 by the way, I don’t know if you’re counting. We’re sponsored by turn to communications pr and content for nonprofits your story is their mission turn hyphen two dot C. O. And by 4th dimension technologies I. T. Infra in a box. The affordable tech solution for nonprofits tony-dot-M.A.-slash-Pursuant four D. Just like three D. But they go on to mention deeper. Our creative producer is claire Meyerhoff. The shows social media is by Susan Chavez, marc Silverman is our web guy and this music is by scott stein yeah thank you for that. Affirmation scotty be with me next week for non profit radio Big non profit ideas for the other 95% go out and be great. Mhm. Mhm

Nonprofit Radio for May 8, 2020: Data Privacy Practices

I love our sponsors!

WegnerCPAs. Guiding you. Beyond the numbers.

Cougar Mountain Software: Denali Fund is their complete accounting solution, made for nonprofits. Claim your free 60-day trial.

Turn Two Communications: PR and content for nonprofits. Your story is our mission.

Get Nonprofit Radio insider alerts!

Listen Live or Archive:

My Guest:

Jon Dartley: Data Privacy Practices

Let’s have a romp through the fields of data privacy and cybersecurity, musing as we frolic on just how important the right practices and policies are to your nonprofit. My guest is Jon Dartley, Of Counsel at Perlman+Perlman law firm.

 

 

 

Top Trends. Sound Advice. Lively Conversation.

Board relations. Fundraising. Volunteer management. Prospect research. Legal compliance. Accounting. Finance. Investments. Donor relations. Public relations. Marketing. Technology. Social media.

Every nonprofit struggles with these issues. Big nonprofits hire experts. The other 95% listen to Tony Martignetti Nonprofit Radio. Trusted experts and leading thinkers join me each week to tackle the tough issues. If you have big dreams but a small budget, you have a home at Tony Martignetti Nonprofit Radio.

Get Nonprofit Radio insider alerts!

Sponsored by:

Cougar Mountain Software logo
View Full Transcript
Transcript for 488_tony_martignetti_nonprofit_radio_20200508.mp3

Processed on: 2020-05-09T00:45:18.281Z
S3 bucket containing transcription results: transcript.results
Link to bucket: s3.console.aws.amazon.com/s3/buckets/transcript.results
Path to JSON: 2020…05…488_tony_martignetti_nonprofit_radio_20200508.mp3.92969305.json
Path to text: transcripts/2020/05/488_tony_martignetti_nonprofit_radio_20200508.txt

[00:00:12.00] spk_0:
Hello and welcome to tony-martignetti non profit radio

[00:02:19.07] spk_2:
big non profit ideas for the other 95% on your aptly named host. This is our second non studio show produced using a dizzy audacity and zoom Oh, I’m glad you’re with me ID break out in Wall Dyer’s ring If I had to say the words you missed today’s show data privacy practices Let’s have a romp through the fields of data privacy and cybersecurity, musing as we frolic on just how important the right practices and policies are to your non profit. My guest is John Darkly of counsel at prominent Pullman law firm tony. Take two. Take another breath were sponsored by wegner-C.P.As. Guiding you beyond the numbers wegner-C.P.As dot com by Cougar Mountain Software Denali Fund. Is there complete accounting solution made for non profits? Tony-dot-M.A.-slash-Pursuant Mountain for a free 60 day trial? And by turning to communications, PR and content for non profits, your story is their mission. Turn hyphen two dot ceo. It’s a pleasure to welcome John Darkly to the show he founded and operated involve the Web application, development and design firm that pioneered online peer to peer fundraising list building and advocacy campaigns for non profits involved was acquired by Can. Terra. John probably made a lot of money there when Cantero was acquired by Blackboard John probably make money again, but he was also named senior deputy general counsel and information governance chair. Besides all that, he has more than 15 years experience representing nonprofit organizations. He’s of counsel at Perlman and Perlman law firm in New York City. The firm’s at Perlman and perlman dot com. And at tax exempt lawyer John Darley. Welcome the non profit radio.

[00:02:21.64] spk_5:
Glad to be here. Thanks for having me.

[00:02:23.19] spk_2:
Good to have you. That was, uh, that sounds like it was quite a run with involved in terra and black bod.

[00:02:29.54] spk_5:
It was definitely an interesting path. I like this day. It gave me a lot of kind of real world experience. Great to work on. Both sides. Both work on the software side now, back on representing clients. Yeah. Yes, it was interesting.

[00:02:43.11] spk_2:
How many years was that from? Like from the time from founding involved to being appointed senior deputy general counsel at Blackboard,

[00:02:52.74] spk_5:
right? About seven or eight years. And when I start with the ball off again, we working with some very large, not pop. It’s doing Web applications. This was like the first kind of friends asking, friends type approach on. Then we just kind of built out organically, like working with a non topic clients and eventually bought and bought again, as everyone knows a lot. Elation.

[00:03:26.39] spk_2:
Yeah, good, Wonderful. It’s a good trip. So it isn’t practicing law now. Boring. Without all that, you don’t have a let’s start up excitement and challenge and all those obstacles and frustrations.

[00:03:27.92] spk_5:
The grass is always greener. So, you know, when I was at that sign, it seemed like just being a lawyer would be very comforting. Now you’re like sometimes you miss the excitement. But I hope my clients and we have some smaller clients that are building, you know, interesting brands that you’re saying. All of this s o. I feel like I’m so not sure. I’m just advising my clients

[00:03:46.69] spk_2:
without without All the agita is the once removed once room from, uh, from rounds of rams of financing, et cetera,

[00:03:56.25] spk_5:
where you are like wearing having to pay painful, easy,

[00:04:32.40] spk_2:
right, Get back and I make right. Can I make the Yeah? Can I make salaries this week. Right? Right. So, um all right. Data data, privacy, cyber security. I think people probably understand, in our current environment, I’m not having to do with Corona virus, but just living in 2020. I think a lot of people are conscious of at least cybersecurity issues. Maybe not so much data data, privacy. But But let’s make sure, you know, give us some, uh, motivation for why data, privacy and cybersecurity should be paint paid attention to

[00:05:16.39] spk_5:
Yeah, I’m often accused of scaring people, and I think that’s a good thing, you know, frankly, I work with four profit stonework with non puppets now primarily. And from, you know, I was a non profit yourself 5 to 6 years behind the for profit world and taking privacy of cyber security. Seriously. Just, you know, in the for profit world is now a C suite. You know, job is open, it’s cheap. Obviously, Officer, there’s teams of people working on things, not hop it, and they are starting to learn the importance of taking the practices and putting these policies in place. But a lot of times is an infrastructure is do. The manpower is too but just to kind of take a context every year, the amount of breaches grow. Last year, $2 in 19 the amount of damages increase by about 17%. And just in the context of what that costs, the average reach across an organization almost $4 million now, given there are some very large reaches, so that kind of skews the results. But in terms of a per record, So think about donors. How many donors you have, Basically an average of $150 for every record loss is what you’re gonna pay in regulatory fees and other finds. Another kind of charges. So that’s, you know, a real real thing.

[00:05:44.28] spk_2:
Now, what about the comparison between, you know, corporate and non profit breaches mean? Well, I’m thinking off the top of my head of, ah, Marriott. Uh, you know, I don’t 100 million records or whatever. West maybe was only 10 million. I don’t remember, but many millions of records um, there have been other big corporate breaches, but have there been breaches? Maybe they’re just not as, uh as publicized on the non profit side.

[00:06:21.42] spk_5:
You’re actually exactly right. Uh, small and mid sized nonprofits are actually being increasingly target if they don’t have to sophisticated protocols in place to kind of to protect against some of these of these hacks. We don’t hear about the malls and not the big build. Another Facebooks of the world on an ID only they’ve been. Actually, some studies done is not evident. It totally they’ve been some studies done that, not pump it actually hurt more than four profits for data breach. I’ll give you an example. You know, Facebook gets breached. How many people actually got off Facebook and stop using it, right? Not pop it in a way, are more fungible. Some donors with donate more to more than one organization, studies have shown. If there’s a data breach at a non profit, donors are less likely to come back next year. Donate. I’ll just choose another organization. So in some ways, the bar and the risks are even higher for nonprofits,

[00:07:03.52] spk_2:
right? All right, right. I’m I’m more committed. I’m pretty committed to my Marriott Marriott Bon voy points. No, I don’t. I’m gonna keep using the brand because I’ve got a couple 100,000 points with them.

[00:07:29.30] spk_5:
Exactly. The reputational harm I have to say, tony, ITT’s organizations don’t think about that. But these days, I think we all were all more sensitive to write. Our data’s being treated. Yeah, they’re a lot more regulations out there which out there they will talk about. But the reputational harm can last for years, especially when organization is seen as either not doing the right things, not taking kind of, you know, appropriate precautions that could really be devastating.

[00:07:40.49] spk_2:
All right, since you mentioned regulations, um, uh, you know, we heard a lot about GDP. Are when? When that was knew. What was that, like, two years ago or so that

[00:07:50.44] spk_5:
that May of 2018 will into effect.

[00:07:53.86] spk_2:
Okay, pretty good. Usually I’m bad about the estimating time. All right, so it was two years ago this month. All right, um, so GDP are But you can acquaint us with that. What? I mean for a U. S. Charity? What? What do we need to be conscious of their

[00:08:44.74] spk_5:
Yeah, it’s funny when you came. In fact, it seemed like a few months, like just everyone was talking about it. Remember, a Woody Allen movie would talked about. He said soon will be, the Renaissance will be painting. Thing is like, I think soon it was like That’s all we’re talking about a CPR. It’s like literally a few months s. The only emails I got from clients was like, What is this thing with GDP on what I need to do now? It’s two years later, we’re still talking about it, But there are other regulations ever come into a factory plucked out as well. A general data protection regulation does affect not Klopp, which came into effect in 2018 and has very specific department. So does it affect your not profit? Some of listening? If you have a website, it probably does right. Judy PR affects anybody collecting any information from someone residing in the European Union between the UK, including Switzerland. So B e a, uh, and you know, if your only collecting a few names from from those countries I wouldn’t be is concerned. But if you collect a little bit more than that, then it probably makes sense to comply with GDP. Are

[00:09:39.37] spk_1:
it’s time for a break? Wegner-C.P.As. They have a bunch of covert 19. Resource is on their site. Tax questions related to Cove in 19. We received RP PP funding. Now what? Developing your 13 week cash flow forecast. Internal controls. Covitz style. What about cash? How are you controlling cash in a virtual environment? This is all at wegner-C.P.As dot com. Click resource is

[00:09:45.17] spk_2:
Okay. So, John, it’s only it’s only if you’re collecting data. Not not if you citizens or Swiss citizens are visiting your website merely visiting your website.

[00:09:55.14] spk_5:
But really, it is because what he has done has lowered the bar. What personal information is right? We all care. We were going to use the term sometimes P I I personally identifiable information. And so Jeannie pr is concerned about is if you collect P II. According to Judi pr and I key address. Right. We’ll have computers. We access a website. We have an I P. Address a stash. Consider P I So, technically, anybody accessing your website if you collect their i p address with, most people do automatically. You’re you’re technically subject that GDP are

[00:10:27.29] spk_2:
okay. Wait. All right, So you’re saying most web? Most websites automatically preserve the i p address of a visitor.

[00:10:36.34] spk_5:
Most do through, like, Google analytics or, you know, at least. Yeah, All these the analysts people use automatically get life he addressed with someone visits your website.

[00:10:43.64] spk_2:
Okay. And that then is an entering argument for GDP are to apply to your your website your your non profit

[00:11:34.01] spk_5:
Exactly. Just counsel our clients that you should really only be concerned if you’re collecting and be getting. Don’t you collecting information more than I p addresses to get it? It’s kind of Ah, it’s a risk reward. Be only getting a few I p addresses. You’re not doing anything with it. The odds are of GDP are becoming an issue on the regulators Looking at your not profit. Probably small, but okay, a lot not talk. But in this country that either have offices early, you or have people access routinely. So I’ll give you an example. We worked with a large, well known museum and when people come from your they often want to visit this museum in Manhattan. So they have ticketing and they’re having thousands of people not really least used to when people are travelling but museum tickets. Judy pr squarely applies. They have to comply.

[00:11:48.48] spk_2:
Okay, So beyond the beyond the this sort of perfunctory the i p address else. So if we don’t have ah location that people are buying tickets to come to, what other kind of data would would trigger the GDR for us?

[00:12:30.11] spk_5:
Any name and email address, you know, collecting that anybody resigned. And when I say the word residing, you don’t have to live there. So, technically, tony, if I went Teoh London and then made a donut, patients were not topping the US JD. Power applies to me with that trip is action. I’m now residing in the EU state token of somebody from the U is in the U. S. Exit donation to a non profit. Even though there are you sitting this in a transaction takes place in the U. S. GDP. Ours doesn’t apply. It’s a little bit complicated, but like I said it that today those

[00:12:30.46] spk_2:
those those are the exception. So let’s just deal with

[00:12:33.43] spk_5:
that at

[00:12:33.87] spk_2:
the mainstream. You got a new resident transacting from from the European Union. Um but let’s just assume all that you residents are in the the European Union for this conversation, right? None of them, they’re here. So

[00:14:01.36] spk_5:
So yeah, so replies just kind of get the kid like some of things you want to do. I say, like the low hanging fruit fidgety you are applies. The first thing is website privacy policy. I’m gonna talk about that a little bit more later in terms of a general privacy policy, the importance of it. But Virginia PRD is separate. Basically, GDP are notice that needs just list specific information. Uh, two people from the EU learning them of their rights. And some of the remedies they have, I’ve tell organizations of GDP are applies. The first thing you do is put a put a speeding car notice on your website. That’s something a regulator is the first thing they don’t look at. If you have, that is already one box check. That’s great. Thea. Other hurdle for a lot of non profit we work with is how to get, uh, what when someone wants upped and there’s no more opt out. Everything has to be in Upton and has to be a very specific and home up then, and this is probably the biggest challenge for a lot of non profits. It’s a much higher bar for consent. I’ll give you an example. No longer than you have to have a check. The box and the box says we are signing up to get email campaigns, periodic newsletters and other promotions, even if they check that box. Wegner Judy PR Let’s consider too broad, right? Every request for permission need to be very specific. You need to be clear and affirmative and very moment, one of the biggest challenges for Not

[00:14:10.45] spk_2:
question. So give me an example of of a consent that is properly worded.

[00:14:21.74] spk_5:
I hereby consent to the processing of my personal data for the price Rose Christ or period, not email newsletter, not general marketing purpose for a specific purpose. A price store. You could also say I’m I’m a I hereby consent to the processing of my data for your monthly newsletter. Now let’s say three months later, you have a new newsletter or different what you can no longer send them both newsletters. You don’t have to stand for that. You now have to go back to get the scent. You get one try. They don’t respond. You can’t go back to them again.

[00:14:47.79] spk_2:
Cannot. You can’t go back to them again.

[00:14:49.92] spk_5:
No. Cannot. And there’s no grandfather clause either. So you know a lot of people. At least couple years ago, I had all these names. They were wondering, what do we do? And you got one shot Thio going going to these folks and say, Hey, GDP, our allies way like to use your names. This way, please respond. Have you to get a response That said you can no longer market to these folks.

[00:15:30.84] spk_2:
Okay. All right. So you get one chance per each channel. Sort of. You don’t have to do it for each individual newsletter. I mean, individual mailing of the same newsletter. But But as you said, if you if you start a second newsletter on a different topic related to a different program, you’d have to get permission for that

[00:16:00.79] spk_5:
exactly right. And then the people that you do have kind of on your roster that you’re allowed Teoh work with the U there certain rights they have and these rights have to be passed on to the benders that not puppets work. With these age, everything’s in the cloud off. The odds are they’re using other folks that kind of help processes data. But anybody from the EU has the right of access. They have the right to know what you have about them. They have a right to a racer. They’re gonna ask you to delete their data at any time. You must comply with a certain period of time. They have the right to restrict processing. Yeah, you can use my data eat to give me a newsletter. But I don’t want to be in a cooperative where you’re sharing my name. Uh, they have the right the right to data portability. Give me everything you have and provide. Give it to this new provider on. They have the right to object to anything you’re doing with their data. And when we talk about the Jodi or notice the privacy policy, the privacy policy needs to kind of lift all these rights for EU people. You usually

[00:16:28.40] spk_2:
all right. And that policy needs to be on your website.

[00:16:31.95] spk_5:
Yeah, just like a regular privacy policy. But it needs to be a separate notice. It needs to be on the website prominently displayed.

[00:16:48.14] spk_2:
Okay. When you get consent for the processing of data around a particular purpose, do you need to remind people about their rights? Give them all these reactions, toe portability and the ratio, et cetera, or just one time on the website.

[00:16:55.11] spk_5:
No, No need to be part of your privacy notice. You don’t need to remind them proactively, but it needs to be listed in your GDP are profit privacy notice

[00:17:02.48] spk_2:
Privacy notice on your website.

[00:17:04.34] spk_4:
Yeah, right. Okay.

[00:17:05.86] spk_5:
And the fines are extremely high again for small missiles. Nonprofits to a very low interaction. I’m not concerned. Larger non puppets should be a little bit more aware and look concern. And, you know, one of the things you also need to be aware of. 1/3 party vendors GDP are now makes nonprofits directly responsible and liable for the axe or or emissions of the vendors that holding the state on your behalf. So you now need to give all these vendors specific provisions. Your mandated by GDP are specific. GDP are provisions that buying these benders to basically support your efforts to comply with GDP are so this is another hurdle.

[00:17:52.44] spk_2:
Okay. Um, all right, I would presume the largest vendors are acquainted with this by now, but you

[00:17:53.35] spk_5:
must have their own. Yeah,

[00:17:55.63] spk_2:
but you need to be proactive about ensuring that your vendors all do, whether small or large,

[00:18:00.84] spk_5:
Yeah, a lot profit use. It’s more of the small amount outside vendors, and they may have one in place, and the one they have a place might not be. You know, listen, that everyone takes a different approach. The vendor who supplies they’re all will be much more friendly towards them, so they should still be reviewed and negotiated.

[00:18:16.79] spk_2:
All right, so you’re asking, Are they GDP are compliant when you’re querying your vendors?

[00:18:23.40] spk_5:
Exactly. That May should also bishop. There needs to be the denim toe. Any contract that you have in place just not to get too technical, but the non profit who collects it. Who’s collecting? The data is called a data controller, right. They control the data, their vendors who helped process the data. So maybe a C. R M system, a black box, for example. They would be considered a data processor. Ben should be processing the data on behalf of the non profit who owns the data. So I’ll pop. It is data controller has kind of a much higher bar of requirements to me.

[00:19:03.14] spk_2:
All right. As long as you defined your terms, you keep yourself out of jargon. Jail on. All right. Um uh, Okay, well, there’s a New York law, but, you know, New York Shield, But our listeners are nationwide. So you want to just be much briefer about New York Shield just for our New York listeners?

[00:19:49.27] spk_5:
Yeah. Although New York still, tony, just like today PR, it doesn’t make a difference where you are. You collecting information from New York residents? It applies to you And I would argue is actually, it’s more important because the Jeep car that’s still question how the you will force it against a non profit who does not have offices in the U By how that happens. Nobody has seen yet. But but let’s put that aside, the New York Shelled Act gives the attorney general a public right of action. And certainly in New York, the New York Attorney General has a much further reach to go after not profit, whether they’re in New York or anywhere in the US, because we’re talking about the same country. So I would be as a non profit, more concern about New York Shield at this moment. First import most and then worry about you need your necks.

[00:20:01.72] spk_2:
Oh, all right, do other states. California is a pretty activist state. Do they have something similar that applies to all their residents?

[00:20:33.26] spk_5:
California has one called CCP A, but right now it does not apply to non profits. It only would implicate non profit ever have a four profit wing or Division A? Are there working with a four profit where, for example, be getting data from a company that’s getting from messages in CCP? A. The non papa should be concern at that vendor. Who’s providing you That data has complied with CCP A. But other than that, it doesn’t really apply to non profits.

[00:20:35.61] spk_2:
Okay, any other states.

[00:21:29.34] spk_5:
Massachusetts has had something for a long time, not too dissimilar from New York. But you need me. I think people are kind of and there are other unless there are other ones in the works. Colorado has won about us looking to pass something at some point. That’s in Kobe. 19 is for a lot of things on the back burner, but at some point we could have federal legislation, and you know what I counsel with non clap? It’s even which university BR came out and they said it doesn’t apply to me. I said, Even if it doesn’t, it probably makes sense of trying to comply his first ball. Everything’s moving towards greater accountability. Donors. Employees are getting more sensitive about Heather Data’s being used and starting to follow some of these protocols. Just make makes the non hop. It’s better stewards of the information they collect another day. We want to do like by these donors wanted to do right by our employees. The data were collected. So following somebody particles and they don’t apply is a smart practice because nothing wants unauthorized access to their systems.

[00:21:37.88] spk_2:
Okay, Okay. Um, the Massachusetts law is that limited to credit card information?

[00:22:05.54] spk_5:
No, let me call it. It’s a lot of different kinds of personal information, but has not been. I have not seen it really in forced on. A lot of organizations already have policies in place that kind of meet somebody obligations. And certainly if you’re if you start to meet the New York Field Act, which I think will be will be unless they enforce more vigorously, you’re probably OK on the on the Massachusetts

[00:22:10.22] spk_2:
front and the messages from Okay, so Yeah, that’s that’s true. In a lot of cases, like if you can comply with the New York law, you’re covered in a lot of other states because New York is so stringent. Um,

[00:22:22.40] spk_5:
I always say that you can make it here. You can make it anywhere. That was

[00:22:28.69] spk_2:
okay. Uh, yeah, but hey was intact. Think Sinatra was intending much more favorable. And the privacy compliance. All right, so what about New York Shield? You want toe? Give us an overview of that. What? What we should be concerned about this thing, This is if we’re collecting data from New York residents, that right?

[00:24:00.98] spk_5:
Exactly. Yeah, but I would argue I would take my most nonprofits to do any kind of real online access and gather data or getting donations. You probably have a, you know, at least amount from New York. But you know, many what may have a lot So certainly ones working on the East Coast would probably have a lot of New York residents accessing about side and giving information. So that’s about one of things. It expands. What constitutes a data breach, Uh, basically lowers that bar as well. So in terms of when you have to report a data breach, let’s put that piece of side. But this happened the most important thing for nonprofits to keep in mind. Now where? Why was them that says it may an individual one. Employees are pleased to coordinate data security program. This is key because most organizations don’t have one. This is the old saying. If you don’t know where you’re gullible, roads will take you there, and I’ve always counselled we have my non profit clients. If you don’t have somebody in charge of privacy, odds are nothing’s really happening on that front. So that’s good. This is a great example of even if you’re not collecting information of New York residents, you shouldn’t have a point person. Um, and what that point was it needs to do is he needs to look at, based upon your size and attack the information to collecting uh, that they have played a physical security tech technical security attacks, a compliance programs doing training were supposed to looking at Bender agreements and assessing risk. And now New York requires you to have certain provisions. Reasonable provision in every vendor agreement that makes me binds those vendors for doing the right things, that appropriate things in terms. Protecting the data you collect euros exposes, sensitively destroyed data when you no longer needed. And again, I know for many clients this ridiculous some of my clients and many non prop assistants in daunting. It’s not as hard to comply as they might think. And for some of our clients, I’m acting as that point person. It doesn’t have to be. And employees. It just needs to be somebody. So I’ve come in organizations. I’ve looked at the left look of the vendor agreements. Let’s see how things are being protected. Let’s look, if you’re doing training, just let’s look at the your overall approach to privacy and even and give a kind of annual advice that would get them a long way to comply. Europe show.

[00:25:04.84] spk_2:
Okay. Okay. Um, all right. And you know, good point also is you know, you said a few times Ah, it’s worthwhile to comply with these to the extent you can, even if you feel it doesn’t apply to you that the law may not apply, but it’s gets good practices.

[00:25:17.34] spk_5:
Yeah. I mean, listen, reaches typically happen from third party vendors That’s usually the case, because these days most people are using cloud providers or using third party vendors to kind of hold this data. If a breach occurs, a vendor’s Onley obligation is to tell you their client that the breach occurred. Your obligation under law. Is it now? No. Divide all the donors who stayed it might have been compromised. They could be credit monitoring costs. There could be legal costs that could be certain regulatory fines. So it’s it’s so example. New York, she’ll requires you to look at these vendor agreements and have certain terms in there. That’s just a smart thing to do. Third party vendor agreements are woefully one sided in favour of the vendors. They’re the ones drafting it on. And it just makes sense to review negotiate these agreements. We can certainly talk about you like five or six, uh, terms that should be in every vendor agreement you

[00:26:10.88] spk_4:
have. All right,

[00:26:11.21] spk_2:
You’re not gonna get to two. Ah, legalese on this. Are you mean I haven’t practiced? I haven’t practiced law since 1994 so

[00:26:19.35] spk_5:
I’m not

[00:26:20.09] spk_2:
gonna get technical for the non lawyer. The 99% of listeners who are not lawyers, right? Okay.

[00:27:12.94] spk_5:
You know, I can keep it. Very simple, just like. And I actually have a great checklist. I’m happy, you know, share with you, tony. People could reach out to me of things to keep in mind. But again, when you instill Ryan, you know, hopefully 98% of time, everything felt swimming. Well, it’s never an issue, but what they still wrong kind of pull out the contract. And again, these contracts very one sided, I joke because I mentioned before I used to work for a very large software company where I drafted a portion of their their client agreement. And then lately, I’ve had the opportunity to negotiate that agreement on behalf of clients. And I wind up rewriting the entire agreement and adding an extra 10 pages and and general counsel at this one company said, John. But you wrote the agreement, your last changing. But I’m on the other side of the deal. It’s a whole, uh, so it’s not just what’s in the agreement. That count

[00:27:20.67] spk_2:
doesn’t. That doesn’t make you That does not make you a hypocrite. People need to understand your allegiance at that time was different than your allegiance at the second time when you were rewriting the agreement that you were drafted in the first time. You’re not a hypocrite.

[00:27:29.68] spk_5:
No, no, no. We’ve fallen advocacy,

[00:27:31.74] spk_2:
advocacy. That’s what we call it. I have forgot that.

[00:27:34.82] spk_5:
Yeah, I’m advocating, but recognizing. I

[00:27:59.74] spk_2:
mean, you’re advocating. Okay. All right. Wait. So let me before you start taking these things off, just tell listeners eso if they would you want to reach you? If somebody wants to get this this checklist that you have He’s John J O N at Kerman and perlman dot com. And Perlman is p e r l m a n not like the, like, the gem or the stone. Whatever that. Whatever pearls are, it’s not like that. Okay, John, at prominent perlman dot com. Okay, you got 45 whenever five things, six. And

[00:30:18.68] spk_5:
get that quickly. Yeah, The 1st 1 is just the privacy of charity. You know, typically will be one of two sentences. We’ll take commercially reasonable practices, know in this day and age and with New York Shield when GDP are there apartments that they need to get a lot more meat on the bone in regard to how company will protect your information. So one of the elements you want to do is simply insert a lot of language that raises the bar again of what we spend it’s supposed to be doing and that they don’t do that. And there’s a breach. Now you have some kind of remedy, uh, to go back from limitation of liability. Every contact has it typically limits what a non topic can get. If there is any kind of loss or damage, anything goes wrong. So open just six months of these. Can’t you have to always negotiate that? They kind of data breach a date of event that we should be untapped direct at Mage is a but not profit is fully covered. The’s terms old Ausubel. I open get it, But you have to ask for it. You don’t ask for your not getting getting it. Uh, uh, rich notification really important. So if there’s a breach, I always put a section in that gets you both quick notification and get you all the credit monitoring and all the other costs. Regulatory fines cover. I’ve never had a better save. Noted that in the end it may take a few back and forth, you know, negotiations. Always a dance, but having a breach notification and uncovered cause it is essential to be two more transition service is when you want to leave the vendor. It’s very hard to leave fried when you’re working with somebody like relationship kind of know who who see the is added. That might broker but becomes very difficult. But transition service’s basically bond and surrender toe work with you for six months and with your new better of choice to make that transition seamless, very important to have that obligation in there. And finally, I would say, is, You know, during the court, in stage with when you’re working with a vendor, you get a whole types of promises. You’ll get lots of marking material. Here’s how the functionality hero features you got everything spray when you signed the contract, you’ll notice that almost there’s no mention just nowhere to be found. One of the biggest things I find my clients about difficulty with is where someone over promises and under delivers. How do you prove that it was not part of the contract? So all those kind of shining marking materials. All those handouts, all those things that give you. You have to attach that to the agreement reference, is it? So when I get things, don’t work out his plan. Now you can show why there’s a beach and what you can get out of the agreement. Very important.

[00:33:11.64] spk_1:
We need to take a break. Cougar Mountain Software. Their accounting product Denali, is built for non profits from the ground up. So you get an application that supports the way you work that has the features you need an exemplary support that understands the way you work. They have a free 60 day trial on the listener landing page at tony-dot-M.A.-slash-Pursuant. Now time for tony. Take two. Take another breath, doubling down on my advice from last week that you take some peaceful time. Um, whatever it is for you if it’s napping, if it’s walks. Um, I’m not thinking of exercise. Exercise is important, but I’m not thinking of runs right now or home workouts. I’m thinking of peaceful, relaxed, calm time putting your mind at ease. I’m talking like I’m tryingto get bring you down right now. I’m not. I’m just trying to give some ideas. This is not a meditation. That’s not a meditation minute. I did try meditation class. I loved it, Actually did something online with a woman who’s giving free meditation classes. Um, and for an hour, I was I was under hypnosis. Almost at almost. I was, uh, focused on breathing where the breath comes in, where I feel it very valuable. Eso maybe for you. It’s meditation, and I have never done that before. So that was unusual experience for me. But I loved it, and I hope to do some more with her. Whatever it is for you, you know you know what it is. Take it, Do it. Take the time for yourself. There’s a lot being asked of us that is unusual. And even if it’s more routine now than it was 456 weeks ago, it’s still stressful. We’re out of our routines, so be good to yourself. Self care, right self care. Take care of yourself. Do it each day. You deserve it. Please do it. That is tony. Take two Now back to data privacy practices.

[00:33:22.92] spk_2:
All right, if you were on both sides of this arguing because you said it’s a dance right so suppose you were on both sides. Which side would you? Which side would you give in and which side would win?

[00:34:09.68] spk_5:
You know, it’s funny, because I do represent, we have. We have clients that are often vendors. I think I’m very fair in Middle Road. I think, you know, given eight hours of myself come help with very for both sides. But you, tony, that’s a great example of Give you an answer. The limitation. Liability. I always think there should be reasonable carve outs. It shouldn’t be a car about unlimited liability again. It’s what offended would owe you. Something goes wrong. It shouldn’t be that anything goes wrong no matter what, Even if it’s not their fault, they should pay you. So, for example, a visit data peach. But they did everything they were supposed to do when they were so got hacked. That should not be uncapped. But I wait at my rivers, my clients, I I agree with that. But if they do something wrong and there’s a reach, their full, that’s beyond cat. What side of the Delamontagne? I’m always gonna push for both those.

[00:34:25.18] spk_2:
Okay. Okay. Eight hours with myself. I don’t know. I don’t know where I would go. I don’t want Oh, it’s not for public consumption, I’m sure. Um all right, so so is it. Is that what you say?

[00:34:36.09] spk_5:
I was thinking apocalypse. Now, that’s what happens when you have too much time on your

[00:34:44.04] spk_2:
OK. All right. Well, I was only r rated. All right, um, so it sounds like the difference. Maybe I’m getting too legalese now. It sounds like a different dream. Negligence, gross negligence and recklessness or something like that.

[00:35:21.99] spk_5:
Yeah, way. We’ll definitely end illegally. So I won’t go there. But those things are just sink. Since the name that contact get the most important thing for anybody listening is you need to have somebody review these agreements. Just don’t sign them. They’re always negotiable. Hopefully, you want somebody. And here is my biggest right. When I was at a black bond. Other companies that sometimes a lawyer who did not know understand technology, I wouldn’t really know what to ask, wouldn’t know had a mark up the agreement, make sure whoever you work with understands, right? They need to know what you’re getting. What the solution is to hopefully kind of protect your interests. So that would be like, he just have somebody who knows what they’re doing with you negotiating on your behalf.

[00:35:37.56] spk_2:
Okay. Cool. All right. Um, what else could we be looking at in this in this arena that can can protect us.

[00:37:17.21] spk_5:
Yeah. I’m gonna get you less than every non profit. If they don’t have, they should do immediately. That you have to think about updating. Are just checking in One is a plot privacy policy website. Privacy policies. Still a lot of non profit don’t have them if you have them. They’ve all from two drafted years ago. They have been updated. So the number of persons do is looking a privacy policy. Make sure it’s been updated. Last year, I would say it’s the transparency is the most important key. Do when you say it. Say what you do. Uh, in terms of the data you collect, you could almost almost do anything you want with it. If you’re transparent about it, you want to add you want oh, care with advertisers? Sure. You want to do you a cooperative? Fine. You want to even sell it? That’s often be possible. But you need to disclose that when somebody gives you the data, so having enough today, privacy policies really key if something goes wrong and people looking for privacy policy and you didn’t just close some of the ways you were sharing, and that’s where the data was lost to be a very big not only legal ramifications. Bobby CPR head. Andi even if we have a privacy policy and they need to be updated because things change all the time. What you were doing for years to the day, both in the back again in terms of how you’re analyzing in the front end has changed GDP. Ours would be an example in Europe shield. A lot of these things require certain statements in the privacy policy. Is your number one. Get a privacy policy. Make sure it’s updated. Make sure it’s accurate. Number two. You should also, in terms of use, terms of service that basically protects the organization, the views and don’t sweep it, then join your website. Very important, Uh, you know, what does that come from? Our what

[00:37:19.77] spk_2:
does that cover in terms of use in terms of service for website were just what does that cover what kind of

[00:37:24.71] spk_5:
anything anybody might do on the Web site in terms of making donations. When the rules, if you have a block, people post content. Or they can take your content, things that can and can’t do in the protection organization from a lot of different kind of legal planes. Just a kind of a standard document every non profit should

[00:37:40.00] spk_4:
have. Okay, Okay. Is that

[00:37:42.11] spk_2:
public to Is that on the website turned

[00:40:12.61] spk_5:
to use an exit privacy policy. Okay. Okay. Now a lot of charity navigator, uh, recommends that you actually have a separate donor profit privacy policy. Just why I read their privacy policy typically only covers when you collect online, they recommend to get the four stars that you have a separate donor privacy that speaks specifically to the information you collect from donors both offline and online. So some might want Consider whether it makes sense to have a separately for a daughter policy and a separate link for a privacy policy. Just like just why there, uh, we talk about bad nerves being an issue. So way kind of crossed that box. Look, pull out all your vendor agreements, see if you’re covered. It’s not when they come up for dual negotiate, I would say annually, no. Once a few years, you should do a privacy audit That’s more formal process where I typically even organization lots of different questions. All their different practices later the cyber security and privacy. And we see where the gaps are. But, you know, one thing I do is kind of a simple one is kind of member. The five W’s in the h. You’re kind of doing news. Recording the five question the six questions asked. They call the five W’s. What? Remember the what? Why, who, where, when and the how. So what is what data we’re collecting? A lot of organizations don’t understand all the data they’re collecting, so get a handle. What data is your collecting? Why, why? You clicked on the state of more many organizations like more David, I need more data. You have the work more risk. You have rights. Onley collected data you need who has access to the data again. People should only have access to the P I. I personally identifiable information you collect who need to have that access. More people have access. The more things that could go wrong. Where? Where’s a dork? Data store. It’s an offline. Are they locked in? Cabinets are there, you know, with vendors. Have it. Are there volunteers? You have access to it. So where is the data stored? When? When is the day to delete it? We’ll talk about that a couple minutes. But you should only keep dating for Florence. You needed and know lots of non profit clients get data for years and years. Even if somebody, for example, is and donated 10 years. The more data you key, the more risk of presidents a loss. And then how House of Data being protected, like in terms of all that, when the data’s being kept, How is it being protected? Really important question You kind of answer all those questions is initial step. You’ve already gone a lot further than a lot of organizations and and kind of being better stewards. That information you collect, uh,

[00:40:13.35] spk_2:
on the, um made 12th 7 dubbed 17 70 on the May 12th 2017 show, I had a guest on talking about cybersecurity insurance.

[00:40:27.61] spk_5:
Yeah,

[00:40:35.61] spk_2:
so now, so listeners could go back to that 5 12 17 show. You can get a lot more detail there because we spent the whole half hour talking just about insurance. But what? What are some key things you want to say about what cyber insurance could protect you against?

[00:42:00.94] spk_5:
You should definitely have a cybersecurity policy with two things. You should make sure your vendor has a cyber security policy. It should be large enough to protect you if something went wrong. So for these bigger vendors, that should be a minimum five million anywhere from 10 to 20 million. You should be named as what they call an additional assured on the benders policy. So you have a direct right and claim against their policy. Putting that aside you non toughest wanna have their own cyber security policy. Okay, they won’t have a policy that basically match the company’s risk that organizations risk that kind of work. They do. You need to make sure has the specific terms that that cover that organization. I’ll give you a great example. We have one plane, very large non profit. Had a head of non had a cyber security policy. They were paying over $100,000 a year for I read through it my joy is released. Things it didn’t apply to them. It was a sign of security policy for a service provider, not for a organization using service providers. So they had to get a new policy. Has something happened? They would have been covered. So I know people hate these policies along their involved, but somebody should read them before you sign them. Work with a good agent that have your attorney be the policy. But every organization listening should have their own cyber security policy a minimum of one million up to depends on the amount of data collecting, uh, you know, on an annual basis in the kind of transactions were doing.

[00:42:23.60] spk_2:
We all hate insurance, but you know, whether it’s auto or homeowners air, I got flood and wind, and but, you know, it’s peace of mind. So and all the you know, all the headlines we see. I mean, this stuff can apply to you as well. Like like we’re talking about. So, uh, you’re not You’re not. Yeah, you’re not. You’re not free because you’re not profit or you’re not, uh, safe.

[00:43:15.62] spk_5:
Yep. It’s all over. When There That you should have one is a data retention and destruction plan. And, you know, this goes back to some of the questions we’re talking about. A data audit you only want keep Davis, or as long as you need it and you want to make sure get rid of it the right way right away. That really destroys the data. So if you have your organization doesn’t have one. You really want a formal data retention destruction plan? By the way, if I didn’t mention it to your killer app requires you that have that a place. So again, you need to think about it. It’s a good practicing of New York shoulders, and if I every organization should have it. Also, business continuity plan. You know, this has come up a lot with Kobe. 19. You know, organization should have a plan in place when something China’s for profit happens, it would. You know, this pandemic was challenging forgiven organizations who had a plan. And I think now we’re over advising plans to take into account the sites of things. But you should have a planet. You know, one of your critical providers goes down. If there’s a data breach, who do you call? You know. How do you respond? New York Shield activity are required Response in a very short period of time. Tony, Order Gate to kind of mitigating organizational damage is the damage that can occur. You need to do the right things early on. So having that in place to support

[00:43:43.94] spk_2:
is this is this the same is a disaster recovery plan. Is that what

[00:43:47.66] spk_5:
you say? Yeah.

[00:43:48.11] spk_4:
Okay.

[00:44:07.99] spk_1:
Time for our last break. Turn to communications. They’re former journalists. So you get help getting your message through it is possible to be heard through the Corona virus cacophony. They know exactly what to do to make it happen. The turn hyphen two dot ceo we’ve got but loads more time for data Privacy practices.

[00:44:51.06] spk_2:
I had a whole show Are I have to show half an hour on disaster recovery plans. I don’t remember the date, but, um, the guest was dar d a r v vor ca v e v e r k a dar viveca choose from one of the non profit technology conference shows. So if you go toe tony-martignetti dot com when you’re looking for the 5 12 17 show on cyber insurance that when I did. I did get the date on that one. This? Ah, this one don’t have the date. But the guest was Dar v Barca on disaster recovery plans, including including sometimes that alternate locations. Even depending how bad the disaster is. You might need a backup location. Do you have that in place?

[00:44:59.89] spk_5:
Yeah, and usually that’s for the benders. Using someone hosting they should have that in place. But released are non profits. It’s more cola called when something bad happens. You know what the weather sex you take to mitigate into remedy.

[00:45:16.49] spk_4:
Okay. Okay. Um

[00:45:17.46] spk_5:
and then, tony, one other thing I’ll add is, you know, a lot of people in this goes to people working from home. It’s even more important. But a lot will use their own devices. Your own PC, sometimes accessing work stuff. You want to have what they called the wild, deep policy. Bring your own device to work one of the views. And, Jones, if you’re accessing information from your personal phone from your computer, what are you allowed to do when you What is it you shouldn’t do? A lot of this is just good training.

[00:45:53.59] spk_2:
Yeah, whether right. Whether even allowed to use your own device. But then there has to be a non profit provided advice and all right, what about? So this is you mentioned that? What about other? We have other data privacy concerns. I’m sure we do around, ah, distributed workforce. And, you know, I think they’re gonna be changes to do work life, and there may There may be a lot more remote employees going forward Then we’re accustomed to just two months ago. So what about this? Having a more distributed workforce and around data privacy?

[00:47:38.88] spk_5:
Yeah, exactly. I kind of when I think about over 19 have been speaking about There was a philosopher and physicist, Thomas Kuhn, and he had a term paradigm shift that, you know, once in a while once a couple 100 years is that is a paradigm shift that changed the way we think of the world. You know, Not Newton Newton’s right. What was a paradigm shift? Mechanics. The paradigm shift and you don’t usually know is a paradigm in ship until after it happens. Kind of like a recession. You can’t look back. I certainly think over 19 at least in the short term and made the lumber could be, you know, paradigm shift The way we’re approaching work when we approach our our lives outside of work has changed dramatically. And there’s challenges with that. Sure, only people working from home, uh, heightens the risk associated with with data breach and unauthorized access. I’ve talked to my colleagues that been studies. The amount of research that happened have gone up dramatically. I don’t know about you, tony, but literally every week I get emails from CBS Chase Bank Wal Mart over Me gift card. Tell me to click on a link. It looks like it’s CBs dot com, but look, the sub tomato. It’s nothing like that. Exactly. When people working from home, they’re not. They just can’t be a safe. So there are a lot of things digital kind of a 10 to Now that we have a remote workforce, Uh, like what? What’s that?

[00:47:39.46] spk_2:
Yeah, OK, I think we’re gonna go onto something else. Yeah, Like what?

[00:48:06.94] spk_5:
I don’t know. I can tell you. So you want to review if you have policies in place, review them. You don’t have policies in place. You need to kind of tell folks what’s expected of them when I’m working from home. Uh, need to communicate. You can’t over to communicate on these types of things. Training annual training would be helpful, but you’re a few of the things that could go wrong. Ah, lot of folks transfer, transfer organizational data to their email accounts and seventh and cells. A commercial email pound has a lot more protections in a personal email account. If they’re sending things from the from of the organization and downloading from emails, they should delete that email as soon as they get the day that they no longer need it. So don’t keep that in your emails that that could be hacked later on, uh, using personal cloud stores storage. Is that not all the same? Make sure the ones they’re using our secure physical document management. You know, we always think about digital data, but a lot of people bringing things from their office home and as a physical document, how is that being capped it when it’s all over leading houses being destroyed, it should be left in a car to be shredded. So let’s not. Let’s not forget about the security of physical documents, unsecured connections to employers if they’re not using BBN, that could be a problem. You need to make sure that people are accessing organizational information in a smart way.

[00:48:56.27] spk_4:
Yeah, that one.

[00:48:56.95] spk_2:
That that’s you. That’s where you have to look to your Internet service provider, right for the for the security that they’re providing on on your connection.

[00:49:42.97] spk_5:
Well, here’s the thing. That’s that’s about your home router. Personal public routers. Let’s talk about personal people have personal. Rather, you come into my home and you access trying to access my Internet. You need a 13 digit pass code. Most people don’t do that when they’re working from home. A lot of people keeping unsecured network. So would you recommend anybody work home should basically activate their round of firewall and, you know, and utilize malware on their computers and and make make everything password protected. So that’s a great example of you. Don’t people think I’m hold? Who’s gonna access my information? That could be easily hacked your home router?

[00:49:48.43] spk_2:
Yeah, okay. On our malware protection so that I mean, that’s something that the employees would have to subscribe to.

[00:49:55.27] spk_5:
Well, yeah. So we’re talking about non working shooters, right? Way are Yeah. You’re

[00:50:12.35] spk_2:
in your home? Yeah. I’m not writing home. I have next ride to where the company has got. The organization has to pay me to subscribe to, uh, malware bytes or something. One of the malware protection companies. Well, we’re in three Norton, 3 60 policies. Something like

[00:50:16.50] spk_5:
that. Yeah, well, working organization. But some of these things, like every router, comes to the ability to put put a password on it. So some of these things are just reminding employees and training them on best practices. Are you working from home here? Like the 10 tips you should be keeping in mind Remind them about from time to time. A lot of a lot of unauthorized access and data breaches. A large percentage could be avoided with just some kind of smart polluting practices.

[00:50:58.80] spk_2:
Okay. Okay. Yeah, there’s I think they’re gonna be a lot more people working from home. Ah, year from now than there were in 2019. Um, I mean, including on the employee side. I’ve heard from a few people that they like working from home. No. And there have been there. I just saw. I just saw study some research like yesterday or something, but were more productive when we’re working from home

[00:51:08.93] spk_5:
back. I

[00:51:45.12] spk_2:
don’t. Well, there’s a lot of reasons. Plus, it’s better for the environment. You save commuting costs, you save gas or public transit. We’re keeping people off the roads. It’s safer. Better for the environment. Yeah, there’s a lot of advantages. All right. Um, I’m you know, I’m a neo fighting all these things, but I know how to read. I can read and regurgitate. I’m like, I’m, like, a like a billboard that you put something on my forehead and then you can read it off my forehead. That Z that’s my role. Um, all right, so we got, like, another three minutes or so, Roughly. You want to leave us with? Yeah, I think you have some. Some resource is tools you can recommend.

[00:51:51.86] spk_5:
You know, I actually I have a lot of different checklists. You said you’re a billboard on a checklist maker s. So I have a variety demand check checklist related to both data data. Privacy on its GDP are policies which should be in there. Your privacy policy. What elements should be in there? No. People always ask me tony can you just give me privacy policy and, like, know who’s that? Privacy policy describes what you do. You know the worst thing that you take somebody else’s privacy policy from another wet side. A is copyright infringement, but it never fits where you’re doing. So I can give you a list, for example, elements that need to be every province in policy. But how you address those, for example, depends upon what your organization is doing with the data. How is it looking at in the back? It? How is this sharing what third party better is really working with? So a lot of my re sources are kind of best practices and tips. I’m happy. I know you get my email just before I’m strictly looking access. But what’s like? I’m happy to kind of, you know, give me some people toe, depending on their needs. Anything we talked about today, there’s a checklist for that.

[00:52:51.88] spk_2:
Uh, these aren’t on the check the silent on the Perlman website, though

[00:52:56.55] spk_5:
I don’t think we posted on the website. Typically, I like to hear what the client needs. Just before, I kind of threw out checklist because, you know, sometimes a lot of information to be overwhelming.

[00:53:14.11] spk_2:
Okay, so, John, at permanent perlman dot com. Um, all right, John. I mean, uh, is there anything you want, toe? I’ll give you a chance to close. And you want to close with?

[00:53:20.65] spk_5:
No, this is again. Thank you for the opportunity I started. I think our conversations saying that you know what I’ve seen? It’s not profits have really kind of lagged for profits and kind of, you know, taking some of these precautions. A lot of things you talk about are simply achieved. It takes a little time, little commitment, but taking some of these small steps, go a long way and come and you know you can never take it. You know, data breach on the north rise access off the table. But you can certainly kind of mitigate risks and be better stewards of the data you’re collecting on behalf of her donors. So I hope this was helpful again. And I love kind of counseling our clients on these types of information the sets of policies of because I know it puts them in better stead.

[00:54:46.34] spk_2:
Yeah. All right. John Janet Perlman and roman dot com. Thank you. very much for doing that, John. Thank you for sharing my pleasure. Next week. Maria Simple returns, plus a 20 NTC panel. If you missed any part of today’s show, I beseech you, find it on tony-martignetti dot com were sponsored by wegner-C.P.As guiding you beyond the numbers. Wegner-C.P.As dot com by Cougar Mountain Software Denali Fund Is there complete accounting solution made for nonprofits tony-dot-M.A.-slash-Pursuant Mountain for a free 60 day trial and by turned to communications, PR and content for nonprofits, your story is their mission. Turn hyphen. Two dot ceo Creative producer

[00:55:27.10] spk_0:
is clear. Meyer off. I did the postproduction. Sam Liebowitz managed The extreme shows Social Media is by Susan Chavez. Mark Silverman is our Web guy, and this music is by Scott Stein of Brooklyn. You with Me next week for non profit radio big non profit ideas for the other 95% Go out and be great talking alternative radio 24 hours a day.