
Nonprofit Radio for May 27, 2024: Strategic Meetings For Teams Of One & Cyber Incident Cases And Takeaways


Janice Chan: Strategic Meetings For Teams Of One

As our 2024 Nonprofit Technology Conference coverage continues, Janice Chan returns with the savvy idea of adapting team meeting principles to a team of just one. She’ll have you thinking of yourself as a team leader, rather than one person doing everything. Janice is at Shift and Scaffold.


Steve Sharer: Cyber Incident Cases And Takeaways

We’ve got good stories about bad actors. You’ll also hear the practical steps your nonprofit can take to prepare for cybersecurity incidents to reduce their impact. And we’ll empower you to hold incident prep discussions with your leadership or staff. Steve Sharer, who says “Security is a team sport,” joins from RipRap Security. This is also from 24NTC.



I love our sponsors!

Virtuous: Virtuous gives you the nonprofit CRM, fundraising, volunteer, and marketing tools you need to create more responsive donor experiences and grow giving.


Donorbox: Powerful fundraising features made refreshingly easy.





We’re the #1 Podcast for Nonprofits, With 13,000+ Weekly Listeners

Board relations. Fundraising. Volunteer management. Prospect research. Legal compliance. Accounting. Finance. Investments. Donor relations. Public relations. Marketing. Technology. Social media.

Every nonprofit struggles with these issues. Big nonprofits hire experts. The other 95% listen to Tony Martignetti Nonprofit Radio. Trusted experts and leading thinkers join me each week to tackle the tough issues. If you have big dreams but a small budget, you have a home at Tony Martignetti Nonprofit Radio.

Welcome to Tony Martignetti Nonprofit Radio. Big nonprofit ideas for the other 95%. I’m your aptly named host and the podfather of your favorite abdominal podcast. Oh, I’m glad you’re with us. I’d suffer the effects of formation if you made my skin crawl with the idea that you missed this week’s show. And if you think I said fornication, get your head out of the gutter, close the Pornhub window. It’s formation. Here’s our associate producer, Kate, to introduce this week’s show. Hey, Tony, we have Strategic Meetings for Teams of One as our 2024 Nonprofit Technology Conference coverage continues. Janice Chan returns with the savvy idea of adapting team meeting principles to a team of just one. She’ll have you thinking of yourself as a team leader rather than one person doing everything. Janice is at Shift and Scaffold. And Cyber Incident Cases and Takeaways. We’ve got good stories about bad actors. You’ll also hear the practical steps your nonprofit can take to prepare for cybersecurity incidents to reduce their impact, and we’ll empower you to hold incident prep discussions with your leadership or staff. Steve Sharer, who says “security is a team sport,” joins from RipRap Security. This is also from 24NTC. On Tony’s Take Two: delightful nostalgic women’s names. We’re sponsored by Virtuous. Virtuous gives you the nonprofit CRM, fundraising, volunteer and marketing tools you need to create more responsive donor experiences and grow giving, virtuous.org. And by Donorbox. Outdated donation forms blocking support, generosity? Donorbox, fast, flexible and friendly fundraising forms for your nonprofit, donorbox.org. Here is Strategic Meetings for Teams of One. Welcome back to Tony Martignetti Nonprofit Radio coverage of the third day of the 2024 Nonprofit Technology Conference. We are all together in Portland, Oregon. 
Nonprofit radio coverage of the conference is sponsored by Heller consulting technology strategy and implementation for nonprofits with me for this conversation, a uh an NTC perennial for nonprofit radio, Janice Chan, you knew she was coming. She’s Director of Shift and Scaffold Janice. Welcome back to nonprofit radio. After many NTC appearances. Many thanks for having me back, Tony. Always good to see you and talk with you. Thank you. It’s a pleasure as well for me to be here in person with you. Not just on Zoom. Yes. Yes. Uh This year your session topic is strategic team meetings for teams of one. All right. All right. Before we get into that, I, I wanna, I wanna talk a little about, I knew that I remembered I was reminded that you were studying Japanese. I, I, when I read it, I had remembered from previous years. Now, you live in Japan? Yes, I, I have been studying Japanese because my husband and I were not realized. But we had decided to take this job opportunity for him, which was based in Tokyo. And so we’re like, all right, we should start trying to learn the language. So, you know, it would be helpful to live there if we’re going to live there. And so, yeah, so we moved about a year and a half ago in 2022 some delays due to the pandemic. Um but it’s been great so far. And yeah, working at learning the language at the place that I live in, I’m sure living there helps quite a bit. You’re immersed. Uh is, is, is English very common or not, not so much, you can definitely get around Tokyo in English outside of Tokyo a bit harder. Um I think they did a lot of things to prepare for the Olympics when they were supposed to be there in 2022. And you know, in terms of the train signage and things like that. So you can get, you can get by in the city, in the city. Actually Japanese people in school, study English for several years. But you know, studying in school is always a little different than talking to native speakers. 
So I’m having the experience in reverse of going to class and then attempting conversations and often just mangling my way through it. But people are very kind, fortunately. You’re, I’m working at it. People appreciate the outreach. They, they’re happy to work with me too, which is nice and really helpful. Do you have children? Did you bring children abroad? We brought our cat, our 18-year-old grandma cat. She’s lovely and sassy. At 18, she’s still, she’s more sassy now, I think. Well, I know some sassy 80-, 90-year-olds. That’s not surprising. All right. And uh I also want folks to know that if you want to see some beautiful photography, go to uh shiftandscaffold.com because you have one stunning one too. There are several but the one of the, from the Metropolitan Museum, the reflection, the park is in the background in that room. Yeah. Is that the Egyptian room? So there are many great photos at Shift and Scaffold that Janice took there. Alright. So let’s talk about uh team meetings for teams of one. What was the genesis for this uh this uh up the this uh this intuition, this uh creative burst, redefinition. That’s what I want, resurgence, redefinition, defining, redefining one to be a team. So whether even when I’ve been in house and now I’m an independent consultant and so I work for myself. But even when I was in house, a lot of times I was the only person who did the technology, who did the knowledge management, who did the training sometimes. And so I spent basically my entire career mostly being a team of one. Um And, you know, there are certain practices and things that I’ve done over time that I find really helpful in that because sometimes I don’t always have somebody to bounce things off of. Or sometimes when I do, they have a really, they don’t have the same background that I do. Right. So they have a really different perspective which is useful. But sometimes I’m like, I just got to figure things out for myself. There’s nobody setting the strategy. 
Like my boss is a development director and I’m doing database management, for example, right? So, you know, they’re supportive, but they don’t actually understand my day to day work. And so I need to do a lot of that strategic work by myself. And there were some of these practices I developed over time. And one of them was that I would meet with myself before you have these good practices, which we will absolutely get to. When did you start to think of yourself as a team as a team that emerge? Probably. So I remember, I don’t know why this sticks in my head so much. I had this phone call with this director at my organization at the time and I was supposed to help her team with some and she had a team of like, you know, actual other people. She had about seven people on her team. And I was the grant writer at the time. And so she was like, we have some opportunities. There’s some partners we talked to and, you know, I’d love if we could get your help on applying for these grants, we have the opportunity to apply for these grants in multiple states, but they’re all due at the same time. And she was like, maybe you can get some help from your team. And I was like, listen, I am the team. You were talking to the entire team. I’m the grant rating team. So in addition to my other jobs foisted on you the redefinition, talk to get some support from your team, the rest of myself. So your best practices, these are things you’ve been doing through the years for yourself in your work. So a lot of times often, you know, either at times when I really needed to say plan for the year or I’m about to take on a big project or start something new or I really want to maybe make some changes. Often. I would kind of set aside some time and just sort of be with myself, but I would take notes during that time, right? I would have a little, ok, here’s the thing that I want to work on for this hour or two hours or something, right? 
I need to plan out 2024 or I need to figure out how to work with that stakeholder who is, you know, I’ve got some stakeholders that I have to manage. And I’m trying to get that on board. I’m kind of trying to come up with some strategies for that. And I’m kind of sitting down and having a little meeting with myself with an agenda because I would be like, wait, what was I supposed to focus on for this hour? Right. And so it’s like a little reminder to myself and I’ve always been a note taker And so it’s just kind of a thing that I kept doing and then I would do it for planning my week. I would do it for reflecting on things at the end of the month and I was talking to someone and I realized that maybe some other people do it, but not everybody thinks of it that way. Um And it was really helpful that I ended up just taking things that I sometimes did in meetings with other people. I was like, oh, you know what, this is really helpful to take notes this way or whatever it is. And then I would do that when I was still doing it just by myself. So that’s kind of where it came out of. What else should we be doing with our team of one. Um So I, so to back it up a little bit part of, I didn’t really think a lot about the practice of meeting with yourself in that I didn’t necessarily articulate it. I was just like, oh, this is what you do. Right. You had a to do list. I certainly had a, to do list, but you didn’t think of devoted time to specific tasks. Well, I did but I think I didn’t think of it as maybe a thing that other people didn’t think of. And I was so, I also like to do creative writing. I was at this conference last year for creative writing and I talked to someone and they were like, so I told my new manager that I don’t start work before 10. She works from 10 to 7, but I don’t start work before 10 because the first two hours of my morning are dedicated for writing. That’s my writing time. And I realized so I live in Japan and I work with clients in the US. 
And so sometimes I wake up really early for meetings. I have meetings at like six in the morning, sometimes five in the morning. But on days when I don’t have super early meetings, I’d still wake up, my body just wakes up at that time now. But I would just stay in bed, you scroll through my phone or something. Like I wasn’t doing anything at that time. And why would I get out of bed for, for clients or for other commitments? But I wouldn’t do that for myself and for my own work, my own creative writing, et cetera. And I think so I recently, at the end of last year, I was like, all right, I’m going to really make this a regular practice. Um Yeah, and I thought it would be a really interesting session and tool to share with other people at the NTEN community as well. OK. Um Other, I don’t know, other tactics for you say tactics to make time for strategic work as a team of one, you got to take care of yourself, you got to take care of your team, take care of your team of one. Exactly. So I think a lot of this, so there’s tools and strategies and then there’s the mindset. And so um maybe I’ll talk about the mindset first and then talk about tools and strategies. But I think sort of as that team of one, a decent host would have asked you about the, you’re suffering a lackluster host. You, you think the host would ask about the mindset and the culture of the team of one first before you get into the, the tactics and strategies. It’s OK. That’s why we’re here to learn. We’re all still learning. And, you know, I think a lot of times where we start, right is when we want to do something better. We’re like, oh what are the tactics we’re doing it better? What’s the technical stuff and not the organizational culture or the mindset, all the internal work that we need to do when we work with people or work with ourselves. And so I think one of the, I don’t remember what started it, but last year I had this epiphany one day of like, wait, who’s leading my team? 
Like, nobody’s leading my team. Wait, it’s supposed to be me and I’ve not been leading my team and it was a really big sort of flipping the lights of it, John in my head. And I think realizing also whether I’ve been an independent consultant or when I was in house, right. Yes, I could run around and do all of the things and I would do all the things but not necessarily in a, I think I assumed that because I was the same person that it was cohesive and coordinate, right? And it was in a unified direction, you’re only one person, right? So of course, clearly going in the same direction as myself, I would think. And then I realized at one point I was like, I don’t think that’s actually the case and the, and part of that, what does that feel like when you felt like you were not going in a unified direction, I felt really scattered. I felt like, ok, I’m doing these things because it seemed like a good idea at the time or like you’re supposed to post more regularly on social media or you’re supposed to, I don’t know, go out and meet people and network and things like that. But I wasn’t necessarily doing them all in a unified direction. And I realized that I was doing sort of the different job functions like business development and content development and my consulting work and things and, but I wasn’t sort of doing the work to actually unify them intentionally. And so part of that was, I didn’t necessarily think of myself as a team or as a business or as an organization. I just like, I’m just Janice, I’m just showing up and doing the things and, you know, that works, you can get away with that for a time. But I think also, and you see this also in people when they go from being an individual contributor to being a manager or they kind of step from the, I’m just doing the things that my boss told me to do. So now I have to set the direction even if I don’t have any direct reports. 
And I think really, I realized that it was, I was kind of lacking that direction and I hadn’t made the time or really put into place the practices to do that on a regular basis that I wasn’t leading my own team and that spot was kind of vacant. And I think that’s a really big shift, especially in small organizations where a lot of times you just get thrown into like, hey, we need you to do, you’re like, hired for communications, let’s say, and, and, you know, you’re the only communications person and so you’re doing the writing, you’re doing the graphic design, you’re doing all the digital things. Um And then you’re just, you know, fielding whatever people think is your job honestly, a lot of the time and there’s no, if nobody is trying to make all of that cohesive for, say your external audiences, who’s managing the stakeholders, who is making sure there’s a cohesive strategy, you know, it, it starts, you’re not as effective for your organization. And some of that is, it’s easy to get caught up in all the urgent stuff. But some of it is also just I think that a big part of that mindset shift is we don’t respect ourselves as leaders as teams in the same way that we respect other leaders and teams, right? Like if I saw this meeting with you, Tony, right? There wasn’t a time to show up here, right? There was a process, there’s things going on, you know, I noticed that I would show up to meetings with other people differently versus I will reschedule things on myself all the time. And I’m not going to say that I don’t still do that, right? But I think just being more conscious of like, OK, I’ve pushed aside, pushed aside my time that I set it aside to do the strategic work and I’m putting out fires for other people because they’re urgent, you know, and that happens a lot. But I think the, I think especially in the social impact space, a lot of us, we want to make things better for other people. 
We care about other people, those requests that other people are making are not unreasonable. But it can also be really hard to, you know, especially for those of us who are taught to put other people first or that we exist for the community, not only for ourselves. Right? And that’s a very common ethos in the nonprofits face as makes sense. And also, you know, depending on who we are, I’m a woman, I’m the daughter of immigrants. And so there are a lot of things that when somebody comes to me and ask me for my help to do something, right? I’m like, oh, let me figure out how I can help you. And it’s easier to keep putting my stuff on the back burner, put myself on the back burner. But then that builds up over time. So if you’re the only, let’s say you’re the entire technology team at your organization, your single team of one, then if you don’t make the time to do the strategic work, your organization is not going to be able to use technology strategically and effectively, you know, your organization is going to be a little bit hamstrung in advancing the mission because you’re not carving that time out and you’re not respecting the time and the energy you need for that. It’s time for a break. Virtuous is a software company committed to helping nonprofits grow generosity, virtuous beliefs that generosity has the power to create profound change in the world and in the heart of the giver, it’s their mission to move the needle on global generosity by helping nonprofits better connect with and inspire their givers. Responsive fundraising puts the donor at the center of fundraising and grows giving through personalized donor journeys. That response to the needs of each individual virtuous is the only responsive nonprofit CRM designed to help you build deeper relationships with every donor at scale. Virtuous. Gives you the nonprofit CRM fundraising, volunteer marketing and automation tools. 
You need to create responsive experiences that build trust and grow impact, virtuous.org. Now back to strategic meetings for teams of one with Janice Chan. I it’s interesting really, the realization that you treat others better than you treat yourself. Essentially, you treat others work more importantly and more respectfully than you treat your own. Like you’re talking about putting off your, putting off your own time, putting off your own tasks. Um Yeah, minimizing your own needs or the other, right? It’s just I’ll get to it. You wouldn’t do that for somebody. You wouldn’t, you wouldn’t procrastinate like that you wouldn’t put off the work of others that you might have been asked to do or that, you know, as an individual, as a solo consultant, you realize you need to do, you wouldn’t do that to your clients or to your, to your organization that you’re where you’re a team of one, you wouldn’t do that, but you’ll do it for your own, your own stuff. We need to shift that. This is the mindset that we’re talking about. This is the mindset. And, uh, you know, and some of that I just completely lost my train of thought. That’s, that’s right. I think, well, you made the point and I just was, like, underlining it. So, how about some of the other things that you do besides have, you know, agendas for your, for your solo time? What are some other, some other tips? Yeah. So the, you know, a lot of the things that are about running effective meetings and I know we all have this joke about meetings that should be emails. Um But I think there are times when it’s important to when the meeting is the right tool, when you’re making a decision, you’re trying to get alignment or you’re doing something where dialogue is essential to moving forward with care often, you know, to building relationships um and maintaining trust. 
And so a lot of the things that are crucial for effective meetings with other people are also useful when you’re by yourself, meeting with yourself, the agenda, taking notes, keeping track of decisions that were made, keeping track of the action items, not just in the notes, but hopefully in whatever project management tool or however you normally keep track of your action items. Um I would say the big difference when you’re meeting with yourself is, of course, there’s not, you know, in a, in most meeting notes, at least the way I take them in a group, I note down who is attending the meeting. Right. There were people we invited to the meeting. We’ve made sure there was somebody from finance and someone from programs and someone from fundraising or whatever. And when you’re meeting with yourself you’re like, oh, yeah, I don’t need to. It’s just Janice. right? Um And something that I find helpful that’s different for a meeting with yourself is to think about the different roles that you need at that meeting because I, so this is a pet peeve. I have of in meetings with other people where they’re like, OK, we finished the agenda for, let’s say the project’s status update or whatever. Actually, this is the same group of people that, you know, for the data working group. So could we just throw that in right now? Right. And then you’re like, I, that’s a total mind shift. Yeah, it’s a total mind shift. I didn’t prepare like I’m not ready. And also, now this was like an hour long meeting that was going to finish faster. And now you’ve just messed with my head because now we’re going to be here for an hour and a half. Right? And so, and I think not part of respecting yourself, right? Is to not do that to yourself either. And so being clear about what is the purpose of this meeting. We use different meeting types for different purposes, right? It’s very different that we’re like a strategic planning meeting and a project planning meeting. 
And a team general team, weekly meeting should not look and feel the same, you’re not doing the same things. And similarly, when we’re meeting with ourselves, let’s not do that to ourselves either. Um And so naming those roles who needs to be there. So, you know, if I am the communications team and I am the writer and the graphic designer and the digital person and also the uh communications director leading the team, right? Have all of those roles been represented in that time and space. And even if it’s something simpler, like as an independent consultant, right? Is it consultant me? Is it business owner me? You know, or at a more basic level, is it decision maker, me or implementer me? Because if it’s only implementation, that’s just like me writing the report, I’m not making decisions, this is not a meeting, I’m just working on something. So I think calling attention to those um is a key difference that I would say for meetings with yourself. I, I like the idea of different roles because I, I think it helps make you accountable for, for the different, for the different uh areas of responsibility that you have and not only areas of responsibility but individual tasks that you have, you know, the the the business development person is gonna come down on, on the uh the writer who hasn’t done a blog post for six, for six weeks. Right. So III I see an accountability role. Absolutely. I love that. Calling that out anything else? So I think there are a lot of different uh like let’s be real, right? We only have so many hours in the day, but more importantly, we only have so much mental energy and mental capacity for things, right? And so part of that, you know, it’s some tools and tactics for protecting your time. It might be things like no meeting Tuesdays or it might be the last Friday of the month is always dedicated to strategic work. So I think some of it is like making time and actually putting it on your calendar to do that work, right? 
Um And it’s helpful if your whole organization does it and put it in the calendar, put it in the calendar, this is an important time exactly like you would do for a meeting with three other people. So if you know, sometimes life happens, you need to reschedule, but reschedule it don’t just cross it off the list and then never come back to it. And, you know, there are also other things that, um you know, I think that that time thing is one thing, right? There’s only so many hours, but that’s also a little bit more straightforward in some ways, it’s much harder to protect your mental brain space to do strategic work. So for example, I’m an introvert. I like people. I love hanging out with people at NTC. And also at the end of the conference day, I go back to my hotel room and I’m like, I just need some quiet time for a little bit. But also I know that at the end of the day, I can’t expect of myself to do strategic work, right? Like maybe I reply to emails or something, but I’m not going back and planning out some major initiative at night because it’s not realistic of where, how tired my brain is. Um And so I think that’s harder because that’s also individual what works for one person isn’t going to work for another person. And so some of that is figuring out what you need to be able to get into that, to have that spaciousness to do the strategic work and to figure out how to ask for that for your team. Um And you know, that could be, it could be things like the no meeting Tuesdays or working from home instead of working in the office. But it could also be things like, you know what I need to go for a walk. I need to actually, when I’m doing this type of work, I need to not be at my regular desk. I need to be in a physically different location so I can get into a different mindset than my day to day, putting out fires, et cetera. 
Sometimes it might be just like, you know, um, knowing that your team, knowing that, hey, the first hour of my day, every day, that’s like I do not take meetings, right. I’m working, but I do not take meetings so that I can make sure I do the important work, whatever it might be. So it’s really helpful to make sure that you’re asking your boss or your team or your colleagues for that and making that clear. But in doing that, you’re also modeling that for other people as well as you honor yourself and your team. There’s nobody else to advocate for you. You go out and do it. You know, I mean, if you, if you, if that team leader role has been empty, that means there’s no one else that means you need to step into that role. So, you know, I told people in the session, give yourself that promotion already. If you haven’t, how about we leave it right there? That’s perfect. Wonderful. Give yourself that promotion. If you haven’t, she’s Janice Chan, director at Shift and Scaffold, shiftandscaffold.com. Always a pleasure. I hope to see you 2025. You think you might come, come back. That’s the I, I’m hoping I will see you all in 2025 Baltimore. My old home city. It’ll be a little closer for you. Five hours closer. All your old home. I used to live in Baltimore. I look forward to seeing you. I know you’ll have a good topic. I don’t have to say, have a good you will. You will you so much to my p Thanks for sharing, Janice, and thank you for sharing in our conversation about teams of one where we’re sponsored by Heller Consulting, technology implementation and strategy for nonprofits. It’s time for a break. Donorbox, open up new cashless in-person donation opportunities with Donorbox Live Kiosk, the smart way to accept cashless donations anywhere, anytime. Picture this: a cash-free on-site giving solution that effortlessly collects donations from credit cards, debit cards and digital wallets. No team member required. 
Plus your donation data is automatically synced with your Donorbox account. No manual data entry or errors, make giving a breeze and focus on what matters, your cause. Try Donorbox Live Kiosk and revolutionize the way you collect donations. Visit donorbox.org to learn more. It’s time for Tony’s Take Two. Alice, Antoinette, Bernice, Charlotte, Constance, Deidra. Thank you, Kate. These are some of the delightful names that I’ve kept on a personal list for years now of women in their seventies, eighties and nineties. And there’s even one who was 100 years old on the list and I just, I just get nostalgic over names that are so uncommon now. I mean, these are women who were born in the 1930s and forties. So not surprisingly, you know, names change, of course. Uh, but yeah, I don’t know, the, the names just move me. Um, and so I’ve been keeping this personal list and I did, I, I posted some of it on LinkedIn and I thought I would share some of it today. Um, the, you know, it’s, it’s the names and, but it’s also the, the women’s stories, you know, growing up in the 1930s, 1940s, fifties in the United States. Uh, what that was like, you know, education wise for some, some women went on beyond high school. Uh, a lot did not. Some women went on to marry and have families and some did not. So it’s, you know, it’s the combination of the stories and, and I guess the, the richness of the stories makes me love their names as well. Um, and just as I said, you know, get nostalgic for these names that we just don’t see anymore. Like Geraldine, Gertrude, Gussie, Hazel, Jacqueline, Lenoir, Lottie, Mabel, Marlene, Maxine, Many, Myrna, Ophelia, Penelope, Rochelle, Selma, Veronica. All right. I’ve got a lot more on my list, but that’s just a sample of names that I find, uh, delightful and I get nostalgic about them. Have you got any if, uh, if, uh, if you wanna contribute your mom’s name or your grandmother’s name or maybe your own name. Uh, let me know. Love to hear it. 
tony@tonymartignetti.com. Let’s see if the names you know are on my list. That is Tony’s Take Two, Kate. I would like to add Carmella, both with one L and then one with two Ls. Yes. All right. So share why the name Carmela is important to you is I had a great grandmother. You might know better than me. But, but that I’m, you know, my name is my first name is Carmella. Well, I know that, but listeners, listeners could very well not know that your name is Carmela. Kate. Mar uh Carmela and then Kate is, is short which I never understood. I don’t know how Kate is short for Carmella. Carmel. I could see Carmel what? I have an aunt Kate but I have like a grandmother. Caramel, right? So, yeah, but they’re two different, they’re two different women. So how does because Kate is not your middle name? No, it’s not. Anne is my middle name. Like great grandmother Ann or? Right. Where is your great grandmother, Anne? Who was my grandmother? Right? This Carmela was on your other side, on your mom’s side of the family. So I, I didn’t know, I didn’t know Carmella. I don’t know. I’m, I’m happy to call you Kate, although, you know, I often call you Carmela as well because nobody else does. So I like to be different and I think it’s a beautiful name but Kate being short for Carmela, I, I don’t know, it doesn’t make sense. No, it’s been 21 years. It’s never made sense to me. Well, we’ve got loads more time. Here is Cyber Incident Cases and Takeaways. Hello and welcome to Tony Martignetti Nonprofit Radio’s continuing coverage of the 2024 Nonprofit Technology Conference in Portland, Oregon. We are all convened at the Oregon Convention Center in downtown Portland and Nonprofit Radio is sponsored at the convention, at the conference, by Heller Consulting, technology strategy and implementation for nonprofits. With me now to have a conversation is Steve Sharer. He is CEO and co-founder of RipRap Security. Steve, welcome to Nonprofit Radio. Thanks for having me. My pleasure. 
Have you done your session? I have done my session. We were the first session on the first day. So you set the bar high. I feel bad for the presenters that came after you. We just met a few minutes ago and I already know that you set the bar high, gave quite a challenge to the presenters that succeeded you. Your topic is cyber incident preparation and what we can learn from real world incidents. So it sounds like you are bringing some stories that we all are glad did not happen to us. Maybe these are major headline stories. I don’t know, maybe these are some of the big ones, but we can take some things away. Exactly. OK. Why did you feel the need for the session? Yeah. So I run a cybersecurity consulting company that’s focused on mission driven and purpose driven organizations and helping them improve their cybersecurity. And one of the key ways that we start working with new clients is that they call us and they say, hey, my house is on fire. We’ve experienced an incident, we need help. And so we go and we help them. And when we go in and we’ve never met them before and they’ve not really prepared for an incident, the incident is much more severe. They end up incurring a lot more losses. It’s all much more stressful and the chance of recovery is lower than if they had prepared ahead of time to deal with an incident. And so the talk is all about how organizations can prepare ahead of time to make it less stressful, to make it cost less to respond to an incident and really reduce the impact of the incidents that happen to the organization. OK. I don’t think I’ve thought about that, or I haven’t heard it said that way, that you can make it less impactful, less of a crisis by preparing. I mean, what I’ve heard is you should prepare because, well, you can never eliminate the possibility.
You can greatly reduce the possibility of being attacked, having an incident yourself. But you can actually make it less with preparation? OK. Excellent, excellent. So are we just gonna share a bunch of unfortunate stories and take away lessons from each one? Maybe we can talk through some of the best practices and I can weave in some stories here and there. So why don’t we start with some of your best advice? Sure. So I think the primary thing that you want to do when you’re preparing for an incident is really ensure that you have really good buy-in from your stakeholders inside your organization. So people that are working in the marketing and communications portion, senior leadership, members of the board, so that they’re involved in the planning and the preparation process. So that when you do have an incident, they’re not caught by surprise. This is not the first they’re hearing about how to deal with an incident. And so, you know, for organizations that have not prepared, we end up spending a lot of time trying to brief the senior leadership and the board about what’s happening, and they’re very nervous and they don’t let the people responding to the incident have time to actually respond to the incident. And part of what they don’t have in place is a management plan for this crisis, right? I mean, if it’s become public now, we have a PR issue. So, who’s the public facing voice? Is it a crisis communicator that we knew we would hire in an emergency, or are we scrambling for that? Should it be the CEO, should it be the board chair? You know, should it be the chief technologist, if we have one? Our audience is small and mid-size nonprofits. So the likelihood that they have someone devoted to tech is, you know, off and on, because I’m certainly not saying 100% don’t, but a lot don’t.
So you know, who should even be the voice? And then what should we be saying? How much should we be telling the public and our stakeholders? So, all right. So we need to have a plan in place, as well as managing the expectations, as you’re saying, of the board, the C-suite. All right. What else? I think another important thing is really clearly defined roles and responsibilities of who’s going to be involved and when they should be involved in an incident. Right. So you touched on it already: when do we bring in the CEO or the board to talk with the public on our behalf? Or, hey, when does it make sense to not have them do that? Who is responsible for taking the operational steps to respond to the incident? The hands-on-keyboard, very technical investigation that goes along with responding to an incident. What third parties do you need to bring in? Depending on the type of incident, you need to bring in your web development team, if you’ve outsourced the web development team, because the website is having an incident. But you wouldn’t need to bring them in, maybe, if you’re having a ransomware attack on one of your computers, right? They’re probably not the right people to bring in. So you really want to make sure that you’re involving all the right internal first party and third party people and assigning them specific roles and responsibilities. So that, you know, hey, we need to do this thing. We need to go talk to this person who’s directly responsible for this activity. OK. Yeah. Who’s gonna speak, and then who’s gonna speak to, aside from the public, if this involves donor data, volunteer data, who’s gonna speak to those groups? What do we say to them? How do we reassure them? Yeah, I’m getting chills. I mean, my synesthesia is kicking in. Actually, I really did. I just got chills thinking about it, because I’m not a CEO of a nonprofit. I’m a one person entrepreneur.
It’s not gonna happen to me, most likely, but to put myself in that position and to try to figure that out, and now maybe we’ve got press calling, perhaps. I mean, I’m kind of thinking worst case: the press is calling, what do we say to them? Like if you say no comment, that sounds bad. Do you not respond at all? And then they’ll just say, well, they were not immediately available for comment. Maybe that’s better. I don’t know. But OK, I don’t wanna have to, and then it’s a crisis, it’s a crisis and the whole planning. You deal with these. I mean, let’s take a worst case scenario. I mean, how do you walk in and manage the, I’m gonna make it even worse. Do you get called in by organizations you’ve never talked to before? And that’s the most stressful. You don’t know anybody. We don’t know anybody, we don’t know their technology, we don’t know much about them. And what do you do? We, you know, you learn real quick. You ask a lot of pointed questions and you figure out who the right people to have in the room are, because we find that there tend to be too many cooks in the kitchen when we show up. Right. There’s too many people involved and they’re causing more rotation and more work to be generated than really what there needs to be. So we really focus on, hey, who are the key people we need to bring in? And then the people that are kind of excluded from that group, say more senior leadership, we promise them, hey, we’re gonna give you an update every hour or every three hours or every day, so that they know what to expect when they’re going through an incident. That they should, OK, at three o’clock, someone’s gonna come and brief me on what’s going on and tell me what are our next steps, right.
So we keep everything really communicative. And what that also prevents is, we also tend to go in and serve as a bit of a firewall between the upper leadership and the board and the very technical people, in terms of blocking and managing access to the people that are trying to do the hands-on-keyboard work, so that they’re not disrupted by someone saying, oh, I need an update. I need an update, someone is calling, and now I can’t deal with the crisis. Oh man, how do you, that was like a promotion for RipRap Security. How do people find you in that kind of crisis, again, an organization you’ve never talked to before? Yeah. So it’s a lot of word of mouth. It tends to be, you know, who knows an organization that can help us. And you know, there are a lot of organizations that can help, but there are not that many organizations that are equipped to work with nonprofits, that are attuned to their needs and the types of data and stakeholders that they’re working with. And that’s why we like to work with these mission driven organizations, because we have a lot of experience there and we really feel like we can help them, because we’ve responded to incidents, all sorts of incidents, with all kinds of different nonprofits and other mission driven organizations. All right. Let’s take it down a notch now from that worst case, like somebody you’ve never heard of before and they’ve never heard of you and they’re calling panicked. Right? I mean, they are panicked. All right. We can remove ourselves from that situation. Let’s go back to some of your advice for preparing. Yeah, so I think the next thing to really understand is you’ve got to really understand what your capabilities are. What about incidents and managing incidents are you realistically going to be able to handle on your own?
Do you have a very technical person that’s going to be capable of doing the analysis and the investigation to figure out how the attacker got in, where the attacker is, what the attacker is doing? Or do you need to make sure you go find somebody to help you do those things? I mean, the reality is most organizations don’t have a person like that. Basically forensics, deep digital forensics. And you know, unfortunately, we’ve come in in a lot of cases where our nonprofit partners think they can rely on some existing third party relationship that they’ve got, say with their IT managed service provider or their web developer, to help them address the incident. But incident response is a pretty specialized set of capabilities, right? So you certainly want to include those people in the incident response, but you really need to know you have someone that can help take you through from beginning to end, from identifying that the incident has happened all the way through recovery, to help you through that whole process. And so understanding who’s on your team, who’s responsible for what, and really making sure that there are clear lines and expectations is really key to making sure that you can successfully recover. Can we launch into one of our unfortunate stories? Yeah. Yeah. We worked with one organization. It’s about a 100 person company and it’s a nonprofit. It’s a nonprofit. Yeah. And what happened to them is that they didn’t have multi-factor authentication configured for their email. And an attacker was able to gain access to the emails of the CEO, the COO and the CFO, and the attacker sat for months watching emails come in and out of these three mailboxes, and they were able to understand what is the process this nonprofit uses to get new vendors onboarded.
What is the process for the vendors providing the bank account information for how to pay the vendors? What’s the process for when a vendor needs to send an invoice to the nonprofit for the work that they’ve done? And what they were able to do, so they’re, I went to law school. Well, I used to practice law. They’re lying in wait. I would say this is what makes it a first degree murder, a lying-in-wait type murder versus a heat of passion. This is lying in wait. Exactly. Yeah. And attackers will maintain access for a long time in an organization to really learn about them, in the same way that I learn about an organization when I’m trying to work with them, right? I want to profile all the activity and understand how to make them more. Did you used to be a bad guy? Did you come over to the other side? Luckily not my style. And so what happened was that the attacker understood this payment flow and this vendor approval process and was able to issue their own invoices to this nonprofit. The nonprofit was just paying them. They just said, OK, this isn’t approved, everything looks fine. They posed as the CFO and the COO to give the approvals, sending an email on their behalf and giving the approval stamp, and just hundreds and hundreds of thousands of dollars just walked out the door over a six month period and no one realized, right? So there’s, you know, the aspect of, hey, you should have had multi-factor authentication configured to protect those accounts so the attacker couldn’t even get in from the beginning. But there’s also the side of, hey, what does your vendor approval and vendor invoice approval process look like, and how could an attacker use that process and take advantage of it to issue their own invoices and get the money sent to their own account?
So there’s a bit of a traditional cybersecurity and IT portion of this incident and how to recover from it, as well as a more financial process and accounting process that we help them improve to make it less vulnerable to these kinds of attacks. Once the crisis is over, then make it less likely to happen again. So that money was never recovered? Was never recovered. Do nonprofits typically cooperate with law enforcement, or would they rather just let it go, make it go away and end the nightmare? Yeah. It’s about 50/50, we find. You know, there are some nonprofits that have an obligation to report something like that if they’re working with, say, health data or something like that, really something truly sensitive. A lot of organizations, we talk with them about that, like, hey, you know, it’s worth reporting this. Like, you’re not gonna get in trouble for being attacked. And we almost always recommend going to talk with law enforcement. We almost always recommend that we submit the technical indicators of the attack, like what the attacker did, how they did it, to the federal law enforcement authorities so that they can go and cross analyze that information and try to help more people and try to, in some rare cases, go and track down the attackers and do things like make arrests and disrupt the operations. Rare cases, though. OK. So at least contribute to the FBI’s database of forensics and then maybe not pursue prosecution. Well, it doesn’t sound like there’s prosecution, very likely not. Like, can nonprofits participate like that, like, anonymously? The FBI is just not gonna reveal the identity? You could go to your FBI field office that’s in your state or your city and go and make these reports if you need to.
There’s a federal cybercrime task force that has a forum open that we use pretty regularly. If you wanted to submit something anonymously, you could do that through that manner. OK. And do you do the forensics? Can you figure out how they got in, what they did? Yeah. Yeah. So, you know, the process and the workflow of the incident is, after we get called or we see that there’s a potential incident happening, we start in the stage called identification. We’re really trying to profile what the threat is, what they’re doing, and start to understand what the impact is, so that we can go start taking steps to say, hey, let’s make a plan for how we’re going to contain the attacker. So the attacker cannot, we want to essentially put a force field around what they currently have access to and start to limit their ability to escape out of it and pivot away and gain more access to the environment. So after we are able to contain them, we work to eradicate their presence. So we remove access to accounts, we will pull computers from desks and erase them and reformat them. We’ve done a lot of work. This is when the attacker knows now that they’re being surveilled, typically. Yes. Yeah. We’ll look under cabinets, behind desks, up in the drop ceiling, in closets, to make sure there are no computers or devices that are hidden in those areas that the attacker is maybe using. They’ve gained some physical access to the organization? It happens. Yeah. Sometimes there’s physical access. Oh my God, it’s even creepier. It’s way creepier. Where have they been? Right? Have you seen that? We’ve seen that. Damn.
Is that a disgruntled employee? Could be a disgruntled employee, could be an attacker that, you know, they’re wearing an orange vest and they have a tool bag and they walk right in. You know, there’s a lot of these ways to, you know, just kind of waltz in. And, with Verizon, you optimize your Wi-Fi, we’ve seen evidence of degraded signal. We’re very proactive. Come on in. We all love higher performing Wi-Fi. Oh my gosh, physical presence, man. OK. All right, so the takeaways from that, let’s just go into a little more detail. That’s a bad story, a couple hundred thousand dollars. What do we take away from this? So what we take away is that you really have to understand the impact of the incident, to really understand what are the goals of the attacker. Is it opportunistic? Is the organization being specifically targeted? We’re finding these days it’s more opportunistic, like the attackers are not specifically targeting an organization. They’re just sort of, you know, hoping they get into any organization. And the question we get from a lot of nonprofits, and any organization that we work with on an incident, is like, why us? You know, and it’s unfortunately almost impossible to say, right? And they’re like, who would do this to us? I’m like, well, it could be anybody. Right. These people are all around the world. You know, they’re hard to track down. Even for the government, it’s hard to track these people down. And so we kind of help redirect that energy, and it’s like, OK, you know, we may not be able to tell who did it or why they did it. But let’s get you to a better perspective. Let’s get you to a better place. Because what we end up doing after we’re able to remove the attacker is we have to work to help the organization recover and get back to business as normal.
Now, most organizations that do this on their own without any help, they sort of kick the attacker out and then they just go back to doing business as usual without fixing the underlying reason the attacker got in in the first place. And that’s a tough thing, to come back or to return to somewhere, or to get called in later, or say we thought we had it under control, we won’t get struck by lightning twice. Exactly. Right. You know, it’s not a good strategy if you don’t lock your front door. You know, it’s kind of like, if this happens again, shame on you. Right. It’s like you gotta take the time. And so we work with the organizations to say, hey, how did the attacker get in? What are the things that we can do to close that method of access in the future? What are the other security capabilities that you can put into place, the policies, the technology, and what people need to be involved to make it so that you’re prepared for the next time? And then what we always recommend, and this is a thing that a lot of organizations skip as well, is we have a very lengthy lessons learned session. And the lessons learned sessions are really critical because you really want to bring in all the stakeholders from dealing with the incident after everything is done, while everything is still fresh in your mind. And you want to start understanding, what did we do well? Like, what did we do really well in the incident? We communicated, we bought pizza for everybody so no one had to leave the office. Simple things like this, right? And what didn’t we do well? Like, OK, well, you know, it turns out the attacker was in the network for six months. Like, we should have known five months or five and a half months ago. You know, things like that. And then what we recommend is having specific action items with specific due dates assigned to specific people so that things get followed up on.
And every time you have to step through this process, you’re improving a little bit more, you’re reducing the impact of future incidents and you’re just better prepared for the next time that it happens. What’s the proportion that you see of nonprofits that take that proactive step after the crisis to mitigate the likelihood and the impact of a future crisis? These days, the rate is much higher than it used to be. Five years ago, we wouldn’t have seen many follow through unless they were quite a large organization. But people feel the pain and people see this in the news all the time. Right. They see major corporations, Southwest, yeah, I don’t know, our providers, pipelines. Right. It’s always in the news. So people are a lot more aware of it, want to have the conversation. It’s less of, like, oh, no, we’re totally secure, nothing can ever happen to us, sort of just hoping that nothing happens. They want to engage more deeply and say, like, what do we really need to do? You know, what are the foundational things we need to put in place that we just don’t have? How did you come up with RipRap Security? What’s the significance of that? Yeah. So, riprap is a type of shoreline protection, like in a bay or on a river. It’s all rocky, and the erosion control, like those sort of not really rock walls but little rock islands or mounds, that’s riprap. That’s exactly right. So you’re protecting the nation’s coastline, like our Coast Guard, our silent warriors. We’re not quite as seaworthy, I think, but I get nauseous sometimes. Let’s see, being able to hold the incident preparation discussions with leadership. Is that, we talked through a lot of that. Have you seen, I feel like I’m speaking to law enforcement, you know, like about crime trends in the nonprofit community. Have you seen ransomware? Ransomware is a common one we see. You got a ransomware case story?
You can tell we deal with these a little bit less these days than we used to. You know, honestly, the fact that more organizations are fully remote means that the ransomware has trouble spreading to other devices on a network. So that definitely is a nice thing about working from home or working remotely. But we’ve had cases where we worked with one, this is one company. They’re quite small, a 50 person manufacturing company that we worked with, and they called us up one day and they said, hey, we’re having this ransomware incident and our production floor, like they made metal machine parts, our production floor, everything is encrypted by ransomware. All the business side of the network was encrypted, everything was fully offline. They sent most of their employees home and they just, you know, turned the lights off, right. They’re like, what do we do? And so we’re there, we’re trying to understand. We’ve identified obviously that there’s ransomware. We’re trying to understand, you know, what it is, how they got in, and the IT director comes in and he’s like, great news, I have backups. Like, oh, this is great. No one ever has backups. Right. Because if you’ve got backups, you can restore the data, you can get back to normal. No problem. So he stored them at his house, in a little safe in his house, brought them back. He takes them out of the box and the backups are a week old, so it’s not ideal, but a week ago is better than nothing, or two weeks. And he opens the box, it’s like an old tiny, like, metal lunch crate. And they are tape drives, and tape drives are almost like a cassette deck. They used to be used very frequently to store a large amount of data, but the downside is they are very slow to move data on and off those tape drives. So I’m like, OK. All right.
So he’s gonna say, oh, I’m gonna go restore the data to get us back up and running. He comes back a couple of hours later. He’s like, it looks like this is gonna take 14 days to restore our data. Like, that’s a really long time. And so ultimately, the leadership of the organization decided to pay the ransom because it was gonna cost them less. I think it was four or five hundred thousand dollars. It was gonna cost them less to pay the ransom, to unlock the computers, than it was for them to be down for two weeks. And that’s a hard choice for an organization to make. We’re paying the bad guys, but it’s a business decision. It’s a business decision. Are these foreign actors? Not this one specifically. But do you see a lot of foreign actors as the bad guy, when you can identify? Maybe sometimes you can’t even identify where in the world they’re located. It tends to be pretty geographically spread. You know, there is a whole business model and business life cycle for these ransomware attacks. So one malicious organization will go and they’ll perform the initial exploitation of an organization. So they’ll go in, they’ll get access to a computer or an account, and they do that tens of thousands of times, and they’ll collect all these logins and then they’ll sell them to ransomware attackers. So they’re almost like a data broker providing these account credentials and this access to the ransomware attackers, and then the ransomware attackers will go and they’ll install the ransomware on the computers that are associated with these accounts and they’ll just see who calls them back. And so there’s this whole ecosystem of, hey, you know, the attackers know, like, they need to be pretty quick to respond to their customers’ emails, right? Their victims’ emails. Otherwise people aren’t going to trust that they’re going to provide the key if they get paid.
And so we tend to say that they’re good on customer service. Customer service, because there’s hundreds of thousands of dollars at stake. They’re great communicators. Some big corporations, I promise we’ll get back to you within 15 minutes. Crypto, are they typically paid in cryptocurrency? Typically paid in crypto. And they have a variety of different cryptocurrencies that they’re using, almost as many as you can count. And they take pretty significant steps. Once you’ve paid them, they typically give you one address to send the money, the digital currency, to, and from there it’s almost immediately, essentially, chopped up into smaller chunks and sent out to, you know, potentially hundreds of other digital currency and cryptocurrency accounts. So it’s very difficult to trace that kind of thing. Have you seen a case where the ransom was paid and the key was not provided, the encryption key wasn’t provided? We’ve seen where the attacker has provided the wrong decryption key by mistake. But email them back. He made a mistake. They sent the customer, they got back to you. So you don’t have to go through a gateway or anything, an 800 number. Just go right to the principal, and then they provided the correct key. Now, you do have to be careful. Right. We don’t recommend paying the ransom, not necessarily, but if it’s a business decision, you do have to be careful because the Department of Treasury and law enforcement agencies, they’re very closely tracking these ransomware attackers, and what they do is they’ve placed some of these cryptocurrency wallet addresses on the sanctions list. So the same sanctions list that has Russian oligarchs and, you know, Chinese hackers, through the Financial Crimes Enforcement Network, Department of Treasury. I know exactly. So, what’s the caveat there?
The caveat is that you could potentially be in sanctions violation by paying one of these ransomware hackers, if it’s a tracked, sanctioned cryptocurrency. It’s the Russian hacker or the Indian hacker and the Treasury Department, both. It’s not a good position. You want to call your lawyer for sure. All right. That’s a great caveat. All right. So what can we take away from this, the lessons learned from this particular ransomware account at the manufacturer? Yeah. So I think the key thing is make sure you have ongoing, current backups. And a lot of organizations, they’ll set up backups, like in this story, or they say, OK, we’re taking backups every week. That’s probably fine. But the downside was, they never tested it. Right. They never verified that the data was complete and they never made sure that they understood how long it was going to take for them to recover. If they had known, they would have probably chosen a different way to back up, because it doesn’t cost that much more these days to not back up on a tape drive, say. Where in the world are these bad actors clustered? Is there a part of the world, like, I mean, I mentioned India and Russia, but I’m, you know, not a cybersecurity professional. Can you generalize where these folks might be clustered? So, they tend to be pretty geographically spread. You know, the reality is that it’s no longer that hard for someone to gain the skills that are necessary to perform some of these attacks. And we’re seeing more and more of these organizations of very young people going out and committing these types of crimes and, you know, ultimately being successful in a lot of cases.
And so, you know, YouTube is great for learning all sorts of things. You can learn how to hack and do all these things on YouTube, and by research, there’s a lot of great information out there. But the reality is, like, it’s almost impossible to know who’s doing this in a lot of cases. Right. Either the attackers are using all kinds of intermediaries and bouncing their communications off other computers all around the world, and it’s very tricky to really track them down unless you’re a fins or a large government organization. Is there truth that if you are a victim of a hack, let’s say it’s your credit card, you know, your credit card company says that not only your credit card number but your address and maybe your date of birth or something, you know, may have been compromised, and they’ll typically give you one year, in one case I saw two years, which is double, but still, my question gets to the value of all this, two years of, like, credit monitoring and, you know, the suspicious monitoring alerts and things like that. But I’ve also read that the real value comes longer from the incident, because it’s harder to track back to where it happened, what the source of it was. So like three to four or five years later, your birth date hasn’t changed, your address might have changed, but a lot of people’s addresses haven’t, so they’ll use what they’ve got and they’ll get lucky in a lot of their ill gotten file. So, is that true, that the longer the time, the more valuable your data is on, I guess, the dark web, in the black market? Yeah. And, you know, I think it speaks mostly to the following impact that can have. Right.
If someone steals your data, that’s, and there’s a big breach, that’s one thing, but that data gets repackaged and sold to a variety of other people on the, on the dark web and, and, and the reality is that most people, they’re not going to be able to pay attention that long. Right? They can’t change some of these core things about them, like their phone number or their social security number, you know, some of these things. So you really have to be mindful all the time and really watch your accounts and really understand like, what is the impact here, you know, the one year of credit that they give you. I just don’t, I mean, yeah, sure, I’ll take it, I’ll sign up for it, but I don’t see the value because so my, what I’ve read is, is accurate, the longer, the longer the time, the more valuable actually. And the more likely it’ll be used after, after one or two years from the incident. Um, we got a little more time. You want to tell us one more story. And, and some lessons from it. Yeah. Yeah. So, I mean, we, we have, you know, we’ve, I’ve told a lot of, like, kind of dark stories, you know, but there are bright spots. Right. So, you know, we, we come in a lot of times, come in an organization, they, they’re having an incident, we work with them, we really, we help, you know, kick out the attacker and the leadership, they really get it right. They really want to understand they really want to learn because, you know, we hear things at conferences and read about online and hear on the news that all these bad things are happening, but it’s not until you really feel it and you’re really in it that you’re like, OK, this is, I understand this, you know, and that that’s a hard lesson to learn certainly. Um But we, we in a lot of cases have been able to say, hey, here’s how you fix the underlying root cause that caused the incident. 
But you know, here are, here are another 10 things that you could do that are low effort, low cost, very minimal business impact that you can do to really reduce the chance that this is gonna happen again. And it’s those organizations that tend to understand that security and it and operations and the success of their organization are all very deeply linked and that it requires, it’s not just like an activity for it to be worried about or security to worry about. It’s a whole security is a team sport. Everyone has to be involved and be a stakeholder. The reality is that an attacker is they’re gonna, they’re gonna target the CEO and the leadership of the organization when they’re trying to get in. Um And so by bringing all those people all together, it’s just, it leads to better outcomes um to have them involved and have that buy in um in a continuous way. So, is there a bright story? Yeah, the right story is that they were able to kind of plug the holes that they had and, and go on this journey where they were able to modernize their, their it stack and their tools that they’re using and their processes, um you know, really embed security very deeply into that and we’re able to reduce the, the likelihood of, of these kinds of incidents happening again. And we, we, we’re in a spot where we can watch the Attackers attempt these types of attacks and that’s what we really want. So you get early warning that there’s an attempt happening, we can take some additional steps without having to wait six months to learn that you’ve been compromised for six months. Steve Sheer. Thank you very much. He’s CEO and co-founder of Riprap security. Thank you for sharing, Steve. Excellent. Thank you and thank you for being with our coverage of 24 NTC, the 2024 nonprofit technology conference where we are sponsored by Heller consulting, technology strategy and implementation for nonprofits next week, more 24 NTC Goodness with intergenerational communication and the four day work week. 
If you missed any part of this week’s show, I beseech you, find it at tonymartignetti.com. We’re sponsored by Virtuous. Virtuous gives you the nonprofit CRM, fundraising, volunteer and marketing tools you need to create more responsive donor experiences and grow giving, virtuous.org. And by Donorbox, outdated donation forms blocking support, generosity. Donorbox, fast, flexible and friendly fundraising forms for your nonprofit, donorbox.org. Daughter box. It’s obvious. Well, who else would it be? It’s daughter Box to Box. Our creative producer is Claire Meyerhoff. I’m your associate producer, Kate Martignetti. The show social media is by Susan Chavez, Mark Silverman is our web guide and this music is by Scott Stein. Thank you for that affirmation, Scotty. Be with us next week for Nonprofit Radio. Big nonprofit ideas for the other 95%. Come out and be great.

Nonprofit Radio for March 13, 2023: Beat Back Cyberattack


Michael Enos: Beat Back Cyberattack

Cyberattacks against nonprofits are on the rise. While you cannot avoid them, you can make them a lot less likely to cost you big money, your data, your reputation, your donors, and your employees. Michael Enos from TechSoup helps us out.




Transcript for 631_tony_martignetti_nonprofit_radio_20230313.mp3


[00:01:26.42] spk_0:
And welcome to Tony Martignetti Nonprofit Radio. Big nonprofit ideas for the other 95%. I’m your aptly named host of your favorite abdominal podcast. Oh, I’m glad you’re with me. I’d suffer the embarrassment of aphonia if I had to speak the words you missed this week’s show: Beat Back Cyberattack. Cyberattacks against nonprofits are on the rise. While you cannot avoid them, you can make them a lot less likely to cost you big money, your data, your reputation, your donors and your employees. Michael Enos from TechSoup Global helps us out. On Tony’s Take Two: get in people’s faces again. It’s a pleasure to welcome Michael Enos to Nonprofit Radio. He is senior director of community and platform for TechSoup Global. He began his professional career in technology in 1996 and has since led team, tech teams at the national and individual office levels in increasing responsibilities. On Mastodon, he’s at Michael underscore Enos at public good dot social, and TechSoup is where you’d expect them to be, at techsoup dot org. Michael, welcome to Nonprofit Radio.

[00:01:42.03] spk_1:
It’s great to be here. Tony Thank you for having me.

[00:01:46.69] spk_0:
My pleasure. My pleasure. Let’s please explain the work of TechSoup. I think it’s so valuable, so many billions of dollars of software and hardware transferred to nonprofits. Make sure, let’s make sure everybody knows what TechSoup is doing.

[00:02:52.57] spk_1:
you know? Absolutely. I mean, essentially our, our mission is to help civil society organizations worldwide um better leverage technology to create impact in the missions um that they serve and to build communities. Um You know, that, that then can then foster that, that, that, that impact globally. Um We do that through a number of different ways. We do that by facilitating philanthropy from large tech donors. Um And you know, most of which are the ones that are just, you know, household names. Um We also do it through uh courses, services, consultations, um and through connecting organizations with each other and through also through engagements like this where we try to really uh to blogs, webinars and other facets where we help organizations understand how they could use tech um and protect their tech to uh enable uh and further have impact for their, their communities they serve,

[00:03:17.12] spk_0:
I saw on TechSoup’s website today, Microsoft Office or Microsoft 365 for a dollar. So

[00:03:18.55] spk_1:
that’s an example, right? And if you were to go to uh you know, Microsoft for nonprofits or Google for nonprofits, for example, um you know, the data validation platform that validates organizations worldwide is managed by TechSoup. So, ultimately, we, we, we do many things but we’re also sort of a, I guess, data leading partner for, for a lot of these organizations that want to understand and make sure that their philanthropy is going into the right hands.

[00:03:48.25] spk_0:
You have, you have local uh connect groups, TechSoup Connect groups.

[00:03:54.10] spk_1:
That’s great. That’s right.

[00:03:56.21] spk_0:
Yeah. You know, I know, I know you’re, well, you’re director of community and platform. So is that, is that part of your work

[00:04:42.76] spk_1:
director? I mean, you know, you know, I support that, that organization that we um we have, we have lots of different um areas and, you know, and, and in my role, I support them all um platform is a lot of the, you know, I oversee our enterprise, infrastructure and security as one of my fundamental sort of roles. I mean, obviously with the, with their expansive amount of technology that we have, that runs our platforms that, that consumes a lot of my time, but also the community side because of my background working in the tech for good space, you know, since, you know, for the length of my vocation, um you know, I have, I’ve accessed as a resource for a lot of other groups, including the connect group for when they need, you know, to understand, you know, how to, you know, for, for things like this and for, for other things um to help our communities um better leverage to the tech that they use. I mean, it’s one thing to, to uh provide the technology. It’s another thing to actually help people, you know, provide them the enablement to be able to use it and optimize it.

[00:05:08.91] spk_0:
Are there local meetups are the group’s going back

[00:05:50.06] spk_1:
to? Exactly. There are, there, there are, you know, communities within the regional and our, and that’s part of our Connect program. Um And Eli, the guy who runs that and, and the group that runs that are very, very energetic and it’s very community driven, which, which is fantastic and we’re sort of an enabler and facilitator in that work, which is wonderful. And that stems from the early days of us being part of the early groups that were involved with the, you know, tech for good space way back when technology was first getting launched, you know, and the internet was first launching different

[00:05:51.33] spk_0:
types of work. I mean, you know, NTEN doesn’t do consulting, which I wanted to ask you about very shortly. But, you know, they don’t do tech grants necessarily, but all, all very parallel with, with NTEN.

[00:06:26.73] spk_1:
Yeah. Correct. And, and we, we have a close partner in NTEN and, and we attend the events and such and we’ve long been sort of affiliated with that demand and other and other groups like like NTEN. Um and we have partnerships that sort of expand throughout the different communities. Um And, and we try to be involved globally as well. You know, so there’s this sort of, you know, there’s the US side of it, but then there’s also the everything that we’re doing outside of the US and abroad because, you know, it’s um civil society is international and so, and TechSoup is really involved with, with things not just within our own borders but, but outside of them um globally.

[00:06:50.58] spk_0:
Are you going to 23NTC, the conference?

[00:06:51.42] spk_1:
Um myself. No, I’m not the, I know we have some, some other representatives that are there. I’ve been to many of those uh this year. I’m not specifically going, but we will have some representative from TechSoup there. I’m

[00:07:03.64] spk_0:
sure. Yeah. And non profit radio will be there as well. We’ll be on the exhibit floor.

[00:07:07.67] spk_1:
Excellent. That’s fantastic. Yeah. Yeah. Well, I’m sorry, I’m not going to be there to be in person to meet

[00:07:12.61] spk_0:
you. That’s all right. There. There are others every, every spring and

[00:07:17.31] spk_1:
virtually, by the way,

[00:07:18.97] spk_0:
that’s true. There is hybrid this year. That’s right. Um And, and TechSoup is also consultants to, consultants to nonprofits. Let’s make sure folks understand that too.

[00:08:46.84] spk_1:
Yeah, I mean, we, we provide, essentially, we help organizations connect with other organizations that then provide consultant services. We do some ourselves, but it’s very specific to some of the um because we, we provide a lot of, you know, what we’re doing to, to skills. So to speak what we, what we have is we’ve partnered with other organizations through our platforms to, to align organizations depending on exactly what type of consultation they need to an appropriate sort of resource for them. Um And that’s more uh our, our model in terms of we’re sort of a connector. So for example, if somebody needs, you know, specific sort of technology assessment uh for implementing uh Microsoft, we may do some, but then if it’s more advanced, we may work for them to, to Tech Impact or an organization that we partner with and then they provide that as a service to that organization. So, and we have other partners like that, who provide those similar sorts of services that are more hands on and direct than what TechSoup can provide at this moment. And we may may expand that more and do some of that um more, more stuff ourselves and, and we are developing that and some of our customer success programs. Um and we do run a lot of sort of in the office programs where people could have webinars. And I’ve spoken in a few of those where we do it in in depth dive of a particular technology so that organizations can learn how to use them.

[00:09:00.19] spk_0:
I’ve always considered the big three to be TechSoup, NTEN and Tech Impact in terms of technology for nonprofits and, and all three of those of course, are nonprofits themselves. Right.

[00:09:12.87] spk_1:
Exactly. Yeah. All right,

[00:09:15.44] spk_0:
let’s talk about cyber attacks. Uh They are on the rise against nonprofits. What, what, what are you, what are you seeing? We’re going to get into the details, of course, but overall general, you know, kick us off. What are you seeing on this front?

[00:11:31.28] spk_1:
What, what we’re seeing is a lot more, um, targeted attacks, which, which is, which is unique because there’s, you know, speaking broadly about cyber activity, you know, there’s a lot of noise on the internet. There’s, you know, just all these robotic sort of in these bots that are flying around trying to find targets, right? And they’re sort of just, you know, you know, I guess, you know, they’re, they’re doing drive by sort of evaluations to see of anything, you know, just to see if there’s anything that they could get a finger in or, you know, just to explore and see if there’s sort of a, you know, something that they could find in there. What we’re seeing now is more targeted attacks, meaning there’s a specific purpose to it. Like somebody’s like, well, you know what we think that, you know, this is a, you know, a specific type of organization, they’re involved with a particular type of activity and we’re interested in knowing who’s donating to that activity and whether or not we could possibly have access to that information because that might be valuable or perhaps to the constituents that they’re serving because maybe that information is valuable as well, maybe for either financial reasons or, or, or or political reasons. And so we’re seeing a little bit more of that or, or perhaps because we really want to cause disruption in critical infrastructure. And one thing that um this is sort of a broader trend in cyber security around targets towards critical infrastructure and myself and and others in this space believe that civil society, organization data is part of critical infrastructure and critical infrastructure. So I mean, people are targeting things like, you know, we’ve we’ve heard about the target on power grids and uh gas pipelines and such. 
And you know, if you think about data that’s relative to communities that are specifically vulnerable in certain context or, or have access to information about others, then that’s critical infrastructure because we need these organizations to function in society. And so, you know, there could be other actors who say we want to disrupt that particular critical infrastructure for some reason and that reason could be varied just like it is for why people would disrupt any sort of critical infrastructure.

[00:12:55.08] spk_0:
I have an example that is pretty close to home. I, I, I own two homes in North Carolina. One of them was affected by that shooting at uh at the electrical substation in that was, that was in Moore County, North Carolina. Um And there’s a, there’s a possible correlation that, that that attack was to prevent a drag queen show from going on in the little town of Southern Pines, North Carolina, which is served by that substation that got shot at. Um So, I mean, it sounds like you’re saying, it’s not that far a leap like, you know, one, one cadre of bad actors uses guns. Another cadre of miscreants could be hackers that are looking for data at that maybe at that theater or, uh you know, among a nonprofit that may have been involved with

[00:13:45.30] spk_1:
maybe maybe the intent at the attendance list or the people who are donating to that event. And so, you know, this is the type of data and like I said, there’s, there’s different reasons why somebody might be targeting certain data. But this, these are the, this is, you know, this is like bingo on the nose, this is the kind of stuff that, that we’re seeing more and more and we’re very concerned about and why we’re really, like, TechSoup is really sort of launching this um effort to help educate organizations on how to improve uh and understand what cyber security means in this space and how to prioritize it, but also how to um sort of get through the sort of complexity of it and, and, and find simple ways to knock off low hanging fruit to make it sort of actually, you know, doable for them with given their budgets and given their constraints that we a lot of smaller organizations in the, in the space you know, have, generally,

[00:14:39.67] spk_0:
it feels like in our polarized culture that there isn’t a nonprofit mission category that would be exempt from, from possible attack. I mean, you know, even feeding, feeding the hungry, you know, I could conceive of that being objectionable to some group of people that feels like why do those folks get food and, and I don’t get food or why are they entitled? And I’m not, or, you know, something that seems innocuous and purely beneficial. I, I can imagine, uh, another cadre of bad actors deciding that it’s, it’s, it’s worthless or worth worse than worthless. It’s detrimental to our culture for some reason and wanting to attack it. It doesn’t, it doesn’t feel like any particular mission would be more vulnerable or less than, than any other.

[00:15:59.15] spk_1:
Um, you’re correct. And one of the other things that is, has changed in, in this, in this sort of, you know, over time that I’ve seen is the availability of the tools to be able to perform exploits before you would actually have to be, you know, pretty well versed in hacking to be able to do any harm right now. It’s, you can, you can buy the service. I mean, you could just go to the market on the dark web and just say, hey, you know, I want to buy this, you know, uh, this hacking kit, you know, and, and, and, and there’s YouTube tutorials on how to do it. I mean, it’s becoming, and, and these are, the tools are free and readily available. So what we’re seeing more of is not only just this trend of people wanting to and, you know, and maybe that hasn’t changed, it’s just that it’s more accessible, right? But, you know, people wanting to, you know, target communities and, and, and, and also try to find valuable data within these communities, but also their ability to do so it’s become easier and there, you know, and, and so you combine those things together and that’s why we’re seeing the trends we’re seeing. That’s one of the reasons

[00:16:21.11] spk_0:
you no longer have to be a sophisticated computer user. It doesn’t take a lot of study, you’re saying these things are available for cost or free to cause harm. All

[00:16:39.80] spk_0:
Alright. So how do we, how do we break this down for folks in small and mid sized nonprofits, you know, that, that they can sort of prioritize? I mean, is it as simple as let’s start having universal two factor authentication for everybody on your teams or maybe that’s passe maybe, maybe we’re past that now. I don’t know, how should

[00:19:30.66] spk_1:
we, you know, you, you make a good point. So for example, like the first thing I think people should do is, you know, or, or what you know, uh would be recommended and to think about it is to do the basics. Okay. What things like what you mentioned is like like multifactor authentication, um you know, anti malware on their clients, keeping things up to date and, and making sure you have backups of your data, these are sort of the basics, right? And so apart from the basics, though, you know, the next step above that is to then start looking at what we call privileged access management or role based security, not everybody needs to have access to everything, right? So, so, so let’s say, for example, a system was compromised with somebody’s permissions or credentials, depending on what they have access to, they could only do so much. And so there’s a, there’s a, there’s an important concept in cybersecurity that we call the privilege, the principle of least privilege. So, and that sort of dictates that a person really only needs access to the information that they need to do the role that they’re trained to do in their specific function. So if, if, if somebody is, you know, in IT, somebody who’s familiar with IT systems, uh they understand sort of the complexity involved and they may have access to privileged systems where they can perform things and have access to that sensitive data, but not the entire organization, right? And so we call that privileged access management. And sometimes, especially with today’s as we’ve moved into the cloud more when things get fired up and somebody spins up an app in the cloud, the cloud as well, generally have some basic role based permissions like the admin, you know, maybe a super user and then maybe some groups and then, and then just the regular users, right? You don’t want to give everybody admin rights. 
And so because then if somebody, if that just, that just provides more exposure and so these are small things that don’t take a lot of time or effort really to just sort of that, that’s a little bit beyond the basics though because um you know, and you know, for, you know, TechSoup, for example, provides, you know, Office 365 or Google Workspace for, for, for organizations. And once we, they provision, the next step is to really go in there and sort of harden them a little bit and lock them down and to go through that steps and understand what that looks like. So that um as people start doing things like maybe downloading spreadsheets that contain donor data or customer data that it’s not, somebody can’t accidentally just share that with somebody, you know, outside the organization or, or that becomes available on the general public internet.

[00:20:02.06] spk_0:
So how do we execute some of these things that are, that are more advanced, you know, beyond the backing up, the multi factor authentication. Alright. So if you move into privileged access management, we need a, we, we either have a CTO which most listeners probably don’t or we need some outside help.

[00:21:13.19] spk_1:
No, actually, I think that a lot of these, you know, cloud based applications will provide guidance. The good news is is that they have an interest in protecting and wanting you as a, as a customer as well as, you know, the fact that it’s a shared data model. And so the the better that they do in terms of providing information about how this works, the better, you know, the, the the, you know, the people who use that product is going to benefit from it. And so generally in these, you know, you know, and these things aren’t if you have somebody who is at least responsible for the deployment of the technology and they don’t have to be an advanced, you know, computer scientists to do the work of the cloud app then. But somebody should be sort of designated within the organization to ensure some of the basics about the way data is handled. And, you know, getting to one of the export points, I wanted to bring up one of the most important things to understand for an organization is what data do they have? Where does it live and what is the value of it? And what is the value of Michael before we, before

[00:21:22.02] spk_0:
before we move to what, what’s our data inventory? I want to emphasize this, I wanna emphasize the value of being in the cloud. So there is there is value to using uh CRM databases that are cloud based versus server based at, in your office anymore.

[00:22:47.49] spk_1:
Correct. And for so many reasons and, you know, uh, and, and moving to that topic because a lot of the ways that systems are oftentimes breached is because what things we mentioned earlier, such as they’re not patched, there’s, um, not, not very good perimeter security on them. These things are taken care of for you, um, and they’re not backed up regularly. Um, those things, these things are taken care of for you in a SaaS application. Um If it’s, if it’s a robust SaaS application, like the kind that TechSoup provides. And so when we, when we go to, you know, vet an offer that’s going to be in our marketplace, we we, we go through the list to ensure that this is gonna be a product that will serve the pole, the test of time and actually will, will be robust in, in the requirements necessary for our organization to protect their data. And so, and, and so that leads to, you know, also that making it more but maybe a little bit easier for organizations to then lock down their cybersecurity because they don’t have to have experts come into their closet or their data center and, and do this configuration and do all these updates are very technical on their firewalls and all the hardware and everything all the time in their own infrastructure, it can be managed within the cloud by people who are not necessarily have that sort of, you know, the Cisco CCNA sort of certification? Alright,

[00:23:07.85] spk_0:
thank you. I just, I wanted to drill down absolutely. Very

[00:23:11.75] spk_1:
good point.

[00:23:15.98] spk_0:
The value of from a security perspective, the value of the cloud. Alright, so let’s go to what you were, you were headed to, what your data inventory, what what do you have? What what do we need to be? What do you want us to think about there?

[00:23:32.71] spk_1:
Yeah, so no data is not all data is not created equal, so to speak, right? So we have, we have data that it’s just things like, you know, my notes when I’m, you know, talking in a meeting or something like that. Okay. There’s nothing valuable with that. It’s, you know, generally not containing anything that’s sensitive. It’s sort of my notes from a meeting. Okay. Now, if that is something that, you know, maybe I don’t want to share, but it’s not something that, you know, if a hacker birds look at that so I can’t sell this and it doesn’t contain anything that’s gonna, I can do any harm with. Right.

[00:24:09.30] spk_0:
Well, it might depend, it might depend who’s leading the meeting. You might have different, you might have different sets of notes depending on who’s leading your meeting. You know, you might be commenting on the commenting on their uh I don’t know their, their capacity. I mean, not to suggest

[00:24:16.36] spk_1:
that people

[00:24:30.71] spk_0:
know, I’m actually, I’m actually having fun with you like, if somebody at tech soup was not a very good, not a very good speaker or supervisor, you know, then those notes you might not want in the public domain. But if the person is carrying their weight and they’re generally a good, good employee, you know, you have a brighter set of notes that you wouldn’t feel bad about getting exposed. That was my, my point. I guess I wasn’t, I wasn’t coming, I was coming across so dry. It was, it was desert, it was desert dry.

[00:27:18.46] spk_1:
No, I’m glad you brought into it. The, the, yeah, the types of data that you know, we think about when we think about the difference between data privacy and data protection to me, they’re very linked, right? So we, we have a responsibility to protect people’s data and the privacy of their data, but also to protect the security of that data. And so, you know, fundamentally speaking, generally in organizations in the sector, there’s gonna be some, you know, information that’s sensitive or may have some value and if we identify that and identify where that lives and then focus our energy on securing that, making sure that that data is backed up. Um and, and testing access to it, that’s, that’s, you know, if you have limited resources, that’s the place to really focus your attention. And then the other stuff is great. I mean, and use using robust tools like we provide um in our marketplace such as box for document repositories or even sharepoint, those can all be really configured for. So any type of theater, like even my notes from, you know that, you know, or my supervisor notes about me or your notes about me can be secured, you know, um you know, in a very robust way or shared. And one of the things we’re seeing, for example, especially the document collaboration software, it’s very easy to share things. They make it very easy to share with anybody, right? Just click and it always says like share with anybody with link, you know, you know, and so if you, if it’s something like, oh, you know, um uh oh somebody just sent me, you know, or they told me to put in my, you know, take a picture of my passport or something and, and stick it in here, right? And, and I, and the somebody has in the human resources once said, oh, I’m just gonna share this link and make it copied everybody. 
Now everybody has access to your past potential, everybody has access to your passport photo and ID. So, you know, these are the things that we just have to sort of like start thinking twice, which brings me up to my next point. Um Security awareness within organizations, cybersecurity awareness, I cannot stress enough how important it is for organizations to have a cyber security awareness program within the organization. This these programs don’t cost a lot of money. They don’t take a lot of time and they go a long ways to prevent uh an internal mistake that could lead to something. 80% of cyber attacks happen from the inside.

[00:27:27.33] spk_0:
What does this cyber security awareness program look like?

[00:28:34.34] spk_1:
So essentially, so for example, um they’re usually conducted on point of like orientation for an employee that comes into an organization and they go through a video, you know, provided by a platform like KnowBe4 which is in our marketplace. And, and what they do is they sort of go through this, this methodical sort of, you know, course to teach somebody about phishing about sensitive data about ways that people try to get access to information, either through cell phone phishing through text phishing through um email phishing or through other means to or even on Slack to say, to try to fool you into providing some information um that they, that they can use. A huge trend in this arena is what we call impersonation phishing. It’s a specifically targeted phishing email that looks like it’s coming from somebody within your organization such as your CEO, your CFO or uh the human resources director asking you to provide or update your banking information. And it’s very carefully crafted, crafted, it looks just like that and you really have to do a lot of due diligence to really go through there and say, oh, did this really come from our CEO having

[00:29:03.26] spk_0:
Haven’t there been cases where a spoof email like this says, you know, wire $50,000 to this vendor account, the payment is overdue, we need to wire this payment ASAP? And of course it goes to the bad actor’s account. Isn’t there stuff like that? It looks like the treasurer saying send a wire, or the CEO saying make a payment.

[00:29:40.35] spk_1:
That’s right. Exactly. And if you have an organization and people haven’t been trained to recognize that, you know, if somebody’s asking you for something and it’s something of value, double check it, and contact that individual in a different channel and say, did you really need me to send $50,000 in this wire transfer? I just want to check that this actually came from you. There are other ways they teach you in these orientation platforms, or in these security awareness platforms, to check the email headers and the simple things, but essentially that’s the gist of it. And that’s why security awareness training is so important, so people are on their toes when they’re actually doing their work.

[00:30:03.43] spk_0:
Do you recommend ongoing training, then? You talked about orientation.

[00:30:51.51] spk_1:
There’s an orientation training, and then most organizations will make it mandatory that they do an annual training, just as a refresher course, and also because things change. The space changes. Sometimes people are doing it more often now because of the trends, like every six months. And then specifically for people who are in jobs where they’re doing data handling, let’s say they’re doing data processing, they work in the donor services program or something where they’re managing sensitive data all day long, there will be specialized courses for people who are actually dealing with data on a day-to-day basis. That’s a little bit more involved in terms of actually how to understand it, and that goes into things like, don’t download a CSV file onto your computer and stick it onto a thumb drive and transport it, or don’t send it out via email to a coworker, and these sorts of things that are specific to handling sensitive data.

[00:31:04.59] spk_0:
Okay. Interesting. Yeah. So even just emailing internally, from employee to employee, can be risky.

[00:31:37.20] spk_1:
Yes, it can be. Because, for example, that’s actually going to stay within that email store, wherever that is located. It’s going to be encrypted during transit, for example, and encrypted at rest. But if somebody else had access to your email server, or privileged access in your system, they could potentially go in and take over that account, log in as the CEO, have access to the data, and actually browse emails and do queries and look for credit card information or look for email addresses, and then they could potentially find information about donors or constituents that is sensitive.

[00:35:08.08] spk_0:
It’s time for Tony’s take two. It’s time to get back in people’s faces again. Last month, I did an in-person, live, face-to-face training on Long Island. I was in New York City for several days. What a joy. What a pleasure. What a difference, an improvement, over virtual trainings. I mean, look, Zoom is, I’m all flustered. Zoom is necessary, and I’m not saying a necessary evil. It’s a part of the culture, whether it’s Zoom or Teams or Google Meet, whatever virtual meetings, they’re just a part of our lives now. No question about it. But don’t make those the default. If you have the option to get back in front of people in person, I urge you, choose that option. I could have passed on the opportunity to do the in-person training, but I didn’t want to. I did donor meetings too while I was in the city, face-to-face meetings again, coffee, lunches. It’s just so much better, so much more real than anything virtual can offer. I had a lunch meeting just about 10 days ago or so with someone from Heller Consulting, which is going to be Team Heller. They’re going to be our 23NTC sponsors at the Nonprofit Technology Conference coming up in Denver, and the woman who works for Heller happens to live within 45 minutes of where I live in North Carolina. So we got together for a real lunch. We had lunch together over the same table. Remarkable. More real, authentic. I urge you, if you can meet someone in person instead of virtually, do it. It makes a world of difference. It’s time to get back in people’s faces again. Don’t make virtual your default if there’s another way. I urge you to do it. That is Tony’s take two.

We’ve got beaucoup, but loads more time for Beat Back Cyber Attack with Michael Enos. Talk about not preserving data that you don’t need to preserve, like credit card numbers, full numbers for instance, or dates of birth, or other things that aren’t necessary for you to preserve. Isn’t there value in trimming down sensitive data that you don’t really need?

[00:35:40.17] spk_1:
Yes. And one of the principal aspects of data handling is minimization of data. So there’s transactional data that happens. And oftentimes, for example with credit cards, things are processed nowadays through a payment processor. So hopefully the server that’s actually storing that information is not on your box anymore, because you can use an API and a website and it happens somewhere else, and they take care of all that stuff for you. So if your systems were hacked, they wouldn’t have access to the credit card data.

[00:35:55.19] spk_0:

[00:39:00.73] spk_1:
Or Braintree, or one of these sorts of services. Exactly. And so those go to those payment processors and they manage all that, which is great, because it reduces the amount of exposure on your e-commerce site or fundraising donation site. And if you’re using a donation software program like DonorPerfect or one of these sites, that’s what they’re doing as well. They want to use best-of-breed technology to make sure that stuff is really super secure, and they have higher standards and compliance standards that they attest to. However, let’s say you’re doing an email list to your constituents. You’re going to need some marketing data, you need to know who to send this information to, but you don’t need everything about that individual. You may need the basics, but you should be using a marketing provider that is secure, you should transfer that information to them in a secure way, and you should ensure that that individual can opt out. All these things should be in an organization’s privacy policy so that people understand how their data is being used if they sign up for a newsletter or things of that nature. But to your point specifically, oftentimes reports about activities and engagement that go to executives, or that are put into a PDF or another format, the data should be anonymized, so the only thing that’s there is aggregated information about the engagement, and they shouldn’t be able to drill down and see who this exact individual is.

Now, if they want a donor report, I want to see exactly who the top donors are and such, there should only be limited people within the organization who have access to that data, to be able to see that information. That goes back to my other point about privileged access management. There’s going to be some reason why people aren’t going to want to know specifically who’s engaging with the community. And also, oftentimes at the client level, the people who are providing services to communities need to know exactly who these individuals are, and more sensitive information. That’s what I was talking about earlier: understanding where that data lives, only having as much as you need to fulfill the function of whatever you’re doing, and making sure that’s really locked down. When I worked in the food security sector, we had people going out into the communities and helping sign them up for CalFresh, essentially benefits, for people to get government assistance, and they had to collect really sensitive information. But what they did is they had ways to securely transmit that information to the local human services agencies, so that it was all encrypted, it was protected, and once we transmitted it, we didn’t have access to it.

[00:39:44.68] spk_0:
What about vetting vendors? If your office is using a mail house, some of the data that you just talked about for mailing. I can’t think of other examples of vendors that could be. Well, events, event management might have some sensitive data. How do you vet your vendors to make sure that they’re taking appropriate actions to prevent theft, phishing, to defeat, or at least, you can’t defeat them, but at least minimize the threats? How do you check these third parties that you’re working

[00:41:16.80] spk_1:
with? Well, that’s a big part of my role at TechSoup. So whenever we’re going to be using a new product or app or something like that, it’s my job to go in and actually check. These application providers will provide on their site, or they should, and if they don’t, you shouldn’t use them, but most of them will provide on their site, access to their information security program: what they do, where their data is located, what they do to protect it, their compliance levels, their certification levels, whether they do audits, whether or not they do penetration tests and what type, and everything of that order. That should be vetted by somebody before they onboard an app. And we do this all the time. We use a lot of different apps at TechSoup, north of 100. So every time we onboard one for some utility within the organization, we make sure that it meets this standard. And since we’re a third-party vendor for other people, they have the same for us, so a lot of the work I do as well is to report out periodically to all the people who are using our platform to facilitate their data to organizations on what TechSoup’s information security program is like. That creates transparency, but it also helps people understand what the risks are, which helps when you’re in a situation where you need to go and advocate for resources to institute a cybersecurity program.

[00:41:47.96] spk_0:
I want to ask you about the board’s role in all this. But is there anything more that you want before we get to the board? Anything more you want to talk about, threat minimization, policies, anything we haven’t covered that you want folks to know about?

[00:44:14.11] spk_1:
Yeah, I think one of the things that we haven’t mentioned yet is preparedness for an incident, essentially a security incident response plan. This is another thing in that sort of list of five that an organization should understand, if you have a situation where your data’s been breached. And one thing I do want to do is describe quickly, even though this is kind of a dry topic, that there is a difference between a security incident and a security data breach. A security incident could be something as innocuous as somebody just knocking your website off and taking it down with a DDoS attack. Now, that doesn’t sound innocuous, because it’s disruptive, because nobody can get to your website, but nobody’s taking the data, and as soon as that denial of service attack is stopped, your website may be functioning again. But that’s an incident. A data breach is different, because now you’ve got to do a couple of different things. Number one, find out how the breach occurred, which you should also do in the case of the DDoS attack. But above that, you also need to understand how to respond: what data was breached, what’s the scope of that data, who are the individuals, what’s our plan to reach out to those individuals and notify them about the breach, what’s our policy around that, and who do we have to include in terms of communications, internally and legally, to provide that transparency. For a number of different reasons: number one, it’s the right thing to do, and number two, because it actually helps build trust within communities. If people understand that these things happen, and they happen to some very, very large organizations, right? We know about these really large breaches, but the more transparent they are, the more the consumers or the constituents who use those products

think, gosh, they really responded well to this, they acted immediately, they communicated appropriately, they remediated what happened, and that was the responsible thing to do. And you don’t want to be figuring that out in the middle of a breach. So having a plan up front helps during that process, because otherwise it’s just too much at one time, everything, and

[00:44:21.00] spk_0:
the plan is going to lay out who’s in charge, who makes what kinds of decisions,

[00:44:27.43] spk_1:
who to notify. Right. And what’s the playbook, essentially? Yeah.

[00:44:52.19] spk_0:
I mean, it could even break down to needing a remote place to work. Go that far? Or, because we’re hopefully in the cloud, if our physical infrastructure gets compromised, do we need to go off site? And what are the technology capabilities in our off-site work location?

[00:45:17.93] spk_1:
Well, that’s actually a little different. We usually talk about that in terms of a business continuity plan, and that would be the same sort of plan you would enact in case of a natural disaster or something like that. That’s business continuity, and that’s far exceeding the scope of what we can discuss today, although I’d be happy to discuss it. Let’s not, let’s not

[00:45:22.65] spk_0:
I don’t want to panic folks. Okay. Alright.

[00:45:25.60] spk_1:
Alright. Alright,

[00:45:27.20] spk_0:
You got me focused on, I don’t know, natural disasters and terrorism. All right, let’s

[00:48:44.52] spk_1:
go to the board. Okay. All right. So one of the things about boards. All right, so for organizations nowadays, let’s put it this way: cybersecurity is becoming as important as financial security within an organization. The two are becoming linked together. For many years, as we all know, 501(c)(3) organizations in the US are generally bound to having a financial audit annually, right? They report to the board, and the board will make sure that there’s a financial audit to ensure that the funds are used judiciously. There’s oversight and governance over these matters. Cybersecurity is becoming as important as financial security because the two are linked together. If you have a ransomware attack, it could affect the viability and the business sustainability of an organization. So it’s a very serious matter. It’s becoming a very, very serious matter for organizations to think about cybersecurity as a compliance issue, not just a nice-to-have. And so it’s about helping boards understand that this has shifted from a situation where, oh, nobody’s going to attack a nonprofit, and if they do, our data isn’t very important. Things have shifted, right? I think recently there was a community, one of these cities, for example, an entire city has been locked down for days because their grants were attacked, and so nothing can function within the city, because that’s going to affect everything within the city, not just their continuity and the safety of people, but it’s also going to have a financial impact. So cybersecurity is becoming more like a compliance issue and a governance issue. And I think if boards understood that, then they would understand the need to prioritize and to provide funding and resources for those within the organization.

In a small organization, that could be the CFO or the COO or even the CEO saying, look, we need to carve out some resources to understand our risk. And the best way to do that would be to do a third-party risk assessment, with somebody coming in to do an evaluation. These people are vetted, this is their job, they’re safe to work with, and they’ll come in and say, these are the critical things, these are the not-so-important things, and these are the nice-to-haves. They’ll lay it out for you, and then you can develop it as part of your strategic plan as an organization, just like it should be part of your business plan, and it should be linked to the business plan, because the strategic plan for the organization, and then the funding, the budget resources, the resource planning, all these things should be baked into the operational strategic plan for an organization. That’s where we’re going in the sector.

[00:49:03.09] spk_0:
Okay. It belongs as part of your strategic plan, your business plan. All right.

[00:49:50.46] spk_1:
Yeah, and that’s where I think, like I said, a board comes in: to help understand that, so that they can then authorize, oversee, and ensure that an organization is doing this work. And it’s hard work, because you may have limited resources, and where are we going to carve this out from? However, the good news is that there are people who want to fund this. There are grantmakers who would be super happy to say, look, I’m going to make a capacity impact grant to this organization to help improve their cybersecurity, because of these trends that we’re seeing. And so you can use that as a mechanism to possibly help fundraise to offset some of the funding, so it doesn’t necessarily have to come out of your operational costs.

[00:50:23.28] spk_0:
Okay. There are foundations that will fund this. Yeah. All right. All right, we’re going to leave it there, Michael. Thank you, Michael from Montana, Michael Enos, Senior Director of Community.

[00:50:26.28] spk_1:
And it’s

[00:51:30.65] spk_0:
My pleasure. Thank you, Senior Director of Community and Platform for TechSoup Global. He’s on Mastodon at Michael underscore Enos at publicgood dot social, and TechSoup, where you’d expect them to be, techsoup dot org. Next week, I’m working on it. And I assure you that there will be a show next week, because this is show number 630, and I’ve been producing a show every week for close to 13 years. So I assure you there will be a show next week. I just don’t know what it’ll be about, but don’t bet against me, because there is going to be a show. You’re going to lose if you bet against there being a show next week. If you missed any part of this week’s show, I beseech you, find it at tony-martignetti dot com. Our creative producer is Claire Meyerhoff. The show’s social media is by Susan Chavez. Mark Silverman is our web guy, and this music is by Scott Stein. Thank you for that affirmation, Scotty. Be with me next week for Nonprofit Radio, big nonprofit ideas for the other 95%. Go out and be great.

Nonprofit Radio for July 25, 2022: Cybersecurity 101


Matt Eshleman & Sarah Wolfe: Cybersecurity 101

Our #22NTC coverage picks back up with a summary of the tech threat landscape, key policies and procedures to have in place, and how to make the case for devoting resources to IT protection. Our guests are Matt Eshleman and Sarah Wolfe, both from Community IT Innovators.





I love our sponsors!

Turn Two Communications: PR and content for nonprofits. Your story is our mission.

Fourth Dimension Technologies: IT Infra In a Box. The Affordable Tech Solution for Nonprofits.


Transcript for 601_tony_martignetti_nonprofit_radio_20220725.mp3


[00:02:05.14] spk_0:
Hello and welcome to Tony Martignetti Nonprofit Radio, big nonprofit ideas for the other 95%. I’m your aptly named host of your favorite abdominal podcast. My goodness, last week’s show was great fun. They’re all fun, but last week’s 600th show was great fun. Oh, I’m glad you’re with me for this week’s fun show. I’d be thrown into an echo Griffo sis if you clawed me with the idea that you missed this week’s show, Cybersecurity 101. Our 22NTC coverage picks back up with a summary of the tech threat landscape, key policies and procedures to have in place, and how to make the case for devoting resources to IT protection. Our guests are Matt Eshleman and Sarah Wolfe, both from Community IT Innovators. On Tony’s take two: my voice just cracked like I’m 14 years old. Please start your planned giving with wills. We’re sponsored by Turn Two Communications, PR and content for nonprofits. Your story is their mission. turn hyphen two dot c o. And by Fourth Dimension Technologies, IT infra in a box, the affordable tech solution for nonprofits. tony-dot-M.A.-slash-Pursuant four D. Just like 3D, but they go one dimension deeper. Here is Cybersecurity 101. Welcome to Tony Martignetti Nonprofit Radio coverage of 22NTC, the 2022 Nonprofit Technology Conference hosted by NTEN. Our coverage brings me now Matt Eshleman, chief technology officer at Community IT Innovators, and Sarah Wolfe, sales

[00:02:15.50] spk_1:

[00:02:16.64] spk_0:
also at Community IT Innovators. Matt, Sarah, welcome to Nonprofit Radio.

[00:02:23.14] spk_1:
Thanks, Tony. It’s good to be here.

[00:02:25.34] spk_2:
Thank you. Glad

[00:02:42.84] spk_0:
to have you. Pleasure to have both of you. Your session topic is “Defending Against Boggarts and Boogeymen: Understanding and Pitching Cybersecurity for the Accidental Techie.” Sarah, why don’t you get us started? Let’s define accidental techie. I think we have a lot of them listening, but they may not know it.

[00:03:13.44] spk_2:
Yeah, so accidental techies are the people at an organization who are not necessarily trained in IT but are relatively tech savvy, and so they end up being the ones who help their coworkers with tech issues, or the ones that end up wearing the IT support hat, even though they haven’t necessarily gone through professional training for it.

[00:03:32.14] spk_0:
Okay. Right, so they know enough that they know more than others, but they’re not professionally trained in technology. Okay. And Matt, why are boggarts and boogeymen, your description says, an accidental techie’s biggest nightmare? What’s lurking there?

[00:03:38.23] spk_1:
Well, I think, yeah

[00:03:51.34] spk_0:
I don’t even know. Yeah, I’m not even an accidental techie. Okay, there’s the first problem. You’re suffering a lackluster host, obviously. Okay. All right.

[00:04:28.24] spk_1:
So I think a boggart takes the form of your biggest fear, and so whenever it appears, it shows up as what you’re most afraid of. And I think for folks that are supporting nonprofit organizations, there is this fear of what could be lurking out there, what kind of threats could impact your organization. And for many folks, especially the accidental techies, they don’t have that background training and experience in terms of how to protect their organization. So that’s why we wanted to have that session, to help provide some tools and equipment so that people who have that responsibility, but maybe not the training, can pick up a few tips.

[00:04:40.74] spk_0:
Okay. Why don’t you start us off? What would you like folks to know that they don’t know well enough, but they ought to?

[00:05:30.74] spk_1:
I mean, I think the biggest thing for folks to understand is the importance of what’s called multi-factor authentication. So MFA, it’s often referred to. It’s something that you know, which is your password, and then something that you have, and for most folks that would be an app on their smartphone. What this gives is an extra layer of protection. We all know people’s passwords get compromised and stolen all the time, but if you can add that extra layer of an app on your phone to protect that login, then you’re much, much less likely to have your account compromised. And what we see is that most compromises will then lead to other things that have significant damage in terms of, you know, emailing all of the contacts in your organization’s database, sending out malicious links, sending out updated payment information, so that can lead to a lot of other bad things. And so if we can protect that account with MFA, then the organization becomes a lot more secure.

[00:05:46.54] spk_0:
Okay. And you’d like to see this mandatory? Not opt-in?

[00:06:16.74] spk_1:
That is exactly right. Microsoft and the other big tech providers are starting to enforce that now as a requirement, but if you’ve been in Office 365 or Google Apps for a long time, it’s not required, and it’s something that organizations need to take a couple of steps to set up, roll out to all their staff, and provide training, just to make sure that it’s set up and working correctly.

[00:06:27.54] spk_0:
Okay. So we should be doing it. We should be opting in where it’s optional, and we should make it mandatory if we’re wearing the hat of the accidental techie.

[00:06:32.04] spk_1:
Yep. Exactly right.

[00:06:37.94] spk_0:
All right. All right. Sarah, what else can you share for these folks?

[00:08:13.14] spk_2:
I think the next biggest thing is making sure that your staff are actually aware of the different security risks and things like that. Having a security awareness training program is one of the best ways to make sure that, even if you have all of the fancy tools in the world, every single filter and everything, something’s going to slip through. And if you have staff that know what to look for, and know not to click on something, or not to go on that website, or not to enter their information in various different places, them having the knowledge is going to be one of the biggest returns on investment in terms of security. Antivirus, we had so few issues with antivirus last year. Out of the 696 security incidents that we were dealing with, only seven of them were viruses and only 45 of them were malware. So it’s much more important for staff to be able to identify what’s a spam email, what’s spear phishing, how can I tell if I’m looking at an email from somebody else whose account has been compromised. Having the training to make them aware of that is definitely worth the investment. And there are great tools out there, like KnowBe4, that are really easy to use.

[00:08:31.84] spk_0:
Okay. And so, first of all, it was KnowBe4, like K-N-O-W, know before. Okay, I didn’t know about this, but I figured out KnowBe4. All right. But that’s not really saying much, in any case. So is that a security training? Like, is that online security training that folks can get at KnowBe4? Or how is this accidental techie going to push this and offer the training in their nonprofit?

[00:10:02.94] spk_2:
That’s great. Yeah. So that’s learning management software, specifically for cybersecurity behaviors and tools. The way that you’re going to pitch this for your organization is to first gather your data, get your plan of attack, and a lot of times that involves looking for friends in the company to support you in getting data, and trying to make sure that you are able to find partners either within the organization or maybe even reach out to your board governance committee. Those people are going to be able to help leverage some of the existing requirements that you have. If an organization needs to apply for cyber liability insurance, a lot of times multi-factor authentication is going to be one of the requirements, and staff security training is going to be one of the requirements. So being able to leverage those, and then putting your plea into terms that people understand. If your ED is comparing the cost of security education software versus a financial compromise, there is a definite argument to be made there.

[00:11:03.94] spk_0:
It’s time for a break. Turn Two Communications: media relations and thought leadership. Peter Panepinto, a Turn Two partner, was on last week. He’s a former journalist at the Chronicle of Philanthropy. His partner Scott is also a former journalist, so they know what to do and what not to do to build relationships with journalists. Those relationships are going to get you heard. Turn Two Communications: your story is their mission. turn hyphen two dot C O. Now back to Cybersecurity 101. You mentioned cyber liability insurance. Is that something else we should be flagging for these poor accidental techies?

[00:11:08.75] spk_0:
beleaguered, beleaguered, accidental techies.

[00:12:16.64] spk_1:
Yeah. I think we’re seeing more and more organizations go through a cyber liability insurance kind of renewal process. Typically that’s something that’s handled by the, you know, the finance department of the organization. What we’re seeing is that, you know, for cyber liability insurance or even for financial audits, they’re becoming a lot more technical. And so it’s likely that if you’ve got any tech aptitude at all, then you’re being enlisted to help fill out these applications, to provide the detailed information that’s being requested. And so yeah, we’re seeing a lot more sophistication being, you know, kind of demanded by these insurance companies in terms of, you know, understanding which controls are in place, because we’re seeing even cases where if you have not turned on multi-factor authentication for all your systems, you won’t even be eligible for coverage. Uh, and so it’s pretty dramatic that, you know, organizations are now being, you know, it’s a good idea to protect the organization, you know, with these cybersecurity controls. But there’s also this extra layer of requirement from, you know, insurance carriers now to say, hey, like, you have to have this or we’re not gonna provide you insurance.

[00:12:40.94] spk_0:
Okay, okay. Sara, let’s go back to you. I’d asked you about cyber liability insurance and then Matt usurped, unceremoniously uh usurped your, your, your platform. So let’s go back to you. What else, what else can you contribute for these, for these folks?

[00:13:53.94] spk_2:
Yeah. So with, with cyber liability insurance, it’s something that oftentimes is getting, you know, much more of a top-down decision making process. Somebody will have, you know, these things like the ransomware and, and wire fraud and issues like that have, we have bubbled up more in, like, the public awareness, and so there’s a lot of top-down pressure for these things to get adopted. And, you know, one of the things that they’re also going to ask for is, you know, what are your plans? Do you have an acceptable use policy for your IT? Do you have a plan for when something does go wrong? You know, do people know what to do, who to reach out to, what steps to take? You know, because, you know, you hope for the best and plan for the worst. And there are a lot of really good resources out there for developing these sorts of acceptable use policies, for, for creating incident response plans, and, you know, um, really it can get overwhelming sometimes, the number of, you know, different resources that are available and what to use and what not to use. So, you know, partnering with somebody who does know, you know, a little bit more about cybersecurity or is providing that knowledge to the community. Um

[00:14:43.94] spk_0:
Let me guess that, that, that’s the work of Community IT Innovators. Am I going out on a limb, taking a, taking a stab in the dark? Yes. Okay, well, we’ll get, I’ll give you a chance for this, for the shout out. All right, explanation. But I’m gonna ask you first, what are, what are some resources for folks? I mean, I’m, you got me feeling bad now for these people because we’re, like, we’re enhancing their to-do list, but this isn’t even their job that they’re paid for. But yeah, we’re talking about looking into insurance and having policies, and now, now, now they are now realizing they are beleaguered because it’s not even their job. It just got foisted on them because they know more than all the baby boomers in the

[00:14:56.64] spk_2:
Sometimes it is baby boomers who are accidental techies.

[00:14:59.85] spk_0:
All right. It’s probably not too often. Thank you for that, but probably not, not too often. All right. But so what are some resources that folks can, can rely on? You said there’s, there are many. Where can we look?

[00:15:14.44] spk_2:
So I’m going to start with the, the self-interest pitch first. Uh, Community IT has a great um library of publicly available resources on our website and our YouTube channel um that are really great for digging into these kinds of things. Um, a great

[00:15:30.38] spk_0:
place is the website. The website

[00:16:00.74] spk_2:
is uh communityit.com. Um, and the one of the other places that I know that Matt, as our cybersecurity expert, has a lot of people start is with the Cybersecurity Framework by NIST, the um, and that website, I have a link to it. It’s NIST dot gov slash cybersecurity framework.

[00:16:03.65] spk_0:
Okay. NIST dot gov slash cybersecurity framework. So NIST, obviously, is a government agency, National Institute

[00:16:11.61] spk_1:
of Standards

[00:16:12.97] spk_2:
and Technology

[00:16:24.44] spk_0:
Technology. Thank you. So. Okay. Um, all right, so there’s a couple of resources um including Community IT Innovators. Anything else you’d like to share that folks can rely on?

[00:16:47.44] spk_1:
I’d say that there’s no shortage of resources out there. TechSoup is also a great resource. So in addition to the donations that I think we’re all familiar with, TechSoup also has courses and training, and so they have some free resources that I would encourage folks to check out there. Um, so I think, yeah, there’s, there’s no shortage of resources that are out there to help people learn. I think, you know, the big, the big challenge is really putting it into action.

[00:17:16.24] spk_0:
What about a little, uh, can we give some, uh, psychological support to these beleaguered folks? Now I’m telling you, you have me feeling very badly for them. Um, we’ll get back to the, to the bogarts and boogie men, I promise. But, but, uh, let’s, let’s take a little digression to how we can support these folks other than recommending things for them to be aware of. Just, like, how can, how can we support them otherwise?

[00:17:25.34] spk_2:
So I think that, you know, I’m trying not to turn this into a pitch for, for having an MSP come in and, like, do all this stuff for you. Because

[00:17:33.45] spk_0:
what’s an MSP

[00:17:34.70] spk_2:
MSP is a managed service provider.

[00:17:38.13] spk_0:
Thank you. That’s what you are

[00:17:40.09] spk_2:
support, we have

[00:17:41.20] spk_0:
Jargon Jail on Nonprofit Radio. So yeah, but I, I saved you from, from any, any lengthy sentence. Okay, a managed service provider. Okay,

[00:18:35.14] spk_2:
so that is, that is one of the ways, you know, that you can get support. The other thing is, you know, really leaning on the rest of the community. TechSoup is a great place to look for resources, and, you know, the entire community is a place to ask questions. Um, there are also, you know, on LinkedIn and Facebook and places like that, there are communities that you can reach out to for wanting to vent, looking for ideas, looking for recommendations. Those are all um possibilities. I uh definitely enjoy seeing how many, you know, how ready people are when people post on the NTEN forums, like, I need help with this, and like there are definitely people jumping on,

[00:19:12.74] spk_0:
it’s an enormously supportive community. Yeah, I, I fear that even though I say it a lot, because Amy Sample Ward is on the show very often, she’s our technology contributor, um and so she’s often saying it too, that NTEN is not only for technologists, but I, I still think people have that misconception. Um, it can be for folks who are not even, you know, not even responsible for technology in their office, but they’re just using it. You know, you’re just using it in your nonprofit, and in 2022, like, who is not using technology? I don’t think we’re running everything by index cards. Even if you’re on an Excel spreadsheet, you’re still using technology. So.

[00:22:28.84] spk_0:
Yeah. Well, that, yeah, and line printers, now you’re talking about when I went to college, so be careful, Sara. It’s time for a break. Fourth Dimension Technologies. You heard the 4D CEO Jug in last week talk about IT as a service for nonprofits. They know they’re in a service business. Their IT infra in a box, the IT buffet, if you will, is structured around service. Take what you need and what fits your budget, leave the rest behind. They know their work is to serve your IT needs. Comes from the CEO directly. Fourth Dimension Technologies tony-dot-M.A.-slash-Pursuant D. Just like three D, but they go one dimension deeper. It’s time for Tony’s take two. This is my silver jubilee in planned giving, and August is National Make a Will Month next month. So let’s start talking about your planned giving program launch with wills. Wills. Why should you start your planned giving program with wills? This week, three easy reasons. First, they are the most popular planned gift by far. Expect 75-90% of your planned gifts forever to be the most simple planned gift, the gift by will. So it just makes sense to start with what’s gonna be at least three quarters of your gifts anyway. Behind door number two, there’s no donor education. Everybody knows what a will is. Everybody knows they need a will, and everybody knows how wills work. You don’t have to spend time and money educating donors, explaining to them the concepts of life insurance as a planned gift or charitable gift annuities or remainder trusts. You’re sticking with the basics, something that everybody understands. And behind door number three, there’s no staff education. Everything I just said applies to your staff too. Everybody knows what wills are, everybody knows how they work, and everybody knows that they need one. So you don’t have to train your staff on life insurance and gift annuities and charitable remainder trusts. Completely unnecessary. 
You’re starting with the basics, and you may never ever decide to go further, and that won’t matter. But the place to start is gifts by wills, for those three reasons. Three reasons for today, in any case. And that is Tony’s take two. We’ve got just about a butt load more time for cybersecurity 101 with Matt Eshelman and Sara Wolf. Matt.

[00:22:30.17] spk_0:
else? Um, let’s go back to

[00:22:33.16] spk_0:
what we can the rockets and the boogie men that

[00:22:36.24] spk_1:
we want

[00:22:36.47] spk_0:
to help these folks look out for.

[00:23:01.04] spk_1:
Um, yeah, I would maybe also just kind of come back in terms of what’s good about investing in this training, is that it’s, it’s good to see progress. And I think that’s one of the benefits, as Sara mentioned, of the KnowBe4 platform. It’s great. You know, spend a little bit of money to invest in a platform, because then you can actually see the progress of, you know, how many people are taking and passing these little trainings, and then KnowBe4 does a little thing called test phishing, and you can actually see the percentage change of how many people in your organization are kind of clicking on stuff that they shouldn’t. And so, you know, whenever you test, yes,

[00:23:34.04] spk_0:
it’s great. Test phishing emails to your enemies in the office. Report them when they click, when they click after two days, after the training, and they click, you can, you can turn them in. Now, organization advantage. Now there’s an advantage to being an accidental techie: you’re no longer beleaguered. You’re empowered. Yes, send, send, send a, send a test phishing email to my boss who just turned me down for getting the day after Christmas

[00:23:46.84] spk_1:
off. So

[00:23:47.30] spk_0:
yeah, so it’s great.

[00:24:31.44] spk_1:
You can, you know, you can see, you can see progress, and so not all of cybersecurity is kind of like doom and gloom and, you know, battening down the hatches, you know, against the onslaught. I think it can be fun. It can be engaging. You know, uh, you know, I think organizations that, yeah, do elevate it, and it’s something that, you know, people can talk about, and talk about openly, as opposed to, you know, being, being silenced and kind of feeling bad about themselves if they, if they clicked on one of those messages, right? Like, that’s not the approach you want to take. You want to take the approach of encouraging that learning, because, you know, if you got caught by a suspicious message, uh, you know, it’s likely somebody else got that too. And so having this kind of culture of openness and engagement, yeah, is really successful,

[00:24:37.54] spk_0:
right? I agree. Unless it’s your boss who turned you down for the day after Christmas, that, then it’s, then it’s vindictive. Reported

[00:24:40.64] spk_1:
to the board.

[00:24:49.24] spk_0:
Yes. Oh, without a doubt. So, all right, well, let’s stay with you, Matt. What else? Um, what else can we? Yeah,

[00:26:00.74] spk_1:
I think the other thing that we started to see more of would be kind of financial fraud, or what’s kind of called, in the, I think the official terminology, wire fraud. So, you know, it could be something as simple as those messages people get, you know, that look like they’re coming from the executive director saying, hey, I just need you to buy these gift cards. Call me real quick, I got something for you to do. You know, we’ve seen people get caught up by that, you know, even to more sophisticated cases where people are getting tricked by well-crafted emails that say, oh, I need to update my payment information, or hey, we’ve got a grantee and they had a problem with their bank account and here’s the new bank account information. So, uh, you know, that kind of falls into an area where it’s, it’s not just a technology control. You know, there isn’t some product that you can buy that’s gonna magically make that go away. Um, but it’s a combination of having training, maybe having some good spam filtering tools in place, but then also having some policy and procedures, so that you’re talking about that with your finance department, uh, so that you, you have good processes in place. So payments aren’t made just by one person making a change, but there’s some, some review and some vetting. Maybe we need to call somebody. So I think, again, it’s, it’s not just technology solutions, but really that, that kind of the people and process comes into these equations as well.

[00:26:22.74] spk_0:
It seems like they’re getting more sophisticated. Uh, a little savvier, like, uh, your, your account renewed for $399, you know, click here to see the invoice. You know, I don’t know, they just seem, they seem like they’re improving

[00:27:35.94] spk_1:
well. And I think you’ve identified a key understanding, is that, uh, this is, this is a cyber crime. This is a criminal enterprise, right? This is financially motivated. And the bad guys are doing it, you know, not just to kind of go in and wreak havoc on your network, but they’re doing it to make money. Uh, and so I think that’s also helpful for organizations to keep in mind, right? You know, you can be the greatest nonprofit in the world and, you know, have the most noble mission. No, they’re not attacking you because of your mission. They’re attacking you because you have money, and, and you might get tricked into, yeah, doing that $399 renewal, or maybe you updated payment information and, and that was $25,000. And so, uh, you know, the mission, you know, does not matter for those, uh, you know, cyber criminals who are financially motivated, and it’s a lot easier to, to kind of trick somebody into giving you $400 than it is to, you know, write some super sophisticated virus that’s gonna go on to your computer and encrypt all your files, and then you’re gonna have to try to figure out how to pay them in cryptocurrency. Yeah. It’s just, it’s a lot easier to try to trick people into giving you money than it is to write, write a new virus. Yeah.

[00:27:49.14] spk_0:
Okay. And then of course there is the community of nonprofits that, that are at risk because of their mission. And because you know, we’re living in a polarized time. It’s, it’s no longer

[00:27:55.34] spk_0:
um, hot button issues, you know, like gun rights or, or abortion.

[00:28:00.21] spk_1:
I mean,

[00:28:06.74] spk_0:
it seems like a lot of missions could trigger someone to do something malicious, you know, technology wise. Uh,

[00:28:27.94] spk_1:
yeah, I would say so. We really see that, um, primarily for organizations that are in the space kind of like government think tanks, policy groups, you know, kind of good, good government. Those tend to be the kind that attract the most attention. Um, and then I think organizations that work on, you know, human sexuality and, uh, you know, family planning and abortion services, like, are in that category as well. Right,

[00:28:39.24] spk_0:
Sara, let’s turn back to

[00:28:40.94] spk_1:
you, what,

[00:28:41.21] spk_0:
what, what more can you share with us?

[00:31:26.84] spk_2:
Well, the one of the things that, you know, in, in that theme of, you know, it is financial, these, these, this has become a business enterprise, and it’s become, you know, not necessarily organized crime, but it has become something that is a multibillion-dollar business. And um that is something that we’ve definitely seen. We’ve seen an increase in the number of incidents that we end up responding to. Like, from 2018 to 2021, the number of cybersecurity incidents that, that Community IT was able to track tripled. And so, you know, there isn’t a way to really fly under the radar anymore, and you’re right, these people are getting smarter. It’s not just all Nigerian princes looking for, for oil or gold or whatever. It’s, you know, there have been times where, you know, we’ve seen examples that have been caught in the tools or that did get through and did nearly create an issue. And I sat there and looked at the email chain and I was like, I can’t tell where this jumped in, and then you, like, have to, like, really highlight and look in and look in the details and you go, oh, oh, okay. Like, there was just, like, a one-letter change in somebody’s email address, you know, or, and, like, that can, you know, if, if you don’t have the training and you’re not necessarily aware of that stuff, and then the redundancy that, that Matt was talking about, um, making sure that, you know, it isn’t just up, that, that all of the keys to the castle aren’t in one person’s hands. Uh, so that you can, you know, make sure that there’s additional eyes to see, you know, what you missed or to make sure that this is the real deal, is, you know, really important. Um, you know what, it’s, it’s definitely a frame of mind thing. 
You don’t want to be constantly consumed with worry and, you know, be paranoid about everything, because that just takes, we’ve got a whole lot of other things going on in the world right now that we don’t need to be panicking about cybersecurity all the time, and just doing a few relatively low-cost things can really help with peace of mind. And, you know, it’s worth taking the time. You know, penny wise, pound foolish is one of the other sayings that comes around a lot, you know, just to make sure that, you know, you don’t end up having to deal with a $25,000 wire fraud

[00:31:30.01] spk_0:
issue. Sara, what were some of the questions that you got from the accidental techie folks who were watching,

[00:31:38.91] spk_0:
were with you?

[00:32:14.44] spk_2:
Yeah, there were some questions on, like, where do we start, like, how do I, like, uh, we, we pointed people to the NIST framework. NIST framework has a checklist um of things that you can start thinking about and looking at as, you know, places to start. There were also um questions about how do I, how do I make sure that I can, you know, convince my, my ED about this and

[00:32:18.14] spk_0:
leadership buy-in

[00:33:06.84] spk_2:
leadership buy-in. And, you know, we really, for that, we really said, you know, try, if, if, if, if you’re, if your leadership isn’t necessarily into it, you have to get, like, there’s no right or wrong way to go about things. It can be top-down, it can be bottom-up, but making sure that if it’s something where your leadership isn’t as invested, making sure you gather allies, you gather allies and you gather financially focused um data to back you up. You know, cybersecurity is getting more frequent and it is getting more costly to have to address issues after the fact. And so, you know, those were, you know, some of the really big questions and focuses

[00:33:34.34] spk_0:
Yeah, and you had mentioned allies early on, the value of having, having friends, uh, sympathetic to the, to the cause, all, you know, making this case together to, to the CEO or wherever it needs to go. Um, all right, Matt, you want to leave us with some, well, Matt, let me ask you, any questions that you, uh, that, that Sara didn’t mention that you, that, that hit you as particularly interesting, important?

[00:34:43.34] spk_1:
Um, I think it’s important for, for folks to, to realize that, you know, just because their data is in the cloud doesn’t necessarily mean that it’s, it’s backed up or it’s protected in a way that they, that they think it is. And so I think, you know, nonprofits have done a really great job of getting their data in the cloud platforms. You know, there’s been a lot of great donation programs and discounts, and so nonprofits, I think, have done a really good job of technology adoption. Um, but what we see is that they haven’t been maybe as strict on kind of the policy and the governance and some of the other supporting, you know, processes. So we think it’s really important that you understand where your data is and understand how it’s protected, and just make sure that that lines up with what you, you know, your organization expects. You know, is it okay if somebody downloads all of your organization data on their personal computer? Like, is that an okay thing to have happen? Let’s make, let’s make sure that we talk about it and understand that. Uh, you know, and I think the same thing goes, again, you know, if somebody deletes a file today, do we need to be able to recover it, you know, a day from now, 30 days from now, a year from now? And so I think just having some of those baseline settings and kind of testing them is a really important step to take

[00:35:01.54] spk_0:
backup, recovery. You know, those are not necessarily covered by just being in the, being in the cloud, and how, what’s the time to recover?

[00:35:22.44] spk_1:
Right. Yeah. So I think a lot of those, you know, quote unquote old school, you know, security methods or techniques are still important even if you’ve got your data in the cloud. Again, having that third-party backup, having an offline copy, uh, those are all really important steps to take to make sure that your organization’s data is well protected.

[00:35:29.04] spk_0:
right. Why don’t we leave it there then? I feel like we’ve covered this.

[00:35:31.51] spk_1:
I think we’ve got the foundational elements. Is

[00:35:41.34] spk_0:
there anything alright, is there anything on your mind just like oh wait I gotta get this in. Is there anybody, I

[00:35:41.67] spk_1:
mean, I’ll put in a plug for multi-factor authentication again. I think it’s worth saying at least a couple more times.

[00:35:47.47] spk_1:
It’s the, it’s the most important step that, that, that many organizations can take.

[00:35:54.74] spk_0:
Okay, Sara, parting thought.

[00:36:16.33] spk_2:
Just gonna emphasize what Matt said about the managed backup just now. Um, you know, it’s really important to know your settings and to discuss them, because, you know, a lot of times data loss is actually accidental, and so if you have a way to get it back, that can save you a whole lot of heartache and headache.

[00:36:20.38] spk_0:
Okay we want to avoid

[00:36:22.00] spk_1:
both. Thank

[00:36:34.53] spk_0:
you. That’s Sara Wolf, sales manager at Community IT Innovators, and also Matt Eshelman, chief technology officer at Community IT Innovators. Sara, Matt, thank you both very much.

[00:36:37.33] spk_2:
Thank you so much.

[00:36:38.26] spk_1:
Thanks, Tony, it’s good to get to talk to you.

[00:36:39.97] spk_0:
All right, pleasure and thank you for being

[00:38:02.03] spk_0:
Nonprofit Radio coverage of 22NTC, the 2022 Nonprofit Technology Conference. I’m glad you’re with us. Next week, tech policies to reduce toxic productivity. If you missed any part of this week’s show, I beseech you, find it at tony-martignetti dot com. This is #601, by the way, I don’t know if you’re counting. We’re sponsored by Turn Two Communications, PR and content for nonprofits, your story is their mission, turn hyphen two dot C. O. And by Fourth Dimension Technologies, IT infra in a box, the affordable tech solution for nonprofits, tony-dot-M.A.-slash-Pursuant four D. Just like three D, but they go one dimension deeper. Our creative producer is Claire Meyerhoff. The show’s social media is by Susan Chavez, Marc Silverman is our web guy, and this music is by Scott Stein. Yeah, thank you for that affirmation, Scotty. Be with me next week for Nonprofit Radio. Big nonprofit ideas for the other 95%. Go out and be great.