Steve Sharer & Danielle Elizer: We’ve Been Hacked!
Our panel from the 2025 Nonprofit Technology Conference (#25NTC), helps you with actionable takeaways to strengthen your incident response plan. You do have an incident response plan, right? They reveal the right responses and responsibilities for your leadership, IT, communications, and other key roles. They’re Steve Sharer from RipRap Security and Danielle Eliser with Chef Ann Foundation.
Brian Cavanaugh & Tiffany Nyklickova: Smart Data Storage
Brian Cavanaugh and Tiffany Nyklickova want you to avoid common data pitfalls while ensuring your data is smart, secure and searchable. They consider the pros and cons of cloud versus onsite storage, and explain how folder structures, filenames and metadata make your data organized and easy to retrieve. Brian is at The Vilcek Foundation and Tiffany is from Services in Action. This is also part of our 25NTC coverage.
Listen to the podcast
Podcast: Play in new window | Download
Get Nonprofit Radio insider alerts
We’re the #1 Podcast for Nonprofits, With 13,000+ Weekly Listeners
Board relations. Fundraising. Volunteer management. Prospect research. Legal compliance. Accounting. Finance. Investments. Donor relations. Public relations. Marketing. Technology. Social media.
Every nonprofit struggles with these issues. Big nonprofits hire experts. The other 95% listen to Tony Martignetti Nonprofit Radio. Trusted experts and leading thinkers join me each week to tackle the tough issues. If you have big dreams but a small budget, you have a home at Tony Martignetti Nonprofit Radio.
View Full Transcript
And welcome to Tony Martignetti Nonprofit Radio, big nonprofit ideas for the other 95%. I’m your aptly named host and the podfather of your favorite hebdominal podcast. And I’m glad you’re with us. I’d suffer the embarrassment of Salpingium fraxis if I had to hear that you missed this week’s show. Here’s our associate producer, Kate, with what’s coming. Hey Tony, this week we return to our 25 NTC coverage with. We’ve been hacked. Our panel from the 2025 nonprofit technology conference helps you with actionable takeaways to strengthen your incident response plan. You do have an incident response plan, right? They reveal the right responses and responsibilities for your leadership, IT, communications, and other key roles. They are Steve Scherer from a riprap Security and Danielle Ellizeer with Chef Anne Foundation. Then Smart data storage. Brian Kavanagh and Tiffany Nilikova want you to avoid common data pitfalls while ensuring your data is smart, secure, and searchable. They consider the pros and cons of cloud versus on-site storage and explain how folder structures, file names, and metadata make your data organized and easy to retrieve. Brian is at the Vilcek Foundation, and Tiffany is from Services in Action. On Tony’s take 2. Self-care. Here is, we’ve been hacked. Hello and welcome to Tony Martignetti nonprofit radio coverage of 25 NTC, the 2025 nonprofit Technology Conference at the Baltimore Convention Center. Our coverage is sponsored by Heller Consulting, technology consulting for nonprofits. With me now are Steve Scherer and Danielle Elliser. Steve is CEO and co-founder of Rip Riprap Security, and Danielle Elliser is senior director of technology at Chef and Foundation. Steve, Danielle, welcome. Thanks so much. Thanks. Thank you. Last year’s NTC as well. Um, your session topic. We’ve been hacked! exclamation mark an interactive incident response tabletop exercise workshop. It’s a lot there, yeah, but you did, yeah, there’s only one verb in all that, right? There is only one verb in all that in that in those two sentences. Um, Steve, our resident security expert, uh, why don’t you give us a High level view of what your session covered yesterday, yeah, yeah, so our session was all about how to prepare for a cybersecurity incident and how one of the main ways that you can prepare is by undergoing a tabletop exercise to simulate what an an incident is like uh with your staff before you actually have an incident so you get a chance of what it feels like and. And what you should be doing and if your plans are are set up in a way that’s actually gonna help you. All right, now we’re not gonna have the luxury of an exercise here on nonprofit radio, but I know you both have takeaways, uh, either from the strategies in general, but also maybe takeaways from yesterday’s session. Um, so let’s see, uh, Danielle, why don’t you, why don’t you start with some substance like what should we be thinking about? This is all in preparation. Uh, so we’re not gonna have, like I said, we’re not gonna be doing the exercise, but what should we be thinking about in advance so that when we do call Steve because we’ve been hacked, uh, his response can be, I guess, as as seamless as possible or at least we’re we’re best prepared as we can be for the for the what we hope never happens. Sure, um, I think the big thing we realized when we were putting this presentation together was that a a tabletop game is very similar to a cybersecurity incident and that. You have some rules but you don’t know all of the information and it’s going to change and you are not gonna be able to predict where you go um and so you really have to be flexible when an incident occurs I think the first step is calling someone trusted or having someone on your team to cover the security um and then just giving them as much information that you know. And working from there um it’s a really flexible process that you have to be able to pivot through um depending on what you find out. So you really would like to know who you’re gonna be calling. Maybe maybe it’s two different teams in case one is not available or something or. I step one is have somebody on your phone, yeah, um, because time is of the essence um and you don’t have a lot of time to spare so knowing who you’re gonna call is is probably the the first step, um. We were very fortunate that when we had an incident we had riprap um already contracted with us and they were my very first call and they jumped in right away um so knowing who you have on your team that’s gonna be able to help support you is gonna be such such an easier path than. Trying to figure it out when you’re in the crisis. Yeah, I mean you’d be interviewing firms in the midst of a crisis. Your head is not gonna be on the the interview process and you know what’s your timeline and what’s our budget? I mean, we need to, right, so these things all need to be in place should be having these conversations. Now unfortunately it’s very common to find somebody while you’re in the middle of a crisis. I know um Steve has mentioned that a little bit of they often get these panicked calls and you know everybody jumps on board and does the best they can but it’s so much easier to have somebody beforehand. Oh, they don’t know your platforms, they don’t know your user base. I mean, well, Steve is gonna tell us all the things that he wants to know when you make that call. Um, what can you share about the the chef Anne hacking? Yeah, so I’ll keep it general, um, we had actually started working with Rip rap a couple of months prior and so we had some things in place but not nearly we weren’t, you know, robust uh in the way that we had hoped and um you know we just started getting prepared and uh and an email came through to our accounting department they had they had the right form they had the right invoice they had everything looked good um I was like oh my gosh, we have to get this check out by the end of this week. Can you guys just make this happen? Everything looked good. Um, and somebody within our accounting platform just flagged it a little bit of like this is unusual usually I hear about this beforehand and pass it up to me or instinct instinct is Steve instinct for sure there’s a ton of value and instincts, yeah, for sure. I mean it’s that listen to your gut that if it looks weird, smells weird, it most likely is weird yeah yeah a flag like this person in accounting, and she was even apologetic too. She was like, I, I just don’t wanna bother you and I was like, oh no, no, no. You think this is weird? I think this is weird. Let’s go, um, and so we were able to bring in riprap immediately and resolve it, um, and thankfully there was no impact, um, we caught it early, but I I can’t overstate how quick it was, um, and how um unexpected it was, you know, it was a random Tuesday, you know, like nobody expects this on a Tuesday, um. And so it was really, really, really beneficial to have somebody on our side already um and just not something we ever expected even though we had already been preparing with them. So it can really happen to anyone. And after the fact that you rip wrap like maybe did forensic work for you or something. Did you figure out was it, was it uh based on artificial intelligence or had they penetrated part of your system to, to get the, you said it looked authentic, it had, it had the right data and what how did they how did they get what they needed to make it look so good? Yeah, um. I’m trying to remember, this is about a year ago. Yeah, so a lot of times the attackers will try to um Illicit like payment forms, invoice forms from organizations by pretending to be somebody that’s maybe in the world or in the network saying hey we’re a new vendor, and they’ll get some of this paperwork already um even if they haven’t conducted a breach of the actual nonprofit so that that wasn’t their case luckily they didn’t have the attackers did not have access to the Chef Anne Foundation computing resources, which is, which is great, um but you these these attackers, they don’t. Needed a lot of the times they can they can socially engineer and elicit a lot of this information from the finance staff and the other staff that are out there in the community. I have a panel coming up on the show, uh, yeah, later later today talking about the use of artificial intelligence in in in gathering personally personally identifiable information. So then not not again like to your point, not needing to go into the platform or the resources of the organization. But through artificial intelligence, putting it all together to make an invoice look real or you know whatever it is that they’re whatever they whatever their mechanism is for infiltrating making it look very authentic because it has so much personal data. Yeah right, right. So but that didn’t, that didn’t happen in your case, uh just before the explosion of large language models and BT a little ahead of a little ahead of that, yeah, OK. Oh, you said last year it was sometime last year. OK. Uh, so Steve, uh, all right, so hopefully, uh, folks have, uh, riprap security or another, uh, exemplary. It’s hard to imagine, uh, any other firm being as good as riprap Security, but, but, uh, you have, uh, you found one of the few that are, or you’re using riprap. What do you wanna know? Uh, first call, yeah, yeah, so I mean I, I think the, the first call we, we try to understand what are the timelines, who’s involved, like what are the broad sketches of the story, what’s happened to dates and what what systems are affected? What things are do we suspect that the attacker might have access to and that sort of starts to help us orient who in the organization that we’re working with we should talk to, what systems we should start focusing our forensics and technical experts on. And really start trying to work the problem and understand. I mean, um, a lot of the times our our customers when they have an incident they’re they have limited information they, they know that they had a weird email on a Tuesday and but they’re they’re looking to fill in the gaps, right? This is, this is as much of those kind of classic mysteries, you know, as it’s no longer, it’s not just a, you know, 22 minute like murder mystery on TV. It’s usually many days, but we, we try to sketch out and do that kind of. Investigative work to understand the timeline of that incident. I just thought of another reason why you’d want to have an agency lined up ahead of time for for you obviously need remote access immediately. Now we’ve got, you know, maybe we have to go through a hurdle to get that done. If it’s not lined up in advance, time is of the essence as you said, Danielle. And I, I think trust is a big area too, right? By the time the chef and staff had their incident, we had already spent much, a lot of time with Danielle and with the executive staff and other members that are, you know, doing the more hands-on work. So they knew me. They knew our team, they were comfortable with us. We didn’t have to build that rapport, you know, in a relatively short time. It’s just, it’s just a lot better and in the midst of a crisis in the midst of a crisis, right? I don’t know if I can trust these people, but he said something weird, but I don’t have time to worry about it, right? So I have a flag, but I can’t wave it. No. All that is resolved if you, I’ve already hopefully encouraged folks to have a relationship in advance. You know who you’re gonna call. OK, OK, um. All right, next step. I don’t know, Steve, you want to lead us through. All right, so you’ve gotten your preliminary information. Do you need the client to do something or what’s next? Yeah, yeah, so something we covered in the talk is how, how can you how can you best use the organization’s existing capabilities, tools and talents to help you with the incident. So we often talk a lot about engaging the communications and the marketing staff because they they know they already have a way that they communicate with their with their donors with their stakeholders with the with the the beneficiaries of the of the organization and by using their expertise you can craft really really clear transparent timely uh communications to the people that might be affected with the incident. We, we see that’s interesting so you’re you’re the guy you’re the you’re the tech guy, but you’re concerned about the, the outward communication. Absolutely, because I mean what what’s a nonprofit without a lot of trust, right? And, and we, we see a lot of examples in the tech industry in broader business world and nonprofits that. Organizations that have incidents that aren’t transparent about it that aren’t sharing the whole story they’re not being timely about sharing the information the trust in their reputation is severely damaged and so they get less interest they have you know if they’re a company they they lose a lot of customers um and. The instant response process is about trying to maintain that trust and that reputation and reduce the impact of the incident. Danielle, so what’s going on at the Chef Ann Foundation now in the 24 hours since you’ve called Steve, what’s happening. So Steve is doing, Steve and his team are doing all the investigative work of like, OK, what has truly gone wrong? Like what do we need to find what’s out there? What’s the scope of this because often it feels just like the tip of an icebergs are they. In the system, you know, um, and so he’s handling a lot of that also communicating to my team. My role at the time was to communicate to our internal team because I know Steve. I’ve been on a call with Steve every week for 3 months, but they may not know Steve as well, and now my board wants answers. So my role turned into very much that internal communication network of like, OK. C-suite, here’s what’s going on on the edge of the cliff. I know, I know the ending was I already know the ending, but I’m still intrigued by the by the time by the unfolding. Yeah, because everyone’s everyone’s concerned, everyone’s just here to do their job to make the world a better place. That’s what we’re here for. We’re not here to build like a Fort Knox system, so when something goes wrong, it’s like, oh no, have we been too focused on. The healthy meals for kids, it’s chef Anne for sake, it’s not we make lovely food. It’s not, uh, you know, it’s, it’s not nuclear nuclear arms negotiations. Does someone have a vendetta against whole grains? I don’t know. I really like quinoa, you know just not agree with my stomach. And I’m lashing out. She had a recipe on she had a quinoa pudding recipe on the website just last week and I was very annoyed. So let’s go ahead and, yeah, exactly. So it’s, it’s, it’s a big sea change for the organization, um, especially the teams that you work regularly with to shift and say, oh no, this is actually now a current crisis and something we have to worry about that presentation next week is no longer my priority. And so it’s often a lot of soothing the internal team and also trying to communicate in the easiest method possible to the internal team like they don’t care that it was a business email compromise with uh like an MFA concern like they don’t want to know all of that they just wanna know we’re safe, we’re OK, we’re working on it, keep doing your job, we’ll let you know when we need something from you. And same with the board. The board just wants to know we’ve got it covered, so it was a very easy thing to be able to call my CEO and say hey this is what’s going on. I have this update. I’m gonna send this to the board. I just want you in the loop. You can send it to the board. I don’t really care how this process works. I just need to communicate what I have, um, and so it really became more of a like a switchboard operator of trying to keep the organization. Calm and steady and on the right path while rip rap was able to like resolve and actually investigate a lot of these technical pieces. And how about with your uh your marketing communications team that Steve mentioned were you were you talking to them or did Steve talk to them directly or what we loop them in um Steve’s recommendation. Uh, we were very fortunate that we didn’t have a public, uh, kind of incident. Um, it was very internal, so we, we loop them in just in case there was a larger impact that we needed to involve them on, but, um, they were, they were ready they were right on board. I mean the marketing teams can spend on a dime, so they were prepped, they were ready they had some language already written up by the end of the first day just in case. So it was really a coordination between all of the parties in the first 24 hours you’re not sure what Steve’s. All I know is that all of my meetings have been canceled and my CEO was trying to buy me pizza and my husband was bringing me coffee and I was like, alright, we’re we’re in it now, you know, um, you’re still in the eye of the storm. Um, all right, what, uh, Steve, lead us to the timeline. So we’re outside the 24 hours now. You, you know more. What, what, what have you, what did you, were you, yeah, what are you able to uncover in the 1st 24 hours? Yeah, so it’s, it’s a lot of um timeline information, right? When is the, when is the email sent? When is it opened? How many people receive it? How many people looked at it in the organization, um, what can we learn about the the information that you don’t get to see in the body of the email but that’s attached to it so information about the email itself when it was sent who sent it doing that kind of deep forensics work to understand can we track down who was responsible for it. Um, and can we, can we report them right, and, and try to shut down the fraud. That’s good. All right, let’s keep that open. There’s a mystery that I don’t know the answer to, um, but there is, there’s a ton of email sometimes you see it when, uh, an email is undeliverable, then you see all this string of, I don’t know if it’s called metadata or accompanying like emails fly all over the world instantaneously and, and sometimes you see this. This is just to me it’s just meaningless characters, but you can decipher a lot of information about an individual message. Exactly, yeah, so we we get a lot of information about how the email traveled across the internet from where it was sent, the computer that it was sent to where it was received. Uh, we can understand if the person sending the email uh is trying to hide their the the true email address of the um the person that sent it. Um, and we, we can use it to uncover all of these indicators that yes, it is a malicious email because a normal person isn’t sending an email with all these weird kind of factors in this metadata that you see. And so it it is um it is a lot, it is possible to. Um, understand a lot more by looking at this metadata and then to use that to pivot the investigation to say have we ever seen the same person try to attempt the same thing against the organization or other organizations that might be in the chef An network right partner organizations, um, you know, beneficiary organizations to say let’s just make sure that. Um, the attacker, if they really do hate quinoa that they’re not going into the quinoa Association and trying the same attack on them and so we, we look for these opportunities to say, hey, how can we help other people in the network or how can we make sure that other people in the network aren’t affected because we know nonprofits are so highly connected. Oh wow I’m I’m impressed by your uh. Holistic thinking like the marketing communications team, get them involved. I wouldn’t have expected the IT forensics, you know, expert to suggest get marketing involved and same thing with, you know, other agencies that we don’t even work with, you know, but can we support the network or at least, you know, inform the network about potential, should we? I’m impressed by your holistic approach we try because I think. So much of the risk is from third parties, right? It’s not always your organization that’s gonna get attacked. It’s maybe your vendor that gets attacked and that they the the attacker is able to gain access to that vendor’s email system and then the attacker is sending invoices from a legitimate vendor’s email address to you to try to get you to send money to a new bank account, right? That’s a very common thing we see. So it’s not even, you know, the chef and foundation can do everything right 100% of the time with security. But if their partner organizations aren’t doing the same thing, they’re they’re still potentially at risk for getting these, these kind of attacks. All right, take us through the timeline now. We’re beyond 24 hours. What’s unfolding? Sure, so we, we think we, we really understood after that 24 hour period that the incident was really limited, that there was, there was the funds were stopped. That’s, you know, of course the main thing. There was no access from the attacker into the organization. Danielle, what was the? I think they timed it perfectly. It was like 49,000. It was just under the cusp of that 50,000 where a lot of organizations want to review. OK, maybe require more signatures or or additional review. 9 999 car dealership. OK, I’m sorry, that’s OK. Yeah, so I think knowing being able to communicate that there that while there was the email that got sent, there wasn’t a true incident in that no money exchanged hands. There was no um breaching of chefan accounts or computer systems. And then being able to communicate that it just sort of brings down the stress level of everyone and says, OK, like this is, it was, it was an event, right? It’s not an incident because there’s no real impact because there’s no money changed hands. It’s very limited scope you can reassure the board, CEO, yeah, my accountant can stop hyper hyperventilating, uh, you know, like so everybody can just kind of calm a little bit and and we start, we start turning. We start moving towards closing out the incident, but and but it’s, it’s and this is where we say we like to use the phrase like never waste an incident. Right, never, never waste the opportunity to learn from what happened in the incident and make changes based of it. We see a lot of organizations that have these lesson learned sessions afterwards. Oh, we did this well, we didn’t do this well, but what we see the gap is nobody is assigned specific action items with due dates of things like, hey, we want you to go and turn on this technology or for any invoice over $5000 it needs to have a second set of eyes on it. And so taking these learnings and applying them to the organization and working it into the workflows, not just the IT and the technology side, but the finance side and the and the communication side just so that you’re more prepared next time and you’re you’re. You’re, you’re building some muscle memory for the Danielle, so in the session, uh, what did you see what shortcomings did you see that folks, you know, in their in their tabletop exercises were not, you know. Yeah, it was really interesting um so the way we structured the session was the 1st 20 minutes were like a quick. Slide show presentation of here’s what you need to know. He’s kind of the stuff that’s gonna come at you and then the incident that the exercise began and um it was really interesting because they wanted more information oftentimes they’re like, OK, so somebody sent you know somebody sent a bad invoice now what? and I was like, yeah, now what. You get to figure that out and they’re like, no, but the page is only like, yeah, that’s part of it like you only get like 3 touch points of information to lead your way into this process um and it was really interesting to see how that clicked on and they were like, oh this is this is like just like it would be, um, and they started asking the questions of like, well, could we do this? Could we do that? How, how did you handle this, Danielle and I was like yeah yeah. You’re gonna have Danielle’s expertise. Daniel’s wisdom from born from born of experience when you have your crisis. Right, right. I mean we do want to give them a little, a little nudge here and there, but there are no wrong answers, just trying to learn the process and I think the other thing was a lot of them saw um how stressful it can be um even in a purely hypothetical. You’re at a table with 5 strangers at a conference rolling a dice, you know, it’s still stressful, right, there’s this is, this is purely hypothetical, but still imagining your organization going through something like that or making it real of like who would I call? What would I say to the CEO who who’s the marketing head? Um, was a really good way for them to kind of envision and realize, oh this is just, this is at the lowest possible stake level, which means when this happens, if this happens, this is going to be so much more stressful and we really need a plan. Um, all right, so I don’t know who I should ask to, uh. Uh, we opened with you, Danielle, so I’ll give Steve the opportunity to bring closure to, uh, to our incident. Uh, what, what, who is it from? What were we able to find out? We were there any we able to point the finger at a person or an agency or a company or a country or and, and what, what was the. Yeah, yeah, yeah, so often times these things are the the sort of uh the the end of the story, sort of the the final uh solving of the mystery is is kind of anticlimactic. I I know I wish I could point to, oh yeah, that guy Paul in Saint Louis, like he was the guy that sent it. You often can’t get that level of information. Um, but we’re, we were able to understand, hey, these are the computers that send these emails we’re able to disclose them to entities like the FBI just to make it part of their larger cybercrime tracking domestic it was from inside the US it was from inside the US, um, and then what we, what we really spent a lot of time on is, hey, is the plan that we’ve made for cybersecurity in the road map we’ve worked on with Danielle and her team, what changes do we need to make? Uh, to that plan of how we’re gonna improve how we’re gonna work together to improve cybersecurity based on what we learned from the incident. There are certain projects that we, we pulled up, may may happen sooner, some we delayed, um, and it really, it really. Led to a situation where we’re just constantly able to update the, the strategy for the Chef Anne Foundation to say, hey, we have this thing we learned a lot from it and here’s how we’re gonna apply that in all the work that we do, uh, going forward. Danielle, I guess, uh, kind of epilogue, what made you contract with riprap three months in advance? What obviously not knowing what was coming. Well, what, what was the impetus for putting a relationship in place? Yeah, actually a little bit of a full full circle, um. I had attended the uh nonprofit tech conference in Denver and that’s where I met Riprap um at their presentation was just 2 years ago that was 2 years ago yeah and so um started working with them after that and I really really enjoyed our partnership. They completed a full road map assessment and so it’s um it’s pretty fun that we met at an NTC and now we’re presenting about this at an NTC. That’s great. I got chills synes. I got I got chills um so that’s. Good. The the epilogue is is excellent. All right, even if the, the outcome, so, uh, just going, Steve, going back to the uh what you were able to pinpoint like could you get to a county or a state? We have a rough like right we we get rough information, right? You get like, you know, rough geography here’s the the town or the city that they’re kind of by was, you know, I think Washington state based somewhere in in the Seattle area, but from there it’s a little hard to to to pinpoint beyond that. You have to really be law enforcement. or you know some spy agency that you can’t glean from from our side or while they’re doing all this incredible investigative work, you know, I’m trying to keep my people calm, having that final report to my board, to my C-suite to say, hey, here’s what we learned, here’s what we’re doing, here’s how we’ve processed this was really, really tremendously helpful. It gained a huge amount of trust from the board that our organization was taking this seriously and that we were prepared. Um, and we’ve gotten so many kudos from them on that incident, so it was, it was truly a learning opportunity that we were able to grow into something more. Yeah, and I appreciate the trust building too that they know that you’re on top of, well, you are the senior senior director of technology that they know technology is secure. It’s something that, you know, maybe you’ll report once a year or something, you know, but they don’t have to be concerned about as a board or even the CEO, you know, all right. Outstanding. It’s a good story. It’s a good story. It’s a good story with a good ending. Yeah, yeah, I’m glad we got the epilogue out. That was very good. Uh, they are Steve Scherer, CEO and co-founder of Riprap Security, and Danielle Eller, senior director of technology at the Chef and Foundation. Steve and Danielle, thanks. Thanks very much for sharing that story. Thanks for having us. Good to see you again. Thank you so much. Thank you and thank you for being with nonprofit Radio’s coverage of 25 NTC, the 2025 nonprofit technology conference where we are sponsored by Heller Consulting. It’s time for Tony’s take two. Thank you, Kate. Self-care. We just had the long holiday weekend, 4th of July. I hope you took care of yourself as well as family or friend obligations. Hope you’re taking care of yourself this summer with time. With the sort of chaos that’s uh emerged from the, the budget bill that passed and it’s bad impacts in a lot of areas including Our community. I it’s just so important for you to be thinking about yourself. It’s not selfish to do self-care. That is not selfish. That’s the best way. For you to care for others. You have to take care of yourself first on an airplane, you put your oxygen mask on first, then you help them, then you help the children who are with you, right? You put your mask on first. You gotta take care of yourself first, then you can be your best person bringing your best self to taking care of others, helping others, even working, just working with others. So please, uh, several weeks ago, I reminded you about your meds from Mico Marquette Whitlock, taking care of mindset, exercise, diet, and sleep, the meds. And I would also refer you to an episode from March, March 31st. It was with Jennifer Walter, the social worker. That episode was Mental Wellness Among the chaos, March 31st. Please Take care of yourself this summer. It’s essential. That’s Tony’s take too. Kate Though I was gonna miss my cue, didn’t. You thought I was gonna miss my cue again. You set you up I set you up. People can’t see obviously as when we, when we speak as a podcast, but Uncle Tony kind of, he leaned in and then like took it back and then he went for it. Yeah, set you up. led you in, led you in thinking, oh my God, 2 weeks in a row, he’s gonna miss his cue or miss the queue, miss my cue, I should say. Well, at least you’re not forgetting my name. Yes, right, we’re improving. It’s, it’s an upward slope. Things are getting better. I remembered your name this week. We’ve got Beu but loads more time. Now it’s time for smart data storage. Hello and welcome to Tony Martignetti nonprofit radio coverage of 25 NTC, the 2025 nonprofit Technology Conference at the Baltimore Convention Center. We’re sponsored here by Heller Consulting. Our topic right now is data disasters, smart storage for nonprofits. Bringing that to us are, uh, Brian Cavanaugh, director of digital at the Vilcek Foundation, and Tiffany Nilikova, the information specialist at Services in Action. Welcome, Brian, welcome Tiffany. Thank you for having us. Thank you pleasure, pleasure. Um, let’s start with an overview. Uh, why don’t we start with you, uh, Brian, just as we have plenty of time together, but if you could just give, uh, an overview of the Amy, he’s gonna do an overview of his session and, uh, what, uh, why, why you, you all believe this is important for, uh, for our, for our nonprofit community. Well, we’re using data disasters that nonprofits face, uh, the hardware failures, natural disasters, uh, staff turnover, funding cuts, etc. uh, as ways to talk about data resilience and how data resilience can make organizations information more smart, secure and accessible, uh, to deliver programs, uh, and mission critical work. OK, now you did not put data resilience in your session topic. Maybe that was, uh, maybe I was gonna turn people off like data resilience. Oh my God, I can’t imagine anything duller than the data disaster. Now we’ve got, now we’ve got an alliteration. We’ve got disasters, we’ve got crisis like there’s tornadoes whirling around us. There’s a sense of urgency, yeah, right, um. uh, but you, Tiffany, please, uh, why don’t you define data resilience for us? Data resilience is about taking care of your data in a way that protects the organization’s, uh, integrity. It’s uh. Data resilience is about um building a structure where you can rely on it we talked about how you can manage your information in a way that it’s faster it’s quicker you can respond to things a lot better when you manage your data and the resilience of it. Um, so I imagine there are some things that we’re not doing quite right about, uh, data, data management, and you specifically say data storage. Uh, I think we want to talk about, uh, cloud versus uh local. Why don’t you keep going for the time being, Tiffany, um, lead us into like some, some of the pitfall. What, what’s some things we should be doing smarter? So like you said, there are local storage solutions and their cloud-based storage solutions, and they offer a lot of pros and. Cons and it really depends on what you’re looking for. So with the cloud obviously you can work collaborative collaboratively with your colleagues you can access your data from anywhere. It’s a very robust system it can grow with your organization the fees are fairly low, uh, but you do have the risk of unauthorized access. uh, you know there are cyber threats that are much more real. Um, also you have authorized access so one of the things that we were discussing is when you click I agree, what are you exactly agreeing to? That nobody reads all that, right? I mean there’s 19 pages scroll to the bottom to say I agree. Absolutely sometimes I think it’s a game to see how fast, well, you know, no I don’t, not every time but before this session I specifically do sometimes, but you know what, this is a great way to use chat uh use AI Chat GPT can read it for you now and you can ask the chat GPT questions. What do I care about? What stands out for me? How does this compare against other companies? Uh, and one of the things that I care a lot about is the authorized access. So when I click I agree, I’m giving, let’s say Google Drive access to my data. They scan it for their own compliance with uh policies, but also, um, they might use it in their marketing. How do I feel about that? Is my community vulnerable or are they up against discrimination possibly? So what are my responsibilities with that and when, when I expose my data. I’m exposing a lot of people, so your local solutions are, you know, uh, external hard drive or network attached storage or a solid state drive, uh, external hard drives, there’s all sorts of ways that you can move your data from when you’re working on it to storing it that doesn’t involve the Internet. So the pitfalls of that are you can’t just access it from everywhere. You don’t work collaboratively, so you might end up with tons of drafts of the same document. Uh, but you also have much more control because it remains within a physical space. Uh, you are, it is, um, vulnerable to attacks to, uh, sorry to inadvertent loss or to, um, to, you know, damage it can be, you know, fire, fire damage we talked about, uh, just going kind of extinct some, you know, like floppy disks where are they? No’s using those anymore, you know, so that can happen in the future. So like I said, there’s pros and cons to both. Um, what else in terms of, uh, pitfalls, what, what else, Brian, could we be doing smarter besides uh storage? Uh, well, we need to think about antigrated file types. Uh, so we’re talking about the WordPerfects and the quark files and the floppy disks and all the type of data that may not be as accessible as it once was. And so we need to think about futureproofing that data by using recommended and preferred file types. Um, which is something that that the Library of Congress does very well, uh, by researching and publishing, uh, those recommended file formats in a statement, um, and so you can, you know, think about your data, uh, as a long term investment. Um, by using those recommended file types so that you can have access, you know, long into the future. What are the preferred formats? Are you able to name the top two or three? Sure, so for digital text-based formats, um, you’re gonna look at PDF, uh, PDFA, uh, for digital images, you’re gonna be looking at TIFS primarily, uh, JPEG 2000s, um, and for video you’re looking at IMF. What is um what is PDFA? What does that mean? There are different types of uh coding uh in in the PDF, uh, and oftentimes if you’re using a solution like Acrobat or some of the other free tools, um, you can save the PDF in in multiple different formats and they go back into the early 2000s. Uh, it’s just different layers of uh options and features and functionality. Um, that are built in and every year they advance, um, so the most, you know, the most common has, you know, a wider set of features um than it once did. OK, so there are preferred formats for files and why, why is this? Oh, just so they don’t get out outdated for one. OK, yeah, exactly, yeah, otherwise. You’re stuck, um, you know, using an emulator or a very old machine that may not be secure in the first place to try to open up, you know, some type of file that you haven’t needed or wanted access to for, you know, 15 years, but now you need it and you can’t can’t open it. Yeah, OK, or you’ve got some legacy machine to do it and has its own vulnerabilities, right? OK. I could be a data data storage scientist, aren’t you? That’s not true at all, um. Uh, searchable so we need to be able to get our data, right, Tiffany, let’s talk about accessing the data. I mean, yeah, let’s talk about you gotta get the data out. You gotta be able to find your data so you have to be able to to categorize it and label it in ways that make sense to you. I mean we can get deep into a database structure system, but I’m gonna talk a little bit more about just the files that people use every day. Uh, you know, how do you know that the file you’re looking for is the most recent version, or, uh, you know, let’s say you have an opportunity to write a grant application, but it’s due at 5 o’clock and you know you’ve written a document before that would apply to this. Where is it? So that’s when what you label your document is particularly important. I used to label documents, Tony. I used to label them by the mood of my day and I never could find things again and that is a terrible way to name documents. There’s a lot of swear words in it, but and so it’s cathartic, but it’s not very helpful when you’re looking for things. So the analogy to that is having on your desktop. Oh my goodness, I sometimes I go and I see someone’s desktop. I think my heart rate starts increasing. Yeah, I feel how can you like the desktop is just loaded with folders and files. I feel that way when I see an inbox with like thousands of unread messages. Yeah, you learned you’ve you’ve come to the bright side now from your, from your archaic dark dark days of file naming. So there now there’s two ways of doing things now you might surprise you, but I’m a bit type A, so I prefer a deep hierarchy where you have things, you know, in general, and they get narrow and narrow and narrow and it’s really important when you label a document that it doesn’t duplicate any of the naming. Sure that you’ve used in the folders before that so you don’t have to repeat the year again and again and again um some people prefer to leave everything on like a flat surface on their desktop and then use their search that’s one way not my preferred method so what I’m gonna say when you’re labeling things you use descriptors that everybody agrees on is it a letter or is it um a document or is it communication you have to agree on the terms you’re using as a group. It’s got to go deeper than that. That that’s just, that sounds like a very basic policy place to start. By the way, I love the hierarchy. I mean, I’m very hierarchical thinking you look, uh, look, I use Apple, uh, laptops and, you know, I don’t repeat. I I don’t say that client name, you know, contract. I just say contract because it’s in the file for legal for the. For that, for that client, which is in clients current, exactly not clients historical, that’s a different. I move them from clients current to I hardly ever have any clients leave, of course, not so much client current file is loaded clients historical is is infinitely small. It’s like 2 now there are 2. I mean, I’ve been in business for 28 years, so I haven’t, you know, a couple have just ended, uh, very amicable, but now so anyway. The hierarchy, very, I, I just, I, but that’s the way I think. But suppose somebody doesn’t think that way. That’s not you suppose the organization thinks that way, but you don’t personally. You gotta be dragged along, right? You do. So when you use descriptive words, people who prefer to search and leave everything flat now know the terms in which to search. Things have changed over the years because now. We have AI embedded into our own databases so for example if you use Google Drive, Gemini is within there. Now the policy say because I read them, uh, that it doesn’t share your database with its own it doesn’t teach it’s own AI based on your data, but who’s to say that’s gonna change so you can search now within Gemini of your own database to find things so your naming structures a little less particular. But I’m still gonna say the more descriptive you can be, the more you can match both those type A and type B people. OK, OK, um. What else? So this has to be a written, written policy in terms of file naming. Now what about folder naming? How is that different than file naming or is basically the same regimen? Yeah, I would say the same thing same with what you just described like legal contract. I would say it’s the same thing. Yeah, OK, so hierarchical is preferred we’re not using the Dewey decimal system. OK. Oh, I love the DDS. Oh, the DDS. I never heard I gee I didn’t you go to the library you have a degree in library, it’s like, yes, I did library. Does anybody still use the library still use Dewey Decimal or that that that. The spine of the books suggested they have card catalogs in libraries? No, no, no, I haven’t seen in ages ages. Thank you very much, Tiffany. OK, um, we should talk maybe about cost, cost, uh, let’s go to you, Brian. Uh, I mean, we spend a lot. I guess we can get the ultimate in security and storage and cutting edge, but we got to spend a lot, right? Where do we find our balance? Yeah, and the reality is that a lot of nonprofits don’t have the budgets to spend a whole lot. Um, the good thing is that, you know, a lot of the solutions that we’re looking at in the session um are low cost and and free. Um, you know, a lot of the solutions like Google Drive and Dropbox, Box, etc. um, they provide discounts to nonprofits, uh, free and low cost solutions, um, but to your point, uh, the more features and security that you’re looking for data loss prevention, data classification tools, they may be at a higher tier and so you may have to, you know, be paying for uh some additional things like that, um. That said though, um, you know, you need to be considering your backup solutions and other types of costs as as a holistic view of your organization’s data practices and security and so it may not just be enough to consider the cost for storage, but you also need to consider the cost of your backup and other policies and tools that your governance policy dictates. Let’s talk about doing some sample retrievals, right, so let’s say we use the cloud. I think most, most nonprofits probably use the cloud now. I mean, is it? Yeah 100%. There are some people who have local storage, I guess, but let’s let’s go with a cloud-based example. Should you be testing your, your retrieval every once in a while, make sure this, this structure is working like I’m trying to find this, maybe I know exactly what I’m looking for, but I’m gonna try to find it without going right to it. Yes, uh, yeah, OK, absolutely. Like any policy, uh, or protocol that the nonprofit has in place, you need to be testing it regularly. Um, so that includes going into your storage, uh, platform solution, um, finding and retrieving things, downloading them, um, and you know some advanced tools will do data verification checksums for you, um, but more often than not, um, just having that one on one experience of finding something, retrieving it, understanding what your users will be going through. Um, and simulating that action for them to understand, are there any pitfalls, are there any difficulties in doing this, and also just making sure the data is valid, um, that the file is working, it’s not corrupt, um, and, uh, that, you know, it will set your users up for success. Uh, we have jargon jail on the nonprofit radio. You mentioned, uh, data verification and checksums. You need to flesh that out to get yourself on probation parole, parole. You’re already in jail. Uh, so, uh, when, when you’re validating data, uh, you’re looking at, you know, things like file size, um, all the different types of metadata that are embedded within that file. Um, and some solutions will check over time, uh, if they have changed, um, and if there’s something that goes awry. Uh, you know, a check some verification or data valification can send up a red flag and and alert someone. OK, so it’s a way of verifying data integrity that happens automatically. It can, yeah, OK, OK. um, Tiffany, you asked a rhetorical question earlier about making sure, how do you know whether you have the most recent version of a file. Uh, right, we’re in the cloud. I see, or some, some, somebody did not or some, let’s just one person, uh, 11. Scofflaw, the word I was looking for. One scofflaw did not follow the policy. And now we’ve got, I see multiple versions. I see multiple files with the exact same file name. What do I do? I used to work with this guy. Oh my goodness, he was such a treat. He had, he was, oh, he was, but he was the boss was he was actually a felon, not just a scofflaw, and to me a scofflaw is like turnstile jump right but this guy sounds like a felon. Yeah, somewhere in there he had master document. I was looking for something. I was helping him organize his uh information management system, and I found what I what what was called the master file. And I thought well that’s gotta be it, right? That’s gotta be it. And then I found Master File too. And then master file 3 and then master file 4 and I don’t know the end number so I don’t know how many master files I’m looking for so that was like that was a whole day of like finding all the master files I could when you, when you have that you have to well, ensure that the last one is the best one and then delete just delete them, get rid of them, move them off maybe you want to store them in a secret spot from the scuff law so he doesn’t keep make I’m referring to him you know because this guy’s in my mind. Um, but you, you know, maybe move them to the side for a little while, yeah, in the archive, your secret one, so it’s not lost forever, but it can’t be part of your system because it’s just gonna clutter it. uh, I’m a big fan when you’re working on a project, have like the whole story complete when you’re done, put everything in one file and it’s all complete and it’s all there and you know where it is and you don’t have those extra drafts because they’re gonna get confusing even if it’s just. Copy and paste or cut and paste put it all into one thing and then follow the naming convention exactly and then you always know where it is and then you have your cultural posterity. Like your your cultural, your organization’s culture, you’ve got your, um, but, you know, do I need this file name can I just use keyword searches? I know the I know the word that’s in there, at least I, I believe I do until my search is unsuccessful. I’m screwed. Mhm. Yeah, we have to accommodate them don’t we? We do we do because we expect them to get up and running right away and if you know if they come in and there’s all these names that don’t mean anything, they’re not going to be able to do that not gonna be able to find things and they’re gonna start doing things from the very beginning, writing that grant proposal from the very beginning, yeah, and they don’t, you know. They’re just redoing work and it’s just a waste of time and energy. Logarithmic, uh, file, file creation, right? I mean, I guess it just plateau eventually, but it could be, it could go crazy with new, a couple of new employees recreating everything and now we’ve got duplicate files and and half of them aren’t named right and you’ve lost your donors. you’ve lost your volunteers along the way. See, this is all motivation maybe we should talk about this. Well, you have a lackluster host, not scofflaw, but lackluster, um, you know, we should talk about in the beginning, but these folks have been with us for 19 minutes, so hopefully they’re seeing now why these things are important. You have to pay attention to data integrity, data management, right, um. What haven’t we talked about user friendliness. There’s something else from your, from your session, uh, description, user friendliness. We’ve got these policies, but, uh, people don’t, you know, they’re not adhering because they’re too technical or something, you know, again, balancing, right? Brian, uh, balancing Brian, what, you know, what are we gonna do? Uh, we now we got trouble, people are not using them, uh. You need to be able to show why there’s value in doing things like file naming conventions, folder name conventions, um, so to your point about, you know, using keyword searching it works until it doesn’t work, uh, and so show people the value, uh, in, you know, adhering to the policies, um, and working through a lot of the steps that may feel like extra work to be honest, um. And then once you demonstrate that value, it begins to sink in that you can then take it to the next step, provide more training and resources and education. Um, it might take a crisis to make the point. It it might because we have the grant deadline that you hypothesized before and, uh, Tiffany, and we don’t have it. We haven’t found it. We blew the deadline. That’s a disaster. That’s disasters. All right, now we all learned a lesson. OK, sorry. It’s OK, um, uh, or you know, let’s say someone accidentally deleted a file or misplaced it or overwritten it, it’s, it’s gone. Um, and that keyword search no longer works because you’re trying to recover something that’s based on either a piece of metadata or a file name, um, and so, you know, in that instance, uh, you may not be able to recover that data and you know it’s lost and it impacts someone’s job. Yeah. All right. Uh, we can wrap up. Let’s see, uh, who opened? Tiffany, did you open? I think I did. Let’s give Brian a chance to close. Leave us some with some, uh, not motivation, we just did motivation. We just spent 10 minutes on motivation, but, uh, some promising words. Yeah, some promise for our for our future. Let’s look forward to a bright future with no data disasters. Bring us, bring us to this nirvana. Thank you. Uh, let me recognize, uh, Mark Topher, uh, the Vilcek Foundation’s archivist, uh, who, who’s not joining us here today, but, but joined us for the session here at NTC, um, and to, to his point and to in using his words, you know, consistency is key. Uh, and so making sure that everyone in the organization is on board, um, they’re using the best practices, um, and they’re making sure that they’re taking proactive steps to make sure the information that they are, um, good stewards of, um, is smart and secure and in doing so, um, we’re going to be protecting, um, the, the people that matter most to our organizations because at the end of the day. Um, we’re here to serve people and um all those people, whether they are in vulnerable, um, populations, um, or you know just in tricky situations these days, um, that’s what matters most and we want to be good stewards of data um and and make sure that you know nothing bad happens um to those communities. That’s Brian Cavanaugh, director of digital at the Vilcheck Foundation. With Brian is Tiffany Nicklichkova, information specialist at Services in Action. All right, Brian, Tiffany, thank you very much for sharing. Thanks for having us. Thank you. Thank you. My pleasure and thank you for being with Tony Martignetti nonprofit radio coverage of 25 NTC, where we are sponsored by Heller Consulting. Next week, our 25 NTC coverage continues with your intergenerational people pipeline. If you missed any part of this week’s show. I beseech you. Find it at Tony Martignetti.com. Our creative producer is Claire Meyerhoff. I’m your associate producer Kate Martignetti. The show’s social media is by Susan Chavez. Mark Silverman is our web guy, and this music is by Scott Stone. Thank you for that affirmation, Scotty. Be with us next week for nonprofit Radio, big nonprofit ideas for the other 95%. Go out and be great.
As our 2024 Nonprofit Technology Conference coverage continues, Janice Chan returns with the savvy idea of adapting team meeting principles to a team of just one. She’ll have you thinking of yourself as a team leader, rather than one person doing everything. Janice is at 
We’ve got good stories about bad actors. You’ll also hear the practical steps your nonprofit can take to prepare for cybersecurity incidents to reduce their impact. And we’ll empower you to hold incident prep discussions with your leadership or staff. Steve Sharer, who says “Security is a team sport,” joins from 
