
Nonprofit Radio for July 25, 2022: Cybersecurity 101


Matt Eshleman & Sarah Wolfe: Cybersecurity 101

Our #22NTC coverage picks back up with a summary of the tech threat landscape, key policies and procedures to have in place, and how to make the case for devoting resources to IT protection. Our guests are Matt Eshleman and Sarah Wolfe, both from Community IT Innovators.






Transcript for 601_tony_martignetti_nonprofit_radio_20220725.mp3


[00:02:05.14] spk_0:
Hello and welcome to Tony Martignetti Nonprofit Radio, big nonprofit ideas for the other 95%. I’m your aptly named host of your favorite hebdominal podcast. My goodness, last week’s show was great fun. They’re all fun. But last week’s 600th show was great fun. Oh, I’m glad you’re with me for this week’s fun show. I’d be thrown into an echo Griffo sis if you clawed me with the idea that you missed this week’s show, Cybersecurity 101. Our 22NTC coverage picks back up with a summary of the tech threat landscape, key policies and procedures to have in place, and how to make the case for devoting resources to IT protection. Our guests are Matt Eshleman and Sarah Wolfe, both from Community IT Innovators. On Tony’s Take Two, my voice just cracked like I’m 14 years old, please start your planned giving with wills. We’re sponsored by Turn Two Communications. PR and content for nonprofits. Your story is their mission. Turn hyphen two dot c o. And by Fourth Dimension Technologies, IT Infra in a Box. The affordable tech solution for nonprofits. tony-dot-M.A.-slash-Pursuant four D. Just like 3D but they go one dimension deeper. Here is Cybersecurity 101. Welcome to Tony Martignetti Nonprofit Radio coverage of 22NTC, the 2022 Nonprofit Technology Conference hosted by NTEN. Our coverage brings me now Matt Eshleman, chief technology officer at Community IT Innovators, and Sarah Wolfe, sales

[00:02:16.64] spk_0:
Also at Community IT Innovators. Matt, Sarah, welcome to Nonprofit Radio.

[00:02:23.14] spk_1:
Thanks. tony It’s good to be here.

[00:02:25.34] spk_2:
Thank you. Glad

[00:02:42.84] spk_0:
to have you. Pleasure to have both of you. Um, your session topic is Defending Against Boggarts and Boogeymen: Understanding and Pitching Cybersecurity for the Accidental Techie. Sarah, why don’t you get us started? Let’s define accidental techie. I think we have a lot of them listening but they may not know it.

[00:03:13.44] spk_2:
Yeah so accidental techies are the people at an organization that are not necessarily somebody who’s been trained in I. T. But is relatively tech savvy and so they end up being the ones who help their coworkers with tech issues or are the ones that end up wearing the I. T. Support hat even though they might necessarily have they haven’t necessarily gone through professional training for it?

[00:03:32.14] spk_0:
Okay. Right, so they know enough that they know more than others but they’re not professionally trained in technology. Okay, and Matt, why are boggarts and boogeymen, your description says, an accidental techie’s biggest nightmare? What’s lurking there?

[00:03:38.23] spk_1:
Well I think yeah

[00:03:51.34] spk_0:
I don’t even know. Yeah I’m not even an accidental techie. Okay there’s the first problem you like you’re suffering a lackluster host obviously. Okay. Alright

[00:04:28.24] spk_1:
so they I think the takes the form of kind of your your biggest fear and so yeah whenever it appears it it shows up as as what you’re most afraid of um you know and I think for for folks that are supporting nonprofit organizations. Yeah there is this fear of of kind of what could be lurking out there, What kind of threats could impact your organization. Uh and for many folks, especially the accidental techies, they don’t have that background training and experience in terms of how to protect their organization. And so that’s why we wanted to to have that session to help provide some tools and equipment so that people that, you know, have that responsibility, but maybe not the training can pick up a few, a few tips.

[00:04:40.74] spk_0:
Okay. Why don’t you, why don’t you start us off? What would uh what would you like folks to know about that? They don’t know well enough, but they ought to.

[00:05:30.74] spk_1:
I mean, I think the biggest thing for for folks to understand is just I think the importance of what’s called multi-factor authentication. So MFA, it’s often referred to. Uh, it’s something that you know, which is your password, and then something that you have, and for most folks that would be an app on their smartphone. Um, and what this gives is an extra layer of protection. You know, we all know people’s passwords get compromised and and kind of stolen all the time. But if you can add that extra layer of, you know, an app on your phone to protect that login, then you’re much much less likely to have your account compromised. And kind of, what we see is that most compromises then, you know, will then lead to other things that you know have significant damage in terms of, you know, emailing, you know, all of the contacts in your organization’s database, uh, sending out malicious links, you know, sending out updated payment information, so that can kind of lead to a lot of other bad things. And so if we can protect that account with MFA, then the organization becomes a lot more secure.

[00:05:46.54] spk_0:
Okay. And you’d like to see this mandatory? Not opt in

[00:06:16.74] spk_1:
That is exactly right. You know, Microsoft and the other big, um, you know, tech providers are starting to enforce that now as a as a requirement, but if you’ve been in Office 365 or if you’ve been in Google Apps for a long time, uh, it’s not required and it’s something that organizations need to take a couple of steps in order to set it up and roll all their staff, provide training, uh, just to make sure that it’s set up and working correctly.

[00:06:27.54] spk_0:
Okay. So we should be doing it, we should be opting in where it’s optional and we should make make it mandatory if we’re the we’re wearing the hat of the uh the accidental techie,

[00:06:32.04] spk_1:
yep. Exactly. Right.

[00:06:37.94] spk_0:
All right. All right. Sarah, what else, what else can you share for? Are these folks

[00:08:13.14] spk_2:
I think for the next biggest thing, uh, is, you know, making sure that your staff, you know, are actually aware of the different security risks and things like that. Having a security awareness training program is one of the best ways to make sure that even if something, you can have all of the fancy tools in the world, every single like filter and everything, something’s going to slip through. And if you have staff that know what to look for and know not to click on something or not to go on that website or not to, you know, enter their information in various different places. Them having the knowledge is going to be one of the biggest returns on investment in terms of security, antivirus. Uh, we only, we had so few, um, issues with antivirus last year. Out of the 696 security incidents that we were dealing with, only seven of them were viruses and only 45 of them were malware. And so it’s much more important for staff to be able to identify what’s a spam email, what’s spear phishing, how can I tell if I’m looking at an email from somebody else whose account has been compromised, and having the training to make them aware of that is definitely worth the investment. And there are great tools out there, like KnowBe4, that, you know, are really easy to use.

[00:08:31.84] spk_0:
Okay. And so, uh, no, first of all, it was no before like K N O W K N O W before. Okay, I didn’t know about this, but I figured out no. Before. All right. But that’s not that’s not really saying much but any case. Um So is that a security training? Like is that online security training that folks can get it? No before or like how is this accidental techie gonna push this and and offer the training in their in their non profit

[00:10:02.94] spk_2:
That’s great. Yeah. So uh that’s a learning management software and that’s specifically for cybersecurity behaviors and tools. The way that you’re going to pitch this for your organization is to first gather your data, get your plan of attack. And a lot of times you know that involves one Looking for friends in the company to support you to getting data and you know trying to make sure that if you are able to um like find partners either within the organization or maybe even reach out to your board governance committee, um those people are going to be able to you know, help leverage some of the existing requirements that you have, if an organization needs to apply for cyber liability insurance a lot of times multifactor authentication is going to be one of the requirements. A staff security training is going to be one of the requirements. And so being able to leverage those and then putting it putting your plea into terms that people understand if your E. D. Is looking at, you know, what is the comparing the cost of of security, education software versus you know, financial compromise. Like there is a definite argument to be made there

[00:11:03.94] spk_0:
It’s time for a break. Turn Two Communications. Media relations and thought leadership. Peter Panepento, a Turn Two partner, was on last week. He’s a former journalist at the Chronicle of Philanthropy. His partner Scott is also a former journalist, so they know what to do and what not to do to build relationships with journalists. Those relationships are going to get you heard. Turn Two Communications, your story is their mission. Turn hyphen two dot C. O. Now back to Cybersecurity 101. You mentioned cyber liability insurance. Is that something else we should be flagging for these for these poor accidental techies?

[00:11:08.75] spk_0:
beleaguered, beleaguered, accidental techies.

[00:12:16.64] spk_1:
Yeah. I think we’re seeing more and more organizations go through a cyber liability insurance kind of renewal process. Typically that’s something that’s handled by the, you know, the finance department of the organization. What we’re seeing is that, you know, for cyber liability insurance or even for financial audits, they’re becoming a lot more technical. And so it’s likely that if you’ve got any any tech aptitude at all, then you’re being enlisted to help fill out these applications to provide the detailed information that’s being requested. And so yeah, we’re seeing a lot more sophistication being, you know kind of demanded by these insurance companies in terms of, you know understanding which controls are in place because we’re seeing even cases where if you have not turned on multi factor authentication for all your your systems you won’t even be eligible for coverage. Uh and so it’s pretty dramatic that you know organizations are now being, you know, it’s a good idea to protect the organization, you know, for these cyber security controls. But there’s this also this extra layer of requirement from you know, insurance carriers now to say hey like you have to have this so we’re not gonna provide you insurance.

[00:12:40.94] spk_0:
Okay, okay. Sarah, let’s go back to you. I’d ask you about cyber liability insurance and then matt usurped unceremoniously uh usurped your your your your platform. So let’s go back to you what else, what else can you contribute for these for these folks?

[00:13:53.94] spk_2:
Yeah. So with with cyber liability insurance it’s something that oftentimes is getting you know much more of a top down decision making process. Somebody will have, you know, these things like the ransomware and and wire fraud and issues like that have been, we have bubbled up more inter in like the public awareness and so there’s a lot of top down pressure for these things to get adopted and you know there one of the things that they’re also going to ask for is you know, what are your plans? Do you have an acceptable use policy for your I. T. Do you have a plan for when something does go wrong, you know what do people know what to do, who to reach out to, what steps to take? You know because you know you you hope for the best to plan for the worst. And there are a lot of really good resources out there for developing these sorts of acceptable use policies for for creating incident response plans and you know you can um really it can get overwhelming sometimes the number of you know different resources that are available and what to use and what not to use. So you know partnering with somebody who does know you know a little bit more about cybersecurity or is providing that knowledge to the community. Um

[00:14:43.94] spk_0:
Let me guess that that that’s the work of community I. T. Innovators. Am I going out on a limb taking a taking a stab in the dark? Yes. Okay well we’ll get I’ll give you a chance for this for the shout out. Alright explanation. But I’m gonna ask you first what are what are some resources for folks? I mean I’m you got me feeling bad now for these people because we’re like we’re enhancing their to do list but this isn’t even their job that they’re paid for. But yeah we’re talking about looking into insurance and having policies and now now now they are now realizing they are beleaguered because it’s not even their job, they’re just got foisted on them because they know more than all the baby boomers in the

[00:14:56.64] spk_2:
Sometimes it is baby boomers who are accidental techies.

[00:14:59.85] spk_0:
All right. It’s probably not too often. Thank you for that, but probably not not too often. All right. But so what are some resources that folks can can rely on? You said there’s there are many, where can we look?

[00:15:14.44] spk_2:
So I’m going to start with the the self interest pitch first. Uh community I. T. Has a great um library of publicly available resources on our website and our Youtube channel um that are really great for digging into these kinds of things. Um A great

[00:15:30.38] spk_0:
places website. The website

[00:16:00.74] spk_2:
is, uh, community I. T. dot com. Um, and the one of the other places that I know that Matt, as our cybersecurity expert, has a lot of people start is with the cybersecurity framework by NIST, the um and that website have a link to it. It’s N I S T dot gov slash cybersecurity framework.

[00:16:03.65] spk_0:
Okay. N I S T dot gov slash cybersecurity framework. So NIST obviously is a government agency, National Institute

[00:16:11.61] spk_1:
of Standards

[00:16:12.97] spk_2:
and Technology

[00:16:24.44] spk_0:
Technology. Thank you. So. Okay. Um Alright, so there’s a couple of resources um including community I. T. Innovators. Anything else you’d like to share with that folks can rely on?

[00:16:47.44] spk_1:
I’d say that there’s no shortage of resources out there. TechSoup is also a great resource. So in addition to the donations that I think we’re all familiar with, TechSoup also has courses and training, and so they have some free resources that I would encourage folks to check out there. Um, so I think, yeah, there’s, there’s no shortage of resources that are out there to help people learn. I think, you know, the big, the big challenges is really putting it into action.

[00:17:16.24] spk_0:
What about a little, uh, can we give some, uh, psychological support to these beleaguered folks? Now, I’m telling you, you have me feeling very badly for them. Um, we’ll get back to the boggarts and boogeymen, I promise. But, uh, let’s let’s take a little digression to how we can support these folks other than recommending things for them to be aware of, just like how can how can we support them otherwise.

[00:17:25.34] spk_2:
So I think that, you know, I’m trying not to turn this into a pitch for joint for having an MSP come in and like do you own this stuff for you? Because

[00:17:33.45] spk_0:
what’s an MSP

[00:17:34.70] spk_2:
MSP is a managed service provider.

[00:17:38.13] spk_0:
Thank you. That’s what you are

[00:17:40.09] spk_2:
support, we have

[00:17:41.20] spk_0:
jargon jail on Nonprofit Radio. So yeah, but I, I saved you from from any any lengthy sentence. Okay, a managed service provider. Okay,

[00:18:35.14] spk_2:
so that is that is one of the ways, you know, that you can get support. The other thing is, you know, really leaning on the rest of the community. TechSoup is a great place to look for resources and, you know, the entire community is a place to ask questions. Um, there are also, you know, on LinkedIn and Facebook and places like that, there are communities that you can reach out to for wanting to vent, looking for ideas, looking for recommendations. Those are all, um, possibilities. I, uh, definitely enjoy seeing how many, you know, how ready people are when people post on the NTEN forums like I need help with this and like there are definitely people jumping on,

[00:19:12.74] spk_0:
it’s an enormously supportive community. Yeah, I I fear that even though I say it a lot because Amy Sample Ward is on the show very often. She’s our technology contributor. Um, and so she’s often saying it too, that NTEN is not only for technologists, but I I still think people have that misconception. Um, it can be for folks who are not even, you know, not even responsible for technology in their office but they’re just using it. You know, you’re just using it in your nonprofit, and in 2022 like who is not using technology? I don’t think we’re running everything by index cards. Even if you’re on an Excel spreadsheet, you’re still using technology. So.

[00:22:28.84] spk_0:
Yeah. Well that, yeah, and line printers, now you’re talking about when I went to college, so be careful, Sarah. It’s time for a break. Fourth Dimension Technologies. You heard the four D. CEO jug in last week. Talk about IT as a service for nonprofits. They know they’re in a service business. Their IT Infra in a Box, the IT buffet, if you will, is structured around service. Take what you need and what fits your budget, leave the rest behind. They know their work is to serve your IT needs. Comes from the CEO directly. Fourth Dimension Technologies tony-dot-M.A.-slash-Pursuant D. Just like three D. But they go one dimension deeper. It’s time for Tony’s Take Two. This is my silver jubilee in planned giving and August is National Make-a-Will Month, next month. So let’s start talking about your planned giving program launch with wills. Why should you start your planned giving program with wills? This week, three easy reasons. First, they are the most popular planned gift by far. Expect 75-90% of your planned gifts forever to be the most simple planned gift, the gift by will. So it just makes sense to start with what’s gonna be at least three quarters of your gifts anyway. Behind door number two, there’s no donor education. Everybody knows what a will is. Everybody knows they need a will and everybody knows how wills work. You don’t have to spend time and money educating donors, explaining to them the concepts of life insurance as a planned gift or charitable gift annuities or remainder trusts. You’re sticking with the basics, something that everybody understands. And behind door number three, there’s no staff education. Everything I just said applies to your staff too. Everybody knows what wills are, everybody knows how they work and everybody knows that they need one. So you don’t have to train your staff on life insurance and gift annuities and charitable remainder trusts. Completely unnecessary.
You’re starting with the basics and you may never ever decide to go further and that won’t matter. But the place to start is gifts by wills for those three reasons, three reasons for today in any case. And that is Tony’s Take Two. We’ve got just about a butt load more time for Cybersecurity 101 with Matt Eshleman and Sarah Wolfe. Matt.

[00:22:30.17] spk_0:
else? Um, let’s go back to

[00:22:33.16] spk_0:
what we can the boggarts and the boogeymen that

[00:22:36.24] spk_1:
we want

[00:22:36.47] spk_0:
to help these folks look out for.

[00:23:01.04] spk_1:
Um, yeah, I would maybe also just kind of come back in terms of what’s good about investing in this training is that it’s, it’s good to see progress. And I think that’s one of the benefits, as Sarah mentioned, the KnowBe4 platform. It’s great. You know, spend a little bit of money to invest in a platform because then you can actually see the progress of, you know, how many people are taking and passing these little trainings, and then KnowBe4 does a little thing called test phishing and you can actually see the percentage change of how many people in your organization are kind of clicking on stuff that they shouldn’t. And so, you know, whenever you test, yes,

[00:23:34.04] spk_0:
it’s great. Test phishing emails to your enemies in the office, report them when they click, when they click after two days after the training and they click, you can, you can turn them in. Now organization advantage. Now there’s an advantage to being an accident that you’re no longer beleaguered. You’re empowered. Yes, send, send, send a, send a test phishing email to my boss who just turned me down for getting the day after Christmas

[00:23:46.84] spk_1:
off. So

[00:23:47.30] spk_0:
yeah, so it’s great.

[00:24:31.44] spk_1:
You can, you know, you can see, you can see progress and so not all of cybersecurity is kind of like doom and gloom and you know, battening down the hatches, you know, against the onslaught. I think it can be fun. It can be engaging. You know, uh, you know, I think organizations that yeah, do elevate it. And it’s something that, you know, people can talk about and talk about openly as opposed to, you know, being being silenced and kind of feeling bad about themselves. If they, if they clicked on one of those messages, right? Like that’s not the approach you want to take. You want to take the approach of encouraging that learning because, you know, if you got caught by a suspicious message, uh, you know, it’s likely somebody else got that too. And so having this kind of culture of openness and engagement. Yeah, is really successful,

[00:24:37.54] spk_0:
right? I agree. Unless it’s your boss who turned you down for the day after Christmas, that then it’s then it’s vindictive reported

[00:24:40.64] spk_1:
to the board.

[00:24:49.24] spk_0:
Yes. Oh, without a doubt. So All right, well let’s stay with you matt. What else? Um what else can we? Yeah,

[00:26:00.74] spk_1:
I think the other thing that we started to see more of would be kind of financial fraud or what’s kind of called in the, I think the official terminology, wire fraud. So you know, it could be something as simple as those messages people get, you know, that look like they’re coming from the executive director saying, hey, I just need you to buy these gift cards. Call me real quick. I got something for you to do. You know, we’ve seen people get caught up by that, you know, even to more sophisticated cases where people are getting tricked by well crafted emails that say, oh, I need to update my payment information, or hey, we’ve got a grantee and they had a problem with their bank account and here’s the new bank account information. So, uh, you know, that kind of falls into an area where it’s, it’s not just a technology control. You know, there isn’t some product that you can buy that’s gonna magically make that go away. Um, but it’s a combination of having training, maybe having some good spam filtering tools in place, but then also having some policy and procedures so that you’re talking about that with your finance department, uh, so that you, you have good processes in place. So it’s payments aren’t made just by one person making a change, but there’s some some review and some vetting, maybe we need to call somebody. So I think again, it’s it’s not just technology solutions, but really that that kind of the people in process comes in into these equations as well.

[00:26:22.74] spk_0:
It seems like they’re getting more sophisticated. Uh, a little savvier, like, uh, your your account renewed for $399, you know, click here to see the invoice. You know, I don’t know, they just seem, they seem like they’re improving

[00:27:35.94] spk_1:
well. And I think you’ve identified a key understanding is that uh this is this is a cyber crime. This is a criminal enterprise, right? This is financially motivated. And the bad guys are doing it, you know, not just to kind of go in and wreak havoc on your network, but they’re doing it to make money. Uh and so I think that’s also helpful for organizations to keep in mind, right? You know, you can be the greatest nonprofit in the world and be, you know, have the most noble mission. No, they’re not attacking you because of your mission. They’re attacking you because you have money and, and you might get tricked into yeah, doing that $399 renewal or maybe you updated a payment information and and that was $25,000. And so uh, you know, the mission, you know, does not matter For those, uh, you know, cyber criminals who are financially motivated and it’s a lot easier to, to kind of trick somebody into giving you $400 than it is to, you know, write some super sophisticated virus that’s gonna go on to your computer and encrypt all your files. Then you’re gonna have to try to figure out how to pay them in Cryptocurrency. Yeah. It’s just, it’s a lot easier to try to trick people into giving you money than it is to write, write a new virus. Yeah.

[00:27:49.14] spk_0:
Okay. And then of course there is the community of nonprofits that, that are at risk because of their mission. And because you know, we’re living in a polarized time. It’s, it’s no longer

[00:27:55.34] spk_0:
um, hot button issues, you know, like gun rights or, or abortion.

[00:28:00.21] spk_1:
I mean,

[00:28:06.74] spk_0:
it seems like a lot of missions could trigger someone to do something malicious, you know, technology wise. Uh,

[00:28:27.94] spk_1:
yeah, I would say so. We really see that, um, primarily for organizations that are in the space kind of like government think tanks, policy groups, you know, kind of good good government. Those tend to be the kind of attack attract the most attention. Um, and then I think organizations that work on, you know, human sexuality and uh, you know, family planning and abortion services like are in that category as well. Right,

[00:28:39.24] spk_0:
Sarah, let’s turn back to

[00:28:40.94] spk_1:
you, what,

[00:28:41.21] spk_0:
what, what more can you share with us?

[00:31:26.84] spk_2:
Well the one of the things that you know in in that theme of you know it is financial, these these this has become a business enterprise and it’s become you know not necessarily organized crime but it has become something that is a multibillion dollar business. And um That is something that we’ve definitely seen. We’ve seen an increase in the number of incidents that we end up responding to like from 2018 to 2021. The number of cybersecurity incidents is that that community I. T. Was able to track tripled. And so you know there isn’t a way to really fly under the radar anymore and you’re right, these people are getting smarter. It’s not just all Nigerian princes looking for for oil or gold or whatever. It’s you know, there have been times where you know, we’ve seen examples that have been caught in the tools or that did get through and did nearly create an issue. And I sat there and looked at the email chain and I was like, I can’t tell where this jumped in and then you like have to like really highlight and look in and look in the details and you go, oh, oh okay. Like there was just like a one letter change in somebody’s email address, you know, or and like that can you know if if you don’t have the training and you’re not necessarily aware of that stuff and then the redundancy that that matt was talking about um making sure that, you know, it isn’t just up that that all of the keys to the castle aren’t in one person’s hands. Uh so that you can, you know, make sure that there’s additional eyes to see, you know, what you missed or to make sure that this is the real deal is, you know, really important. Um you know what, it’s, it’s definitely a frame of mind thing. 
You don’t want to be constantly consumed with worry and, you know, be paranoid about everything and because that just takes, we’ve got a whole lot of other things going on in the world right now that we don’t need to be panicking about cyber security all the time, and just doing a few relatively low cost things can really help with peace of mind. And you know, it’s worth taking the time, you know, penny wise, pound foolish is one of the other sayings that comes around a lot, you know, just to make sure that, you know, you don’t end up having to deal with a $25,000 wire fraud issue.

[00:31:30.01] spk_0:
Sarah, what were some of the questions that you got from the accidental techie folks who were watching,

[00:31:38.91] spk_0:
were with you?

[00:32:14.44] spk_2:
Yeah, there were some questions on like where do we start, like how do I like, uh, we, we pointed people to the NIST framework has a checklist, um, of things that you can start thinking about and looking at as, you know, places to start. There were also, um, questions about how do I, how do I make sure that I can, you know, convince my my ED about this and

[00:32:18.14] spk_0:
leadership buy-in

[00:33:06.84] spk_2:
leadership buy in and you know, we really for that we really said, you know, try if if if if you’re, if you’re leadership isn’t necessarily into it, you have to get like there’s no right or wrong way to go about things that can be top down, it can be bottom up but making sure that if it’s something where your leadership isn’t as invested, making sure you gather allies, you gather allies and you gather financially focused um data to back you up. You know, cyber security is getting more frequent and it is getting more costly to have to address issues after the fact. And so, you know, those were, you know, some of the really big questions and focuses

[00:33:34.34] spk_0:
you and you had mentioned allies early on, the value of having having friends, uh, sympathetic to the to the cause, all, you know, making this case together to to the CEO or wherever it needs to go. Um, all right, Matt, you want to leave us with some, well Matt, let me ask you any questions that you, uh, that that Sarah didn’t mention that you, that that hit you as particularly interesting, important.

[00:34:43.34] spk_1:
Um, I think it’s important for, for folks to, to realize that, you know, just because their data’s in the cloud doesn’t necessarily mean that it’s, it’s backed up or it’s protected in a way that they, that they think it is. And so I think, you know, nonprofits have done a really great job of getting their data in the cloud platforms. You know, there’s been a lot of great donation programs and discounts and so nonprofits, I think, have done a really good job of technology adoption. Um, but what we see is that they haven’t been maybe as strict on kind of the policy and the governance and some of the other supporting, you know, processes. So we think it’s really important that you understand where your data is and understand how it’s protected and just make sure that that lines up with what you, you know, your organization expects. You know, is it okay if somebody downloads all of your organization data on their personal computer? Like, is that an okay thing to have happened? Let’s make, let’s make sure that we talk about it and understand that, uh, you know, and I think the same thing goes again, you know, if somebody deletes a file today, do we need to be able to recover it, you know, a day from now, 30 days from now, a year from now? And so I think just having some of those baseline settings and kind of testing them is a really important step to take

[00:35:01.54] spk_0:
Backup, recovery, you know, those are not necessarily covered by just being in the, being in the cloud. And how, what’s the time to recover?

[00:35:22.44] spk_1:
Right. Yeah. So I think a lot of those, you know, quote unquote old school, you know, security methods or techniques are still important even if you’ve got your data in the cloud. So again, having that third party backup, having an offline copy, uh, those are all really important steps to take to make sure that your organization’s data is well protected.

[00:35:29.04] spk_0:
Right. Why don’t we leave it there then? I feel like we’ve covered this.

[00:35:31.51] spk_1:
think we’ve got the foundational element.

[00:35:41.34] spk_0:
Is there anything, all right, is there anything on your mind just like, oh wait, I gotta get this in? Is there anybody,

[00:35:41.67] spk_1:
I mean, I’ll put in a plug for multi-factor authentication again. I think it’s worth saying at least a couple more times, it’s the, it’s the most important step that, that, that many organizations can take.

[00:35:54.74] spk_0:
Okay, Sarah, parting thought?

[00:36:16.33] spk_2:
Just gonna emphasize what Matt said about the managed backup just now. Um, you know, it’s really important to know your settings and to discuss them because, you know, a lot of times data loss is actually accidental, and so if you have a way to get it back, that can save you a whole lot of heartache and headache.

[00:36:20.38] spk_0:
Okay we want to avoid

[00:36:22.00] spk_1:
both. Thank

[00:36:34.53] spk_0:
you. That’s Sarah Wolfe, sales manager at Community IT Innovators, and also Matt Eshleman, chief technology officer at Community IT Innovators. Sarah, Matt, thank you both very much.

[00:36:37.33] spk_2:
Thank you so much.

[00:36:38.26] spk_1:
Thanks, Tony, it’s good to get to talk to you.

[00:36:39.97] spk_0:
All right, pleasure and thank you for being

[00:38:02.03] spk_0:
Nonprofit Radio coverage of 22 NTC, the 2022 Nonprofit Technology Conference. I’m glad you’re with us. Next week, tech policies to reduce toxic productivity. If you missed any part of this week’s show, I beseech you, find it at tony-martignetti dot com. This is #601, by the way, I don’t know if you’re counting. We’re sponsored by Turn Two Communications, PR and content for nonprofits. Your story is their mission. Turn hyphen two dot C. O. And by Fourth Dimension Technologies, IT Infra in a Box, the affordable tech solution for nonprofits. tony-dot-M.A.-slash-Pursuant four D. Just like three D, but they go one dimension deeper. Our creative producer is Claire Meyerhoff. The show’s social media is by Susan Chavez, Marc Silverman is our web guy, and this music is by Scott Stein. Yeah, thank you for that affirmation, Scotty. Be with me next week for Nonprofit Radio. Big nonprofit ideas for the other 95%. Go out and be great. Mhm. Mhm

Nonprofit Radio for January 4, 2019: Stay Secure In 2019


My Guest:

Jordan McCarthy: Stay Secure In 2019 
Let’s resolve to keep our technology and data safe in the New Year. Jordan McCarthy will help. He’s with Tech Impact and he’s got simple, proactive measures for the short term as well as bigger long-term initiatives for your consideration. Stay safe!


Transcript for 420_tony_martignetti_nonprofit_radio_20180104.mp3.mp3

Processed on: 2019-01-04T22:17:46.089Z

Hello and welcome to Tony Martignetti Non-profit Radio. Big non-profit ideas for the other ninety five percent. I’m your aptly named host. Happy New Year. Welcome. Welcome to Non-profit Radio two point zero one nine. Whatever the hell that means. Welcome to the new year. Oh, I’m glad you’re with me. I’d suffer the embarrassment of pemphigus erythematosus if you made me face the idea that you missed today’s show, Stay Secure in twenty nineteen. Let’s resolve to keep our technology and data safe in the new year. Jordan McCarthy will help. He’s with Tech Impact, and he’s got simple, proactive measures for the short term as well as bigger long-term initiatives for your consideration. Stay safe! On Tony’s Take Two, time to be an insider. We’re sponsored by Pursuant, full-service fund-raising, data driven and technology enabled, tony dot M A slash pursuant; by Wegner CPAs, guiding you beyond the numbers, wegnercpas dot com; by Telos, turning credit card processing into your passive revenue stream, tony dot M A slash tony telos; and by Text to Give, mobile donations made easy, text NPR to four four four, nine nine nine. I’m pleased to welcome Jordan McCarthy to the show. He is infrastructure and security lead at Tech Impact. He works with organizations of every shape and size, from three-person grassroots advocacy groups to three-hundred-plus-person social service providers, to help them figure out what kinds of technical tools, analyses and strategies will maximize their social impact. He has a decade of experience in systems and network administration, technical writing and education, and technology policy analysis. Tech Impact is at tech impact dot org and at tech underscore impact. Welcome to the show, Jordan.

Thank you so much. It’s a real pleasure to be here.

Thank you. And happy New Year.

Oh, you as well, thank you very much.

Thanks. Um, Tech Impact is, ah, non-profit itself. What, what are you doing there?

So quite a lot.
We are an interesting organization because we have the heart and soul of a non-profit, um, and to some extent, you know, the constant, you know, running from one thing to the next. But we provide services in the style of a more traditional IT shop to other non-profits. That’s not the only thing we do. We actually have several arms, one of which I’m really, really fundez works arm, and they’re sort of a more traditionally non-profit, ah, division that does workforce development in Philadelphia, Wilmington and Las Vegas, bringing in underserved young people and giving them a solid foundation of skills in its various kinds of support and allows them to go back in their communities and give back and start off on really solid careers. But, um, I was out of the house. We provided all sorts of technical services, advising, consulting, implementations and ongoing support to non-profits of every shape and size. And what we do for each non-profit really depends on who they are and what they need. So we try to meet folks where they’re at and, you know, get a sense of who they are and then sculpt a package of services, whether ongoing or short term, that really helps them be more effective at whatever it is that they do. Using technology related. Yes, exactly. Right. So you know, we aren’t necessarily going to help for supply cars, but anything related to information technology, it pretty much falls under arm broke.

Now I saw that in training you partner with Idealware. Idealware’s CEO Karen Graham has been on the show a couple of times. I’m a big fan of Idealware. Did I see that right? You, you do some partnering with them?

Actually, yes. And we’ve partnered more closely than ever because we have actually merged with Idealware second back and Idealware. Yeah, are now basically part and parcel of the same organization.
So we are tremendously excited about that, looking forward to working with Karen and her team to really redouble our efforts in the area of education and training and really trying to get people empowered to do some more of that stuff on their own, so they don’t have to, you know, exclusively rely on, you know, shops like Tech Impact. We will be here still that people need us. But we want to give people as much of the tooling and resources that they can stomach so that they can be as effective as they can on their own.

Look at Non-profit Radio, outside the loop. I did not know that you had merged. Is there going to be a common name between you and Idealware?

So they are, I believe now, but we’re keeping the name Tech Impact. It’s sort of, you know, it’s, it’s a nice broad umbrella. Idealware is keeping their name as well, but I think they’re now, you know, one of our major flagship. Yeah, not, not. I don’t know what we’re calling it, the subdivision, because they are, you know, really powerhouse in their own right. But they’re a member of the family, let’s say.

OK, how recent is that merger that I, that I didn’t know?

Only in the past couple months.

Oh, good. Okay. I don’t feel so bad. All right. No, more like two or three months behind. Oh, that’s not so bad. I’m still reading the newspapers from October then. Okay, Trump. Um, so you want to see, um, social progress, you say that you want to see social progress shape technology usage, not the other way around. What do you feel like non-profits are not doing as well as they, as well as they could in this?

That’s very interesting and complex questions. All right. What we have in our you know, I mean, we go. Don’t take, don’t take a full hour on it, you know? But now I don’t know if we have time. You don’t want the one you don’t want to tail wag the dog? Yes, exactly like that.
One of my personal driving philosophies, that sort of really, um, they put me where I am today through various stint in higher education and the D.C. think tank world. And what I know what that means to me, I think, is that I see, you know, technology is everywhere in today’s world, and we’re doing a lot with it. But a lot of what’s being done is not all that socially oriented, right? You know, I several years ago was already sort of concerned about what Facebook was doing to all of us. And now, you know, come two thousand eighteen and we get a really big download of exactly what’s been going on there and how they have not really been all that interested in doing good by the world. And, you know, Facebook is obviously the bogeyman of the day. But you could look at any big tech company, really, and, and ask, okay, well, how much of this is socially relevant? And to be fair, many of these companies do have a lot of really powerful, um, philanthropy arms, and they do a lot of really good work. But as a community, I feel like the technology space isn’t as focused as it should be on solving the really big problems that we face as a society, as a world, you know, matters of civil rights and environmental destruction and so forth. Um, and I think that the non-profit community really does tackle those problems day in and day out. You know, that is their core focus. They’re kind of safety net providers in a whole bunch of different spaces where, you know, other sectors just aren’t quite stepping up.
And so what I would really like to see is a fusion of the spirit and the really innovative thinking in terms of social development and progress on the non-profit side and be able to fuse that with the, you know, really entrepreneurial creativity of the technology space so that we can see more tools, more types of work that leverage this tremendously powerful tool kit that we’ve developed over the past twenty years or so to really maximize the number of people who can be reached by a particular social intervention, you know, the number of people who are aware of various pressing problems, really raise the level of engagement. OK, tidy as a whole. Uh, Jordan, I want Our people are not only more aware of what’s going on, what’s really important, but that they’re also empowered to do something about it that’s meaningful and helpful.

Okay, we got to take our first break, but I want to continue this thread of the conversation talking about some, some, you know, Idealware, Non-profit Technology Network, and I feel like there’s, we’re making inroads to this, but time for a break right now. Pursuant. Two new resources on the listener landing page. The Field Guide to Data Driven Fund-raising is practical steps to achieve your fund-raising goals using data, and they’ve integrated case studies included, and Demystifying the Donor Experience guides you through creating a donor journey. That donor journey map plus savvy stewardship strategies. You find those two resources on the listener landing page at tony dot M A slash pursuant, capital P for please. All right, now, back to Stay Secure in twenty nineteen.

Right. Jordan, sometimes when I take these breaks, I forget where we were, but I did not forget where we are this time. But future breaks, I may ask you to be my crutch, remind me what, that we were just talking about. OK, so where you want to see this fusion between social progress and the technology tools that can enable it, support it. We’re making inroads, though.
I mean, there’s, there’s Tech Impact. There’s the Non-profit Technology Network, there’s Idealware. Let’s see, I just had a guest on, Ann Mei Chang, a few weeks ago talking about, instead of lean startup, lean impact, you know, how to iterate and learn fast from buy-in in your, in your non-profits. I mean, that’s sort of, ah, that is broader than just technology. But she was taking that technology, that, that tech startup theory of lean impact from Eric Ries and applying it here to non-profits. I feel like we’re making inroads, right?

Oh, yeah.

Okay. Which is not where you want it or not, where you want to be yet, right?

I think, you know, the corporate world is really good about innovating rapidly and figuring out new things to, new products to bring to market and new ways to capture the public attention and so forth. I mean, they’re really good at it. That’s what they do. And I feel like the non-profit and civil society space, you know, it’s so focused on its core work, which is some of the most important work being done out there, right? You know, it is life saving work. It is world saving work, that they don’t necessarily have much time to throw at considerations that might seem, in some ways, like overhead. You know, obviously fund-raising, that one is a given, right? Everyone needs to do that. Yeah, but we all know that mandate all too well, but there are other things that are perhaps equally important, like keeping abreast of what opportunities are out there in the way of technical tools that could really help, you know, again, reach more people or make your operations more efficient or save money or save.

These are all important investments and unfortunately, overhead got a bad label several years ago. But, you know, on Non-profit Radio we’re always bristling at that, that, that thought that, oh, you know, if it’s not direct service related, it’s wasted money and people won’t, our donors won’t understand it and
they’ll think that we’re not good stewards of the money that they give us. That’s, that, that thinking has got to go out because we’re talking about investment in your organization and your people and in the services that you’re providing.

That’s exactly right. Yeah, I mean, and invested time and money to end up with a better, more efficient, leaner, you know, more impactful end state, like that’s just, there’s no way around it, right?

I mean, you can’t deny that the most, well, I was gonna say most admired companies, let’s just say the wealthiest companies, whether they’re most admired, that’s, ah, a value judgment, but that you can’t deny that they’re constantly investing in, in themselves, in their people. Amazon, Google, Facebook. Was that FANG, Netflix? You know, the companies are constantly investing in technology, and there’s a lot of lessons to be learned in those types of investments.

Oh, most definitely. And I think, you know, I, I also share your frustration with the whole idea that overhead is a bad thing because, you know, it doesn’t matter and you know not to stare at their do it, Lee. But information security is often seen as overhead, right? It’s something that you have to deal with on a regular basis. You know, you do it right, it’s always in the back of your mind and always takes some resources and attention, and you don’t really see immediate, tangible benefits because by definition, good security is not getting broken into, right? And it’s hard to measure the value of a negative, I know, until, of course, you do get broken into and you see just how bad it can be. So I completely agree. I think overhead is a sort of A I wish it were not a bad term, but since it is, let’s get rid of it and call it something like, you know, core structural support, investment.

That’s what, investment, you’re investing.

Exactly. Yeah, that’s even better.

And people understand that. And you’re asking people to invest, I mean,
if you’re talking to donors, you’re asking them to invest and you’re investing in the work that they’re investing in. You just give it to you, and you invest duitz. Okay? All right, Let’s school. Good. Uh, love that opening. So let’s, let’s get to some, some details. Tech Impact has this excellent resource which we’re going to sort of talk through. So if you could just go to tech impact dot org, is that the way to get it? I got it. But I forget, how did, what did I do? You go to tech impact dot org. And then where, then?

On our website, there’s a whole bunch of menus, and there’s a menu item for things that we do, and underneath that there is a security section, and go there. You’ll get brought to a page that asks you for just basic information. And then you get a quick security checklist of the top things that you can do as a non-profit or, honestly, for that matter, as any kind of organisation or even a person, to be safer in a world that is getting less safe.

Okay, yes. And I, I want to thank, thank you that, I appreciated that it was very minimal information that you asked for. Sometimes to get the resource, you know, yes, it’s free, but you have to give up your, your physical address, ah, phone number. You know, I bristle at that. For this resource, it was just name and email. That was it, that’s all. And that’s all I ask for when people join our list. Name and email. So thank you for that. Thank you for not going overboard with data collection. You know, I mean privacy, because then you have to preserve lead right to you. If you take my address, then you will have to preserve it and secure it. All right, so we’re gonna get to that. OK? So what kinds of risks are you concerned about? You’re welcome to share client stories. I know you, you know, you do direct work with clients, non-profit clients. So what types of risks are you seeing?

So I think things unfortunately have gotten pretty hairy, particularly,
I would say over the past year, twenty eighteen was not a good year in so many ways. So what we’ve seen is that, ah, the attacks that previously were targeted, let’s say, mostly at bigger fish, especially, you know, corporate fish, are now coming downstream to smaller organizations. And that is, ah, indicative of a few things. One important thing to understand about the space of IT security, or insecurity, if you like, is that it is, and has been for a while, it is dominated by big, actually corporate actors. I mean, these are international crime syndicates who exist, and their, their core business model is to break into other organizations and steal their intellectual property, use, or rather abuse, their infrastructure for other, you know, malicious reasons, just generally do as much damage as possible.

Like steal half a billion addresses and credit card numbers from, it was, well, Marriott, whatever the weight of a company merged with Marriott last year. Spring him, not Spring Hill, but Starwood. Starwood, right. Half a billion addresses, credit card data, passport information for some people compromised. And that’s just one example of

Yeah, well, you go back, you know, even a couple of years. And, you know, many, many big names just, you know, fly off the pages. Home Depot. There was Target, argast, you know, the Office of Management and Budget in the federal government, like you be. These attackers have targeted very successfully some of the largest institutions out there that have truly massive databases of personal information. But Betsy’s coming down, proceed. You Ah, go and steal people’s identities or you know what? They generative process, right? They take the information that they’ve stolen, and they use it to try to extract as much value from that data set and then build that data set further. So they might use those emails to send more spam, encouraging people to log into a fake,
you know, Google sign-in page or something and thereby build their database even further. And they’ve really refined this. It’s not a technique, it’s a whole world of techniques, really. It’s a business model, over several years, to the point where it’s really a precision engineered process, and they have a specialization. There are different parts of this black market ecosystem that specialize in breaking into accounts. There are different ones that specialize in spamming. There are different ones that specialize in setting up and distributing attack tool kits that make it even, make it easy for people to start performing these attacks. So there’s a lot of specialization, a lot of, a lot of different firms engaged in this process, and there’s, as you pointed out, billions of dollars to be made in compromising organizations. Now rhetorically again. And even now, of course, the Holy Grail, if you will, is to break into a Target or a Home Depot or something because they have millions upon millions of records, lots of payment information and so on. But of course, you know, this is an arms race, and so the big companies have gotten somewhat better at securing themselves. Many of them have been hacked and therefore have been paying a lot of attention to their borders and making sure that, you know, they’re relatively safe. And at the same time, the attacks have gotten cheaper to run because they’ve been systematized and really reached a sort of industrial level of scale, which means that it is easy and cheap to run attacks against smaller and smaller organizations profitably. And so that’s exactly what’s been happening, is that, um, these very sophisticated attack tool kits and procedures have been used to go after smaller and smaller organizations. Ah, and another important thing to understand is that most of this work is not at all targeted. It’s very opportunistic. So, you know, a,
a big crime syndicate will get a big list of email addresses by way of breaking into a company’s database. And, you know, there’ll be all sorts of people on that, on that email list. You know, private individuals, partners of the company and so on. And the attackers will just use that database and send out fairly generic phishing emails to everyone on the list, on the assumption that, sure, most people will recognise this email that’s coming in is not actually asking to reset their Gmail password. But if even one percent of the people on that, you know, many-million-person list do actually take the bait, that represents thousands and thousands of more accounts they’ve just broken into and a hand that can now use to execute even more attacks. And so there’s a lot of daisy chaining that’s going on here, a lot of building on prior work or prior attacks to create even more devastating attacks that target even more people. And so the non-profit space is sort of squarely in the sights of this black market ecosystem now. And so, you know, at any given day I see emails coming in both to Tech Impact itself and to our partners, who then forward them on to me. You know, maybe somewhere between five and ten fairly well crafted emails, ah, on all sorts of subjects. You know, some of them say your Gmail account has been compromised, please click here to reset your password. I saw a brilliant one just yesterday, purportedly from American Express, saying something is wrong with your card, you need to click here to review some another as transactions. This email was spectacular. It had all the right branding. It was formatted exactly right. All of the links in the email even went to valid American Express web pages except the big Click Here button, which sent you to the attack page that tried to get you to divulge your login information for your American Express account.
You’re saying that was very high level of sophistication mary-jo right now, very hot again, basically targeting everyone at this point. Okay. And that was very high quality.

So very high quality. And I mean, I think the big theme is I have seen a steady progression of the quality. So it started out, you know, in, let’s say, well, that’s a year ago, January of last year, most of the stuff I was seeing was pretty shoddy, right? It had lots of spelling errors, very little in the way of visual branding. Um, you know, the formatting was terribly off. The email address didn’t look even remotely convincing. But, you know, the email I got yesterday, again, everything about it was perfect. Except that one button, and even the button, I mean, it was well formatted. You would have to actually hover over it and notice that the link points somewhere other than an American Express web page to be able to tell that anything was wrong.

Okay. So, natural, you know, next question is, what the hell are we going to do about this? So your, your resource paper’s got ideas, and you really want to start not with the technology, but with your people.

Exactly. There’s a misconception in the general, you know, world at large that because this is a high-tech problem, it must have, ah, a high-tech solution. And more to the point that, you know, that high-tech solution is probably going to cost a lot of money. And it is true that there are some high-tech solutions out there, or I wouldn’t call them high tech. I would just call them, you know, yes, technical solutions. None of them are that involved. And, you know, you shouldn’t have to pay that much, if anything, for most of them. And the most effective solution to this kind of problem, um, is getting your team, your staff, on board with the project of keeping the organization safe and helping them to understand just how pervasive and sophisticated the threats really are.
You know, it’s hard to get a bunch of dedicated, hardworking, you know, non-profit staffers into a room for an hour and get them to listen to a lecture on, you know, how they need to care about security. You know, for all the reasons we talked about, they’d so much rather be getting their work done. But if you can get your team to understand that this is, the risk is real, the threats are, you know, they’re significant and growing, get people to just adopt a stance of reasonable vigilance, you know, not full blown paranoia, but just being a little bit, you know, thoughtful about everything they click on, whether it be an email that comes in from, that they weren’t expecting, even if it comes from someone they know. Because part of this whole, like, iterative process in the attack space is that attackers will break into an email account and then send emails to every single person in that now hijacked account’s address book, so that the emails do, in fact, come from someone that that person knows. You can’t even now just say, oh, as long as I know the person, it’s fine. May very well not be fine because you maybe not. But when you open an email and you’re not expecting it, and it asks you to go, you know, view this special report that, you know, is for your eyes only and whatnot, especially if the person that you, uh, get this email from would never write that way, that should be a red flag. And similarly, whenever you’re browsing online, you need to be vigilant about what you click on. You know, don’t click, obviously, on anything that says you’ve won a thousand dollars, because that is never true either. It’s certainly not true in real space, and it’s doubly not true online. And, you know, you always just have to be a little bit, you know, a little bit suspicious in back of your head. Think, okay, could there be another, you know, ulterior motive here? Like what, what’s the agenda of the person who sent me this thing or, you know, showing me this web page?
Um, you know, is that someone I trust? And do I have some context for why I’m being asked to enter my password here or provide this information or click on this button? Um, is this going to do what I want it to do? And if you can adopt that kind of a mindset and get your entire team to adopt that kind of a mindset, you become exponentially safer than most other folks around. Because this is a new mindset. It’s hard to shift your thinking, particularly in the non-profit space, where we operate largely on the basis of trust, right? You know, we have a lot of partners. Uh, you know, we have to trust that our partners are also interested in doing the same good work that we are. You know, we don’t want to wander around being endlessly suspicious of everyone, but unfortunately, the state of security online.

Yeah. Yeah, you really have to be all the more vigilant. We just, we just have about two minutes before break. Tell us what’s been going on at Tech Impact yourself. Your, your, your CEO, or some sort, your CFO has been getting emails that purportedly come from your executive director.

Oh, yeah. And we’re not alone. So the more sophisticated version of, we’ve only really talked about one type of attack. And there are others that we might want to talk about. But, you know, let’s go quickly. There’s a different variant that isn’t quite phishing. So phishing is trying to get you to divulge your own personal information over email. But there’s a variant of that attack where someone writes into an organization pretending to be someone high up in the leadership team, the executive director or the CFO or someone like that, and asks various members of the staff, oh, I’m out of the office right now, but I really need you to conduct a transaction for me. I need you to buy some gift cards. Some of them get really creative, and they say, and they, and they do their background research.
And they say, uh, we just had this annual conference, and I need to send gift cards to all of our speakers. Could you go out and buy those for me and then send me the codes from the back of those gift cards so I can, you know, send them along to folks by email? Those emails, when they’re well done, can look exactly like they come from the executive director or the CFO or whoever. And of course they don’t. And if you reply to them and do what they ask, you will be sending all sorts of things, potentially financial information, out to someone you’re never going to be able to find again. Because they set up a fake email account for the purpose of trying to infiltrate your organization. And once they’ve done that, they’re going to get rid of it, and it’s going to be untraceable.

All right, we’re going, we’re going to take a, take a break. And when we come back, I want you to continue this, because I’m going to ask, ah, Jordan, how could this possibly happen at Tech Impact? Okay, so, ah, stand by for that.

Wegner CPAs. New for the New Year, they’re kicking off a remote non-profit roundtable series. They used to just be on location. Now they’re doing it remotely, livestreaming. Each quarter a Wegner CPA will cover a topic that they’re intimately expert in. So they’re the experts, but you need to have a basic understanding of it. All right. I mean, you want to know what, you want to have a rough idea of what your CPA is doing and what to do in the non-profit realm. That’s what they’re talking about. The first one is on January 15th, about revenue recognition for your grants and contracts. You go to wegnercpas.com, click Resources, then Seminars.

Now time for Tony’s Take Two. It’s time for you to be an insider, a Non-profit Radio insider. Also new for the New Year, I’m kicking off something: expanded guest interviews that are going to be exclusively for Non-profit Radio insiders. 
Each week, I’m going to dive a little deeper into a topic with a guest or cover something we didn’t talk about on the show in these three to five minute videos. All right, the video is going to be on a private playlist entirely for insiders. How do you become an insider? Sounds like something that you would have to pay for. And you’re right. It does sound that way, but you don’t have to pay. Other people might charge for something like this, but I will not. Ah, all I do, all you do is go to tonymartignetti.com, click the insider alerts button, name and email. Like Jordan and I were just talking about, that’s all you’ve got to give, and you become an insider. tonymartignetti.com.

Now let’s go back to Jordan and Stay Secure in 2019. Jordan, how could this happen to Tech Impact?

No. The unfortunate thing is this is really easy to do, and it’s easy to do for someone with not that much technical skill. And just because you get one of these emails that looks really carefully crafted and whatnot doesn’t mean anything has actually been leaked or that you’ve been broken into. Every one of us as an organization has tons of information about us online, right? Certainly the names of our executive directors are incredibly easy to find. If nothing else, you can get them from our tax returns, right? And attackers again have built out this elaborate process that involves doing some basic background research on any organization that they want to attack. I’m sure that they go to the organization’s websites and maybe even look at their tax forms and find out other things about the organizations. Actually, I read recently that many of these malicious actors are now doing extensive LinkedIn research on particular people within an organization that they’re trying to go after. So you don’t know what they’re doing. They built the whole process around this, and they use the publicly available information to construct, you know, uh, an attack. 
It is as plausible as they can make it. So, you know, if they see a mention on the website that there was an annual conference recently, they might throw that into the email again to try to make it that much more authentic. They might mention someone else on the team and say, oh, you know, like, you know, pretend that the message was coming from your executive director: oh, I tried to contact, you know, Jim, our CFO, and he was out of the office, but I really need this done. Can you help? It is very common behavior. Now, I will say each second of background research that a hacker does represents one less second of profit. Right. They don’t want to put in that much time. So, you know, you shouldn’t worry generally, unless you are really, really big and really, really interesting, about, you know, hypothetical attackers scouring your web page and every other thing you’ve done publicly for information about you. They’re not going to do that, but they probably will spend, you know, a minute looking at the stuff they can find most easily. And then they’re going to construct attacks based on what they found, uh, and make it seem like, you know, the emails they’re sending are as legitimate as possible. They also will do that, actually, not only even just pretending to be part of the organization, they will also try to extort you and say, you know, I found out all of this fallacious information about, you know, your executive director, or, you know, what your organization’s doing. And they’ll drop some publicly available details that aren’t even remotely interesting and say, but I have so much more, and, you know, if you don’t want this to go out, then you have to pay me a lot of money. I actually saw an entire wave of these attacks last month, and they, they weren’t particularly well done. But they bothered to do a little bit of background research. So the bottom line is you’re going to get these emails. 
They will contain information about you, and that should not be as big of a red flag to you as you might think. You shouldn’t respond to them. You shouldn’t do anything except, you know, look at them carefully, make sure that there isn’t anything in there that really is private and that someone has figured out, because if that’s the case, you need to do a lot more work to get things locked down. Um, and again, just be suspicious. Don’t believe someone when they ask you to do something, you know, unless you have actually had a conversation about that request before. Better yet, I encourage every organization to have a basic policy that says no one in the organization is going to ask anyone else to authorize a financial transaction or a password reset or anything sensitive over email alone. That’s just never going to happen, and it’s never going to be allowed. You always have to actually talk to the person who’s making the request to confirm that they, in fact, made it before anybody acts on anything.

Sounds like a sound policy. Okay. Let’s, let’s bring it back to what we can do to protect our organizations. So after staff training, what, what would you say is next?

So after staff training, and then again, building a sort of culture of vigilance and everyone being in it together and everyone having each other’s back, I would say there are some basic technical defenses you can put in place. Um, because the most dominant type of attacks that we’re seeing right now are definitely email based and identity based. That is, they’re trying to convince you that, you know, the attacker is someone they’re not, or, and most often, they’re trying to steal your own account credentials and then use them for exactly the same purpose. One of the best things you can do to protect identity online is to not use just a password alone wherever possible. Passwords are kind of an outdated security mechanism. 
They were only added back, you know, twenty, thirty years ago, when the original researchers who were building the Internet realized, oh, really, you know, not everybody should have the ability to read everybody else’s email without a password. That’s how open everything was until they tacked on the password, kind of as an afterthought to fix the security hole. And of course, as the Internet has evolved to do all sorts of incredibly sensitive things, the password as a security mechanism really hasn’t kept up to speed. It’s not good enough for the level of security we really need of our bank websites and our social services websites and our, you know, electronic health record websites. So there’s a new standard, which itself is not perfect. Nothing ever will be, but it’s a whole lot better than just a username and password. And this technique or technology is called a couple of different things depending on who you talk to. But they all mean the same thing. You can hear the phrase multi-factor authentication or dual factor authentication or two-step verification, and all of those terms mean you can, you still have a username and password, but you also need to supply something else whenever you log in to prove that you are who you claim to be, so that someone who managed to steal someone’s password can’t get in with just that.

This is, this is, well, I think it’s, we’re starting to see this. I see it on a lot of options, you know, do you want to enable? I usually see there’s, like, two factor authentication, and this is where it’s a code will be sent to your, to your phone number, to your, to your cell, and then you have to enter that number into the site that you’re trying to log into. Is that, yes, what we’re talking about?

That’s exactly right. And the core idea there is, it’s actually just terrifyingly easy to steal someone’s username and password, particularly if you build a web page. 
It looked exactly like the Gmail login page, but it’s going to be very, very difficult for someone to simultaneously steal someone else’s phone. It is possible, but it’s just so much.

So non-profits can implement this as, when people come in in the morning to log onto the system, they have to provide two factor authentication?

You can do that. I would say it’s less important to do that on, you know, your PCs, you know, so that when you come in in the morning, you have to go through this process. Certainly, hospitals do do that. Everyone has, you know, their little cards that they swipe against some sort of scanner, and that, that counts as their, their second factor. But most of us, I think, are now using something like Google Suite or Office 365, which is accessible from anywhere. And that’s where the attackers really have a, have a party, right? Because you can get into the system from anywhere, the attackers can get in from Russia, Thailand, South Africa, lots of various places where they tend to work out of. And so those kinds of cloud based systems, as convenient as they are, also present a pretty big security risk that literally anyone on Earth could attack. And so those are the platforms where you really want to make sure you have multi-factor authentication turned on. And the good news is, in most of these platforms, turning on multi-factor authentication is free and pretty easy. It’s, you know, there’s a few steps to it, but you basically just go to someone’s account. You say this person should now be required to use this second, you know, step verification or multi-factor authentication. You have to have your, your team signed up. You know, basically, just put in their phone number that they want to receive those authorization codes at, and then you’re done. That’s it. 
You know, their, their login process is going to be a little bit harder in some cases, but on the whole it’s pretty painless and it’s so effective at blocking these kinds of, so much worth the extra minute that it takes just to enable this.

Okay. Let’s say we got, we got a couple minutes before another break, so give us. No, we have to go to a break. Sorry. My mistake. So hang on there, Jordan. Think, think of the next thing we’re going to talk about.

Telos. Can you use more money? Do you need a new revenue source? This is your long stream of passive revenue that you get when companies that you refer process credit card transactions through Telos. Watch the video. Send potential companies to watch the video. After you do, you go, when you want to see it first. And then if they use Telos for processing, you, your non-profit gets fifty percent of the fee for each transaction. This adds up. Small dollars adding up. The video is at tony dot M A slash Tony Telos.

Time for live listener love. We’ve got to do it. There’s so much of it. I get it, I get three sheets of paper, but do not, eight and a half by eleven sheets. Uh, Northvale, New Jersey. The live love to Northvale, New Jersey. Wow, Northvale. Hello. That’s like, that’s two minutes from where I grew up in, uh, Old Tappan. Ah, New Bern, North Carolina. Live love to you. Carmel, California. Pataskala, Ohio. Pataskala or Pataskala, live love goes out. However you pronounce it, even if you pronounce it differently than either of those two ways, live love’s going to Ohio. Jacksonville Beach, Florida. Atalanta. Oh, California. Tampa, Florida. All right, awesome. Lots of live listener love today. And let’s go abroad. Uh, why wouldn’t we? No reason not to. Um, Tokyo and Cicada. Oh, Japan. Wonderful. Konnichi wa. Hanoi, Vietnam. Ah, Seoul, Korea. Annyeonghaseyo, kamsahamnida for our Korean listener. Beijing, Beijing, China. 
Of course we know ni hao, everybody knows that. Mexico City, Mexico. I was always, said guten tag. No, that’s not right. Mexico City, Mexico would be good afternoon. Buenas tardes, buenas tardes. Of course. Iran. That’s not guten tag either. But Iran is listening. Laos and Egypt. Well, look. Ah, Middle East checking in. Love it. Lots of live love going out to all those people. And there may be others that we can’t see. Sometimes there’s masked cities, et cetera. Um, and, ah, the podcast pleasantries. The podcast pleasantries have to go out to our over 13,000 podcast listeners. Right on the heels of the live listener love comes my gratitude to our, the bulk of our audience, which is sitting, podcast, in the time shift. Whatever time, device, however you squeeze Non-profit Radio into your life, whether it’s Sunday nights or Saturday mornings, pleasantries to you. Very glad that you’re with us. Thank you.

Okay, we’ve got several more minutes left, for, we got lots of time left. Oh, yeah. We got a lot of time left for Jordan McCarthy and Stay Secure in 2019. What’s next, Jordan? What, what should we attack after we take on two factor, with simple enabling of two factor authentication? I don’t want to sound like, I don’t make it sound as difficult. Once we, once we checked that off, where should we go next?

It is really not, not hard at all. Again, just so valuable. So we talked about phishing. We talked about email based attacks and identity based attacks. Again, I would say they are the most frequent and increasingly sophisticated type of attack we’re seeing, so that’s definitely your number one priority, I would say. But then there’s a whole other universe of things that also are happening at the same time. So let’s talk about malware and other, more software based attacks. So in addition to the attackers just constantly, you know, trolling around, trying to find people who they can trick into divulging their passwords. 
They’re also constantly scanning every system connected to the Internet to see if those systems are susceptible to various kinds of software attack that can sort of worm their way onto PCs, possibly even then spread to other PCs on the network. Um, and again, all these attacks are very opportunistic, automated. It’s very rare that you’ll see someone actively targeting you because they care about you. They just want to, you know, hit the low hanging fruit. Um, but that means they’re going to put up a malicious file that looks like, I don’t know, maybe a PDF of, you know, um, various discount codes for something, that, that’s, that’s a common technique. Or, or even better yet, a free version of Adobe Photoshop. Right, look, one, one deal. What, one day deal, you know, download Adobe Photoshop for nothing here, right? Of course, that’s ridiculous. That would never happen. And if you click on that link and download the software, you may get some variant of Adobe. But you’re also going to get a boatload of malicious software along with it. And once that software is on your machine, that could do anything it wants. Pretty much, you know, they can watch every keystroke that’s entered into the PC. It can even take video and audio recordings. It can hijack the computing and network power of the PC and use it to attack other targets. Um, and so malware is a very big deal. And it’s particularly a pretty big deal because the most, really it’s not even that recent anymore, but one of the more modern variants or evolutions of malware, let’s say, it’s called crypto ransomware, which is a mouthful. But what that basically means is this malware is very sophisticated, and what it does, once it gets onto a machine, it takes a look around. It finds every file that looks like it might contain something useful to you. 
So every Word document, every picture, every email. It takes all of that data and steals it, puts it into an encrypted archive, deletes the original copies from your computer entirely, and then puts up a message on the screen saying, we have your files. If you ever want to see them again, you have to pay us about a thousand dollars.

That was, last year, the British medical system, right? And the entire city of Atlanta. All right, let’s get to what we can do to help mitigate the likelihood, minimize. I know we can’t prevent. What can we do to minimize the likelihood of this?

So when you’re talking about malware, again, the number one thing, going back to even our earlier discussion, is to promote that culture of vigilance and thoughtfulness. But for technical safeguards, there, your most powerful defense of your software systems and your system security is to keep your systems up to date. And that, that sounds deceptively simple. For anyone who’s actually tried to do it, you know, it’s next to impossible, because everyone is very busy and no one wants to take the time to reboot their computer ten times a day to keep everything up to date. So it’s a challenge. But there are various tools that can help you do that. Um, keep in mind, when I say keeping up to date, I’m talking about not only your computer’s operating system, so Windows or the Mac OS. I’m also talking about your phone operating system, whether it be Android or iOS. I’m also talking about various programs on your PCs, especially web browsers and other boardmember that connect to the Internet quite a bit. All of that needs to be kept up to date, because any one of those pieces could theoretically, if they get out of date, be broken into by one of these automated attacks.

Phones can be, phones could be turned, phones could be turned around into microphones against you, right?

Exactly. And, you know, phones are general purpose computers, too. 
So if the phone gets compromised, theoretically, you could end up, you know, using that phone as a launching point onto other devices that are connected to it.

OK, what are we going to do? What, you scared us enough. You scared me. And it was very good, too.

Sorry. It’s getting a little bit late for Halloween anyway. So there’s a few tools that can help you. There are tools that very simply watch all of the programs installed on your PC and alert you if any of them get out of date. Some of them will automatically install patches for those tools for you, and most of them are free. You know, if you just do a quick online search for, you know, keep my PC updated, that kind of thing, you’ll get some good options. Whenever you download anything online, as part of this, you know, theme of vigilance, you want to look for reviews, make sure other people have used that tool and like it. But there are a lot of tools out there to do this work. That’s very ad hoc, right? Each PC would have to have that installed, and, you know, someone could uninstall it. It would be kind of messy. For organizations that are, I would say, above, let’s say, ten people in size, it probably makes sense to aim for some degree of centralization. Uh, you can monitor and enforce the prompt application of software updates for both the operating system and other applications, and there’s a variety of toolkits that can do this. There’s two big name, um, types of toolkits that are useful in this case. One of them is called a mobile device management toolkit. And again, if you do a quick web search for mobile device management, you’ll find a bunch of different options. Um, some of the big players in the space there include things like Microsoft Intune, Cisco AirWatch, um, IBM MaaS360, and there are a bunch of others. But those are just some that come to mind, and those are really, really good at managing the security of mobile, as their name suggests, mobile devices. 
So many of them focus primarily on the, the mobile phone space. But many of them can also handle desktops and laptops as well. For desktops and laptops, then, there’s another toolkit or a type of toolkit that really focuses in on that space, and those are remote management and monitoring toolkits, abbreviated RMM. And the first one was abbreviated MDM tonight. We love acronyms. I’m not really sure why, but.

But thankfully, you kept yourself out of jargon jail by actually using the full name before you even said that with him. So yeah, I get that way. That’s why we have, that’s when Non-profit Radio has jargon jail. Oh, thank you. I, what? All right, finish your sentence, and then we’ve got to take our last break.

Okay. So remote management and monitoring tools do exactly what I proposed needs to be done. They help you watch PCs for anything that might need to be updated and get those updates applied promptly. They can also do more than that. They can watch and monitor antivirus programs, which are not actually as useful as you might think. So that’s why I didn’t put them first on my list. Keeping yourself updated is actually more important than having antivirus programs in place, generally. But it is a good last line of defense. And these toolkits are going to help make sure that those tools stay in place and are updated as well.

All right. Jordan, and Jordan, wait. Take our last break. When we come back from this break, I want you to list, list again the resources that you named so that people can have a place to, ah, check out, and, you know, the ones that you believe are, are sound.

Text to Give. Can you use more money? Again, need a new revenue source? Here’s another way: mobile giving. You could learn about it with Text to Give’s five part email mini course. Now, this is an email that is bona fide. So you don’t have to worry about this being a phishing email. 
You know, you’re just five emails away through this mini course, one each day, from raising more money or raising money to get started through mobile giving. It’s cheap to get started. It’s easy for your donors. The way to start the mini course: you text NPR to 444-999.

All right. And we still got several more minutes for Stay Secure in 2019 with Jordan McCarthy. Alright, Jordan, what’s your, what’s your list of resources that users can trust?

So first of all, users.

Listeners, listeners, listeners can trust. Who’s, well, they are users, too, but listeners is what we’re talking about here.

You want to look at whatever vendors you use and you want to see, you want to have a look at what they say about their own security. So, you know, look at, go to the web page of, you know, Blackbaud, Salesforce, Microsoft, Google and, you know, just say, all right, tell me about your security. What do you do? What do you offer? What can you help me to nail down? Okay, because many of these platforms will have a lot of security features built in that you may not be taking advantage of. So start simple. Start free.

Use what’s already included but you may not know about, that’s already included.

Ok, then you want to start looking for other resources to tell you, you know, about what else you can do. What else, what, what, what are the sort of tools of record that really are effective and secure and will increase your security? So I mean, not to be too self promoting, but Idealware is a phenomenal resource for this kind of thing. That haserot hutchisson tons of resources.

And listeners know that Idealware, Idealware knows dimension of, you know, I, including security brought up. Yes. Objective, objective, objective.

Other indexes as well. So if you look at sites like PC World, um, Computerworld, Ars Technica, Wired, they usually do reviews of various security tools. I go to them routinely to see. 
All right, what is the latest on the mobile device management toolkits that are really top notch? What antivirus programs are recommended this year? Because they always cycle in and out. Okay, now, in terms of the tools that I use quite a bit and trust, I would call out, for things like authentication, obviously Office 365 and the Google Suite are phenomenal toolkits. They can both do a lot for you in terms of keeping things safe and helping you to monitor the security of your communications and your files and everything. So either of those platforms, I think, are exemplary. And both have built in multi-factor authentication. You just need to turn it on. Um, if you’re looking for something that can go beyond those core platforms and span multiple products, you might want to look at, ah, a couple of toolkits that focus squarely on authentication, safeguarding identity. Those tools are Duo, D-U-O, and Okta, O-K-T-A. And these, they’re both really big names in the space of, again, just making sure that people’s identities are kept safe and that they cannot get attacked by simply divulging their passwords. Both of them provide multi-factor authentication to a wide range of other tools, so you could end up just logging in with your Duo or Okta credentials and then be granted access to a bunch of other things. But, but in a very secure way.

Okay, excellent. We just have about a minute left, Jordan. So I feel like we did enough on why you should be paying attention to this. Let’s not, let’s not wrap up with that. But I’ll leave it to you. How do you want to close? You got a minute.

I think I would say that, you know, things are pretty scary right now, and I don’t want to sugarcoat that. As you say, we said enough about it. But there is a lot that any given non-profit can do. It doesn’t, it’s not rocket science. You know, you might be told that you need to pay a butt load of money or hire, you know, a really fancy consultant to tell you what to do. 
Ah, and if you find it helpful, sure, by all means, go and get some help. And, you know, if you want a lightweight approach or even something more in depth, Tech Impact is here to help, where we’re more than happy to meet you at whatever level of support you need. But having said that, a lot of this stuff is really not that difficult. It can be done by someone who just has the time. I mean, that’s sort of our, all of our scarcest resource, I know. So that’s easier said than done. But if you have the time and, you know, you can set aside some resources to dig in and turn on multi-factor authentication and figure out how to keep yourself up to date, you are going to be so much safer as a result. And for most non-profits, that’s exactly what they need to do. As long as they are safer than the average, they are totally not interesting.

Okay, hackers, we got. Okay, we got to leave it there. Don’t be interesting to attackers. Ah, he’s Jordan McCarthy, infrastructure and security of the Tech Impact. You’ll find them at techimpact.org, which is where you’ll find the resource paper with even more ideas. And they are at @tech_impact. Thank you so much, Jordan. It’s really a pleasure.

Thank you. Thanks.

My insider video with Jordan, we’re going to talk about single sign-on. Next week, the annual Zombie Loyalists replay with Peter Shankman. His customer service ideas are excellent, so it’s very worth, well, worth replaying it. Do it every year. If you missed any part of today’s show, I beseech you, find it on tonymartignetti.com. We’re sponsored by Pursuant, online tools for small and midsize non-profits, data driven and technology enabled, tony dot M A slash Pursuant, capital P. Wegner CPAs, guiding you beyond the numbers, wegnercpas.com. By Telos, credit card and payment processing, your passive revenue stream, tony dot M A slash Tony Telos. And by Text to Give, mobile donations made easy. Text NPR to 444-999. 
A creative producer was Claire Meyerhoff. Sam Liebowitz is the line producer shows Social Media is by Susan Chavez. Mark Silverman is our Web guy and his music is by Scott Stein. You with me next week for Non-profit radio Big non-profit ideas for the other ninety five percent Go out and be great.

Nonprofit Radio for October 26, 2018: HTTPS & Does Your Website Suppress Giving?

My Guests:

Ben Byrne & Katherine White: HTTPS
Do you need the security of HTTPS for your website and how easy is it to start implementation? Probably and quite. Our panel is Ben Byrne with Cornershop Creative and Katherine White from Kanopi Studios. (Recorded at #18NTC, the Nonprofit Technology Conference.)







Rachel Clemens: Does Your Website Suppress Giving?
Rachel Clemens is concerned that your website is holding you back from raising all the money you can. Are you confusing donors? Overloading them? She’s chief marketing officer at Mighty Citizen. (Also recorded at the Nonprofit Technology Conference.) It’s website day!





Transcript for 413_tony_martignetti_nonprofit_radio_20181026.mp3

Processed on: 2018-10-24T15:18:27.166Z
S3 bucket containing transcription results: transcript.results
Link to bucket: s3.console.aws.amazon.com/s3/buckets/transcript.results
Path to JSON: 2018…10…413_tony_martignetti_nonprofit_radio_20181026.mp3.465323320.json
Path to text: transcripts/2018/10/413_tony_martignetti_nonprofit_radio_20181026.txt

Hello and welcome to tony martignetti non-profit radio big non-profit ideas for the other ninety five percent. I’m your aptly named host. Oh, i’m glad you’re with me. I’d be hit with strep. Oh, simba, leah if i had to read that you missed today’s show working virtual we talk through the issues encountered when managing remote staff technological, generational, emotional measurement, recruiting and retaining. Our panel is heather martin from inter faith family and alice hendricks with jackson river. I was recorded at eighteen ntcdinosaur non-profit technology conference and map your data to your audiences. Feed your folks the data they crave. Courtney clarke and david mask arena have identified five audience types and their data needs she’s with forum one and he’s fromthe conrad and hilton foundation that’s also recorded at eighteen. Auntie si, tony, take two who’s on first, we’re sponsored by pursuant full service fund-raising david driven and technology enabled tony dahna slash pursuant capital p well, you see, piela is guiding you beyond the numbers. Wagner, cps dot com bye! Tell us attorney credit card processing into your passive revenue stream. Tony dahna slash tony tell us and by text to give mobile donations made. Easy text npr to four, four, four, nine, nine, nine. Here’s working virtual welcome to tony martignetti non-profit radio coverage of eighteen ntc non-profit technology conference twenty eighteen we’re coming to you from the convention center in new orleans second interview of the second day of our coverage all our ntcdinosaur interviews are sponsored by network for good, easy to use dahna management and fund-raising software for non-profits my guests right now are heather martin, ceo of inter paid family, and alice hendricks, ceo of jackson river. Heather alice, welcome. Thank you. Welcome to non-profit radio. What have you wanted to be here ? How’s ? The conference going for you ladies ? Great. Have you done ? Yeah. Excellent. Okay, great. 
Next one. That goes good. Superlative. Have you done your session yet ? We did. We were on yesterday morning. Okay. So, it’s all relaxing now ? Right now, we’re just partying. Drinks last night. Exactly. Okay, all right. Your workshop topic is working virtual attracting and managing the best talent. I’m sure we have stats on how many organs non-profits have virtual employees. Or at least what the trends are. It’s it’s obviously growing. It’s really growing wouldn’t be here. And not only in the nonprofit world in the for-profit world as well, and especially in tech. Yeah, okay, absolutely it’s becoming it because of the technology that can enable easily to work from home, your chat technologies, videoconferencing, it’s become a thing and everyone is doing it now on exploring whether it works for their organizations a lot. Let me dive into the word, everyone not to quibble with you at all, but i was thinking generationally, are there fifty and sixty some things that are comfortable working, being virtual ? Not well, maybe we’ll get to whether they’re comfortable having virtual employees. They will get to that. My voice is cracked like i’m fourteen get that, but how about being virtual employees themselves ? Are they comfortable ? I’m over fifty, so include myself in that ? Are we comfortable doing that ? Or, you know, i think it actually depends on the organization and it’s really dependent on the organization making the employees comfortable, and so i’m not sure i don’t know if you have any stats, but i don’t know from an age perspective, there’s a very good question about an older generation being comfortable having virtual employees under the managing them, however, as being the virtual employee, i think it’s all about how the organisation sets it up. Okay. Excellent. All right, so that there’s promised them for those fifteen. Sixty something ? Absolutely. Okay. Okay, let’s, talk about it. 
Since since we’re skirting around it, how about comfort or discomfort with having employees being virtual when you’re over fifty ? So i again, i i think that there might be an age discrepancy in the comfort, but i also think it’s just personality, and i’m finding that when i talked to a lot of people who are looking to work virtual and they’re asking me, what can i do to go to my manager, my supervisor and quote unquote, sell them on me working virtually my answer to them is find out what the resistance is. There is part of the resistance as we’ve always done it this way i need to see my employees to know that they’re working. And how do you get around that ? Some of the key things that we talked about in our session are setting very clear goals and making sure that those goals are being met. But let’s, go to alice talk to flush out the gold. Gold setting a little. Yeah, i mean, i think that there’s not that much difference in terms of goal setting in terms of accountability for delivery, bols, that you’re supposed to be doing so used that the real issue is communication making sure you have a structure where there’s frequent communication and proof that you’re doing the delivery ble. So you’re measured not on a punch clock style of i get to work at nine. And i leave at five. And therefore i must have worked during that eight hour period you’re measured based on what is the work you were set out to do. And did you actually do that work in the time period ? I said i would do it. So if you’re a project manager are working on a program area you work with your you work with your supervisor on here, the things that i’m going to get done at a particular time. And if that’s not done that’s ah, that that could be a concerned that’s a problem, but that’d be a problem in the non workplace too, but rather than time. It’s mostly based on work product. Okay, okay. 
So that should apply even if you don’t have any virtual, i think one of the things we found is that working virtually is this, or managing virtually is the same as managing in an office. But you just have to be much more intentional about what you’re doing. Much more intentional about your communication, understanding that you’re not gonna have that water cooler conversation, that someone’s not going over here. Something and understand where you are in a project and b ready to communicate with those people who are not physically in the office. But the management and the psychology of the management is very similar. Okay, it’s, very valuable, you know, and make explicit. Yeah. How about attracting people, teo a virtual or attracting the right talent so that we’re comfortable that they’re gonna work in this work environment ? What do you, what you thought ? Well, there’s. Two thoughts on that that i have one is what one is that your talent pool is the entire country or world, should you see fit ? And there are wonderfully talented people in places that aren’t in the city or town in which your organization is located, and it gives you this ability to recruit from a wide place. And you can also hyre incredibly talented people from who have a wonderful life style. In a less cost of in my organization, we have people who live in a lower cost of living state than washington, d c where were based, and that allows me to provide a living wage and for my employees in that. But the other thing is just you, when you’re recruiting, you have to be very mindful of the interview process, and i think one of the things we talked about in our session was helping people figure out who these folks, how well they’ll respond to working virtually how do you do that in an interview ? 
Yeah, who’s best with that, heather so so some of the things that that we recommend, some of the things that we recommend is number one, we use technology as a tool to enhance communication in a virtual environment. So sometimes you’re using video comp, renting just for a regular meeting, and you’re talking through instant messenger and there’s other ways you’re using technology. So in the interview process, i always recommend that people use the technology that you’re going to require those employees to be using during their job if they can’t do an interview on skype or zoom or appearance and it’s very uncomfortable, it’s not to say that that might not be a good employee for you, but you have to be aware that there might need to be some training or development on that tool for them and no going. Into that is important when you’re hiring that person, and if you see generally a discomfort with technology that’s a pretty big red flag, or or or a red flag that you might need to overcome or that person’s not right for the position, and then the other question is some positions just don’t lend themselves to working virtually, and you have to be aware of that when you’re hiring also what are from ? Well, one of the easiest ones that we look at it if you’re an office manager and you’re managing the physical office days, it’s really difficult to be virtual when you need thio notice that there’s a crack in the ceiling where the vendor needs toe, you know, deliver something and be their way. We don’t have a tool for measuring the coffee level. Zack remotely happen. And now there’s an app for that you can probably it’s time for a break pursuing they’re e book is fast non-profit growth stealing from the start ups. They want you to see this because they’ve taken the secrets from the fastest growing startups and applied those to your non-profit it’s free as all the pursuant resource is, are you accustomed to that ? 
Come on, it doesn’t even bear saying it’s on the listener landing page that’s at do you know where tony dahna slash pursuant capital p for please now back to working virtual or any others that stand out to you ? I think it depends on the industry and what the job you’re doing. If you’re someone who does intake or you have to be there to welcome people into the office, you need someone physically there. There may be hybrids where sometimes people could work in the office and sometimes people could work from home. And i think thinking this through before you moved to a virtual environment or virtual job for that specific role is ki you can’t just say, ok, tomorrow we’re just gonna go virtual zoho alice, how do you how do you create this environment ? Gonna be hospitable ? Toe virtual ? I mean it’s all about culture. You have to create a culture where everyone is communicating well with each other, where people know what the expectation is on response times of communication has got to start at the top. It has to start a willingness that you absolutely to accommodate virtual employees. Okay, so it starts there and how does that how does the ceo trickling down ? You adhere to it. So rather than walking from my office into someone else’s office and telling them what i think they should know that maybe two other people who aren’t physically, they’re also need to know i will do that on a slack channel, for example. So i’ll use an instant messenger chat program, and i’ll put them all on the channel and talk to them all together at once, even though you were the mark, even if that’s the situation. Yeah, because it requires amount of discipline because you don’t want to leave people out. The interstitial conversation that happens at the water cooler can also be done virtually and that’s pretty important, too. Okay. All right. We’re going to get the tools you mentioned. Slack, slack channel. Is that that it’s ? All okay, okay. A chat. It’s. Simple chance a chance. 
A chance for you. You're over my head, but I'm trainable. All right, I could be a virtual employee, trust way. Mind of some technology challenges there, but we could get there. I'll be there immediately. Got the radio stuff? Yeah. I'm very good at that. I mean, I got knobs and everything in front of buttons and all. I don't know what they do. Okay, what else? Uh, anything else about creating the environment, making it hospitable? I think some of the things that seem, or some of the other things, are making sure that your remote employees have the tools, whether it's the technology or even a monitor to go along with that laptop that you've given them, because some people who go into a new job, they're given a laptop, they say work from home, and it's not as easy as just, is your home office conducive, and being able to help them think through what are the things that they need to set up in a virtual environment to make them successful and effective at what they're doing. We talked about it a little bit about security and knowing what the security measures are. You can't go into a coffee shop and work from your computer. Number one: are you on the Wi-Fi? Are you on the public Wi-Fi? Are you on a virtual private network? Are you using your hot spot? You have to go to the bathroom and your computer's sitting in Starbucks; do you leave it there and ask the person next to you to watch your computer while you go to... I mean, we set policies around these things, especially in organizations that have a lot of regulations on data and accessibility for their information. These are things you have to think about when you're creating a virtual environment. Okay? It could be HIPAA, maybe. What's the credit card, PCM? PCI. PCI. Okay, what do you do when you're at Starbucks alone? You're on, you're on a VPN, virtual private network? Yeah, you have to go to the bathroom. You gotta close up. You use the diaper changing table, and you pull it down in the restroom and put your laptop on that.
Take care of your business. Okay? It's? Very. You know, I love the nitty gritty. Our listeners, I mean, we're all about real life here. We need detail. You need clear policies around, policies that people sign, and everyone is very well aware of what the security policies are: protection, use of technology. You said the company's versus your private, your personal technology, home versus away from home. Okay, all right. Help me out here. Anything else, what else belongs in all this? What else belongs in our policy? Well, so there's, we're talking about, there's communication policies. How? I mean, one of the things that we found when we first started having more virtual employees. We started as an in-office, everyone was in the office, and as we grew into different communities, we had employees in different cities and states than our headquarters were located in, and things like, when I sent an email, I just need you to acknowledge that the email was sent. If you're in the office and I send you an email and you haven't responded, I could walk into your office and say, hey, you get my email? Even if you're not ready to respond to it, I know you've gotten it, and by five o'clock that day, I'll get an answer. When someone's virtual and you send an email, you have no idea if it got lost, did it go into their spam, and you have to get some kind of communication with one quick "got it." So we set a communication policy that says if I asked you something or requested something, you send an email back saying, I got it, and I'll get back to you by Wednesday. Period, the end, it's all set. And so that, you need to be very much more aware of those types of things and other communication. We have communication policies that go along with that. Okay, Alice, you want to... our policy statement? I mean, the security, I think, is the most important, you know, the email security, the hacking potentials.
You know, what happens also, when someone is let go, the lockout procedures; they have access to all of your systems, and they're, you know, in North Dakota somewhere at a coffee shop, you have to shut down all of their access to things. So all of that needs to be planned at the level in the company. What are you going to do and how are you handling staff with remote devices? Can we do this if we don't have a dedicated staff person? And we don't have a dedicated staff person? Yes, InterFaith Family says the answer is yes. Okay, because, you know, we're small and midsize non-profits in this audience, listeners. So you, you onboard someone with technology; when they leave, you do the same thing, only with a virtual person, you don't physically have them there, and so you have to do the same thing you would do if someone was in the office, but make sure you can do it while they're not physically there. How do they get your computer back to you? Do they FedEx it to you? Are you going to go pick it up somewhere if they're not there? And so just those types of things need to be thought through. Okay? No. Excellent. I love the policy statement details because this is stuff you have to think through, and then, Alice, to your point, has to be activated, implemented from the top. Absolutely, can't just have a policy and ignore it. You know, if it's the CEO or it's a C-level person who's distant, you know, they too have to say, I got your email and I'll get back to you by Wednesday. Everybody has to play by the same rules. There shouldn't be exceptions or any accommodations or anything else. Yeah. Okay, um, how about, let's talk about some of the needs that your remote staff has. We've been talking about managing the office. What, what special needs, the people that we only see a couple of times a year? That's a great question. Okay?
I mean, i think they way it took that long, they need community, they need a partner, they need a buddy, they need to know that they’re not all alone. I’m so frequent meetings daily standup calls on dh heather’s organization native oppcoll standup called well, it’s a it’s, a phrase for a daily time when you just spend fifteen minutes sort of roll going around the company’s saying who’s doing what that day or our a team, if you’re working on a project together, you know everyone’s together on either a video chat or a conference call, or it could even be during us dahna slack channel or a skype group or a google hangout, or any type of technology that people can come together for a period of time. The more frequent that happens, the more connected they feel, and there is an issue of feeling lonely, it’s not that you’re just going off on your back room and typing all day long on your own, you need to be part of a community and part of a team. And the technology helps enable that. And heather’s organization there’s you do ? What is it a buddy ? So anyone who is new who comes on board there’s a couple things we do one is, no matter what level you’re at, you come to boston for a couple days, toe on board. You actually see physical people that’s probably essential. It’s, really ? It was one of like he learnings when i started working virtually is to know that there’s a physical person and a physical space or just seeing meeting someone face-to-face gives you much more of a connection to them immediately. The other thing we do is when we hire people we kind of give them we give them a partner. So we hyre associate director her in l a and we put them with the associate director in atlanta. This is not a mentor. This is not a supervisor. This is someone you can ask the dumb questions too. Like, how do i get my expenses paid ? Or i’m sure they told me this during orientation, but i don’t know what. 
To do about x, y and z and just having that person that you know you can go to is critical, especially when you’re by yourself in an office or in your home, and you’re trying to go up the learning curve of starting a new job. Okay ? All right ? What else ? Uh, anything else to be a empathetic to our remote employees again, this is a typical management. I would say this you should be doing this any time is just everyone’s intent is good. Assume that is good and there’s a good intent all all the time. That could be that that that’s going to have implications for chatting any female ? No, you can’t you’ll never hear the well, not never, but most of the communications you’re not going to hear the inflection in the person you don’t see the sometimes you don’t see the physical, you don’t see the physical, you don’t get the inflection, and so before you jump into anything or someone sent and i get this all the time and sends me an email and says i need blank, well, that could be taken in so many different ways. Are you demanding something from me did ice not get you something there’s so much in just those three words ? And so my first thing is tio okay, they have good intentions. Let me follow-up you need blank by when ? What is this for ? Get mohr information, they’re not now. They could be like you haven’t done something, i need it now and could be screaming it could be screaming at you with the default is the default is not do that and what we do actually, as we have everyone’s created communications charter that says how they like to be interacted with. And so i understand if you are one of these people who sends very short emails, i also have the flipside where someone sends me seven paragraph emails to describe one thing. And so if i understand how you interact, i could read that email with that understanding, not teo immediately assume that you’re yelling at me in the e mails. Excellent. Okay, very valuable. Are anything else ? 
Anything else to be supportive again ? Empathetic to the remote employees if we covered it, recovered it ? But i want to make sure we’re the only other thing i can think of is definitely getting together at least once a year with the whole team culture building wants that, yeah, it’s tough, it’s, tough in a non-profit environment where you’ve got a very tight budget, but we have prioritized and all in person meeting in boston, so we’ve got staff in california, in chicago, in atlanta and philadelphia. We make sure that we try in our budgeting process to bring everyone to boston for two days during the summer, not only for good brainstorming and thinking and strategy conversations, but also so they can connect with each other and have that community and build that in person conversation and feel comfortable with each other, and you feel like once a year is sufficient, you know, if i had the budget to do it more, i want a little longer, but all of that, yes. And so you have to take it for one of the that the tools that we talk about is the airplane. I mean, yes, it’s expensive, but it’s a really helpful tool to really get past some of the boundaries that are put up when you don’t actually physically meet in person. Alice, do you have a virtual employees also ? Jackson river, thirty thirty. Thirty. Revoting entire organization is ritual. Oh, my god. Okay, where’s, the is there a physical office ? There is a physical office with three people in washington d c yeah, but so we all behave as if were virtual. And there are many days that i don’t go into the office so in it. So you know, it saves a lot of money and transportation costs. It stays dry cleaning bills for everyone. It saves child care expenses. If you know it’s a very great way to have a lifestyle. Because yu yu have that flexibility, there’s also downsides to it. There are days that i wake up in the morning at six a, m and check email and all the sudden it’s too. And i haven’t eaten breakfast yet. 
And then i’m until six at night. So you know it’s a the same type of work-life integration needs to happen in a virtual environment as well as a physical office space. You know, you need to know how to take a break. You mentioned saving childcare expenses. So so the the remote employee it needs to be understood that the remote employee may not be immediately accessible right for a quick, you know, for for a last minute way gotta talk right now. So i think it’s about have something going on that is going to hold him up for ten or fifteen way try and make sure that people have adequate coverage to do their job during the day, the hours that they need to work. So we have a lot of employees that are at thirty hours a week because they want to spend more time with their families. Um, older children can be met at the bus stop and take care of themselves for a few hours in the afternoon, but the expectations of performance are still there. You know, we’re pretty high street standards of that, you know, we don’t want you to be distracted from your work. He managed the west coast versus east coast. Well, what is the west coast people have to do ? The westfield people have to start at six a m local time. I think a lot of people do different policies on that. Our policy is that you work for the day that work the business day in the time zone in which you live. So it’s, sometimes hard if we’re dealing with europe and the west coast at at the same time because the time zones i don’t overlap is, well, every boy’s in europe, we don’t have employees in your body to have clients in europe. So it’s ah it’s a situation where we have to manage that, but there are organizations that have west coast people working east coast, ours you have that way don’t have explicit policy that you work those hours, but we ask people how early on the west coast, how early would you be willing to have a meeting ? So we will not set meetings with some people ? 
Some people are early morning people and they would rather work from seven to three rather than nine to five, and so we’ll work with your schedule individually and so we so there are some meetings i will have on the west coast is seven o’clock in the morning, but that’s due to that person willing to do that, we have a few minutes left still let’s talk about some of the tech tech tools back-up that was i gotta ask you about slack. But what ? Black dot com how ? Do we find it or what you do for us ? Blackbaud comets, how you find it, you know, it’s it’s equivalent to skype or there’s google chat any type of chat software where everyone can log into and then there’s you can make groups in them. So the term for a group in slack is called a channel. And in our organization we have a channel for one of the channels is named lunch and if you’re going to be away for twenty minutes are going to lunch. We just take we just like everyone who’s in the company on that channel and say, hey, stepping away for a bit, i’ll be back in half an hour so we are all know it’s almost a cz though you would see me walk out the door, you know, and i instead of walking out the door i’m just telling that channel what’s happening there’s channels for each project also. So slack is a good one. Scott argast black is already a verb. Just like someone you’d like someone it’s a verbal. You skype someone you trust someone. Do you remember a well, instant messenger ? That that was a one man was that you could use that well, i was. But okay, so slack for for chatting. A quick, quick chat about document sharing is simple google docks or something better. It’s a simple a school back and microsoft has a great year. We have this product microsoft’s one dr sharepoint microsoft suite has has a document sharing software. Ah, cloud based saving system skype is now skype for businesses and integrated with it. And so we’re using that in the office and then there’s there’s a ton of independent ones out there. 
And it’s, whether it’s, videoconferencing or it’s document sharing or it’s chatting there’s a ton out there. And i think it could be overwhelming. And for us it was evaluating what was best for our organisation and what our upper management was able. Teo use we talked about this before is modeling the behavior you want from your staff and so getting upper management on board was key. So one of our project management software we use a sauna, and we’ve tried three or four of them and our ceo like hassan, and so if she was going to use a sauna, we’re all going to use this on you and so i think that’s really important. It’s got to be easy to use and work for your organization. Calenda ring simple is good calendar ring, yet you have any other tools besides google calendar ? We’re using outlooks calendar. Yeah, okay. Microsoft again. Yeah. All right. I think what other categories we need. Teo a video chat video is really important to scrape. A couple couldn’t do one on video with skype you khun duvette dio with google hangouts, but any time you can actually have an opportunity to see someone’s face and most of the calls we try to do as videos on dh, we find that that works really well. River again, the sense of community and if you can’t get together, that’s almost the next best thing and video has come a long way. The technology is more seamless than ever before, and so at least you’re seeing the person you might not get all of the nuance of the physical that that’s in the room. But you can see it in emotion or you can see a reaction to something which is super helpful or their cat walking of the cat we could get a lot of pets walking in front of the camera while people are on video that’s gonna be a lot of fun to talk about cats, but, you know, you have thirty virtual employees. You have fun doing it. I mean, oh, it’s awesome. Oh, it’s completely awesome is i love it. 
And well, you know, the best thing is that that people have really formed strong relationships with each other, they when you ask them what they like most about working here is they say each other, they say the people i’m here because i have connected relationships with other people on the team and to be able to create a culture where people feel connected to each other in a remote environment is is like, that’s the thing i’m most proud of, anything we’ve ever done, it doesn’t have to do their software product or what we’ve done to impact non-profits is the fact that we’ve had a culture of people that have had a wonderful time working and doing productive, impactful things. Jackson river always had a largest proportion of employees virtual from the beginning, when the beginnings and the culture to start about about it in the family way started as a two and a half person organization in the same way got to probably about eight to ten people in the office. And then our growth took us into different cities and communities. And that’s when we became virtual because of the growth, and so were probably half in the office in boston. And then half of our staff is outside and there’s one or two people in a city by themselves. We’re gonna leave it there. Excellent. Very much. Thank you. Alright. They are heather martin, ceo of interfaith family and alice hendricks, ceo of jackson river. This interview sponsored by network for good, easy to use dahna management and fund-raising software for non-profits. And this is tony martignetti non-profit radio coverage of eighteen ntc ladies. Thank you so much. Thank you. Thank you. Way. We need to take a break. Wagner, cps. Do you need help with your nine ? Ninety or your brooks ? Are your brooks or your books of those books ? And brooks properly managed ? Well, i could help you with the books. Eyes financial oversight in place so that your money isn’t going to fly out the door over the brook talkto wagner, partner, eat huge tomb. 
I’ve gotten to know him. I trust him. He’ll be honest about whether wagner is able to help you. You know where to go. Wagner, cps dot com now, tony steak too. I was at the lou costello statue in paterson, new jersey. Remember lou costello of abbott and costello and who’s on first. So what’s the connection, i hope, you know what’s on first is you’ve got to know that i mean who’s on first. Now who’s, what’s on second. I don’t know’s on third. I hope you know what i’m talking about. The connection is you gotta have some sense of history because this this comedy routine and the abbott and costello you they were from the forties, and if you want to be really successful, implant giving and you going to be actively talking to planned giving donors, you need to have some sense of history from the forties or fifties and vietnam. My video is that tony martignetti dot com now it’s time to map your data to your audience. Nces, welcome to tony martignetti non-profit radio coverage of eighteen ntcdinosaur the twenty eighteen non-profit technology conference day two we’re kicking off our date to coverage with courtney clarke and david mask arena all of our eighteen ntcdinosaur views are sponsored by network for good, easy to use donor-centric software for non-profits courtney clarke. Hello. Hello to you. Welcome. Let me give you a proper introduction. David, you could say hello. Hello, david. Mastering it from the convent and hilton foundation introduced himself. All right, david happens to be the digital communications manager at the conrad hilton foundation. And courtney clarke is managing director of user experience forum one. Welcome. Good morning. Thanks for having us kicking off. Thanks for kicking off with us. Hey, happy to be here. You’re workshop topic is data and audience connecting to create impact. Okay, let’s, start with you. David. What do you think ? Non-profits aren’t getting quite right in this subject. Like, why do we need this workshop ? 
To be honest with you, tell you, please beyond yeah, don’t wear really blunt with the arika. There’s a lot of data collection that’s happening in the nonprofit sector, but people don’t really do anything with it. There’s like a statistic where it’s like a very, very small percentage of non-profits that do something with data. And, you know, for example, there’s so many data points that, in any day, non-profits collect. We have overload, I mean, really was data over, there’s like, there’s like this just beautiful dash was like, what do we do with this? You have to stay close to the mic, okay? All right, so we’re overloaded. So Courtney, what we’re trying to do, and have you had your workshop yet? Yes, we had it yesterday. So you’re on the downside. Yeah, this is easy for you. So what you were doing then, and what we’re going to do now, is trying to make sense of data so we don’t feel overloaded. Well, it’s mostly around communicating data and really being clear about who your audiences are when you’re doing that, because we have identified five different data, sort of, consumers, or data people who will consume your data, but they all need different amounts of information, different formats. So for example, like a data consumer, this is like an interested person in the public. Maybe they’re a news consumer. They don’t have a lot of domain knowledge always, and they don’t have a lot of data skills, so what you’re giving them is going to be very different than, say, a policy maker or a data producer. Okay, someone who’s more in depth in the details of it already knows, has, has a, yeah, you’ve identified, let’s take it from there. We’ve identified five different audiences. Is that right? That’s different, different types of audiences. Okay, what are, what are the five? We should start there. Yeah. That’s okay, what? Five? I’ll start. Okay. The next one. So data consumer two and then three e before there’s a ping pong tournament here. But we’re not.
We’re not going out today. Okay, fair enough. So first is, I mentioned, the data consumer. This is, I hate it when people say general public, because here you’re not really targeting everyone in the whole world. So let’s be a little bit more specific: news consumers, people who are already interested a little bit. Okay, okay. Like I said, not a lot of domain knowledge, not a lot of data skill. What you’re calling this group, the data consumer. So this is the person, you’re like scrolling through your news feed, you’re looking at your phone, and you see an Instagram post or something on Facebook, or even in the press, in the news. And what do you see? You see an infographic that’s simple, right, language that’s easy to understand. The point is very clear. That’s for the data consumer. They don’t have a lot of power, but there are a lot of those people. Okay. Hey, name another one. The next one is the data actor. So this is who everybody is targeting. This is decision makers, policymakers, and these folks may have some domain knowledge, may have a lot of domain knowledge, but they don’t have time. So even if they do have data skills, the ability to analyze and understand massive amounts of data, they don’t have time to do that. They have analysts who are helping them do that sort of thing. But very important people. They have the staff, they have the clout. They have our policymakers decision. Is that right? Yeah. Okay. Okay, David, just give us our remaining three. So, of course, to consume, someone has to share it. So you got a data promoter. So these are the bloggers, you get the journalists, the advocacy folks, the software developers, the entrepreneurs. So these people are the ones who are, like, projecting that data out there so that the consumer and the actor will be able to see that. And then you have the analyst, which is very, very important. A lot, you missed this one too.
It’s, like now i have all these data is beautifully being shared out being read, who in a way is a domain expert, this staffer that’s going to be able to analyze and help advice, what to do with the data. And then finally, the researcher you got, you know, these air, the phd folks, these are you know, i was talking about like jin ho was their learning officer, that comet and hilton foundation she’s a researcher, and we recently did a site visit nairobi, kenya, for one of our grantees, shopko shining hope for community and they have rich, rich data they’re collecting around there, committing kibera and compare, by the way, is the largest of informal settlement in africa and think about, like, a size of, you know, central park in a compressor that seven thousand people and there’s so much data that they’re collecting about the community and helping them with their health care and, you know, with an education and such and community services in the way when she’s taught dana, she was just, like, drooling all over it. But she’s, like, i want to do something that and she’s such an academic she just wants to, like, basically designed something around it. So these air, like the data modelers is with the academics of phd folks that will help let’s take the data to a new level. Alright, much so our audience is small and midsize. Yeah, non-profit twelve thousand. So we’re talking a lot of people there in small, small and midsize shop. Yeah, they need to identify which of these audiences they’re talking to some some may never be talking to to the researcher, right ? Or the or the data actor. They might not be doing lobbying, so they may not be. So you have to identify which audiences you’re talking to, right ? You guys hear me ? Okay. And your headsets ? Yeah. Yeah. Okay, good. 
I don’t hear myself too well, but as long as you hear me, ok, you have to identify who you’re talking to you and then okay, so so i guess we’re going to get through now there are different data needs different ways of conversing about data with data to each of these different audience that’s right ? You don’t have that, right ? Yes, we’re mapping needs and method to the five different audiences and the knowledge that they have tio and the time, right ? So i mentioned the policymaker. They may have some expertise. They don’t have time right on time, don’t time like the researcher. Whereas the researchers, like, get out of my way. Just give me the spreadsheet, all query my own database, okay ? And then also in the spirit of being totally honest, so they have to be honest with yourself who you’re going to deliver the data to, like. If it’s your board, it’s your board and it’s. Okay, you know, and some people are like, oh, this is only for one very specific orders and that’s. Good, you know, because they’re being very, very honest with yourself. Okay, very good. So let’s, start with the ones that are most likely for a small and midsize not to be talking. So certainly data consumer. Yeah. That’s your nose. Your nose could be your donors. I know you’re not calling your donor’s, maybe even just board members. Okay ? Data actor. Maybe it could be any decision maker that could be your board as well. It could be. It could be your boss. It could be somebody who is influencing budgets influencing programming. This is the person who has the power to make a change. So it’s therein you figure out which ones were going teo so they’re they’re in data promoter. That could be a journalist. Yes. Right. So that’s potential. The analyst remind me. What’s what’s the likelihood of a small mid size shot talking to the analyst sometimes yeah, for smaller medium non-profit portable. Forget it. Yeah, yeah. Bonem altum but scale that xero scales up now we’re not going right. 
We’re not going treatable, but let’s, just talk about it, okay ? I think what i think what’s different, though, for smaller midsize non-profits is that the people listening may be the ones doing the analysis themselves. They may not have a supper analyst. Okay. Yeah, and many came from currently hilton foundations. They get smaller foundation. And a lot of us were multiple hats. So someone might be liberta both, but yet, yet they still move every important. Okay ? They’re all in. Okay ? Yeah. All right. So what do we do for the data consumer ? How do we have a retailer to that audience ? Yeah. They’re a couple of key things. That’s. What we need. Yeah. So one is use plain language when you’re communicating to them, they may not know who you are, what you do, why it matters. Plain language is really key. Sometimes people get a little too marketing me. Sometimes they get a little too research. E you need to be able to say what you want to say in a really simple visual with some simple language like you’re talking to your friends. Yeah, we were at a dinner party. You’ve got ten seconds to explain what this is and what matter-ness schooling for. Graphic. That will do it for you or something like that, right ? Or even just like a data point point. Okay, we got to take a break. Tell us, for pete’s sake, think of the companies you can refer and start asking them that’s the first step. Well, actually, the first step is watching the video. Then you start referring the companies and talking. To them, you’ve heard the testimonials from the charity’s. You’ve heard the testimony from the companies. It’s. Time to get that long stream of passive revenue for yourself. Start with the video. That is the first step video. Is that tony dot, m a slash tony tello’s. Now back to courtney clarke and david mask arena from eighteen. Ntc what’s. The summary. Yeah, and a couple of that with something you mentioned visually could be motion. Could be a visual visualization of data. 
It could be a story. It could be a video that couples with the data because just it’s. Just a lot more impact for when you, when you when you pair it, but okay, let’s, start to make sense. Your data consumer is gonna be a lot more interesting story then your analyst or your research eggs ? Absolutely. And during our session yesterday, there are people in the audience who talked. We talked a lot about how we paired data with stories because the narrative makes it so much more riel, it elevates the people that are actually being affected by this data. So there were some great stories about that. Okay, okay. Back-up let’s, go to the well, anything else about the consumer ? I mean, this is this is this is probably our largest constituency. Yeah, so i think the other thing is to be clear about what action you want them to take because your data should support that action don’t just and and actually that came up from an audience member yesterday who said people weren’t being moved by the data and so that’s why they started pairing it with stories and once somebody gets hooked and they feel those heartstrings being cold or they feel that passion rise that’s when you gotta capitalize and be really clear what the action is, whether it’s donating, volunteering on asking for more information yeah, signing up for the male daughter, give us your new gives your email yeah, and think about the safety step back a little bit this like you have to identify goal, like whether you’re trying to accomplish with this data set and it would help you help you with to decide like what to share in how to share that welfare that’s always important place to start gold. What was the purpose of this, exactly what we’re trying to move people and then we try to move people to do and then be clear about exactly called. Okay ? That’s, right ? And the goal is the hardest part. Frankly, knowing the goal is the hardest part. 
It’s on so simple, but it’s like that ask why five times you got to get to the real root of why you’re doing this. All right ? We’re talking about our actor actor. Okay, refresh my recollection, who’s, this decision makers, policymakers, people who are going to make the change that you want, sir. Yeah. Okay. Okay. How do we talk to these people that data. So the format is briefings sometimes it’s in the form of a press release. They need, like, think about a policy maker who has a staff and maybe they have to vote on a bill or make a decision. The staff member is the one who’s calling non-profits calling agencies and saying what’s happening in my district around this topic. So being able to slice your data by topic and location is really valuable to these folks and getting this summary out and again the action. What ? Why does this matter and their actions going to be different than the consumer ? Usually you’re looking for a decision, a vote, something exactly what you want to say more about the actual, i think something that’s adjustable something that if you could package it for them, like staying here, the key takeaways from this a swell, you know, think of this, like, you know, you know, working the communications team. And, you know, we provide press kits for people. And if you could provided that, you know, so so they could easily digest and help, um, guide them through the decision making process, i think will be the key. Okay. Yeah. Okay. And i guess also keeping in mind you you may not be talking to the principal. Yeah, right, right. It could be a staff staff, something. Usually it is so it’s. Gotta be it’s. Gotta be so your your urine for always going through someone to the decision maker way don’t love that. Right ? Twice removed, twice removed from your there once removed from your data. Yeah, it happens. I mean, that’s what ? Any communication, though. Anytime you’re putting something out, somebody could take it. 
Andi at their own commentary around it. That’s what ? The data promoter that’s a that’s a benefit in a risk, right ? Because they could date a promoter could be multiplying. Your audience is your audience, but they could be putting their own message. They could be manipulating the data in a way that may not be true to it. But, you know, were you everybody has had, you know, that journalist didn’t get the quote quite right ? Yeah, you are taking over simplification exactly. If the press often has to do to make something interesting to readers, you know, put in a headline. Yeah, yeah, and the promoter should also think about, like, segmenting looking if they could do, like, a more targeted in a way, like, if they know specifically that they’re going to try to communicate. Teo, i think they’ll be the key as well. And you get to know your trusted data promoters, right ? You know, the journalists or the bloggers are the advocates who you trust, who you align with the messaging around. So identifying those folks or maybe you don’t know them and you do a little research and you find out who you are, where, wes, you need to know within your sector who the influencers are. Absolutely yeah, i get a little bit of research. Goes a long way. Yeah. Back-up how do you feel about the standard press release ? Since we’re talking about the audience of promoters, we’ll be sending it to either of you have, ah, opinion on press releases. Are they outdated there ? Some school of thought that press release is dead. But it’s it’s still being used is using it. You’re still using journalists say they ignore them. Yeah, andi, and honestly goes back to relationship building, you know, like in communications, that our primary key is build relationships with with journalists. So when our press release passes through their deaths, they’d be able to, like sick. Oh, let me take a look at this and then dig deeper into the story for us. Just a little more let’s. 
Talk about building a relationship with a journalist before you want them. Tio, take some action for you to write about you in to quote you on that day’s breaking news. Yeah. How do we build that relationship when we don’t have a need ? But, you know, we want to be in front of the person. Yeah. I mean, honestly, like i just it’s a good old fashioned relation building, you know, you have called them, reach out them email and called, you know, like you have no agenda, but i mean, this marketplace exactly you often cover way. Have coffee, exactly. What a concept. I mean, like, i’m also part of communications network conference, just another communications based non-profit unconference and a lot of journalists attend that and it’s a great opportunity, this plate, this form and ten is a another great form to meet people like i would add to that you need to be you need to understand that audience and you need to be curious about they have their own set of requirements that they’re trying to meet. They’ve got an editorial calendar there. Boss has told them what topics to focus on. They’re looking for. They need they need to youto help them connect the dots. So maybe don’t start with the ask, understand what they’ve been working on for the last month. What stories ? What topics ? And then being able to which, which, by the way, does not mean ask them what have you been writing me out ? It means doing your research before you do the outreach, so that you know, so that, you know, you’ve shown that, you know, you show that you’ve taken the time to know what their beat is exactly not just asking you what do you write about lately ? Well, it’s in the paper buy-in there dubai it’s on it’s, on the site, in the research, and then and then what are you working on next or what’s ? 
The story you’ve been dying to write that you haven’t had the chance to there’s always a good answer for that and there’s a great conversation starter, especially like imagine putting yourself in their shoes, you know, like someone just roundly wants to have coffee with you, but you have no idea who they are didn’t even do any sort of research like and, you know, you have very, very busy schedule, and you have multiple crowdster headlines like we just need to remember they’re people tio don’t waste their time any more than you would waste. Teo spend the time with a potential donor. Exactly ask them what you’re worth. You’re not gonna ask them things that you want to know already write, write, write what is it about our work that he loves ? Well. I’ve been giving to you for fifteen years, i think it’s, probably in my e-giving history, you know, don’t waste people’s time exactly, but but it is important to build relationships with exactly these influences. Okay, i would add to that there channels are largely on social media. If you talk to any journalists, they spend all their time on twitter. So if your twitter gene is not great it’s time it’s time. Learn what hashtags there using. Follow those channels, see who they’re following. See what they’re talking about. A great way to do research on also how to start to engage early on, even if it’s just observing. Okay. Okay. Very good. Okay, so i want you. I want to spend more time on that. I want to check my mike. Want to make sure that everything is good here. Okay, a little insecure about the way i sound. I don’t know. I sound you don’t sound good to me, it’s. Not okay to you, though, right ? It’s ? A little soft. Like i can hear myself. Really ? I could hear myself, teo. You don’t hear me. According to richard it’s. Not as clear. Yeah, in-kind okay. And give. Myself a lot more volume. All right, now, my too loud. Ok, it’s. Good. Allright. Thank you. Time for our last break. 
Hoexter give quote, i compared a bunch of companies in my search for it hoexter donate company and text to give is the best hands down. They have b been beyond helpful. I can’t imagine anyone doing this better exclamation mark end quote that’s lauren bouchard from global commission partners in clermont, florida. Satisfied ? She is with text to give you will be, too for info text npr to four, four, four, nine nine, nine. We’ve got several more minutes, and here they are for map your data to your audiences. Let’s, continue the analysts. Right. Data analyst. Refresh our recollection. David who is this ? So this is the data expert this’s. The staffer that’s or consultant ? That would help be a read data. Okay, and analyze it for you, like they be in a foundation. Now. I like the way i sound better. Okay ? Like they’d be a foundation program, officer. It could be. Is that an example or no, i’m not necessarily. I mean, it could be a learning officer for the foundation meeting the one. Who’s like analyzing all the learning and data sets. Ok, he could be a data manager, you know, within an organization. Where would you ? Where would you put a program, officer out of foundation ? Someone who’s evaluating your grant proposal. Where ? Where would they fit in these audience ? Most like, i mean, it’s a little bit of both between the consumer and the actor, to be honest with you, because they’re both a decision maker. So they’re going to read the data and they’re also going to get this just like, okay, this is how my program is going and here’s how i’m going to act upon it. And here’s how i’m gonna adjust my strategy with it. Okay ? Yeah. All right. So, let’s, go back to the analyst. How do we, uh, david ? You keep going. What do we do with this ? How do we talk to the analyst with our data ? Go. No. Gosh, just give it all to them. Honestly, rod, they love him. They loved it. They love spreadsheets there. Said if they see a string of numbers, imagine like matrix type of thing. 
They’re like oh, my gosh, this is habit. Okay, okay. Yeah. It’s that simple ? Well, they have, i would add that they usually have the domain a knowledge. Do you think of a policy maker ? They haven’t education expert on staff or they may have an expert in international relations it’s that person who knows the domain quite well and feels comfortable digging through the data and furthermore to add to that, too is like if he providing which your goals and what your strategy is for and what they’re trying to provide the otherwise they’d be able to help you got guide you through the breeding process say more about that ? Yeah, what shit a little bit, so think of him like, you know, like, if i’m like, if i am se the heather communications in the foundation and i’m like, i’m gonna talk to a data analyst we’re trying to accomplish x can you help me read through this day that what types of data sets can leave first collect and what’s up days says comey can provide so they’ll be able to accomplish that goal, then they were able to narrow down because otherwise they could they could. You stand in any sort of ways, but if you provide some sort of direction or gold. They’re able to, like filter things a little bit better for you. Okay, yeah, very good. Really good. And our last left audiences the researcher buy-in courtney yeah, the researchers are get out of my way and give me this red sheet they the like they may scan through your infographic, your visualization, your query tool. But really, they’re going to build their own query tool. They’re goingto grab that they’re the ones who are in sequel making pivot table like they’re doing all of it. Okay, we have jargon jail on twenty sequel i think people will know, but i’m going to pivot table. Alright, excel itself. 
Okay, sorry, i’m taking a data analytics class so i’m learning this stuff, so i’m excited to be able to talk about it just dropping, dropping top, but, yeah, i imagine you’ve got an excel table that is so large that you can’t open it x l can’t open it. That is what these researchers are are working in and they’re very comfortable working in and they’re the ones who may even be collecting data as well as analyze sing it for themselves, so think of it like a like a layer deeper than unless they got analysts who may rely also some visualizations. And of course, like a deep amount of pressure. But these guys are like they’re just like neck or forehead, deep of like numbers and data, and they want to do everything themselves. Yeah, yeah. So one one important thing here we have worked on a number of data projects and for non-profits or foundations any group who wants to attract many of these audiences, the keeping with researchers is you have, like, the get data page or sometimes we’ll put it in the footer and it’s, like, just download the excel spreadsheet because i keep saying it, but you got to get out of their way. Just give them what they want, okay ? Okay. We have, like, another minute and a half or so do you have tools ? And, uh, in your description, you mentioned choosing the right data tools. Any tools we can introduce briefly that you like, i mean, to be honest and this is like, tio, you get off being out of keeping it will be really hash tag riel here, please place if you’re old website have google and alex installed. I mean, you’d be surprised how many webs are out there and smashing non-profits believe that twenty nine, twenty nine percent of them are using do or not. Okay, okay did not have google and licks and police bare minimum do that and they said, like have i think the fun ? Nothing is like have goals, you know, before it was like before you venture into the day the world ? 
Yeah, there is there’s a great study that every action did called the state of non-profit data. And you can it’s from twenty sixteen. But it’s a great read a page i recommended. Okay, we’re gonna leave it with we’ll leave it there without recommendation. All right, all right. They’re courtney clarke, managing director of user experience at forum one. And david mask arena digital communications manager at the conrad hilton foundation. Courtney and david. Thank you so much. Thank you so much. Pleasure. This interview along with all of our eighteen ntcdinosaur views sponsored by network for good, easy to use dahna management and fund-raising software for non-profits. Thank you for being with non-profit radios coverage of eighteen ntc next week the buy-in bitches getting buy-in from your leadership. If you missed any part of today’s show, i beseech you, find it on tony martignetti dot com, responsive by pursuing toe online tools for small and midsize non-profits data driven and technology enabled. Tony dahna slash pursuant capital p well, you see, piela is guiding you beyond the numbers. Bradunas cps dot com by tello’s, credit card payment processing, your passive revenue stream. Durney dahna slash tony, tell us and by text to give mobile donations made easy text npr, to four, four, four, nine, nine, nine a. Creative producers. Claire meyerhoff, sam leave lorts is the line producer shows social media is by susan chavez. Mark silverman is our web guy, and this music is by scott stein. You need me next week for non-profit radio. Big non-profit ideas for the other ninety five percent. Go out and be great. You’re listening to the talking, alternate network, waiting to get you thinking. Dahna good. You’re listening to the talking alternative net. Are you stuck in a rut ? Negative thoughts, feelings and conversations got you down ? Hi, i’m nor in sumpter, potentially ater tune in every tuesday at nine to ten p m eastern time and listen for new ideas on my show. 
Yawned potential. Live life your way on talk radio, leo dot n y c geever. Hey, all you crazy listeners looking to boost your business, why not advertise on talking alternative with very reasonable rates ? Interested simply email at info at talking alternative dot com. Do you like comic books and movie howbout, tv and pop culture ? Then you’ve come to the right place. Hi, i’m michael gulch, a host of secrets of the sire, joined every week by my co host, hassan lord of the radio godwin. Together, we have, over fifteen years experience creating graphic novels, screenplays and more. Join us as we bring you the inside scoop on the pop culture universe you love to talk about wednesday nights eight p, m eastern, talk radio, dot and wives. Dahna did you know you’ve been playing poker your whole life, even if you’ve never played a hand of cards ? Hi, i’m ellen lake and author of polka woman and host of the new show. Poker divas on the show. I talk about poker strategy helps you win in business, life and love. Tune in live every thursday, one p, m to two p m eastern standard time on talk radio dot n y c you’re listening to talking alternative network at www dot talking alternative dot com, now broadcasting twenty four hours a day. Are you a conscious co creator ? Are you on a quest to raise your vibration and your consciousness ? Um, sam liebowitz, your conscious consultant, and on my show, that conscious consultant, our awakening humanity, we will touch upon all these topics and more. Listen, live at our new time on thursdays at twelve noon eastern time. That’s, the conscious consultant, our awakening humanity, thursday’s twelve, noon on talk radio. Dot buy-in. Dafs you’re listening to the talking alternative network. Yeah. Buy-in.

Nonprofit Radio for May 12, 2017: Your Cyber Risk & Beyond Online To IRL

I love our sponsors!

Do you want to find more prospects & raise more money? Pursuant is a full-service fundraising agency, leveraging data & technology.

It’s not your 7th grade spelling bee! We Bee Spelling produces charity fundraiser spelling bees with stand-up comedy, live music & dance. It’s all in the video!

My Guests:

Marc Schein: Your Cyber Risk

Bad things can happen to all that data you store on donors, volunteers, employees, vendors and others. But, there are ways to minimize your risk and protect your nonprofit if a breach occurs. Marc Schein of Marsh & McLennan Agency shares his wisdom.



Maria Semple: Beyond Online To IRL

Maria Semple, our prospect research contributor and The Prospect Finder, reminds you that real-life conversations (remember those?) can tell you so much more about your potential donors than online research. Book those meetings!


Transcript for 339_tony_martignetti_nonprofit_radio_20170512.mp3

Processed on: 2018-11-11T23:40:51.720Z
S3 bucket containing transcription results: transcript.results
Link to bucket: s3.console.aws.amazon.com/s3/buckets/transcript.results
Path to JSON: 2017…05…339_tony_martignetti_nonprofit_radio_20170512.mp3.365018991.json
Path to text: transcripts/2017/05/339_tony_martignetti_nonprofit_radio_20170512.txt

Hello and welcome to Tony Martignetti Nonprofit Radio. Big non-profit ideas for the other ninety five percent. I’m your aptly named host. Oh, I’m glad you’re with me. I’d go into burbage oration if you repeated the idea that you missed today’s show. Your Cyber Risk. Bad things can happen to all that data you store on donors, volunteers, employees, vendors and others, but there are ways to minimize your risk and protect your non-profit if a breach occurs. Marc Schein of Marsh & McLennan Agency shares his wisdom. And Beyond Online To IRL. Maria Semple, our prospect research contributor and The Prospect Finder, reminds you that real-life conversations, remember those little things, can tell you so much more about your potential donors than online research. Plus, she has conferences you need to know about. On Tony’s Take Two, I’m wagging my finger. Sponsored by Pursuant, full service fund-raising, data driven and technology enabled, you’ll raise more money, pursuant dot com, and by We Bee Spelling, supercool spelling bee fundraisers, we b e spelling dot com. Here is Marc Schein with Your Cyber Risk. I’m very glad to welcome Marc Schein to the studio. He is a risk management consultant with Marsh & McLennan Agency and an authority on cyber insurance, providing strategies to protect sensitive employee, customer and business information. He’s a CIC, a CLCS and RIM, to find out that very shortly, and the company is at M M A hyphen N E dot com. Marc is at M Schein, that’s S C H E I N, C I C C L C S. Marc, welcome to studio. Thank you for having me. My pleasure. Coming closer to the mic so we can hear you even shatter. Okay, um, we want to talk about cyber, cyber exposure. Would you share what it is, define it for us first, so everybody’s talking about the same thing. Sure. So when we look at a cyber attack, you know, certain industries think that it has to do with a nation state coming and hacking and things of that nature. Which, which it does, it could be. Which it does, absolutely. 
Okay, but there’s other exposures that really come to light as well. The idea, we look at information and the type of information that businesses or not-for-profits have. And it really falls into three silos. Personally identifiable information, PII: nonpublic names, phone numbers, Social Security numbers, email addresses, physical addresses, things of that nature. Ok. Then when we look at PCI, the payment card industry, that’s really looking at the credit cards. How many credit cards do you have on file, that kind of, that kind of information? And then you take a look at PHI information, which is the health care information, and so we look at it from three different, from three different segments. And for not-for-profits, when we take a look at it, typically the way that they’re asking their donors to donate is via the website, and when they go on to the website, typically what we’ve seen from our clients is you have to put in your name, your address, your email addresses, personal, personal info, a tremendous amount, and then they ask you for your credit card information in order to make the donation. So now when we look at not-for-profits, several years ago the cyber exposure didn’t necessarily exist. Now there’s certain first party legal responsibilities in the event of a data breach that these non-profits have to comply with. Ok, ok. And you mentioned a whole bunch of acronyms, PCI and C I A, which I’m glad you’ve defined, because on Nonprofit Radio we have jargon jail and I would hate to put you in there on the outside. Sit on. It reminds me that I forgot to go back and look at your acronyms. So you’ve got a bunch of letters after your name? Yes. Ah, I see. I see. What’s the CIC? Commercial. Certified Insurance Counselor. Sort of what you even get. Confuse yourself, eh? So many. So many Cs after my name that, yeah, there are. There are three. Ok? So Certified Insurance Counselor. 
And then you’re also a CLCS. Yes, Commercial Lines Coverage Specialist. Commercial Lines Coverage Specialist. Now you must be especially proud of those because those were in your Twitter ID. Yes. Okay, but then RIM, what’s this RIM work? You know, what’s RIM? I’m not sure what the RIM that you’re referring. RIM, R I M. Responsible. The responsible, that RIM Council. I sit on the RIM Council for the Ponemon Institute, which is the leading organisation for cyber stats in the country. Cyber stats. Ponemon, the Ponemon Institute. Looks like Pokemon but it’s not a problem on that end. Exactly. Okay, and RIM is Responsible Information Management. Correct. At the Pokemon, that, the Ponemon, the Ponemon. Sorry. Alright. Thank you. Okay, um, all right. So we’ve got your credentials are clear. You got a lot of letters, a lot of professional certifications. All right, um, now I, I mean, when we think of cyber breaches, I mean, I think of Yahoo and Target and even the Democratic National Committee. I mean, these highly sophisticated organizations, I think, at least in terms of IT. I would think that if they are vulnerable, then surely small and midsize non-profits have vulnerabilities to be concerned about. Sure. So, so what you’re saying? And again, we’re not going to comment on any specific client just because of the nature of the business and who we are. But what we’ll talk about is the exposures they all do face. And I mean, if these big organizations are at risk, with Yahoo five hundred million user IDs and, you know, passwords and things, right? I mean, this is, so again, when you’re looking at a hacker, forgetting who the company is, you take a look at the breaches that are going on. They’re now targeting the vendors of some of these larger entities because they realised that the vendors don’t have the same protocols. 
They don’t have the same budgets to implement the cybersecurity best practices that some of the Fortune one thousand companies that, you know, you previously mentioned have. Alright, so sometimes it’s a, something that’s a contractor’s. Exactly, it’s the low hanging fruit that they’re looking for. All right, so there’s a real easy. They don’t want to work any harder than anybody else does. So if they’re able to get into a smaller entity who has access into another larger entity, well, that could be the treasure trove that they were just looking for. Okay, so that raises a good point. If we are outsourcing any database management, in terms of the type of data that you were talking about, those three different categories, we need to be sure that the vendors we’re hiring have either insurance, well, insurance, which we’re going to talk about, and/or, and really should be and, high, high levels of security. Correct. So we gotta make sure our subcontractors, our vendors. Basically, you want to make sure that you’re doing your due diligence when it comes to your vendor selection. That’s a very important step, and it’s something that businesses are now starting to pick up on, something that we at Marsh & McLennan Agency recommend when we’re talking to our clients, and you hit the nail on the head. Ok, ok, it doesn’t happen often. So thank you for acknowledging the one of the rare instances. All right, right now, if we happen to be, ah, ah, a target or a victim of, ah, of a cyber exposure, um, the first thing that occurs to me is bad press. Yeah. What else? What are the risks that we suffer? I mean, not in terms of the data, but just in terms of costs and things like that. Sure. So, so when you look at a data breach and you see what the average cost of a data breach was, and, you know, the Ponemon Institute, which we just referenced, the average cost of a data breach was about seven million dollars. 
In two thousand sixteen. And when we look at it, what is the first party legal responsibilities that the business has, or the non-profit has to do, in the event of a data breach? First, they have to notify. They put in a call to their insurance broker. They want to put the carrier on notice, let them know that the possibility of a claim might be coming down the pike line. Let them work with the preferred providers that the cyber insurance provides to the entity. Then they’ll work with the data breach coach, which is the attorney who lets them know what their first party legal responsibilities are, going forward. And then the notification, because you not only have to notify the affected individuals in your not-for-profit that were affected, but you also have to notify the state attorney generals where those individuals reside as well. Okay, all right. We’re gonna unpack some of that. We got to go out for a break. When we come back, Marc and I are going to keep talking about that and some of the other, the hard costs of recovery. And then, of course, the ways of insuring against a loss. Stay with us. You’re tuned to Nonprofit Radio. Tony Martignetti also hosts a podcast for the Chronicle of Philanthropy. Fund-raising Fundamentals is a quick ten minute burst of fund-raising insights, published once a month. Tony’s guests are expert in crowdfunding, mobile giving, event fund-raising, direct mail and donor cultivation. Really, all the fund-raising issues that make you wonder, am I doing this right? Is there a better way? There is. Find the Fund-raising Fundamentals archive at Tony Martignetti dot com, that’s M A R T I G N E T T I, remember there’s a G before the N. Thousands of listeners have subscribed on iTunes. You can also learn more at the Chronicle website, philanthropy dot com. Fund-raising Fundamentals, the better way. Welcome back to big non-profit ideas for the other ninety five percent. 
We’re talking about cyber exposure, cyber breaches and what can happen if you and your constituents are a victim, with Marc Schein, risk management consultant with Marsh & McLennan Agency. Okay, Marc, um, right before the break, we were talking about notification. Yes. All right, you gotta let the individuals know. Yes. And the individuals that were affected, that information could be compromised. Attorney general, you mentioned. So in the state where the individuals reside, you have to also notify that state attorney general. All those states? Exactly. Could be notifying fifty. Well, forty, general, forty seven different states have forty seven different state breach notification laws, which make it so complicated in the event of a major breach where you have donors, you know, across multiple different states. What are the three states where they don’t care about their residents’ breach of data? Where those three states, when the close call in after we’ll play the game and we’ll let them call in and figure out if they could guess that. Oh, we don’t have, we don’t have live callers. Okay, you got to reveal it. Shocking. What are the three? Sure, so, it’s, some of the provinces. Provinces, yes. We have forty seven different states that have it. It’s, I put you on the spot. Hey, gip. No, no, it’s not a problem. Okay, I get it. I’ll get back to way. We got about fifteen or eighteen more minutes. Ok? That’s right. Just seems to me like those states aren’t protecting their citizens in this narrow respect. Okay, um, attorneys general, individuals, of course. And you mentioned carrier. If you have, ah, if you have a cyber insurance carrier, they have to obviously know also. Exactly. Because the cyber insurance pays for these exposures, the first party legal responsibilities: the notification that we just went over, then the forensic cost. You need to figure out how the breach happened. What did they take? When did it stop? Did you fix the issue now? 
Carries will pay for the forensic investigation. You also have to provide credit monitoring for the affected individuals. Roughly about twenty dollars per an up individual to provide credit money. Let me ask you about that part. The credit monitoring that i’ve seen the breaches that i’ve been notified about. It’s so it’s. Always been a year. A year of credit monitoring could be too it’s. Okay, i guess i haven’t been lucky. I’ve always been one, so now is that? Is that really valuable? Because i’ve read that this data is actually valuable three or four years later, after it’s been sold and those of us who are the victims have for gotten about the breach, so we’d like we can’t identify where it came from because it’s like two, three, four years later and the credit monitoring is long expired, then sure is that is that true? I mean, is the data more valuable to up to a bad guy? A few years after the breach? Typically the data when it’s out in the market, it’s its most valuable when it first comes out first, comes out when he first comes out. Precisely. You know you look at you. Look at a credit card. You know my credit card has been compromised before. Where there’s been fraudulent charges the next day, my credit card provider sends me a new credit card. Right? Ok. Ok. Credit card. I could see that. But what if it’s ah, date of birth. The address, you know, maybe maybe it’s password to for ah site. I mean, does that? It doesn’t have residual value, you know. Like, years later? Sure as well, you always want to make sure that you have it for when you’re when a company is goingto offer credit monitoring in the event of a data breach, you always want to make sure the year taking the full limits of whatever they’re giving, whether it’s a year or two can information be used. Five, six, seven, ten years down the road. Yeah, absolutely. 
But if the entity is going to be able to provide you with two years of credit monitoring, it’s better than running around without, after your information was just out there compromised. Okay? And I guess in terms of the credit card example, that it would cover you that way, but usually those get, as you said, it was get canceled immediately. All right. Um, all right. So we’re going to get to the insurance, you know, like the details of insurance. Um, so does that, does that cover, like, what, that cover everything that the organization should do if they do suffer a breach? These, these notifications. Anything else? So, so they provide the notifications. They deal with the data breach coach. They could do a forensic investigation. You know, some entities will be responsible for PCI fines or penalties or reissuing debit cards or credit cards. These are all different coverages that can be now implemented within a privacy and network security policy within insurance. When we look at most other insurance policies, whether it’s worker’s comp, general liability, ah, professional and, you know, exposure, whatever it may be, it’s all based off of an ISO form, and with the ISO. Whoa, jargon jail. Okay, ISO form. Yes, what’s ISO? So ISO is the Insurance Services Organization, and what they are is they basically provide a vanilla form or vanilla suggestion, and each carrier’s then able to change it a little bit, and that’s what they have done to help develop property, liability, auto, so on and so forth. When we look at cyber, there is no ISO form, so one carrier can be all the way on one side of the room offering terms and conditions. Another carrier can be all the way on the other side, and the prices and the terms can be wildly different. And the coverage is. Okay, okay, we’re still going to get to that. More detail. I want to flesh out a little something that you mentioned now twice. The data breach coach? Yes. What is his or her job? Who is that? Sure. 
So typically, what happens is each insurer will have ah, panel counsel or they’ll let you select your data breach, coach. And they will walk you through what your liabilities are, who to speak to who, not to speak to what you should be saying. What? Just not what? Your first party legal responsibilities are there going to be your end? All be all guide. Okay? On dh, they come from the carrier. Typically us okay? Or recommended by the carriers, like, typically comes from a panel counsel that the carriers have already selected. Ok, ok. Um all right. So why don’t we get into a little bit of detail about, um, different types of policies now, there’s there’s to protect yourself? Particular organization? No, that i know. There’s. Cyber insurance and there’s cyber liability. These two different categories of coverage. What? We’re all interchangeable. Okay, so same thing. Really? Okay. Privacy in network security is the technical term cyber insurance or cyber liabilities? The street name, if you will. Ok, i’m a street guy. We’re going to be okay, so what what what are we looking for? If where if we want to be out in the cyber insurance policy marketplace, what features should we be looking for? Well, you think it really depends on, you know, the entity and what their concerns are, because you want to make sure that this coverage specifically is highly customized for the specific business, so one of your not-for-profits that might have five hundred employees might have a dramatically different exposure than a company who has fifty employees out in north dakota, so we need to again figure out what their true exposures are. 
So we work with a client like we do on a daily basis, talk to them, figure out what their risk tolerance is, because cyber insurance, although it’s a technical challenge, the risks still is transferred to an insurance carrier or it’s held within to ah, an anti itself now are their policies that are for small organizations like suppose an organization has just eight or ten employees, maybe they have fifteen hundred donors, two thousand donors, they have some credit card info that they’re saving, which i guess we’re talking about whether they really need to save it. Or just transact with it, but they’ve got they’ve got that they’ve got some personal information because they like to send paper mail as well, and they’ve got is email addresses. Is there coverage for, ah, smaller organization like that? Absolutely they i mean, you could get privacy in network security first, a company smaller than that. Ok, eso eso absolutely size is not an issue when it come comes to obtaining this type of coverage. Okay, um, i don’t suppose it’s possible tow the premiums could are gonna vary wildly depending on what the what the risk precise exposure is like. So you can’t really ask, no point really, and asking what? Like what a premium thing would look like. All right, i don’t think, you know, i mean, you hit the nail on the head. It varies dramatically between the amount of records that you have, the type of information that you’re collecting the way that you’re storing the information, all of those play factors. And when trying to quantify what the premiums would be a first, i relied bilich policy, i have no one had twice, twice in one interview. 
It’s don’t get that’s a record, thank you now should i should’ve vendor of of these kinds of policies be able to help you determine whether you’re saving info that you don’t need to save and, you know, going to the point that you just mentioned if you are with the info that you are safe, so are you savings stuff you don’t need to do and what you are saving. Are you saving it in the right way under security under the right security? Is that is that part of this or that something separate? No, no, it’s absolutely. We want to make sure that we understand the culture of the business, and we want to make sure that they take cyber security to the highest regard in two thousand seventeen. This is one of the crown jewels, the intangible information that a business has on their donors, their clients, etcetera s o typically, what we like to recommend is some type of vulnerability and penetration testing an ongoing test that will say where where you guys are from a security standpoint right now, what the culture looks like, which changed? Andi in-kind gives you a snapshot in time of where we currently stand. Oh, this sounds like a very sophisticated vulnerability and penetration testing. Correct? Excuse me. Who does the who runs a test like that? I mean that something has been sighted. Offers cybersecurity firms, firms. Okay, it doesn’t have to engage a firm. Exactly. Go on, attack your precisely your size or your social media ate your internal networks, your servers, that nature. Exactly. Okay. Um, all right, what else? What else should we be thinking about? Is we’re going out into the marketplace? E think it’s, even before you go out to the market place that’s really, what your listeners need to think about is the proactive steps that they could do in order to make themselves a better risk. So when they’re out in the marketplace, a carrier wants to give them more favorable terms. 
So doing things like creating an incident response plan that basically says who’s in charge of what information who’s going to be notifying who in the event of a data breach which information was classified? Where, who had access to what? All of those different types of questions you want to make sure that you have that document in hand? It’s kind of like a fire. Drill back when you’re in elementary school, you want to make sure when the fire happens, you knew exactly where to meet the teacher the you know, the corner of the road, it’s the same thing when a data breach happened, you want to know exactly who is going to be dealing with the vendors and who had access to the information. The time to figure this out is before breach not after you in a crisis, their precise that’s the third time in the interview here, here, if they knew this guy’s coming back. Oh, my god. Okay, yeah, you’re in crisis and yeah, all right, what else? Things. These are things that you mentioned underwriter. So these are things you can do that will bring your policy, your premium down, you’ll look more favorable to an insurer. You will be a more favorable real scared. The more that you put involving your in growing efforts on cybersecurity, the more better off that a business is going to be going forward. Okay, don’t see intangible property going away any time soon. More people more aunties or collecting mohr information in two thousand seventeen than ever before. There’s a trend? That’s not going away. So we advise our clients to be proactive rather than reactive when that’s what we work with them on what else besides the incident response plan, could we could we be doing proactively? Sure what you want to engage with attorney to again draw the instant response plan? You will make sure you doing your vulnerability and penetration test. That’s what? 
I want to deal with your cyber insurance broker to make sure that things on the applications are actually being done and you’re not making a material misrepresentation when filling out an application. So if you spat that’s bad. Absolutely. If you’re claiming, claiming you have a plan or you’ve done vulnerability testing or something, and then, then there’s a claim, and it turns out that you haven’t. Yeah, yeah, that could be trouble. Precisely. We don’t want to lie on an application. We make sure that our clients are truthful, and we work with them to find the best carrier for their certain circumstances. Okay? Okay. Anything else we can do proactively before we’re in crisis mode, or, you know, we just, maybe it’s part of our strategic plan, we’re planning for this? If there’s one thing that I can recommend to the management of the not-for-profits that listen to this organ, this radio station, you want to make sure that you’re training your employees. The employee error factor can be the difference between a data breach and a non data breach. If they know what to look for in terms of a phishing attack, that can lead to some type of ransomware. These are all types of methods now that entities or individuals are using to try and breach a company, so we want to make sure that we train our employees thoroughly. What to look out for, what to click on, what not to click on. That’s one of the biggest things that I would recommend when I go out and I do my talks, is employee training, because employee error unfortunately causes a tremendous amount of breaches. Ok? Yeah, we’ve been thinking about the bad actors coming in, but you can keep them from coming in. Precise. Don’t click on the attachment that you’re not expecting or doesn’t look familiar to you. Yeah, and on the same point of the employee training, what happens when the employee sent an e mail to Jane Doe and it’s supposed to go to John Doe. 
And now all of that census information or the credit cards from your donors are now out there in the public. Well, now you have a data breach. So again, making sure the right protocols are in place. So an email doesn’t get sent. Teo, you know john dahna supposed to go to change original employee training. I can’t stress it. Enough is one of the biggest thing. I get your passion here. I feel it it’s it’s palpable in the studio. What else can we be training on them? This because this is valuable for people who even may not be. Then there may not be in the insurance marketplace or they may not be out looking. But but there are things that they can do to help protect themselves. Or what else can we include in employee training around this? Sure. You wanna make sure the policies and procedures in place classifications, policies things of that nature. Pacification of the information. What information was segmented? Was all of your information on your server? Was the secretary ableto access the same information? Is the ceo yes, levels? Right. So levels of employee access exactly. People classification. Okay, okay. You find that in database precise programs are apt aps typically, you know, somebody’s a super user. Only certain people can see social security numbers. Percent have access to things like that. And you want to make sure again the ceo is able to see certain information that perhaps the you know, the rank and file doesn’t necessarily need to see. Okay, so if there’s information out there that is highly sensitive and employees don’t need to see it there’s no actual there’s. No reason to give them access to it. Right? You have a business need exactly exactly, exactly so, it’s, just again. Doing your due diligence ahead of time rather than post. Ok. Anything else? Try employee training. This is gold. This is charlie’s gold for listeners. So what else can what else could be, including employee training again, i think we hit on a bunch of the major. 
But this way, you know, if you like one of your guests, i could put you in touch with a good friend of mine who does some of the training. And they could go into more detail. But my really okay experiences qualifying. Quantifying what a breach could come or cost and not for profit. And how come the bottom line of their piano? Right. Okay. Okay. Uh, now we still have some more time left. Eso let’s. Okay, like two or three minutes left to share. What happened? I asked you that you want to talk about i think the trends of the way that the breach has been happening. We’re seeing now certain thie carriers are now changing the policies because of the way that the attacks are happening. You know, what’s happened things like social engineering, social deception, that’s now you can now get incorporated into the cyber liability policies. What is this social engineering, social deception with so have you have you have you heard about the types of emails that are coming to the c suites? Were the rank and file from the c suite saying, can you make a payment to x y z company? We’re looking to acquire somebody, right? We call it voluntary parting of funds and this is now the need for a holistic point of view from a risk management standpoint when looking at a cyber exposure because this is a part where the crime policy and the cyber policy can interline to try and provide coverage so it may not just be crime may not should be cyber, but if yu of the overlap of the two, that might be the best form. So we want to make sure that we truly again understand the client specific needs. Because what we talked about today was all generalizations way need to understand their actual risk profile that you mentioned a crime policy. Now, this is something we haven’t talked about. This is something unrelated, right? Precisely. Coverage against crimes against the organization. Different types of crimes. Could be. 
You know, for this, the voluntary parting of funds, if somebody’s willing to transfer monies if sounds so innocuous. Voluntary parting of funds that sounds like i write my niece a check. That’s a voluntary parting of fund. I gave her fifty dollars for a birthday. It was young that’s. Why? Fifty dollars is enough. Don’t you think, uncle, you wanted to give you you needs to fifty dollars. Typically when these air going on this is ah, bad actor that it tricked and employees to release the funds like your example? Okay. Precise. Alright, thank you very much. We’re going to be there. Absolutely. Thanks for having me. Thank you for being in the studio. Mark shine. You’ll find him at m a c h e i n and then his credentials c i c c l c s thank you very much again, mark. Thanks don’t appreciate the very timely discussion we had because just today ah, sixteen health facilities in britain were breached. People couldn’t reach their own data. Medical facilities couldn’t reach patient data. Patients had to be diverted. So that’s, just today’s headline we got maria simple coming up with beyond online to hell first. Pursuant, they’ve got a new paper it’s free. Of course. Lots of free content from pursuant breakthrough fund-raising achieved the impossible with a new way of thinking. What is brick troop? What does break through thinking? And can you say it? And how do you get it? To help? Ah, use it to help you overcome your organization’s challenges like speaking and moving lips and tongue in move in precise ways that will actually form syllables which turn into words and sentences. How do you do that? Breakthrough thinking of course. How do you set a breakthrough outcome? How do you make sure that that outcome is going to reach far enough and achieve something that seems out of reach to you? But is not all right identifying actionable strategies to create a culture of breakthrough that’s, what’s all in this paper? 
Learn breakthrough fund-raising you can learn it, go to pursuing dot com click resource is than content papers. I hope you have more success reading it. Then i did talking about it. We’ll be spelling. Do you need to raise more money? One engage millennials, perhaps host of fund-raising spelling bee it’s a night out at a local place that’s devoted to raising money for your non-profit check out their video at we b e spelling dot com, and they get in touch with ceo alex greer. Very nice guy, stupid, stupendous guy, he’s an amazing guy. I love this guy, alex career ceo on duh you’ll find out more he’ll fill you in now. Time for tony’s take two. Are you properly registered in each state where you solicit donations? I’m wagging my finger at you if you are a northern louisiana charity, perhaps and you’re sending email to southern arkansas needs a register in both states if you’re in eastern oregon non-profit and you’re hosting an event in western idaho, you need to register in both wherever you are. If you mail solicitation pieces to retirees in florida, you need to register down there. Don’t get caught with your shorts down, please. That reminds me i wrote that. But then this reminds me of ah, this company truck that i saw once said ganz or electric, let us check your shorts. I love that. Ah that’s another that reminds me of another one. Um, it was roofing fiedler roofing it’s only done right if there’s a fiedler on the roof. I love those. I don’t know if ganz or electric and fiedler roofing. They’re out there somewhere. Okay. Charity registration back to that. I can help you. If you want help, i can help you do it. The video explaining what you got to do and what this is all about is that tony martignetti dot com. And that is tony’s. Take two. You probably very much looking forward to maria semple because i’ve i don’t know. It’s it’s, philo rough today. So let’s zoho maria semple to do a lot of talking and ill will just have sam bring my mike down. 
She’s the prospect finder she’s, a trainer and speaker on prospect research. Her latest book is magnify your business tips, tools and strategies for growing your business or your non-profit she’s our doi and of dirt cheap and free she’s at the prospect finder dot com and at maria simple. Welcome back, maria. Thanks for having me, it’s. Great to be here. And you’re in the studio today. Absolutely. That’s that’s, always special in the studio share is it’s not a great day to be in the studio with me, even though the first part was pre recorded. I don’t know how you can help me change the trajectory. There you go of my performance. Yeah, don’t don’t take your mic down because then it’s no fun. Okay, well, that’s ah, today that’s a debatable question. Typically, i would agree with you. All right, so we’re talking about going on beyond online and this is actually a topic that i think brought you and i together in early days, back when i used to write blawg posts actually write words i wrote something. On the value of going not only is researching online, but the value of actually talking to your potential donors, and i’m pretty sure you commented on it. Yeah, probably, yeah, there was one of the only things yes together. Yeah, yeah. So, you know, so many times when you think about prospect research and even on the shows that we’ve had, we’ve really focused a lot on the online stuff, you know, the technology and, you know, how can we get information? But, you know, we we haven’t spent a lot of time talking about, well, what are some of those offline strategies, those people, two people strategies that you can use to elicit cem, great information. 
And, you know, sometimes when i’m sitting there typing up profiles on individuals, there are things that i just, i guess, out of curiosity really want to know about that person, you know, i want to know more about what makes them tick and, you know, the strength of their marriage, strange from their kids, like those kind of questions, maybe no, but we have to get along with her parents just really what, what, what their interests are what are they? Really doing in the non-profits more conventional. Yeah, yeah. How are they spending? You know, even how, but but maybe even how are they spending there? Ah, they’re free time. Like how do they spend it? Are they volunteering? Are they? You know, vacationing? Are they advocating? You know, what are they doing so very often? I wish i could, you know, call up that person that i’m researching and say, hey, i got a couple of holes missing here in this profile and a love to ask you a few questions, and i have thought and going back to that blood posted i wrote years ago, you know, talking to the person and there’s other people who could talk to do we’re going to we’re going to talk about that, but talking to the person i’ve always thought is just a great source of information just ask open ended questions, right? And you find out about not only about their interests within the organization, but they’re family circumstances where they like to vacation, you know? I mean, who they who their friends are that might be affiliated with the organization that they might be willing to bring in and you know, you just you find out so much if you would just, uh yeah, talk to people. Absolutely, absolutely. So, you know, if if you know, if you’re doing the prospect research for the organization, i’m going to give you some some questions to think about. 
But also, you might think about ceding your your your development staff, your executive director and you’re bored with some of these questions that they might just curious, you know, in their conversations with people they might be ableto ask so that you can fill in maybe some some holes that you might have on the donor profile that you might be, you know, compiling on this person or just, you know, at some point filling in night now you and i have talked about boards being valuable for prospect research and occasionally or you think you advocate even regularly making part of boardmember or period board meetings or periodically list of prospects? Yes, a swell as institutional funders, funders and people thes air these these are the people in the organizations that are on our screen right now. Yeah. How can you help us with any of these? Right? Right. So it could be it could be through that process that you could elicit the information another way you could potentially do this is, you know, tony, you’ve, you’ve probably heard this phrase where if you want to get money, ask people for their opinion, has them for their opinion and they’ll give you money. So if you can figure out a way, tio, engage people either through a formal feasibility study or bring together some sort of small focus groups where you’re really getting people engaged and asking them questions and making sure that they understand there’s, there’s, there’s nothing behind this, we’re not you’re not being brought in the room to to solicit you in any way. We just really want your opinion, and i think that people start to feel more engaged and and committed to an organization once they understand that. Oh, you know that they want to know what i think about this organization and how to move it forward into the future. So, you know, i you know, kind of came up with my top ten questions that i thought i would love to ask, okay? Okay, we’ll get to those, um we’re going to get there. 
Um, so we mentioned the board as a good source. Focusedbuyer oops, sorry, focus group staff, you’re you’re you’re might be development staff, but not necessarily could be staff that’s interacting with people in a different in a different way besides fund-raising that’s, right? That’s, right? So maybe it is staff that’s involved with really just ah, organizing your volunteers so you might have a volunteer engagement person on staff that really just that focuses on your special events? Ah, you’re runs your walks, things like that s so they could be sort of armed with this set of questions as well, so they could just happy just be kind of on their radar and be always looking to collect this type of data because the type of data that we’re about to talk about a lot of times, you just can’t even find it on you. Yeah, and ah, and i think it goes to really good development work to be able to source that data and fill in some of those holes and missing piece puzzle pieces, so dismayed now this raises the question of social media, so when you’re researching prospects, do you go to their social media accounts to see what what might be public like if a lot of their facebook posts are public now, some people keep them private, but or only to their friends. But do you do you look at social media? Tio try to fill in hold while i tell you what i actually do? Because one of the things that i do, of course, is i google somebody’s name. So when i do that and on page one of google search results very often will be their social media accounts, they’re linked in their facebook instagram, right? So even even you think okay, well, it’s an instagram account it’s all photos. What am i going to gain from that? But you can really gain a lot of information avectra their second home? Yeah, their boat, their plane? Yeah, i mean, our just, you know, maybe maybe there really into birding, for example. 
So they’ve got, you know, a lot of pictures around that and you think, ok, well, gee, we’re an environmental organization. We didn’t realise they had this particular interest within our scope. So you can really maybe even learn a lot, you know? They say a picture’s worth a thousand words, right before you just filled with the old the old saying, yes, yes, I’ve heard that you have heard that, you know, so you know for sure, and then let’s not forget some of these platforms that also allow for video, so my goodness, when they then not only have photos up there, but then they’re involving video as well. So if it’s public, right? Um, and, you know, that’s not somehow password protected or privacy protected, then it’s in the public domain. You’re not going in friending all these prospects? No, no, no, no, to try to sneak in, no, no, and become their friends, absolutely know you’re going? No, no, absolutely not. But I will say one thing about LinkedIn if you’re doing the research there. Ah, there is a way to set your privacy settings in such a way that you will, like if I’m researching you, Tony, or if I’m just looking at your LinkedIn profile, I go in as an anonymous user, so you won’t know that I was looking at your profile really, however, give up the ability to see who’s been looking at mine. Oh, well, I wouldn’t care about that. How do we set that? So you go into the privacy settings, and, um, and one of the options is, you know, how you want to appear to others when you are looking at their profiles. There are three settings. There’s one that’s fully transparent. So your picture will be there. Your name will be there, and your headline will be there. Right? That’s the setting that allows you to also then see who’s been looking at your profile, if you choose that setting. Then there’s two private settings.
One is semi private, so I could come across as just somebody who’s in the management consulting industry in the greater New York City area. Or I could be anonymous. Okay, so those are the two private and semi private said they’re either naked, topless for that’s. Fully clue, fully clothed. Okay, um, all right. And that’s very interesting. I mean, I would, I could care less who looks at mine. I get those emails. I know it is an option I can turn off, but I just haven’t. But, you know, whatever. Twelve fourteen people looked at your profile this because I don’t care and okay, but so now so if I turn around but you could turn it on and off you can’t you don’t want to you want to be if you want to be naked sometimes and fully exposed could do that, if you want to put your clothes on, top and bottom, tops and bottoms, like jammies, like foot season, everything right on the twenty years and everything, you know, and hoody, you could do that too, right? Okay, you go back for all right? This is all online. And what I promised was we’re going to go beyond online in real life. But this is all valuable. So we do whatever the hell I want the okay, um, he’s going rogue. It’s my show. Now, it’s not rogue. It’s mainstream sametz dream it’s Tony Martignetti non-profit radio. All right, now you have questions that are good for in real life. Real life questions. So let’s talk about some of those for a couple minutes before we take a break. So what kind of things should we be putting out into? Our among? Our people, because it is not just for us to be asking, but all the people that we just think about a few minutes ago, and also these would work really well in, like I said, a focus group or a feasibility study type of the situation. So question number one, what do you feel are the most pressing challenges for our community? And I often can’t find that type of information, right?
So you’re now you’re getting into the mind of that individual and you’re getting them to talk about what are the challenges that you see, not only with regard to the service types of services that we provide, but in our community? What are the challenges that you see? And then, you know, hopefully from their conversation will will happen around, you know, how does does this particular non-profit even address any of those challenges? And it may not be appropriate that in fact, that’s your next suggestion? What role do you see? Non-profits playing resolving the issues, right? That that are pressing for you, actually, that you feel, you know, i like this, you know? What do you feel? Because you’re asking the person what’s their opinion where their feelings about write something good, open ended questions. Yeah, yeah, yeah. You definitely want to make sure that they are open ended and not just yes or no questions, right? Because what you’re looking to do here is really just listen, um, and and i think that, you know, this is something that i think especially those of us in the northeast. We’re so used to talk, talk, talk, talk that we have that we have trouble just listening. I don’t know you may have that trouble. I don’t feel i have that trouble. Well, you know, you’re already transitioning to the south so well, slowly but that’s like degree of sarcasm. Okay. So, you know, how do you see us fitting into it? Yeah. How do you see are not fitting into this into addressing this particular in need. You know what? How can we help address this need in our community, in the community? Is it appropriate for us to be addressing this need within our community? All right. Do you feel like this should be? It should be a priority for us. Yeah, it is. Or it isn’t. And some of these i think are things that i mean? I hope that fundraisers, frontline fundraisers have in mind, and they are asking people, you know, a taste. 
These last couple that we talked about, you know, what are we doing right? How do we, how do you think we fit in? How do you feel about the work that we do have to fit into the community? You know, what else should we be hitting on that we’re not things like that, all right, we got to go take our car break. When we come back, we got live, listen, love, et cetera, et cetera, stay with us. Like what you’re hearing a non-profit radio tony’s got more on youtube, you’ll find clips from stand up comedy tv spots and exclusive interviews catch guests like seth gordon. Craig newmark, the founder of craigslist marquis of eco enterprises, charles best from donors choose dot org’s aria finger, do something that or neo-sage levine from new york universities heimans center on philantech tony tweets to he finds the best content from the most knowledgeable, interesting people in and around non-profits to share on his stream. If you have valuable info, he wants to re tweet you during the show. You can join the conversation on twitter using hashtag non-profit radio twitter is an easy way to reach tony he’s at tony martignetti narasimhan t i g e n e t t i remember there’s a g before the end he hosts a podcast for the chronicle of philanthropy fund-raising fundamentals is a short monthly show devoted to getting over your fund-raising hartals just like non-profit radio, toni talks to leading thinkers, experts and cool people with great ideas. As one fan said, tony picks their brains and i don’t have to leave my office fund-raising fundamentals was recently dubbed the most helpful non-profit podcast you have ever heard. You can also join the conversation on facebook, where you can ask questions before or after the show. The guests were there, too. Get insider show alerts by email, tony tells you who’s on each week and always includes link so that you can contact guess directly. To sign up, visit the facebook page for tony martignetti dot com. I’m chuck longfield of blackbaud. 
And you’re listening to tony martignetti non-profit radio. Big non-profit ideas for the other ninety five percent. We have got live listeners all over the country, it’s amazing, but we’re booming today from new bern, north carolina. Bradenton, florida, and tampa, florida. Basically, we’ve got all this is that this is a first for non-profit radio for sure, we’ve got all five boroughs of the city checked in bayside and rochdale in queens, bronx. Cancel your neighborhood, brooklyn can’t see your neighborhood. Manhattan and staten island got all five boroughs checked in live listener love throughout the city of new york throughout the five boroughs. Also blair’s town new jersey used to go to boy scout camp in blair’s town no, be bosco stood for north bergen boy scouts no be bosco bladders in blair’s town and that’s, where they filmed friday the thirteenth one of kevin bacon’s early movies flight friday, the thirteenth films at that boy scout camp in blast down new jersey live listener love to you blessed town also woodbridge new jerseys with us i’m nowhere altum pandu jersey is where my mother and father are they did not check in they’re checking out there so i don’t know but they’re not checked in we got all way all the way west coast. Can’t washington live? Listen, love out to the upper northwest? Um, i think that’s, everybody so far in the us of a how about germany, multiple cities in germany? Guten tag, spain. I can’t see your city, i’m sorry, but spain, buenos di days. I’ve got a newcomer. Ah, the area of the stars of by john the town is tub breeze and that’s, iran welcome, iran live with their love to you in iran, give us a high five from iran. On the heels of the live listen, love, of course, comes the podcast pleasantries, maria samples getting close to her, mike thinking that’s her time to talk again. But it’s? Not quite because we’ve got to do the podcast pleasantries, she’s trying to cut you off podcast listeners. 
She doesn’t want me to do it, but her restraints are are ill are feeble against my will to do podcast pleasantries to the over twenty, twelve thousand listeners, whenever you are whatever device i am so glad you’re with us pleasantries to you and the affiliate affections to our am and fm listeners throughout the country. So glad that you are with us as well affections to you on those analog devices glad you’re with us. Ok, marie simple. Now it’s back your turn. You can sit up straight again. Maria sample. You’ll find her at the prospect finder dot com and she’s at maria simple. Um, yeah. So more questions we got. We got some more questions that we’d like to be asking. Yeah, absolutely, absolutely. So these next two questions are very inter related, and they may be difficult for you to ask directly to someone it might work. Better in mohr of aa group situation, and i think it would work really well if you had, i’m going to say, ah, third party may be a consultant or other volunteers, perhaps asking this question, so the questions are, what are we doing right? And what can we improve? Because i think you’re going to learn a lot about how your organization is serving the community. And maybe there is some gaps that that that these potential donors feel thatyou’re not filling but should be filling eso it sounds particularly student to a focus group, right? Or a feasibility study, a consultant asking feasibility study questions of individuals or couples one on one yeah, yeah, absolutely, absolutely. And this next question really has to do more with your communications and how you’re communicating with people and, you know, you know, are we transparent and communicating effectively regarding our programs and achievements? 
S o you know, i think that fund-raising and communications marketing, pr, whatever you want to call it are they cannot live in silos, they absolutely are interrelated when one one part of that is not going well, it’s going to impact thie other side and vice versa. So i think it is important to have an understanding of, you know, are you over communicating under communicating, you know, sometimes donors feel like, you know, g the only time we ever hear from this organization is when they’re asking for money that’s always about right, right? So, you know, are you adequately communicate? And also, how would you like to be communicated with right? Do you prefer email, paper, mail, phone twitter, you know, how would you like us to be talking to you, right, exactly what channel? So yeah and thiss next question i really like because now we’re going to start to understand, will these people be willing to make a major number seven minutes if you like this one? Where was this number seven? Well, no, i mean, because now we’re getting into more of a major gift flow of questions arc to the right, right? We’re approaching danamon right there, and then we’re going on that we’re goingto leave xena, ok, exactly. Bonem so have you ever made a multi year commitment to a non profit organization? And would you ever consider doing so? So not necessarily to your non-profit to a nonprofit organization ok, you need to go through the next couple quickly. Okay, great. We have a few minutes left and we got to talk about conferences. Okay. Great. Read them off. All right. So how many non-profits do you typically support in a given year? Do you give more to an organization when you are involved in its leadership? Would you like to be a boardmember? Etcetera? Volunteermatch ok. And who else should we be talking to? Excellent. Right? Because you you who have your in your network and you bring to us, right? Who in your circle of influence should we be talking? Teo? All right. Excellent. 
In real life, go there. Don’t ignore the in real life. It’s it’s it’s part of you being a human being. It’s not all digital. Okay, let’s, go to conferences. If you want to meet in real life, we have a nap. Unconference association of professional researchers in advancement, right? Where’s that that’s, right? So they’re big annual conference it’s their thirtieth actually is happening in anaheim, california. This year on july twenty sixth through the twenty nine, you’re going to be there? I am not. No, i’m not. I’m not going to. Be attending it this year, but i do want to make sure that everybody is, you know, he’s aware that it’s there in case they want to get some extra education and this information as well as a lot of this other stuff i’m going to bring up now is all available on apple. His website, which is a p r a home dot org’s. So that’s apra home dot order s so that’s, the big, the big international conference. A bunch of statewide stuff just passed in in april, but a couple of other upcoming things that i did want to bring to your attention. So if you are members of the florida chapter of apra, they’ve gotta state conference coming up june eighth through the ninth, we’ve got anapa overdrive one day conference coming up in seattle, washington may twenty fifth, there’s a couple of webinars coming up a free one on june fifteenth. Ah, getting the most out of wealth screening and they’ve got one that they’re running in conjunction with a f p called you khun do it research at your finger tips and that’s going to be on august twenty third i don’t know about all these is available on apple home dot org’s. Yes, yes, it iss that’s. That’s exactly where i got it from. Okay, very good. We gotta leave it there. She’s a prospect. Find her again at maria simple and at the prospect finder. Dotcom. Thank you, sir, for being in the studio. I was so glad to be here too. Two force cracked like a fourteen year old is unbelievable. 
Next week, health care funding options and jean takagi is back. If you missed any part of today’s show, i beseech you, find it on tony martignetti dot com. We’re sponsored by pursuant online tools for small and midsize non-profits data driven and technology enabled and by we be spelling supercool spelling bee fundraisers we b e spelling dot com our creative producers claire meyerhoff. Sam liebowitz is the line producer. Betty mcardle is our am and fm outreach director shows social media is by susan chavez. And this cool music is by scott stein you with me next week for non-profit radio big non-profit ideas for the other ninety five percent. Hopefully i’ll be more articulate, go out and be great. What’s not to love about non-profit radio tony gets the best guests check this out from seth godin this’s the first revolution since tv nineteen fifty and henry ford nineteen twenty it’s the revolution of our lifetime here’s a smart, simple idea from craigslist founder craig newmark insights orn presentation or anything? People don’t really need the fancy stuff they need something which is simple and fast. When’s the best time to post on facebook facebook’s andrew noise nose at traffic is at an all time hyre on nine a, m or eight pm so that’s, when you should be posting your most meaningful post here’s aria finger ceo of do something dot or ge young people are not going to be involved in social change if it’s boring and they don’t see the impact of what they’re doing. So you got to make it fun and applicable to these young people look so otherwise a fifteen and sixteen year old they have better things to do if they have xbox, they have tv, they have their cell phone. Amador is the founder of idealised took two or three years for foundation staff sort of dane toe add an email. Address their card. It was like it was phone. This email thing is fired-up that’s why should i give it away? 
Charles best founded donors choose dot or ge somehow they’ve gotten in touch kind of off line as it were on dno, two exchanges of brownies and visits and physical gift mark echo is the founder and ceo of eco enterprises. You may be wearing his hoodies and shirts. Tony talked to him. Yeah, you know, i just i’m a big believer that’s not what you make in life. It sze, you know, tell you make people feel this is public radio host majora carter. Innovation is in the power of understanding that you don’t just do it. You put money on a situation expected to hell. You put money in a situation and invested and expect it to grow and savvy advice for success from eric sabiston. What separates those who achieve from those who do not is in direct proportion to one’s ability to ask others for help. The smartest experts and leading thinkers air on tony martignetti non-profit radio big non-profit ideas for the other ninety five percent.

Nonprofit Radio for February 3, 2017: Grow Your Sustainer Revenue & Protect Your Donors’ Data

My Guests:

Allison Weston, Chrissy Hyre: Grow Your Sustainer Revenue

(L to R) Hyre & West  at 16NTC

You want more sustainers? We’ve got the formula: Multichannel. Upsell. Benchmark. Avoid attrition. The panel is Allison Weston & Chrissy Hyre, from Chapman Cubine Adams + Hussey, and Sabra Lugthart with The Trust for Public Land. This was recorded at the 2016 Nonprofit Technology Conference.



Tracey Lorts & Joshua Allen: Protect Your Donors’ Data

(L to R) Lorts & Allen at 16NTC

You don’t want to be the next headline. You don’t want a fight with a donor over whether you compromised their credit card number. We’ll keep you safe and in compliance. Also from 16NTC are Tracey Lorts and Joshua Allen, both with Greater Giving.




Transcript for 325_tony_martignetti_nonprofit_radio_20170203.mp3

Processed on: 2018-11-11T23:41:13.912Z
Path to JSON: 2017…02…325_tony_martignetti_nonprofit_radio_20170203.mp3.878948250.json
Path to text: transcripts/2017/02/325_tony_martignetti_nonprofit_radio_20170203.txt

Hello and welcome to tony martignetti non-profit radio big non-profit ideas for the other ninety five percent. I’m your aptly named host oh, i’m glad you’re with me. I’d be thrown into vou care. Arai assis, if you wormed in with the idea that you missed today’s show, grow your sustainers revenue you want more sustainers we’ve got the formula multi-channel up, sell benchmark avoid attrition. The panel is alison weston and chrissy hyre from chapman, cubine adams and husi and sabra lugthart with the trust for public land, this was recorded at the twenty sixteen non-profit technology conference and protect your donor’s data. You don’t want to be the next headline. You don’t want to fight with a donor over whether you compromised their credit card number. We’ll keep you safe and in compliance. Also from sixteen ntc are tracy lorts and joshua alan, both with greater e-giving tony, take two seventeen and tc responsive by pursuant full service fund-raising data driven and technology enabled, you’ll raise more money pursuant dot com and by we be spelling supercool spelling bee fundraisers. Wee bey e spelling dot com here’s, our first panel on growing your sustainers revenue from the sixteen ntc, welcome to tony martignetti non-profit radio coverage of sixteen ntc non-profit technology conference with the convention center in san jose, california. My guests now our chrissy hyre alison weston and several lugthart chrissy is see you’re strategist at chapman, kyu buy-in, adams and pronounce all those hyre directly did even cubine you did? Yeah, i should have asked you before, but we’re rolling now. Alison weston is, uh, also with chapman, cubine adams and yep. Okay, what do you do there, though? Does have a title for you. I’m a digital account executive. Okay. Excellent. And say piela oneaccord is associate director of annual giving at the trust for public land. It was a very simple one. Thank you. We love everything documented here correctly. Thank you. 
Before we start with shot out swag arse crack item for this interview is from cornershop, cornershop, creative it’s ah it’s vegetables. We’ve got sure that’s an eggplant got tomato stress balls no pair stress ball also. But all the vegetables items are not stress balls. We have a banana pen. We had a chili pepper osili all from cornershop creative. So thank you very much. This goes into our swag. Pile ilsen would you help me budged? And those items put him up front. There we go. Oh, the implant. Okay, but all this way, swag pile. Thank you very much. Okay, ladies. Let’s, get serious about sustainers now, sabre, you have to depart a little early. So when sabelo leaves it’s not because my questions suck or anything like that because you have to go because we’re running a little behind. So let’s, start with you. Make sure you get. Yeah e-giving for some time. What is the problem that non-profits are not getting things quite right with sustaining don’t? Well, first, i’ll preface that i’m a client of cch that’s, right? I think we’ll give my organization has an example before i started working at the trust republic land way just didn’t have a sustainers program in place there nobody we didn’t have a dedicated staff member. Um, well, you know, sustainers air worth so much in revenue. So, you know, we did all of these things we work towards that teo grow our program and really recruit sustainers so i think, really the bottom line is is over time when you build your sustainers program, it just generates so much revenue for your organization so it’s worth focusing on okay, we’re we’re for some reason we’re not what we what we alison, what do we not quite getting right about building our sustainers base? I think a lot of regulations do get some things right. I wouldn’t marry you. 
What herself not getting quite right, i think you know, a big factor for continued, most like sustainers growth online is continue testing so there’s a lot of things to do with donation forms and, you know, i think once you find something that works, that doesn’t mean it’s going to continue to work. So i think one thing we talked about in our sessions, they was keep testing online and keep holding it on things in your donation form and making sure that, you know, you’re continuing to grow and try new things, okay, chrissy, if you want to add to our overviewing this point, i think, you know, maybe two things that i would add to what these ladies have said that, you know, having organizations make sure that they’re taking a multi channel approach to sustain a recruitment that they’re using all the same channels. That there, soliciting one time, gibson for sustainers recruitment and then really evaluating on the back end. Making sure that once they go to all of the trouble of making sure that folks have become monthly donors, that they’re staying monthly donors. And they’re staying engaged in the organization. Why do you think some organizations aren’t taking st multi-channel approach for sustainers that they are for other types of dahna with what’s happening disconnect? Well, i think that, you know, i think that people get a little bit overwhelmed sometimes by, you know, the number of thing are the kind of logistical set up that it takes to start a sustainers program, and so it seems, i think sometimes like, oh, the easy way to do this would be just to do it online let’s, just sell this through email let’s just do a light box, let’s just do it digital ads, you know? 
And that seems like kind of an easier kind of entry point into sustainers e-giving whereas you know something like telemarketing, for example, which is what i really focus on with my clients can feel a little bit scarier, a little bit more, a little bit bigger, maybe a little bit tougher to bite off, okay, yeah, i think also for a lot of non-profits data is just a challenge, even just getting everything set up in the back, and i know sabra, you had a lot of leg work to do before you got started so i would say, yeah, just getting your house in order before you can even get started and keeping it in order and keeping your data clean. It’s a big challenge, especially with this scene. E-giving okay, all right, so let’s, start with our multi-channel approach to sustain. E-giving now, of course, we’re talking about monthly monthly. Sustainers is that right? Is that we’re all so everyone’s on the same page, okay, monthly sustainers huh? Our multi-channel approach are we trying to convert existing donors to sustaining or we try to require new donors? Sustainers or both, you can do it all, you can have it all. So, you know, i think that’s sort of the lowest hanging fruit is converting the people who are already connected to your organisation as donors and two monthly givers. I think that a lot of organizations also find tremendous success with kind of warm prospects, online activists and that kind of audience and then certainly alison and sabelo could speak to this, but one of the things we find works really well, digitally is using sustainers e-giving is an acquisition tool. Yeah, so i mean, i think there’s, the biggest factor we’ve seen in converting to see here, has been doing a recent cso like christie said, making sure that you’re getting people that sustaining ask after they’ve made a one time gift anything there’s a lot of ways to do that online, trust me publicly, and they do, you know, a few different things. 
One of them is a rolling email out to you one time donors, ten days post donations so that’s a good way of you know, reaching out to people when they’re current. In recent donors, you’re tuned to non-profit radio. Tony martignetti also hosts a podcast for the chronicle of philanthropy. Fund-raising fundamentals is a quick ten minute burst of fund-raising insights, published once a month. Tony’s guests are expert in crowdfunding, mobile giving event fund-raising direct mail and donor cultivation. Really, all the fund-raising issues that make you wonder, am i doing this right? Is there a better way there is? Find the fund-raising fundamentals archive it. Tony martignetti dot com that’s marketmesuite n e t t i remember there’s, a g before the end, thousands of listeners have subscribed on itunes. You can also learn maura, the chronicle website, philanthropy dot com fund-raising fundamentals, the better way. Dahna oppcoll okay, let’s, let’s, drill down. But what does that email saying? Thanks them for their gift? Sabelo what does it say? Yes, so the again the emails sent out ten days after the after donor-centric thank you, basically, thank you very much for your recent gift that builds a case for support of why sustaining gifts are so important and it’s all wrapped around the mission of our organization at the end, it says, would you please consider becoming a monthly donor and that’s about what’s in the mail and a link to click to, of course, yes, all of the links to other clip now, when they get there, do they also get a written acknowledgement for their one time give if in our organization, if they give online, they get an automated and they get an automated email and sustainers get a different kind of automated email. So okay, we’re not going out there, and i’m still the one time donor. 
If they make an online gift to get a in ordinated email on our ana made it basically, thank you eat tax receipt online and then if they don’t, it makes a gift off line they get, you know, they get mail ok in that in that offline, direct mail are they also invited to become sustainers in direct mail? Yeah, so we do dio way doo doo like a b r e slip and direct mail asking has a sustainers ask, and we do do some segmentation and email like we recently sent out a tax receipt that asked people to become, you know, if they had recently given a one time gift, asked them to become a sustainers consider becoming a sustainers and i think that that’s actually really speaks to kind of some of the multi-channel approach that we’re talking about, which yet, you know, it’s, not even just which channels you’re inviting people to become a sustainers through, but branding the program across everything that you send a donor so thinking them with that, you know, and making that sustainers asking, just kind of keeping that in the forefront of their mind as they go through. Sort of their donor life cycle. Okay. Uh r r one time donors asked again before their other once on gift if they hyre turn down the first sustainers nasco they then asked, like i said before there before their other annual gift. Yeah, good question we solicit our month. Well, we are monthly donors on a limited mail solicitation track, so we only send the mailings three times a year. Um and yeah, so we will when it that time is appropriate. The year and campaign. We will ask them to make a one time contribution or we’ll ask them to upgrade their gifts. So we do. Sorry, i’m kate reverting back to monthly donor is not one time your gifts. Sorry, my question was, how often do you ask one time donors to become sustainers you ask them the first time after ten days after their first there one time gift, how often after that? Before their next one time. We don’t have a player friend. 
Yeah, we don’t have a plan for that right now. Okay? Alison and christine, do you think that is advisable? Or should you just continue to wait until they made their other? Their next one time? Well, one of the things that we find to be really successful is again, kind of, you know, you’re asking the multiple times, but maybe you’re not asking them in the same way, so you’re, you know, you’re thanking them for their gift and there’s this kind of soft asked for them to become a sustainers then you send them an email and explain the program to them and ask them to become a sustainers that way, then you call them and ask them to become a sustainers and then you follow up from that and say, thanks so much for listening. Is this something you would consider so it’s? Not it’s, kind of a cohesive strategy that asked them multiple times, but it’s not necessarily like these kind of random, you know, isolated asks it’s, sort of an overarching okay, okay, that make sense. Yeah, it sure does. And allison, to your point about the importance of data earlier now, obviously way. Have to have good data for all these channels. Christy just described we need a phone number. I need their e mail. We need accurate mailing address, right? The importance of good data. Before we could do anything. Yeah, no, that’s that’s. Definitely right. Okay, way also need to know piggybacking on that how they want to be communicated with. So suppose somebody doesn’t want to receive phone calls. Yeah, i mean that that definitely has to be taken into account. You don’t make the donor injury. You want to communicate with them in the channel that they prefer to be communicated with thin. But that doesn’t necessarily mean that someone who donates online is only ever going to donate online that’s. Why i keep talking about the multi-channel approach. 
So in fact, forty five percent of the stayner’s that we see recruited into programs are actually recruited as a sustainers by a different channel in the first channel, they gave a gift to the organization, and so we brought them in through mail. But then they became a sustainers through the phone or online, or they came in on line. And then we made the ms sustainers half convert. They’re giving channel. Exactly. Okay, use the right language that you did. It was very krauz. All right, so we still have a good amount of time together. Sabelo before you have to. Go now. Yeah. Okay. She was taken by your sorry have really thank you. Nothing duitz conversation. Okay, thank you for saying that. Even if not sabelo breaks down. So it was like that. All right, thank you. Say thanks for joining us. Okay, now we’re now we’re just left with the consultant. So now we’re in a big, big loss. I did play e-giving fund-raising. Well, it was not it was not serious. Where should we take this next? Right. We talked about how i’m gonna convert at a game. What else have we, uh, not talk about that? We should in this hole multi-channel topic. Campaign ideas. You have some campaign ideas? Yeah. I mean, i could talk a little bit out some different things that we’ve seen we’re calling, why don’t you? Okay, i hold out on non-profit radio. Sure. So i think one of the things we’ve seen work really well with a lot of clients in a lot of different areas has been sustainers up so light box. So that means basically, on your one time get form, somebody makes the onetime gift and before their gift actually process is a light box pops up. And says, hey, things for your let’s define like box everybody doesn’t know whether it’s opaque shoretz i’m not okay. You know, when you go on a site and kind of the site gray’s out and then something pops up to the forefront that’s basically what? George in jail on non-profit radio yeah, try to help you out of it. Sorry, so you can still see through? 
You can still see through it. So pictures yeah, so picture this you’ve made, you’ve made a gift, then you know you’re you hit process, and then the screen kind of gray’s out in a box pops up and it says, you know, has a nice image and it says, you know, thanks for your gifts before we process your one time gift, would you like to turn this into a monthly gift and you can click no or you can click x and x out of it, and you’re one time gift will still process. But if you could yes, then it will convert to you become a sustainers so you’re catching people right at the moment when they’re making a gift and you just get people to convert and we’ve seen that works really well for bringing a new sustainers, but also doesn’t depress one time. Revenue does not. Okay, okay, what do we know about what? What amounts to ask them to? Would you like to make this gift to sustaining you? Well know, the mountains is different. So in the back end of the light box itself, there’s kind of an ask string tree, so basically gives a range. So if you make a gift between, say, five and fifteen dollars, and you ask for a five dollars monthly gift or, you know, if you kind of move up and you make a thirty two fifty dollars, gift your ass for a little bit hyre maybe, you know, fifteen or twelve dollars monthly gift so it’s kind of tiered. So you’re making sure that you’re asking for the right amount from people what we call that strategy. That’s the sustainer, upsell, lightbox okay, sustainers yeah, i terminology, yeah, as long as you define it joining way don’t like talking about it. Criminology sustainers upset like box, of course, who doesn’t know what that is like? Everybody who listens to cop radio does now that you know, you just treyz down. So i don’t think so. Sustainers upsell white-collar christine woman a woman who sat in your seat before this interview was so that was misty magog a chrissy hyre christy, what other campaign strategy can you share? Well, campaign strategies? 
Um, you know, i think that as alison alluded to one of the most important things that we see for organizations to remember, no matter what channel they’re trying to recruit, sustainers through is really the recency of the gift. So i think that a lot of times organizations have a little bit of a fear that if they asked too close lead to this is to the person’s original gift that it’s going to seem ungrateful to be like. Well, now, could you do ten dollars a month? Like ten days? Seems to be okay. Ten days a spine. In fact, the most successful phone programs we do call people within thirty days, which that’s really close? I mean, they just gave a gift. But you really want their commitment and their passion for the organization to be top of mind. And any time in the thirty days, not the next day. Not the next day. No, typically. The window starts kind of two weeks after their gift for two weeks to thirty days, you’re safe in asking for sustainers gift after someone made a one time yep, absolutely and of course, you know you want you want to thank them, you want to appreciate them for the amazing donorsearch es are but that’s, you know, that’s totally acceptable. And i think the other thing that we talked a lot about today and that we could go into a little bit more now is sort of what to do with sustainers once you bring them on, and so i think that you know, sustainers support is great because it’s the stable monthly revenue, but it’s not a set it and forget it kind of strategy and so there’s a lot of work that has to be done once you actually bring these folks to the table to become monthly donors, to make sure that they stay engaged and passionate and interested and that they continue to give and you don’t lose them because their credit card expired or they just sort of became disa passion with your organization. Okay, very important too. Yes, yes, we don’t, we don’t. Want to lose? You don’t want to lose our donors. What do we know about out? 
After someone becomes a sustainers do they then keep up their their annual giving, too? So this is something that a lot of organizations kind of go back and forth with. Do you continue to ask sustainers for one time gifts? Do you try to just upgrade their sustainers gift, like what is the perfect mix of howto results in them? And so one of the things that we found is that, you know, thes air your most committed, passionate donors, and so it is completely acceptable to ask them for a one time gift. A lot of folks use a strategy called the thirteenth gift, where in december they’ll ask sustainers to give sort of the thirteenth gift of the year. If you have, like, a key matching gift campaign or something really urgent happening within the organization sustainers air great group of people to reach out to on dh, then organizations have seen success upgrading sustainers is close to their original sustaining gift is three months after they give it. So you know, there’s there’s really no hard and fast rule it’s kind of about testing and finding what works best for the organization. Okay, even okay, things. That that sound unusual to me, even just within three months of their first sustainers gift it’s okay, in some cases to ask the upgrade that absolutely so we worked with a really large non-profit that has an extraordinarily large sustainers program and what they they tested six months versus three months in terms of a sustainers upgrade and found no difference. At three months that is many people upgraded the donor’s weren’t displeased to be getting called again so quickly that folks felt really engaged and excited. They kind of under you just always have to explain what their support is doing. Why is that additional three dollars, a month so important? Allison, could you help us with went to be thanking our sustaining donors? I think is pretty well recognized don’t think them every month, but do we thank them every year? What’s appropriate? 
Yeah, i think i think they definitely need to think them, but not overthink them, but i think something else that you can do more often is kind of keep those engagement touches going, so send engaging emails that aren’t just asking people for money, sending them something that’s going to keep them tied. To the mission of the organization and kind of keep the organization top of mind without asking them for money every single time they’re opening an e mail from you. Eso whether that’s a quiz about your organization reading article, you know something, something fun like that to keep them engaged, it informed, i think, is really important and sustainers going, of course, be lumpkins that along with everyone else on your email list on your contact list, but i think you know it’s nice at the end of the year at the beginning of the year to send out a nice impact email or an impact, you know, whatever you’re doing to show, um, you know how much their support meant to you over the year and all the stuff that you were able to do because of all the, you know, consistent support that sustainers gave you okay? So generally recognized that end of the year is is the best time or if there’s, another key bowman in your organization? I don’t think it’s a problem to thank donors, but i think you can do really consistent engagement emails, teo, to keep folks, you know, tied to your organization okay, way too little a budgeting conversation. Okay. Dahna what? What are expense items that we need to factor into creating a sustaining sustainers? Provoc well, i think that in some regards and allison definitely jump in. 
I think that when you think about sustainers recruitment, you almost have to think about it in the same way you think about acquisition, and so, you know, you’re going to invest in acquisition, but it’s a long term kind of long game strategy and sustainers recruitment is the same way, so you know that obviously one of the biggest cost is making sure you have the back and systems to process the spokes monthly, that you’re not gonna lose track of that. And, you know, all of that is part of the organizational budget i would assume and then additionally, you know, making sure that you are kind of realizing that if you’re starting a program from scratch, this is like the long game, this isn’t something that’s going to pay off in three months. This is something that you’re looking at in some cases, if you really want to build a large program, the big net is going to happen. After a year, maybe two years, maybe three years, depending on how big you want to go. Okay, so you gotta be in it for a longer term, right? Any other budget type factors? Allison, you want to jump in? No, i think you pretty much well covered it, but i think, you know, if you’re sending out e mails, you obviously have to have a sierra. So i think a lot of the stuff you know, most organizations already have but it’s a matter of using it for recruiting sustainers but definitely i think the biggest hurdle for a latto organizations is getting that peanut processing set up. Okay, got a meat processing that you trust? Are there payment processors that you like? You want to give a shout out to particularly well. Okay, what about strength? Yeah. So, you know, i think that this isn’t so much about the actual monthly processing, but, you know, there’s there are a lot of great tools out there right now, like stripe or a man tive that help recapture credit card information before it lapses, which really helps organizations that are trying to build sustainers program stem. That sustainers attrition on. 
Dit could be a really huge factor and turning around sustainers avenue. Okay, now, what was the second advantage vantive used to be? Lytle now, it’s canton. Okay, so we know that when credit cards laps, we’re likely to lose sustainers donors so just kind of some quick stats i can share with you, so i work with pretty large sized political action committee, and they’re very committed growing their sustainers program, they spend a lot of money investing in this new sustainers growth and so this year or in twenty fifteen, rather we saw this pattern where we were exceeding our budget projections for new sustainers revenue every single month and our sustainers number was decreasing every single month, so just, like, made no sense, right defied logic, so we dug in to see, you know, what’s going on? Why are all these people falling off the file? Because the problems really attrition and of those folks who are falling off, eighty percent of them were falling off because of bad credit card numbers. So this was sort of during that time where we all got this new chip cards or their expiration dates were expiring, theyjust were getting new cards and we weren’t able to contact them quickly enough to get that new credit card back on file. So with this process all of a sudden, you know, we implement this in december, and we go from losing thousands of dollars every month to seeing, like, twenty three percent growth since december through february. Okay, so what are we doing in advance of the credit card lapse? So a little bit technical and that’s? Not really my bailiwick, i will tell you, but so basically, what thes companies do is they contract with banks so that they have a relationship with the bank to update your credit card before it ever even expires. So, for example, if you have a netflix account, you probably notice that your credit card never actually expires. No matter what. 
You know how many cards your bank is sending you in the mail and that’s because they’re contracting with them directly to get that information so that you, the consumer, don’t have to go in and update all of that. Oh, i see. Ok, so it’s all happening transparent to you. It happens automatically, right? You never have to decide. I’ve given enough. To this organization, exactly it’s a customer service convenience that actually saves organizations a lot of money. Yes, it’s also non-profit exactly. All right. All right. We still have a couple of minutes left. Zoho some benchmark benchmark’s is for sustainers growth. Allison, help us with that. Yeah. I mean, i think it depends where different organizations are in their sustaining journey about growing their program. So i think, you know, when folks are thinking about starting or growing at sustainers program, you have to kind of set your own benchmarks that i can throw it a couple stats. I think you know, some things to consider. You know, overall good, healthy benchmark would be about having ten percent of your revenue comes from sustaining, giving. So, you know, that varies from organization organization, but i think that’s kind of ah, national benchmark it like a good back of the napkin calculation on that. I also think some other things to consider are just, you know, benchmarking and kind of setting some goals for how much revenue goals you want to have come from a scene e-giving and also thinking through, you know, looking at how much you want to spend to acquire these donors and then what’s the return on investment. How long are these sustainers staying on the file? Are they lapsing off? Is there a certain channel that’s? Not really working very well. Maybe honing in on, you know, tweaking your strategy a little bit. So i think there’s different things and it’s it’s going to be different for every organization you know, not everyone is the same place in there seeing e-giving program. 
But those air something’s toe consider. Okay. Okay, christy, i want to leave us with i think that ultimately what i would say is that while building a sustainers program is an investment, it ultimately is so worth it. It is probably the number one thing that organizations khun due to help grow their files. Folks who become a credit card sustainers will stay on your vile for thirty seven months or longer. They’re your best prospects for plan giving. They’re your best prospects for mid level upgrading. And they are ultimately kind of the core of your fund-raising once you develop that audience is ideal, concise, beautiful. Thank you, ladies. Thank you. Ok, they are christy hyre and she’s, a senior strategist. At chapman cubine adams and she was right. Okay on. Alison is also there doing marcus ellis, a digital account exec. You can’t exactly fucking watch, ladies. Thank you. Martignetti. Non-profit radio coverage of sixteen non-profit technology conference san jose, california. Thank you so much for being with us. Protect your donor’s data is coming up first. Pursuant. Have you checked out their white paper overcoming the major donor dilemma? It’ll help you. The research is free. It’s valuable it is. I can make it any simpler. This stuff is helpful. This one, the overcoming the major dahna dilemma covers identification, engagement and cultivation of new major donors. So you’re finding them, you’re getting them active and then you’re cultivating for the solicitation. Overcoming the major donor dilemma it’s at pursuing dot com you click resource is and then content papers. We’ll be spelling spelling bees for fund-raising have you checked out their latest video, it’s from a night that raised money for help for children raised over one hundred ten thousand dollars, the organisation needed help. It turned to re be spelling. You can see it all documented. 
They’re documentarians. It’s all there on the video at we b e spelling dot com. Now for Tony’s Take Two, the twenty seventeen Non-profit Technology Conference. So we got two interviews today from twenty sixteen. I urge you, I can’t beseech you because that belongs elsewhere, but I urge you, I implore you to check out the twenty seventeen Non-profit Technology Conference. It’s March twenty third, twenty fourth, twenty fifth in Washington, D.C. There’s always, there’s like one hundred or more, there’s more than one hundred smart speakers, smart seminar leaders. They’re all talking about how to use technology smarter, more efficiently, brighter, all just better to help you do your work. And it’s not only for technically oriented people. I mean, I go and I interview people and I can hold my own in the conversation, so you can too. And you don’t even have to converse with them. I mean, if you don’t talk to somebody and then just don’t talk, just listen. But it’s not only for geeks, which is no longer a pejorative now than it was when I was growing up. But now it’s, ah, people boast about being geeks, but it’s not only for them. So if you’re using technology, and, ah, odds are you’re listening on a smartphone, so guess what, xero embedded in your life, using it to do your work, accomplish your mission, then I would check out twenty seventeen NTC. Get all the info at NTEN, nten dot org. And that is Tony’s Take Two. Here’s our second panel, on protecting your donor’s data. Welcome to Tony Martignetti Non-profit Radio coverage of sixteen NTC. This is also part of NTC conversations. We are at the San Jose Convention Center, kicking off our day two coverage. My guests are Tracy Lorts and Joshua Alan. Tracy is community marketing manager for Greater Giving, and Joshua is not listed in the program. How come? Last minute addition. An addition, okay. Joshua, tell us your title and your organization. So, solutions engineer with Greater Giving. What kind of engineer?
Solutions, solutions engineer with Greater Giving. Okay, their seminar topic is Super Boring, Crazy Important: PCI and Protecting, protecting Your Donor’s Data. What? Thank you, Joshua. Welcome. Thank you. All right, we have to acquaint listeners with what PCI is. I’m going to assume that a lot of people don’t know a post. We have jargon jail on Tony Martignetti Non-profit Radio, so we want to start off with you in prison, in jargon jail. That was Tracy, since you’re most concerned about prison justin, maybe you’ve done time, so I don’t know, but you’re not, not, it’s not about jargon jail. All right, Tracy, what is PCI? So PCI is an acronym that stands for the payment card industry. So it’s a set of standards that’s put forth by all major card brands around the world to ensure a set of security standards are implemented by everyone involved in the card processing services. Okay, security standards, if you’re involved in card processing. Is it also dependent on what kind of data you save and whether you save data? Yeah, so PCI has a set of data security standards called, tell them, the twelve PCI DSS, going to get more jargon, and that’s the data security standard. Okay, so it’s a set of twelve requirements that are kind of a minimum standard for anyone involved in card processing, that you have to meet those standards in order to be compliant with PCI. Okay, Joshua, you’re doing this session, so safe to assume that a lot of non-profits don’t know what PCI is. My assumption correct? They may not know what it is, or they know what it is and are not sure how to start, so that, that’s what our purpose for our session is, is to get people acquainted with, with what they, what they should start learning to know, and then, and protect themselves and their donors’ data. Okay, okay, what is it, what is the best way to get started with learning PCI? I mean, is it just a matter of twelve DSSs, or is there a better way to make entry into this for people who aren’t familiar?
Yeah, you need to know more if they are a little familiar. Yeah. There’s four different levels of PCI compliance, and it’s based off of the number of transactions that you’re doing on a yearly basis. So, that would be the number of people that would be impacted if your organization were to have a breach. So larger businesses processing, you know, billions of transactions annually have more stringent requirements than someone only processing in the thousand, thousand transactions per year range. Um, so most, you know, most large, large companies are having to do really, really strict requirements for P, PCI. But if you’re a smaller processor, you really just have to complete what’s called the self-assessment questionnaire that’s put forth by the PCI council, and you have to do it on an annual basis, and it’s basically a self verification that you are complying with all the requirements of PCI. Okay, let’s just take one step back. Joshua, if people, maybe you’re in a smaller organization and they don’t really want to take this on, which we’re going to be talking about for the next twenty minutes, they could just accept gifts by check. Yeah, that’s always a possibility. Absolutely they could. But as we’re, as we’re going into the digital age, it’s very important that organizations open themselves up to the other fund-raising streams, including credit card payments, and... Okay, I just want to put it out there. Yeah, just briefly, you could, this really scares you, and it was really small shop, you could just not accept credit card donation, right? But you’re missing out on a ton of donations. Okay, this is it. It’s really not a big scary idea. You know, the twelve requirements are really simple concepts, like having a firewall in place. That’s one of the twelve. So they’re things that should be a part of your security process and your security policies as a non-profit to begin with. So they’re things that you should already be doing. It’s really
just about ensuring that all of the checks and balances are in place. Okay. Okay. What are, what are the four different categories? There’s twelve? No, twelve other. There are four categories based on the tier, your revenue, your number of processes per year. Yes. Okay. You just lay out what those four tiers, you could just, tiers, called them tier one, tier, don’t know the terminology. I gotta be on the terminology. Okay? Right, tier one through four. There’s some specific data. So I think she’s, yeah. So okay, a tier one merchant’s going to be processing over six million transactions annually. That’s, that’s a lot of, um. A tier two, going to be processing one million to six million. Tier three is twenty thousand to a million, and then tier four is twenty thousand or less. Okay, so we would expect most to be three or four, correct? Vast majority four, yes. Okay, but we’re looking in the three and four tiers. Yes, level four, most, for most non-profits. Okay, all right, we’re just going to go through the, uh, that twelve. Yeah, we can. Okay. Do all these twelve apply to the tiers three and four? They do. Okay, no matter what. Okay, okay. It’s just that simple. Should we just tick them off? We can. Twelve. Yeah, okay, is there anything else we need to, any other groundwork we need to set for people who don’t know this stuff, like me, and anything else I should know before we go through the twelve? Well, I think it may be important that even though you do these twelve steps, it does not automatically prevent you from being breached or unable to continue with these steps, right? But this is the industry standard, is the industry standard. So even if you are breached, you can at least say we’re meeting the industry standards. But we still got, you know, we still got our data stolen or breached, right? It’s, it’s not the, it’s not the end-all prevention from... Right, there’s almost nothing.
I mean, if you have a bad guy, or bad woman, in your office, nothing’s going to prevent that. Or, right, out of your office or out of it. So okay, all right, well, we can’t prevent one hundred percent. We could be industry compliant, and we’ll get into some trouble if we’re not industry compliant. Maybe we should just have a little more motivation. What happens if you decide you don’t want to adhere to the PCI standards? Are there civil or criminal Sametz people? There can be, yes, definitely. If you have a breach and you’re not compliant with PCI, or even if you are and you still have a breach, there are some potential ramifications. There’s actually quite a few. Um, most notably there’s some fees associated that your non-profit can receive, and there could be legal action taken against you, obviously, if there was something that came up that was a major issue for your organization. So you’re better off, obviously, if you are compliant. Can’t find them, Tracy? Can’t. Okay. Joshua said fees. It’s a lot of information. All right, give us an idea of a penalty. Regulatory notification requirements, that’d just be like letting people know that you had a data breach, which is not good. You’re a bad organization. You weren’t compliant. Definitely. Loss of reputation, loss of donors, potential financial liabilities like fees and fines, and in some situations, litigation could be taken against you. Okay. Okay. And in all those situations, you’re in a much better position if you’re PCI compliant. Definitely. Okay, all right. Still more motivation. All right, let’s start with our, uh, we got the twelve. These are the twelve DSS requirements. Yes, right. And what is the DSS again? Data security standard. Data security standard requirements? Yes. Okay, so number one is install and maintain a firewall. Pretty commonly done across most organizations.
But obviously important to keep in mind that it’s up to date and that you’re continually checking on its security and making sure that it’s working accurately. Um, yes. But you don’t have a three-year-old firewall. No, no. That’s not gonna do you any good. Okay. Ah, number two is do not use vendor-supplied defaults for system passwords. Okay, let’s dive into this a little more now. Passwords. Do you want to amplify what we should be doing with our passwords? Don’t use “password”. We had a panel yesterday. Password, one, two, three, four, five, six, seven, six, and p word or so, there was another one. Password with a zero for the o, that’s really common. We actually cover the top twenty five most commonly used passwords in the last year in our presentation. Right? We’ll roll a few off. These, they’re all bad. People, do not use... First one to say, this is a list of what not to do with your password, not what to do. Yes, exactly. Please don’t use these. This is good information for your daily life as well. So some of the top passwords are one two three four five six, password, one two three four five six seven eight, qwerty, more number strings, football, baseball, welcome, let me in, master, monkey, princess. My two favorites that made the list this year were solo and star wars. Solo and Star Wars. Yes. All right, so they’re related. All right, bad passwords. Don’t use these. You’re opening yourself up. I mean, the top twenty five passwords in the country. You’ve got to have something a lot more secure than one of the top twenty five, and you have to bet that hackers that are out there know these passwords are commonly used, and all the other, you know, simple variations, like using numbers to substitute for letters in the top things. You know, just don’t do it, for God’s sake. How much plainer can we make it?
And if you have passwords protecting your donors’ data, don’t use it across all of your different systems that your organization uses. That is very important as well. You’re saying have different passwords for the different software systems? Absolutely. All right, so don’t use the user default, I mean, don’t use a default password. What else was buried in that one, Tracy? There’s a little more, I thought. Um, that was it. Don’t use vendor-supplied defaults for system passwords. Now you’re decent password. Joshua, want to read the next one? Protect stored cardholder data. So this is big now. Yeah, that starts going into your files and being sure that the information that you do collect is relevant and important to maintaining accurate files, handup, but keeping them in a locked, stored area where they tried to help me out here. What was the research on this one? You want to cut back your risk of someone getting access to cardholder data, obviously. And so you wanna make sure that if you are using digital systems, that you use encryption, truncation, or masking of card numbers, which means, masking would be if you have a set of credit card numbers, that your entire string, except for, say, the last four digits, which is the most commonly used way to mask a card number, all of those are X’s except for the last four numbers. So that would be one way to protect the data that you’re storing. Let me ask a threshold question similar to my, you know, accepting check question. What if you do credit card processing, but you’re not storing credit card numbers? You’re still going to be able to benefit from, you know, credit card transactions, right? But just don’t, they have to store the numbers, what’s the advantage there? You don’t.
So I would say that most nonprofits are using some sort of external service to actually process card data. They, of course, as the merchant in that situation, do have access to card numbers for a short period of time when they’re transitioning it from their hands into their processor’s hands. Is it microseconds? It’s seconds, but you never know what could happen, and you also never know, especially if it’s in a digital situation, who could be watching what you’re doing. That also includes the last four digits of a number or the expiration date as well. That all pertains to cardholder data. So even if you’re only storing the last four digits? Yeah, you have to do this. We’re going to make sure it’s secure. Okay, so storing all sixteen and storing only four, no difference, you have to do all these things. All right. It’s all right. So all right, so back to my simple-minded question, maybe. Do you need to store... right? So I’m asking, do you need to store it? You’re saying you do have it in your possession for a short time, the microseconds or whatever, that it goes to the processor. That’s still considered you storing it? Right. And how did you get that data to begin with? That’s the other question, to come encrypted. It has to come in in some fashion. So, I mean, could it be a donation envelope that had that information written down on it? What do you do with it after you’ve processed it? Donation envelope, can you shred it? What if you just shred it? That would be a great way to get rid of it. Okay. Or burn it. Burning. Well, about having... that’s always dramatic, but it actually works. We’ve talked about having burn piles in the office. You have a PCI burn party. You could, end of every week. Yeah, yeah. But you just want to make sure that it is completely, you know, it’s completely out of your hands, you no longer have access to it anymore, especially when it includes all of that really important cardholder data. Okay?
And we’re talking about address, name? Just a number? Correct. Not just the card number, but their mailing address, their zip code. That’s the kind of stuff you do need to save because you want to do mailings. Correct? Yeah. And most of the time, you know, that kind of information is stored on a donor management system, and those systems are secure, so you obviously have to have access to them using a login and password, and that information generally is going to be secure as long as you’re using a really good password. Obviously. Yes, we covered that one. Don’t go back now. We have twelve to cover. I’m sure we’re gonna get it, but they all work with each other. That’s, your sister, all right. Like what you’re hearing on Nonprofit Radio? Tony’s got more on YouTube. You’ll find clips from stand-up comedy, TV spots and exclusive interviews. Catch guests like Seth Godin, Craig Newmark, the founder of Craigslist, Marc Ecko of Ecko Enterprises, Charles Best from DonorsChoose.org, Aria Finger, do something that worked, Naomi Levine from New York University’s Heyman Center on Philanthropy. Tony tweets too. He finds the best content from the most knowledgeable, interesting people in and around nonprofits to share on his stream. If you have valuable info, he wants to retweet you. During the show, you can join the conversation on Twitter using hashtag nonprofit radio. Twitter is an easy way to reach Tony. He’s at Tony Martignetti, M-A-R-T-I-G-N-E-T-T-I, remember there’s a G before the N. He hosts a podcast for the Chronicle of Philanthropy. Fundraising Fundamentals is a short monthly show devoted to getting over your fundraising hurdles. Just like Nonprofit Radio, Tony talks to leading thinkers, experts and cool people with great ideas. As one fan said, Tony picks their brains and I don’t have to leave my office. Fundraising Fundamentals was recently dubbed the most helpful nonprofit podcast you have ever heard.
You can also join the conversation on Facebook, where you can ask questions before or after the show. The guests are there, too. Get insider show alerts by email. Tony tells you who’s on each week and always includes links so that you can contact guests directly. To sign up, visit the Facebook page for tonymartignetti.com. I’m Jonah Halper, author of Date Your Donors, and you’re listening to Tony Martignetti Nonprofit Radio, big nonprofit ideas for the other ninety five percent. Joshua, read another one, please. The next one: encrypt transmission of cardholder data across your open, public networks. So if you are a larger non-profit working, you know, with the main central office, you want to make sure that any of the cardholder data that you are sending is encrypted, you know, meaning you’re using... No, sorry. What sort of encryption protocols are in place. Couldn’t find the words. Okay. All right, so you need to know, you need, yes, you need some kind of expertise to know that your encryption protocol is correct. Yep. Okay. And that includes obviously working with your particular vendor that’s processing your cards for you, that the system that they’re using is going to also encrypt the data for you. Okay, that was a two-way street, that they’re encrypting also. All right, what else we got? Joshua, let’s... Go ahead. You would protect all systems against malware and regularly update antivirus software programs. So that McAfee system that’s always bugging you in your bottom right-hand corner to update, you want to make sure that you’re continually keeping up to date with those, and updating to the latest software, especially with your donor management system software as well, so any bugs could be worked out routinely and kept up to date on this. Okay, okay, that was malware, was an antivirus, that is now wearing it tomorrow. You want to make sure they’re up to date and that that’s system wide, too.
Obviously, a lot of, you know, large organizations have hundreds of computers that are using that network. So you have to make sure that every single device that’s accessing your network is secure and updated on a regular basis. Okay. Okay, Tracy, want to, don’t you give us a couple? All right, number six, develop and maintain secure systems and applications. So that’s just basically saying, you know, there are tons of vulnerabilities out there to your security system, and the landscape is constantly changing, so you need to make sure they’re up to date with, you know, vendor-provided security patches, kind of like what Josh was mentioning with your donor management system, that you’re keeping it up to date if there’s any updates that come out with that, and that all systems have software patches and are just, you know, you’re managing and maintaining them on an annual basis. Okay, this sounds like another one that is pretty common sense. You should be doing this anyway. Yeah, irrespective of your storage or not of credit card data. Yeah, be cognizant of who has access to that data in your office as well. Okay. Okay. Area, right. And what machines it’s on. Yes. All right. All right. So number seven is restrict access to cardholder data by business need to know. So that just basically means that the people within your organization that have access to cardholder data is limited, and that it’s only the people that really need to know what that data is. So you just, you know, you want to have someone who’s the authorized person to take care of those transactions, and that it isn’t open to just anyone, you know, accessing that information. And you really should just generally have a deny-all setting for things like processing cards. Deny-all setting, what does that mean? It just means that for the baseline, no one has access to it.
But that there is, you know, one, or there are one or two people that do. So the default, the default is no one touches them, and then we work up from there. Correct. Okay. Okay. Yeah, yeah. I mean, this should be in the hands of your donor-centric gift processing department, wherever that is, someone on the development team, right? But, you know, like the director of development and the vice president for institutional advancement, do they need to know credit card numbers? Not necessarily. No. Yeah, probably depending on the size of your organization. That’s true, that could be the gift processor. Yeah, director of development could be the gift processor. It’s all right, but yeah, fair. Okay, let’s give Joshua a shot here. Let’s see, identify and authenticate access to system components. So it’s really important to... this here goes back in and ties in some of the other, the last two. You want to uniquely hold everybody accountable for their actions. So the people who do have access, who are processing the cards, you have a system set in place where they have the checks and balances needed to go through the crucial data and systems that can be traced back to them. So a lot of the systems that are in place, you can track who actually processed that credit card, who accessed that person’s record, because just record in their dinner, we should be able to trace back all transactions and viewings and things like that, all right? Yeah. Okay. Is that standard in CMS systems? Absolutely. Yes. You just have to make sure, obviously, that when you set it up for your organization, that you make sure that each person has their own unique login. So, like, for example, sometimes it’s like admin dot development, that’s not really going to be effective in tracking. Four people, could be twelve people. Exactly. Disaster, if it’s more than one. The chicken finger point yet. So all right. You’re right. You have to have unique log. Yeah.
Giving each person their own unique identification. Okay, report. All right, go ahead. Who’s next? Restrict physical access to cardholder data, which, ah, Tracy is a really good example of this. When she used to work for a nonprofit... It is really embarrassing. We won’t name the non-profit, but she probably could tell the story better. But I attended this organization’s fundraiser a year before I started working for them. And they tried to kind of daisy-chain a system together to be able to capture credit card information at check-in. It failed them on that night, and their internet dropped, and they couldn’t collect cardholder information to process card payments for purchases made at the event. So they walked around with donation cards and just had people hand-write in all of their credit card information on these donations. Pretty common practice, you know, not unusual. However, I start working for the organization years down the road. I’m going through some old files, and what do I find? All of the donation forms with everyone’s credit card information from that event, which was three years previous, was just laying in an old file. Disaster. God, numbers, addresses, everything. Expiration date, everything. Security codes. Exactly what you don’t want to have happen. So I, you know, I can attest that, you know, this kind of information needs to be out there in the nonprofit world. And organizations really should be considering following the PCI guidelines. You should be just doing it. Yes. Okay. What a find. Oh, my God. I got a chill. I don’t think it’s the air conditioning. Today, afternoon, the air conditioning came on. I would say maybe it was the air conditioning, but today it’s not blasting. Yeah, that really is chilling. It is. What did you do? I immediately shredded all of it. Yes, absolutely. I think they had a burn party, bonfire, fire departments to be on call. And what about now?
Did you bring it to the attention of management there? Absolutely, yes. Yes. That changed their... Yes. Behavior? Yes, definitely. You know, a lot of things have changed since then. It was just, you know, it was an oversight on someone’s part along the way, and it just kind of got forgotten in the shuffle. And, you know, it was just one of those things that happened, and you just have to... you want to minimize the risks of exposure to that kind of problem within your organization. Let’s move on. Go ahead, Joshua. You want to track and monitor all access to network resources and cardholder data. So if you are storing the physical copies of the last four digits of the number with everything else blacked out or anything, you want to have that restricted access in a locked filing cabinet with one person having the key, and you want to know who has it as well. Okay, excellent. Locked access, one person, one person. Key is pretty common sense. Pretty simple, but, uh, they’re easy to spell out and miss one of these. Yeah. Okay. Now what if that person, ah, is sick for a day? You know, shouldn’t there be some redundancy? Like we have multiple people who can sign checks, should there be a second key holder, so that if a person is out for a day, we need to access that? Yeah. You know, we definitely encourage that. You don’t want to give all of the keys to the kingdom to one person. There shouldn’t be one individual person that’s accountable for all of that data and access to that data, so there definitely should be more than one person that’s managing. But there still has to be control, like, maybe have to sign in? Correct. You know, which is an honor system. Okay. Or maybe now, don’t we use this to, um, where this data is stored in this physical location, maybe there should be a camera focused on that spot.
Just like we have cameras that are focused on the desk where the cash gets counted. Right? Okay, so that would be a method of determining who’s been in there. Okay, go ahead. Um, did you just do ten? Okay, all right, eleven: regularly test security systems and processes. Test. Okay, how do we do this? So, obviously, you know, you wanna have a security policy in place, but if you don’t test it to make sure it’s going to work, it’s not going to work. So there could be a potential gap somewhere along the way that you missed, and the only way you’re going to find out that it was missed is by testing. All right. So what are we testing? We’re pretending there was a breach? If you have that camera set up, are you actually actively looking at the camera occasionally? Are you testing your checks and balances? Right. Or does the video get re-recorded over every twelve hours? Exactly. Or maybe, you know, maybe seventy two hours is okay. I don’t know how long. Maybe it should be a week. I don’t know, but yeah, if it’s too short, the video is worthless. What else? What else? I mean, how do you run these tests? What are you testing? So, I mean, you want to test all of your, you know, excuse me, all of your software components, those need to be tested on a regular basis, and that your network is continuing to be secure, that you’re updating and changing passwords to be able to access your network. You know, this is one of the areas of the PCI that’s kind of, it’s definitely the most important because lots of people don’t conduct those scans. Um, but it’s frequently overlooked. Okay, how many do we have left? That was eleven, or twelve. All right, maintain a policy that addresses information security for all personnel. Gotta have a policy, right? Absolutely. Information security. Name, just tick off a couple of things, and then we got to wrap up, that should be in your policy. Yeah.
So you want to make sure that you have a usage policy for technology. So if you’re giving access to computers to your users, you want to make sure that, you know, you have things in place to ensure password security. So you want to have restrictions on what passwords can be, how many characters it has to be, and... Let’s... Joshua would give the last word another tickle. Fight him on this number twelve. And this needs to be policy. Yeah. This needs to be in congruence with your privacy policy that you display with your donors as well, so that they know that you’re being good stewards of their data. Okay. Data as well as biographical and all the other demographic info that you have on them. Absolutely. Okay, we gotta wrap it up there. That’s, ah, Tracy Lords, community marketing manager for Greater Giving. And Joshua Alan is an engineer, solutions engineer, that’s also at Greater Giving. Okay, Tracy, Joshua, thank you very much. Thank you. Tony Martignetti Nonprofit Radio coverage of 16NTC, the Nonprofit Technology Conference. Thank you for being with us. Next week, a new accounting rule that you need to know. Do not roll your eyes. We will make it interesting. I will. I guarantee it. This is going to be with the huge tomb who’s been on the show before. If you missed any part of today’s show, I beseech you, find it on tonymartignetti.com. Sponsored by Pursuant, online tools for small and midsize nonprofits, data driven and technology enabled, pursuant.com, and by We Be Spelling, supercool spelling bee fundraisers, we b e spelling dot com. Our creative producer is Claire Meyerhoff. Sam Liebowitz is the line producer. Gavin Doll is our AM and FM outreach director. The show’s social media is by the excellent Susan Chavez, and this cool music is by Scott Stein. Be with me next week for Nonprofit Radio, big nonprofit ideas for the other ninety five percent. Go out and be great.