Michael Enos: Beat Back Cyberattack
Cyberattacks against nonprofits are on the rise. While you cannot avoid them, you can make them a lot less likely to cost you big money, your data, your reputation, your donors, and your employees. Michael Enos from TechSoup helps us out.
Listen to the podcast
Podcast: Play in new window | Download
Get Nonprofit Radio insider alerts!
We’re the #1 Podcast for Nonprofits, With 13,000+ Weekly Listeners
Board relations. Fundraising. Volunteer management. Prospect research. Legal compliance. Accounting. Finance. Investments. Donor relations. Public relations. Marketing. Technology. Social media.
Every nonprofit struggles with these issues. Big nonprofits hire experts. The other 95% listen to Tony Martignetti Nonprofit Radio. Trusted experts and leading thinkers join me each week to tackle the tough issues. If you have big dreams but a small budget, you have a home at Tony Martignetti Nonprofit Radio.
View Full Transcript
Transcript for 631_tony_martignetti_nonprofit_radio_20230313.mp3
And welcome to Tony-Martignetti non profit radio big, non profit ideas for the other 95%. I’m your Aptly named host of your favorite abdominal podcast. Oh, I’m glad you’re with me. I’d suffer the embarrassment of a phone. Yah. If I had to speak the words you missed this week’s show, beat back, cyber attack, cyberattacks against non profits are on the rise while you cannot avoid them, you can make them a lot less likely to cost you big money, your data, your reputation, your donors and your employees, Michael Enos from Techsoup Global helps us out on tony steak too. Get in people’s faces again. It’s a pleasure to welcome Michael Enos to non profit radio He is senior director of community and platform for Techsoup Global. He began his professional career in technology in 1996 and has since led team, tech teams at the national and individual office levels in increasing responsibilities on Mastodon. He’s at Michael underscore Enos at public good dot social and tech soup is where you’d expect them to be at techsoup dot org. Michael, welcome to non profit radio [00:01:42.03] spk_1:
It’s great to be here. Tony Thank you for having me. [00:01:46.69] spk_0:
My pleasure. My pleasure. Let’s please explain the work of tech soup. I think it’s so valuable, so many billions of dollars of software and hardware transferred to nonprofits. Make sure, let’s make sure everybody knows what techsoup is doing, [00:02:52.57] spk_1:
you know? Absolutely. I mean, essentially our, our mission is to help civil society, organizations worldwide um better leverage technology to create impact in the missions um that they serve and to build communities. Um You know, that, that then can then foster that, that, that, that impact globally. Um We do that through a number of different ways. We do that by facilitating philanthropy from large tech donors. Um And you know, most of which are the ones that are just, you know, household names. Um We also do it through uh courses, services, consultations, um and through connecting organizations with each other and through also through engagements like this where we try to really uh to blogs, webinars and other facets where we help organizations understand how they could use tech um and protect their tech to uh enable uh and further have impact for their, their communities. They serve, [00:03:17.12] spk_0:
I saw on tech soups website today, Microsoft Office or Microsoft 3 65 for a dollar. So [00:03:18.55] spk_1:
that’s an example, right? And if you were to go to uh you know, Microsoft for nonprofits or Google for nonprofits, for example, um you know, the data validation platform that validates organizations worldwide is managed by Texas So, ultimately, we, we, we do many things but we’re also sort of a, I guess, data leading partner for, for a lot of these organizations that want to understand and make sure that their philanthropy is going into the right hands. [00:03:48.25] spk_0:
You have, you have local uh connect groups to techsoup, connects groups. [00:03:54.10] spk_1:
That’s great. That’s right. [00:03:56.21] spk_0:
Yeah. You know, I know, I know you’re, well, you’re director of community and platform. So is that, is that part of your work [00:04:42.76] spk_1:
director? I mean, you know, you know, I support that, that organization that we um we have, we have lots of different um areas and, you know, and, and in my role, I support them all um platform is a lot of the, you know, I oversee our enterprise, infrastructure and security as one of my fundamental sort of roles. I mean, obviously with the, with their expansive amount of technology that we have, that runs our platforms that, that consumes a lot of my time, but also the community side because of my background working in the tech for good space, you know, since, you know, for the length of my vocation, um you know, I have, I’ve accessed as a resource for a lot of other groups, including the connect group for when they need, you know, to understand, you know, how to, you know, for, for things like this and for, for other things um to help our communities um better leverage to the tech that they use. I mean, it’s one thing to, to uh provide the technology. It’s another thing to actually help people, you know, provide them the enablement to be able to use it and optimize it. [00:05:08.91] spk_0:
Are there local meetups are the group’s going back [00:05:50.06] spk_1:
to? Exactly. There are, there, there are, you know, communities within the regional and our, and that’s part of our connect program. Um And eli, the guy who runs that and, and the group that runs that are very, very energetic and it’s very community driven, which, which is fantastic and we’re sort of an enabler and facilitator in that work, which is wonderful. And that stems from the early days of us being part of the early groups that were involved with the, you know, tech for good space way back when technology was first getting launched, you know, and the internet was first launching different [00:05:51.33] spk_0:
types of work. I mean, you know, n 10 doesn’t do consulting, which I wanted to ask you about very shortly. But, you know, they don’t do tech grants necessarily, but all, all very parallel with, with N 10. [00:06:26.73] spk_1:
Yeah. Correct. And, and we, we have a close partner to put 10, 10 and, and we attend the events and such and we’ve long been sort of affiliated with that demand and other and other groups like like 10, 10. Um and we have partnerships that sort of expand throughout the different communities. Um And, and we try to be involved globally as well. You know, so there’s this sort of, you know, there’s the U S side of it, but then there’s also the everything that we’re doing outside of the U S and abroad because, you know, it’s um civil society is international and so, and tech soup is really involved with, with things not just within our own borders but, but outside of them um globally. [00:06:50.58] spk_0:
Are you going to 23 NTCC the conference? [00:06:51.42] spk_1:
Um myself. No, I’m not the, I know we have some, some other representatives that are there. I’ve been to many of those uh this year. I’m not specifically going, but we will have some representative from Texas there. I’m [00:07:03.64] spk_0:
sure. Yeah. And non profit radio will be there as well. We’ll be on the exhibit floor. [00:07:07.67] spk_1:
Excellent. That’s fantastic. Yeah. Yeah. Well, I’m sorry, I’m not going to be there to be in person to meet [00:07:12.61] spk_0:
you. That’s all right. There. There are others every, every spring and [00:07:17.31] spk_1:
virtually, by the way, [00:07:18.97] spk_0:
that’s true. There is hybrid this year. That’s right. Um And, and texture is also consultants to consultants to nonprofits. Let’s make sure folks understand that too. [00:08:46.84] spk_1:
Yeah, I mean, we, we provide, essentially, we help organizations connect with other organizations that then provide consultant services. We do some ourselves, but it’s very specific to some of the um because we, we provide a lot of, you know, what we’re doing to, to skills. So to speak what we, what we have is we’ve partnered with other organizations through our platforms to, to align organizations depending on exactly what type of consultation they need to inappropriate sort of resource for them. Um And that’s more uh our, our model in terms of we’re sort of a connector. So for example, if somebody needs, you know, specific sort of technology assessment uh for implementing uh Microsoft, we may do some, but then if it’s more advanced, we may work for them to, to impact or an organization that we partner with and then they provide that as a service to that organization. So, and we have other partners like that, who provide those similar sorts of services that are more hands on and direct than what tech soup can provide at this moment. And we may may expand that more and do some of that um more, more stuff ourselves and, and we are developing that and some of our customers success programs. Um and we do run a lot of sort of in the office programs where people could have webinars. And I’ve spoken in a few of those where we do it in in depth dive of a particular technology so that organizations can learn how to use them. [00:09:00.19] spk_0:
I’ve always considered the big three to be Tech Soup N 10 and tech impact in terms of technology for nonprofits and, and all three of those of course, are nonprofits themselves. Right. [00:09:12.87] spk_1:
Exactly. Yeah. All right, [00:09:15.44] spk_0:
let’s talk about cyber attacks. Uh They are on the rise against nonprofits. What, what, what are you, what are you seeing? We’re going to get into the details, of course, but overall general, you know, kick us off. What are you seeing on this front? [00:11:31.28] spk_1:
What, what we’re seeing is a lot more, um, targeted attacks, which, which is, which is unique because there’s, you know, speaking broadly about cyber activity, you know, there’s a lot of noise on the internet. There’s, you know, just all these robotic sort of in these bots that are flying around trying to find targets, right? And they’re sort of just, you know, you know, I guess, you know, they’re, they’re doing drive by sort of evaluations to see of anything, you know, just to see if there’s anything that they could get a finger in or, you know, just to explore and see if there’s sort of a, you know, something that they could find in there. What we’re seeing now is more targeted attacks, meaning there’s a specific purpose to it. Like somebody’s like, well, you know what we think that, you know, this is a, you know, a specific type of organization, they’re involved with a particular type of activity and we’re interested in knowing who’s donating to that activity and whether or not we could possibly have access to that information because that might be valuable or perhaps to the constituents that they’re serving because maybe that information is valuable as well, maybe for either financial reasons or, or, or or political reasons. And so we’re seeing a little bit more of that or, or perhaps because we really want to cause disruption in critical infrastructure. And one thing that um this is sort of a broader trend in cyber security around targets towards critical infrastructure and myself and and others in this space believe that civil society, organization data is part of critical infrastructure and critical infrastructure. So I mean, people are targeting things like, you know, we’ve we’ve heard about the target on power grids and uh gas pipelines and such. And you know, if you think about data that’s relative to communities that are specifically vulnerable in certain context or, or have access to information about others, then that’s critical infrastructure because we need these organizations to function in society. And so, you know, there could be other actors who say we want to disrupt that particular critical infrastructure for some reason and that reason could be varied just like it is for why people would disrupt any sort of critical infrastructure. [00:12:55.08] spk_0:
I have an example that is pretty close to home. I I I own two homes in North Carolina. One of them was affected by that shooting at uh at the electrical substation in that was, that was in Moore County, North Carolina. Um And there’s a, there’s a possible correlation that, that that attack was to prevent a drag queen show from going on in the little town of Southern Pines, North Carolina, which is served by that substation that got shot at. Um So, I mean, it sounds like you’re saying, it’s not that far a leap like, you know, 11 cadre of bad actors uses guns. Another cadre of miscreants could be hackers that are looking for data at that maybe at that theater or, uh you know, among a nonprofit that may have been involved with [00:13:45.30] spk_1:
maybe maybe the intent at the attendance list or the people who are donating to that event. And so, you know, this is the type of data and like I said, there’s, there’s different reasons why somebody might be targeting certain data. But this, these are the, this is, you know, this is like bingo on the nose, this is the kind of stuff that, that we’re seeing more and more and we’re very concerned about and why we’re really like soup is really sort of launching this um effort to help educate organizations on how to improve uh and understand what cyber security means in this space and how to prioritize it, but also how to um sort of get through the sort of complexity of it and, and, and find simple ways to knock off low hanging fruit to make it sort of actually, you know, doable for them with given their budgets and given their constraints that we a lot of smaller organizations in the, in the space you know, have, generally, [00:14:39.67] spk_0:
it feels like in our polarized culture that there isn’t a nonprofit mission category that would be exempt from, from possible attack. I mean, you know, even feeding, feeding the hungry, you know, I could conceive of that being objectionable to some group of people that feels like why do those folks get food and, and I don’t get food or why are they entitled? And I’m not, or, you know, something that seems innocuous and purely beneficial. I, I can imagine, uh, another cadre of bad actors deciding that it’s, it’s, it’s worthless or worth worse than worthless. It’s detrimental to our culture for some reason and wanting to attack it. It doesn’t, it doesn’t feel like any particular mission would be more vulnerable or less than, than any other. [00:15:59.15] spk_1:
Um, you’re correct. And one of the other things that is, has changed in, in this, in this sort of, you know, over time that I’ve seen is the availability of the tools to be able to perform exploits before you would actually have to be, you know, pretty well versed in hacking to be able to do any harm right now. It’s, you can, you can buy the service. I mean, you could just go to the market on the dark web and just say, hey, you know, I want to buy this, you know, uh, this hacking kit, you know, and, and, and, and there’s youtube tutorials on how to do it. I mean, it’s becoming, and, and these are, the tools are free and readily available. So what we’re seeing more of is not only just this trend of people wanting to and, you know, and maybe that hasn’t changed, it’s just that it’s more accessible, right? But, you know, people wanting to, you know, target communities and, and, and, and also try to find valuable data within these communities, but also their ability to do so it’s become easier and there, you know, and, and so you combine those things together and that’s why we’re seeing the trends we’re seeing. That’s one of the reasons [00:16:21.11] spk_0:
you no longer have to be a sophisticated computer user. It doesn’t take a lot of study, you’re saying these things are available for cost or free to cause harm. All [00:16:29.81] spk_1:
right. [00:16:39.80] spk_0:
Alright. So how do we, how do we break this down for folks in small and mid sized nonprofits, you know, that, that they can sort of prioritize? I mean, is it as simple as let’s start having universal two factor authentication for everybody on your teams or maybe that’s passe maybe, maybe we’re past that now. I don’t know, how should [00:19:30.66] spk_1:
we, you know, you, you make a good point. So for example, like the first thing I think people should do is, you know, or, or what you know, uh would be recommended and to think about it is to do the basics. Okay. What things like what you mentioned is like like multifactor authentication, um you know, anti malware on their clients, keeping things up to date and, and making sure you have backups of your data, these are sort of the basics, right? And so apart from the basics, though, you know, the next step above that is to then start looking at what we call privileged access management or role based security, not everybody needs to have access to everything, right? So, so, so let’s say, for example, a system was compromised with somebody’s permissions or credentials, depending on what they have access to, they could only do so much. And so there’s a, there’s a, there’s an important concept in cybersecurity that we call the privilege, the principle of least privilege. So, and that sort of dictates that a person really only needs access to the information that they need to do the role that they’re trained to do in their specific function. So if, if, if somebody is, you know, in I T, somebody who’s familiar with I T systems, uh they understand sort of the complexity involved and they may have access to privileged systems where they can perform things and have access to that sensitive data, but not the entire organization, right? And so we call that privileged access management. And sometimes, especially with today’s as we’ve moved into the cloud more when things get fired up and somebody spins up an app in the cloud, the cloud as well, generally have some basic role based permissions like the admin, you know, maybe a super user and then maybe some groups and then, and then just the regular users, right? You don’t want to give everybody admin rights. And so because then if somebody, if that just, that just provides more exposure and so these are small things that don’t take a lot of time or effort really to just sort of that, that’s a little bit beyond the basics though because um you know, and you know, for, you know, tech soup, for example, provides, you know, office 65 or 65 go for, for, for work space organizations. And once we, they provision, the next step is to really go in there and sort of harden them a little bit and lock them down and to go through that steps and understand what that looks like. So that um as people start doing things like maybe downloading spreadsheets that contain donor data or customer data that it’s not, somebody can’t accidentally just share that with somebody, you know, outside the organization or, or that becomes available on the general public internet. [00:20:02.06] spk_0:
So how do we execute some of these things that are, that are more advanced, you know, beyond the backing up the multi factor authentication. Alright. So if you move into privileged access management, we need a, we, we either have a C T O which most listeners probably don’t or we need some outside help. [00:21:13.19] spk_1:
No, actually, I think that a lot of these, you know, cloud based applications will provide guidance. The good news is is that they have an interest in protecting and wanting you as a, as a customer as well as, you know, the fact that it’s a shared data model. And so the the better that they do in terms of providing information about how this works, the better, you know, the, the the, you know, the people who use that product is going to benefit from it. And so generally in these, you know, you know, and these things aren’t if you have somebody who is at least responsible for the deployment of the technology and they don’t have to be an advanced, you know, computer scientists to do the work of the cloud app then. But somebody should be sort of designated within the organization to ensure some of the basics about the way data is handled. And, you know, getting to one of the export points, I wanted to bring up one of the most important things to understand for an organization is what data do they have? Where does it live and what is the value of it? And what is the value of Michael before we, before [00:21:22.02] spk_0:
before we move to what, what’s our data inventory? I want to emphasize this, I wanna emphasize the value of being in the cloud. So there is there is value to using uh CRM databases that are cloud based versus server based at, in your office anymore. [00:22:47.49] spk_1:
Correct. And for so many reasons and, you know, uh, and, and moving to that topic because a lot of the ways that systems are oftentimes breached is because what things we mentioned earlier, such as they’re not patched, there’s, um, not, not very good perimeter security on them. These things are taken care of for you, um, and they’re not backed up regularly. Um, those things, these things are taken care of for you in a sassy application. Um If it’s, if it’s a robust SAS application, like the kind that takes provides. And so when we, when we go to, you know, vet an offer that’s going to be in our marketplace, we we, we go through the list to ensure that this is gonna be a product that will serve the pole, the test of time and actually will, will be robust in, in the requirements necessary for our organization to protect their data. And so, and, and so that leads to, you know, also that making it more but maybe a little bit easier for organizations to then lock down their cybersecurity because they don’t have to have experts come into their closet or their data center and, and do this configuration and do all these updates are very technical on their firewalls and all the hardware and everything all the time in their own infrastructure, it can be managed within the cloud by people who are not necessarily have that sort of, you know, the Cisco CCN a sort of certification? Alright, [00:23:07.85] spk_0:
thank you. I just, I wanted to drill down absolutely. Very [00:23:11.75] spk_1:
good point. [00:23:15.98] spk_0:
The value of from a security perspective, the value of the cloud. Alright, so let’s go to what you were, you were headed to what your data inventory, what what do you have? What what do we need to be? What do you want us to think about their? [00:23:32.71] spk_1:
Yeah, so no data is not all data is not created equal, so to speak, right? So we have, we have data that it’s just things like, you know, my notes when I’m, you know, talking in a meeting or something like that. Okay. There’s nothing valuable with that. It’s, you know, generally not containing anything that’s sensitive. It’s sort of my notes from a meeting. Okay. Now, if that is something that, you know, maybe I don’t want to share, but it’s not something that, you know, if a hacker birds look at that so I can’t sell this and it doesn’t contain anything that’s gonna, I can do any harm with. Right. [00:24:09.30] spk_0:
Well, it might depend, it might depend who’s leading the meeting. You might have different, you might have different sets of notes depending on who’s leading your meeting. You know, you might be commenting on the commenting on their uh I don’t know their, their capacity. I mean, not to suggest [00:24:16.36] spk_1:
that people [00:24:30.71] spk_0:
know, I’m actually, I’m actually having fun with you like, if somebody at tech soup was not a very good, not a very good speaker or supervisor, you know, then those notes you might not want in the public domain. But if the person is carrying their weight and they’re generally a good, good employee, you know, you have a brighter set of notes that you wouldn’t feel bad about getting exposed. That was my, my point. I guess I wasn’t, I wasn’t coming, I was coming across so dry. It was, it was desert, it was desert dry. [00:27:18.46] spk_1:
No, I’m glad you brought into it. The, the, yeah, the types of data that you know, we think about when we think about the difference between data privacy and data protection to me, they’re very linked, right? So we, we have a responsibility to protect people’s data and the privacy of their data, but also to protect the security of that data. And so, you know, fundamentally speaking, generally in organizations in the sector, there’s gonna be some, you know, information that’s sensitive or may have some value and if we identify that and identify where that lives and then focus our energy on securing that, making sure that that data is backed up. Um and, and testing access to it, that’s, that’s, you know, if you have limited resources, that’s the place to really focus your attention. And then the other stuff is great. I mean, and use using robust tools like we provide um in our marketplace such as box for document repositories or even sharepoint, those can all be really configured for. So any type of theater, like even my notes from, you know that, you know, or my supervisor notes about me or your notes about me can be secured, you know, um you know, in a very robust way or shared. And one of the things we’re seeing, for example, especially the document collaboration software, it’s very easy to share things. They make it very easy to share with anybody, right? Just click and it always says like share with anybody with link, you know, you know, and so if you, if it’s something like, oh, you know, um uh oh somebody just sent me, you know, or they told me to put in my, you know, take a picture of my passport or something and, and stick it in here, right? And, and I, and the somebody has in the human resources once said, oh, I’m just gonna share this link and make it copied everybody. Now everybody has access to your past potential, everybody has access to your passport photo and I D so, you know, these are the things that we just have to sort of like start thinking twice, which brings me up to my next point. Um Security awareness within organizations, cybersecurity awareness, I cannot stress enough how important it is for organizations to have a cyber security awareness program within the organization. This these programs don’t cost a lot of money. They don’t take a lot of time and they go a long ways to prevent Uh an internal mistake that could lead to something 80% of cyber attacks happen from the inside. [00:27:27.33] spk_0:
What does this cyber security awareness program look like? [00:28:34.34] spk_1:
So essentially, so for example, um they’re usually conducted on point of like orientation for an employee that comes into an organization and they go through a video, you know, provided by a platform like no before which is in our marketplace. And, and what they do is they sort of go through this, this methodical sort of, you know, force to teach somebody about fishing about sensitive data about ways that people try to get access to information, either through cell phone, fishing through text fishing through um email phishing or through other means to or even on Slack to say, to try to fool you into providing some information um that they, that they can use a huge trend in this arena is what we call impersonation fishing. It’s a specifically targeted phishing email that looks like it’s coming from somebody within your organization such as your CEO, your CFO or uh the human resources director asking you to provide or update your banking information. And it’s very carefully crafted, crafted, it looks just like that and you really have to do a lot of due diligence to really go through there and say, oh, did this really come from our CEO having [00:29:03.26] spk_0:
Haven’t there been cases where like a spoof email like this says, you know, wire $50,000 to this vendor account. You know, we’re, the payment is overdue. We need to wire this payment ASAP. And of course, it goes to the Bad Actors account. Isn’t there? Stuff like that? It looks like it’s like the treasurer saying, send a wire or the CEO saying, send, make a payment. [00:29:40.35] spk_1:
That’s right. Exactly. And, and, and we’ve, um, and if you have an organization and people haven’t been trained to recognize that, you know, if somebody’s asking you for something and it’s something of value, double check it, you know, and, and to contact that individual in a different channel and say, did you really need me to send $50,000 in this wire transfer? I just want to check is this actually came from you? There’s other ways that they teach you in these orientation platforms or in these um security awareness platforms to check the email headers and, and the simple things, but essentially that’s the gist of it. And that’s why security awareness training is so important. So, so people are on their toes when they’re actually doing their work, [00:30:03.43] spk_0:
do you recommend then ongoing training? You talked about orientation, [00:30:51.51] spk_1:
there’s, there’s an orientation training and then, you know, most organizations will have it mandatory that they do an annual training and, and this just as a refresher course and also things change. So, you know, the space changes. Sometimes people are doing it now because of the trends more often like every six months. And then specifically for people who are in jobs where they’re doing data handling for, let’s say they’re doing data processing, they work in the donor uh services program or something where they’re managing sensitive data all day long. They’ll be specialized courses for people who are, are actually dealing with data on a day to day basis. So that’s a little bit more involved in terms of actually how to understand and, and that goes into things like, don’t download, you know, a C S V file on your computer and stick it onto a, you know, um, a thumb drive on your computer or transported or, you know, don’t, you know, send out, you know, via email to, to a coworker and, and these sorts of things that are specific to handling sensitive data. [00:31:04.59] spk_0:
Okay. Interesting. Yeah. So even, even just emailing internally from employee to employee can be risky, [00:31:37.20] spk_1:
yes, it can be stiff. It’s, and, and there’s because, for example, if, because that’s actually it’s going to stay within that email store wherever that is located. And it’s, um, if it’s unencrypted, it’s gonna be, it’s gonna be encrypted during transit, for example. Um, and, and encrypted at rest. But if somebody else had access to that access to your email server or a privileged access in your system, they could potentially go in and, you know, take over that account, log in as the CEO and have access to the deed and actually browse emails for, you know, and actually do queries and look for credit card information or, or look for email addresses and then they could potentially find information about donors or, or, or, or constituents that sensitive. [00:35:08.08] spk_0:
It’s time for Tony’s take two. It’s time to get back in people’s faces. Again. Last month, I did a in person live face to face in person training on Long Island. I was in New York City for several days. What a joy. What a pleasure. What a difference, an improvement, you know, over virtual trainings. I mean, look zoom is, I’m all flustered. Zoom is, is necessary and I’m not saying necessary evil. It’s, it’s, it’s a part of the culture, whether it’s zoom or teams or Google meet, you know, whatever virtual meetings, they’re just a part of our lives now. No question about it. But don’t make those the default if you have the option to get back in front of people in person, I urge you choose that option. Uh You know, I could have passed on the opportunity to do the in person training, but I didn’t want to, I didn’t want to donor meetings to while I was in the city face to face meetings again, coffee lunches. It’s just so much better, so much more real than anything virtual can offer. Um I had a meeting, lunch meeting just about 10 days ago or so with someone from Heller consulting, which is gonna be Team Heller. They’re going to be our 23 NTC sponsors at the nonprofit technology conference coming up in Denver And the woman who works for Heller happens to live within 45 minutes of where I live in North Carolina. So we got together for a, a real lunch. We had lunch together over the same table. Remarkable. You know, it’s yeah, more real authentic. I urge you if you can meet someone in person instead of virtual, do it, do it. It makes the world of difference. It’s time to get back in people’s faces again. Don’t make virtual your your default. If there’s another way first, I urge you to do it. That is Tony’s take two. We’ve got Boo Koo but loads more time for beat back cyber attack with Michael Enos. Talk about not preserving data that you don’t need to preserve. Like credit card numbers, full numbers for instance, or dates of birth or other things that aren’t necessary for you to preserve. Isn’t there, isn’t there value in trimming down sensitive data that you don’t really need? [00:35:40.17] spk_1:
Yes. And and one of the principal aspects of data handling is an optimization of data. So you know, there’s there’s transactional data that happens. And oftentimes, for example, with credit card things are processed nowadays, you’ll usually use a payment processor. So, you know, hopefully you’re not actually you know that server that actually storing that information is not on your box anymore because there’s, you know, you know, you can use an API and a web site and then it happened somewhere else and they take care of all that stuff for you. So, if your systems were hacked, they wouldn’t have access to the credit card data [00:35:55.19] spk_0:
or, [00:39:00.73] spk_1:
or Braintree or one of these sorts of services, you know? Exactly. And, and, and so those go to those payment processors and they manage all that, um, which is great because then you, it reduces the amount of exposure on your e commerce site or fundraising donor donation site. And if you’re using a donation software program, like, you know, donor perfect or one of these sites, that’s what they’re doing as well. You know. So they, you know, because, because they, they want to use because that you really have to have the best of breed technology to be able to make sure that that stuff gets that, that’s really super secure and they have higher standards and compliance standards by which they attest to the. Um, and so however though, let’s say you’re, you’re doing an email list to your constituents, right? Um You know, you’re gonna need some marketing data, you’re gonna, you know who to send this, this information to, but you don’t need everything about that individual. You don’t need things like that really. I mean, you may need the basics but you should be using a marketing provider that is secure and you should, you should transfer, get that information to them in a secure way and you should ensure that if that individual wants to opt out. Um and they, all these things should be an organization’s privacy policy so that people understand how their data is being used if they sign up for a newsletter or things of that nature. However, you know, I think your point specifically um oftentimes reports about, you know, activities, engagement, you know, that go into reports for executive or for things that are put into a PDF or in another format, the data should be anonymized. So the only thing that’s there is, you know, aggregated information about, you know, the engagement and not all they shouldn’t be able to drill down and see, oh who is this exact individual? Now if they need to know if it, if they want a donor report about, you know, I want to know exactly to see who um are the top donors and, and such, you know, there should only be limited people within the organization who have access to that data, to be able to see that information that goes back to my other point about um privileged access management. There are gonna be some, there’s gonna be some reason why people aren’t gonna wanna know specifically about, you know, who’s engaging with the community. And also oftentimes on the client level, we need to know that the people who are providing services to communities need to know exactly who these individuals are and more sense of information. And that’s why I was talking about earlier about, you know, understanding where that data lives and, and only having as much as you need to fulfill the function of that, you know, whatever you’re doing. Um and, and having that, you know, and making sure that’s really locked down when I worked in the food down. When I worked in the food and security sector, we had people going out in the communities and helping sign them up for, you know, um cal fresh, you know, essentially benefits, you know, for people to get, you know, you know, government assistance and they had to collect really sensitive information. But what they did is they had ways to you securely transmit that information to the local human resources agencies so that it was all encrypted, it was protected and then once we transmitted that we didn’t have access to it, [00:39:44.68] spk_0:
what about vetting vendors? You know, if, if you’re offices using a male house, uh you know, some of the data that you just talked about for, for mailing? Um I can’t, I can’t think of other examples of vendors that could be. Well, events, events could have, could event management might have some sensitive data. What, how do you vet your vendors to make sure that they’re taking appropriate actions to prevent theft, fishing, you know, to, to defeat defeat, or at least you can’t defeat them, but at least minimize the threats. How do you, how do you check these third parties that you’re working [00:41:16.80] spk_1:
with? Well, you know, that’s a big part of my roller tech soup. So whenever we, whenever we work with, with, whenever we’re going to be using a new product or app or something like that, it’s my job to go in and actually check and organizations, these, you know, these application providers will provide um on their site or they should and if they don’t, you shouldn’t use them, but most of them will provide on their site access to their information security program and what they do where their data is located, what they do to protect it, their compliance levels, their certification levels, um whether they do audits, whether or not they do penetration tests And what type of and, and, and everything to that order and that should be vetted by, by somebody before they onboard an aunt. And we do this all the time. We use a lot of different apps to Texas north of 100. And so we, every time we were on board one for some utility within the organization, we make sure that they meet this standard. There’s, and we actually, since we’re a third party vendor for other people, they have the same for us so that a lot of the work I do as well as to, you know, report out periodically to all the people who are using our, our platform to facilitate their data to organizations and you know, what sex, what tech soups information security program like. So this is, you know, because creates transparency, but it also helps people understand what the risks are, which helps when you’re in a situation where I needed to go and advocate for resources to institute a cybersecurity program. [00:41:47.96] spk_0:
I want to ask you about the board’s role in all this. But, but is there anything more that you want before we get to the board? Anything more you want to talk about threat minimization policies? Anything we haven’t covered that you want folks to know about? [00:44:14.11] spk_1:
Yeah, I think that one of the things that is, you know, that we haven’t mentioned yet is preparedness for an incident, essentially a security incident, incident response plan. This, you know, is another thing in that sort of list of five that an organization should understand. Um if you have a situation where your data’s been um breached. And, and one thing I do want to do is to describe quickly, even this kind of a dry topic is there is a difference between a security incident and a security data breach. A security incident is could be something as innocuous as somebody just knocking off your website and taking it down with a DDOS attack. Now that sounds in Oculus because it’s just, it doesn’t sound innocuous because it’s disruptive because nobody can get your website, but nobody’s taking the data. And as soon as that denial of service attack is stopped, your website maybe still functioning. Um But that’s an incident and a data breach is different because now you’ve got to do a couple different things. You’ve got to number one, find out how the breach occurred, which you should also do in case of the DDOS attack. Um But above that, you also need to then understand how to respond to, you know, what data was breached. What’s the scope of that data and who are the individuals and, and what’s our plan to reach out to those individuals and notify them about the breach? And was our policy around that? And who do we have to include in terms of communications internally and legally and, and to provide that transparency because for a number of different reasons, number one, it’s the right thing to do. Um and number two, because it actually helps build trust within, within communities because if people understand that, you know, these things happen and they happen to some very, very large organizations, right? We, we know about these, these really large breaches, but the more transparent they are the more the consumers or the constituents who used those products. Think gosh, they really responded well to this and they acted immediately, they communicated appropriately and they remediated, you know what happened and, and that was the responsible thing to do and you don’t wanna be doing that in the middle of a breach. So, having a plan up front helps during that process because otherwise it’s just too much at one time, everything and [00:44:21.00] spk_0:
the plan is gonna lay out who’s in charge, who makes, what kinds of decisions, um, [00:44:27.43] spk_1:
notify. Right. And what’s the playbook essentially? Yeah. [00:44:52.19] spk_0:
Like, I mean, it could even, it could even break down to needing a remote place to work. I mean, go go that far or because we’re because we’re hopefully in the cloud we don’t like like if our physical infrastructure gets um compromised, do we need to go off site? And, and what’s the technology, the technology capabilities in our, in our off site work location? [00:45:17.93] spk_1:
Well, that’s actually a little different. Um so we usually talk about that in terms of business continuity plan. So and, and that would be the same sort of plan you would enact case of a natural disaster or something like that. I mean, is a business continuity and, and that’s far exceeding the scope of what we can discussed today, although I’d be happy to discuss that. Let’s not let’s not [00:45:22.65] spk_0:
I don’t want to panic folks. Okay. Alright. [00:45:25.60] spk_1:
Alright. Alright, [00:45:27.20] spk_0:
you got me focused on, you got me focused on like I don’t know, natural disasters and terrorism. All right, let’s [00:48:44.52] spk_1:
go to the board. Okay. Alright. So, so one of the things that boards were all right. So organizations nowadays are let’s put cybersecurity is becoming and, and is becoming as important as sort of financial security with an organization. The two are becoming linked together An organization. And so for many years, as we all know, uh 501 C3 organizations in the us are generally bound to having a financial audit annually. Right. And then they report to the board and the board will make sure that, you know, there’s a financial audit to ensure that the funds are used judiciously. Um there’s oversight and governance over these matters. Cyber security is becoming as important as financial security because the two are linked together. If there’s a because it could affect it. If you have a ransomware attack, it could affect the viability and the business sustainability of an organization. So it’s a very serious matter. It’s becoming a very, very serious matter for organizations to then think about cybersecurity as a compliance issue, not just nice to have. And so helping the board’s understand that this has shifted from a situation where, oh, well, you know, there’s nobody’s going to attack a nonprofit and uh you know, and if they do, you know, it’s, our data isn’t very important. Um It’s things have shifted, right. So I think recently there was a community, um it’s one of these cities, for example, was an entire city was, has been locked down for days because our grants were attacked and so nothing can function within the city because, you know, um that’s going to affect everything within the city, not just their continuity and safety of people, but also um it’s gonna have a financial impact. So cyber security is becoming more like a compliance issue and a governance issue. And so I think if boards understood that, then they would understand the need to prioritize and to provide funding and resources for those within the organization. Whether that if a small organization that the CFO or the C 00 or even the CEO to then say, look, we need to carve out some resources to be able to understand our risk and the best way to do that would be to do a third party risk assessment and with, with somebody to come in and actually do an evaluation and say, because they’ll come in and do, you know and come in and say, hey, look, these are the, you know, we come in and, and these people are vetted, their, this is their job and you know, they’re safe to work with and go in and say this is where you really need to. These are the critical things, these are, you know, not important things and these are the nice to have and they’ll, they’ll lay it out for you and then you can develop as part of your strategic plan as an organization just like it should be part of your business plan and should be linked to the business plan because the strategic plan for the organization and then the funding, the budget resources, the resource planning and all these things should be baked into the operational strategic plan for an organization. That’s where we’re going in the sector. [00:49:03.09] spk_0:
Okay. It belongs as part of your strategic plan, your business plan. Alright. [00:49:50.46] spk_1:
Yeah, and, and that’s where I think that it’s um uh it’s just like I said, I think where a board comes in is to helps understand that so that they could then authorize and, and oversee and ensure that an organization is doing this work and it’s hard work because, you know, you may have limited resources where we’re gonna carve where we’re gonna carve this out. And however, the good news is that there are people who want to fund this, there are grantmakers who are super would be super happy to be able to say, look, I’m gonna help, I’m gonna capacity impact um grant to this organization to help improve their cybersecurity because of these trends that we’re seeing. And so, and then you can use that as a mechanism to possibly help fundraise to offset some of the funny. So it doesn’t have to come out necessarily of your operational costs. [00:50:23.28] spk_0:
Okay. There are foundations that will fund fund this. Yeah. Alright. All right, we’re gonna leave it there, Michael. Thank you, Michael from Montana, Michael Eno’s Senior Director of Community. [00:50:26.28] spk_1:
And it’s [00:51:30.65] spk_0:
my pleasure to thank you, senior director of Community and platform for Techsoup Global he’s on Mastodon at Michael underscore Eno’s at public Good dot Social and Tech soup where you’d expect them to be techsoup dot org. Next week, I’m working on it. Uh, and I assure you that there will be a show next week because this is show number 630. And I’ve been producing a show every week for 13 years close to. So I assure you there will be a show next week. I just don’t know what it’ll be about, but don’t bet against me because there is gonna be a show. You know, you’re gonna lose if you bet against there being a show next week. If you missed any part of this week’s show, I beseech you find it at tony-martignetti dot com. Our creative producer is Claire Meyerhoff shows. Social media is by Susan Chavez, Mark Silverman is our web guy and this music is by Scott Stein. Thank you for that affirmation. Scotty B with me next week for nonprofit radio big nonprofit ideas for the other 95% go out and be great.
Processed on: 2023-03-11T01:00:20.020Z
S3 bucket containing transcription results: transcript.results
Link to bucket: s3.console.aws.amazon.com/s3/buckets/transcript.results
Path to JSON: 2023…03…631_tony_martignetti_nonprofit_radio_20230313.mp3.38068433.json
Path to text: transcripts/2023/03/631_tony_martignetti_nonprofit_radio_20230313.txt
And welcome to Tony-Martignetti non profit radio big, non profit ideas for the other 95%. I’m your Aptly named host of your favorite abdominal podcast. Oh, I’m glad you’re with me. I’d suffer the embarrassment of a phone. Yah. If I had to speak the words you missed this week’s show, beat back, cyber attack, cyberattacks against non profits are on the rise while you cannot avoid them, you can make them a lot less likely to cost you big money, your data, your reputation, your donors and your employees, Michael Enos from Techsoup Global helps us out on tony steak too. Get in people’s faces again. It’s a pleasure to welcome Michael Enos to non profit radio He is senior director of community and platform for Techsoup Global. He began his professional career in technology in 1996 and has since led team, tech teams at the national and individual office levels in increasing responsibilities on Mastodon. He’s at Michael underscore Enos at public good dot social and tech soup is where you’d expect them to be at techsoup dot org. Michael, welcome to non profit radio [00:01:42.03] spk_1:
It’s great to be here. Tony Thank you for having me. [00:01:46.69] spk_0:
My pleasure. My pleasure. Let’s please explain the work of tech soup. I think it’s so valuable, so many billions of dollars of software and hardware transferred to nonprofits. Make sure, let’s make sure everybody knows what techsoup is doing, [00:02:52.57] spk_1:
you know? Absolutely. I mean, essentially our, our mission is to help civil society, organizations worldwide um better leverage technology to create impact in the missions um that they serve and to build communities. Um You know, that, that then can then foster that, that, that, that impact globally. Um We do that through a number of different ways. We do that by facilitating philanthropy from large tech donors. Um And you know, most of which are the ones that are just, you know, household names. Um We also do it through uh courses, services, consultations, um and through connecting organizations with each other and through also through engagements like this where we try to really uh to blogs, webinars and other facets where we help organizations understand how they could use tech um and protect their tech to uh enable uh and further have impact for their, their communities. They serve, [00:03:17.12] spk_0:
I saw on tech soups website today, Microsoft Office or Microsoft 3 65 for a dollar. So [00:03:18.55] spk_1:
that’s an example, right? And if you were to go to uh you know, Microsoft for nonprofits or Google for nonprofits, for example, um you know, the data validation platform that validates organizations worldwide is managed by Texas So, ultimately, we, we, we do many things but we’re also sort of a, I guess, data leading partner for, for a lot of these organizations that want to understand and make sure that their philanthropy is going into the right hands. [00:03:48.25] spk_0:
You have, you have local uh connect groups to techsoup, connects groups. [00:03:54.10] spk_1:
That’s great. That’s right. [00:03:56.21] spk_0:
Yeah. You know, I know, I know you’re, well, you’re director of community and platform. So is that, is that part of your work [00:04:42.76] spk_1:
director? I mean, you know, you know, I support that, that organization that we um we have, we have lots of different um areas and, you know, and, and in my role, I support them all um platform is a lot of the, you know, I oversee our enterprise, infrastructure and security as one of my fundamental sort of roles. I mean, obviously with the, with their expansive amount of technology that we have, that runs our platforms that, that consumes a lot of my time, but also the community side because of my background working in the tech for good space, you know, since, you know, for the length of my vocation, um you know, I have, I’ve accessed as a resource for a lot of other groups, including the connect group for when they need, you know, to understand, you know, how to, you know, for, for things like this and for, for other things um to help our communities um better leverage to the tech that they use. I mean, it’s one thing to, to uh provide the technology. It’s another thing to actually help people, you know, provide them the enablement to be able to use it and optimize it. [00:05:08.91] spk_0:
Are there local meetups are the group’s going back [00:05:50.06] spk_1:
to? Exactly. There are, there, there are, you know, communities within the regional and our, and that’s part of our connect program. Um And eli, the guy who runs that and, and the group that runs that are very, very energetic and it’s very community driven, which, which is fantastic and we’re sort of an enabler and facilitator in that work, which is wonderful. And that stems from the early days of us being part of the early groups that were involved with the, you know, tech for good space way back when technology was first getting launched, you know, and the internet was first launching different [00:05:51.33] spk_0:
types of work. I mean, you know, n 10 doesn’t do consulting, which I wanted to ask you about very shortly. But, you know, they don’t do tech grants necessarily, but all, all very parallel with, with N 10. [00:06:26.73] spk_1:
Yeah. Correct. And, and we, we have a close partner to put 10, 10 and, and we attend the events and such and we’ve long been sort of affiliated with that demand and other and other groups like like 10, 10. Um and we have partnerships that sort of expand throughout the different communities. Um And, and we try to be involved globally as well. You know, so there’s this sort of, you know, there’s the U S side of it, but then there’s also the everything that we’re doing outside of the U S and abroad because, you know, it’s um civil society is international and so, and tech soup is really involved with, with things not just within our own borders but, but outside of them um globally. [00:06:50.58] spk_0:
Are you going to 23 NTCC the conference? [00:06:51.42] spk_1:
Um myself. No, I’m not the, I know we have some, some other representatives that are there. I’ve been to many of those uh this year. I’m not specifically going, but we will have some representative from Texas there. I’m [00:07:03.64] spk_0:
sure. Yeah. And non profit radio will be there as well. We’ll be on the exhibit floor. [00:07:07.67] spk_1:
Excellent. That’s fantastic. Yeah. Yeah. Well, I’m sorry, I’m not going to be there to be in person to meet [00:07:12.61] spk_0:
you. That’s all right. There. There are others every, every spring and [00:07:17.31] spk_1:
virtually, by the way, [00:07:18.97] spk_0:
that’s true. There is hybrid this year. That’s right. Um And, and texture is also consultants to consultants to nonprofits. Let’s make sure folks understand that too. [00:08:46.84] spk_1:
Yeah, I mean, we, we provide, essentially, we help organizations connect with other organizations that then provide consultant services. We do some ourselves, but it’s very specific to some of the um because we, we provide a lot of, you know, what we’re doing to, to skills. So to speak what we, what we have is we’ve partnered with other organizations through our platforms to, to align organizations depending on exactly what type of consultation they need to inappropriate sort of resource for them. Um And that’s more uh our, our model in terms of we’re sort of a connector. So for example, if somebody needs, you know, specific sort of technology assessment uh for implementing uh Microsoft, we may do some, but then if it’s more advanced, we may work for them to, to impact or an organization that we partner with and then they provide that as a service to that organization. So, and we have other partners like that, who provide those similar sorts of services that are more hands on and direct than what tech soup can provide at this moment. And we may may expand that more and do some of that um more, more stuff ourselves and, and we are developing that and some of our customers success programs. Um and we do run a lot of sort of in the office programs where people could have webinars. And I’ve spoken in a few of those where we do it in in depth dive of a particular technology so that organizations can learn how to use them. [00:09:00.19] spk_0:
I’ve always considered the big three to be Tech Soup N 10 and tech impact in terms of technology for nonprofits and, and all three of those of course, are nonprofits themselves. Right. [00:09:12.87] spk_1:
Exactly. Yeah. All right, [00:09:15.44] spk_0:
let’s talk about cyber attacks. Uh They are on the rise against nonprofits. What, what, what are you, what are you seeing? We’re going to get into the details, of course, but overall general, you know, kick us off. What are you seeing on this front? [00:11:31.28] spk_1:
What, what we’re seeing is a lot more, um, targeted attacks, which, which is, which is unique because there’s, you know, speaking broadly about cyber activity, you know, there’s a lot of noise on the internet. There’s, you know, just all these robotic sort of in these bots that are flying around trying to find targets, right? And they’re sort of just, you know, you know, I guess, you know, they’re, they’re doing drive by sort of evaluations to see of anything, you know, just to see if there’s anything that they could get a finger in or, you know, just to explore and see if there’s sort of a, you know, something that they could find in there. What we’re seeing now is more targeted attacks, meaning there’s a specific purpose to it. Like somebody’s like, well, you know what we think that, you know, this is a, you know, a specific type of organization, they’re involved with a particular type of activity and we’re interested in knowing who’s donating to that activity and whether or not we could possibly have access to that information because that might be valuable or perhaps to the constituents that they’re serving because maybe that information is valuable as well, maybe for either financial reasons or, or, or or political reasons. And so we’re seeing a little bit more of that or, or perhaps because we really want to cause disruption in critical infrastructure. And one thing that um this is sort of a broader trend in cyber security around targets towards critical infrastructure and myself and and others in this space believe that civil society, organization data is part of critical infrastructure and critical infrastructure. So I mean, people are targeting things like, you know, we’ve we’ve heard about the target on power grids and uh gas pipelines and such. And you know, if you think about data that’s relative to communities that are specifically vulnerable in certain context or, or have access to information about others, then that’s critical infrastructure because we need these organizations to function in society. And so, you know, there could be other actors who say we want to disrupt that particular critical infrastructure for some reason and that reason could be varied just like it is for why people would disrupt any sort of critical infrastructure. [00:12:55.08] spk_0:
I have an example that is pretty close to home. I I I own two homes in North Carolina. One of them was affected by that shooting at uh at the electrical substation in that was, that was in Moore County, North Carolina. Um And there’s a, there’s a possible correlation that, that that attack was to prevent a drag queen show from going on in the little town of Southern Pines, North Carolina, which is served by that substation that got shot at. Um So, I mean, it sounds like you’re saying, it’s not that far a leap like, you know, 11 cadre of bad actors uses guns. Another cadre of miscreants could be hackers that are looking for data at that maybe at that theater or, uh you know, among a nonprofit that may have been involved with [00:13:45.30] spk_1:
maybe maybe the intent at the attendance list or the people who are donating to that event. And so, you know, this is the type of data and like I said, there’s, there’s different reasons why somebody might be targeting certain data. But this, these are the, this is, you know, this is like bingo on the nose, this is the kind of stuff that, that we’re seeing more and more and we’re very concerned about and why we’re really like soup is really sort of launching this um effort to help educate organizations on how to improve uh and understand what cyber security means in this space and how to prioritize it, but also how to um sort of get through the sort of complexity of it and, and, and find simple ways to knock off low hanging fruit to make it sort of actually, you know, doable for them with given their budgets and given their constraints that we a lot of smaller organizations in the, in the space you know, have, generally, [00:14:39.67] spk_0:
it feels like in our polarized culture that there isn’t a nonprofit mission category that would be exempt from, from possible attack. I mean, you know, even feeding, feeding the hungry, you know, I could conceive of that being objectionable to some group of people that feels like why do those folks get food and, and I don’t get food or why are they entitled? And I’m not, or, you know, something that seems innocuous and purely beneficial. I, I can imagine, uh, another cadre of bad actors deciding that it’s, it’s, it’s worthless or worth worse than worthless. It’s detrimental to our culture for some reason and wanting to attack it. It doesn’t, it doesn’t feel like any particular mission would be more vulnerable or less than, than any other. [00:15:59.15] spk_1:
Um, you’re correct. And one of the other things that is, has changed in, in this, in this sort of, you know, over time that I’ve seen is the availability of the tools to be able to perform exploits before you would actually have to be, you know, pretty well versed in hacking to be able to do any harm right now. It’s, you can, you can buy the service. I mean, you could just go to the market on the dark web and just say, hey, you know, I want to buy this, you know, uh, this hacking kit, you know, and, and, and, and there’s youtube tutorials on how to do it. I mean, it’s becoming, and, and these are, the tools are free and readily available. So what we’re seeing more of is not only just this trend of people wanting to and, you know, and maybe that hasn’t changed, it’s just that it’s more accessible, right? But, you know, people wanting to, you know, target communities and, and, and, and also try to find valuable data within these communities, but also their ability to do so it’s become easier and there, you know, and, and so you combine those things together and that’s why we’re seeing the trends we’re seeing. That’s one of the reasons [00:16:21.11] spk_0:
you no longer have to be a sophisticated computer user. It doesn’t take a lot of study, you’re saying these things are available for cost or free to cause harm. All [00:16:29.81] spk_1:
right. [00:16:39.80] spk_0:
Alright. So how do we, how do we break this down for folks in small and mid sized nonprofits, you know, that, that they can sort of prioritize? I mean, is it as simple as let’s start having universal two factor authentication for everybody on your teams or maybe that’s passe maybe, maybe we’re past that now. I don’t know, how should [00:19:30.66] spk_1:
we, you know, you, you make a good point. So for example, like the first thing I think people should do is, you know, or, or what you know, uh would be recommended and to think about it is to do the basics. Okay. What things like what you mentioned is like like multifactor authentication, um you know, anti malware on their clients, keeping things up to date and, and making sure you have backups of your data, these are sort of the basics, right? And so apart from the basics, though, you know, the next step above that is to then start looking at what we call privileged access management or role based security, not everybody needs to have access to everything, right? So, so, so let’s say, for example, a system was compromised with somebody’s permissions or credentials, depending on what they have access to, they could only do so much. And so there’s a, there’s a, there’s an important concept in cybersecurity that we call the privilege, the principle of least privilege. So, and that sort of dictates that a person really only needs access to the information that they need to do the role that they’re trained to do in their specific function. So if, if, if somebody is, you know, in I T, somebody who’s familiar with I T systems, uh they understand sort of the complexity involved and they may have access to privileged systems where they can perform things and have access to that sensitive data, but not the entire organization, right? And so we call that privileged access management. And sometimes, especially with today’s as we’ve moved into the cloud more when things get fired up and somebody spins up an app in the cloud, the cloud as well, generally have some basic role based permissions like the admin, you know, maybe a super user and then maybe some groups and then, and then just the regular users, right? You don’t want to give everybody admin rights. And so because then if somebody, if that just, that just provides more exposure and so these are small things that don’t take a lot of time or effort really to just sort of that, that’s a little bit beyond the basics though because um you know, and you know, for, you know, tech soup, for example, provides, you know, office 65 or 65 go for, for, for work space organizations. And once we, they provision, the next step is to really go in there and sort of harden them a little bit and lock them down and to go through that steps and understand what that looks like. So that um as people start doing things like maybe downloading spreadsheets that contain donor data or customer data that it’s not, somebody can’t accidentally just share that with somebody, you know, outside the organization or, or that becomes available on the general public internet. [00:20:02.06] spk_0:
So how do we execute some of these things that are, that are more advanced, you know, beyond the backing up the multi factor authentication. Alright. So if you move into privileged access management, we need a, we, we either have a C T O which most listeners probably don’t or we need some outside help. [00:21:13.19] spk_1:
No, actually, I think that a lot of these, you know, cloud based applications will provide guidance. The good news is is that they have an interest in protecting and wanting you as a, as a customer as well as, you know, the fact that it’s a shared data model. And so the the better that they do in terms of providing information about how this works, the better, you know, the, the the, you know, the people who use that product is going to benefit from it. And so generally in these, you know, you know, and these things aren’t if you have somebody who is at least responsible for the deployment of the technology and they don’t have to be an advanced, you know, computer scientists to do the work of the cloud app then. But somebody should be sort of designated within the organization to ensure some of the basics about the way data is handled. And, you know, getting to one of the export points, I wanted to bring up one of the most important things to understand for an organization is what data do they have? Where does it live and what is the value of it? And what is the value of Michael before we, before [00:21:22.02] spk_0:
before we move to what, what’s our data inventory? I want to emphasize this, I wanna emphasize the value of being in the cloud. So there is there is value to using uh CRM databases that are cloud based versus server based at, in your office anymore. [00:22:47.49] spk_1:
Correct. And for so many reasons and, you know, uh, and, and moving to that topic because a lot of the ways that systems are oftentimes breached is because what things we mentioned earlier, such as they’re not patched, there’s, um, not, not very good perimeter security on them. These things are taken care of for you, um, and they’re not backed up regularly. Um, those things, these things are taken care of for you in a sassy application. Um If it’s, if it’s a robust SAS application, like the kind that takes provides. And so when we, when we go to, you know, vet an offer that’s going to be in our marketplace, we we, we go through the list to ensure that this is gonna be a product that will serve the pole, the test of time and actually will, will be robust in, in the requirements necessary for our organization to protect their data. And so, and, and so that leads to, you know, also that making it more but maybe a little bit easier for organizations to then lock down their cybersecurity because they don’t have to have experts come into their closet or their data center and, and do this configuration and do all these updates are very technical on their firewalls and all the hardware and everything all the time in their own infrastructure, it can be managed within the cloud by people who are not necessarily have that sort of, you know, the Cisco CCN a sort of certification? Alright, [00:23:07.85] spk_0:
thank you. I just, I wanted to drill down absolutely. Very [00:23:11.75] spk_1:
good point. [00:23:15.98] spk_0:
The value of from a security perspective, the value of the cloud. Alright, so let’s go to what you were, you were headed to what your data inventory, what what do you have? What what do we need to be? What do you want us to think about their? [00:23:32.71] spk_1:
Yeah, so no data is not all data is not created equal, so to speak, right? So we have, we have data that it’s just things like, you know, my notes when I’m, you know, talking in a meeting or something like that. Okay. There’s nothing valuable with that. It’s, you know, generally not containing anything that’s sensitive. It’s sort of my notes from a meeting. Okay. Now, if that is something that, you know, maybe I don’t want to share, but it’s not something that, you know, if a hacker birds look at that so I can’t sell this and it doesn’t contain anything that’s gonna, I can do any harm with. Right. [00:24:09.30] spk_0:
Well, it might depend, it might depend who’s leading the meeting. You might have different, you might have different sets of notes depending on who’s leading your meeting. You know, you might be commenting on the commenting on their uh I don’t know their, their capacity. I mean, not to suggest [00:24:16.36] spk_1:
that people [00:24:30.71] spk_0:
know, I’m actually, I’m actually having fun with you like, if somebody at tech soup was not a very good, not a very good speaker or supervisor, you know, then those notes you might not want in the public domain. But if the person is carrying their weight and they’re generally a good, good employee, you know, you have a brighter set of notes that you wouldn’t feel bad about getting exposed. That was my, my point. I guess I wasn’t, I wasn’t coming, I was coming across so dry. It was, it was desert, it was desert dry. [00:27:18.46] spk_1:
No, I’m glad you brought into it. The, the, yeah, the types of data that you know, we think about when we think about the difference between data privacy and data protection to me, they’re very linked, right? So we, we have a responsibility to protect people’s data and the privacy of their data, but also to protect the security of that data. And so, you know, fundamentally speaking, generally in organizations in the sector, there’s gonna be some, you know, information that’s sensitive or may have some value and if we identify that and identify where that lives and then focus our energy on securing that, making sure that that data is backed up. Um and, and testing access to it, that’s, that’s, you know, if you have limited resources, that’s the place to really focus your attention. And then the other stuff is great. I mean, and use using robust tools like we provide um in our marketplace such as box for document repositories or even sharepoint, those can all be really configured for. So any type of theater, like even my notes from, you know that, you know, or my supervisor notes about me or your notes about me can be secured, you know, um you know, in a very robust way or shared. And one of the things we’re seeing, for example, especially the document collaboration software, it’s very easy to share things. They make it very easy to share with anybody, right? Just click and it always says like share with anybody with link, you know, you know, and so if you, if it’s something like, oh, you know, um uh oh somebody just sent me, you know, or they told me to put in my, you know, take a picture of my passport or something and, and stick it in here, right? And, and I, and the somebody has in the human resources once said, oh, I’m just gonna share this link and make it copied everybody. Now everybody has access to your past potential, everybody has access to your passport photo and I D so, you know, these are the things that we just have to sort of like start thinking twice, which brings me up to my next point. Um Security awareness within organizations, cybersecurity awareness, I cannot stress enough how important it is for organizations to have a cyber security awareness program within the organization. This these programs don’t cost a lot of money. They don’t take a lot of time and they go a long ways to prevent Uh an internal mistake that could lead to something 80% of cyber attacks happen from the inside. [00:27:27.33] spk_0:
What does this cyber security awareness program look like? [00:28:34.34] spk_1:
So essentially, so for example, um they’re usually conducted on point of like orientation for an employee that comes into an organization and they go through a video, you know, provided by a platform like no before which is in our marketplace. And, and what they do is they sort of go through this, this methodical sort of, you know, force to teach somebody about fishing about sensitive data about ways that people try to get access to information, either through cell phone, fishing through text fishing through um email phishing or through other means to or even on Slack to say, to try to fool you into providing some information um that they, that they can use a huge trend in this arena is what we call impersonation fishing. It’s a specifically targeted phishing email that looks like it’s coming from somebody within your organization such as your CEO, your CFO or uh the human resources director asking you to provide or update your banking information. And it’s very carefully crafted, crafted, it looks just like that and you really have to do a lot of due diligence to really go through there and say, oh, did this really come from our CEO having [00:29:03.26] spk_0:
Haven’t there been cases where like a spoof email like this says, you know, wire $50,000 to this vendor account. You know, we’re, the payment is overdue. We need to wire this payment ASAP. And of course, it goes to the Bad Actors account. Isn’t there? Stuff like that? It looks like it’s like the treasurer saying, send a wire or the CEO saying, send, make a payment. [00:29:40.35] spk_1:
That’s right. Exactly. And, and, and we’ve, um, and if you have an organization and people haven’t been trained to recognize that, you know, if somebody’s asking you for something and it’s something of value, double check it, you know, and, and to contact that individual in a different channel and say, did you really need me to send $50,000 in this wire transfer? I just want to check is this actually came from you? There’s other ways that they teach you in these orientation platforms or in these um security awareness platforms to check the email headers and, and the simple things, but essentially that’s the gist of it. And that’s why security awareness training is so important. So, so people are on their toes when they’re actually doing their work, [00:30:03.43] spk_0:
do you recommend then ongoing training? You talked about orientation, [00:30:51.51] spk_1:
there’s, there’s an orientation training and then, you know, most organizations will have it mandatory that they do an annual training and, and this just as a refresher course and also things change. So, you know, the space changes. Sometimes people are doing it now because of the trends more often like every six months. And then specifically for people who are in jobs where they’re doing data handling for, let’s say they’re doing data processing, they work in the donor uh services program or something where they’re managing sensitive data all day long. They’ll be specialized courses for people who are, are actually dealing with data on a day to day basis. So that’s a little bit more involved in terms of actually how to understand and, and that goes into things like, don’t download, you know, a C S V file on your computer and stick it onto a, you know, um, a thumb drive on your computer or transported or, you know, don’t, you know, send out, you know, via email to, to a coworker and, and these sorts of things that are specific to handling sensitive data. [00:31:04.59] spk_0:
Okay. Interesting. Yeah. So even, even just emailing internally from employee to employee can be risky, [00:31:37.20] spk_1:
yes, it can be stiff. It’s, and, and there’s because, for example, if, because that’s actually it’s going to stay within that email store wherever that is located. And it’s, um, if it’s unencrypted, it’s gonna be, it’s gonna be encrypted during transit, for example. Um, and, and encrypted at rest. But if somebody else had access to that access to your email server or a privileged access in your system, they could potentially go in and, you know, take over that account, log in as the CEO and have access to the deed and actually browse emails for, you know, and actually do queries and look for credit card information or, or look for email addresses and then they could potentially find information about donors or, or, or, or constituents that sensitive. [00:35:08.08] spk_0:
It’s time for Tony’s take two. It’s time to get back in people’s faces. Again. Last month, I did a in person live face to face in person training on Long Island. I was in New York City for several days. What a joy. What a pleasure. What a difference, an improvement, you know, over virtual trainings. I mean, look zoom is, I’m all flustered. Zoom is, is necessary and I’m not saying necessary evil. It’s, it’s, it’s a part of the culture, whether it’s zoom or teams or Google meet, you know, whatever virtual meetings, they’re just a part of our lives now. No question about it. But don’t make those the default if you have the option to get back in front of people in person, I urge you choose that option. Uh You know, I could have passed on the opportunity to do the in person training, but I didn’t want to, I didn’t want to donor meetings to while I was in the city face to face meetings again, coffee lunches. It’s just so much better, so much more real than anything virtual can offer. Um I had a meeting, lunch meeting just about 10 days ago or so with someone from Heller consulting, which is gonna be Team Heller. They’re going to be our 23 NTC sponsors at the nonprofit technology conference coming up in Denver And the woman who works for Heller happens to live within 45 minutes of where I live in North Carolina. So we got together for a, a real lunch. We had lunch together over the same table. Remarkable. You know, it’s yeah, more real authentic. I urge you if you can meet someone in person instead of virtual, do it, do it. It makes the world of difference. It’s time to get back in people’s faces again. Don’t make virtual your your default. If there’s another way first, I urge you to do it. That is Tony’s take two. We’ve got Boo Koo but loads more time for beat back cyber attack with Michael Enos. Talk about not preserving data that you don’t need to preserve. Like credit card numbers, full numbers for instance, or dates of birth or other things that aren’t necessary for you to preserve. Isn’t there, isn’t there value in trimming down sensitive data that you don’t really need? [00:35:40.17] spk_1:
Yes. And and one of the principal aspects of data handling is an optimization of data. So you know, there’s there’s transactional data that happens. And oftentimes, for example, with credit card things are processed nowadays, you’ll usually use a payment processor. So, you know, hopefully you’re not actually you know that server that actually storing that information is not on your box anymore because there’s, you know, you know, you can use an API and a web site and then it happened somewhere else and they take care of all that stuff for you. So, if your systems were hacked, they wouldn’t have access to the credit card data [00:35:55.19] spk_0:
or, [00:39:00.73] spk_1:
or Braintree or one of these sorts of services, you know? Exactly. And, and, and so those go to those payment processors and they manage all that, um, which is great because then you, it reduces the amount of exposure on your e commerce site or fundraising donor donation site. And if you’re using a donation software program, like, you know, donor perfect or one of these sites, that’s what they’re doing as well. You know. So they, you know, because, because they, they want to use because that you really have to have the best of breed technology to be able to make sure that that stuff gets that, that’s really super secure and they have higher standards and compliance standards by which they attest to the. Um, and so however though, let’s say you’re, you’re doing an email list to your constituents, right? Um You know, you’re gonna need some marketing data, you’re gonna, you know who to send this, this information to, but you don’t need everything about that individual. You don’t need things like that really. I mean, you may need the basics but you should be using a marketing provider that is secure and you should, you should transfer, get that information to them in a secure way and you should ensure that if that individual wants to opt out. Um and they, all these things should be an organization’s privacy policy so that people understand how their data is being used if they sign up for a newsletter or things of that nature. However, you know, I think your point specifically um oftentimes reports about, you know, activities, engagement, you know, that go into reports for executive or for things that are put into a PDF or in another format, the data should be anonymized. So the only thing that’s there is, you know, aggregated information about, you know, the engagement and not all they shouldn’t be able to drill down and see, oh who is this exact individual? Now if they need to know if it, if they want a donor report about, you know, I want to know exactly to see who um are the top donors and, and such, you know, there should only be limited people within the organization who have access to that data, to be able to see that information that goes back to my other point about um privileged access management. There are gonna be some, there’s gonna be some reason why people aren’t gonna wanna know specifically about, you know, who’s engaging with the community. And also oftentimes on the client level, we need to know that the people who are providing services to communities need to know exactly who these individuals are and more sense of information. And that’s why I was talking about earlier about, you know, understanding where that data lives and, and only having as much as you need to fulfill the function of that, you know, whatever you’re doing. Um and, and having that, you know, and making sure that’s really locked down when I worked in the food down. When I worked in the food and security sector, we had people going out in the communities and helping sign them up for, you know, um cal fresh, you know, essentially benefits, you know, for people to get, you know, you know, government assistance and they had to collect really sensitive information. But what they did is they had ways to you securely transmit that information to the local human resources agencies so that it was all encrypted, it was protected and then once we transmitted that we didn’t have access to it, [00:39:44.68] spk_0:
what about vetting vendors? You know, if, if you’re offices using a male house, uh you know, some of the data that you just talked about for, for mailing? Um I can’t, I can’t think of other examples of vendors that could be. Well, events, events could have, could event management might have some sensitive data. What, how do you vet your vendors to make sure that they’re taking appropriate actions to prevent theft, fishing, you know, to, to defeat defeat, or at least you can’t defeat them, but at least minimize the threats. How do you, how do you check these third parties that you’re working [00:41:16.80] spk_1:
with? Well, you know, that’s a big part of my roller tech soup. So whenever we, whenever we work with, with, whenever we’re going to be using a new product or app or something like that, it’s my job to go in and actually check and organizations, these, you know, these application providers will provide um on their site or they should and if they don’t, you shouldn’t use them, but most of them will provide on their site access to their information security program and what they do where their data is located, what they do to protect it, their compliance levels, their certification levels, um whether they do audits, whether or not they do penetration tests And what type of and, and, and everything to that order and that should be vetted by, by somebody before they onboard an aunt. And we do this all the time. We use a lot of different apps to Texas north of 100. And so we, every time we were on board one for some utility within the organization, we make sure that they meet this standard. There’s, and we actually, since we’re a third party vendor for other people, they have the same for us so that a lot of the work I do as well as to, you know, report out periodically to all the people who are using our, our platform to facilitate their data to organizations and you know, what sex, what tech soups information security program like. So this is, you know, because creates transparency, but it also helps people understand what the risks are, which helps when you’re in a situation where I needed to go and advocate for resources to institute a cybersecurity program. [00:41:47.96] spk_0:
I want to ask you about the board’s role in all this. But, but is there anything more that you want before we get to the board? Anything more you want to talk about threat minimization policies? Anything we haven’t covered that you want folks to know about? [00:44:14.11] spk_1:
Yeah, I think that one of the things that is, you know, that we haven’t mentioned yet is preparedness for an incident, essentially a security incident, incident response plan. This, you know, is another thing in that sort of list of five that an organization should understand. Um if you have a situation where your data’s been um breached. And, and one thing I do want to do is to describe quickly, even this kind of a dry topic is there is a difference between a security incident and a security data breach. A security incident is could be something as innocuous as somebody just knocking off your website and taking it down with a DDOS attack. Now that sounds in Oculus because it’s just, it doesn’t sound innocuous because it’s disruptive because nobody can get your website, but nobody’s taking the data. And as soon as that denial of service attack is stopped, your website maybe still functioning. Um But that’s an incident and a data breach is different because now you’ve got to do a couple different things. You’ve got to number one, find out how the breach occurred, which you should also do in case of the DDOS attack. Um But above that, you also need to then understand how to respond to, you know, what data was breached. What’s the scope of that data and who are the individuals and, and what’s our plan to reach out to those individuals and notify them about the breach? And was our policy around that? And who do we have to include in terms of communications internally and legally and, and to provide that transparency because for a number of different reasons, number one, it’s the right thing to do. Um and number two, because it actually helps build trust within, within communities because if people understand that, you know, these things happen and they happen to some very, very large organizations, right? We, we know about these, these really large breaches, but the more transparent they are the more the consumers or the constituents who used those products. Think gosh, they really responded well to this and they acted immediately, they communicated appropriately and they remediated, you know what happened and, and that was the responsible thing to do and you don’t wanna be doing that in the middle of a breach. So, having a plan up front helps during that process because otherwise it’s just too much at one time, everything and [00:44:21.00] spk_0:
the plan is gonna lay out who’s in charge, who makes, what kinds of decisions, um, [00:44:27.43] spk_1:
notify. Right. And what’s the playbook essentially? Yeah. [00:44:52.19] spk_0:
Like, I mean, it could even, it could even break down to needing a remote place to work. I mean, go go that far or because we’re because we’re hopefully in the cloud we don’t like like if our physical infrastructure gets um compromised, do we need to go off site? And, and what’s the technology, the technology capabilities in our, in our off site work location? [00:45:17.93] spk_1:
Well, that’s actually a little different. Um so we usually talk about that in terms of business continuity plan. So and, and that would be the same sort of plan you would enact case of a natural disaster or something like that. I mean, is a business continuity and, and that’s far exceeding the scope of what we can discussed today, although I’d be happy to discuss that. Let’s not let’s not [00:45:22.65] spk_0:
I don’t want to panic folks. Okay. Alright. [00:45:25.60] spk_1:
Alright. Alright, [00:45:27.20] spk_0:
you got me focused on, you got me focused on like I don’t know, natural disasters and terrorism. All right, let’s [00:48:44.52] spk_1:
go to the board. Okay. Alright. So, so one of the things that boards were all right. So organizations nowadays are let’s put cybersecurity is becoming and, and is becoming as important as sort of financial security with an organization. The two are becoming linked together An organization. And so for many years, as we all know, uh 501 C3 organizations in the us are generally bound to having a financial audit annually. Right. And then they report to the board and the board will make sure that, you know, there’s a financial audit to ensure that the funds are used judiciously. Um there’s oversight and governance over these matters. Cyber security is becoming as important as financial security because the two are linked together. If there’s a because it could affect it. If you have a ransomware attack, it could affect the viability and the business sustainability of an organization. So it’s a very serious matter. It’s becoming a very, very serious matter for organizations to then think about cybersecurity as a compliance issue, not just nice to have. And so helping the board’s understand that this has shifted from a situation where, oh, well, you know, there’s nobody’s going to attack a nonprofit and uh you know, and if they do, you know, it’s, our data isn’t very important. Um It’s things have shifted, right. So I think recently there was a community, um it’s one of these cities, for example, was an entire city was, has been locked down for days because our grants were attacked and so nothing can function within the city because, you know, um that’s going to affect everything within the city, not just their continuity and safety of people, but also um it’s gonna have a financial impact. So cyber security is becoming more like a compliance issue and a governance issue. And so I think if boards understood that, then they would understand the need to prioritize and to provide funding and resources for those within the organization. Whether that if a small organization that the CFO or the C 00 or even the CEO to then say, look, we need to carve out some resources to be able to understand our risk and the best way to do that would be to do a third party risk assessment and with, with somebody to come in and actually do an evaluation and say, because they’ll come in and do, you know and come in and say, hey, look, these are the, you know, we come in and, and these people are vetted, their, this is their job and you know, they’re safe to work with and go in and say this is where you really need to. These are the critical things, these are, you know, not important things and these are the nice to have and they’ll, they’ll lay it out for you and then you can develop as part of your strategic plan as an organization just like it should be part of your business plan and should be linked to the business plan because the strategic plan for the organization and then the funding, the budget resources, the resource planning and all these things should be baked into the operational strategic plan for an organization. That’s where we’re going in the sector. [00:49:03.09] spk_0:
Okay. It belongs as part of your strategic plan, your business plan. Alright. [00:49:50.46] spk_1:
Yeah, and, and that’s where I think that it’s um uh it’s just like I said, I think where a board comes in is to helps understand that so that they could then authorize and, and oversee and ensure that an organization is doing this work and it’s hard work because, you know, you may have limited resources where we’re gonna carve where we’re gonna carve this out. And however, the good news is that there are people who want to fund this, there are grantmakers who are super would be super happy to be able to say, look, I’m gonna help, I’m gonna capacity impact um grant to this organization to help improve their cybersecurity because of these trends that we’re seeing. And so, and then you can use that as a mechanism to possibly help fundraise to offset some of the funny. So it doesn’t have to come out necessarily of your operational costs. [00:50:23.28] spk_0:
Okay. There are foundations that will fund fund this. Yeah. Alright. All right, we’re gonna leave it there, Michael. Thank you, Michael from Montana, Michael Eno’s Senior Director of Community. [00:50:26.28] spk_1:
And it’s [00:51:30.65] spk_0:
my pleasure to thank you, senior director of Community and platform for Techsoup Global he’s on Mastodon at Michael underscore Eno’s at public Good dot Social and Tech soup where you’d expect them to be techsoup dot org. Next week, I’m working on it. Uh, and I assure you that there will be a show next week because this is show number 630. And I’ve been producing a show every week for 13 years close to. So I assure you there will be a show next week. I just don’t know what it’ll be about, but don’t bet against me because there is gonna be a show. You know, you’re gonna lose if you bet against there being a show next week. If you missed any part of this week’s show, I beseech you find it at tony-martignetti dot com. Our creative producer is Claire Meyerhoff shows. Social media is by Susan Chavez, Mark Silverman is our web guy and this music is by Scott Stein. Thank you for that affirmation. Scotty B with me next week for nonprofit radio big nonprofit ideas for the other 95% go out and be great.
Happy New Year! There’s a software risk gaining attention and there’s a good chance you’ll need help diagnosing and repairing it. You don’t need to horde gas, cash and toilet paper. Just be aware and do the repair. Joshua Peskay, from 
