Community IT Innovators Nonprofit Technology Topics

Cybersecurity Basics for Nonprofits: Defending Against Boggarts and Boogiemen

May 02, 2022 Community IT Innovators Season 3 Episode 20
Community IT Innovators Nonprofit Technology Topics
Cybersecurity Basics for Nonprofits: Defending Against Boggarts and Boogiemen
Show Notes Transcript


Are you afraid to think about cybersecurity basics for your nonprofits needs? 

Are you an “accidental techie” – tasked with keeping the IT running at your nonprofit even though you don’t *really have an IT background? *at all

Wondering where to start building a case for cybersecurity basics to your nonprofit executives and board?

Join Community IT CTO Matt Eshleman and Sales Manager Sarah Wolfe in a new webinar presented at the 2022NTC Conference.

Cybersecurity: “the measures taken to ensure an organization is protected against the criminal or unauthorized use of electronic data.” AKA “An accidental techie’s biggest nightmare.”

With all the million dollar attacks on nonprofits in the news – whether ransomware, internal data leaks, or wire fraud scams – cybersecurity can really give you bad dreams. And if you are unsure of the lingo or where to turn for help it can be daunting to even make a start.

You know you need to put together a case to convince your executives and your board – but are there low-cost tools and preventative measures you can put in place quickly? What are the best practices when your organization is reluctant to invest in a strong cybersecurity stance?

After this presentation on cybersecurity basics for nonprofits, “accidental techies” will feel confident in their knowledge of current cybersecurity trends and best practices, as well as language to use when seeking buy-in from leadership and/or staff.

The presentation

  • Summarizes the current and forecasted “threat landscape”
  • Shares three key policies & procedures to roll out for basic peace of mind
  • Reviews persuasion points to make while requesting time and funding

As with all our webinars, this presentation is appropriate for an audience of varied IT experience. 

Community IT and NTEN, the membership organization and sponsor of the NTC conference, are proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.

NTC is the signature conference in Nonprofit Tech every year, hosted by NTEN. In 2022 it featured over 180 live, interactive, and thought-provoking sessions including this one; daily inspiring keynote speakers; and ways to connect, including opportunities for one-on-one connections, small group meetings, and sponsor conversations. In 2023 NTC plans to be in-person in Denver, in March.

Presenters:

A DC Area native, Sarah Wolfe joined Community IT Innovators in March 2018 as Account Associate before being promoted to Sales Manager. She is responsible for ensuring our partner organizations are receiving the right combination of IT support services to meet their organizational needs and goals. She is a founder of the internal BLM working group at Community IT. Prior to joining Community IT, Sarah was a science teacher at various schools in Maryland. She attended Oberlin College in Ohio, graduating in 2008 with a Bachelor of Arts in Biology, and took classes at UMCP for her teaching certification. 

As the Chief Technology Officer at Community IT, Matthew Eshleman is responsible for shaping Community IT’s strategy around the technology platforms used by organizations to be secure and productive. While working full time at Commun

_______________________________
Start a conversation :)

Thanks for listening.


Cybersecurity Basics for Nonprofits:

DEFENDING AGAINST BOGGARTS AND BOOGIEMEN

for 22NTC


Sarah Wolf:  Hello everyone. Thank you for joining us today for Defending Against Boggarts and Boogiemen, Understanding and Pitching Cybersecurity for the Accidental Techie. 


My name is Sarah Wolf, I am the Sales Manager for Community IT and I use she/her pronouns. And I'm living on Anacostia land. I am a Colombian-American woman with dyed maroon hair and wearing a gray sweater. 


Community IT is a 100% employee-owned, managed service provider, which means outsourced IT support. And we have worked exclusively with nonprofit organizations for over 20 years, and our mission is to help nonprofits accomplish their missions through the effective use of technology. I joined Community IT in 2018, as the Account Associate, AKA client wrangler and moved into sales management, September of last year. With me today is our Chief Technology Officer and Cybersecurity Expert, Matt Eshleman.


Matthew Eshleman:  Hi Sarah, thanks for your introduction. As Sarah said, my name is Matthew Eshleman. I'm the Chief Technology Officer at Community IT. I actually joined Community IT as an intern all the way back in 2000 and have played many different roles from network support tech to engineer, up into my current role where I'm responsible for technology strategy and also cybersecurity.


Learning Objectives


Sarah Wolf:  So after this session - you know, it's 30 minutes, we're trying to pack a lot in - we are hoping that you're able to:


  • Summarize the current and forecasted cybersecurity threat landscape 
  • Describe key policies and procedures that you need implementation to others and 
  • have some points for being able to persuade leadership while you're seeking buy-in, personnel and/or funding.


Matthew Eshleman:  So to talk a little bit before we dive into how you can protect your organization, I do think it's important to provide some education around the cybersecurity landscape as we see it. As Sarah said, we're a managed services provider. In our work, we get to work with about 150 different nonprofit organizations that represent about 6,000 staff. 


Cybersecurity Landscape

So we have a pretty good perspective on what nonprofit organizations are seeing from a cybersecurity perspective. And what they're seeing is really persistent and ongoing brute-force attacks on your digital identity. It's great that everything's in the cloud and that you can log into it from anywhere, but it also means that the bad guys are able to do that as well. 


We know that there are many, many attacks that are launched via email using sophisticated spear phishing techniques. I think nonprofit organizations do a really great job of their branding and their staffing, but we find that it gets used by the threat actors. They know who the finance person is, who the operations people are, what are the relationships, the names of the people on your board. And so that information is used to create kind of targeted emails to try to get people to take certain actions. 


We also see that organizations are targeted because of the work that they do. This is specifically applied to organizations that we find that are international think tanks or policy organizations. We also see this with organizations that are in the space of defending democracy, women's reproductive health and those sorts of areas. They tend to have a higher threat profile than some of the, for example, social service organizations.


And then finally, I think it's important to acknowledge that there are attacks that are targeting vendors. So vendors like us, your managed service provider because of the access we have, we become a big target for threat actors. So it's important to understand the security controls that your partners have in place as well.


This all is also well documented by big vendors like Microsoft. This comes from a report that they put out a couple years ago, they talked about recent cyber-attack victims by sector. 


IT is the biggest target (44%), but then think tank and NGO organizations occupy a relatively large space in terms of organizations that are targeted and attacked from their cybersecurity landscape (18%). 


So in terms of the cybersecurity landscape, NTEN itself actually put out a report a couple years ago that polled organizations as well. And during that time we said, we found that 60% of organizations didn't have, or didn't know how they would handle risk. And so the policy development, we find still needs a lot of work here in the nonprofit space, 74% of organizations haven't implemented multifactor authentication. We'll get to that later, but again, that's a very important security control.


A lot of organizations have unsecured wireless or Bluetooth (46%). And so anything can connect to the trusted network. 


And then a lot of people, the vast majority (92%) are able to connect to their organizational resources from personal devices. And I think we've seen this happen a lot as we've all been working remotely and working from home, over the last two years, making due with whatever we had. This also means that staff were connecting to corporate or organizational resources from their personal devices. Maybe they're syncing their Dropbox files or their OneDrive. 


We've seen organizations have a lot of turnover. And so that means, we've also seen organizations with staff that have left the organization, but maybe still had data on their personal devices. There's lots of different avenues for data to leave an organization. And it's important that we  have a holistic view and a perspective on that.


Sarah Wolf:  The poll on the screen asks, 


What is your biggest cybersecurity concern? 

  • Advanced persistent threat, 
  • ransomware, 
  • compromised account, 
  • wire fraud or financial loss, 
  • data exfiltration or, 
  • all of the above?


Matthew Eshleman:  So I'd love to get your input in terms of what are the biggest concerns that you have in terms of security at your organization. So Sarah, you --


Sarah Wolf:  Yep. I have put it in the chat and everybody's saying F, all of the above. Everything's on their mind.


Matthew Eshleman:  Yes. So all of the above.


Sarah Wolf:  And C. Compromised accounts.


Matthew Eshleman:  Yeah, so thanks for that input. And hopefully, we'll find some ways to make sure that is less likely to occur at your organization. 


Every year, Community IT for the last three years, and we're working on putting the final touches on our fourth report, but we generate a nonprofit incident report based on all of those 6,000 nonprofit staff that we support to see just how many incidents have occurred and that we've responded to over time. 


This is some preliminary classification for the data that we saw in 2021. We see things like spam and spear phishing really topped the list. Spam, and the definitions for this should be in the collaborative notes, is unwanted email. 


The more serious issue that we see is really related to spear phishing.


And that's when we have individuals sending messages trying to get you to take some action, whether that's click on a malicious link to enter your password to steal it. Maybe they're trying to get you to buy gift cards for that new person that just started. There could be many different ways that's manifested itself, but we see a lot of spear phishing. 


And then further on down the line, we can see that we've got a lot of account compromise. We've had to update our incident classification. We investigate a lot of suspicious activities, but we've only had 32 compromised accounts; that's actually the same as we had in previous years. 


The good news is, we've seen relatively low virus activity and relatively little ransomware activity in the organizations that we support.


So it is still a risk, maybe occupies an outsized influence in our minds. But it is a risk that we're seeing in organizations. I think it's less significant than compromised accounts. 


So this is just a little bit of a visual for what we see year over year. As we mentioned, we've got about four years of data now. 


The good news is that we're seeing security incidents flatten a little bit. When we first did it, we classified 233 incidents that jumped to a little over 500 in 2019, and then 690 in 2020, and just under 700, last year. We're looking into the reasons for that. 


I think we've had organizations be pretty successful in adopting some new security tools to help, particularly on the email side, since email attacks are so prevalent, to really reduce those threats. But again, we see a slow and steady increase. 


I don't think we're at a point where we say the cybersecurity threats are diminishing, but certainly they seem to be holding steady and holding steady at a pretty high level. 


Overall, incidents have kind of flattened a little bit for what we're seeing in the data that we have. I also think it's important that third party vendors and partners are a notable threat vector, broadly speaking.


Just in the news in the last week we saw that there was a notable breach of a vendor that Okta used. Okta is a very popular enterprise, single sign-on solution. One of their contractors had a computer that was compromised and that support engineer had access to hundreds of clients. Why would you target one specific organization when you can target the vendors that have access to hundreds or thousands of different organizations? That's a big threat that the sector really has to wrestle with. 


On the positive side, moving down into the fourth bullet point, we can see that protecting your accounts is pretty straightforward. Multifactor authentication we'll see is very effective.


Compromised accounts that we responded to last year, the good news is, that none of those accounts actually had multifactor authentication enabled. So we can see that having multifactor authentication is very effective in preventing attacks that most nonprofit organizations are going to face. You are not going to face targeted advanced threat actors that are really going after you. It's likely that you're going to be caught up in widespread brute-force password attacks or password stealing. 


If we can put multifactor authentication in place on any account that you can access from online, it really improves the security of your organization and the data that you have access to.


Sarah Wolf:  I just want to take a moment and say, thank you so much for the questions that are popping up in chat. We're going to be answering some of them as we go along, and then I'm going to try and make sure that there's time for them at the end. 


One of the things that we wanted to emphasize with this slide is that this is from Google's Project Zero, and it compares what experts recommend versus what regular people think are top online safety practices. 


And so you see this nonexperts’ prioritization of using antivirus, strong passwords that are getting changed frequently, and visiting familiar websites, and not sharing personal information, including not sharing passwords. 


Security experts however prioritize 

  • installing software updates, 
  • using unique passwords, 
  • paired with multifactor authentication or MFA, 
  • and a password manager, 
  • making sure those passwords are strong.


So there is definitely overlap and the glossary and the collaborative notes reviews the Microsoft guidelines for creating a strong password. Honestly, at this point, because I have a password manager, usually I let the password manager make the passwords for me. We are hoping to see the trust that we have in antivirus software, shifting to password managers and multifactor authentication.


Matthew Eshleman:  Yeah, I think that's great. The use of the password manager is really a good way to make password generation really easy, because for each site that you go to, you can generate a new unique password that doesn't get shared between systems. So, if one system gets compromised, then you're not immediately worried that all the other places where you use that password are going to be at risk as well. I think that's really, really good advice. And it's nice to see that represented here in the graph.



Basics for Securing Your Organization


For organizations or if you're a staff person at an organization that's getting started with what to do, it can feel really overwhelming because there's so many buzzwords. There's so much jargon and so much unknown that it can be really hard to know where to get started. 


These are the three things that you should make sure are in place at your organization, if you're responsible for the cybersecurity there and then we'll go into some next level steps. So if you've already checked off all these three, that's great. We'll have some more recommendations to go into next.


  1. The first thing is to start with policy. Maybe it sounds funny as a tech company that we want to start with policy, but I really think that having a good IT acceptable use policy in place first can help build that foundation for making good technology choices later on. 

It can help define things like, what is your password policy? Which information systems do you use? How are you handling the use of personal devices in your organization? Having a conversation in your organization about those topics and coming to agreement on it is a great place to start because it helps you identify which projects or which things to prioritize.


  1. The second thing that I would suggest doing is implementing security awareness training. We've got some links here at the end and in the collaborative notes as well. Security awareness training is a great tool because it really educates and empowers your users. So there's no shortage of fancy tech that you can throw at spam and spear phishing, but really the best resource is your staff and making sure that they feel competent and trained, so they can identify those malicious messages that are invariably going to land in their inbox, no matter what you put in place to go in front of it. So again, there's some free training resources out there. So I would say to stay safe online is a great place to go to get started with some free resources. We've published some resources as well for some basic security awareness training that you can use. 


Provide education for your staff, so that they know how to hover over a link to make sure it goes where it's supposed to, how to look for messages that may be obfuscating the sender, and some really basic information that gives that additional level of comfort when you've got staff trying to evaluate, is this message legitimate or not? 


  1. And then the final piece on our list is multifactor authentication. 


If there's one thing that you can do to really have a meaningful impact in the security of your online account it is to implement that multifactor authentication. 


It is easy to do, it's also free. If you're in Google Workspace, you can implement it for free there. If you're an Office 365 customer, you can implement it for free there, as well. If you go to our YouTube channel there's a short video that I put together that walks you through the entire process of turning on multifactor authentication for Office 365 and getting it set up in the most secure way you can.



Additional Steps to Secure Your Network


If you've already done all those things and that all seems like easy stuff to do, these are the additional steps that we would recommend making sure that you have in place at your organization. These are what we consider our foundational IT security controls. 


  • Making use of a password manager so you can generate unique and strong passwords for each site you go to is an important step to take. 


  • Making sure that you have backups, this may seem old school and a basic control, but again, it's important that you have an understanding of what your organization's backup requirements are. What is provided by the online platform you're using? And does it meet your organization's requirements? If you're using Office 365, or even Google, you may need to have a third party backup solution, so you can get your data out and put it into a different platform. You can retain that data for a year or for seven years or whatever your organization requirements are.


  • I've got a couple acronyms here for MDM, which is Mobile Device Management, and RMM Remote Management and Monitoring. Ensure that the devices that you are using to access information are protected and up-to-date. 


  • We have some recommendations around spam filtering and business email compromise and website protection. We like to use a vendor called Cloudflare as a way to provide some protection in front of your organization's website. 


  • And then finally, if you've already got that IT acceptable use policy, the next steps would really be to look at and define your organization's data privacy, incident response, and then looking at cyber liability insurance as a way to make sure that you have everything covered there.



In terms of getting started, there's no one one right way to do it. I think this is really dependent on your organization and the organization culture. It can be successful as a bottom up approach. 


If you're the accidental techie at your org, and you've got some good ideas and you've got some energy around it, it can be successful provided that you have executive buy-in. I think that's the key for many of these initiatives, the executive group needs to identify this as a priority. But we've seen it successful from a bottom up approach. 


It can also be effective from the top down. I think boards are being much more engaged around the topic of cybersecurity and making sure that organizations are well protected. And so, you may find some resources at your board that you can align with to help move some of these initiatives forward.



Gather Support


Sarah Wolf:  Yeah. So the other thing is to gather support. You don't want to be the only one who's trying to rally the bell. 

One of the things that you can do is leverage your existing requirements. A lot of times, cyber liability insurance has requirements that need to be met in order to qualify. Things like learning management trainings, and managed backups. Also there are sometimes software requirements. Salesforce in February rolled out a requirement that everybody used MFA to access their database. 


If you're able to establish an IT working group. Smaller organizations, if there are only four of you, once a month, make a meeting that's devoted specifically to identifying your IT needs and planning for how you're going to meet them.


For larger organizations, try to have each department represented by somebody and have those conversations as well. 


Connect with a partner either internally or externally, who can help not only with implementation, but also training - that change management question that came up earlier - and management, because it's not a one and done thing. You've got to constantly be keeping things updated. 


Since boards are accountable for the organization, we're actually seeing more cases where the boards themselves are proactively asking about the cyber security controls in place at the organizations they are working with. So you might have some allies there, particularly if you do have a governance committee and that can help to improve making cybersecurity a priority.


Matthew Eshleman:  Making that pitch to whoever's making the decisions, I think it's important to understand that cybersecurity incidents are on the rise and that they're costly to respond to. 


Recent industry data shows that for small to midsize organizations, it costs about $150,000 of direct expense to react to a data breach security incident at an organization. 


Our eyes kind of glaze over at the colonial pipeline hacks and millions of dollars, but for small and midsize organizations, the numbers are $150,000, which is a significant amount of money to have to deal with. 


As Sarah mentioned earlier, you may be required to implement some of these controls as part of your cyber liability insurance renewal. We're seeing much, much more stringent requirements when it comes to those policy renewals. That started about six months ago as cyber liability insurance vendors are in a situation where they're paying out much more in claims than they're receiving in fees. They are really ramping up the requirements for what it takes to get coverage issued. 


And then, I think it's also important to keep in mind that effective cybersecurity takes time and attention. And while you can do some things for free, it is going to take some resources in order to make that deployment effective and meaningful at your organization. 



Questions


Sarah Wolf:  We've got a lot of questions.


Matthew Eshleman:  We've got a lot of questions here. Do you want to tell me what the hot topics are, Sarah?


Sarah Wolf:  Frameworks. Is there an actual framework somewhere that they can use to address cybersecurity concerns? There's so many different things, where would you start and end? We gave those three options, but where do we start?


Matthew Eshleman:  Yeah. So if you're looking for a formal evaluation framework, there are a number of them out there. 


We think the NIST cybersecurity framework is a good place to start. We have a free survey that you can take that will ask you a whole bunch of questions and then generate an automated report. That's about an hour of time on your part. You can go through and that's a formal evaluation framework.


Once you check off all those boxes, then extending out into the fullness framework can be something to consider. I mean, that ends up being about a 1600 line spreadsheet. So there's no shortage of things to do, but so NIST would be the place to start if you're just starting your journey on compliance and cyber security controls.


Sarah Wolf: Somebody was concerned about Dropbox security. And somebody asked which Cloud Document Storage Option is the most secured in your opinion?


Matthew Eshleman:  Any of the main line commercial solutions are going to have a great level of security built into them. It really does become a question of how you use them. I don't necessarily think is Dropbox more secure than Box, more secure than SharePoint? They can all be used in a very secure manner that would support any compliance standard. But it really comes into, how are you using that? If you configure Dropbox, but you don't have a good password and you haven't implemented strong account controls and people are sharing passwords, even though your data is encrypted at rest and in transit with Dropbox, that doesn't make it very secure. You can use them in an insecure manner.


It really comes down to making sure that you're using the tools effectively and then picking well regarded vendors and being diligent in how you set up those systems and administer them and also monitor them over time.


Sarah Wolf:  This is a question I don't know the answer to, which is would managed services fall into the supply chain line?


Matthew Eshleman:  Yeah. Supply chain attack is an example of where one organization or vendor is used to attack somebody else. And so this could be that your managed service provider gets compromised and then your organization is impacted. 


We also see it as, if a nonprofit organization has a compromised account, then that account is used to send spear phishing emails to other partner organizations. And then, those attacks are pretty successful because you've got email coming from a trusted sender as opposed to a generic or  spoofed account. 


Supply chain attacks can manifest themselves in many different ways. That's why it is important to have an understanding of not only your own organization's practices of what you do to secure yourself, but also the organizations you rely on, what do they do to protect themselves? How did they secure their data? How do they secure their access to your information? Because with cloud services, you're putting a lot of trust in other partners. And so, it's important that whenever you have a relationship with those vendors, you understand how they're handling your data, what systems they have in place to protect it. Because it's not all equal.


Sarah Wolf:  Katie wanted to talk about change management when it comes to implementing MFA. 


Matthew Eshleman:  These are technical solutions, but they do impact end user behavior. And so it's important to plan them out well and get buy-in before you just roll it out and everybody gets kind of smacked in the face with some MFA requirement that they weren't expecting. 


So what we like to do is to start with a pilot group. Usually there are some willing volunteers that want to see how it works or maybe are a little bit more tech-savvy. And so that can be a good way to work out any kinks in terms of your deployment process. 


We typically will roll out an MFA initiative and we'll take a few minutes at a staff meeting to say, here's what we're doing. We're rolling out MFA; here's why we're doing it. If you don't have MFA, your account gets compromised, we've already had our pilot group and here's their experience of MFA and --


Sarah Wolf:  We're over the cutoff. So quickly put up the resource slide. (30:11)


Katie, please reach out. You're talking about doing MFA for teachers, we do support schools and have experience with that. 


We've got some great free cyber security resources. They’re available also on the Google Work doc. And Matt and I are both available. I'm going to be around. Thank you so much for your time and attention. And please do not forget to do your session survey, because if you do your session survey, and it goes well, we know what to improve and we also maybe get asked back next year. So, thank you so much for your time.


Matthew Eshleman:  Great. Thank you. It's been great to join you today.