Community IT Innovators Nonprofit Technology Topics

Security Training for Nonprofit Grantees pt 2

October 28, 2022 Community IT Innovators Season 3 Episode 47

In this podcast pt 2, Matt Eshleman and guest Jada Breegle from Legal Services Corporation dig a little deeper into how to get buy-in from executives and answer some audience questions on international training, zero trust, and other issues.

This wide-ranging discussion focuses on cybersecurity at nonprofits and how funders can work collaboratively with grantees to instill a staff culture of healthy skepticism as part of a strong cyber defense. Research shows that short, frequent and realistic trainings are more valuable than a once-a-year security video at creating an email safety culture at nonprofits. You can have all the correct security tools in place but the number one way a hack will happen is when someone on your staff clicks on the wrong link in a compromised email that looks real.

In this webinar, Matt and Jada answer attendee questions about working with funders to improve cybersecurity at nonprofits, including important security training for nonprofit grantees.

If you are a funder, you’ll learn how to work with your grantees to help them protect your financial investments in them and better ensure they are able to deliver their important nonprofit missions without the delays and financial burdens of being hacked.

If you are a grantee, we explore ways to approach your funders about cybersecurity training and support to help strengthen your staff and qualify for necessary cyber insurance.



SECURITY TRAINING FOR NONPROFIT GRANTEES

October 2022


Carolyn Woodard:  Welcome, everyone, to the Community IT Innovators’ Webinar Security Training for Nonprofit Grantees. Whether you are a funder or an IT person or a grantee yourself, we're glad that you're here and we're looking forward to sharing this case study about the Legal Services Corporation and their work over the past year to ensure their grantees have the training to spot phishing emails and be able to protect their organizations.

Matthew Eshleman:  My name is Matt Eshleman. I'm the Chief Technology Officer at Community IT. 

Carolyn Woodard:  Thanks, Matt. My name is Carolyn Woodard. I'm in charge of Outreach at Community IT. I

And now it gives me great pleasure to introduce our guest speaker and practitioner, Jada Breegle from the Legal Services Corporation, Jada.

Jada Breegle:  Hi, good afternoon everyone. Legal Services Corporation is the largest funder of civil legal aid for low income Americans in the nation. We were established in 1974. We operate as a nonprofit. We get an appropriation from Congress and we distribute more than $420 million annually to 132 grantees around the country. I have been the CIO at LSC for five years, and I'm thrilled that we are able to offer free cybersecurity training to our grantees and all of their staff and really look forward to the discussion today.

Questions and Answers


Matthew Eshleman:  Actually, one of the things that we often hear is, 

 


How do you get executives to take this seriously? 

 

It's often viewed as security is something that I'm going to make other people do, but I -- executives, I can't get that done. How have you approached that, at your own organization? What is the expectation around training for your own staff?

 

Jada Breegle:  The sad thing is when something like BEC (business email compromise) happens to you, everybody knows how important it is. When you start losing money, it's just the forcing function. I had very good support before that, but it has even increased. In our world at LSC, we do phishing tests every month. If you fail, you get remedial training. It's only 15 minute training, but it makes people sit up and say, Oh God. 

 

I have a security person. And he tells them what they should have seen in that email, that they should have known it was phishing. Every year we do regular testing. You have to get it done in the month of October, or else I cut you off the network.

 

Matthew Eshleman:  It's amazing. It's fantastic!

 

Jada Breegle:  This is from my DOD days, we would totally do stuff like that. But our management is totally on board with this.

 

Matthew Eshleman:  Yeah. I think that's a great example because I think you set a very high but achievable bar to say, this is serious, this is important. And you do it internally and I think we have reasonable expectations for providing and expecting it to be completed by the organizations that you're funding as well.

 

Carolyn Woodard:  Those are great questions. We have some questions coming in from the audience as well. 

 


Are there consequences if someone falls for a real scam? 

 

You said, Jada, your organization had an actual business email compromise and I don't know if he means are there consequences, do people get fired, or what are the other consequences that can happen?

 

Jada Breegle:  I think it depends on your organization, and it depends on what happens. What happened at our organization, there was an investigation. How did this occur? Was the person negligent? That person no longer works at LSC. There were real consequences. And I don't want everybody at LSC to be scared. I want them just to be heads-up aware. And I think they are. 

 

I get 10 emails a day to my help desk saying, is this real? I don't care if they send a 100. I want to see them all. We'll tell you if they're real. And so there are consequences, real consequences.

 

Matthew Eshleman:  I would just add in. I know we did a webinar specifically on cyber fraud with Your Part-Time Controller. They shared a similar story where a targeted business email compromise took an organization for large sums of money. 

 

Through the investigation there, the problem is not with the user clicking on something and being scammed into it, it’s in not reporting it. The coverup is the crime. 

 

In cybersecurity, as Jada mentioned, the ounce of prevention is worth a pound of cure.

 

And so if there's ever any question, absolutely send it, ask for help. I think that's part of building an effective cybersecurity culture. Just feel like you can ask your IT team or ask your IT provider or ask your colleague to take a look at it. 

 

I know from reviewing the security tickets that we respond to, we can see pretty clearly where somebody submitted a message. They said, “I didn't click on this, but it looks weird.” And then a week or two later we get an alert that their account has been compromised. If we would've known that they actually clicked on the link and entered their password, then we can take appropriate actions. Not being sure is not a bad thing.

 

Jada Breegle:  We would so much rather someone call us and say, “I just clicked on something. I don't know what's happening, but I think something bad is happening,” because we know what to do. We had something happen a couple weeks ago. Once we figured out what had happened, “Turn your computer off. We're changing all of your passwords. We're going to send FedEx, we're going to take your computer, we'll get you a new one tomorrow.” It was that bad.

 

Carolyn Woodard:  That's something I think is so good about this kind of training is, like you said Matt, it kind of sensitizes people to report it right away instead of being embarrassed about it and thinking, “Oh, I think I can fix this myself.” No, you need to bring it to people's attention. 

 

We have a bunch more questions coming in. 

 


What do you think about using YubiKey versus the single sign-on method? So that's kind of a specific one.

 

Matthew Eshleman:  Yeah. YubiKey would be like a physical security token that would be part of multifactor authentication (MFA). 

 

Multifactor authentication, something that you know, which is your password, along with something that you have, for most organizations it’s probably an app on your phone, maybe you're using text messaging. 

 

YubiKey, or FIDO security key, is a physical device. We're in the technical weeds here, but single sign-on just means that you can get into multiple applications with one user credential. And as much as you can protect that user identity, the better off you are.

 

I've had physical security keys for quite a while. We're now deploying those across our organization because they increase your level of security because they are nearly impossible to spoof. 

 

If you were following the Uber hack, the way the bad guys got in there was to just keep trying to log in and the text phone kept going off with an MFA request. The hacker knew who they were and they called them on WhatsApp and said, “Hey, respond to this. We're trying to test something.” And they clicked okay to finish the MFA request, and then the bad guys got in. So that's an almost impossible thing to do with physical security keys.

 

If you're going through a multifactor authentication project, yeah, I would totally look at incorporating FIDO keys or security keys as part of it because you get better protection than just a mobile app.

 

Carolyn Woodard:  Thank you, Matt. 

 


How about international organizations that are having difficulties in IT? Is there a possibility, or are there training processes, to be able to understand which messages to respond to or not? 

 

So I know KnowBe4 is a specific tool that you need to sign up for and have a license to. Do you know of any, maybe free versions, or just websites that have information on email phishing scams in general? 

 

Matthew Eshleman: There are free resources available. Stay safe online (www.staysafeonline.org), which is a U.S. government resource, provides some good foundational information that organizations can get started with. 

 

For organizations that are looking for paid training, particularly if you're multinational, I do think KnowBe4, and I assume other security awareness training tools, have multilingual training and test phishing messages as well. So you can provide language appropriate stuff. It's not all U.S. English-centric. There are platforms that will support and send those messages in whatever geographic location and language you need to use.

 

Carolyn Woodard:  Sounds good. Thank you. 

 


Someone asks, what is the number of clicks, phishing email failures, within a particular period of time that should be allowed? Is there a rule of thumb for this type of tool or for KnowBe4 specifically?

 

Jada Breegle:  I was wondering if we were talking about for an individual or for the organization. For an individual, it's zero. You click, you get more training. Because, in the real world, you click, you could be taken to all kinds of bad places. 

 

For the organization, Matt, you probably know what sort of click percentage should be your goal.

 

Matthew Eshleman:  Yeah, at an organizational level, we had the metric on earlier. I think we see high teens as where most organizations are whenever they come into a training. Again, between 10% and 20% of messages will get clicked on. 

 

Over time, we are typically doing monthly test phishings ongoing and that rate typically goes down to the low single-digits. 

 

Jada Breegle: I want mine around 5% or 6%.

 

Matthew Eshleman:  Yeah. So that's typically where organizations get to, after 90, 120 days in a training program: low single-digit percentage. 

 

I think our goal is to provide training and education, so folks know what to look for. Again, this is not designed to be punitive, but designed to be educational. 

 

But, you can identify those folks that are your frequent flyers and then require some additional attention beyond just some additional online training. If you've got somebody who's perennially clicking on things, and also may be in a position where they have access to finance or HR type positions, I think we’d be particularly sensitive there.

 

Jada Breegle:  Two more things that we do - we don't require grantees to do this, but just internally - our accounting staff gets an extra training each year, because people go after your accounting team, anybody that can release money. 

 

And the other thing is, every so often you do get that person that clicks through. You do monthly testing, like three times in a row. They've already gotten remedial training. Then I go to their supervisors and say, I need a little help here. I'm not sure what's going on, if they have too much to do and they're just rushing through things, but I need your help on mentoring and educating.

 

Carolyn Woodard:  I think that was great, the way you put it, Matt, is that the first email, that link that you click on that goes to the wrong place. It's not like it builds up and it gets worse over time. The first one can be the worst one. 

 

Encouraging that community of reporting it, knowing who to turn to and who to report it to, what to do, I think is so great about some of these tools. 

 


Will there be a move to Zero Trust? I'm not totally sure what that is. So Matt, can you explain that?

 

 

Matthew Eshleman:  Zero Trust is one of those like buzzy terms that gets thrown around a lot in the cybersecurity world. Essentially, Zero Trust means you're always going to reauthenticate and verify the user is who they say they are. 

 

In our old school, come into the office world, once you log into your computer, you're in the office, you have access to everything in the office. Zero Trust would say there needs to be some kind of continuous evaluation process to verify that nothing has changed and you are the correct person that needs to have access to these systems or processes. Zero Trust is this framework that we're always going to re-authenticate or re-verify the user is who they say they are.

 

Again, the Uber breach is a good example. They had VPN multifactor authentication that was able to be compromised. Then once the threat actor was on the local network, they were able to just get access to other systems because there wasn't any additional verification. And they were able to find a network script that contained some embedded credentials. And there was no additional process to verify access on that system. And so the threat actor was able to get in. 

 

Zero Trust, seems like a lot of marketing buzz. I think it's helpful to think practically, what does that mean for your organization? How often are you going to reauthenticate people? What are the tools you're going to give them to do that? What are the different checks that need to be in place? 

 

Security is often about a balance. You could have a super secure system where you had a notepad in a closed room, right? Very secure, but nobody can really get to it. Can't do much with that. So I think there's that balance of providing authentication and making sure people can get access, and we want to make security easy to use in its default configuration.

 

Jada Breegle:  And from a nonprofit perspective, I have so many basics that I need to get better at and get in place and put money into. Zero Trust is this government wide very lofty goal that I can't get to yet.

 

Carolyn Woodard:  I have a little follow-on question though, because I feel like this part of the discussion touches on that tension between the convenience and the ease of using it for your staff to get their work done.

 

Matt, you talked at the outset about all the competing priorities, and maybe somebody's just going really quickly and just has to answer all of these emails versus having that security in place. 

 

Jada, maybe you could answer in your experience with this project. 

 


How do you feel like you navigated that tension of making it easy to use, but making people have to use it?

 

Jada Breegle:  I feel like there's a base level of what you have to do. Cybersecurity training is a base level, and if you think about one hour a year that you're spending reminding your users about the potential problems that are out there, and it's not just for work, it's for their personal life too. The stuff comes to you in your personal email too. I think it's worth it. 

 

You need executive buy-in to say, yes, you're going to do it. The first year I did it internally, there were people that were like, Oh, I'm really busy. I'm on all these trips. 

 

We give you a month, you can take an hour out of your work days that month. So I think you just have to do it.

 

Carolyn Woodard:  Thank you. Yes, I agree. There's no silver bullet, easy pill. You have to just put the time in and realize how dangerous it is to your organization. 

 

I want to make sure that we are mindful of people's time. So I'm hoping Matt, if you could put up the slide with our webinar for next month, so I can just quickly tell people how exciting it is. 

 

Next month, on November 16th, we're having a webinar. I invite you back for Staffing IT Positions at Nonprofits. With the labor market the way it is, and with lots of nonprofits learning over the last two years what tech projects are working, and where they need work, staffing is just so difficult for nonprofit tech roles. 

 

Our CEO, Johan Hammerstrom, is going to be talking with Nura Aboki about finding those unicorns who have a tech background and understanding of nonprofit culture and budgets, and who can take on a strategic role and really help your organization plan and budget for IT as a crucial part of your operations, which is a lot of what we were just talking about today.

 

It's not just nice to have, it's cybersecurity. Your IT working, being able to work in a modern office, or work remotely is all essential for your nonprofit to perform and staffing appropriately is part of that. When does it make sense to outsource that expertise and then how do you outsource it? 

They're going to be taking questions on that next month at 3:00 p.m. Eastern, noon Pacific on November 16th. So we invite you back for that. 

And I just want to go quickly back over our learning objectives. I think we hit them.

You should be able to 

● describe the cybersecurity landscape for nonprofits; 

● explain why cybersecurity awareness training is important, email training particularly, and anti-phishing email training; and 

● assess how effective security awareness training is. 

So we talked a lot about that. And we answered a bunch of Q&A from the attendees. Thank you all so, so much for joining us. We really appreciate it. 

Thank you Jada, for sharing this case study with us and your experience. Thank you Matt, for answering our questions about how to do this training and how it was working in this project. And thank you again to all the attendees for joining us for this hour.