Community IT Innovators Nonprofit Technology Topics

Cybersecurity Readiness for Nonprofits Playbook with Matt Eshleman pt 1

Community IT Innovators Season 5 Episode 43


Is your nonprofit struggling to understand cybersecurity fundamentals? 
Are you unsure what level of protection you need or can afford?

In part 1, Matt discussed the cybersecurity landscape for nonprofits and some of the changes that prompted this update to the Playbook. In part 2, Matt walks through the "foundational" suggestions and takes audience questions.

October is Cybersecurity month! Community IT Chief Technology Officer Matt Eshleman walked through our revised Playbook on Cybersecurity Readiness for Nonprofits in a webinar designed to get your nonprofit prepped to face cyberliability insurance requirements and ever-evolving threats. 

Learn the Community IT approach to cybersecurity and how even small changes will protect your organization against threats big and small. 


2024 Updated Playbook on Cybersecurity Readiness for Nonprofits – Download

Matt shares updated advice on security improvements that provide protection against the most common attacks. You will learn about AI and cybersecurity, best practices in staff training, how to qualify for cyber insurance, and why you need written IT documentation and governance policies. Do you have an approach to compliance? Do you know if your staff are following your cybersecurity policies and procedures? 

With the rise of automated and realistic AI tools and more sophisticated methods of identity and email verification, your nonprofit can’t afford not to prioritize cybersecurity. It may be difficult to qualify for business insurance if you don’t complete certain checklists of cybersecurity precautions. But if you don’t know where to start, it can be tempting to delay indefinitely.

This Playbook gives you a simple structure to understand how to think about cybersecurity risks and costs for your nonprofit. Matt’s presentation gives you tips you can put in place quickly and train your staff on immediately. You can download the new Playbook for free here.

This webinar is appropriate for nonprofit executives, managers, accounting, development, and nonprofit IT personnel – and as with all our webinars, it is appropriate for a varied audience.

Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.

Presenter:

As the Chief Technology Officer at Community IT and our resident cybersecurity expert, Matthew Eshleman is responsible for shaping Community IT’s strategy around the technology platforms used by organizations to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how technology works and interoperates both in the office and in the cloud.

Matt joined Community IT as an intern in the summer of 2000 and after finishing his dual degrees in Computer Science and Computer Information Systems at Eastern Mennonite University, he rejoined Community IT as a network administrator in January of 2001. Matt has steadily progressed up at Community IT and while working full time received his MBA from the Carey School of Business at Johns Hopkins University.

Matt is a frequent speake



Carolyn Woodard: Welcome to the Community IT webinar, celebrating the re-release of our Playbook on Cybersecurity Readiness for Nonprofits with the author, Matt Eshleman. This free download covers the essentials you need to know to get to what we call a foundational level of managing for cybersecurity. And we also cover additional levels of optimized and proactive and where those might be your most appropriate strategies.

The Playbook is easy to use, but I'm really happy that Matt's here to help us walk through it today. I'm so happy he's the author and cybersecurity expert, and we're going to go into some of the updates that we made in this revised edition. 

My name is Carolyn Woodard. I'm the Outreach Director for Community IT, and I'm the moderator today. 

First, I want to go over our learning objectives. By the end of the session today, we hope that you will be able to 

· learn our basic approach to cybersecurity,
· learn about the foundational level that we recommend all nonprofits try to get to,
· understand those optimized and proactive options, and then
· take away maybe your first steps and best practices in managing cybersecurity at your nonprofit.

Matt, would you like to introduce yourself?

Matt Eshleman: Yes. Thank you for the introduction. It's great to be with you here today.

My name is Matt Eshleman, and I am the Chief Technology Officer at Community IT. I've been with Community IT for over 20 years, and I've gotten to work with over 1,000 nonprofit organizations during that time. 

I'm really excited to be able to talk about this Cybersecurity Playbook as a revision and a complement to our incident report which we released earlier in the year. We get some of the data, and now we get to talk about how to practically apply that today. Looking forward to our conversation so we can answer any questions that come up along the way.

Carolyn Woodard: Before we begin, if you're not familiar with Community IT, I'll give you a little bit about us. We are a 100 percent employee-owned managed services provider. We provide outsourced IT support. We work exclusively with non-profit organizations, and our mission is to help non-profits accomplish their missions through the effective use of technology. We are big fans of what well-managed IT can do for your non-profit, and we believe all non-profits deserve well-managed IT. We serve non-profits across the United States. We've been doing this for over 20 years, and we are technology experts. We are consistently given the MSP 501 recognition for being a top MSP, which is an honor we received again in 2024. 

I just want to remind everyone that for these presentations, Community IT is vendor agnostic. We only make recommendations to our clients and only based on their specific business needs. We never try to get a client into a product because we give an incentive or benefit from that. 

But we do consider ourselves a best of breed IT provider. It's our job to know the landscape, know what tools are available, reputable, and widely used. We make recommendations on that basis for our clients based on their budget needs, their priorities, their business needs. We got a lot of good questions at registration so we're going to try and answer as many of them as we can. But anything we can't get to, I'll have Matt give us some written thoughts and I'll append that onto the transcript.

Cybersecurity Fears

As I mentioned, we had at registration a question where you could put in your greatest fears around cybersecurity and October is cybersecurity month. So scary. I thought it was really interesting. I took those fears, and I made this word cloud out of them. You can see ransomware came up. Many people had put that in.  

Matt, did you want to talk about this visual at all though?

Matt Eshleman: Yeah, I think it's really interesting to get that perspective on what the biggest concerns are that individuals or organizations face. And I think that ransomware term really does catch a lot of our imagination. It certainly makes the news.

And I think ransomware attacks preoccupy a big part of our brain whenever we think about cybersecurity and how do we protect ourselves. I will say, whenever we look at the data for the organizations that we support, we support about 200 nonprofit organizations, we haven't had a ransomware incident at our clients for I think over five years now.  

I do think that there's a difference between the big enterprise and kind of the on-prem server infrastructure that a lot of organizations still maintain that is still very vulnerable to ransomware and the distributed cloud environment that many of our non-profit customers have been moving to. We're really getting rid of servers; many organizations are 100 percent in the cloud. And there are other risks to be sure. But ransomware, whenever we actually look at our numbers for the non-profit sector, is not kind of the most common or even a very likely threat.

So, I put together a word cloud for how I think about cybersecurity and the issues that our clients are actually facing. And the big word that you'll see front and center is fraud. And maybe this needs to be wire fraud, tied to scammers.

But I think understanding that most of the cyber issues are really driven by cyber criminals, and that this is a financial enterprise, is helpful to keep in mind. Ransomware certainly has that end result, right? Encrypting your files, extorting people for Bitcoin or for whatever to pay to release that information.

But what we see for small to mid-sized organizations is that the biggest issue that they face is wire fraud that is related to updating payment information, changing banking account for partners or even employees and redirecting those payments into accounts that are controlled by the hackers, not by the individuals. A lot of that is initiated because of compromised accounts that are stolen through weak MFA controls or attacker-in-the-middle.

That's what we see a lot. And so that also informs the Playbook in terms of what we're focusing on and some of the emphasis that we have on protections around email that you'll see whenever we get into it. I think this graphic to me really highlights the things that you should be worried about. And that helps, I think, align and prioritize some of the protections that organizations should be investing in.

Carolyn Woodard: We have a question about a couple of the acronyms there. What is BEC?

Matt Eshleman: BEC stands for Business Email Compromise. I think that's a term that the FBI uses. It's an email-initiated attack. And we see this most often as a spoof message, right? It looks like it's coming from somebody you know. It could be your executive director or the finance director, right, emailing, “hey, can you update this payment information? We had a problem.” It could also be initiated from maybe a partner organization that had one of their staff compromised, saying, “hey, we had a problem receiving that grant. Our bank had some issues. Here's the updated information. Please apply the payment here.”

So that act of email-initiated fraud is called business email compromise.

Carolyn Woodard: And then the other question is about AITM.

Matt Eshleman: AITM is the acronym for attacker-in-the-middle. That is the method where these threat actors are able to steal what's called your session token. 

Even if you have MFA, using the Microsoft Authenticator or Google Authenticator app, the bad guys are able to use these attacker-in-the-middle frameworks to basically run your login through a system that they control and they can steal that access. Then it appears and you are authenticated and can send emails and do that kind of thing. 

That’s what we really saw in our incident report is that a large number of accounts can get compromised even though they had MFA because of these new sophisticated frameworks that are available for hackers to buy that allow them to create these proxy systems so they can steal your authentication requests.

Carolyn Woodard: Yeah, it's kind of a big freak out because we've been telling everyone for several years now, MFA will really protect you. And so of course, hackers are looking for ways to subvert your MFA. We did talk a lot about it when we did the webinar about the incident report. I did put that in the chat. It'll be in the transcript. It's communityit.com/nonprofit-cybersecurity-incident-report, if you're looking for that webinar and that report.

How many audience members have been victims of a cybersecurity attack? 

I think let's go ahead and launch this poll. We wanted to find out about you. And the poll is, has your organization had a cyber incident? There's a lot of stigma, a lot of shame around being the victim of a scam or attack. Your organization will not be visible in your answer. We're just trying to show how pervasive the problem is and different levels of stress you're probably under and why you need a plan and cybersecurity controls to help prevent attacks. The answers you could choose are no, not that we know. Number two is not sure. Number three is yes, but we discovered it with time to mitigate the impact. Number four is yes, and we suffered significant impact. And number five is not applicable or other.

We're all potential victims of an attack, I would say. So, we just wanted to see how many of you are in this webinar because you haven't had an attack and you're looking to prevent it. And how many of you are really interested in cybersecurity for specific reasons, because you were attacked?

Matt Eshleman: All right. Of the respondents overall, it looks like a big chunk, about 40 percent of folks said no, not that we know, right? Another 14 percent said not sure. And then we do have a pretty significant number of respondents, about 30 percent said yes, they have been a victim of a cybersecurity incident, but they were able to identify it and respond rather quickly. And then another 14 percent said yes and suffered a significant impact as a result. 

Now, we didn't dive into that, but I assume that that could be significant financial loss, which is something we've certainly seen, or a big incident response, maybe cyber liability insurance was involved, and forensic response, and that all gets very expensive very quickly.

Carolyn Woodard: So stressful. I think one of the biggest outcomes to nonprofits is the stress that the whole staff goes under when you have to respond to any kind of attack like this. It just saps your energy. It's very, very stressful. 

Well, thank you, everyone, for responding to that. Really appreciate it. Before we get to the Playbook, Matt, I wanted to ask you the bigger picture of what we are seeing in cybersecurity these days. 


Why did we update the Playbook now?

Matt Eshleman: Yeah. I think the last time we launched the Playbook was maybe back in 2021. Several years ago. And things change over time. The IT landscape is certainly very different now than it was in 2021. And we're seeing certainly different results.

That MFA example is, I think, a good one. When we first did our incident report, if you had MFA, you were basically immune from being hacked. But now the old MFA methods haven't really kept up.

For us, it's really a good time to review what we've put in place, what has been working, and match that up with what current protections are in place for organizations as they are in a new environment. 

Cybersecurity is really a journey. It's not a destination.

You're never going to get to a place where you can say, all right, we're done. We've put in place all the protections and we don't really need to make any more changes. This is something that grows and evolves over time and requires ongoing attention and investment.

In terms of the cybersecurity landscape, I think this top bullet point has probably been in every presentation I've ever given about cybersecurity for the last 10 years, but it's still worth saying that cybersecurity impacts every organization. Nonprofits are not too small to fly under the radar. I was actually just looking at Microsoft's Digital Defense Report that came out. The top three sectors that are targeted by cybercriminals are IT, education, and then the nonprofit public sector. There is a need for ongoing education that just because you're a nonprofit, you have a great mission, you have great staff, doesn't mean that the bad guys will leave you alone. 

That leads into the second point, which is this really is a cyber-criminal enterprise. This is a business opportunity for organized criminal groups. Yes, there are the proverbial hacker kids in their parents' basement, but what we really see are well-organized, maybe even well-funded groups that are doing this as a financial means. If they can send you a well-crafted email and get a $200 gift card to Amazon, that may be a good use of an hour of their time, or maybe they set up a well-crafted phishing campaign and are able to nab a $20,000 wire transfer. That's a good investment of time. Cybersecurity is something every organization needs to pay attention to, and you're targeted because you have money. That's the short summary of that.

I think the other thing that we have seen, and this has been a trend for a while, is that cyber liability insurance is normalizing those controls. I think the good news is that the year-over-year cyber liability insurance premiums are starting to recede or not increase as much. But the number of controls that they expect to be in place is certainly getting a lot stricter.

Five years ago, you could put down whatever you want, and you could get cyber liability insurance. Now, that's not the case. Unless you have MFA, unless you have a security awareness training program in place, unless you have third-party spam filtering, they may not write you a policy unless those things are actually in place and in use.

The note here, I don't think you can have a presentation and not mention AI, but I think that really is changing the game, both on the defense side and attack side. There's lots of tool investment in terms of helping to filter and cut down on the response time needed to analyze an attack. But then also, the bad guys have AI too. It's really easy to use these AI conversational tools to write a compelling and well-crafted email that's going to get you to click on something.

Just as you may be using AI tools to craft fundraising emails, the bad guys on the other side are crafting well-written emails to get you to click on something. A lot of things that maybe we used to rely on in terms of poorly worded messages or incorrect grammar, you can't rely on that anymore.

Carolyn Woodard: If you haven't downloaded the Playbook yet, I'm going to put that in the chat. You can download it here. It's a free download, about 20 pages. We're going to walk through part of it today, but we can't get into all of the details that are in that Playbook. I really hope that you'll download it and share it. You can read it online. You can share the link for people to download it themselves. Hopefully, that is helpful for all of you.


Cybersecurity Basics

This slide covers our approach to cybersecurity. Matt, do you want to talk a little bit about this graphic?

Matt Eshleman: This is a graphic that we've used for a while, and there have been a couple of edits. But I think in general, this holds up and is still reflective of the lens through which we view our approach, which is really rooted in policy. Having a strong policy foundation really helps to inform how and which types, or the method, that you're going to go about implementing some technical solutions.

That policy work is important for organizations to do, just to develop common ground that they can all understand and be on the same page in terms of, how are we handling corporate devices versus BYOD devices, or how are we handling information systems? What types of data are we going to store? Establishing that security policy foundation gives you a good place to build. 

The next thing on the list is really security awareness training. As the CTO, I love all the tech things. There's lots of awesome technology tools that can be used to protect organizations. 

But I really think that investing in your people gives you probably the best return on any cybersecurity investment that you can make.  

Having your staff be engaged, knowing what to look for, knowing who to talk to if they have an issue, all of those things help to protect your organization. Because at the end of the day, we don't want people to open up stuff they're not supposed to, click on links that are dangerous. Get tricked into providing their credentials, or providing their credit card information to somebody that's asking. Educating staff is really important, and something I would really focus on after that policy layer. 

Then we have lots of different technology solutions. That blue line is representative of the different control areas, so your identity and account management, the data that you have, the devices that are being used to access organizational data, your network perimeter, whatever that looks like. It could be an office firewall, but you may have 50 home internet connections that you need to think about, securing your own website and public web presence. 

Then finally, this top layer, we refer to now as compliance.

Carolyn Woodard: That is the piece of this graphic that's changed from last time, so I'm glad we get to talk about it.

Matt Eshleman: Yeah, because I think what we see is that it started with cyber liability insurance being a real driver for organizations to make real technical changes to their organization. But we are now seeing compliance standards being implemented or demanded by funders, for organizations that maybe have government or federal contracts. Adopting some sort of formal compliance standard and being able to demonstrate that yes, we are following the CIS controls, or we are following NIST, is that top level control that drives some of these decisions as well.

It also could be for organizations that may not yet have those formal compliance requirements. You know, governance may also be a new term, right? How do we make decisions around what we're investing in protecting and how we're going about making those choices is really at the top. 

If you have that good foundation of policy, that allows you to build and make good decisions around some of the technology and process tools that you need to implement along the way.

Carolyn Woodard: I like how we were talking a little bit before about how that helps wrap this graphic and our approach together. You have those security policies as your foundation, that are the bottom layer of what you need to be able to manage your cybersecurity. But if nobody is checking them, if you're not monitoring that those policies are being followed, and no one at your organization owns that compliance with your own policies, then it doesn't matter that you have the policies.

If you don’t have someone checking, you are going to go in and find that you still have 20, 50 accounts for employees who have left your organization, and maybe you had a policy for offboarding those people, but you didn't follow it. So, you didn't ever delete those accounts, and now you've got a cybersecurity liability there, a risk where people could be using those accounts to get into your system.

I like this change that we've made - not just having the policies but checking up on them. 

And then we didn't change this piece of our approach. This remains the same, but that is something in this Playbook that I think, I hope is very helpful for people using it.

Our approach recognizes the unique operating environments of small to mid-sized nonprofit organizations

I think some security firms probably are telling you, “you have to do everything, and we'll charge you for all of it.” But we really wanted to look at appropriate approaches for nonprofits. Some of the things that we recommend are really not very expensive to do. 

We looked at those eight elements that you talked about in the last slide, Matt, and then we ran them through these three different layers. 

There's foundational, which is what we hope everyone gets to.

Then there's a little bit more intense, optimized.

And then at the top we have proactive, which is the most intense, the most expensive. 

And I think we do need to find a better way to show this, to illustrate this, because in our view, we don't think proactive is, quote unquote, better than foundational. So, it may be appropriate that you have a more proactive stance if you're working in a country where you might have more cybersecurity risks, or if the advocacy that you're working on means that there are more targets on you, more targeted attacks.

But you also might shift between these levels for some aspects and maybe beyond foundational for other aspects. You may have some tools that you're using or some things that you're doing where you need to have a more optimized approach.

And when you do your assessment, you're going to see that that has a return on your investment and that you are going to make that investment in a little bit more security in those levels. 

So all this just to let you know, don't feel like you have to get to proactive. But we do want you to get to foundational.

That's really important. 


Doing an Assessment

Matt, could you talk a little bit about assessments? We've had a couple of people ask already; how do you do an assessment? Do you always need to hire someone to do that assessment for you? How do you get this information of where you're at and where you want to get to?

Matt Eshleman: Yeah. I think it's a good question. And before I talk a little bit about assessments, I do think this kind of idea that security is a journey, not a destination, I think means that there is some kind of logical way that you kind of proceed through these things. One of the things that always comes up in terms of a security assessment is, “do you do pen testing? I heard we need to do pen testing, that's going to make us more secure.” (Penetration Testing is where a security firm will do an exercise to break into your IT and learn where your vulnerabilities are.)

Well, pen testing is a very expensive process to go through. And unless you've really invested in some of the foundational elements, you're just going to get an assessment that exploits all of these underlying weaknesses and it's not really going to be a good use of those dollars that you do have to invest in cybersecurity control. 

I think cybersecurity is additive, it builds on things. Having a good framework in place to help make those decisions is important.  

We do a couple of different things for assessments. We have a free assessment tool that we can use that will kind of give kind of a quick dashboard view of some of the areas for investment. 

Because we have worked with nonprofits for over 20 years, we've developed our own assessment framework that really looks at key areas as a way to rank and identify different areas of investment for improving the overall cybersecurity protection of an organization. 

There's lots of formal cybersecurity assessment frameworks that are out there. The resources to do them are free. The two popular ones that we use are the Center for Internet Security's V8 Cybersecurity Controls. You can go to their website and get an account and download the 153 areas that they look at and go through and assess it yourself. Those tools are out there. The same thing with NIST. Those are the kinds of public resources that are available.

I think the benefit and reason why people pay for an independent assessment is that they're complex. It's really tedious to go through, and I think just explaining and understanding what they're asking and why they're asking does provide value.

I think the real benefit of going through an assessment (with an expert provider) is you actually have some sort of meaningful road map of recommendations to actually take once you get through the process, right? Because once you get through 153 different controls, trying to figure out where to start can be a challenge.

Carolyn Woodard: That's a great segue into the Playbook. When you download it, you'll see we do estimate some of the costs for some of the different recommendations that we make. They are estimates. They're kind of our best guesses, but it can really change depending on how many people you have, how many licenses you have, what risks you're actually undergoing.

And another thing we wrestled with is whether we could estimate time for some of these projects because time is usually your biggest cost – staff time to be able to prioritize and do some of the things that you need to do to get up to that foundational level. 

We’ve talked about doing the assessment and building out your plan, but we couldn't really make estimates of how long it's going to take you. You need to prioritize what you're going to need to prioritize, and then you need to look at your schedule and make your guess of how long it's going to take you and how much you're going to be able to work on it, along with all of your other priorities that you have.