Community IT Innovators Nonprofit Technology Topics

Cybersecurity Readiness for Nonprofits Playbook with Matt Eshleman pt 2

Community IT Innovators Season 5 Episode 44

Is your nonprofit struggling to understand cybersecurity fundamentals? 
Are you unsure what level of protection you need or can afford?

In part 1, Matt discussed the cybersecurity landscape for nonprofits and some of the changes that prompted this update to the Playbook. In pt 2, Matt walks through the "foundational" suggestions and takes audience questions.

October is Cybersecurity month! Community IT Chief Technology Officer Matt Eshleman walked through our revised Playbook on Cybersecurity Readiness for Nonprofits in a webinar designed to get your nonprofit prepped to face cyberliability insurance requirements and ever-evolving threats. 

Learn the Community IT approach to cybersecurity and how even small changes will protect your organization against threats big and small. 


2024 Updated Playbook on Cybersecurity Readiness for Nonprofits – Download

Matt shares updated advice on security improvements that provide protection against the most common attacks. You will learn about AI and cybersecurity, best practices in staff training, how to qualify for cyber insurance, and why you need written IT documentation and governance policies. Do you have an approach to compliance? Do you know if your staff are following your cybersecurity policies and procedures? 

With the rise of automated and realistic AI tools and more sophisticated methods of identity and email verification, your nonprofit can’t afford not to prioritize cybersecurity. It may be difficult to qualify for business insurance if you don’t complete certain checklists of cybersecurity precautions. But if you don’t know where to start, it can be tempting to delay indefinitely.

This Playbook gives you a simple structure to understand how to think about cybersecurity risks and costs for your nonprofit. Matt’s presentation gives you tips you can put in place quickly and train your staff on immediately. You can download the new Playbook for free here.

This webinar is appropriate for nonprofit executives, managers, accounting, development, and nonprofit IT personnel – and as with all our webinars, it is appropriate for a varied audience.

Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.

Presenter:

As the Chief Technology Officer at Community IT and our resident cybersecurity expert, Matthew Eshleman is responsible for shaping Community IT’s strategy around the technology platforms used by organizations to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how technology works and interoperates both in the office and in the cloud.

Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference, Non-Profit Risk Management Summit and Credit Builders Alliance Symposium. He is also the session designer and trainer for TechSoup’s Digital Security course. 



Carolyn Woodard: Welcome to the Community IT Webinar, celebrating the re-release of our Playbook on Cybersecurity Readiness for Nonprofits with the author, Matt Eshleman. My name is Carolyn Woodard. I'm the Outreach Director for Community IT, and I'm the moderator today.

Matt Eshleman: My name is Matt Eshleman, and I am the Chief Technology Officer at Community IT.

Carolyn Woodard: Moving back to this slide, the foundational, and our approach, you have your policies, your security awareness, the five technical tool aspects there, and then compliance. 


Foundational Level Cybersecurity Policies for Nonprofits

Matt, would you like to talk a little bit about, for the foundational level, the types of policies and the type of security training that we would recommend?

Matt Eshleman: Sure. I think this is an area that's changed since the 2021 version. We’re certainly investing more in the policy side of things at the foundational level now. 

I think all organizations should have an IT acceptable use policy establishing basic guidelines for the organization. I mentioned some of that earlier. 

How do you handle personal devices? A password policy, how are you handling mobile devices within the organization? How are you handling access to systems? 

All of the basic information that an organization needs to operate really is in that IT acceptable use policy. 

The data privacy policy is something that we typically see organizations have maybe as part of a website. Or if they have a CRM or something, that maybe they already have that piece that talks about how you use data in the organization that you are caretakers of. Defining that and being able to communicate that to your stakeholders is important.

The new addition here of the AI acceptable use policy for organizations that are thinking about or already are using AI or have staff who are adopting AI tools that the organization isn't yet aware of. That provides an area for conversation and decision making around, how are we as an organization going to interact with these AI tools that are just being included in all of our platforms, whether we wanted them or not? 

So, AI use is a new policy that's included in this foundational tier, along with some policies that have been in place for a long time, like backups and disaster recovery. Even as systems have moved into the cloud, it's still an important exercise to go through and understand, how is that data being protected? How can I recover it if there's some sort of corruption or deletion, either intentional or unintentional? Just because it's in the cloud doesn't mean you don't have to think about those things anymore, you need to have a system in place to deal with that. 

And then the last two here, incident response and cyber insurance. We see many organizations being intentional about purchasing cyber liability insurance because of the risk associated with a breach, and then that kind of ties into having an incident response policy as an organization, because the organization itself needs to have a clear standard on what happens, who's going to be involved, who's our insurance provider, how are we going to interact with our MSP. 

This is something that at Community IT, we have an incident response policy for when something happens to our client, but we are relying on the client to have their own policy that talks about how and when we are involved and how we interact with people and that kind of thing. Even if you have an outside partner that works with you on IT things, it's important for the organization itself to define those policy responses for themselves.

Carolyn Woodard: Yeah, you don't want to be realizing as something is unfolding that you don't have somebody's phone number that you need to call. Running through that scenario and just figuring out who's on your call list is important to have ahead of time.

Matt Eshleman: Yep, and having that printed out on somebody's desk, right? So the incident response is not located on the same system that just got encrypted or deleted. 

On the security training side there's lots of training that organizations can kind of dip their toe in and start for free. I think we still have a free video on our website about training. There are a lot of free training resources that are out there. So just getting started is important.

And then also defining those policies and training around remote work. How safe are workspaces? How do you handle shared computing, maybe at home, right? So just talking about defining and educating staff around good practices in these areas. It doesn't have to be expensive, but it does need to be intentional.


Cybersecurity Training Best Practices

Carolyn Woodard: We have a question about approaches and training for mid-size nonprofit organizations. So especially frequency, would you recommend an annual all-staff training on cybersecurity is enough? Or do we recommend doing maybe smaller, shorter security training throughout the year? What works? 

Matt Eshleman: This is one of my favorite things to talk about because I think training is so great. We spend a lot of time investing in our training program for our clients. And I think what we found works the best is that shorter but more frequent trainings are more effective.

I think the traditional approach has been, once a year there's a meeting or you have some online training. It takes an hour. You do it, you check it off and you kind of go on with your life.

What we like to do is quarterly trainings that are online. They have a variety of topics that are included. And so, the minimum standard would be quarterly. I like that because it keeps it shorter, more concise and you can talk about different areas that are relevant at the time. 

Alongside of the training, we like to include some test phishing. So again, you're doing some testing, you're providing some practical ways for your staff to kind of be engaged and click on that report button so that they have a way to interact with IT that says, “hey, this looks weird, I'm going to report this. Is this a test phishing message? Is it real? Is it fake?” 

That's a good way to make training a two-way or an interactive process, not just sitting in a conference room for an hour to once a year to check the box and move on.


Foundational Cybersecurity Tools and Practices for Nonprofits

Carolyn Woodard: And so then moving up through those are our two lower levels, policies and staff awareness training. And then at the foundational level, those different tools that we recommend. Can you talk about that?

Matt Eshleman: These are all those technical controls. And I think we kind of keep packing more and more into what's the minimum standard that we expect organizations to have.

As I mentioned before, multi-factor authentication is essential. And we are actually going through and updating our MFA guidance. We are now recommending what's called phishing-resistant MFA, particularly for organizations that have internal IT or HR and finance contacts.

That's to combat this attacker-in-the-middle phenomenon where they're able to steal those authentication tokens from the app-based authentication. We’re moving to physical security keys or Windows Hello as a way to provide device-bound MFA authentication sessions. Kind of a technical term, but the idea is that we need to take some additional steps to secure our identities.

And that's really at the root of a lot of this. Same thing with using a password manager. If you're just getting started, use a password manager so that you're not reusing the same password over and over again or creating some pattern of passwords. 

I literally know, I don't know, three passwords. I know the password of my computer, my password manager, and my encryption key. That's it. Having new, unique passwords for all the systems that we're using is, at a basic level, the approach to take.

Carolyn Woodard: I have to jump in and just say that all of this is in the Playbook. And also, we have a lot of resources on our website for many of these tools that are on this list, for those five different areas; you'd want to make sure that you're taking steps in all of those areas.

The five areas are identity, data, devices, perimeter, and web. And for each of those, we do have some subtitles, subheaders. Under identity, MFA and password manager; under data, we have backups.

Under devices, you'd want to have OS or third-party updates and antivirus. Under perimeter, you want to invest in spam filtering, test phishing messages, business email compromise prevention, and DMARC and DKIM. And under web, you want to make sure you're investing in a secure website platform and that you're securing your website domains.

All of this advice can be found in the Cybersecurity Readiness Playbook, which is available as a free download on our site, communityit.com.

But just in the interest of time, I don't know that we're going to be able to go through all of them. So, I just recommend that you check them out on our website. We have podcasts about, for example, DMARC and DKIM, which you may not know what those acronyms are. Listen to the podcast, you will learn all about it. It's about email verification, that the email is coming from where it says that it's coming from.


Foundational Cybersecurity Compliance Best Practices for Nonprofits

I wanted to just be able to move on to the compliance issue as well, Matt. At this level, at the foundational level, there aren't really tools that you can implement that will make sure you're compliant with all of the things you need to be compliant with. So, can you talk a little bit about what we recommend, how you should approach it? 

Matt Eshleman: Yeah, I think that's right. I think at the foundational level, if you haven't done so already, it's just really important to invest in leadership and identify at the organization who owns IT security or who's accountable for that happening.

Again, you don't have to be an IT person yourself, but our perspective is that the organization itself needs to own that responsibility.

It's not something you can outsource even to a great provider like Community IT. We can do a lot, but we can't own the security decisions at your organization. From that leadership role at the organization, then you can make the decisions around where to go and how to do planning and make some of those prioritization choices at your organization.

Carolyn Woodard: Like that great question about how often you should do training. That's something that ideally whoever owns cybersecurity at your organization and maybe a committee, or stakeholders, or a leadership team would sit down and prioritize. How are we going to do training and how often are we going to do it?


A Foundational Level Cybersecurity Roadmap for Nonprofits

To do that, we recommend that you create an IT roadmap. Now we have another webinar that's exclusively on creating an IT roadmap for all of your IT at your nonprofit. But you can do that for your cybersecurity strategy specifically.

Once you've gone through an assessment, whether you do it yourself or you get an outsourced provider or a consultant to do it for you, and you have this list of the things where you are, and the things you need to work on to get up to where you need to be, to be safer, you can create a document out of that. We have a little example here. You can see that it lays out the urgency, the complexity, the impact, how many people at your organization is this going to touch.

If you're requiring everyone to use MFA, then that's going to hit everyone at your organization, and you have to be prepared for that to be a bigger project to roll that out. There may be some cybersecurity projects that only relate to a certain database that you have. And so just the people who work with that database are going to need to have that training, so it might have a lower impact. 

But then you would make a roadmap like this. You would add a timeline to it. You could add the people responsible for it. And I really love having a roadmap like this because it helps you report back on your progress. Sometimes working on IT and especially cybersecurity can feel like you're swimming in place. There's always something new coming in. There's always something you have to change. We're just talking about the MFA, how that now has some extra things that you can do to make it more secure.

Sometimes it can be hard to feel like you're making progress. Having a checklist or timeline can help your leaders and your team feel like you're accomplishing something. 

You can look back and say, “well, we started at this level of cybersecurity, and we have through our work and the time that we spent on it, we've gotten up to this level, this foundational level, and that can help us also respond when there are new threats to address.”

We have a whole other webinar on this, the Designing an IT Roadmap. But I wanted to make sure that we have some time, Matt, for you to talk about the types of attacks that have changed, and that have helped change our recommendation, especially around financial fraud, as you were saying.

Matt Eshleman: Yeah, coming back to those earlier slides, that's the big word in my mind, in terms of thinking about how we protect our clients from these financial fraud attacks, because phishing is more dangerous. They're very well-crafted messages that are coming from obfuscated sources, or because of the attacker-in-the-middle frameworks, coming from actual trusted partners that you work with. It's not uncommon for clients to get a malicious link that's sent from a trusted partner to a SharePoint or OneDrive file that is managed by the hacker and is used to launch those attacks.

We see increasing danger and effectiveness of those phishing campaigns. The other thing that we've seen here, particularly for policy organizations, and I think that is really a special case, is that those are very well crafted.

We had a couple of cases this past year where the attack thread seems to be targeted to, “hey, we want to have this meeting” or “we're going to invite you to this conference,” or “we need your input into this policy document,” or “hey, let's come to this hotel for this meeting. Here's the agenda.” We actually had people or clients show up at a restaurant or hotel expecting a meeting with the foreign minister's attaché and nobody's there. It's just James Bond level intrigue, but these threat actors are using it all under the guise of trying to be a trusted partner and get you to open up a document.

Carolyn Woodard: Get you to click on something. Yes. 

We did have a question earlier about the optimized and proactive levels. I would say, we talked a little bit before, doing your risk assessment is your first step. Both the risk assessment of what you think are your biggest risks, but also where you're at now, what policies and practices do you have in place. 


Foundational, Optimized, Proactive

Matt, would you talk a little bit more about this idea of optimized and then proactive?

Matt Eshleman: Yeah. I think at the Foundational level we have this layer of things that we just know we need to do regardless.

Then I think as you move up, or you have those baseline controls in place, then the questions become around what other areas may need protection, or maybe we need to extend protections or provide a more sophisticated solution because of the risk that we face, in those different control areas.

Then you start getting into more formal compliance standards, and a lot of the solutions that we talk about in the guide really do map to some of those formal compliance standards. Figuring out which ones to invest in, how to go about doing that, is really the work in those more optimized and proactive perspectives, so that you can get to a place, probably in the proactive area, where you're meeting those formal compliance standards. You have a good place to document, and to demonstrate, and to provide feedback to executive leadership, and, right, the whole thing works to report and secure itself when you get to that more sophisticated tier.

Carolyn Woodard: That might also be the case if you've suffered a hack, because then some of your information is out there. We do know that organizations are more likely to be attacked again if they've already been attacked before. So that might also inform how much you're going to put into your cybersecurity.

But I want to let you have a chance to talk a little bit about our cybersecurity offerings. And I'm going to put the link in the chat now. It's communityit.com/cybersecurity.

And that's also where people would talk to you, Matt, and schedule an assessment.

Matt Eshleman: I love talking to folks about this topic and identifying, I think, areas to start. 

Because we're practitioners at Community IT, the assessment piece is really interesting because it allows us to get to providing meaningful protections to organizations. And so those different resources that we have are really aligned around, okay, let's identify what we have, but let's now be able to act on that.

We don't just make a pretty report, but we have a list of steps that we can take that are providing improvements, right? I think at the back of my mind, I'm always thinking, well, how can I reduce the calls to the help desk about security incidents? I respond to them, and it's not that much fun.

And so if I can not have to respond to them because we can get some of these proactive solutions in place, then I think that's a benefit to everyone.

Carolyn Woodard: And here is the exact link that you would use to schedule some time with Matt. 


Cybersecurity Risks When Changing Vendors

I am going to go ahead and ask one of the questions that we got at registration, which I just thought was so interesting. So, this was how to transition from one vendor to another without causing disruption or bad feelings. And I don't know. I mean, I don't know that that's a huge cybersecurity risk in itself, but definitely when you cause bad feelings with a vendor, with staff, that gives something extra that you have to think about. 

Do you have advice on changing vendors?

Matt Eshleman: Yeah, I mean, we do it all the time. I think we exemplify what we would like to have in the partners that we're transitioning with. And I think having clear documentation, identifying the systems that are in place, the tools that are in place, the accounts, can be lacking. I think that's one of the things that we often find is that when we inherit a client from somebody else, there will be leftover admin accounts or other things embedded in the systems that weren't necessarily disclosed.

And so that is a security issue, right? And when working with an MSP, you're providing a lot of access to those partners.

Whenever you transition, it's important to make sure that you really go through a thorough clean out process to make sure that anything that a previous provider had access to is taken care of.

Make sure that the new provider is using new, strong, unique passwords for all those systems. Open communication, I think, is really important. And good documentation. It's always the answer.

Carolyn Woodard: Yeah, that would be my advice too. I know sometimes it might be tempting to just say, we're changing providers and it's going to happen next week. But I don't think that's a great option in this case. You really want to have some time for that handoff to happen. 


Accounting Tools and Systems and Cybersecurity

There's a great question in the Q&A, which is, are there stronger or weaker cloud-based accounting systems? Systems like QuickBooks, bill.com, Expensify, and/or donor systems as well.

For those databases and tools where you're tracking your donors and your accounting, are there any specific ones that are stronger, or are there cybersecurity practices that you would put in place no matter what tool you're using?

Matt Eshleman: Yeah. I'm not an expert in accounting packages. I'll just start off saying that.

I do think there are several standards or certifications you can look for. An SOC 2 compliance audit is a good one to look at, and you can get copies of that from these big commercial and reputable vendors. 

But I also would say that no platform itself is just inherently secure or more secure.

You could use a very secure platform like Microsoft 365, very insecurely. So as long as you're not picking some kind of like a fly-by-night, very under-resourced provider that's just cobbling things together, you should be relatively secure. I think at this point, good commercial solutions can generally be trusted, but it's important to also have good security controls in place so that you don't make everybody an admin in the system.

You want to make sure that people can only see what they need to do for their job. You want to make sure people aren't putting social security numbers in unencrypted systems and that kind of thing. So again, any system can be used insecurely, and it's important to have a deliberate approach to implementing those tools.

Carolyn Woodard: That makes sense. 


Backups and Cybersecurity for Nonprofits

We have another question about backups. If you have moved into cloud storage, do you need a local backup, like a local on-premises backup system? What do you recommend in that case?

Matt Eshleman: For cloud file sharing solutions like Box or Dropbox or Google Drive, or even SharePoint, we find that there are cloud-to-cloud backup solutions that are good to have in place, and you don't need to have that on-prem.  

I will say it's expensive, and I would say this is one thing where the big cloud providers are typically providing some nonprofit discounts for their service because they can subsidize it, whereas maybe the backup service providers don't do that same level of discounting.  

But I do think it's important to have data in a separate and disconnected system in the event that that primary data is compromised or corrupted or something.

And so, making sure you have data somewhere else is still a good approach, right? We talked about it at the beginning, right? Just because your data is not in the server down the hall, doesn't mean you don't really need to think about backups anymore.

It may make it easier. There might be more versioning and there's other stuff. But if you didn't have access to that folder in Box, what is the process (to recover it)?

Can you get back a file from a month ago or three months ago or a year ago? If you need to be able to do that, and if you're not able to do that within the native platform, then look for a backup solution that will allow you to meet those organizational requirements.

Carolyn Woodard: Thank you so much. I just want to go back over our learning objectives. We hope that today you learned the basic approach to cybersecurity that we have, the foundational level we recommend.

Once you read the Playbook, it will become clearer, I think. We didn't have a chance to get really into the optimized and proactive options, but those are in the Playbook. I hope that you were able to take away some first steps and best practices in managing cybersecurity at your nonprofit.

The big takeaway I hope that you get is that you need to start. You need to pay attention to it. It can seem really overwhelming and really make you anxious, because people are out there trying to get you and get you to click on something. 

But really, you can start at yourself, download the Playbook, that's a really good start. Then just get in touch with us if you have more questions about that sort of thing.  

I want to make sure to tell you next month we're doing something really different, which is talking about de-stressing and self-care in nonprofit IT roles.

There's a lot of research out there on how important it is to us to stay healthy, mentally and physically, and how de-stressing is a big part of that. I think I can speak for many of us when I say having a nonprofit IT role can be extremely stressful. You have a lot of demands, you have a lot of budget constraints, you have demands from both sides, both from your leadership and from the staff that are trying to use the tools.

Cybersecurity, anxieties. We're going to talk about things that you can do specifically while you're in this role to help yourself stay healthy so that you can be doing this role and helping your nonprofit achieve your mission. I hope you can join us for that.

I just want to thank you, Matt, for your time today.

Thank you everyone who joined us for this webinar. Your time is a gift. Thank you for giving it to us for this hour.

I hope this was helpful to you. Matt, thank you so much for sharing your expertise with us and helping us get smarter about cybersecurity.

Matt Eshleman: Great. Thank you. It was a real pleasure.