Community IT Innovators Nonprofit Technology Topics
Community IT offers free webinars monthly to promote learning within our nonprofit technology community. Our podcast is appropriate for a varied level of technology expertise. Community IT is vendor-agnostic and our webinars cover a range of topics and discussions. Something on your mind you don’t see covered here? Contact us to suggest a topic! http://www.communityit.com
Cybersecurity Readiness for Accountants with Matt Eshleman
Cybersecurity Readiness for Nonprofit Accountants, Hosted by Jitasa University
Join Matt Eshleman, cybersecurity expert and author of the re-released Community IT Cybersecurity Readiness for Nonprofits Playbook, in a short presentation on how to use the playbook to protect your organization if you are a financial manager or accountant.
In this video, you will
- Learn about the free downloadable Playbook on Cybersecurity Readiness for Nonprofits and how financial officers and accountants can utilize this Playbook
- Learn the most common scams and trends in cybersecurity for nonprofits
- Understand the current cybersecurity landscape and the role of AI in new risks
- Learn tips for getting buy-in from stakeholders
- Understand cybersecurity training best practices for nonprofit staff
This video is designed for financial professionals in nonprofits, from CFOs to accountants. This Cybersecurity Playbook covers issues and best practices important to any nonprofit staff and leadership; this video concentrates on the questions and issues relevant to financial staff, and is hosted by Jitasa University. You do not need to be an IT professional to find value in this playbook.
Download the free Cybersecurity Playbook here: https://communityit.com/download-cybersecurity-readiness-for-nonprofits-playbook/
_______________________________
Start a conversation :)
- Register to attend a webinar in real time, and find all past transcripts at https://communityit.com/webinars/
- email Carolyn at cwoodard@communityit.com
- on LinkedIn
Thanks for listening.
Carolyn Woodard: Welcome to the Community IT Innovators Technology Topics Podcast. My name is Carolyn Woodard. I am your host, and today, we have a special podcast that is hosted by Jitasa University.
You’re going to hear my colleague, Matt Eshleman, our cybersecurity expert, talking about the re-release of our Cybersecurity Readiness for Nonprofits Playbook, specifically for an accounting or financial staff perspective.
What are the best practices and tips in our Playbook that you can take as a financial staff person to protect your nonprofit from cybersecurity fraud, wire fraud, phishing attacks, attacker in the middle, attempts to get your MFA tokens, all of the new and trending scams and frauds that are coming at financial officers and accountants? I think this is particularly relevant now.
If you listened to the podcast recently from Johan Hammerstrom about the new auditing requirements, SAS 145, that require financial auditors for nonprofits to, for the first time, audit your IT management and IT cyber risk mitigation as part of their financial audit of the security and best practices that your nonprofit financial team are taking, I’m hoping that this presentation from Jitasa will be helpful for you. You’re going to hear the Jitasa introduction and then Matt talking about our Playbook.
Jitasa University: Welcome to Jitasa University, where our goal is to empower nonprofits through free educational content. These short videos are all provided by trusted partners within our network as well, so each topic will be relevant to every organization, regardless of size. Let’s dive right in.
This month, we’re featuring Matthew Eshleman, the Chief Technology Officer at Community IT Innovators. As a 100% employee-owned and managed outsourced IT services provider, they exclusively assist nonprofit organizations in utilizing technology to accomplish their missions and have been doing so for over 20 years. Let’s pass things over to Matt and get started with the content.
Matt Eshleman: Thanks for joining this presentation on our Playbook for Cybersecurity Readiness for Nonprofits. My name is Matthew Eshleman and I’m the Chief Technology Officer at Community IT. In my role, I’m responsible for managing our backend team that supports nearly 200 clients and 8,000 non-profit users and also get to work with our clients on cybersecurity strategy and technology roadmap planning. It’s through this process that we’ve developed this updated cybersecurity playbook.
The Costs of Cyber Attacks
Whenever we talk about cybersecurity, the biggest financial risk to non-profits is actually through organizational fraud, precipitated by a compromised account or through spear phishing. These are the top words that come to mind.
It’s fraud, it’s an attacker in the middle, that acronym AITM, it’s BEC or Business Email Compromise, phishing. Those are the things that organizations really need to be protecting against in this new digital era.
The World Economic Forum reports that scammers stole over $1 trillion in the US equivalent globally from victims in 2023. This means that companies lost an average of about a point and a half of profits in fraud, and consumers themselves faced over $8 billion in US losses directly. We know that cybercrime is a major issue, and that it’s something that impacts every organization. Our goal in developing the Cybersecurity Playbook is to provide a roadmap for organizations to follow to help them protect their own organization.
I think it’s helpful for us to understand a little bit more about the overall cybersecurity landscape, because things have changed over time. And the first point here is that cybersecurity is something that impacts every organization. No organization is immune, or no organization can fly under the radar. The cyber criminals don’t really care about how great your mission is, or all the good work that you do, or how dedicated your volunteers are. They’re just looking for a payday, and your organization has what they want, which is financial resources. The cyber criminals view this as a job. It’s not like a fun thing that they can do. They’re not sitting in their basement working on this. This is an actual full-time job, and they are working really hard to get paid.
Defense against Cyber Attacks
Now, on the other side, we see that many organizations have adopted cyber liability insurance, which is a great step to take. And through that process, many organizations are taking additional steps to secure their organization. We see cyber liability insurance as being something that organizations are using to adopt additional cyber security controls.
And that’s also the case as financial audits become more expansive and have reached into the cyber world. You may notice that your audit now includes questions about cyber controls, and that’s because of the financial risk associated with poorly implemented or lacking controls. So again, organizations are really taking steps to improve cyber security because of those external requirements.
I think the other piece that’s helpful to think about is just how the AI impact is changing the cyber security landscape as well. Just as many of us are using AI tools to help us record meetings and write better emails, the bad guys are too. And so a lot of the things that we used to be able to rely on, such as poorly worded messages, misspellings, that sort of thing, in phishing messages, that really has gone away because the hackers are able to load up content into many of the popular AI tools and generate well crafted, well worded, compelling messages that are designed to trick us into clicking on links.
And then I would say as we wrap up in terms of the landscape, I think it’s important to remember that cybersecurity, it’s not a destination. We’re never going to get to a place where we’ve done all the things that we can do, and we can finish and rest. Cybersecurity protection really is a journey with changes that are going to need to be made along the way.
Just to remind us that nonprofits don’t get to fly under the radar. And cybersecurity is an area that just requires a continued investment and attention as we deal with new threats from AI. Hackers are ever increasingly motivated to get that financial return.
Cybersecurity Readiness for Nonprofits Playbook
I’m going to be talking specifically about some of the resources in our Nonprofit Cybersecurity Playbook, which you can download here.
The link is communityit.com/download-cybersecurity-readiness-for-nonprofits-playbook/
This is a free resource from Community IT. And this is our second revision that has been updated here in 2024 to incorporate some of the new changes that have occurred in the cybersecurity landscape.
In the report, we use this diagram to illustrate how we think about cybersecurity at Community IT.
We think about things rooted in policy, and so that’s why that forms the foundation of this diagram. We want to make good decisions informed by our organization’s policies to help guide technical decisions as we evaluate other products and tools.
Building on policy, we have this layer of security awareness. I’m the CTO, I love technology toys, all the new and shiny things, right? There’s lots of really cool products out there that are available, particularly in the cybersecurity world. But I think fundamentally, educating and engaging staff is the best investment that an organization can make in terms of protecting your data and your resources from hackers. Once we have a good policy foundation, we like to invest in our people first.
The blue boxes represent different areas of technical controls around protecting an organization’s identity, your data, the devices that staff use to access information, and your network perimeter, whether you still have an office with a firewall, or whether you’re now managing home office internet connections for your staff. And then finally, thinking about the web presence for your organization, right? All of those technical areas have associated controls.
The layer that we have on top is called compliance. We’ve revised this to reflect the fact that for most organizations, they may not have had to follow any specific formal compliance standard. But that is starting to change as we see more and more organizations being asked for their compliance against industry standard frameworks, such as CIS or NIST, as part of government funding or third-party funders saying, “you need to follow these standards to ensure that you’re protecting your organization’s data.” We as a funder need to know that we’re making a good investment that’s not going to be lost or stolen because of poor cybersecurity controls. So, as organizations work their way up, compliance ends up being an additional driver for adopting some of these controls.
Nonprofit Cybersecurity Maturity
We have this diagram of how we think about the controls and all the different pieces that an organization needs to have in place. There’s the dimension of how mature the organization is. You know, I think as we’ve talked about before, cybersecurity protection is really a journey and not a destination.
And it’s also reflective of this hierarchy. We want to make sure that organizations are investing in those foundational protections, the basic things that every organization needs to have in place before moving on in making investments in some of the higher level or more sophisticated tools that you may see in some different compliance frameworks.
In our Playbook, we talk about controls that should be implemented at the foundational level.
Once you’ve gone through that process, you know, maybe your organization is ready to move up to optimized. And then finally, once those pieces are in place, you will want to move up to that proactive level.
This is iterative, and we want to make sure we have a good foundation. We’re ordering things in the right way, so that we, for example, make sure that all of our organizational users have strong MFA enabled. That’s a good investment to make, as opposed to maybe investing in a network penetration test, which sounds really sophisticated. You know, sounds like it would get a lot of value. But in fact, if you haven’t done a lot of these underlying controls, the pen test is just going to provide you with the feedback that you should really invest in these other areas.
The Playbook Foundational Level of Cybersecurity
In our Playbook document, we provide recommendations for these different areas to help organizations on their cybersecurity journey.
Let’s take a look at some of those things that are in the foundational layer.
And I must admit, as a revision, there are quite a few additional controls in this foundational layer that weren’t there whenever we did this initial draft about four years ago. There are a range of IT policies that we expect and that many standard cybersecurity frameworks also expect to have in place, ranging from the basics of IT acceptable use. A lot of these things have been in here before.
AI Acceptable Use Policy
The new one that I would add in here is an AI acceptable use policy. Many organizations are thinking about or considering the use of AI in their work, and unless an organization has taken proactive steps to either prohibit or allow, it is very likely that your organizational staff are already using AI tools in the absence of any formal guidance or technology controls.
From a policy perspective, organizations do need to invest in that time to, as an organization, decide how are they going to adopt these AI tools. How are they going to make sure that their data is protected? How are they going to use this effectively? What are the guardrails that are going to be in place? And communicate that to staff so that staff know, “we are going to use AI, and here are the tools that are available for me that are official and sanctioned,” as opposed to, “oh, I’m just going to use Gemini or ChatGPT because it’s a great and helpful tool,” but maybe staff aren’t aware of the ramifications of putting data in those public systems.
Community IT also has, I think, a really helpful AI adoption policy template. That’s another resource available on our website that you can download to help get your organization started and have those conversations about how to adopt and implement AI tools effectively.
Security Awareness Training
On the security training, this is an area where there’s lots of free resources available. If you’re just getting started, there are lots of free tools that can help you get started. There’s a lot of resources on our website that give users an opportunity to learn more.
Making an expectation and working with staff on some of that basic education is a really good investment in protecting your organization from cyber criminals.
Security Control Tools
Moving on up from some of these policy and personnel initiatives, we’re talking about some of the technology controls.
So, we invest a lot here in identity. From our perspective, your organization’s digital identity is probably your most critical asset. We see a lot more issues related to compromised accounts than we do for viruses, for example. I’m not saying you necessarily pick one or the other, but I’m highlighting the fact that your digital identity needs to have the same level of protection as you would invest in your endpoint antivirus, for example.
Implementing tools such as MFA, and particularly now, not just the one-time passcode or the push authentication from Microsoft Authenticator, but so-called phish-resistant MFA. Because of some of those acronyms I referred to at the beginning of my presentation, that AITM or attacker in the middle, the bad guys have figured out a way that even though your account is protected with MFA, they can still intercept your session and then steal it and then access your account from somewhere else. So that is an unfortunate side effect of these MFA methods that we’ve all started to implement.
Microsoft and others have implemented the so-called phish-resistant MFA that ties your login to the specific device that you’re making that connection from. And so that can’t be stolen. It’s not portable. It can’t be moved to a different device. There could be things like passkeys, things like Windows Hello, things like FIDO security keys, physical keys that you plug into your computer that really validate that you are who you say you are and you’re coming from an approved device.
Making an investment in those MFA technologies is absolutely critical for organizations so they can protect their users and their organizations’ data.
Carolyn Woodard:
There’s a lot of other controls on this sheet that I think should be familiar to many of you and form that basis or that foundational set of IT controls. Those other controls are for identity, MFA and password manager. For data, you want to make sure you have backups. For devices, you want to have OS third-party updates, and you want to have antivirus installed and managed. For the perimeter, you want to have spam filtering. To prevent business email compromise, you want to make sure you have protections in place to identify, trigger, and investigate potential compromises. You want to have DMARC and DKIM, which Matt is going to explain a little bit more about. We also have a podcast that talks about DMARC and DKIM in depth, which is a way of verifying that your email is coming from the email server that it’s supposed to be coming from to other servers who are receiving your email. And then for your website, you want to make sure you have secure website platforms and that you secure your website domains. You don’t want a hacker to take over your dot org address. Making sure you have a reputable vendor, that you are securing your domain, and that you are using a secure platform in a secure way are important for your website.
Matt Eshleman:
There are a couple of acronyms under the perimeter area that I do think it’s worth talking through just a little bit more to help build some more understanding. As I mentioned, mostly the hacks that we see start with email and then are exploiting weak authentication or user login information. From our perspective, that means investing in good email protection, not just basic spam protection, but more sophisticated email tools that can identify and block that business email compromise or that spear phishing, that targeted message that’s really trying to get you to click on something is really worth doing.
The other things that are worth investing in are configuring and using DMARC and DKIM. These are two email technologies that provide some additional authentication and verification that messages are coming from who they say they’re coming from, and that really helps to protect organizations from having their email spoofed.
DMARC is now being enforced, and so that is a technology that Google and other big email providers are requiring more and more, and so you can get a DMARC administration account set up, and then you can say to all the email servers in the world, “we’re using Office 365, you should only get email from this Office 365 account, and if something else says it’s coming from our domain, but it’s not here, then that’s probably a scam,” and then the incoming mail servers will quarantine that.
Those are some new things that we’ve added into the foundational layer because it’s so important, because it makes such a big impact.
Compliance and Leadership
When we get to the compliance layer of this foundational IT controls, the big takeaway is that organizations need to invest in their own internal leadership and capacity to make decisions about cybersecurity for their own organizations. IT risk is not something that can be completely outsourced to a third-party provider.
We’re a managed service provider. We provide a range of cybersecurity solutions. We do a very good job at that, but we still rely on the organization and executive leadership to make decisions about that.
We can support internal leadership, but we’re not going to be able to take on all of that risk or make all the decisions around cybersecurity for an organization. That person in the organization doesn’t have to be in IT. They don’t have to even be very technical, but they do need to own that role of IT management.
The other thing that I would say is really important, even at the most basic level, is to have some sort of an IT roadmap that talks about where are we going as an organization? What are we going to prioritize? What are we going to invest in? And how does cybersecurity fit into that overall model?
At Community IT, we do some IT roadmapping. This is a very basic example of what that IT roadmap resource would look like. Here we can see it has all the tasks and the urgency laid out, but not necessarily a timeline. This is something that you can create as an action plan for your IT team that incorporates security, as this one does. And we have a number of webinars on our website that talk about this process, to build out this framework. There are several initiatives, security, networking, the back office, some policy decisions, the cloud, the specific recommendation, and then a couple of dimensions that talk about the relative urgency, complexity, and impact of a project.
So that can help in the decision-making process to say, “well, what are the things that we really, really need to do right away, because they’re very urgent, and what are the things that are high impact? They’re going to make a big difference in our security to help prioritize.” So this is one way to develop an IT roadmap to help give some organization and guidance for the IT initiatives that need to happen at your organization.
Having a formal checklist or timeline is a good way to get people on the same page and give you a sense of progress that you are accomplishing things, checking things off and moving your organization forward.
Conclusion: Cybersecurity Readiness for Accountants
As we wrap up, I think it’s good to just review some of the things that are happening with the new cybersecurity world that we are all living in. Through the use of AI tools, we’re seeing that phishing attacks are much more dangerous and much more effective because a lot of the things that we used to be able to rely on are being removed as barriers through these AI tools.
We still see that viruses themselves are relatively infrequent, but we do see social-engineering-style attacks, where people get pop-ups on their computers, warning them of a virus and including a phone number to call, or QR codes that invite people to click on them and then take them to a document to open. These sorts of tricky ways to get people to click on or open or install software to allow an attacker to access a computer are becoming more common. Because it’s a lot easier to just ask somebody to install software than it is to design a really sophisticated piece of software to do the same thing. If you can trick somebody into installing it for you, then that gets you most of the way there towards perpetrating some fraud or scam activity.
The attacks are also not just limited to our organization’s emails. One of the other things that we see quite often is smishing or SMS phishing where you’re getting text messages to your phones indicating that a package wasn’t delivered or maybe your taxes are overdue, just creating that sense of unease to get you to take action. Click on a link, call some number.
Being mindful of these new ways that attackers are trying to trick people into engaging with them is important to keep in mind as we look to design solutions to protect organizations.
Then the final piece here, I’ve talked about it in previous slides, is just that MFA isn’t 100 percent guarantee of safety anymore.
Moving from that text message-based MFA or the one-time passcode MFA to new phish-resistant MFA methods is a really important step that organizations should take, particularly for people in positions of authority, finance, IT, to make sure that we’re protecting their identities.
At Community IT, we have a range of cybersecurity services, ranging from free initial assessments and discussions. We have some free assessment tools that organizations can use to dip their toe in and get a sense of where they are and what areas they need to initially invest in. If an organization has done some of the basics, then we also offer more in-depth cybersecurity assessments using our organization’s best practices. And then also some more sophisticated, formalized vendor compliance framework assessments. We provide a range of services that are designed to help nonprofit organizations secure their staff, their organization, and their data. So, I’m happy to take some questions about the Cybersecurity Playbook.
Q&A
Jitasa University: Awesome. Thanks, Matt. There is a lot of great information in there. Appreciate you taking the time. Just a couple of questions came in.
Do you have any tips for getting some buy-in from stakeholders that shows that IT and these safeguards are important?
Matt Eshleman: I think in terms of generating buy-in, there are some resources from the FBI for identifying that this is a real risk that organizations face. I think for some folks, seeing the dollar amount can be a good way to have that discussion.
I think another good way is to tell stories. I think many of us have stories that we’ve heard of, or we’ve experienced with peer organizations. This organization had wire fraud; this organization had ransomware. I think making a connection between something that happened at an organization similar to your own can be a good way for leadership to see more clearly, “this could happen to someone like us.”
Jitasa University: Got it. Yeah, that makes sense. Then you mentioned compliance from funders.
Is there a new standard that organizations need to have, such as policies or safeguards now in order to receive that funding? And what does that look like now?
Matt Eshleman: So, I would say this is not universal, but this is something that we have started to see in the last 12 months, is that organizations are getting requests to comply with like a NIST 800 standard, or CIS, from the funder to say, we are using this formal compliance standard to judge the cybersecurity controls at the organizations that we are supporting, and you need to have this in place. So, there’s nothing new in terms of, there’s no new standard, but I think it’s just an increase in sophistication, and I think an increase in visibility for these funders to try to find a way to make sure that the organizations that they’re supporting have a good set of cybersecurity controls in place.
[ALSO: SAS 145 Auditing Guidelines for nonprofit auditors now require IT risk evaluation, so you may be getting new questions from your auditor about cybersecurity practices you have in place, such as staff awareness training.]
Jitasa University: Lastly, for the security for staff,
Is there a good frequency that you recommend that’s helpful but not too overly done where staff get burnt out? Is there a good frequency for that?
Matt Eshleman: At Community IT, we have a pretty well-defined cybersecurity training schedule. And what we like to do is have test phishing messages that go out on a monthly basis, randomly throughout the month, to keep people on their toes, give them an ability to report messages that they think are suspicious back to the IT team, or to us, as their outsourced provider. That helps build that conversation and relationship with IT, so users know that they can report stuff to IT, and IT will be responsive. We like that monthly cadence for fake phishing messages.
And then from a training perspective, I like to have initial training for users that are onboarded. One of the things that we see through that test phishing data is that new users are much, much more likely to click on phishing messages than staff that have been around for a while. You want to educate new staff in particular when they get onboarded.
And then we like to adopt a quarterly training cadence. Short, interactive, 5-10 minute videos, quizzes, fun little interactive games just to introduce new concepts and to make it something that’s infused into the organization culture as opposed to saying once a year, “we’re going to have this hour long training as part of a staff meeting.” People don’t pay attention, they fall asleep, and then they forget about it. More frequent, but less duration is something that we find really effective.
Jitasa University: Awesome. Those are all the questions that came up. I just want to say thank you for taking the time and for speaking with us today and hope to have you and Community IT on again in the future.
Matt Eshleman: Great. Thank you so much. I really appreciate it.