
Community IT Innovators Nonprofit Technology Topics
Community IT offers free webinars monthly to promote learning within our nonprofit technology community. Our podcast is appropriate for a varied level of technology expertise. Community IT is vendor-agnostic and our webinars cover a range of topics and discussions. Something on your mind you don’t see covered here? Contact us to suggest a topic! http://www.communityit.com
Cybersecurity Awareness Training Tips pt 1 with Matt Eshleman
Are your staff as ready as they can be for the next attack?
Our cybersecurity training team manages hundreds of clients and shares our knowledge on what works to keep your staff prepared, not just scared. Matt Eshleman, our CTO and cybersecurity expert, answers your questions on how to manage frequent, timely, and engaging training.
Part 1 covers the cybersecurity landscape and types of threats facing nonprofits, our framework for how to think about cybersecurity and where staff training fits in your strategy, and the basic philosophy of security awareness training. Pt 2 gets into the details and examples of a typical cybersecurity training program, and Matt answers audience Q&A.
Cybersecurity Awareness Training Tips
We often say that staff training is a foundation for cybersecurity protections. As the risks are always evolving, your training needs to be current too. Gone are the days when your staff could be adequately protected by watching an hour long video with a quiz once a year.
But managing more frequent training is difficult. We will discuss the tool we use, KnowBe4, which makes it easy to stay up to date and administer training to all staff. There are other training tools out there that work for nonprofit staff – the most important tip is to commit to training and to prioritize it as a team. Your staff and leadership are your best defense of the organization you care about.
In addition, with the new SAS145 auditing requirements, your auditor must assess IT risks to your financial processes – and it will be necessary to demonstrate staff cybersecurity training in your audits.
Learn about these issues and more with our experts! If you’ve been putting off implementing a comprehensive cybersecurity awareness training regime, don’t wait any longer.
Join CTO Matthew Eshleman and host Carolyn Woodard to learn how to implement an up-to-date and flexible cybersecurity awareness training program this year.
As with all our webinars, this presentation is appropriate for an audience of varied IT experience.
Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community. There are multiple cybersecurity awareness training vendors with products that work for nonprofits. We will be discussing the tool we have selected and use, KnowBe4, which offers nonprofit discounts, but our insights and tips will be useful no matter what training program you are using, or if you want to create and run cybersecurity awareness training in house.
Many questions asked at registration or live at the virtual event will be answered in the transcript. Check back after the webinar for additional resources.
_______________________________
Start a conversation :)
- Register to attend a webinar in real time, and find all past transcripts at https://communityit.com/webinars/
- email Carolyn at cwoodard@communityit.com
- on LinkedIn
Thanks for listening.
Carolyn Woodard: Welcome to the Community IT Innovators Technology Topics Podcast. I'm your host, Carolyn Woodard, and today we're going to have part one of a two-part series from our recent webinar on cybersecurity awareness training tips.
You will hear about the cybersecurity landscape and why these attacks are very dangerous and costly for the nonprofit sector. You'll hear a little bit more about our cybersecurity framework and how staff training fits into that strategic planning and implementation. And we'll go over some of the basics of training programs.
Welcome, everyone, to the Community IT Innovators webinar on cybersecurity awareness training tips.
Do you know how to keep your staff trained in identifying phishing emails?
Do your staff know what to do when they see something suspicious?
Did you know that many insurance policies and nonprofit auditors are asking for proof of staff training in cybersecurity?
Today, we have two experts in managing cybersecurity training who are going to give us tips to keep your program current, engaging and up to standards. Correction, we had two experts. My name is Carolyn Woodard. I'm the Outreach Director for Community IT. I'll be the moderator today. And unfortunately, Ana Zambrano was feeling under the weather, so I'm also going to be stepping in for her with her notes.
But I'm very happy to hear from our resident cybersecurity expert. So Matt, would you like to introduce yourself?
Matt Eshleman: Great. Thanks. It's great to be with you all here today to talk about security awareness training, which I think is an absolutely critical part of any effective cybersecurity program.
My name is Matt Eshleman, and I just celebrated my 23rd anniversary at Community IT. I spent 23 years full-time and have a little bit of extra time before that as an intern. I've done a lot of different things in my time here at Community IT and spend a lot of time now focusing on cybersecurity and strategy and just helping to protect organizations against the myriad of threats that exist out there against nonprofit organizations.
Carolyn Woodard: I'm going to talk about our learning objectives. We're going to go over the cybersecurity landscape, why it's important to pay attention to cybersecurity training and protecting your nonprofit. We're going to give a little overview of our cybersecurity framework, talk about the importance of the training, and then give a little example of training and practice.
Before we begin, if you're not familiar with Community IT, a little bit about us. We are a 100% employee-owned managed services provider. We provide outsourced IT support. We work exclusively with nonprofit organizations, and we help nonprofits accomplish their missions through the effective use of technology. We serve nonprofits across the United States. We've been doing this for over 20 years, and we are technology experts and are consistently given the MSP 501 recognition for being a top MSP, which is an honor we received again in 2024.
I want to remind everyone that for these presentations, Community IT is vendor agnostic. We only make recommendations to our clients and only based on their specific business needs. We never try to get a client into a product because we get an incentive or benefit from that. We do consider ourselves a best of breed IT provider. It's our job to know the landscape, what tools are available, reputable, and widely used, and we make recommendations on that basis for our clients based on their business needs, priorities, and budget.
Today, we're going to be talking about a specific training tool that we use with our clients and that we use ourselves called KnowBe4. There are a lot of training tools out there. We've selected this one because we think it is the best available. And we're going to talk a little bit about the features that weighed into our thinking on that.
Today is not a KnowBe4 demo. You can find that on their site, if you're interested in it. Today, we're going to be talking about the ways this tool fits into an overall strategy that places training your people at a foundational level in your cybersecurity strategy and planning.
A little bit more about us. Our mission is to create value for the nonprofit sector through well-managed IT. We also identify four key values as employee owners that define our company: trust, knowledge, service, and balance. We seek to always treat people with respect and fairness, to empower our staff, clients, and sector to understand and use technology effectively, to be helpful with our talents, and we recognize that the health of our communities is vital to our well-being and that work is only a part of our lives.
One thing that can really throw you out of balance is feeling the stress of experiencing a cybersecurity incident. We know from experience with our clients that even if you do avoid the worst circumstances, just having a close call can be incredibly stressful to all of your staff. So, we're going to launch a quick poll, which is what kind of cybersecurity incident did you have in the past year? And this is multiple choice.
· You can choose none.
· Phishing, which is an email trying to get something from you.
· Smishing, which is a spam text trying to get something from you, get you to do something.
· A malicious browser pop-up.
· Attempted gift card fraud.
· Ransomware.
· Attempted wire fraud where the money was not sent. You found it in time and were able to not send money.
· A successful wire fraud attack where you did, in fact, wire the money to the hacker's account.
· Compromised account, which means the credentials were either suspected or confirmed to have been hacked. So, someone got access to one of your accounts for one of your subscriptions, or your email was able to send emails either from you or from within your organization.
· Something else, which if you had something else happen, go ahead and put it in the chat if you are comfortable doing that.
· Not applicable. So, if you're joining us, maybe not from a nonprofit or don't really know if something happened, maybe you're brand new at your nonprofit, you can go ahead and choose not applicable.
I'm going to end the poll and share the results. And Matt, can you see that?
Matt Eshleman: Yes. Thanks to everyone who responded. Always curious. We kind of know what the metrics are for our clients. They're always curious to see what the broader experience is.
So about 20 percent of folks said none, none at all, which I do think I would be suspicious of, given that everybody gets spam messages and I would say most organizations have staff that are getting those weird or strange text messages to their personal phones.
The majority of folks did say, yes, they had experienced phishing.
Almost half of the respondents said that they had received those spam texts. And I'll say we're seeing that; it probably started about a year and a half, maybe two years ago, but that is a really common way to create engagement. And then the hackers go on from there.
Malicious browser pop-ups, a few people have reported. About a third of the participants have said that they have been on the receiving end of maybe some attempted gift card fraud.
No ransomware, which is great to see, and again, aligns with what we see across our clients that we support. Ransomware seems to be something that targets larger organizations with a lot more of that server infrastructure.
21% reported attempted wire fraud that was caught in time, so that's great. We see that as a big risk to organizations.
About 17% have said they experienced confirmed account compromise, which again is something that we see, unfortunately, with a lot of regularity, even as more and more accounts are protected with MFA.
Thanks for sharing and participating as we just learn more about each other.
Carolyn Woodard: Yeah, that is great. Thank you, everyone, for coming out. We did have somebody that mentioned in the chat that emails were sent to their staff about verifying Zelle information, but luckily, they don't use Zelle, so they were able to identify those pretty quickly. But yeah, I think those types of phishing, they're just hoping that they're going to choose some tool that you do use, and then you'll think, oh, I need to verify that.
And we have a quick question, Matt.
What is your opinion on an executive telling IT to allow local admin rights for a staff member to take a bar exam on an organization-owned laptop?
Matt Eshleman: I think the standard practice would be staff should just have standard permissions and not need to take that additional step. I think usually whenever we have cases where there's some sort of testing software or proctoring software, there end up being a lot of extra special cases that need to happen. We understand there might be some special one-off cases, if it's possible to install that software and then remove the admin permissions, that would be preferable. But again, just be flexible and be able to manage and report it. It's not a long-term solution.
Carolyn Woodard: Yeah, I would guess it would be case by case. I also think that hopefully is something that's in your acceptable use policies. So, if it's they're taking the bar exam because you are a legal organization and that's part of their job, then that might be covered by your policies.
But if it's not, then, or if it's some other testing that really doesn't have anything to do with their job, but they just want to use their company owned laptop, then that might be something to just make sure to look at your policies about. But I agree that if you do give them that kind of admin, you'd want to make sure to take it away from them before things got out of control.
So Matt, I think you are going to talk a little bit more about why this is so important.
Matt Eshleman: Yeah. With all these cybersecurity presentations, I think it's helpful to understand just the operating environment that we all find ourselves in.
I think the big takeaway (from this slide) is that the amount of cyber-crime and cyber threats that are facing all sorts of organizations, nonprofits included, is really going up over time. As much as we'd like to say we've reached the peak, we're going to see a receding of cyberattacks and this malicious activity, that is just not the case.
I think now, especially with how prevalent AI type solutions are, that just gives the hackers even more tools to have well-crafted e-mails, perhaps generate more malicious code that's more effective. So, it is kind of a dangerous world that we're operating in, and the FBI stats certainly support that in terms of just the amount of crime types that are being reported. Maybe some moderation from back in 2022 or 2021, but still just a staggering number of direct losses, right?
The FBI numbers here that you can see in that chart on the bottom left-hand side show $37.4 billion lost to cybercrime, and that impacts every type of organization and individual. So again, it's a serious crime, a serious impact across all sectors of our economy.
Maybe the one good spot is that the actual ransomware amount paid is going down. This chart now has some 2024 data from a vendor called Chainalysis. They do a bunch of blockchain analysis and related services, but they were tracking ransomware payments, and that amount has fallen, and fallen significantly, now to its second-lowest level in the last five years.
Ransomware is something that makes the news, gets a lot of mind space, but is generally targeting organizations that have a lot more physical server infrastructure. For many of the organizations that we work with, that under-200-seat class, most of that infrastructure is in the cloud, software-as-a-service applications. There aren't really servers to infiltrate or firewalls to attack. The attack surface has changed quite a bit.
And we have not seen it yet (asterisk) in terms of ransomware attacking Google Workspace or SharePoint. It's not to say it's not going to come, but I think we have other threats that we're concerned about. Mostly they're going to be targeting your users through email. So hence all the focus on security awareness training.
Maybe just a little bit of a preview for some data to come at our April webinar on our Incident Reports. At Community IT, we support about 200 nonprofit organizations. We have a fantastic help desk. We categorize all the incidents that are reported to us. This represents the last several years of that data. Again, reiterating that the amount of spam that our clients are reporting, the amount of spear phishing and phishing messages that are reporting, the number of account compromises continues to go up year over year.
And unfortunately, we're not seeing that recede yet. And it's a call that we need to continue to escalate the protections that we have in place, the education that we provide to our staff, and the tools that we have in place to protect our organization from the never-ending barrage of cyberattacks.
And then in terms of how we look at or think about cyber security and talk about it with organizations and leadership is through this graphic.
I put this together because I wanted to highlight the fact that while the technology tools really get a lot of the marketing dollars, and it's really fun to look at all of that stuff, while it's not as exciting, it's much more important to start with a good foundation of security policy. Set the ground rules so that your organization has a common understanding about what is acceptable, what's not. Answer those questions, for example can I use my personal phone? Can I use my personal computer to access work resources? Maybe that question we had earlier, “hey, I want to take an exam using my work computer. Is that allowed? Is it not?”
So just having that policy foundation is really important.
There's lots of great templates that are out there. We do find that the templates tend to be geared towards large and complex organizations. So, they do require some tailoring to make sure that they're relevant for the small to mid-size nonprofit. And what I mean by that would be that 20-to-100-person organization.
Right on top of security policy is really that security awareness. I'm the CTO. I've been the CTO for a long time. I love all the tech stuff. It's fantastic. But if I had to make choices in terms of where I was investing my IT spend, it would be investing in training for users. Technology tools can fail. You can have all these different solutions in place. Having an engaged program with your staff, where there's a trusted relationship with IT is really important. And I think training provides a tremendous return on investment for those limited IT dollars that I know many of us have.
Once you have a good policy foundation, you have a good security awareness training program in place, then you'll probably start to receive more benefit from some of the specific technical solutions to protect your digital identity, to make sure your data is backed up, protect your devices with patching and antivirus. Build that network perimeter. Again, if it's maybe your home is now the network perimeter, or maybe if you're making a transition back into the office, and you need to make some updates from technology that hasn't been updated since 2020, that's important.
And then the web, right? And I'll maybe say a little bit more about this just because we are seeing in today's contentious political environment that staff and organizations are being targeted simply because of where they work and who they are. The bigger digital footprint that you have, that's visible on your site, the easier for those malicious actors to find out more about you and the organization, who works there, and really target them. We are seeing organizations be much more intentional and focused on what information they are putting up on their website to make publicly available, communicate the mission of the organization, that kind of thing. Maybe pull some of that staff information down just to reduce their overall attack surface and try to help protect some of the digital identity for their staff.
And then finally, the compliance layer on top. We see organizations investing in this whenever they're oftentimes getting funding requirements that say, you need to be NIST compliant or CIS v8, you need to maintain controls that are in line with that. So that's probably the last thing that you do. But if you're doing all the things under there, you're well on your way to meeting that compliance requirement.
Carolyn Woodard: And I like how compliance wraps back around to the policies. So, you can have all of the policies in your acceptable use manual or in your employee manual. But if nobody's checking, then do you even really have the policies? If nobody reads them and nobody's doing them? For example, you might have staff who have left, and it may be part of your offboarding policy that you need to disable their accounts. But if no one's checking that those accounts did get disabled, then you still have this pretty big risk. Hopefully they didn't leave in a huff, but in any case, you don't want to have somebody who doesn't work for your organization who still has access to those accounts.
So that compliance piece wraps back around with leadership to your policies and making sure that those policies are being carried out.
We have a quick question in chat, Matt. How effective are VPNs for remote workers? Are we still saying that people should use a VPN? If your tools are in the cloud, what do we recommend?
Matt Eshleman: I mean, the VPN conversation is interesting because there's lots of VPN services that pitch it as hey, it's secure and you're going to make your access protected.
I would say in general, if you have an office and you have staff who are largely working out of their homes, a VPN is not necessarily required. Because, as Carolyn said, mostly we're just accessing cloud resources.
VPNs can be helpful whenever maybe you have staff who are traveling internationally and you need to provide some consistency. If you are often working from untrusted or kind of unreliable internet cafes, that kind of thing, that could be a reason where you may want to have a VPN.
But I would take it a step further and say, if you are going to have a VPN solution, it is really important to invest in something that's business grade or business class.
Because one of the challenges that we have faced in supporting organizations that have users that are using VPNs is that it makes security monitoring very complicated and adds in a lot of overhead. Because people are using personal, not business-class, solutions. They might be in Virginia, but they turn their VPN on. And all of a sudden, it looks like they're in Colorado. Then that sets off all kinds of alarms. And then, we have to track back and say, well, is this trusted? Is this approved? Is this the right location?
And so, if you are going to use a VPN, it makes sense to look at something where you can say, here's our corporate VPN solution. We're going to make some approved IPs and say, hey, we're going to allow traffic to come through our corporate VPN network.
And it's actually a way to use and manage access to applications so that, if you're an organization that maybe has heightened security requirements, you can say, well, we really want to vet all the traffic. We don't want just anybody in the world able to try to log into our Office 365 environment, our Google Workspace environment. We want to funnel that all through a trusted VPN solution that we can verify the user, maybe even verify the device that they're coming from. And then after that happens, then we'll let them connect.
So, in general, you don't need a VPN. If you have some specific heightened security requirements, then that's something to look into, and look into a business class or enterprise grade system, where you can provide a lot more controls and specificity around who's connecting, how they're connecting, and build that into the program.
Carolyn Woodard: I will say we did a podcast a couple months ago about cloud services and how almost everything that you would have had on a physical server that you really would need to VPN into, that's physically in your office while you're working from home, almost all of those services are now available in the cloud. So that might also be a case where somebody needs to get into an accounts database or something like that. But if you aren't in the cloud, it might be something to think about doing, because then you can have all of that cloud security on it and not have to do the VPN.
All right. Thank you so much, Matt, for going over those issues. We have another poll for the participants. We have two questions in the same poll.
The first question is, how do you train staff?
And you'll find the first five answers are,
· We have no plan, no formal training.
· We do ad hoc training.
· We have a free tool for our HR system or something related to that, like a backend office system.
· We have a managed training campaign through a vendor.
· Something else, something other.
So please choose one of those.
And then for the second column, we have a second question, which is, how often do you do training?
· Never. It's fine. There's no shame. We're not judging you.
· You have an ad hoc schedule, so do training when something happens and you are made aware of it.
· Annual training, that used to be the gold standard, right? You had to do the video once a year and answer the quiz.
· Quarterly training.
· Something other.
So Matt, can you see that?
Matt Eshleman: Yes, I can. All right. It's good everybody's here today.
So about 30% of folks don't have any plan or no formal training in place. And another 30% are just doing ad hoc training. So hopefully you'll get something to take away. A small number are doing a free tool through HR, and then about another 30% of folks are doing a managed campaign through a vendor. So, an even distribution there between none, ad hoc, and then managed training.
And then of the folks who are doing training, it looks like the most common response is quarterly. About a little over a third of folks are doing it quarterly. And maybe I'm curious if that other training schedule, the 15%, is weekly, daily, monthly?
Carolyn Woodard: I'm very happy to see nobody said never, that that's their training cadence. Thank you so much again for joining and for sharing that information with us.
Okay, we are going to go ahead and move on to talking about security awareness training. At Community IT, we recommend as part of a minimum standard that in general, you want to have a deliberate and well-communicated plan that has executive buy-in. It's always a lot better for staff and executives when there's an executive leading the charge and also doing the trainings.
Our goal for a security awareness training program is to effectively communicate information, build that relationship between the staff and the IT team, and improve the language and how we talk about cybersecurity threats and how we incorporate everyone in being aware and seeing themselves as being able to protect the organization. Training is intended to be positive and educational and not punitive.
KnowBe4 is the tool that we use. It provides a full range of resources that are available to users.
Matt Eshleman: We really want to make sure, particularly, that new staff are included in training, basically as part of their onboarding, because what we see from the other side of the Security Awareness Training program that we have is basically a test phishing campaign to see who's clicking, what are they clicking on, what are the trends there? And it is very clear that new staff are much, much more likely to click on these phishing messages than staff who've been at the organization for a while, who know their culture and who have received training previously.
New staff are the ones that are targeted by these malicious actors. Gift card fraud is particularly focused on them, because they don't know maybe the organization norms yet. They want to fit in. They don't want to push back. Whenever we do have cases where there's a gift card fraud, it is often a newer staff person or a more junior person who maybe doesn't want to push back on their executive or their director asking them to buy a gift card.
We want to make sure that new staff have training as part of their onboarding. It's just built into the plan.
And then for all the other staff, then we take an approach of doing quarterly trainings. That comes out through our platform automatically. Typically, those trainings, that new staff orientation, right, is about 15 to 20 minutes of content, with quizzes and videos and interactive elements there.
And then whenever we move to the quarterly trainings, those end up being a little bit shorter and typically more focused on a specific topic. For example, learning about smishing, learning about link construction and how the phishing messages are actually put together. Good practices for working from home, right? The quarterly trainings tend to be focused more on a specific topic.
And quarterly trainings can become more tailored to the season. I know often towards the end of the year we typically provide some more training around shipping and gift cards and all the fraud that seems to ramp up at the end of the year whenever people are waiting for a package. The fraudsters will use those messages to basically get people to click. And I've had those conversations. They say, “oh, I thought that was real. I was waiting for a FedEx email. And one showed up in my inbox. And so, I clicked on it.”
So, well, we can say that was a test phishing message. And so, here's what to look for. For the folks that do click, we implement something through the KnowBe4 platform. That's point-in-time training, right? So you click on something and immediately you get the window with the message that you clicked on and the things highlighted that you should have been paying attention to. I think that's pretty effective to kind of get that reinforcement, maybe that slap on the wrist right when it occurs. We call that point-in-time training.
And then for some organizations, we are ramping up and doing monthly trainings just to build that relationship, build the rhythm. We see through our data that having content that is more frequent but shorter in duration leads to better engagement and better results overall.
For those folks, for the organizations, and if you're in IT, you probably can already think of, oh, that person, the one that's always clicking on stuff, or they always need extra support, and that's probably true in cybersecurity as well. For folks that really do need that extra support training, the KnowBe4 platform allows us to build some custom training plans that say, oh, somebody's clicked on three messages in the last six, here's some extra training for those folks to do.
You can build these dynamic campaigns so that, hey, if you're being attentive, following the trainings, not following through all the fake phishing messages, hey, you just do the basics. But, if you're in a category where you're having lots of trouble identifying those phishing messages, then maybe you need some additional support or education. So, through these training programs, and I'm sure others can do it as well, but basically you can build some special campaigns for those staff that need more support.
The final piece on here is a specific KnowBe4 tool. They call it Phish Alert. You can basically report messages or instruct your staff to report messages that they think are suspicious. If it comes from KnowBe4, if it's one of those fake messages, they get a little green checkbox that says, hey, good job, you identified the right message.
If the suspicious message didn't come from KnowBe4, it'll get removed out of their inbox and submitted to an email address that you define. I think we like that because it helps us communicate with staff, build that relationship, and show them that, hey, IT will be there to review and vet those messages that are being reported. And also helps us look for trends again.
Is this message, one person reported it? This is really suspicious. Did anybody else get it but maybe didn't report it? The Phish Alert tool gives us some insight in terms of what types of messages are being targeted at our staff.
Carolyn Woodard: Can I tell my funny new staff story? I was a contractor with Community IT for years before I came on as a staff member, and Matt, my first day with an official account, I got an email from HR at Community IT. And I'd never seen that email before, but I said, “yay, I'm official now,” and I clicked on it. And no, that email does not exist at Community IT. It was from KnowBe4. So, it was a good illustration of how you can think that you're pretty savvy, but new staff, all the time, you're trying to do the right thing, and you've got a ton of new emails coming at you. It's definitely great that KnowBe4 has built in to give those tests right away the first couple of days. I definitely fell for it.