Community IT Innovators Nonprofit Technology Topics

Nonprofit Data Retention Policy and Cybersecurity Basics with Ian Gottesman

Community IT Innovators Season 6 Episode 14

Ian Gottesman is CEO of a coalition of 200+ NGOs and 20 major IT companies working together to improve cybersecurity for the nonprofit sector (NGO ISAC). He has decades of experience in executive roles in nonprofit cybersecurity in a variety of organizations.

In these challenging times for the nonprofit sector generally, many nonprofits are taking a harder look at their cybersecurity policies to better protect their organization and staff. Community IT recommends getting to a foundational level of basic cybersecurity, and you can download our free Cybersecurity Readiness for Nonprofits Playbook to learn what that means and how to put those basics in place. 

Three cybersecurity basics to think about: manage your identity, patch your hardware and software, and look out for phishing – train your staff. You will get 80% protection from just doing those three low cost things – why would you want to get 0%?

When your cybersecurity basics are in place, Ian recommends strengthening your nonprofit data retention policy and compliance as your first next step. Again, this is low cost in terms of your budget, but will have costs to your organization in terms of staff time and energy. So let this challenging moment motivate your team to take on a sorting-and-retaining-or-deleting project.

Some Key Takeaways:

  • Cybersecurity Basics are not difficult and protect you from 80% of hacks.
    • Manage your identity. Accounts must be protected, and your staff should be verifying that the person logging in is who is supposed to be logging in.
    • Patch your hardware and software. The easiest way to do this is to reboot – log out, restart, and log back in periodically. Your IT provider or internal IT staff should be patching as part of your cybersecurity strategy.
    • Look out for phishing – train your staff. More than 90% of attacks start out by tricking a user into clicking a link. For more information on anti-phishing training, check out this webinar on Cybersecurity Awareness Training Tips.
  • Cybercrimes are crimes.
    • Don’t feel that you were responsible for your own victimization. Clicking on links happens. Huge companies fall for scams. Encourage a culture of openness and sharing around cybersecurity best practices and incident response planning.
    • Make sure your nonprofit culture embraces a team approach to cybersecurity, and that everyone on your staff knows to tell someone when they see something suspicious or make a mistake, and who to tell.
    • Holding cybercriminals accountable in every country should be a bigger goal for our governments and our laws.
  • Nonprofit Data Retention Policy is a valuable project now.
    • Remind your staff not to put in writing, in any device or app, something they would not want to be public about your organization.
    • Creating and monitoring compliance with a nonprofit data retention policy does not require expensive tools, but it does require the time and energy of your staff. Avoiding unnecessary reputational risks is worth it.
    • Make sure your nonprofit data retention policy covers emails and messaging in addition to documents and files.


Carolyn Woodard: Welcome to the Community IT Innovators Technology Topics Podcast. I’m your host, Carolyn Woodard, and today I’m talking with Ian Gottesman, the CEO of NGO ISAC. Thank you so much for being willing to do this with me.

So, do you want to introduce yourself and what you do?

Ian Gottesman: Sure. My name is Ian Gottesman. I’m the CEO of the NGO ISAC.

The NGO ISAC is a non-governmental organization information sharing and analysis center. We are a community of nonprofits that help each other with cybersecurity, and we have a very broad definition of what cybersecurity is. We’re mostly U.S.-based nonprofits. We use your EIN and your 990 to help verify what you do.

ISACs started about 25 years ago in the financial sector. Bill Clinton started it as an executive order, and then it was adopted into law. And basically, it’s usually within an industry – vertical or regional, and it’s mostly an industry-based sharing and analysis center. You provide information to each other about things that are happening in your organization or your sector that helps protect other people in the sector.

In our organization, we might share email addresses or IPs or whatever that are threatening, or we might ask some of our vendor partners, and we’re about 300 nonprofit members and about 40 vendor partners, questions about this tool or that thing we’re seeing to be better secured.

Carolyn Woodard: Several years ago, there was the Kaseya issue where it was a vendor who had been breached, and then all of their clients had issues. And I think there have been a couple other like that. So, you would communicate that with each other, “watch out, this thing is happening.”

Ian Gottesman: Yeah, or a more recent example was with the CrowdStrike thing where everybody’s CrowdStrike crashed, and what did you do to do it? So CrowdStrike is pretty expensive, so not an enormously popular option for nonprofits anymore. They used to give it away free, but those days are long gone. But for those of us that did have CrowdStrike in our community, there was a lot of, “How did you get this to work? What did you do?” Because people were struggling to even get support on the line with CrowdStrike, because so many people were having the problem. Nonprofits were not paying for the highest level of support typically.

There were a lot of very specific instructions, like “have them restart their computer 10 times. And on the 11th time, if it doesn’t work, do this.” Or disconnect the computer from the internet and then restart it, things like that, which were kind of manageable if you had a person at a desk that could do it. 

The reason the CrowdStrike thing was so bad in some cases was there were things like signs in kiosks and airports, where there was no one there to restart it 10 times. And then because it was disconnected from the internet, remotely managing those things got really, really hard.


Cybersecurity Advice for These Times

Carolyn Woodard: I would love if you want to talk about some of the basics. We’ve been having some conversations at Community IT. We’ve had some clients contact us about what cybersecurity do they need to beef up in this day and age, given the changes in the last month, two months in the environment. Do you have any advice?

Ian Gottesman: I would do the basics, and it’s not as basic as one, two, three. But it is a lot easier than the work that a lot of nonprofits do.


Record Retention Policies and Philosophies

And record retention.

That is not particularly hard. It doesn’t make you popular as an IT person, but it’s not particularly hard at a technical level or even a policy level. It’s hard to communicate and roll out because people love email. I cannot emphasize how much people love email. Just let your email system crash and see how quickly you have a new job after you’re an IT person. 

So, record retention. That keeps coming up because we’ve all worked in the last, say, five or ten years in an environment where cybersecurity has become increasingly more important for our job, and as nonprofits we expected our good reputation and our good deeds to protect us. And that’s not true. Criminals will just commit crimes, whether it’s vandalizing our website or breaking into our e-mails and reading what we’re doing and then doing embarrassing things with it or whatever.

But what is unique about this environment, at least at the federal level, is that now we have more concern about nonprofits being subpoenaed and attacked and things. And there’s a lot of embarrassing things in our e-mail, in our messages, in our file server. They’re just stored and really serve no tactical or useful purpose. They have a cost to them as well. 


A Record Retention Policy Should Cover… 


Deletion

And so just delete the data, right? Come up with a process, a record retention policy process that deletes e-mails at a given time, whether it’s two weeks, which somebody was mentioning to me that they were able to do in some organizations, or two years. 


Who Is Responsible for Storage? 

And just have a regular cycle and then have a person who’s responsible to store those e-mails. It could be an individual person. If you work in a large organization, you may have a librarian or an archivist. It can be their job. You just give them all the things you have to store. 


What Are You Storing? 

And you, your operations staff, your general counsel should be able to identify things you want to store. Some of them are very obvious, like tax returns, donation records, incorporation records, corporation records, when people are coming in, going on your board, things like that.


Where Are You Storing It?

Store those things. Find a person to store them, whether it’s an archivist, which some places I worked have had. I worked at a university where they had that, so you just shipped everything off to the archives.

Or the responsible person is the person who creates it. The CFO creates your tax records, right? And they’re storing those. 


How Are They Stored?

When you’re storing the records and they need to be accessible and in an index, that doesn’t mean they have to be stored electronically. It could be in a paper file and alphabetical. That’s accessible in an index.

One thing that paper has going for it is it literally defines history, right? When you’re talking about prehistoric times, you’re talking about before things are written. Things are written on paper and we can store them for literally thousands of years. You can go to the Library of Congress or somewhere. If you want to store things on paper, it’s a little old school, but that’s certainly an option and it’s totally acceptable. And you may have things on paper that you’ll just keep there. You don’t need to digitize.

So that’s something I would definitely… That would be a place I would put my energy, and we see our members putting their energy.


What Are You Required To Store? For How Long? 

And I would think about what’s important to store. And again, your operations and other people can tell you that who’s going to store it and for how long. How long is usually defined by law. There’s a minimum. You can run an audit for up to seven years, so keep your tax records for seven years. 

The who’s storing it and the why is maybe defined by your internal organizations. Who is probably keeping employment records in HR, not too complicated, or financial records in your finance office or CFOs or OASs. I think that’s really a key thing. 


What Is the Process? Who Are the Stakeholders?

And when you are going to be deleting people’s e-mails, you need to have a lot of people involved in the process. Because, as an IT person, you’re going to get run out on a rail to do that.

Carolyn Woodard: So, you need a lot of stakeholders involved. 


Your Policy Must Cover Email and Messaging

That is interesting because I had not been thinking about e-mail, but there’s several stories just in recent history of very embarrassing e-mails that got out, from the Sony hack or from other hacks like that. 

And it seems like if your non-profit is having some kind of adversarial situation, your adversaries only need to find one jokey off-key e-mail, and they will run that out on social media and just pillory you with it.

So that does maybe add a little impetus to getting people to let go of those e-mails, because everybody loves to have their e-mail.

Ian Gottesman: And the same thing with messaging. And messaging may in some ways be a little worse because it’s more flippant and faster. But the same policy and procedure.

The good thing about messaging is you’re not going to write a long policy and announce it in your Teams or your Slack very often. You’ll do that in e-mail. But you still probably want the same record retention rule to apply. And what determines the retention of a document isn’t where it’s written or who it’s written to; it’s the content of the document that determines how long it’s stored for.

And in some rare cases, who writes it? Who writes it doesn’t really typically apply to nonprofits. But if you have somebody on your board or someone in your organization that’s a public official and working in their public capacity, typically everything they write is an open record and required to be stored.

It’s not that unusual for a nonprofit to have a politician on the board. And some nonprofits that are full of politicians, like a consortium of state governors that do something, they literally don’t take notes, they don’t have records of their meetings other than who attended, and the agenda of the topics, and who said what, they just note what the vote results were. To avoid exposure, nothing’s in writing.


AI Acceptable Use Policy and Note Taking/Record Retention/Consent

Carolyn Woodard: That means also you want to look at your AI acceptable use policies. If you’re using AI to take the notes on that meeting, and you have a policy to not keep those notes, then you’d want to make sure that everyone is aware. 


What Would Come Out in a Subpoena?

It sounds like also you’re saying that you might want to go back over with your staff, and this is kind of old school, about being professional. What you communicate with your colleagues should be something that you would be okay with being public.

Ian Gottesman: I think when I first learned this step, they would say, you don’t want it to be on the front cover in the New York Times. Not too many people below 45 or 50 read the New York Times. Conversely, you wouldn’t want someone to tweet it out with hundreds of millions of followers this embarrassing, silly or stupid thing you said.

There’s tons and tons of examples of people just saying the most ludicrous and insane things in email or in text messages or in Teams or Slack, but then it gets out. I mean, the Sony hack you talked about, and all of this stuff with Blake Lively and Justin Baldoni, all the crazy things they were saying about each other and hiring people to do. The reason we know that they did that is because they put it in text messages which were then subpoenaed.

And I think that another thing when you’re thinking about record retention that’s important is it’s not enough to be worried about the sort of the lawfare thing of oh no, you’ve been subpoenaed by a congressional committee or a law firm or whatever. It could be someone nefarious breaking into your email or breaking into your messaging system and releasing the same thing.

Or, and this is what’s happened more commonly to me in my career in IT, is you have somebody on your board or a senior staff member who’s involved in a lawsuit about something totally unrelated to your organization’s day-to-day work, but then they’re getting all of their emails subpoenaed. And you have to provide it all. And if there’s something embarrassing in there, it could come out, and it shouldn’t, but it still could. Or you may have to have a general counsel or legal counsel go through and review all the email, which is expensive and time consuming, to decide what’s pertinent and what’s not pertinent. 

There’s just a really high cost of storing information that’s, quote unquote, free because Google or Microsoft or whoever your email provider is gives you unlimited space to have instant messages or Slack or whatever, and to have email stored everywhere. 

There’s just a cost to that, in terms of risk, that you don’t really consider.

And the risk can be reputational, the risk can be contractual, the risk can be a lot of things. But you want to think that through now. 

And that’s a really good way by getting rid of old useless communication, e-mail files, text messages, old stuff in your file server. That’s a really good way to reduce your risk surface. Whether you’re talking about cybersecurity, lawfare, whatever, that’s a risk that you can control yourself and manage yourself. Because if something embarrassing comes out, that someone in your organization actually said, that’s something you could have avoided.


Cloud Based File Storage Considerations

Carolyn Woodard: We did a podcast a few months ago on needing to organize those files that are in the cloud, even though they seem like they’re quote unquote free, to just keep all of them forever in kind of flat files usually. And do you really need those photos from the gala in 2011, that maybe your old board members were at? And this just feels like it gives you an extra reason to go through and just either have a blanket policy, if it’s before a certain time, certain year, you’re just getting rid of all of it, because really, who has been back in there to look at those photos in all that time?

Ian Gottesman: Yeah. One of the things I did when I was at a previous job during the pandemic was, we moved everything from an on-prem file server to the cloud, which was a good move. 

And we went through an exercise with each individual program that had a file share. And we asked them, if this hasn’t been open or modified in two years, are you okay deleting it? And we’re not deleting it but not moving it to the cloud. And if you do need it, let us know we can move it. Or if you find out you need it over the next whatever, we have it stored. We’ve stored them off, created an offline backup. We can pull it off. So, we did that. 

And our research programs, our actual programs that did work, I think 14 out of 15 were fine with that. The operation programs that did fundraising, finance for taxes, HR, they all wanted to keep theirs because they were legally required to, and it was harder for them to sort through.

But I think that that sort of exercise does it. 

And now with more modern file storage systems like SharePoint and Google and others, you can tag and organize things such that it can be deleted too, just like an email. I’ve never done that, so I don’t know, but I’m sure there’s people that are much smarter than me that can do that. And then those files that are just wasting space and a risk, even if it’s very small out there, can be deleted.

Carolyn Woodard: It’s hard. It goes against human nature.

Ian Gottesman: Right. Because it used to be communication and storage was really hard. I mean, when you think about somebody like John Adams, who went off to the Revolutionary War and then wrote these beautiful letters to his wife about what was happening. It would be really long months between when they got them. And then they were turned into books and novels about him because that’s how his history was recorded. That’s totally different than right now.

I’m texting with my wife every day about things that are just in minutiae because communication is basically free and information is stored at almost no cost. We just have a plethora of information we’re creating and then we’re sort of drowning in it in some ways. And we have the opposite problem that generations ago had, by trying to locate and find what’s useful.


Cybersecurity Basics for Nonprofits

Carolyn Woodard: Can you talk a little bit more about the cybersecurity basics that you would advise for nonprofits that maybe aren’t part of your organization yet? Are there two or three basic things that you need to have in place?

Ian Gottesman: Three things you want to think about.

You want to manage your identity.

You want to patch your hardware and software.

And you want to look out for phishing, train your staff.

If you can do those three things, according to the Verizon breach report, that will save 80% of your cyber security problems. And then you don’t have to worry about some of the really big, complicated things, because if you can get 80% by doing three things, why not do those three things?


Managing Your Identity

Managing your identity. We all know these things: don’t share your passwords, store your passwords in a password manager or password locker, set up multi-factor authentication. You know, look at things like haveibeenpwned to see if your passwords have been released somewhere.

Use the tools that are out there, like free and low-cost password lockers. Bitwarden is free, NordVPN offers stuff free too, Nord offers their password manager free to nonprofits.

Use those out there to help protect your members, your stuff, because as a nonprofit, you have a responsibility internally to your organization. But then so many of us have clients that we need to safeguard their data. Some of our organizations are helping people that are really in need and really have had bad things happen to them. And we need to bear that responsibility very carefully.

Carolyn Woodard: Or children.

Ian Gottesman: Yeah, kids, people that are sick.

Carolyn Woodard: Education.

Ian Gottesman: Exactly. Kids, right. Kids that are going to Rock and Roll Summer Camp, I saw that was one of our exciting nonprofits that I just read about. That nonprofit is a member. Helping sick people, religious organizations, all kind of part of our community. And you have a responsibility to your clients, constituents, volunteers, all of them, to protect their information.


Install Patches

Patch your stuff, make sure you know what you have. 

You need an inventory, which is again, easier said than done. What I mean is anything that contains your organization’s information. So that may not mean just things you own. It could be your staff’s phones. It could be smart devices, like TVs or your air conditioning controls. A few years ago, I guess a lot of years ago, Target was broken into because there was a problem with one of its vendors and air conditioning controls. You kind of have to worry about all of these things a little bit.

Take an inventory of what you’ve got.

Try and set those things like your phones, your computers, whatever, to be managed and automatically run updates.

And then things that can’t automatically run updates, keep that inventory and revisit them and say okay, the TV doesn’t automatically run updates, so I need to go once a month, once a quarter, once a week to run updates on the TV.

Just because a device is smart, just because you bought a smart light bulb or smart thermostat, doesn’t mean you need to connect it to the Internet. And if you’re not connecting to the Internet, then you don’t have to worry about running updates and all these things. 

And when you connect these things to the Internet to do cool things, like have the light change colors when you shout at it or through an app or whatever, you do need to take responsibility for the un-cool things of making sure you’re running the latest version, so it’s not becoming part of a DDoS botnet attack thing.

Carolyn Woodard: Update the password.

Ian Gottesman: Right. Exactly. Exactly.

Make sure your door camera isn’t being snooped on by somebody else and watching all your neighbors walk by or even worse, like a security camera that’s looking in your daycare, that’s designed for parents to watch their kids at daycare or dogs. My sister leaves her dog in a doggy daycare, and they can log in to a camera and watch them. But it wouldn’t be so cool if some bad person was doing that and then taking pictures of your dog. 


Watch Out for Phishing/Train Your Staff

And then finally, watch out for phishing, right? I’d have to look, but a huge percentage of cybersecurity incidents start with phishing. And phishing in sort of the broadest sense of the word, not just email at your professional email, but texting, messages on all these different services, like WhatsApp, Signal.

Carolyn Woodard: QR codes.

Ian Gottesman: Yeah, the whole works. 

One thing that someone told me years and years ago about this stuff is it’s not an accident that 911 isn’t an email, right? People send you things with a false sense of urgency, whether it’s a salesperson saying “oh no, you’ve only got one day left to buy this thing,” or a hacker, “oh no, click on this before you lose your bank account,” or your access to your E-ZPass, which I got the other day, and I was just talking to my wife about it. She got the same one. Very little of what you get in email is urgent. So, take a second.

There’s a really good free public service announcement that Craig Newmark for Aspen Digital did called Take 9. You can go out there. You can download those. You can show those to your staff. Those of you in Washington DC or New York area and a few other places, they have big billboards during the holiday seasons. There was one, I think, on New York Avenue, if I remember correctly, and in the metro during those seasons.

There are a lot of good, low-cost, no-cost resources around cybersecurity for nonprofits, and there’s a lot of them for public service announcements or public education. CISA has a bunch, and you can use those for your staff. 

The one thing I’m really, really, really convinced of is if your organization is doing amazing, cool work in teaching kids to go to rock and roll summer camp, teaching kids to play soccer, to get them involved in education, giving grants to people that do stuff, that if you can do that really hard work that the private sector or government can’t do, you can do cybersecurity too.

It may be sort of a black box that you don’t understand, it is a little intimidating, but start with those three things and you can fix the other stuff, and then you can build up to the more complicated stuff. But if you can get 80 percent done with three things, do those three things.

Carolyn Woodard: We talk about it too, that when you think about training your staff or making sure your staff are part of your army, protecting your organization, nonprofits have it a little bit easier because everyone who works for you believes in your mission, believes in what you’re doing. They want to protect you. 

I mean, I don’t know if you’ve had a for-profit job recently, but I know that in my past life, I had jobs where I didn’t care. They were paying me and, hopefully I was doing the job I was supposed to be doing. 

I think we’re already a little bit farther ahead in being able to get the staff to see themselves as, in their inboxes, protecting the organization.

Ian Gottesman: Yeah, I mean, you read a lot about insider threats and people doing bad things that work in an organization. That occasionally happens with nonprofits, but it’s much more common, like you’re saying, with for-profit or government organizations, where people are working there and they just don’t care and they’re annoyed at their boss or their boss’ boss or what their organization does. So, then they leak things or do terrible things to the organization.

These are mission-driven organizations and part of your mission is to protect your organization. And so, some of the cybersecurity stuff that happens, you can help protect by just spending a little bit of time and a little bit of thought.


Ending the Stigma and Being Open About Cybersecurity Crimes

I think the other thing too that I think a lot about with cybersecurity – and I think a lot about cybersecurity, which is, that’s what happens when it’s your job and a passion. 

I think one of the things that happens with cybersecurity that’s not analogous with real life security is when people are the victim of a crime in cybersecurity, they are a lot more times embarrassed or ashamed. 

If someone were to drive a big truck through the front of your organization, run through the elevator, run up to the file cabinets of your CFO’s office, rifle through all the file cabinets, steal all your financial records, and then run out, that would be on the front cover of the Washington Post if they did that in Dupont Circle where I used to work. 

But if someone were to break into your financial system and steal all your financial records, and maybe you didn’t have multi-factor authentication set up, just like you didn’t have big bollards in front of your building to stop people driving through the front door, then people will say that’s your fault because you didn’t have MFA set up, and then some big fat Russian person did that because you’re a fool.

I don’t think that’s right, and I don’t think that’s fair.

And I think that if something happens to you in cybersecurity, you should feel free to talk about it, and you should sort of expose it just like a lot of other crime. Sunlight is the best disinfectant.

And you should feel free to come to people when these things happen, people that are in your organization to help you, people like Community IT, people like the NGO ISAC, because we’re here to help, right?

We aren’t here to belittle or make fun of you because you didn’t have a good password. That happens. I wish I could say I’ve never had a cybersecurity incident or I’ve never had a bad thing happen to me, but, it happens.

Carolyn Woodard: It’s out there all around. I like that analogy of if someone broke into your office building, it would be easy to see yourself as a victim, right? You were the victim in that case. It wasn’t your fault. They just came in and robbed you, you know? 

But when it’s in your inbox, you think, oh, well, I shouldn’t have clicked on that. I’m stupid. I can’t believe I clicked on that. And now it’s this big problem.

But we do talk about making sure in your organization that you have an environment where people can tell you that they clicked on the wrong thing and aren’t so embarrassed about it that they just either don’t mention it to anyone or try to fix it themselves. It really is important to share that and to know who to tell.

Ian Gottesman: Yeah. And I think that’s kind of one of the models of the NGO ISAC or these shared security models is – security works better when it’s a team sport and when everybody shares. And so, whether that’s within your organization, within peer organizations or everywhere, I think some of these criminals prey on people because they know that it’s an easy thing to do.

A lot of them are coming outside of the United States and then doing things to the United States, and there’s no real repercussions for what they’re doing in some far-off place. And then even if one in a million people do it, if you get a few thousand dollars or a few hundred dollars or whatever, then just you’re doing it at such a big scale because you have a lot of infrastructure you’ve stolen, and you just keep doing it. So that’s another thing I think that we need to solve.

I don’t think the NGO ISAC can really solve it, but we as a society and international organizations, we need to make criminals who commit crimes outside of your country and cyber organizations pay, whether it’s like lottery scams in places like Jamaica where I used to live, or ransomware gangs running out of Eastern Europe, or former Russian, former Soviet Union countries. If there was a price those criminals were paying, it would make cybercrime a lot less likely.

Carolyn Woodard: I think we’ve noticed that a lot of nonprofits now in this environment are a lot more worried about, maybe getting doxed or being attacked for an advocacy stand that they take, or even just the work that they do. But I think you’re still far more likely to be the victim of a crime.

People are trying to break into your systems to get your money.

Ian Gottesman: I mean, the most common type of Internet crime is a business email compromise where someone breaks into your email or breaks into a vendor’s email and sends you an email. And then says, I’m your printer vendor. And there’s one letter off from your printer vendor’s name. Our $5,000 bill for your quarterly printing costs need to go to this new bank account. And they send it to a person who’s really busy and not really thinking. And it looks exactly the same because they broke in into the printer vendor’s email or someone’s email. And you send it, and then now you’re out $5,000. So that is the most common type of internet crime that businesses are exposed to. And those businesses include nonprofits.

And it’s the most costly, too, a lot more costly in total than ransomware, for example. It doesn’t get a lot of attention. But if you look on the FBI’s website, it talks about IC3, which is the FBI’s internet crime reporting. And one thing I do have to say, we just had a briefing. We have weekly briefings, and about two weeks ago we had one with the FBI.

One thing I do have to say is that if you are the victim of BEC, go immediately to the FBI.

If you report it within 72 hours, they say they have an 80 percent recovery rate with your money. Report it to the local police, report it to the FBI, and report it to your bank. And then hopefully, with 80 percent certainty, you can get your money back.

Carolyn Woodard: That’s great. That is great to know. And I think with all of this, if you put these cybersecurity protections in place, then you will protect yourself from wire fraud, phishing, email compromise, and also from any other attacks that you might be facing.

Ian Gottesman: Right. And it doesn’t need to be a new, expensive tool or a new person or something. It could just be a simple process. If someone sends a request to one of your accounts payable people or one of the people who sign contracts, “we need to change where the payment is going,” then verify it offline, meaning don’t reply back to the email that you got or the WhatsApp message you got. Call them from the number you found on their website, not on the email you just got, and say, “Ian, I see the NGO ISAC has a new PO box that I should be sending our check to for your dues. Can you confirm that PO box?”

Carolyn Woodard: Yeah.

Ian Gottesman: Sure. Here’s the PO box.

Carolyn Woodard: And that’s not expensive.

Ian Gottesman: Right. That’s not expensive. Speaking from personal experience, even if you send a small check accidentally somewhere, there’s the cost of that check, and then there’s the cost of investigating it, reporting it to your board, reporting it to your auditor, rejiggering your processes to do those sorts of things. 

And these things are really, really, really common. And they happen not just to small nonprofits: Google and Apple were victims of a huge BEC scam, where someone set up a website that looked like the people that make screens for their phones, and then sent them invoices saying, “you ordered 10 million screens.” And it was a guy in Germany, and then they wrote two or three checks for millions of dollars before they realized what had happened, and that they had written it to the wrong everything.

And so, again, back to my earlier point, you don’t want to be embarrassed or ashamed about these things, but you do want to do better. And one of the ways you can do better is by communicating about that within your organization, within peer organizations, and to law enforcement and others.

And then, you learn from these things, right? Everybody makes mistakes.

You know, we all had to fall off our bike before we could ride. And it’s important to learn from the mistakes you make and to learn to make small mistakes so you don’t make big mistakes.

Carolyn Woodard: Yeah. Well, I want to thank you so much for your time today, Ian. This was just so helpful, I think, to our audience. And I know I learned a lot, so I really appreciate it.

Ian Gottesman: Yeah, happy to do it. And for those in the audience out there who are nonprofits, please apply to join the NGO ISAC. You can do it from our website. There’s a link on the top of every page. We’re happy to have conversations about how we can help you with cybersecurity. It’s a community of peer organizations that are here to help each other.

Just click the Join Me link and that’ll get you started in our membership pipeline.

Carolyn Woodard: Sounds great. Thank you so much, Ian.

Ian Gottesman: Thank you, guys. Have a good day.