Nonprofit IT Essentials for Challenging Times with Nuradeen Aboki pt 1

Show Notes

Are you worried?

The current situation for the nonprofit sector is highly changeable and changing fast. Every day there’s a new worry turning up around your mission, your funding, and your future. 

Where does your IT fit into this new world? Is your IT strategy flexible, and have you revisited your IT planning, performance, and policies? As you examine your finances, what IT is essential and where can you afford to pare back without hurting your productivity and morale? Do you have some smart savings opportunities lurking in your IT budget that could help your organization in this moment? Is your cybersecurity up to date and do your staff know how to protect your organization and data? Perhaps most importantly, how are your staff coping with all this stress?

What are the top steps to take NOW to adapt your IT quickly to the new nonprofit sector reality?

Join Senior Consultant Nuradeen Aboki who answers your questions about priorities, strategy, and next steps. Nura has been in nonprofit IT for decades and has enormous experience helping our clients’ executives strategize priorities and cut through the noise to the essentials. This is a perfect opportunity to get guidance and reassurance.

In part 1, Nura and Carolyn cover introductions, policies, and resources on three main categories you may be worried about - cyber, data, and staff safety. In part 2, they go over budgeting for IT when your budget may be up in the air, what to move into the "nice to have" and what needs to stay in the "must have" column, resources on how to stay mentally healthy under stress, and how to make a plan to move you and your nonprofit forward with confidence in your priorities. 

What you are doing matters. Don’t burnout with worry but don’t leave your organization vulnerable either. 

Learn what Nura recommends and leave with a plan for your next few months and the resources to help you sort out your nonprofit IT essentials for these challenging times.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

_______________________________
Start a conversation :)

• Register to attend a webinar in real time, and find all past transcripts at https://communityit.com/webinars/
• email Carolyn at cwoodard@communityit.com
• on LinkedIn

Thanks for listening.

Transcript

Carolyn Woodard: Welcome everyone to this Community IT webinar, the Nonprofit IT Essentials for Challenging Times. We're joined today with Nuradeen Aboki, who's a senior consultant here at Community IT. We're going to talk about making hard choices in our current climate and facing the challenges with our essential IT intact. We plan to talk about governance and policies that help you manage risks, and how to budget wisely. We'll also talk about when in-house or outsourcing.

IT can add value, especially if your nonprofit is facing staffing cuts or major disruptions in your programs or your funding. We want to talk about how you keep their. IT lights on in the midst of these changes and challenges, and how do you protect your nonprofit staff and your nonprofit against attacks? And how do you, on top of all that, how do you maintain a healthy workplace with all of these mounting stresses and uncertainty? 

My name is Carolyn Woodard. I'm the Outreach Director for Community IT, and I'm the moderator today. And I'm very happy to hear from our Senior Consultant, Nura, who has been calming clients down for decades, and will help us sort through our priorities and how to think about making a plan. But first, I'm going to go over our learning objectives. Our learning objectives are, by the end of this session today, we'll learn about 

●               IT governance policies and why they are a necessity for nonprofits at any time, but especially now. 

●               Learn what to prioritize in your IT, cybersecurity, data security, staff security,                       basics, and more.

●               We're going to learn how to budget for IT and how you can use that budgeting process to find value and make decisions.

●               We're going to talk about staying healthy and motivated as a nonprofit or a nonprofit IT professional, and we're going to review at the end how to make a plan to move forward. 

We know we're not going to be able to get into all of this. It's only an hour, but we're really happy that you're spending the hour with us.

I want to acknowledge that this moment is suddenly very adversarial. In general, I have some friends who worked at nonprofits that were in certain advocacy areas where they knew going into it, they were going to have a lot of maybe adversarial attacks, a lot of politics involved. And they went into that job knowing that that was what they wanted to do, and they were okay taking that security risk to do the job, the advocacy that they were really passionate about.

But I feel like in the past year or so, the nonprofits that were never controversial before are suddenly facing maybe a lot more adversarial attacks online, in this administration, in this political environment than we've never faced before. So I just wanted to acknowledge that I know a lot of people are feeling a lot of stress. A lot of us are really scared about what's going to happen to our job, to the sector, to our organization.

So I hope this webinar will help us breathe, prioritize and give ourselves some time in the midst of everything, being on fire all the time, to be together and talk this through, talk about what we're going to do next. And what does any of this have to do with nonprofit IT?

I'm really happy that my colleague Nura is joining us today because as I said, in addition to his decades of experience in. IT and as a senior consultant with so many of our clients, he's also very, very calm. So Nura, would you like to introduce yourself?

Nuradeen Aboki: Thank you, Carolyn. It's been a pleasure being here. My name is Nuradeen Aboki, Senior Consultant in Community IT. I've been with Community IT for about 16 years, helping nonprofit organization clients in. IT planning, management, strategy, and overall just taking a look at that nonprofit. IT solutions and making sure they're right fit to meet our clients where they need to be in terms of their mission and values. So today, I'm really thrilled to talk about these times that we're in and how we can take a look at. IT and make the right investments and choices. 

Carolyn Woodard: And I'll go ahead and introduce myself. I'm Carolyn Woodard. I'm the Director of Marketing at Community IT. And before I was in marketing here, I worked for a couple of different nonprofits, a very small one and a large international one, working in IT. I was an IT director, if you can believe it, which just proves that you need to be a manager, not necessarily have a tech background, to be successful as a technology director, or to be helping a shepherd technology through at your organization.

I'm really happy to be here also, so thank you all to you for joining us today. Before we begin, if you're not familiar with Community IT, I want to tell you a little bit more about us:

 

·       We're a 100% employee-owned managed services provider. We provide outsourced. IT support.

·       We work exclusively with nonprofit organizations, and our mission is to help nonprofits accomplish their missions through the effective use of technology. We are big fans of what well-managed IT can do for your nonprofit.

·       We serve nonprofits across the United States. We've been doing this for over 20 years, almost 25 years next year. We are technology experts, and we are consistently given the MSP 501 recognition for being a top MSP, which is an honor we received again in 2024.

·       We host a weekly podcast, and we do this monthly free webinar series. You can also access all of our previous webinar videos and transcripts on our website at communityit.com, and you can register for upcoming webinars there. 

 

For these presentations, Community IT is vendor agnostic so we only make recommendations to our clients and only based on specific business needs. We never try to get a client into a product because we get an incentive or benefit from that. But we do consider ourselves the best of breed IT provider. It's our job to know the landscape, to know what tools are available, reputable and widely used. And we make recommendations on that basis for our clients based on their business needs, their priorities and their budget.

And a little bit more about us. Our mission is to create value for the nonprofit sector through well-managed IT, and we also identify four key values as employee owners that define our company: Trust, knowledge, service and balance. We always seek to treat people with respect and fairness, to empower our staff, clients and sector to understand and use technology effectively, to be helpful with our talents. And we recognize that the health of our communities is vital to our wellbeing and that work is only a part of our lives. 

Nonprofit IT Governance Policies

And now I would like to ask everyone a thought question, which is: what nonprofit IT governance policies do you need?

And while you're reflecting on that, don't worry, on our next slide we're going to tell you a little bit about some of the bedrock IT governance policies we recommend. And I just want to say before we really get into this, that Nuradeen and I did a webinar specifically on governance and policies last year, so we're not going to go in depth on it here. If you're in a situation where you need more information on these policies and governance, do go check that out on our website and I'll put that link in our chat as well. 

Today we really wanted to especially touch on data retention policy, especially if you might be facing subpoenas or leaks, etc in the current environment. And I know policy sounds really boring at a time when we might feel like we just want to be out there taking action, writing to our congressmen and doing all the things that we need to do to protect our organization and our sector. Nura, I would like to ask you to draw on your experiences over the decades of advising our nonprofit clients, and just take it maybe back a step. 

What kind of trouble can a nonprofit get into if they never get around to creating these essential policies?

Nuradeen Aboki: Well, fundamentally, having no policies can leave employees unsure of what to do in the event of an incident.

It could be a security incident as simple as, hey, I lost my laptop or it's stolen, or what applications to use at the workplace? 

And then where do I store my data? Who do I share my data with?

So there are a lot of questions that employees are left with without any guidance or governance, especially without any IT policy. 

One of the biggest risks is actually data exfiltration or data leakage. 

So having an IT policy is foundational.

Every organization should spend time and make the investments to consider some essential policies, especially the ones that we've listed here on the slides. And I noticed on the chat that there's a common theme such as acceptable use policies. Cybersecurity policies could include the data retention policy, privacy policy, as well as an AI acceptable use policy. 

So IT policy is to help protect the organization from honest mistakes, disgruntled staff, and security vulnerabilities.

Carolyn Woodard: I know of some cybersecurity liability policies where they will want to know that you have an acceptable use policy. And also, we have the new auditing guidelines for nonprofits that include IT risks.

And they're also going to ask you, do you have an acceptable use policy? And if you don't have one, you can't really hold employees accountable. You can do training with them on how not to click on that link, or how to stay secure, where to keep their data and keep that secure. But you don't have any recourse if something happens, if you don't have a policy. 

Can you talk a little bit, just quickly, about what kind of barriers you see at our clients that kind of keep them from really having strong policies?

Nuradeen Aboki: So certainly leadership is one of the barriers, I think, lack of understanding from leadership. 

Why does IT require policies? Sometimes leaders are focused on their mission, and IT is given little or no attention.

Having leaders that do have an understanding of how important technology is to help their nonprofit achieve its mission, do give time and investments to that department. So you find that leaders that do understand how policies can influence the direction they go in terms of achieving their mission, also make the time and investments. 

One barrier is usually leadership and lack of understanding of how to go about creating an IT policy when they are simply focused on raising funds, for instance, for their nonprofit organization, helping end hunger across the globe. 

A lack of understanding that the space has been, and usually it's not completely ignorant, it's just they just don't have the understanding of how important IT policies are, until recently, when we are seeing more awareness in terms of data, how data is the new currency. So you may find that nonprofit leaders are asking for assistance. They are reaching out asking their IT managers if they are large enough or asking their other colleagues within the space about what other nonprofit organizations are doing about securing their data from adversaries and so on.

Carolyn Woodard: That is a perfect segue to our next slide, where we're going to talk about prioritizing. 

How to Prioritize IT and What to Prioritize

I think you just hit the nail on the head that, if you've just done a press conference because something is on fire in your sector and you're trying to also manage your donations and your funding, carving out the time to write a policy is maybe the last thing on your list that you want to be doing. It really just leaves you so vulnerable if you don't have those policies in place. At least a policy is a place to start, and then you can work from there toward training, making sure your staff are doing all of the acceptable use and best practices to keep your data safe, your organization safe, and then the staff safe as well. 

I think we would start out, as you were talking about Nura, the leadership and creating that IT roadmap. 

We just are going to scratch the surface again today. We do have a couple of webinars on how to create an IT roadmap. We talk a little bit more in there about how to get your leadership on board with it or help them. Maybe you have somebody on your nonprofit board who's tech fluent, who can jump in and kind of help your executives make the time and space to do an assessment and create that roadmap.

And we know that that roadmap is going to be individual, right? You can't just find a template online and make that your roadmap and those priorities are going to be unique to your nonprofit. 

So, I think, Nura, when we were talking about doing this webinar, we identified several areas for focus, and it was reflected in the questions that people had at registration around cybersecurity, data security, and staff security. And of course, financial security, but that isn't something that we can really help you with. Although if you have good cybersecurity, it might help your donors feel better that their money is going to get to you.

Can you talk a little bit about these different categories: the cybersecurity, data security, and staff security, and kind of what we advise nonprofits to do in these realms right now?

Nuradeen Aboki: Yes, thank you. Certainly, security is a hot topic these days, and having an understanding of security is an umbrella that has many domains under it. And one big domain is data security.

Cybersecurity

But I will go back a step where we have cybersecurity here because it touches on the cyberspace, and most likely your behavior or your identity over the Internet. We know that these days a lot of nonprofit organizations leverage cloud applications or services to access their data, whether it's email on Microsoft 365 or Google Workspace or files on Dropbox. They're still using web services, cloud services to access that information. 

So the identity is really very important. A lot of the cyber criminals these days try to steal your identity one way or the other. So having a way or solution to help you monitor that identity as the identity moves from one service to another and if there's any compromise in the identity quickly, having a mitigation solution that would help you secure and protect and isolate that identity and resolve the issue. It's a direction that we are seeing nonprofit organizations buy into. 

And those kind of monitoring solutions these days are pretty robust. You would be amazed at how quickly they are able to detect and attempt to hack into your account from a country. So no longer do you need a whole IT department just monitoring your identities, but you can actually get a service that can do that for you while you focus on your nonprofit's mission and trying to help you achieve your goals.

Data Security

 

With data security, it's important to make sure your data is contained, secured, and ensure that only the people that need access have access to your data. And a lot of the bad actors these days, they are looking to mine your data, so they can probably, get to your funders, get to your donors, and for at least some financial reasons. 

So having a way to ensure your data is encrypted, whether it's at rest, it's with a provider that actually cares about security, as of what a provider that actually can protect you, in case of a subpoena, it's important.

Going back to that topic of an assessment, it does give you an evaluation of your current state, the gaps, and then a roadmap would help you identify where you need to make investments, the ones that you want to start in the first year, second year, third year, and down in the future.

Staff Security
 

Staff security is important. Certainly, the safety of your employees is necessary. These days, we do have work from home. So a lot of the infrastructure is basically the Internet connection that you have, and then the laptops, the people are using to connect to the Internet and the services that are provided. Oftentimes, that's the model we see. A lot of nonprofit organizations will have that flexibility in terms of hybrid work environments, or some of them are fully remote. 

But the device that the staff use is important, and your role at the organization is also important. If you're a finance staff or someone in HR, people and culture, you have high confidential sensitive data that you're working with so you are likely going to be a target, because the bad actors are looking for high-value employees that could be a target. 

So ensuring that the safety of your staff is ensured that you make that investment, give them machines that are secure, give them high assurance security access, like multi-factor authentication that has its own kind of security key, so that whoever tries to break in and access that information, it's harder for them to get any valuable information because you've made the right investment. 

Financial Security

The last piece of financial security, I'll pass it back to you Carolyn, because as you said, it's not our core. I'm sure there are other experts that can provide guidance

Carolyn Woodard: No, it's not really our bailiwick. I guess I would just say, this is something that I've heard. It's not like none of these things are easy. We can just sit here and say, oh, you should do this, you should do this, your executives should make a policy, and then you should all follow it. But if it were easy, we would all have already done it. So I want to just say we're so proud of you for being this webinar and for doing what you've already done.

These are our recommendations for best practices, but you definitely need to find in your own nonprofit what will work in your culture. 

I've been to a couple of conferences recently where there seems to be more of an ability to really talk with your funders. And tell them what cybersecurity issues you're worried about or facing because it's their money too, so they have an interest in helping you.  

If it's your staff security, you have staff that are being attacked online by online mobs, or if it's just you want to get more training for your people to not click on those links that might be phishing. 

The good news is we just had Matt do our Cybersecurity Incident Report. Well, I don't know that it's good news, but he just did a webinar about it. And really 90 to 95 percent of the attacks that we're seeing at our clients are still just financial. It really isn't an adversarial, somebody trying to hack in and take all of your stuff. They really just want to take your money. And it's just some random person following an algorithm, trying to get you to click on stuff and then get you to wire the money to the wrong vendor or whatever it is.

And then the other good news, if it can be good news, is we do have the Cybersecurity Playbook that's free to download from our site. And we really think, and Matt has crunched some numbers on this, that if you follow these best practices, you're really going to prevent 80 to 90 percent of those risks and scams coming in. And a lot of the best practices aren't really expensive, like doing your staff training, having the policies in place, following just the guidelines in our free Cybersecurity Playbook.

And if you can prevent 80 to 90 percent of the risk, like please go ahead and do that. 

I'm going to go quickly to this next slide, which I put a bunch of these links in the chat. But for those of you watching on YouTube or following this later, we have so many resources on our website. We really love to share these resources and hope to help the sector become better at all of these things around IT, around cybersecurity. So please check out these resources and they will be in the transcript as well.

Resources on Setting Priorities

Leadership: ​

·       https://communityit.com/video-design-an-it-roadmap-to-create-value/

Data Security:​

·       https://communityit.com/blog-data-retention-policy-best-practices-in-uncertain-times/  ​

·       https://communityit.com/podcast-nonprofit-data-retention-policy-and-cybersecurity-basics-with-ian-gottesman/ ​ 

Staff Security:​

·       https://communityit.com/blog-protect-digital-identity/ ​

·       https://communityit.com/podcast-anti-doxxing-and-nonprofit-staff-safety/ ​

Cybersecurity Basic Best Practices:​

·       https://communityit.com/webinar-playbook-on-cybersecurity-readiness-for-​
nonprofits/