Community IT Innovators Nonprofit Technology Topics

Cybersecurity Tabletop Exercise for Nonprofits with Matt Eshleman pt 1

Community IT Innovators Season 6 Episode 30

Learn how to run this valuable training tool from Community IT Chief Technology Officer and resident cybersecurity guru Matthew Eshleman, who explains how to carry out a cybersecurity tabletop exercise for your nonprofit and why this type of active testing is so valuable to your security planning. 

In pt 1, Matt and Carolyn go over what a tabletop exercise is and how it fits into your cybersecurity planning for your nonprofit. In pt 2, Matt describes 3 scenarios specific to nonprofits that you can use, and reviews general lessons learned and best practices from his work with clients.

Make regular cybersecurity tabletop exercises part of your nonprofit incident response plan.

Do you regularly practice your nonprofit’s cybersecurity incident response?

If you haven’t had a cybersecurity incident yet, count yourself lucky. If you have, you probably encountered some questions you wish you had had the answers to before the incident began to unfold.

That’s where a cybersecurity tabletop exercise for nonprofits has enormous value. A cybersecurity tabletop exercise simulates a cybersecurity incident in a controlled environment so you can practice your response and discover weaknesses before they become damaging.

For example, a staff member alerts you that they clicked on a malicious link in an email and now their laptop is “acting funny.” Do you have a phone tree of the people you need to contact? What if someone important is on vacation? Who do you contact then? What if everyone’s laptops are frozen? Can you still access important contacts? What do you do next?

Cybersecurity tabletop exercises can be elaborate or simple, run by a consultant or run from within. It is surprising how many nonprofits that regularly review and evaluate their programming never use the same principles to evaluate their basic cybersecurity preparedness.


How can your nonprofit get started on this practice?

If you’ve never walked through a cybersecurity tabletop exercise at your nonprofit, you may be intimidated at the prospect or have trouble prioritizing it and carving out time on everyone’s calendar. In this webinar, Matt introduces some popular resources, describes common examples of tabletop exercises, and explains how to adapt this skill-building exercise for nonprofits. 

Matt Eshleman has run through cybersecurity tabletop exercises with many nonprofit clients and guides you through best practices and first steps to get started. Don’t wait to introduce this valuable training tool to learn where you can strengthen your practices and better protect your organization in these challenging times.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

Download the free eBook on Cybersecurity at Nonprofits: https://communityit.com/download-cybersecurity-readiness-for-nonprofits-playbook/



Carolyn Woodard: Welcome everyone to this Community IT webinar, Cybersecurity Tabletop Exercise for Nonprofits with Matthew Eshleman, who is going to explain how to carry out a cybersecurity tabletop exercise for your nonprofit, and why this type of active testing is so valuable to your security planning. It doesn’t have to be expensive. You don’t have to hire consultants to do it, although you can if you want to, if you think that would be helpful to your organization to get it done.

We include this advice in all of our cybersecurity webinars all the time. I’m excited today to be able to share some of the how-to advice with you.

My name is Carolyn Woodard. I’m the Outreach Director for Community IT. I’ll be the moderator today. I’m very happy to hear from our cybersecurity expert, Matt. 

But first, I’m going to go over our learning objectives. By the end of the session today, we hope that you will learn 

what a tabletop exercise is, 

learn why regularly doing tabletop exercises is a valuable and inexpensive way to strengthen your nonprofit emergency response plan, 

walk through a sample tabletop exercise with us and 

discuss the lessons learned and next steps for introducing or improving tabletop exercises at your nonprofit.

Matt, would you like to introduce yourself? 

Matthew Eshleman: Thanks for the introduction, Carolyn. I’m really looking forward to this webinar today. 

We talk a lot about various technology solutions in our different webinars and the content that we produce, and so I’m looking forward to today’s session and really being able to bring it all together.

As Carolyn mentioned, my name is Matt Eshleman. I’m the Chief Technology Officer here at Community IT, and I was reminded by a little calendar pop-up that I actually started as an intern at Community IT 25 years ago in the summer of 2000. It’s pretty exciting to continue to be here and be able to engage with so many great organizations and talk about cybersecurity.

Carolyn Woodard: Oh my gosh, Matt. Congratulations.

Before we begin, if you’re not familiar with us, with Community IT, a little bit more about us. We are a 100 percent employee-owned managed services provider. We provide outsourced IT support, and we work exclusively with nonprofit organizations.

Our mission is to help nonprofits accomplish their missions through the effective use of technology. We are big fans of what well-managed IT can do for your nonprofit. We serve nonprofits across the US.

We’ve been doing this for 25 years, over 25 years, but we’re coming up on our actual 25th year anniversary next year. 

We are technology experts and are consistently given an MSP 501 recognition for being a top MSP, which is an honor we just received again in 2025. We’re checking the current list, but in the past, we have been the only MSP on the list serving nonprofits exclusively.

I want to remind everyone that for these presentations, Community IT is vendor agnostic. We only make recommendations to our clients, and we only do that based on their specific business needs. We never try to get a client into a product because we get an incentive or benefit from that.

We do consider ourselves a best of breed IT provider. It’s our job to know the landscape, the tools that are available, reputable and widely used, and we make recommendations on that basis for our clients based on their business needs, priorities and budget. 

And we did get a ton of great questions at registration. We’re going to try and answer as many of them as we can, but for anything we can’t get to, I’ll ask Matt to give us some written thoughts, and I’ll append those to the transcript. You can check back after the webinar if we didn’t get to your question.

And a new thing this month, we just started a community over on Reddit. It’s r/nonprofitITmanagement. We’re going to answer some questions over there without naming names. And if you have questions and you’re on Reddit, you can join us over there. Matt’s going to pop on and off for the next couple of days and just answer any questions that come up in there. 

And a little bit more about us: our mission, as I said, is to create value for the nonprofit sector through well-managed IT. We also identify four key values as employee owners that define our company: trust, knowledge, service, and balance.

We seek always to treat people with respect and fairness, to empower our staff, clients, and sector to understand and use technology effectively, to be helpful with our talents, and we recognize that the health of communities is vital to our well-being, and that work is only a part of our lives. 


Cyberliability Insurance

With that, we’re going to tell you, we’re a little bit curious how many of you have cyber liability insurance and have had to comply with requirements. I’m going to go ahead and launch that poll now, and I hope that you can see that.

The answers are: no, not yet, we don’t have cybersecurity yet; we’re not sure (it might not be part of your job description, so that’s fine); yes, you have cybersecurity liability insurance; and not applicable or other. Matt, can you see that?

Matthew Eshleman: Yes, I can. For the question of, do you have cyber liability insurance for your organization? I’ll jump ahead and say about 56 or almost 60 percent say yes, and then about 20 percent say no, not yet. Another 20 percent are not sure, and then a few folks were saying not applicable. 

So that’s really good to see. I think that probably mirrors our experience in supporting our clients.

I will just say, kind of anecdotally, we have seen the cyber liability insurance market change pretty dramatically. Six, seven years ago when this got started, cyber liability insurance was cheap, easy to obtain, and didn’t really require much other than filling out the application.

Then over the next couple of years, the costs certainly rose along with the requirements.

And I think now where we’re at is the cost is still increasing, although at smaller rates than before. But certainly, the number of requirements that are coming along with the cyber liability insurance have increased as well.

Carolyn Woodard: And I just want to mention, we did ask at registration how many people had had an incident in the last year, and it was a pretty sizable chunk of people registering. If you don’t have that cybersecurity liability insurance yet, you might want to think about it. And some funders, I think, also require it. It’s something that we have a lot of resources on our website about that insurance. So that’s something to look into. 


Have you already done a tabletop exercise? 

And then we have a second poll, which is, have you already done a tabletop exercise? The answers are: no, not yet; not sure; yes, it went great; yes, but it could have gone better; and not applicable or other.

Again, we’ve got some pretty good response. And I don’t know if this is going to surprise you, Matt, but I’m going to go ahead and share. Can you see that? 

Matthew Eshleman: Yes. So, yeah, I mean, maybe not surprising, but yeah, the vast majority of respondents, so 80% said no, not yet. And then, you know, 12% here had said yes, and some for another with just 5% saying yes, it went great. 

If you’re in that category of yes, it went great. I’d really love to be able to hear what, you know, what made it go well as we go along, and as Carolyn said, we should have time for questions and some more conversation towards the end of our session today. So that’s great.

Carolyn Woodard: All right, sounds great. Thank you, everyone, for participating. That really helps us.


Cybersecurity for Nonprofits Framework

And now I think, Matt, you’re going to talk a little bit more just kind of a baseline framework grounding on how we look at cybersecurity and where this kind of exercise would fall in this rubric that we use.


Matthew Eshleman: Yeah, for sure. This is a graphic that I use quite often just to help think through how we’re organizing and aligning around cybersecurity.


Policy

Things like those foundational concepts such as policy really provide that foundational guidance for the technical solutions that we’re building on top.


Security Awareness Training

You’ll notice we don’t jump straight from policy into technology but really have that layer of security awareness training as a key element. Most of the attacks that we see in this kind of small to mid-sized nonprofit space that we support are initiated by people clicking on something that they shouldn’t have, or by getting tricked into updating payment information, or buying gift cards, or updating information for somebody that’s obfuscating their identity.

What we’re going to be doing today is a special type of training, maybe an incident response where we’re going to practice ahead of time, what you and your staff would do in the event of that tech emergency, whether someone knows they clicked on the wrong thing, or somebody on your staff sees something suspicious, or maybe your IT team has identified a breach.


Technology Tools for Cybersecurity

In the rest of the graphic, the blue line is really the range of technical solutions that we would add in to provide meaningful protection. But again, technology in and of itself isn’t going to be a perfect solution without that policy and staff training element as well.


Compliance

At the very top, we have this compliance layer, which represents some external requirements that you have, either from external funders or other board sources that say, hey, we really need to apply these policies or these procedures as a result of some external requirements.

At the end of the day, the IT department can help support that compliance, but it’s really an exercise that the entire staff needs to be on board with for the policy implementation of those controls. We’ll spend most of our time today talking about how to actually play those things out.


Cybersecurity Readiness for Nonprofits Playbook

Carolyn Woodard: And I did put the link to download that playbook in the chat. It’ll be in the transcript as well. And we have some other resources around that playbook on our website, so go ahead and look for those. 


Background: Tabletop Exercises in Cybersecurity for Nonprofits 

But Matt, can you set the stage for us? Why are nonprofits hearing about and interested in tabletop exercises at this moment?

Matthew Eshleman: Yeah, so I think it’s a great question. I’m really excited that we’re actually at this point and being able to talk about doing a tabletop exercise. We’ve been talking about cybersecurity for quite a while. We have tended to be focused on specific technologies or specific solutions or specific policies, right? We talk about an IT acceptable use policy. We talk about the importance of MFA and why it’s so critical.

We talk about security awareness training. We’ve done a lot talking about why we’re doing all of these specific elements. 

And I think now we’re really at a place where a lot of organizations have made significant investments and improvements in their cybersecurity controls. With all of these pieces in place, now organizations say, hey, well, we’ve already done the basics. Maybe we followed that playbook from you all. We’ve done all these pieces.

How do we need to test it to make sure that the things that we thought were in place and the controls that we think are working are in fact doing the things that we expect them to do? 

I think organizations have invested a lot over time, and I think it’s now working. And it’s listed on here. If you’ve got the basics in place, now it’s an excellent time to put your plan to the test. Is it in fact doing all the things that you expect it to do?

Being able to test it can help identify those gaps and maybe surface some weaknesses in your existing policy or controls and really help to identify, okay, so what’s the next thing that we need to take? 

Whenever we do have a security incident, we’re really ready to respond and do so in an efficient way.

Carolyn Woodard: And I did put in a link to how to create that incident response plan if you don’t have one. And it used to be just for like, oh, those sprinklers went off in our office and the whole thing got flooded and we had to figure out where our laptops were and all of that sort of thing. And now, a large part of it is, if there’s a cybersecurity incident, how would you respond?

So Matt, I think you’re going to tell us a little bit more about what a tabletop exercise is.


What are Tabletop Exercises in Cybersecurity for Nonprofits?

Matthew Eshleman: Yeah, maybe we should have put this at the beginning of the slide before we asked everybody if they did one. 

The way that I’m choosing to define a tabletop exercise, really it is a way to practice the implementation of your organization’s incident response policy. 

The incident response policy defines the different systems that your organization has.

It talks about if something happens, how are we going to respond as an organization? What is the IT department’s response? Is there a communications department response? Do we have a legal duty to report things? 

The incident response plan itself can be pretty detailed. And the tabletop exercise is really an opportunity to test that out and to put it through its paces to make sure that it holds up.

It makes sense to do it using some realistic scenarios. I’m sure as soon as I mentioned testing out your incident response plan, maybe something horrible popped into your mind of like, oh my gosh, our website goes down or our executive director’s account gets compromised. Those are all real scenarios that happen to organizations just like yours.

It’s a chance to test how would we respond or react in those situations and does our plan and our procedure actually make sense and give us the level of comfort and control that we really need. 

I think the big thing is that the incident or the tabletop exercise itself is not really something that is just done by the IT department in a vacuum.

It really should, in kind of its best ways, be a dedicated exercise that involves everybody who’s identified in the incident response document, in a room together, either in person or virtually kind of working together and working through the scenario that’s identified.

Carolyn Woodard: You remember we had someone tell us about the phone tree, like who you’re supposed to call next. Unfortunately, their client, when they had the response, everything was frozen. If they had done an incident response plan tabletop exercise, they would have realized they needed a paper copy so that they could call the next person on the list. But as it was, they were running around like, who are we supposed to call? That was all on the laptop that’s now frozen. Good to know.

In your tabletop exercises, I think these are kind of key pieces of advice that you would give to an organization.


How do you get started? 

Matthew Eshleman: Yeah, for sure. I think the top bullet point here really is important.

Planning is the key to success. Planning a tabletop exercise does not just mean throwing a calendar invite on a bunch of people’s calendars a week from now and expecting them to show up and be ready to go. 

I think whoever is leading or organizing the tabletop exercise should come planned with some of the scenarios that we’re talking about in the next couple of slides.

I think it’s helpful to identify what are the goals of this process. What do we expect to be able to say at the end of our time together? 

Then also making sure of who’s available. As I just talked about, a tabletop exercise is not just something for the IT department to initiate and do on their own. Often the best ones that I’ve been a part of are actually even led by external legal counsel. They involve the executive leadership of the organization. It’s a department, it’s a director level meeting. It is a high-level meeting.

As a result, it can be a very expensive meeting if you think about it, because of all of the senior staff time that is required to be there, to be engaged and to participate for a sustained amount of time.

With all of that investment, we want to make sure we’ve got clear goals, we have all the engaged parties able to participate, and we can have a clear sense of what we expect to get out of this process together.

Carolyn Woodard: And I think we would say, don’t try to squish it into 15 minutes of a staff meeting, like an all-staff meeting. You really need to have some dedicated time to it. It may take longer than an hour. It may take a couple of hours to really work through everything you need to talk about. 

Getting that time on those people’s calendars can be difficult. But if it’s a small organization, it may be, in addition to an all staff meeting, you just set aside a couple of hours for everyone on staff, like all six of you to get together and just talk about what’s your response plan, who’s responsible for what, and how do you cover it if that person’s on vacation, that sort of thing.


Is your nonprofit open to the idea of doing a tabletop exercise?

So next we’re going to do this thought question. If you could put in the chat your answer to this, is your nonprofit open to the idea of doing a tabletop exercise? I know we had several of you in the previous poll who say you haven’t done one yet.

We just want to kind of take a little temperature of is that because people are not open to it or you haven’t found the time, that sort of thing, or you don’t know how. So hopefully this webinar will help you with that. 

And if you can also put in the chat, like, what are the barriers to getting started?

I just mentioned a couple like time, organization, making it a priority. We’d love to hear from you as we go on and talk in the next couple of slides. If you want to put into chat, is your nonprofit open to the idea of doing it, and what are your barriers to getting started? Because that’ll help us answer you as well.

And someone’s already jumped in with time, getting the right people in the room, right? That’s something. Having a small organization, just two people makes it seem not as pressing, maybe just the two of you are going to cover it, whatever happens.

So please go ahead and keep putting those in chat. We’re going to move on to the next slide, which I think, Matt, you’re going to talk a little bit about really defining those goals a little bit more.


Define the Goals of the Tabletop Cybersecurity Exercise


Test the plan

Matthew Eshleman: I think the number one goal of the tabletop exercise is to test that incident response plan.

As Carolyn provided, we have some resources to help put that together. But essentially, the incident response plan defines for your organization who is responsible for responding when you think a security incident may have occurred.

There is some variability ranging from maybe a single account compromise, maybe an intern, that’s going to obviously have a very different response associated with it than maybe if the executive director’s account is compromised, or maybe your director of finance. 

Often the incident response plans will have a couple of different scenarios outlined. In this case, here’s what we do. In that case, here’s what we do. And so, it’s a way to test that out.


Ensure it works

Another goal really is to use it as a roadmap to ensure that it works, right? Are there weaknesses in your incident response plan? Does it rely entirely upon one person of your organization to manage, coordinate, execute the response? Does it maybe call for vendors that no longer have a relationship with you?

These documents get created, they tend to get put on a shelf, and so the incident response, this tabletop exercise is really an opportunity to take it off the shelf, review it, walk through it, and see if what you define for yourself really still holds up.


Include stakeholders

It’s also an opportunity to include those stakeholders to build buy-in and identify unknown gaps. Community IT is a managed service provider. We have our organization’s incident response plan. We know what we’re going to do whenever somebody (a client) tells us they have a security issue, but the organization itself needs to know. We’re just one part of the bigger puzzle for an organization. 

The incident response plan is not just an IT initiative, there could be communications, executive leadership, maybe the board has a role.

Everybody who has a role defined should participate as part of the tabletop exercise to make sure that that coordination and communication is really available there.

An example: in an incident response or tabletop exercise we were a part of, we had our primary contact.

But then in their plan, they had a couple of other people identified as having key roles.

But we didn’t really have a strong connection with those folks. As an outcome of the tabletop exercise, we got some additional contact information, had additional relationships so that we can respond appropriately to the people that have the response roles at our clients.

Carolyn Woodard: There’s always going to be something in a response that’s not going to go right. There are so many things moving and it’s different from anything that you’ve had to respond to before, each time. It’s hard to find out in that moment, this isn’t the right contact person for that organization or whatever it is.

And I was also just thinking when we were preparing for this, nonprofits usually spend a lot of time on their programs evaluating what went right, what didn’t go right, what could we do differently next time. There’s a lot of program evaluation going on, even informally, as we’re thinking about our jobs. 

And so maybe one way to think about this is to take that same mindset, but just apply it to this cybersecurity incident response plan, right? How could you do it better? Testing it, probing it, you know, running through it to see where there are some weaknesses is a good way to look at it.

Join us in part two of this podcast, where we'll walk through some specific actual scenarios that could be useful at your own nonprofit to run a tabletop exercise. And Matt will discuss some of the best practices and lessons learned from the many times that he has run tabletop exercises with our clients.