Community IT Innovators Nonprofit Technology Topics

Cybersecurity Essentials for Nonprofits pt 1

Community IT Innovators Season 6 Episode 41

A Panel Discussion with Matthew Eshleman and Ian Gottesman.

In part 1, Ian and Matthew discuss an approach to cybersecurity for nonprofits, taking the first steps, and 3 steps you can take to prevent at least 80% of attacks. In pt 2, they talk about making cybersecurity training more engaging, and lessons learned this year. They finish by taking audience questions.

Our nonprofit cybersecurity experts discuss the current state of risks, and the best counter-measures nonprofits should have in their toolboxes.

Learn what are cybersecurity essentials for nonprofits, and how your nonprofit organization can meet the moment. 
Keep your staff, your networks, and your data secure in an insecure world.


Worried about nonprofit cybersecurity?

You aren’t alone. The nonprofit sector is seeing new attacks and politicization of work that was never political before. Most attacks we are seeing in our networks are still financial, not political – but that doesn’t make being a victim of these attacks better. AI is changing cybersecurity needs rapidly.

If you aren’t sure what you need to know, or who to ask, learn from our expert panel in this webinar where we will discuss cybersecurity essentials for nonprofits in accessible language, and lay out a plan for any nonprofit to put the basics of cybersecurity in place.

Secure your devices. 

Secure your accounts. 

Secure your data. 


In this new webinar, expert panelists discuss cybersecurity essentials and take Q&A.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

Community IT is proudly vendor-agnostic, and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.



Carolyn Woodard: Welcome everyone to this Community IT webinar, What Are Cybersecurity Essentials for Nonprofits, with Matthew Eshleman, who is the Chief Technology Officer at Community IT, and Ian Gottesman, who is the CEO of NGO ISAC. And they’re going to discuss the basic practices that can block about 80%, at least 80% of attacks and help you get your nonprofit on the right track to meet this moment. They’re also going to talk about how to engage your staff with cybersecurity, so it isn’t just something the IT team does, but something that everyone at your nonprofit sees themselves as a part of. My name is Carolyn Woodard. I’m the Outreach Director for Community IT. 

I’ll be the moderator today. I’m very happy to hear from our cybersecurity experts. I’m particularly excited because both of these guys are great at breaking down this complicated jargon into components and concepts in ways that I can understand. And I’m not a cybersecurity techie, so if I can understand it, I’m sure all of us can too. 


Learning Objectives

We’re going to learn a lot today. But first, I’m going to go over our learning objectives. 

So, by the end of the session today, we hope that you will learn what practices go farthest to protect your organization now, learn to train against phishing, always perform your updates, and prioritize identity management. Hear ideas on making cybersecurity more fun for everyone on staff and discuss some lessons that we’ve learned this year and next steps. 


Introductions

So Matt, if you’d like to introduce yourself.

Matthew Eshleman: Great. Thanks, Carolyn. It’s good to be here. My name is Matthew Eshleman, and as I said, I’m the Chief Technology Officer at Community IT. In my role, I’m really responsible for managing our back-end team that does all of the device and endpoint management for our over 200 clients. And I also work with our clients on cybersecurity strategy and implementation. Looking forward to talking with Ian today.

Carolyn Woodard: And Ian, would you like to introduce yourself?

Ian Gottesman: Sure. My name is Ian Gottesman. I’m the Chief Executive Officer of the NGO ISAC. And then I was a long-time IT leader at a series of nonprofits, which led me to my current role where we help other nonprofits with cybersecurity.

Carolyn Woodard: Awesome. And before we begin, if anyone isn’t familiar with Community IT, a little bit more about us. We are a 100% employee-owned managed services provider. We provide outsourced IT support, and we work exclusively with nonprofit organizations. Our mission is to help nonprofits accomplish their missions through the effective use of technology. We are big fans of what well-managed IT can do for your nonprofit. 

We serve nonprofits across the United States. We’ve been doing this for over 20 years. In fact, our 25th anniversary is coming up next year. We are technology experts. We are consistently given the MSP 501 recognition for being a top MSP, which is an honor we just received again in 2025. We always check the current list, but in the past, we have been the only MSP on the list serving nonprofits exclusively.

I just want to remind everyone that for these presentations, Community IT is vendor agnostic. We only make recommendations to our clients and only based on their specific business needs. And we never try to get a client into a product because we get an incentive or benefit from that. We do consider ourselves a best-of-breed IT provider. So, it’s our job to know the landscape, the tools that are available, reputable and widely used. And we make recommendations on that basis for our clients based on their business needs, priorities and budget. 

We got a lot of good questions at registration. We’re going to try and answer as many of them as we can. But anything we can’t get to, we’re going to go over to our community on Reddit right after this webinar. It’s r/NonprofitITManagement/ and we’ll continue to answer questions over there. And we’ll do that probably for the next couple of days as well. So, if you don’t have a chance to go right over there this afternoon, you can check us out tomorrow or the day after. 

And a little bit more about us, our mission, as I said, is to create value for the nonprofit sector through well-managed IT. We also identify four key values as employee owners that define our company, trust, knowledge, service, and balance. We seek always to treat people with respect and fairness, to empower our staff, clients, and sector to understand and use technology effectively, to be helpful with our talents, and we recognize that the health of our communities is vital to our well-being, and that work is only a part of our lives. 


Poll: Are You the Cybersecurity Person at Your Organization?

So, with that said, I’m going to go ahead and launch our first poll for those of you in the audience.

So, our question is, are you the cybersecurity person at your organization? Your answers could be: 

  • no, definitely not. That would be me. I’m definitely not the cybersecurity person at our organization. 
  • You could answer, yes, I am responsible for cyber. 
  • You could say, I have some responsibility for IT management, but I am not the tech or cyber person, or 
  • there’s another option of not applicable or other. And if you don’t mind putting in chat what your role is, that would be great for us to see if you feel comfortable sharing it. 

And Matt, can you see that?

Matthew Eshleman: Yeah, again, so it looks like we’ve got pretty even distribution here. About 20% say no, definitely not. 35% of folks here say yes, they own cyber at their organization, and then another 20% say we’ve got some responsibility, but we’re not the owner. And a couple of the people will say, hey, no, not applicable. So, good distribution there. So hopefully something for everybody.

Carolyn Woodard: For everyone. Yeah, thank you for sharing that with us. If you are not the cyber person, don’t worry. But thank you for coming here and wanting to get more educated on the threats and the protection that you can put in place; that’s a great step to take. 

Some of the people have been putting in the webinar chat, they’re a board member, level 1 IT support, director of IT, volunteer board member. So, thank you for putting that in and welcome to the webinar. All right. 


Poll 2: What is Your Organization Doing Now About Cybersecurity?

Then we actually have another quick poll right away. Oops, I just closed my polls. Hold on a second. Okay. It took me to close. I meant to go back. Okay. So, I’m going to launch this one. 

This question is, what is your organization doing now about cybersecurity? And your options are: 

  • hoping not to be a victim. We don’t know what we are supposed to be doing. If that’s you, there’s no shame here. So please just let us know and you’ve come to the right place. 
  • The second option is we’re worried. We’re taking some steps, but probably not enough. Also very, very common for nonprofits to fall in this bucket. So, thank you for letting us know that. 
  • Another option, option three is we have good practices in place, but we can always do more. And that’s something about cybersecurity that’s kind of a constant. You can always do more. It’s changing all the time. There’s new stuff coming out, new stuff you can do. 
  • And then that last option again is not applicable or other.

Ian Gottesman: So, what is your organization doing about cybersecurity? The most common two answers: we’re worried about it, taking some steps, but probably not enough. That was 41 percent, 17 out of 41. 

And then the second, or tied for that, is we have good practices in place, but we can always do more, also at 41 percent. And then 12 percent, five respondents, were hoping not to be a victim: we don’t know what we’re supposed to be doing. And then two people said not applicable slash other. So, I think that’s about where we can all be. 

One of the things to think about with cybersecurity is it’s a bit like health or wealth or a lot of other things: you can do the bare minimum, and it will make a big difference, but you can always do more. You can always eat more vegetables and be healthier or make more money. But if you can do enough to sort of do your day-to-day job and make sure that you can do your security, secure your information for your organization and your clients or users, whatever you want to call them, that is really where you should go, and sort of do it a step at a time. It doesn’t have to be this sort of great big unknown thing that causes you to cower in fear and stick your head in the sand like an emu or whatever.

Carolyn Woodard: I think doing something, like you said, doing something, taking a few steps, like maybe you’re not doing everything all at once until you feel like, oh, why should I even start? But it’s definitely worth it to start. All right. 


Cybersecurity Foundations

So, we’re going to move on. 

And Matt, I think you wanted to talk about this graphic, which everyone can find in our playbook, which is a free download from our site. I’ll post the link in the comments, and it’ll be in the transcript as well. But we use this graphic to talk about our philosophy of cybersecurity. So Matt, do you want to talk a little bit about it?

Matthew Eshleman: Yeah, I mean, I think it’s kind of building off of what Ian said, right? You can, you know, there’s always more you can do. And I think that’s a good kind of metaphor to keep in mind, right? Security is a, it’s a journey. It’s not a destination, right? 

You’re never going to get to the place where you’ve got all the security. So, there’s always more things that you can do. So, I like this graphic. I mean, I should, I wrote it or I developed it. But it really talks about, you know, the foundation of policy. That can be hard for organizations, but it is good to have, you know, kind of a common language, set of instructions that just kind of talk about how do we think about IT at our organization. 

You know, it can be in plain words, right? Like, what are we going to do about personal devices? How are we going to treat interns and volunteers? What’s our password policy going to be? Where are we going to store our data? You know, so just starting off with that foundation of policy helps make some of these other decisions a little bit easier. Building on that, you know, we feel pretty strongly that’s engaging and training users is probably the best investment that you can make in terms of organizations that have limited resources to spend on IT.

Just engaging staff, getting them trained, kind of showing them some of the basics, you know, really does bear a lot of fruit. You know, once you get beyond kind of trained and engaged staff, then, you know, there are lots and lots of different technology tools that you can layer on top of this. I mean, it really can be a daunting process. But, you know, if you’re working with a good partner, you know, they will have some good solutions in each of these different areas. 

You know, and then kind of at the very top, we have this layer that we call compliance. And what we find in working with the small to mid-size nonprofits that we have, you know, everybody wants to have a good foundation of IT policies. And we are seeing, you know, more and more clients are getting into that realm where, you know, because of their financial audit, they are now required to maybe do additional security practices. 

Maybe they are, maybe they were getting some government funding that required adherence to certain policies or kind of compliance framework. So, you know, organizations typically aren’t jumping, you know, both feet into kind of a full-on compliant framework at the beginning. But, you know, maybe it’s something that you do after you take care of some of these basics. So that’s a way that we like to think about it and kind of build out those recommendations. And that’s built into the Cybersecurity playbook that we’ve provided.

Carolyn Woodard: Yeah, and I just shared that link and it will be in the transcript, too, if you’re listening to this later. 


Cybersecurity Essentials for Nonprofits

So, I wanted to move on, and this one I want to turn to you, Ian. You had mentioned, when we started talking about doing this webinar about covering the basics, I think you said that if all nonprofits did these couple of things, they would immediately prevent up to 80% of attacks, which is a lot better than 0% of attacks. 

So, as you and Matt talk about these basics that you pointed out for us, I wonder if you can also talk about the barriers to putting the basics in place for these different categories. We know our nonprofits are worried about cybersecurity. All of you here today in the audience are worried about it. Once you know that you should be doing these things, it’s also helpful, I think, to discuss why it can be hard to put them in place. So, Ian, do you want to kick us off?

Ian Gottesman: Yeah, I mean, these sort of three, Cybersecurity 123, ABC, whatever you want to call it, are really the core, the foundations of all the stuff you’re doing. And whether you’re using CSI, CIS controls, or some other methodology to help you with that, like the Verizon breach reports, you can see that these things come up over and over again. 

And it can be hard. Like even, quote unquote, the basics are not easy. Like, you know, making sure you have updates running on all your computers requires, for example, having an inventory of all your computers and phones that have your company’s data on them. And that may include personal devices, right? A lot of us are in organizations where we provide our staff laptops and not phones, or maybe not even laptops. 

And so, they’re kind of intermingled work devices and personal devices with all kinds of data in there. But yet, you have a responsibility to make sure your client or your users or whatever your data is secure. 

So, you really have to kind of think about this and just start with simple things and start with baby steps. So, if you’re a super small organization with one person who’s managing IT and HR and finance, which is not that unusual in a lot of nonprofits when they’re starting out or just aren’t big, how do you make sure that people are running updates? 

It could just be as simple as setting up a meeting with them, whether it’s in person or online, and making sure they’ve turned on automatic updates on their laptop and their phone so that they get the latest things automatically. Like I just had to install an update right before this call. 

And then anti-phishing training could be something you pay thousands of dollars for, or tens of thousands of dollars for, to train your staff, or do it asynchronously, or you have a trainer come in and do it. It could be as complicated as that. Or it could be as simple as you have some reminders that you give people once a quarter, or once a year, or once people start. You have a document that you’ve created, or someone like Community IT, or the NGO ISAC, or whoever has created for you. They go through a presentation. 

And then identity management is two words, but it’s a lot, like trying to make sure you have unique passwords and you’re using multi-factor authentication or pass keys or physical keys.

But there’s a lot of different tools and places and ways that can help you with these things. And you just start with a simpler version of it. You’re not going to have single sign-on, SSO, right out of the box if you’re a small nonprofit. That maybe will add more security, and physical keys from someone like Yubikey, or Passkey, which is like using biometrics for your password, for that second factor. Right out of the box, you can move towards it. You can make sure that you’re all using a free or low-cost password locker, for example. There’s a lot of them out there that are free to use or based on open source. 

And start with that and then mature yourself up. You got to kind of crawl before you walk or you run. And you got to just not be intimidated and not start. Start anywhere. And go from there. 

You can’t, you know, it’s like the analogy we keep making with health and wealth or other things. You can’t eat a field of broccoli on January 1st and then not eat vegetables any day for the rest of the year. You’ve got to do a little at a time.

Carolyn Woodard: I love that. Speaking as someone who may have tried to eat a bunch of broccoli in January. 

We do have a question in the Q&A. What are CIS controls? 


Identity Management

And I wonder if while we’re on this slide also, we could maybe talk a little bit more about what is phishing? What is anti-phishing training and why identity management is important? What can happen if you don’t have good identity management?

Ian Gottesman: I mean, identity management is just how you log into things. Increasingly right, we’re all sort of working in a remote cloud first world where we’re like logging into things and we don’t have complete control over our stuff. 30 years ago, when I started out in IT as a little intern in graduate school, my first day we walked in and we had a meeting. 

I was in an IT office at a state agency in Florida where I’m from. And they proudly got up and said, we’re the first agency in our division or whatever it was. I forget the exact thing. They had set up a firewall, and we had this very cool firewall called Eagle Raptor Firewall which I still remember 30 years later because it has a very impressive name, it sounds like a cartoon. And all the bad stuff on the Internet is kept outside with the firewall and all the good stuff is inside. And as long as you work inside the firewall, everything is safe and the firewall is going to guard us. And it’s a firewall and it’s full of fire and walls and it’s an eagle and it will claw you up. 

And that was the analogy 30 years ago is that the Internet was bad and everything outside was bad and everything inside was good, kind of like an egg. And that’s still true, probably wasn’t true then either.

And that sort of increasingly now we’re all using things in different ways and very little of it is hosted inside like it was inside our firewall like it was a million years ago when I was in grad school. And we’re using, we’re logging in to those things. We’re logging in to Office 365 or Google or Salesforce or NetSuite or Intacct or all these cloud-based tools that run our day-to-day operations. And then there’s probably many more that I haven’t thought of. 

And you have to make sure that when you log in to those tools, it’s giving the right person the right access that you want. Somebody can’t impersonate a staff member of yours and then send a bunch of money to the wrong place, which is the most common form of fraud. Or use an account that’s shared across a bunch of different people because it’s easier to do that than set up individual accounts. 

You really have to make some time and effort and design things correctly from the get-go so that you’re managing individual access to tools in a way that makes sense and that protects the data of your staff, the data of the people you work for and with, and make sure that you are taking your responsibility, your duty of care for all the things that you’re supposed to do. 


What are CIS Controls? 

Then the question about what are CIS controls. CIS is the Center for Internet Security. It’s a big nonprofit that helps set up standards for cybersecurity and internet security. They’ve created these controls that you can use, I think there are 20-something, that you can use to measure your security, and then you can like go and take a test and measure your controls, your standard, your organization’s standard versus, say, other peer organizations or other types of organizations.

And sometimes when you get like an IT audit, that’s what they’ll use to do it, CIS controls. And they have controls for things like identity management and updates and inventory that a lot of people use as a standard for cybersecurity and IT sort of maturity.

Carolyn Woodard: And is that https://www.cisecurity.org ? For Internet security?

Ian Gottesman: Yeah, yeah, yeah.

Carolyn Woodard: All right, I will put that in the chat, and it’ll be in the transcript too. So, you can look it up yourself.

Ian Gottesman: And they have a ton of different cybersecurity tools for nonprofits, or for anyone, but they’re a nonprofit and they have some pricing for nonprofits to do a bunch of different things in varying degrees of price and options. And they’re just a partner that we’ve worked with.


Anti-Phishing Training

Carolyn Woodard: Matt, if I can turn it over to you just for a minute or two. We do a lot of anti-phishing training with our clients, and we find that very effective. So, can you talk a little bit about what it is and how it works? Ian was saying, you know, you can get really expensive, fancy ones, or it can just be meeting together in the conference room and talking about what phishing is and how to be careful. 

Can you talk about like kind of our medium range of what we recommend people do?

Matthew Eshleman: Yeah, I mean, I think, as Ian said, right, you can do 20% of the work and get 80% of the protection. 

I really think that’s true as it relates to email. As we support organizations, it’s very apparent, right? I mean, almost all of the account compromises or like the wire fraud that we see, it all starts with a malicious email.

And we would call that phishing, where the sender of the message is obfuscated or the link that they’re sending you is obfuscated or has some way that it’s hiding its intent or its result. And so, the link that you thought you were clicking on to get access to the document from a partner, well, maybe that actually is, the partner maybe has a compromised account. And so now that attacker is sending you a link that’s able to steal your credentials or access to your systems. And so now, you’re kind of another victim.

And so being able to identify, as an end user, is this message legitimate? Is it from who I think it’s supposed to be from? What should I do if I click on something and it doesn’t look quite right? Building all of that expertise and knowledge is important. 

And again, so there’s lots of free training resources out there. CIS has stuff, CISA, you know, the government agency has training resources that are free. And so, if you have the time and can kind of organize those and point folks in the right direction to get to that stuff and make sure folks are taking it, that can be a good resource. 

We do a lot of managed security training, you know, through a platform called KnowBe4, you know, there’s other online security training tools that are out there. 

But, you know, those tools are really helpful because, you know, you get a little bit more granularity in terms of, you know, maybe which users are getting which training. You know, you can kind of take it, you know, it’s an online learning management system, right? So, people can take training whenever it’s convenient for them. 

And then the other nice thing is you can do a little bit of testing. You know, you can see which users maybe are more prone to clicking on those links that are going to come across and maybe, you know, which folks need some additional training resources to help them identify areas. 

And I think the other thing is, you know, in terms of training, there’s a whole bunch of different training content out there. And some people might like the formal kind of stilted approach. It’s very like, here’s the detail and here’s how a website link is constructed. And, you know, here’s what the WWW means. And, you know, one of the things about KnowBe4 we like is that they have some really engaging, you know, like mini-series style content where, yeah, it’s like a little like mini show and they’re just like dramatically representing like what happens when you click on that link. 

And I don’t know, that’s not the training for me, but we get like really great feedback when people take that. And I think if you can make training fun and engaging, educate people, give them the freedom to like ask questions, you know, talk to other people, share their experience, you know, I think that all works better. 

It’s important, you know, for these emails, right? It’s good, right? Whenever we send out those test phishing messages, and we see, you know, the result, like people are like, oh, is this phishing? Or somebody forwarded this to me, asked me to take another look at it. Yeah, that’s great. That’s what you want to do. Take a second look at it.


Joining NGO-ISAC

Carolyn Woodard: Yeah. We do have a question, Ian. Someone asked if there’s a fee to join NGO-ISAC.

Ian Gottesman: We’re a Pay What You Can organization. We’ve been lucky to have some foundations help us with most of our operating costs. But based on your revenue, we have some guidelines. But if you want to join for free because you don’t have the ability to pay right now, that’s fine. You can just join through our website. Join through our website and we have a community online. We have weekly briefings. Not honestly that dissimilar from this. And Matt has given one of those. We have an in-person conference. It’s December 3rd in Washington, DC at the Brookings Institute for Nonprofits.

Carolyn Woodard: Ian misspoke. It is actually December 4th. It’s in Washington, DC at the Brookings Institution. And you can register on his website, ngoisac.org. That’s ngoisac.org.

Ian Gottesman: And we’re sort of going from a totally volunteer-run organization, where we were a year and a half ago, to having staff and kind of moving up to providing more than just a community to help our sector protect itself. 

I wanted to kind of double click on a couple of things Matt just said. 

One really good resource, which is run by another nonprofit, the Aspen Institute, is Take9. It’s a nice free online tool that is designed for sort of everybody to use to learn how to do some training. If you’re in the Washington DC area, you may have seen some of their public service announcements that they did around the holidays last year. They did some advertisements in the metro and on billboards and stuff. 

And then the most common type of Internet fraud involves phishing. It’s called BEC, Business Email Compromise. That’s basically where someone gets in the middle of a conversation you’re having with the vendor and misdirects funds. It can be a small amount like your printer vendor or your paper vendor and maybe a few hundred or a few thousand dollars. Or it can be a really large amount like it gets between you and a grant making organization and your annual grant of hundreds of thousands of dollars can be misdirected and it can be quite scary. 

One thing I would like to say is that the FBI is really, really successful at redirecting those funds. So, if that happens to you or your organization, you’re a victim of a crime, and you should report that crime immediately, as soon as you possibly can, to the FBI, to the IC3 website.

I think the IC3 stands for Internet Crime Communication, Internet Crime and something. But they have an 80% recovery rate if you can report it in 72 hours. So, if you’ve realized you’ve had money stolen from you, you can immediately go there and report it. 

The person who did it may or may not be punished for the crime because a lot of these things are happening outside the United States. And so, we can’t, our government, our law enforcement agencies can’t do a lot, but they can work with SWIFT and other banking institutions to pull your money back. And so that’s a really important thing: you’re a victim of a crime. 


Don’t Be Ashamed If Your Organization is a Crime Victim

You shouldn’t be ashamed of what happens to you with something like BEC or any sort of cybercrime, honestly. And you should report it to local law enforcement in places like Washington, DC or Northern Virginia, Maryland, where I think most of us on this call or the speakers on this call are, or, in the case of the US, report to the FBI. They have large numbers of people dealing with cybersecurity and cybercrime and they can help you recover money, get more information to you. They may come back to you with questions if they have them. 

But it’s really important that cybercrime is dealt with as an analogous physical crime would be. Like if someone were to drive through the front door of your organization in a big truck, run up the stairs, rifle through your finance office’s files, steal all the finance files if they’re interested, run back down and then drive out of an office in, say, DuPont Circle, where I used to work, or any number of places in downtown Washington. That would be on the front page of every newspaper, it’s so crazy. 

But if they do the analogous thing of like break into your file server and rifle through your CFO’s files, somehow that’s okay and that’s not nearly as bad and that’s the CFO’s fault because they didn’t have the right password or didn’t do security as well as they could have. I don’t think that’s true. 

I think that that crime is just as serious if it happens in the cyber world as in the real world, and it should be reported to law enforcement and dealt with as a crime, and you’re a victim just like anything else, and I think that’s something that people kind of forget.

Carolyn Woodard: Yeah. Thank you for that analogy. I think also we always say don’t try to, don’t be so embarrassed or ashamed that you try to fix it yourself. Like that’s a criminal on the other end of what happened to you, and you don’t want to be trying to go after them. 

So, I do want to move on to this slide about protecting nonprofits, talking about risk assessment and some more basics. 

But I noticed that neither one of you really addressed, how can you get going on this if there’s some barriers at your nonprofit that are preventing you from taking these steps? 

So, I’m actually going to turn it out to the audience. 

While we’re discussing this slide, if you want to put in chat, if you’ve encountered barriers at your organization that are keeping you from getting going, please go ahead and put those in chat, and we’ll ask Matt and Ian for their thoughts on that. 


Realistic Risk Assessment for Nonprofits

But I wondered if I could get you to talk to us a little bit. I think Matt, this was one of your topics you wanted to talk about. I know a lot of cybersecurity companies use fear to sell their services, and there’s a lot of anxiety in the nonprofit sector now. So, can you guide our listeners as to how they can think through risks, do realistic risk assessment now?

Matthew Eshleman: In general, cybersecurity is kind of a fear-driven sales model. That’s how a lot of vendors come about it. Maybe for your organization, that is the only thing that gets people out of their complacency and will make them kind of take those steps. 

I think every organization is a little bit different. I think if you’re in the role, maybe cybersecurity is not your responsibility, but you have some involvement. I think understanding what levers to pull at your organization to move things forward is helpful. 

Maybe it’s that cyber liability insurance application. That’s a good way to say, hey, we have this application, they’re asking for all these controls. We’re not doing any of these. Let’s pick one or two that we just need to get started and then you can build momentum. 

You don’t have to eat the field of broccoli today, but take a bite, take one step. 

Maybe you’re going to enable MFA, maybe you’re going to sign up for a security awareness training, maybe you’re going to use a free training just to get started, and then once you see that successful, you can move on to the next thing. 

I would say the other thing that’s important to understand is just from the risk perspective, what does your organization’s risk profile look like? What’s your biggest threat? How likely is that going to happen? What protections do you have in place to help mitigate against that risk?

I think just generally, being an organization with online resources, the biggest risk most organizations have is cybercrime that’s perpetrated through fraudulent email that targets your finances. That’s a very common, if you’re a one-person organization to like a 200-person organization, that’s the most likely thing that you’re going to experience. 

Maybe organizations that work in policy, maybe they have a little bit of a different threat profile maybe. But that’s the most likely thing that’s going to happen. 

And so just take a step back. What are you concerned about as an organization? And how can you put in protections to help address those most likely scenarios so that you can address that and then move on to the next thing?

Carolyn Woodard: We’re getting lots of great suggestions in the chat around barriers. So, I will include some of these in the transcript anonymously. I’m not going to say what you said your barrier was, but they’re really helping think through some of these barriers. 


Barriers to Putting Cybersecurity in Place at Nonprofits

  • Affordability of the training
  • Staff capacity
  • Uncontrolled private devices
  • Management cooperation
  • Keeping up with changes
  • New hires are most at risk of getting phishing emails from senior leadership within first week on the job
  • Biggest challenge has been knowing where to begin, then getting buy-in from staff.
  • Tip from chat: get people to think of data (especially personal confidential information) as a child’s favourite toy or their most prized possession and ‘how would you feel if someone ran off with it’

And so, we’ll also, if we don’t have a chance to talk about all of them because we only have an hour, I’ll get Matt and Ian to give me some thoughts as well on that and I’ll put them in the transcript too. So, look back for that.