2026 Nonprofit Cybersecurity Incident Report with Matthew Eshleman pt 2 Artwork

Community IT Innovators Nonprofit Technology Topics

Community IT offers free webinars monthly to promote learning within our nonprofit technology community. Our podcast is appropriate for a varied level of technology expertise. Community IT is vendor-agnostic and our webinars cover a range of topics and discussions. Something on your mind you don’t see covered here? Contact us to suggest a topic! http://www.communityit.com

All Episodes

Community IT Innovators Nonprofit Technology Topics

2026 Nonprofit Cybersecurity Incident Report with Matthew Eshleman pt 2

April 24, 2026 • Community IT Innovators • Season 7 • Episode 31

0:00 | 31:52

In Part 2 of the 2026 Nonprofit Cybersecurity Incident Report, Community IT CTO Matthew Eshleman walks through the real attack examples his team saw hitting nonprofits in 2025: scareware pop-ups, fake invoices, DMCA impersonation notices, HR job scams, and calendar phishing. He also unpacks eight years of incident data and what the numbers actually mean — including a 70% spike in malware activity and a surprising drop in phishing reports that turns out to say more about tools than threat actors.

The conversation closes with a practical look at what nonprofits should prioritize in 2026, from phish-resistant MFA to AI governance — because the gap between what your org has authorized and what your staff are already doing is quietly becoming one of your biggest risks.

Haven't listened to Part 1 yet? Find it in your podcast feed.

This episode covers:

A 60% drop in reported phishing messages sounds like good news — but it reflects a tool switch, not a safer threat landscape, and underscores the value of regularly reevaluating your tools and using best of breed protections.
Malware and endpoint virus activity surged 70% year over year, with AI enabling less sophisticated actors to launch more targeted attacks.
Real attack examples from 2025: fake invoices with convincing ACH details, DMCA legal threats, HR job scams using your organization's identity, and calendar invites engineered to create urgency.
New staff, HR contacts, and finance and operations roles are the highest-value targets for social engineering — and your training program should reflect that.
Ungoverned AI is a growing data risk. Staff are already using free AI tools, and the downstream exposure is only beginning to show up.
A strong cybersecurity foundation in 2026 means IT acceptable use policies, formal security awareness training, phish-resistant MFA, cloud identity monitoring, and consistent patching.

Resources Mentioned:

Nonprofit AI Governance Tips Webinar — May 27 with Senior Consultant Nuradeen Aboki
Nonprofit Cybersecurity Playbook — Community IT Innovators
Nonprofit IT Management Community — Reddit
How to Use AI Tools Safely at Nonprofits — Community IT Webinar
Talk to Matt About Your Cybersecurity Questions — Community IT

_______________________________
Start a conversation :)

Register to attend a webinar in real time, and find all past transcripts at https://communityit.com/webinars/
email Carolyn at cwoodard@communityit.com
on LinkedIn
on reddit/r/nonprofitITmanagement
on the Community IT website

Thanks for listening.

Community IT Intro 0:23

Thank you for joining this Community IT podcast, part two. You can find part one in your podcast feed if you subscribe wherever you listen to podcasts.

Carolyn Woodard 0:34

Welcome everyone to the Community IT Innovators Webinar, Nonprofit Cybersecurity Incident Report for this year with Matt Eshleman, our Chief Technology Officer. So my name is Carolyn Woodard. I'm the outreach director for Community IT. I'll be the moderator today.

Matthew Eshleman 0:53

So my name is Matthew Eshleman. I'm the Chief Technology Officer here at Community IT.

Carolyn Woodard 0:58

Matt, let's go on to the next slide and talk about some of these new cybersecurity attacks.

Matthew Eshleman 1:04

Yes, so I am looking forward to talking about that. And the kind of the big news is after, you know, I feel like we've been doing this, you know, this is now our eighth year of, you know, analyzing all the data, right, that are, like I said, our 8,000 um nonprofit staff that we support, right? Submit to our team. Um, you know, so

Matthew Eshleman 1:25

For after many, many years of it basically being like everything's the same except more, um, you know, we have had a couple of things that were different uh last year. And so

Matthew Eshleman 1:35

One was really the big increase in viruses and malware that were, you know, uh largely detected and blocked by our endpoint protection tools, but then also, you know, reported, um, reported by uh by clients. And um, you know, I think you know, this is something where AI uh you know is creating new attack methods from both outside the organization, right? It's easier for these threat actors to kind of create new and novel um attack methods. Um and then I also you know would say

Matthew Eshleman 2:07

We also saw some results of of self-inflicted uh you know kind of virus activity, right? That people were kind of creating scripts to do things that they maybe didn't fully appreciate or understand um what they were asking or how the script was actually um working. And so, you know, we saw that too, right? So it wasn't just you know bad guys from the outside attacking the organization. Uh it could also be you know people trying to you know automate you know some process, uh, but the way the script was running on their system, you know, wasn't wasn't safe or wasn't wasn't secure. Um and again,

Matthew Eshleman 2:39

I think this is only certainly going to increase um such as tools such as right this new the new Claude Mythos, right? Everybody's uh it's the big buzz. Um this right, tools like that that are so good at identifying vulnerabilities, um, and most concerningly, right, maybe not in a virus that they're gonna send you directly, but identifying vulnerabilities in libraries or modules and processes or applications that are part of the enterprise tools that you've already deployed, um, I think is the big risk. And so again,

Matthew Eshleman 3:09

Just this week, you know, coming out of that was an example of a vulnerability for the Wolf SSL or like a TLS/ SSL library that can weaken um the security of certificates, right? And so certificates and um that process uh really underpins a lot of the security on the internet. And so if there's a weakness in a the way that you can trust or generate certificates, has you know a whole massive series of cascading effects. And so uh, you know,

Matthew Eshleman 3:36

We've had a couple of examples of pretty serious um, you know, kind of supply chain uh attacks, right? So some vulnerability in some system that you use down the road um is impacted. Uh, you know, I think the fear is, and I think justifiably so, is that these are really going to increase. And so um

Matthew Eshleman 3:52

There's gonna be a lot of patching and updates and reconfiguring to make sure that we can kind of secure the whole ecosystem of the technology tools that we that we use. Um again,

Matthew Eshleman 4:04

We saw a ton of fake invoices kind of make its way through into organizations. Uh you know, again, these are maybe uh, and we have some examples of that coming, um, coming on. Uh, you know, fake, you know, uh uh

Matthew Eshleman 4:18

DCMA takedown notifications, right? Digital Millennium Copyright Act, you know, these formal legal requests, right? If you use some copyrighted information on your website, uh, right, you're supposed to take that down. Uh, right. So the threat of kind of this coercion, uh, you know, we saw really, you know, um pretty pretty common examples of these kinds of attacks making its way through. Um and you know,

Matthew Eshleman 4:42

The attacks again are also not just against the organization itself, but certainly create chaos in the organization is an increase in HR scams that trade on the organization's identities. And so we saw this again, it wasn't a risk necessarily to the organization itself, but uh there was there were a number of cases where uh people would get lured into or kind of scanned into applying for jobs that they would get with the organization. And then you know, that attacker would say, Hey, I'm from you know, nonprofit.org. Like we're really excited for you to become our new development associate. You know, here's your you know, onboarding form, and you know, go ahead and purchase uh, you know, purchase your equipment and send us your bank information and we'll reimburse you for it. Um, right? I mean, those we saw you know numerous examples of that where the organization's identity uh you know kind of was exploited for for those types of um scams. Uh and again,

Matthew Eshleman 5:45

This kind of long-winded, right? There's nothing malicious, right? No virus activity in that scam, but lots of long-term and kind of confidence um building. Um then finally, right, we saw a lot of this uh new calendar phishing where uh you would just get like an invitation dropped on your calendar uh and and and right, and they were just kind of creating this sense of urgency, like I need to click on it. Um, you know,

Matthew Eshleman 6:09

The calendar invite process itself, uh, you know, there could be some kind of um exemptions created in that in your email security tool, right? That that can be um exploited. Uh typically if you do have third-party email security, then you know, if there's malicious links like those will get identified and blocked. But again, it it just creates a lot of chaos whenever you're starting to see those things in your calendar. Uh and uh again, it's kind of the first step for uh you know these kind of longer-term confidence um scams.

Carolyn Woodard 6:39

So thank you for sharing all of those. And uh, we did have somebody in the chat um say in response to that thought question of what are you not doing anymore? Uh, this question about changing your password or having a password keeper, that sort of thing, it's not as effective. So, how frequently should you make users change their passwords or what's our advice on that?

Matthew Eshleman 7:04

Ooh, that's great. So you should set a good unique password and not change it. And

Matthew Eshleman 7:09

That is updated guidance that's supported by NIST and by Microsoft and kind of all the best uh kind of cybersecurity guidance, right? So just creating new passwords like doesn't make you more secure.

Matthew Eshleman 7:21

You should create a strong, unique password, you should protect it with fish resistant MFA and use a password manager, right? So those are the things that are uh are are good. So um, so

Matthew Eshleman 7:33

As we kind of transition to looking at some of the examples, and I'm seeing the chats come in, we've got some great uh examples coming up. You know, I think cybersecurity uh in general, you know, I think in this space, it it does seem to be really geared towards a lot of like fear, uncertainty, and and doubt, uh, right? We've got to scare people into compliance or into doing things. Um, but again, it's also

Matthew Eshleman 7:54

I think worth taking a step back and having some perspective, right? So if if a lot of these schemes kind of build on your confidence, um and if somebody walked up to you on the street and was like, hey, I'm your executive director, can you, you know, buy me a gift card, right? It'd be pretty easy to tell uh that that's you know not your executive director, but in the digital world it's not that easy, particularly in our new AI, you know, world where it's it's you know, yes, it is really hard to trust. Like, can you see what you're you know, is is what you're seeing online um uh you know kind of actually happening. And so um, you know, so a lot of that confidence or kind of um kind of trusting what you see is uh is at the root of a lot of the attacks that we saw in 2025.

Carolyn Woodard 8:37

Yeah, and now we're gonna get to some of the attacks. We're afraid we're gonna have to move through them a little bit quickly, but this is definitely someone I know people who have seen this. Um and so what do you do when you see this?

Matthew Eshleman 8:49

Yeah, so this happens a lot. This is what I'm gonna call scareware, right? So there's nothing necessarily malicious about this other than uh, you know, please contact us immediately, right? Your computer has a virus, you gotta call us right away, gives you a number.

Matthew Eshleman 9:04

I actually called this number, uh, it's since been disconnected, but um that would have put you in touch with a very helpful person who would have taken your credit card information, uh, charged you a couple hundred bucks, and then basically done nothing.

Matthew Eshleman 9:15

So if this happens to you uh and you're on a Windows computer, all you need to do is press Alt F4, it closes the open window, and you can kind of go about your day, right? So this is again uh very tricky uh to deal with, a very tricky to kind of prevent. Um, but again, a little bit of knowledge, the ability to hit all the four, right, solves uh a lot of the problems uh that that you um would encounter. And again,

Matthew Eshleman 9:42

This is something you know where I think it's good to tell your friends and family, maybe your parents, um, don't call that number for help if you ever see anything weird, right? They can call you, turn your computer off, right? Like all those are much better uh options than uh calling the number on the screen.

Matthew Eshleman 9:58

And that's a good you know takeaway, right? Having a pre-verified number to call in case you have any IT support issues or or or or um finance, so to speak.

Carolyn Woodard 10:07

And I think also making sure that your family members and your coworkers, your colleagues know that they can talk to you about this. They shouldn't be embarrassed if they click on it or call that number - that you're a person they can talk to about it, because that's the other emotion that these scammers try to build on is you're too afraid to tell someone that you might have made a mistake.

Carolyn Woodard 10:27

So making sure your training is all around that openness of like it happens to everyone, just know, like tell someone.

Matthew Eshleman 10:35

Yeah, yeah, exactly. You know, kind of um, you know, maybe going back to my comment earlier, right? If somebody walked up to you on the street and said, hey, I'm your executive director, you know, buy me some gift cards, you would just ignore it out of out of kind of out of hand. The same way, right?

Matthew Eshleman 10:49

We see a lot of these impersonations, right? There's nothing inherently malicious about this message, right? No viruses, no attachment, no QR code, but it's just an ask. Um, and so again, it's good to have um those that internal knowledge. Is this something your organization would do? Uh, can you determine if this is actually coming from your CEO or not? Um, but again, having all those education pieces um makes it a lot easier to yeah, identify this, delete it, right? Move on. You don't need to spend a lot of time um uh on that.

Carolyn Woodard 11:21

I want to hear about the invoices.

Matthew Eshleman 11:24

So I think the invoice one again um is something that we saw uh and got a lot of buzz, right? Look very official. Um, I think maybe a little bit the wrong target demographic for our clients, right? I'm not sure how many um of our nonprofit clients are just kind of signing up for you know $90,000 worth of comprehensive reports and analytics, but you know, you could it could be, but again, really um, you know, kind of pretty official uh looking receipts. I think the thing that you know I liked or maybe I didn't like is you know, right, it's Citibank has the H ACH number, right? Looks pretty um official, uh, has all these dip details, uh, and you know, you got all the information here. And you know, like I said, financial fraud, like just asking, just asking for uh just asking for the money. That's the best way.

Carolyn Woodard 12:17

And I love it, like pay on time so you don't have any delay fees. And they gave them a discount. Also, they're like, see, this is totally legit.

Carolyn Woodard 12:27

Thank you, another one, right?

Matthew Eshleman 12:29

Yeah, so you know, and again, I think these types of attacks, I think, are good to highlight that from a cybersecurity perspective, right?

Matthew Eshleman 12:36

Good cybersecurity controls are best when they combine both a policy and a technology, right? So it is possible that you received an unsolicited invoice, maybe got blocked by your spam folder, right? That would be great. But it's also possible that you received uh, you know, a pretty convincing fake invoice, you know, with updated banking information from a trusted sender. Maybe they're compromised, they had an account compromised.

Matthew Eshleman 13:00

And so in that case, you know, the process that your organization follows to updating banking payment information is the cybersecurity control. You know, is that something that just one person can change on their own? Is there a threshold? How do you verify new information? You know, all of those um, you know, policy controls are in place to help support the technical protections and kind of vice versa, right?

Matthew Eshleman 13:22

So we can't just rely entirely on policy, and I think we can't um rely entirely on um uh technical controls, right, to protect these kind of things from from making their way into our inbox.

Carolyn Woodard 13:36

I love how this one and that impersonation one also had the kind of grooming language of um for compliance reasons, make sure you don't tell anyone. So just watch out for that. Or like you can't use bill.com. I know that's what you usually use, but we're not allowed to use it. So just give me the check.

Matthew Eshleman 13:55

Yes. Uh yeah, and I think speaking on playing on kind of that insecurity, I think a lot of the the kind of these D MCA takedown um notices, right, kind of play on that uh, you know, kind of uncertainty, right? You're kind of presented with this like vague legal threat that you're gonna get sued or like something is gonna be, you know, something is gonna happen, right? And so often these types of attacks, right, are gonna prey on that uncertainty or that lack of knowledge.

Matthew Eshleman 14:22

And then either, you know, kind of initially, right, like download evidence PDFs, right? Here's all the stuff, right? These are ways to, you know, engage, right? Create compelling uh reasons for you to click. Um, and so again, being able to have a little bit of understanding, have a process in place. Uh, yeah, is this legit? Is it not? Um, again, you can delete it and delete it and move, uh, delete it and move on. And again, we have a lot of you know,

Matthew Eshleman 14:49

HR tends to be um, you know, kind of a highly targeted area, you know. So, in terms of people at the organization, or or maybe more accurately, roles at the organization that we see um kind of receive a lot more uh attention than others.

Matthew Eshleman 15:03

So certainly new staff are kind of one category, right? So new accounts in the organization, people post, hey, I'm working this great org, right? They get targeted uh a lot because they're not as familiar with organization policy and norms. And so they get targeted a lot for gift can give gift card scams because they don't you know have that uh relationship yet. Um,

Matthew Eshleman 15:24

And then we see a lot of things of things print on HR, right? HR emails, again, because it's that kind of compliance or uh interaction, right? Those are very appealing for people to click on at a much higher rate, right, than kind of other types of messages. Um, and so you know, kind of HR uh emails are are good, you know, kind of really risky candidates. Uh and then

Matthew Eshleman 15:47

I think you know, kind of the finance and operations department s. Like those people in those roles tend to get targeted a lot more simply because of the access uh that they have um, you know, to other you know resources information in the organization.

Carolyn Woodard 16:02

Yeah, for sure. Well, we're gonna have about five, 10 minutes until we get to questions. So if you have more questions for Matt, make sure to get them in. And Matt, let's look at some of the data.

Matthew Eshleman 16:12

Yeah, so you know, kind of uh, you know, drum roll. This is you know, eight years of of cumulative um data, and we'll kind of dig into it a little bit. But like I said, you know, um uh you know, this is uh, you know, not a peer-reviewed statistically uh normalized um data, but you know, kind of reflects you know an increase in the number of clients that we support and a change in technology controls uh over time, right? We don't have, you know, all of our clients don't all have the same tech profile. Um but um that being said,

Matthew Eshleman 16:44

I think the really interesting things that we see uh particularly in this top categories, right? Um spam and email, is that um year over year we actually had fewer uh messages reported to our support desk from that were considered, you know, kind of spam, just kind of unwanted, like this is junk cluttering up my inbox, um, and also phishing messages, right? So a drop of about 20% year over year um in spam messages, um, and a drop of over 60% in in phishing messages. So um, you know,

Matthew Eshleman 17:17

We'll talk you know about the trends kind of in summary, but again, we switched tools. So again, we you know, so um I don't think that there was less spam and less phishing messages in the world in 2025. I think that number in general increased, but we switched email security tools, uh, and I think that had a meaningful impact, right? So having you know, reiterated to me, and it was really interesting to see this number is is that yes, the tools that you have in place are important, and continue reevaluating and redeploying kind of the best in class tools to protect your organization does make a difference, and we see that in the data um that we have. Um,

Matthew Eshleman 17:55

The next class of mess of events here, right, where we see the 101 and 57, right? So these um these numbers here are um kind of the increase in malware. So largely that would be the scareware, right? Those pop-up messages, right, that are really disconcerting, right? You're not expecting it. They pop up. Sometimes they play sound and music, like it's really wild. Um, but so we had over 100 of those reported to our team, um, which is an increase of over 70% year by year.

Matthew Eshleman 18:24

And then we had an increase of you know, from 13 to 57 things that we would classify as virus, like malicious endpoint activity. It was, you know, almost entirely identified, killed quarantine by our um endpoint antivirus protection, but that represents, you know, almost none in the previous years. Um, and

Matthew Eshleman 18:45

So that was really striking again to me as well, to say, hey, like we basically have had the same endpoint protection scheme, right? We're still doing patching, we're still doing a lot of stuff, we have good endpoint um security, but the amount of things that were getting launched um on the endpoints really increased uh dramatically. And again, you know, uh

Matthew Eshleman 19:06

I think again you can kind of see like maybe this is the use of these AI tools kind of seeping in and kind of making uh you know the targeting more sophisticated or you know, less, you know, like less capable of users, right? But they can they can now do a lot more than than maybe they were able to before. Um, you know,

Matthew Eshleman 19:23

Fortunately, ransomware is still a zero. Again, I think that is a again, a thing to be aware of. And if you have physical servers and like a traditional network, I think it is still very risky. Um, but again, for most of the nonprofit organizations that we're supporting, we're almost entirely cloud. This ransomware attack hasn't hasn't made that leap yet. Maybe it will, but again, not something that we're as concerned about. Uh, there's a lot more, there's other things that we want to prioritize and invest in um because of that. Um,

Matthew Eshleman 19:55

The other thing that we saw here kind of flat year over year was this um account compromise confirm, right? So we had about 32 um of those, which is the same as 2024. I went back and looked at all the data, like that's what it turned out to be. Um and uh, you know, again,

Matthew Eshleman 20:14

I think that is um, you know, some combination of you know, better training, right? Reducing you know the amount of people that are clicking, right? So that number doesn't kind of keep going up and up and up. We did see organizations start making a switch to pass keys, right, which are phish resistant in most cases, right, to really help protect um those identities. Uh, you know,

Matthew Eshleman 20:34

The other piece that's kind of in the mix is that um Microsoft partnered with like the FBI to go attack to do a takedown um of uh a big you know kind of IT hacking infrastructure that was that was used to perpetrate a lot of these attacks. And so again, I think you know that also helped to mute um some of the increase in that year over year over year. Uh, you know,

Matthew Eshleman 20:57

The other thing you'll notice, right, that was an increase was the account compromise suspected. And so that's um, you know, whenever either we're alerted by a tool that we have or people are reporting, like, hey, I think my account is hacked, you know, we look at those, and that continues just to increase. Um, again,

Matthew Eshleman 21:12

This is area where we're, you know, I think the tool is important, we're we're making some changes there. And again, I I anticipate that the false positive rate in that relationship will go down. Um, but again,

Matthew Eshleman 21:23

If your account is available online, you know, it's being targeted all the time. And so having good tools in place to identify, to detect, alert, and and lock, you know, if there are suspicious logins, I think is is a really key cybersecurity protection because the impact of a compromised account um really is so so significant. So you know, those are kind of the big, I think the big uh numbers, you know,

Matthew Eshleman 21:48

We had some right small relative increase in the number of advanced persistent threat actors, right? These would be you know foreign nation states. Um and uh, you know,

Matthew Eshleman 21:59

Wire fraud, you know, again, the financial fraud aspect is real. It did go down, so that's great. Um, but again, that still represents a pretty significant impact to the organization that's you know on the on the receiving end of that um of that attack.

Carolyn Woodard 22:13

I know on the next slide we want to talk a little bit about how tools matter. Um can you talk about this um decrease that we saw?

Matthew Eshleman 22:21

Yes. So, you know, um, you know, this is really the you know the graph form of of what we saw in the table, right? So there are two different scales. So on the left are uh kind of the spoofing spear phishing, right? So that was a pretty big drop, about 60% year over year. Um, and then the number of spam messages that was recorded on the right. Um, again, uh, we're seeing a reduction. Again, I think um, you know, the the the

Matthew Eshleman 22:46

Having good email security is really beneficial because it just reduces the noise in your system from you know how many junk messages people have to deal with in their day-to-day management of their mailbox to the number of phishing messages, you know, which are really that you know malicious content getting them into those um steps of kind of financial fraud or maybe compromising their account. Um, you know, you can really see uh and for us, right,

Matthew Eshleman 23:14

We can see the difference that having effective tools in place um you know, it makes it makes a difference. And and we see it in the data um from the clients that we're supporting.

Matthew Eshleman 23:25

So in terms of summarizing and kind of the the tools and trends as we look to uh kind of wrapping up here is that you know, your tools are important, um, you know, better um better monitoring are are kind of catching those and and kind of being able to help us close and and respond to those alerts quickly. Um

Matthew Eshleman 23:44

The big kind of area of risk is that kind of malicious endpoint virus activity is is increasing. And I think that means you know, investing more in those protections and those workflows is going to be um you know really important. Um you know, and and kind of despite how grim and unfortunate like our current political uh landscape seems to be, you know, from kind of purely from the cybersecurity perspective, most attacks are still financial. Um, you know, we're just kind of adding on lots of you know partisan or ideological attacks on top on top of that. Um but

Matthew Eshleman 24:19

From a kind of the risk perspective, the biggest risk I think for the organization still ends up being financial uh in terms of uh of overall loss. And

Matthew Eshleman 24:29

I think the new thing I would add in here, right, is that insecure AI is creating new risks for organizational in terms of data leaks. And while nonprofits are slow to write policy, although we had really good results um here on the on the session today, um uh so while your organizations are relatively slow to write policy and adopt tools, I would say your or your staff are not. And

Matthew Eshleman 24:50

We see widespread evidence of the use of free and ungoverned AI tools across the organization, right? Your you know, even if your org hasn't written written a policy talking about how you use AI, your staff are already using AI. And so um I think you know the impact of that is going to be seen, you know, kind of down the road as uh you know, data that you thought was internal is now not, um, or you know, other, you know, kind of other downstream impacts of that. So again, uh, you know,

Matthew Eshleman 25:20

We're seeing you know that continued need for investing in staff training, providing clear policies for data and AI in particular. Um

Matthew Eshleman 25:31

And then again, all the basics, right? The stuff that we've been talking about from a cybersecurity perspective for years and years and years like is still really important. What are your baseline configurations? People aren't local administrators, patch and update regularly, right? All those things um, you know, just kind of continue to be uh important and continue to be foundational to help protect your organization from the myriad of threats that are um that are out there.

Carolyn Woodard 25:57

I just shared in chat we have a couple other um resources. We did a podcast about doxing that gives some information there. And then we just did a webinar a couple months ago about how to use AI tools more safely at your nonprofit, so you can check those out too. So, how do you protect your organization, Matt?

Matthew Eshleman 26:15

Yeah, and I think this kind of goes back to some of our early questions, like, hey, what's one new thing you did in 2025? And here's a chance for you to think about what's one new thing that we are gonna do in 2026. Um, and so again,

Matthew Eshleman 26:29

I think nonprofit organizations continue to be at a high risk for cyber attacks of all types. And so making sure that you have those foundational controls in place, such as um IT acceptable use, a formal awareness, uh security awareness training program, phish-resistant MFA, um, you know, cloud identity protection do provide meaningful um protection against the most likely attacks that your organization is gonna face. And so, again,

Matthew Eshleman 26:54

We talk a lot about that in our updated cybersecurity playbook. Um, and again,

Matthew Eshleman 26:59

If you haven't, you know, if you have an ad hoc cybersecurity training program, maybe it's time for you all to look at something more formal. Um, if you have uh MFA for everybody, that's great. Maybe that's time for your uh finance and operations folks to upgrade to Phish Resistant MFA. Um if you don't have any email filtering in place, um, again, I think this is a big win, right? Just to reduce the amount of junk. Um if you don't have a system that's in place to monitor your cloud sign-ins, again, a lot of value in um getting something that can protect, alert, and block uh you know, potentially suspicious logins.

Matthew Eshleman 27:35

And then finally, right, batching and updates. It's you know, nobody likes to reboot their computer. We send out a note, right, the first every month to as a reminder, but um you know, doing the basics uh is really important. And so making sure that you're taking time to yeah, update those apps, reboot your computer, install the operating system updates. Uh that is an important way that the OS vendors are making to make sure you have the latest protections built into your system.

Carolyn Woodard 28:04

Well, I'm sorry that we're I think we're gonna run out of time. I hope that you can maybe stay an extra minute or two, Matt, before you jump over to Reddit. I want to encourage everyone to join us on Reddit. We got a bunch of good questions in the QA. So we will put those in our Reddit um thread and you can find some answers there. Um so

Carolyn Woodard 28:21

We have we do have cybersecurity offerings from Community IT. You can find those on our website, community it.com. You can also, there's a link there that you can get some time uh with Matt to talk to him more about your questions, uh, learn more about this, so you can grab that time there also on our website or at this link, which I just shared in the chat.

Carolyn Woodard 28:44

For our learning objectives, I think we've got went over them pretty well. Um we learned cybersecurity landscape, we learned some general best practices that will protect you against most of even new scams that are out there. We learned some definitions, the initial impact of AI on these cybersecurity risks, and some ideas on how to protect ourselves better and our nonprofits. Um,

Carolyn Woodard 29:07

I want to mention our webinar next month, which will be May 27th. I will be back here with Nuradeen Aboki, who's our Senior Consultant, and he has several mini case studies that he's gonna share with us from clients he's been working with on implementing AI. And particularly, you know, there are good things that are happening, maybe some pitfalls that you can we can help you avoid, especially around governance and policy making. So I'm really excited about that.

Carolyn Woodard 29:36

I feel like a lot of people are talking about AI and nonprofits in kind of theoretical terms right now. And so having Nura here to give us some really practical experience that he's had with big clients, small clients, it's gonna be a really good webinar. So I invite you to come back for that. You can register for it at our website, communityit.com.

Carolyn Woodard 29:57

And Matt, I just want to thank you so much for your time today and sharing all your expertise with us and all of the time that it takes to go into that data and pull out those threads and help us see, you know, what our other clients are seeing because we can all get smarter together when we learn from each other. I want to thank everybody in the uh webinar who attended. Um, please remember to take that uh survey as you leave for the $25 gift certificate, and it really helps us improve.

Carolyn Woodard 30:26

And we just appreciate your time so much. You could have been doing other things with your hour uh this afternoon. We're so glad that you joined us. So, Matt, thank you again so much for sharing this with us.

Matthew Eshleman 30:38

Yeah, great. Well, thank uh thank you all, and I appreciate all the the comments in the chat. Uh as Carolyn mentioned, we'll we'll be answering some of these things um over on our Reddit channel. Uh and um yeah, uh go go check out the answers there.

Carolyn Woodard 30:52

Exactly. So we'll see you over over on Reddit, and um I hope you have a great rest of your day. Thank you.

Community IT Intro 31:00

Thank you for joining this Community IT podcast, part two. You can find part one in your podcast feed if you subscribe wherever you listen to podcasts.