
Community IT Innovators Nonprofit Technology Topics
Community IT offers free webinars monthly to promote learning within our nonprofit technology community. Our podcast is appropriate for a varied level of technology expertise. Community IT is vendor-agnostic and our webinars cover a range of topics and discussions. Something on your mind you don’t see covered here? Contact us to suggest a topic! http://www.communityit.com
Vulnerability Scanning for Nonprofits with Johan Hammerstrom
Most nonprofits will be asked about vulnerability scanning when they renew cybersecurity liability insurance or complete an annual audit. Do you know what it means and what you should do to comply?
The takeaways:
- There is no one-size-fits-all vulnerability scanning app for your entire organization. You will need to scan various systems, and each kind of system calls for a different kind of scan.
- As part of your incident response planning you should have an inventory of where your vulnerabilities may lie – your website, any custom apps, anything you have customized, and then your other apps and tools. Check in with your IT team and stakeholders to build it.
- If you are being asked to check off a box on your cyberliability insurance or part of your annual financial audit, talk with the auditors or your insurance broker to get more clarity.
- In addition to checking this necessary box, vulnerability scanning is an important layer of protection to have around your organization and your mission. Take it seriously, but realize that as a buzzy term, you may be approached by vendors overselling what you need.
- A trusted IT partner – whether a board member, IT director, or outsourced IT provider – can help you wade through the options and choose the one that fits your budget, risk profile, and the specifics of your IT set up.
Vulnerability scanning is the process of using automated tools to look for weaknesses in computer systems, apps, networks, and platforms. It is particularly necessary for websites, to avoid falling victim to hacks and ransom extortion. It is a proactive approach to finding flaws and vulnerabilities before outsiders and hackers do. Vulnerability scanning helps your nonprofit learn where risks may hide, and lets you take proactive steps to mitigate those risks and correct configuration errors. Vulnerability scanning providers will need access to your systems and will deliver a comprehensive report of the vulnerabilities found, usually ordered by most immediate risk or by potential damage.
Many security regulations and standards require periodic vulnerability scanning. Nonprofits are being asked to complete vulnerability scanning as part of renewing cyberliability insurance or complying with enhanced annual audits under the SAS 145 guidelines. Vulnerability scanning helps prioritize remediation efforts by highlighting the most critical vulnerabilities, and should be a continual process repeated periodically to improve a nonprofit's security posture.
Many providers will use the label “vulnerability scanning” so it is important to understand what is meant by this term and what the provider will do and report on. There is no one universal vulnerability scanner. Different systems must be scanned with their own automation.
If you have questions that aren’t answered by this podcast, talk to us! On our site we have free resources on basic cybersecurity and IT governance policies. You can use our downloadable Cybersecurity Playbook or other online resources, or schedule time with our Cybersecurity Expert Matthew Eshleman to ask your questions.
Carolyn Woodard: Welcome to the Community IT Innovators Technology Topics Podcast. I'm Carolyn Woodard, your host. And today, I'm excited to be talking with our CEO of Community IT, Johan Hammerstrom.
I'm so glad that you're here to talk with me.
Johan Hammerstrom: Yeah, me too. Thank you.
Carolyn Woodard: Do you want to introduce yourself?
Johan Hammerstrom: Yes. My name is Johan Hammerstrom, and I'm the CEO of Community IT.
Carolyn Woodard: And what are we going to talk about today?
Johan Hammerstrom: Well, today, I wanted to talk about vulnerability scanning.
Carolyn Woodard: Oh, what is that?
Johan Hammerstrom: Kind of a technical topic. Part of the reason that I wanted to talk about it is that it's becoming more of a requirement for a lot of nonprofit organizations. We're seeing it start to be mentioned in cyber liability insurance applications. We're starting to see it show up on financial audits. As part of the annual financial audit process, nonprofit organizations are being asked if they've conducted vulnerability scanning. And then we're also seeing it show up on cybersecurity assessments, and it's becoming a more important part of various compliance frameworks.
So, FISMA, HIPAA, any organizations that need to comply with some form of regulation, vulnerability scanning often is something that they need to be doing.
Carolyn Woodard: So, do they react the way I did of what is that?
Johan Hammerstrom: Yes. And that's actually the issue, I'm not sure that people who are telling you that you need to do vulnerability scanning know exactly what they're asking you to do.
It's like one of these things that it's sort of shown up everywhere now. Like pen testing, we should do another podcast on penetration testing.
Everyone's now saying, oh, you need to do this, you need to do this. But then no one really tells you, so what am I supposed to be doing? Just vulnerability scanning.
And that's always a risk because you can end up spending a lot of money doing something that isn't adding a lot of value and isn't really keeping you safe. It's just enabling you to check a box on an application or on a questionnaire.
Carolyn Woodard: I'm sure there are companies out there who are going to market to nonprofits, like we'll do your vulnerability scanning for you, and it's expensive.
Johan Hammerstrom: Absolutely. I was helping one of our clients through this process, and exact same situation, they were being asked to do vulnerability scanning. Well, they were confused because they said, we thought you did vulnerability scanning, and our web developer just told us that they do vulnerability scanning, and I'm getting emails from these security vendors telling me they do vulnerability scanning.
So, which one should I go with? And the reality is they're all doing vulnerability scanning, but it's all a different kind of vulnerability scanning. Understanding what you're getting and what you're scanning is kind of the first step in the process.
Carolyn Woodard: So, what do nonprofits need to, where do they start if they've gotten this notice that they need to do vulnerability scanning?
Johan Hammerstrom: I suggest thinking about, I mean, it really is a term that you can just kind of take at face value. Like, what does the English word vulnerability mean? What does the word scanning mean? And then you can kind of, it's not any more technically complicated than that.
A vulnerability is a weakness in a system. And you can think about all of your technology systems having certain weaknesses. The place to start really is just thinking about your different technology systems. You probably have a website. You have staff who have laptops that they're using to do their work. If you have an office, then you have a network that those laptops are connecting to to go out to the internet. You have different cloud-hosted providers like Microsoft or Google that are hosting your email for you. So those are all of your different IT systems.
And every one of those systems could have vulnerabilities associated with it or weaknesses associated with it. And so thinking about your systems and their potential weaknesses is a good place to start.
Carolyn Woodard: And I think we often tell people as part of managing IT that they should have that map or that list of their systems anyway. But if you don't have that list, then you'd want to start with making that list for your different departments too, or the different teams might have tools that they're using. Building that list, it sounds like is what you need to do first.
And then when you have that list, go into each of those systems and talk to the stakeholders. Or how do you determine what their vulnerabilities are?
Johan Hammerstrom: Yeah, that's a great question. I do think coming up with that inventory of all your technology systems, it's important to have that. And then for this exercise, you could go through each of those systems and say, well, what are the potential weaknesses or vulnerabilities of this system?
And also at the same time, identify the business risk associated with that system. If there's a vulnerability that gets exploited, will it lead to downtime? And what's the business impact on the organization of that downtime? If there's a vulnerability associated with this system that leads to it being compromised, what's the risk associated with that compromise? And how much will that impact the organization?
Because not every system will have the same level of risk. And so that's an important piece of the analysis to do so that you're not treating every system equally.
And now we're starting to get into how you can evaluate the different vulnerability scanning solutions and whether or not they're actually going to add value. If it's a system that doesn't, it's not business critical, if it went down for a day or two, no one would notice or you could work around it, then maybe it's not as important to scan for vulnerabilities as a system that has all of your donor information or other critical constituent information or the information associated with your financial institutions.
So, it's good to look at the different systems from that business impact and business risk perspective to help you determine what's important to scan with the vulnerability scanning.
Carolyn Woodard: Is this an exercise that you can do with a stakeholder committee, and who would be on that team to look at this list and kind of plot out what those vulnerabilities are and how critical they are?
Johan Hammerstrom: I would maybe handle this more as from the perspective of a business continuity and disaster recovery planning. And so most boards, I think, are going to ask their management team to put together a disaster recovery plan or a business continuity plan.
And as part of that planning process, inventorying technology systems and assessing business risk and impact associated with those systems, that's a key step of the disaster recovery business continuity planning process.
I would focus on that process first, and then you can take the results of that process and just use those results to guide you in the solutions that you choose to use for vulnerability scanning.
I think vulnerability scanning is important to do, but I don't think it should be your primary focus as an organization. You want to get it done, you want to find a cost-effective method for scanning for vulnerabilities that is going to deliver value, but I wouldn't spend too much time on it.
I wouldn't make it a major organizational priority, the way that I would business continuity and disaster recovery planning.
Carolyn Woodard: You should be doing that anyway, and you should be doing business continuity and disaster recovery annually? Is that a good?
Johan Hammerstrom: Yeah, I think it's going to take a lot of work to do the initial plan. Once that's done, then reviewing it annually and updating it, and then probably after five years refreshing it, or after major organizational changes would be good to refresh it. The business continuity plan provides you with that inventory to evaluate what you need to be scanning.
Three Aspects of Vulnerability Scanning
I think of vulnerability scanning as scanning for three different things. One is it's scanning vulnerable software, two, it's scanning vulnerable configurations, and three, it's scanning for vulnerabilities in systems.
Vulnerable Software
Vulnerable software is if you're running basically out of date software. So, if you're not updating the software on your everywhere, I mean, just you've got software on your laptop. Have you been applying your patches? Have you installed the latest version of your laptop software? You've got software on your website, depending on the web platform you use. If you use WordPress, a lot of organizations use WordPress. You're responsible for updating your WordPress version, and if you're not doing it, you're running software that's out of date and is therefore, by definition, vulnerable.
So, that's the first one is just scanning for vulnerable software. That involves different types of scanning, depending on what software you're looking at.
Carolyn Woodard: We talked about, oh, there's a vendor who will do vulnerability scanning for you. Is this like a tool that you just run it on your machines, and it will say, oh, your WordPress version is three versions ago and you haven't updated it?
Johan Hammerstrom: That's right, yeah. The most common type of vulnerability scanning is a network-based vulnerability scanner. And that's worth doing.
I mean, and I think, especially if the price is modest, sometimes it gets bundled with other solutions that you may already have.
More often than not, that vulnerability scanner is going to scan the software versions. You tell it what to scan. You'll tell it, scan or you give it your URLs of your websites. If you want it to, if you have an office with a firewall, you give it the IP address of the firewall so that it's scanning your firewall.
And basically, the scanning tools will check the software versions on all of your exposed assets, whether it's a website, whether it's your firewall, anything that's publicly available, it'll scan and it'll look for the software version. And it'll look for how it's been configured.
Those are really the two big things for web properties, is it up to date in terms of its software? Has it been configured properly or are there configurations that are insecure that need to be addressed?
I think in most cases, that type of vulnerability scanning, it checks the box for your cyber liability application, for various types of compliance frameworks. And it gives you valuable information about how vulnerable your firewall is at your office or your website.
That's where the business risk analysis comes in handy though, because if you don't have anything behind your firewall other than laptops, which should be protected already, you don't want your firewall to be insecure. I'm not saying that's something you should feel comfortable living with. But it's just different now than it was 15 years ago, where you had servers in your office, and all of your information was on the servers, and the firewall was really critical to protecting that information.
Vulnerable Configurations
Nowadays, most information is out in the Cloud, and most of your staff are sometimes working from the office, sometimes working from home, where you're not scanning that firewall, whatever home Internet your staff are using, you're just living with the vulnerabilities in their systems.
Carolyn Woodard: You're protecting the Cloud. Their access and login to the Cloud is secure, whatever home Wi-Fi network they're using.
Johan Hammerstrom: That's exactly right. And that's where kind of the next-gen, if you will, of vulnerability scanning comes in, where they'll scan your Cloud systems. So, you'll tell them, we're using Office 365, we're using Salesforce, we're using Google.
And it's a little bit different, though, because they're not doing the same sort of scanning from the outside, because there's, just think about it, there's millions of hackers around the world who are trying to break into Microsoft every day. And so, Microsoft has very sophisticated defenses to protect people from illegitimately breaking into their systems.
But what you need to make sure is that how you've configured your account in Microsoft is secure, are you using multi-factor authentication? Are you using contemporary policies to protect your accounts? Or have you not implemented any policies?
There are firms that will do, they call it configuration analysis of how you've got your major software systems set up. And that is a type of vulnerability scanning, because it's scanning for vulnerabilities and how you've configured your tenant.
Carolyn Woodard: So, I guess those are the first two categories you mentioned, the software and the configuration.
Johan Hammerstrom: Yes, the software version and the configuration.
Vulnerabilities in Systems
And then the third vulnerability is the people. So, are people going to fall for scams? Are they going to fall for phishing attacks? Those sorts of things.
And so technically, security awareness training, which is really important to do, it's not technically vulnerability scanning. If that's all you're doing, you can't check that box on your application. But the reality is like people are the biggest vulnerability now. And so you need to be protecting against malicious actors, exploiting that vulnerability to gain access to the system.
Carolyn Woodard: Well, and I think often on a cyber liability checklist, it will also have staff training that you've done.
Johan Hammerstrom: Yeah.
A lot of antivirus systems now will do what they call vulnerability scanning. And they're just scanning for old versions of software running. Like if you use desktop Office, that needs to be kept up to date because that's something that can be exploited. So, it will say we're scanning for vulnerability on your laptop.
And what it's scanning for is old versions of software that need to be updated. It's a vulnerability. Like the other thing, like on your laptop.
Carolyn Woodard: It's a narrow... vulnerability.
Johan Hammerstrom: Exactly. It's narrow. I think there's two answers to this question.
One is, what do I need to do to check the box? And that's basically like the web-based scanning is what I would recommend for that, which is good to do anyways. And if you do that, you've done sort of the dictionary definition of a vulnerability scan.
But then there's the broader sort of, how do I check for vulnerabilities in my IT system at large? And I think that's a process that's very much worth engaging in but has more dimensions to it that are important to consider and keep in mind.
Carolyn Woodard: And are good to do.
Johan Hammerstrom: Yeah. Very good to do. Yeah.
Carolyn Woodard: I will put in a quick plug for our webinar this month on July 23rd is going to be Matt Eshleman, who's our CTO and cybersecurity guru, leading the tabletop exercises. So that's related, I guess, to what we're talking about with vulnerability scanning.
So, you go through your incident response in this kind of exercise, choose your own adventure, like something has happened and then how do you respond?
What is the next thing that you do? And so you can check for vulnerabilities in your response plan. Also, like if there's one person that you have to talk to, and they're on vacation in this simulation, then what do you do?
So, you can discover that way that you've got single points of failure or other vulnerabilities that are people-based often, so wouldn't show up in a scan. I'm wondering about using the vulnerability scanning though, the way you were talking about it. When you discover, for example, maybe there's one person in your office who just never does their updates.
So, their laptop turns up as running a version from four years ago or something like that. It seems like it's an opportunity also to do more training and more sensibilization of your staff, of why the vulnerabilities are dangerous, and how to protect your organization.
Johan Hammerstrom: Yeah, that's a great point. I think a good security awareness training program should include that training in it.
IT Management Best Practices
That's a great example because that really falls more under the category of IT management best practices.
One of the IT management best practices is reviewing a report on a regular basis, typically a monthly basis or quarterly basis, to basically look at what percentage of our workstations have the latest patches. And then which ones don't, and then initiating a process to check on those specific machines and make sure that they're up to date with the latest patches. And that means having a good like ongoing monitoring and management system in place to be able to report on the patch status of all of the machines.
But yeah, managing machines, I mean, that could be another podcast, because that's a not very glamorous, but incredibly important aspect of IT management, that when done well, really reduces the costs of managing IT, because it keeps the number of problems, that it's proactively addressing problems before they stop people from working.
Carolyn Woodard: Well, we've started talking a lot about the compliance aspect, and that that's part of an executive team's responsibility, is you can have all the policies you want in place, you can have all of the best intentions. But if no one's actually checking on the other end, like was the patch put in place, do we have machines or devices that aren't patched, then you might - like the policies are just sitting there, you're not actually doing them. So, you do have to close that loop of making sure you have some way to check. I guess, trust but verify.
Johan Hammerstrom: Trust but verify, yeah, exactly.
Building Your Own Software Vs Using Software from a Vendor
There's an important caveat that I want to make sure gets included. And that is if you're building or developing your own software, you're now living in a different world from the one we've been talking about.
If you're building or developing your own software, there's a good chance that there are vulnerabilities in your software system that you need to be scanning for, worried about and addressing that don't really apply if you're using commercially available off-the-shelf software and systems. So that falls into a whole different category that's outside our realm of expertise. If you're building your own systems, if you have your own custom development, there's a whole other level of vulnerability scanning that you have to be doing.
That also, when you're filling out those applications, they're asking about those systems as well. And if you're just doing the kind of vulnerability scanning that we've been talking about in this conversation, you shouldn't check that box for your custom developed systems because those require a whole different and more advanced level of vulnerability scanning to identify bugs and other weaknesses.
Carolyn Woodard: And with that, it seems like with a lot of nonprofits, that might also be not that you developed your own app or something like that, but that you had really customized your CRM or something that you've really just built out very specific to your own organization. And so in that situation, you'd also want to do some advanced scanning.
Johan Hammerstrom: Yes, yeah, for sure, for sure. I mean, I think at first I was like, well, that doesn't really happen. There's only a handful of cases where that's happening.
And that's to some extent true. The number of nonprofits for whom a custom built system is core to the work that they do is relatively small. But there are a lot of nonprofit organizations that will hire a web developer or just a developer to build a custom web app.
Like they're going to launch a campaign. And as part of that campaign, they want to have like an interactive web application.
Carolyn Woodard: Yeah.
Johan Hammerstrom: You're now owning that custom-built application and you're responsible for, you know, if people are using that application to enter PII, you better make sure that that's getting stored in a secure way and that it can't be hacked into. There's a whole host of security concerns that emerge when you're doing custom development that absolutely require a more advanced level of vulnerability scanning.
And so anyways, I just want to make sure that that, that I got that caveat out there that we're mostly talking about vulnerability scanning in the context of IT infrastructure and off the shelf systems.
Carolyn Woodard: I have one more question for you before I let you go, which is that it sounds like this is a relatively technical thing that you need to use a tool, give it the IP addresses, give it some of your internal information so that it can do the scanning.
And I'm wondering - for our clients, of course, they have a managed services provider, they do outsourced IT.
There are other nonprofits out there that have, that aren't our clients yet but also have an IT department or an IT manager or someone with those technical skills. We run into a lot of nonprofits that are maybe under 20 staff, maybe they implemented their own Google Workspace or just haven't grown to a size where they may have a full IT department or outsourced IT.
So, if small organizations are being asked for vulnerability scanning proof for their cyber liability insurance or their audit, do you have advice for them? I mean, there are tools and companies that do this. Is there a way to vet them or know what you're dealing with?
Johan Hammerstrom: I think for a really small organization, your most likely vulnerability is your website. And so I would maybe start with your web developer and just ask them, hey, we need to run vulnerability scanning on our web assets. Is that something you could help us do? Who do your customers normally use for that sort of work?
I would start there, because I think that is essentially fulfilling the requirement from those applications.
And then the larger question of configuration security, particularly around your software, your key software systems, technology systems. I mean, at that point, either you have someone on staff who's an accidental techie, or you have a volunteer who cares about the mission of the organization.
Carolyn Woodard: Or maybe somebody on your board.
Johan Hammerstrom: Or somebody on your board, potentially. But somebody, at the end of the day, if you're a small nonprofit, you're either, you're most likely in Google or Microsoft, and you should have multi-factor authentication configured. You should have security alerts enabled. There's a variety of just basic security configurations that need to be set up. And you need to find someone who can do those for you. And sometimes it's someone on staff who wears multiple hats.
And I think for small organizations, that's totally viable. That's a feasible approach.
Carolyn Woodard: That makes sense. Well, thank you so much, Johan, for your time and for helping us understand a little bit more about this function and tool and another way to add another layer of protection for our nonprofits that are vulnerable to hacks and scams and wiring the stuff to the wrong place and all of that. It's good to know how to keep your nonprofit safe.
Johan Hammerstrom: Thank you, Carolyn. You can always be safer.
Carolyn Woodard: Yeah. Well, thank you so much.
Johan Hammerstrom: All right. Thank you.