Community IT Innovators Nonprofit Technology Topics

Cybersecurity Essentials for Nonprofits pt 2

Community IT Innovators Season 6 Episode 42

A Panel Discussion with Matthew Eshleman and Ian Gottesman.

In part 1, Ian and Matthew discuss an approach to cybersecurity for nonprofits, taking the first steps, and 3 steps you can take to prevent at least 80% of attacks. In part 2, they talk about making cybersecurity training more engaging, and lessons learned this year. They finish by taking audience questions.

Our nonprofit cybersecurity experts discuss the current state of risks, and the best counter-measures nonprofits should have in their toolboxes.

Learn what are cybersecurity essentials for nonprofits, and how your nonprofit organization can meet the moment. 
Keep your staff, your networks, and your data secure in an insecure world.


Worried about nonprofit cybersecurity?

You aren’t alone. The nonprofit sector is seeing new attacks and politicization of work that was never political before. Most attacks we are seeing in our networks are still financial, not political – but that doesn’t make being a victim of these attacks better. AI is changing cybersecurity needs rapidly.

If you aren’t sure what you need to know, or who to ask, learn from our expert panel in this webinar where we will discuss cybersecurity essentials for nonprofits in accessible language, and lay out a plan for any nonprofit to put the basics of cybersecurity in place.

Secure your devices. 

Secure your accounts. 

Secure your data. 


In this new webinar, expert panelists discuss cybersecurity essentials and take Q&A.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

Community IT is proudly vendor-agnostic, and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.


Thanks for listening.


Carolyn Woodard: Welcome, everyone, to this Community IT webinar, What Are Cybersecurity Essentials for Nonprofits? My name is Carolyn Woodard. I'm the Outreach Director for Community IT. I'll be the moderator today.

Matthew Eshleman: My name is Matthew Eshleman, and as I said, I'm the Chief Technology Officer at Community IT.

Ian Gottesman: My name is Ian Gottesman. I'm the Chief Executive Officer at the NGO ISAC.

Carolyn Woodard: We have another thought question for you and our audience. And that is, 


Why is cybersecurity training so awful? And what could make it more fun? 

So, if you have some ideas on that, please put it in the chat. We're going to talk a little bit about it here. 

Matt and Ian, do you have ideas on how it can be more something that people feel really engaged about? Maybe not excited about, but they understand how they can help protect this organization that they care enough about to work for? Tell us some of your ideas. What works?

Ian Gottesman: You can definitely game it, little simple toy, little simple treats or punishments. 

For example, one year, and this is cybersecurity awareness, which I think is why we're doing this. One year when I was at an organization, if everyone, I think it was 80% or 90% of our organization, completed their monthly training within the first two weeks of the month, then at our monthly party on the second Friday of every month, I would drink cod liver oil to make me smarter and more aware of cybersecurity. I can just tell you, cod liver oil tastes really, really bad. But people enjoyed watching me drink it, so that really motivated people. 

The other thing, I've used tools like Wombat before, and with all of these training tools, people really enjoy seeing their score, seeing how they do, and providing examples of phishing that they've gotten, which you can then use to create examples for other people. 

I mean, cybersecurity is a risk, like a lot of other risks, and it can be managed and mitigated and transferred in all the ways you deal with risk. And it becomes a risk with ways to manage it, and you can do audits and things. And you just need to, as an organization, figure out what those really most important things are and how you protect them, and find easier ways to do that and more fun ways to do that.

I mean, you know, financial records, donation records, those things are really important to all nonprofits, and you need to make sure that those are secure and that the CRM or AMS or wherever you're placing all those key things, that you've added as much security as you can there, and that maybe you've done things like have an audit run, or use the scoring system that will tell you, say you have a score of 70 out of 100, here are the things you can do to get the extra 30 points. 

Do all these things that you can do routinely to help and do it a step at a time. You can't eat that field of broccoli on January 1st, but if you have a few heads of broccoli every week, then you'll be a lot better off.

Carolyn Woodard: I have a friend who gave me this analogy. While we're on the health subject of the prevention versus recovery, and that if you do suffer a hack or a breach, it takes a long time and it's really stressful. You're going to spend a lot of money probably too, until your insurance pays for it or whatever. It's like having to go to the ER versus going to see your doctor yearly for your annual checkup. 

It's not fun, but really doing the preventative stuff really can pay off in the long run of helping you not have to do the recovery. Again, some people are putting some really good things in the chat. We will share those in the transcript. Matt, did you have some ideas on fun stuff?

Matthew Eshleman: Yeah, I think I talked about it a little bit in the previous slide. In terms of making the training, using different training methods, I would say the other thing that we have tended to do is try to do training. 

Instead of it being one big training once a year, where everybody is in the conference room or you have this hour-long thing that you need to slog through, our approach has been to do shorter but more frequent trainings. So again, our standard training, the big training is maybe 10 or 15 minutes of time. And then we're typically doing a five-minute game, a little video, a quiz, a topical thing.

Try to mix up the actual training content that folks are receiving. Instead of it being, you just have to sit at your desk or there's the all-staff meeting where somebody gets up and talks for an hour nonstop about some cybersecurity topic, you endure it and then you forget it after it's happened. 

But building that culture of security where we're doing a training this month, there's something next quarter, people are engaged in an internal Slack or Teams channel, to be like, oh, I got this weird email. What does this look like? I think those are all good ways to make it engaging. Cybersecurity is something that we just do and talk about all the time. It's not something that just happens in October during cybersecurity month, but it's something that really does need to get built into the culture of the organization and happen throughout.

Carolyn Woodard: Yeah, no, that's what they say. You know, the cover-up is worse than the crime. Definitely encourage an open community where you're all talking about it and sharing what happened to you, or that something, you know, you clicked on the wrong thing. It's better to be able to tell people. We never want to have any kind of shaming culture around IT cybersecurity training. 

I just wanted to go over, we covered a lot really quickly today. We are going to have some time for Q&A in just a minute or two. If you want to start getting your questions in, either using the Q&A tab or just write in chat, we'll ask Ian and Matt.

If you need more resources, we do have the Community IT Cybersecurity Playbook, which I shared that download with you. We have the Cybersecurity Library on our site. We have a ton of free resources, articles. You can get in touch with Matt to ask more questions. We have also, we did a webinar on Cybersecurity Insurance, and that has a lot of good information on it if you're kind of confused about what those controls are. 

I'm also going to share these links for NGO ISAC, which as Ian said, they have these meetings where they just talk about what's going on, the latest trends, what you should be doing, all of those sorts of things. 

But I wanted to turn it back over to Ian and Matt. If you want to tell us something you learned over the past year or even the past month, past week that you'd like people to know about.

Ian Gottesman: Matt, you want to go first?

Matthew Eshleman: Let's see. Maybe two things. I will plug that, talking about updates, Windows 10 just got its last security update this month. So whatever, that story made it onto NPR at least. 

If you are running a Windows 10 computer, it's probably time to upgrade or replace it. Keeping your devices up to date - it sounds basic, but updating your computer and restarting it once a month really does a lot of good.

Ian Gottesman: Once a month? You're being generous. It should be every day, every week at least.

Matthew Eshleman: And then the other thing I will say, it's a little bit tech-y, but the multi-factor authentication, making the switch from that app-based authentication to switching to a physical security key or what's called a passkey is important. 

I think particularly if you're in one of those finance or operations or IT roles, the attackers are very sophisticated in getting people to click on those links and stealing your session. There's a lot of technical detail around that but just know that the physical security keys are very good at preventing that. And again, if you're in that role, you've got the biggest target on your back, and so taking those steps is important. Again, maybe not everybody in the org is going to be able to do that, but those three or four people really should.

Carolyn Woodard: And that's one of those things where if you are doing that phishing training and you can see on your dashboard, there's one person that always clicks on everything. Even if they're not your executive director, maybe they need to have one of those FIDO keys that they have to use. 


So Ian, did you want to weigh in? What are lessons learned recently that we want to share?

Ian Gottesman: I don't know how recent it is, but I have a YubiKey here. I hold it up a lot in trainings that I do. So YubiKey does have a free program for nonprofits. You can just get a grant from them for keys. I've been lucky enough to get it at multiple different organizations. They're one of the sponsors of our conference. So if you attend our conference, you'll be getting some YubiKeys to play with. 

So that's one thing you can do. There are a lot of really generous offers from the sector, from cybersecurity vendors to help you figure out things at little or no cost. 

And Okta has its Okta for Good program, which will give you grants for single sign-on. Microsoft really has pretty steep discounts, and Google too, for their cybersecurity tools. Some of them are free, some of them are really inexpensive. So don't let price be a problem. Cloudflare is another really good example. They have a bunch of things for their tools, which includes website security, email security, a bunch of things. 

So don't let price be the determinative factor in everything you do. Look around and see what options are for low cost, no cost cybersecurity tools, whether it's doing something with open source or getting a grant or a donation or something. And then a lot of foundations will help you build up capacity around your work, give you general support grant that can be included for cybersecurity or IT resources. 


And there's a community of us at NGO ISAC that can help with these things. You're not alone. 

That I think is one of the hardest things about cybersecurity: you feel like there's this big scary black box you're staring at and there's some sort of scary person on the other side. And you've seen TV shows like Okay Robot, or whatever it's called, where the guy puts his phone in the microwave. I never really understood that. But it makes for exciting viewing when you see it's in a parking garage and he's doing the stuff and he's got a dark hood on. 

That's not really real life any more than the Fast and the Furious is like your commute in Washington DC every day. It's what makes it a compelling TV show or a compelling movie. What's real life is just sort of the day-to-day stuff of making sure you have multifactor authentication set up, making sure you've got something helping monitor your emails and your texts and your messages. So the really bad stuff isn't getting through, you've trained your staff on how to not click on things and know what to look for and just really just pause for a minute. 

That's what the whole Take9 is about. Take nine seconds and pause and ask somebody, whether it's an IT person in your office or the person that sits next to you, and say, this is a weird email, or this is a weird text. Should I really be getting a text from my boss who's traveling right now to buy iTunes gift cards? 


I'm going to let you in on a secret and say the answer is no on that one, and I'm sure most people know. But that's one that people get a lot, especially new employees. 

So really just make sure you have those resources and those things, and you do it one step at a time and figure out what that first step is for you. 

Where do you want to concentrate on that initial thing? Is it updates? Is it security around certain core applications, certain key staff? Is it making sure you have a good inventory so you can run updates, or train all your staff with phishing? There's just a lot of different places to start. 

But like any other journey, you just start with the first step, and that's where you start, and that'll help get you in the right direction.

Carolyn Woodard: I love that we have several board members here because I want to say that's probably maybe an overlooked asset. You might be able to get a board member on your side who understands how important cybersecurity is to the organization. The board's mission is to make you successful. So they can also help get that set up. 

We have some questions coming in, keep them coming. I want to make sure to talk about what Community IT does, our cybersecurity offerings. Matt is in charge of this kind of area of our services. You can find more about it at communityit.com/cybersecurity, which I'll put in the chat. 

Also, we've got a lot of previous webinars. We do three or four webinars on cybersecurity every year. We have downloads, we have articles on cybersecurity on our site, information on insurance controls, the playbook, other resources on training your staff. I want to make sure that we do have time to get to some Q&A, but if you do have more questions, get in touch with us. You can schedule time with Matt, get in touch with Ian right through his website. You can schedule time with him to talk about what you need to do. We have our Reddit community thread. 

So, I just want to re-emphasize what Ian just said. You can feel alone, especially if you clicked on that link and you're like the second afterwards, oh no, why did I click on that? I was going too fast, I didn't really read it, and now I've got a big problem. You're not alone. There's a lot of people who want to talk with you about this, help you with this, so make sure you talk to people. All right. 

I'm going to put up, this is how you get in touch with both of these wonderful people. 

But we also have some good questions coming through. 

So, a couple of different people said, can you provide the link for the security key, that is the physical key, the YubiKey or the FIDO key, as it's also sometimes called. So, if we can put that in chat, we'll also share that in the transcript. 


We have a couple of questions in here. So, one is, I feel like this was touched on, but I may have missed it. 


Is there a known org that specializes in doing risk analysis for nonprofits? 

So, do you guys want to, I mean, Ian, just maybe a question.

Ian Gottesman: There's a lot of different places you can go to do that. I mean, you could go to NIST or CIS. There's a lot of different cybersecurity firms. There's a lot of different controls. The CyberPeace Institute, which we're a partner with, has a free assessment you can do, and then they have volunteers to help you conquer what they call missions, to help you fix things. So, that's a really good place you can go. I think, I'm trying to remember the exact URL. I think it's cpb.ngo, cyberpeaceinstitute.org, and that's a self-directed test you can do. Let me double check that that's right.

Carolyn Woodard: We will share all of these. We'll make sure we have the right links.

Ian Gottesman: So, that's a free test you can do. You walk through it. It takes about 45 minutes. It has a little wizard or bot or whatever you want to call it to help answer questions, because maybe you don't understand what MFA is or some of the other questions it specifically asks. It can help you do that. They also even have what they call a mission, to have someone walk you through that. They have about 1500 volunteers helping them. So that's a good place to go. https://cyberpeaceinstitute.org/services-and-tools/

The YubiKey program is called Secure It Forward. It's a very simple grant application. I can share this with Carolyn, who can post it. It's specifically for organizations that promote and protect free speech and democracy, but they have a pretty broad definition of that. And if you are inclined to apply for it, I would recommend doing it. They're engaged in our community. You can ask them questions about that. 

There are just a lot of different options out there to help with things. And to get this stuff done, risk can be your friend. It can help if you're showing how these exercises you're taking, like training or getting passkeys or whatever, or if it's physical keys, are preventing a risk that could stop your organization from doing the work it does. It's much better to give everyone passkeys and spend, I don't know, an hour on the application and a few more hours training people how to use them and handing them out, than discovering, oh no, someone broke into our ERP, our financial system, and misappropriated hundreds of thousands of dollars. Which I've heard that horror story before. 

Or someone misappropriated somebody else's check by constantly spamming your HR person and now direct deposits are going to a weird place and very quickly things are going pear shaped. 


It's much better to spend a little bit of a time and sort of figure out what your risks are and what you're concerned about. 

And then coming up with training or tools or whatever that mitigate that risk and transfer that risk to someone else. Moving things to the cloud or using physical keys or making sure everybody's gotten training or whatever it is that can help make that risk less likely to happen.

Carolyn Woodard: We have a question about a specific company, which I'm going to say at the outset, we're not going to recommend any particular vendor. I think one of the things we would say is, like we said, you're not alone. 

You have peers at other nonprofits as well. There are other Reddit boards, there's a Reddit just for nonprofits, r/nonprofits, where you can ask questions like this as well. I would say that is a better option to try and get what your peers think of different tools and vendors. To try and find out, you know, what's a good value for you. 

Like Ian was saying and Matt as well, there are lots of discount programs. As soon as you say that you're a nonprofit, you may find that they have discounts or other options for you. I would definitely say NGO ISAC is a great place to talk about this vendor, that vendor trying to figure out. 

The question was about Comcast Cybersecurity for Business. You know, there's a bunch out there, and when you look at their websites, it's always fear, scared, be afraid, you know, use our company. And, you know, of course, you do need to be careful, but you do need to, you know, find a company that will work with you, answer your questions so that you know what you're getting into, what you should be working on first, that sort of thing. 

All right, we're almost out of time. We probably have time for one more question. And it's a big one. In one sentence or so, we haven't talked about AI yet at all today. And it seems like AI is changing cybersecurity. 


Do you want to each say just one quick thing about AI? You know, just one little thing.

Ian Gottesman: I’m saying about $1,000,000 in our economy.

Matthew Eshleman: Well, I would say what we see, I think without a doubt, is that AI makes phishing attacks more believable and authentic, and easy, and cheaper for threat actors to affect. It's making it harder for sure.

Ian Gottesman: Yeah. I think obviously AI is a big buzzword. There's a huge investment in our economy. We've all used or seen all these AI tools. But it's become a Cold War weapons race where there's AI on the defenders' side and AI on the attackers' side. But ultimately, I think the most important thing is covering those fundamentals that we've talked about over and over and over again here. 

And if you've done the things like train your staff and have good identity management and all these other things, the AI is just another way to send a phishing email. But if your staff knows what a phishing email looks like, they can avoid it. Or it's another way to scan your network for things that are unpatched. But again, if your devices are patched, you can handle that. 

And once you've got those sort of three or four fundamental things done, which are, it's not simple, but I know that there are nonprofits out here doing really cool, awesome work like getting kids to summer camps that never go out into the country and they're riding horses and doing fun stuff like that, or teaching people to swim, or teaching people to read, or bringing world peace, and going to crazy places and war zones and counting up the kind of arms that people are using. 

You can do your cybersecurity. That is something I'm 100 percent confident of. You do so many awesome mission-driven work, you do these really complicated, hard things. Cybersecurity isn't as hard as the day-to-day work that nonprofits do every day, all day. And I think that's something you need to remember.

Carolyn Woodard: I love that. It's a great way to formulate it, to think about how complicated your mission is, and you're doing that. So, cybersecurity is not as hard. That's true. 

All right, I want to go quick through our learning objectives. I think we covered pretty much everything. We wanted to learn what practices go farthest to protect your organization, learn to train against phishing, perform those updates, prioritize that identity management so that all your systems know the person logging in is the person that it's supposed to be. We heard some ideas on making cybersecurity more fun for everyone on the staff. 

Thank you everyone who contributed your ideas in the chat. We discussed lessons learned this year, next steps, took some Q&A. I want to make sure that I invite everybody back next month for our last webinar of 2025. We're going to hear all about the NTEN Equity Guide for Nonprofit Technology. That's N as in Nonprofit, T as in Technology. I'm not sure what the E and the N are for, but it's N, T, E, N. Equity Guide for Nonprofit Technology. It's a free download from the NTEN website, which is updated for 2025. 

I can't wait to welcome the Equity and Accountability Director, Tristan Penn, to join us for our next webinar. He's going to talk about how you learn to use this equity guide to address your IT strategy for things like inclusivity, especially in this age of AI. On their website, they also have a companion resource for board members helping guide your IT strategy. For all those board members on today, you can find that right at their site. That's at 3 p.m. Eastern, noon Pacific on Wednesday, November 19th. 

And I just want to thank Ian and Matt. Thank you so much for joining us today for an hour. We got to ask you all of our questions. It was like having our super smart friends here. Explaining and answering our questions about cybersecurity for nonprofits. Thank you so much. Thank you, everybody in the audience who joined us. We know an hour of your time is a gift. We hope that you got a lot out of it and learned a lot today. 

As always, you can contact us, contact Ian, contact Matt if you have more questions or just don't know where to start. That's totally an acceptable place to be in, but we really encourage you to take those first steps and get some cybersecurity under way for your nonprofit. Ian and Matt, thank you again so much for joining us.

Ian Gottesman: Thank you for having us. Happy to do it. I hope everybody has a good rest of the day and a good rest of the Cybersecurity Month at the end of the month. We'll probably be celebrating by handing out candy and dressing up in costumes. That's always something to look forward to.

Carolyn Woodard: That's right. Cybersecurity Month in October. Matt, thank you so much for joining us.

Matthew Eshleman: All right. Thanks, Carolyn. I appreciate it.