Community IT Innovators Nonprofit Technology Topics

2026 Nonprofit Cybersecurity Incident Report with Matthew Eshleman pt 1

Community IT Innovators Season 7 Episode 29


In the first part of this annual check-in, Carolyn Woodard and Matthew Eshleman dive into the findings from the eighth annual Nonprofit Cybersecurity Incident Report. Analyzing data from thousands of client endpoints throughout 2025, they discuss how the landscape has shifted—specifically how AI is being used by threat actors to lower the barrier for sophisticated attacks. This episode provides a high-level look at the trends that defined the past year and the foundational layers every nonprofit needs to protect its mission in 2026.

The conversation covers the rise of financially motivated scams, the increasing frequency of partisan digital attacks, and why data is shifting from an organizational asset to a potential liability. Matthew explains:

  • How AI tools are accelerating attack vectors through automated scripts and convincing phishing.
  • Why your organization’s cybersecurity foundation must be built on policy and frequent, vibrant staff training rather than just annual videos.
  • The evolution of multi-factor authentication (MFA) and the shift toward phish-resistant methods like Passkeys or physical keys like FIDO keys.
  • Why data retention policies are becoming a necessity to mitigate legal risks and data leakage.
  • The importance of governing how staff interact with free AI tools to prevent institutional data from entering the public domain.


Thanks for listening. 


Community IT Intro

Thank you for joining Community IT for this podcast, part one. Subscribe wherever you listen to podcasts and leave us a rating to help others find this leadership resource for nonprofits. Listen for part two in your podcast feed.

Carolyn Woodard

Welcome everyone to the Community IT Innovators Webinar, Nonprofit Cybersecurity Incident Report for this year with Matt Eshleman, our Chief Technology Officer. This is the eighth year that we have done this, our eighth annual cybersecurity incident report. So we're so glad that you could join us and we can look back over some of the trends.

Carolyn Woodard

This webinar is very popular every year. We study the incidents that were reported. We have thousands of client user endpoints. So he looks at all of that data for the course of 2025 and pulls out the different trends and changes and incidents that will matter to you, so you can benefit from our experience. So he's going to cover the initial impact of the AI tools that we're seeing, give some examples of more sophisticated scams that are coming out so you can be forewarned and forearmed. He'll discuss our basic cybersecurity best practices that still form the foundation for your protection, and he'll give us some of those best practices and advice for this year going forward.

Carolyn Woodard

My name is Carolyn Woodard. I'm the outreach director for Community IT. I'll be the moderator today.

Carolyn Woodard

I'm so happy to hear from our cybersecurity expert, but first I'm going to go over our learning objectives. So today we hope by the end of this session that you will learn the cybersecurity landscape for nonprofits and the general best practices, learn cybersecurity lingo definitions and trending scams, and understand the initial impact of AI on cybersecurity: it is assisting the hackers, it's creating more risks, and it is also, we hope, creating more possible protections that are coming online. And we hope that you will learn how to protect yourself and your nonprofit in 2026.

Carolyn Woodard

If you are looking for more information on cybersecurity topics for nonprofits, we have a lot of free resources on our website. And we also have a community on Reddit at r/nonprofitITmanagement where you can ask questions or get in touch, or you can get in touch with Matt through the website as well. And Matt will be on our Reddit thread after this webinar answering more questions. So if you're on Reddit, you can join us over there for that.

Carolyn Woodard

Matt, would you like to introduce yourself?

Matthew Eshleman

Sure. It's good to join you all today to talk about this topic that I get to do a lot of work on over the year and over the past eight years. My name is Matthew Eshleman. I'm the Chief Technology Officer here at Community IT. Happy to have my new updated background here, celebrating 25 years, and I've been here for most of them. So it's great to have a good audience. I encourage questions as we go along. There's lots of content to cover, but I also want to be able to take questions as they come along. So please feel free to chat those in.

Carolyn Woodard

And I am going to tell you a little bit more about Community IT if you're not familiar with us. We are a 100% employee-owned managed services provider. So we provide outsourced IT support. We work exclusively with nonprofit organizations, and our mission is to help nonprofits accomplish their missions through the effective use of technology. We are very big fans of what well-managed IT can do for your nonprofit.

Carolyn Woodard

We are experts, and we serve nonprofits across the United States. We've been doing this for 25 years; we are celebrating our 25th anniversary this year. We are consistently given the MSP 501 recognition for being a top MSP, which is an honor we received again in 2025, and we believe that we're the only MSP on that list serving nonprofits exclusively.

Carolyn Woodard

I want to remind everyone that for these presentations, Community IT is vendor agnostic. We only make recommendations to our clients and only based on their specific business needs. We never try to get a client into a product because we get an incentive or a benefit from that vendor. We do consider ourselves to be a best-of-breed IT provider, so it's our job to know the landscape, know what tools are available, reputable, and widely used, and we make recommendations on that basis for our clients based on their business needs, their priorities, and their budget.

Carolyn Woodard

We got a lot of good questions at registration, so we're gonna try and answer as many of those as we can also. But anything we can't get to, as I said, will be over on Reddit after the webinar for about 30 minutes. So you can find that at r/nonprofitITmanagement. So I hope you join us over there. Take advantage of that; Matt is gonna answer some questions so you get some more expertise there.

Carolyn Woodard

A little bit more about us. As this slide says, our mission is to create value for the nonprofit sector through well-managed IT. And our values: we have four key values that we identify as employee owners that define our company. So we seek always to treat people with respect and fairness to earn their trust. We seek to empower our staff, clients, and our sector to understand and use technology effectively, to use our knowledge. We seek to be helpful with our talents and to provide service. And we recognize that the health of our communities is vital to our well-being, that work is only part of our lives, and that we all need to seek balance.

Carolyn Woodard

We will start with our first poll of the day. I'm gonna go ahead and launch it. And this poll is: does your organization have security awareness training for staff? And the answers you could answer are yes, we do; no, we need to start; or not applicable. And if you answered no, and if you feel comfortable, we'd love it if you would put it in the chat, why not? What are the barriers to your organization or to yourself in getting started with that security awareness training?

Carolyn Woodard

And when we talk about security awareness, you know, we're really talking about not the once-a-year video that everyone has to scroll through quickly and answer the questions at the end and then you're done. So we hope that you have a vibrant, engaging security awareness training in place. And it looks like we have complete answering, so I'm going to share the results.

Carolyn Woodard

Matt, can you see that?

Matthew Eshleman

Yes, I can. So great. I'm really glad to see about 68% of the respondents here today say that they do have a good security awareness training program in place. And so I think that's really fantastic. I know organizations have made that a priority over the last couple of years, and we are seeing really good uptake on that.

Matthew Eshleman

For those 32% of folks that say no, we need to start: I would encourage you, again, maybe this presentation helps to build some of that ammunition for taking those steps to make that a priority and be part of the organization's culture.

Carolyn Woodard

Yeah, I'm really glad to see so many people have it. I'm seeing a couple of answers in the chat of being very small and so being able to have more informal, hopefully frequent conversations about security, and also doing more informal security awareness conversations during staff meetings. And that I think is also very effective and very helpful as long as they're frequent. And it does help if you're following kind of a plan. So if you can do that informally, that is way better than nothing at all. So congratulations on getting that started. All right, I'm gonna stop sharing.

Carolyn Woodard

Matt, we have this graphic which shares a little bit about how we think about cybersecurity layers of protection. So did you want to talk about this a little bit?

Matthew Eshleman

Yeah, so I think this is really a graphic that talks about our approach to cybersecurity and that foundational concept of policy, you know, continuing to provide guidance for those technical solutions that are built on top.

Matthew Eshleman

You may notice that we don't have AI mentioned explicitly here, but it certainly is something that influences each one of those layers, whether it be policy, where they're helping to generate those topics or providing some edits and revisions, the training that folks are doing, and then, you know, particularly in the technical solutions that we see in that layer, right? So AI can be infused in these tools, both helping with prevention and also detection. As we asked about

Matthew Eshleman

security awareness training, that is a key element. Because, you know, most of the attacks that we see in the small to mid-sized nonprofit space that we support and that we operate in are really initiated by people clicking on something they shouldn't have, updating payment information, you know, getting tricked into buying gift cards by somebody who's obfuscating their identity. And so being able to provide that end user education matters, because there's not enough technology to provide complete coverage, and so we do have to trust and engage with our staff to provide that education layer. As I kind of talked about already, you know,

Matthew Eshleman

in the blue layer, these tend to be a lot of the technology tools that we have in place, and that's where a lot of the AI is getting infused in terms of improving detection or response or analysis. And then

Matthew Eshleman

the top layer is compliance, right? So this is, you know, if you have a policy but it's not enforced, or maybe your staff don't even know about it, you know, you might as well not even have that policy. So, you know, ownership in that, including the training, education of the stakeholders, and regular revision, are really necessary at an executive level for the organization. And in addition, right, the IT department can be involved in putting compliance checks on the back end. But without that being involved or the whole staff being on board, you know, the IT measures really can be seen as kind of an opposition or burden rather than a protection. So again,

Matthew Eshleman

I think it's a helpful way just to think about this security, and again, reiterating, right, the foundation really is policy, making sure people are on the same page, and then training, making sure that your users are engaged and aware of what's going on.

Carolyn Woodard

Yeah, I like that when we talk about compliance, that you can have the policy, but if no one's checking that anyone's following the policy, then you don't really have it. It's good that you did a policy, but there is that extra step, where someone has to be in charge of making sure that people are complying with it.

Carolyn Woodard

I know before we get to the analysis from this year, we wanted to talk a little bit about the current cybersecurity landscape that we're seeing. Can you talk a little bit about that?

Matthew Eshleman

Yeah, so you know, I think there are some new things in the current cybersecurity landscape that maybe are kind of new concepts for this year. But then I think there's also a lot of, you know, things that kind of continue as they are. And I think the big thing that

Matthew Eshleman

I think it's important to keep reiterating, right, is that cyber criminals see their work as a job, right? It's not just a hobby. You know, people are getting paid for this. And as a result, most organizations, right, you are primarily under threat for financial scams. The hackers really are motivated by that financial benefit. And so that is the avenue for the vast majority of attacks that we see in our space, even amongst nonprofit organizations that would be involved in very, you know, kind of progressive or potentially contentious topics. So

Matthew Eshleman

that is something that we are seeing, in addition to the financially backed cyber attacks that are really impacting, you know, everybody with an internet connection or everybody with an email address, but also recognizing that partisan attacks are increasing online. And those typically are, you know, again targeted at the individual themselves. And so

Matthew Eshleman

as a result, we are seeing organizations take steps like identifying people on their website, that kind of thing, to combat the personal attacks that folks at different organizations are experiencing. The new kind of thread or trend that we are seeing is just how fast the use of AI tools is accelerating those attack vectors and attack methods, both from, you know, kind of seemingly benign things, right? More sophisticated, you know, spam messages, all the way up to, you know, kind of automated, script-based attacks that are just a lot more effective and lower the bar for the technical sophistication of somebody to execute those.

Carolyn Woodard

Yeah, I shared a couple of resources in the chat and we'll share them in the transcript as well. So we have a downloadable cybersecurity playbook for nonprofits that includes that graphic we showed about the different layers, and it has a lot of good advice in it. I also shared another member-based resource that you can join as a nonprofit called the NGO ISAC. That website is also there, and that's a community of nonprofit cybersecurity, you know, experts and members who need to know more. So it's a great place to share information and learn more about what you need to be doing.

Carolyn Woodard

Matt, can you talk a little bit more about AI?

Matthew Eshleman

Yeah, you know, you can't have a presentation without talking about this as an item. But you know,

Matthew Eshleman

I think from the hacker perspective, you know, and the trends that we saw, right, in the data that we see, right, supporting about 8,000 nonprofit staff, yeah, I mean, there's certainly the futuristic approach to using AI for more sophisticated, you know, scripts and exploits. But I think that is really kind of taking us back in time to where, you know, malicious code and viruses are a bigger danger and a bigger risk. And

Matthew Eshleman

when we get to the table, we'll see that the amount of endpoint malicious activity has really increased pretty dramatically, kind of year over year, because, you know, AI makes it, I think, a lot easier for those threat actors to write new viruses, and then also for them to create new and convincing ways to get victims to open up, download a document, you know, have a QR code, you know, connect over WhatsApp and then install some other software, right? So there's kind of sophisticated playbooks that are being developed and tested, and the bar to enter or use those just, you know, kind of continues to drop, right? So

Matthew Eshleman

you can have pretty good defenses in place, but just kind of get overwhelmed by just how, I think, on the ball you need to be in terms of evaluating every message that, you know, kind of comes across your screen. You know,

Matthew Eshleman

I think the other things that we're seeing here is, you know, an increase in kind of the HR scams and kind of longer cons. And I think again, this kind of goes back to, you know, at the end of the day, even with all of the AI tools and kind of AI automation, right, you're interacting with a person kind of at the other end of the computer screen. And so because they're financially motivated, right, there is this investment that over time, if they can kind of engage and work with somebody, eventually they'll get to, you know, the financial scam part of it. You know, the first 10 messages that you exchange with somebody, right? That's just building up. That's just creating that trusted relationship.

Matthew Eshleman

And then will come, you know, kind of the ask or the engagement where, you know, they'll ask for money or kind of create an opportunity for that fraud to occur. So again, lots of really sophisticated and tricky ways to ultimately get to that point. So again, you know, being cautious, having good tools in place to prevent that stuff from happening, you know, kind of all those come into play.

Matthew Eshleman

But in terms of what we're seeing that's kind of new and different in 2025, yeah, certainly the use of AI and these kind of long cons are certainly occurring with a lot more frequency.

Carolyn Woodard

Yeah, I think it's interesting. In some ways, it's encouraging, right? Because the training is working. People know not to click on the link in the email. So then they're like, oh, I'll send it to you a different way. I'll send you a document, or I'll send you a calendar invite, or I'll send you something that you aren't aware yet to not click on. So they're just finding new workarounds, but it's good. Training is working.

Matthew Eshleman

Yes, for sure. And you know, again, I think kind of on the operational side of things. So as we kind of look at the data and what is happening, you know, those account compromises, right? So financial fraud maybe has the biggest, you know, kind of financial impact to an organization. Having a compromised account, right? Somebody other than the trusted user accessing the account is kind of the biggest risk to the organization because it could, you know, carry into so many things, right? Could they access your donor information, or maybe you have insider information into your board members? And so

Matthew Eshleman

protecting accounts is, you know, kind of the crown jewel, and that's what we want to protect.

Matthew Eshleman

We are also seeing kind of on the operational side that these cyber liability insurance and auditing requirements continue to drive compliance. You know, it's not that I don't think nonprofits want to invest in cybersecurity because it's the right thing to do, but it does have a cost and it has an operational impact. And so, you know, organizations do things because they have to. And so insurance and financial audits are some of those levers that get pulled to enforce those standards. Again, as we kind of talked about, right?

Matthew Eshleman

The multi-factor authentication that has been a great technology tool that people have adopted. Hackers have kind of continued to find ways of exploiting that. And, you know, there's kind of this big battle in the tech space that's largely in the background for big vendors like Microsoft that are kind of going after the underlying hosting infrastructure that is really kind of facilitating or making those attacks happen. So again, you know, as we kind of look at some of the recommendations, like, okay, so this is the world that we're living in, what do we need to do to change it? You know,

Matthew Eshleman

it does mean that we've updated some of our multi-factor guidance to say, yes, MFA, not only is it required, but if you are in a trusted role, we need to make sure that you are moving to a Passkey or a phish-resistant MFA method as a way to combat some of the increase in technology that these threat actors are using to exploit accounts. And then again, I think some of the new trends that we're seeing, you know, kind of worth shedding some light on, are recognition of those kind of ungoverned account risks and also data retention. So, you know,

Matthew Eshleman

ungoverned accounts could be, you know, organizational accounts being used to interact with, you know, kind of free AI tools, right? And a risk of data leakage there. We certainly see organizations becoming more aware of the risk that they have to legal attacks and data retention.

Matthew Eshleman

So this idea, I think, is really shifting or has perhaps shifted. Organizational data used to just be, hey, it's an asset, right? We want as much data as we can and we're gonna keep it forever because this is our work. I think there is a growing recognition that, well, now we have to comply with legal subpoenas and be able to turn over all this data, some of which, yes, we need to retain, and others which is maybe just conversational or whatever. We don't actually need it, and, you know, data is now evolving into a liability for, you know, some organizations.

Matthew Eshleman

And so being intentional about here's the data we have, here's why we need to keep it, and we'll need to keep it for this long. So again, I think those are some of the new things that we're certainly seeing in the nonprofit space over 2025 and certainly continuing into 2026.

Carolyn Woodard

I want to make sure that we have time to get to the information that's at the end of the presentation. So unfortunately, let's go through the definitions fairly quickly. I just want to say we'll add full definitions for all of these terms in the transcript on our website. So if we don't mention something that you don't know what it is, don't worry, we're gonna put it on the website. So just check back there. But I think there's some of these that we need to consider today.

Matthew Eshleman

Yeah, so I've said this a couple times. I do want to just define it maybe a little bit more precisely, but like threat actor, right? So this is the person or entity that's behind the keyboard. At Community IT, we don't get too caught up as to whether the threat is attributed to Fancy Bear or Midnight Blizzard, right? You may hear some of these buzzy terms spinning around. That's not as important to us. But there's an entire taxonomy of groups that groups attackers in the different geographies and target areas, and you can find that. So we're mostly interested in, right, identifying and restricting the threat.

Matthew Eshleman

The other one, and we'll have some examples here, is malware, or, you know, maybe scareware is a better term for that, because we see a lot of this: the unwanted software or pop-ups that redirect your web searches or collect information or try to trick you into calling a phone number for tech support. Again, that's, I think, a good term just to understand and to know how to describe what you're seeing or experiencing.

Carolyn Woodard

It sounds good. Thank you. I'm sorry we don't have time to go into all of them because some of them are so interesting and sound so odd. But yeah,

Carolyn Woodard

we want to get started with our next poll. So let me go ahead and launch that. This one is a multiple choice question. So you can answer as many things as refer to your organization. And

Carolyn Woodard

we want to know what is a cybersecurity tool or process that you added in 2025. So the answers, I'll go through the answers because there's several of them. Again, this is multiple choice. So choose all of the ones that make sense to you. So

Carolyn Woodard

the first answer is none. We didn't add anything in 2025. Well, we know what we are doing is working. None is number two: we know we need to do something, but we don't know what. If that's you, you've come to the right place. There is no shame in anything on this chart as well. Number three is that phish-resistant MFA. So having the physical key or using a passkey, requiring that for different people in your organization or for everyone in your organization. Number four is cloud backup. So that might be something that you've added in 2025. And please, only if you added it. If you were already doing it, just don't mention it. All right. Number five is the SIEM and SOC. I don't know what that is, Matt. Can you explain that?

Matthew Eshleman

Security information and event management tools and a security operations center. Basically putting all your logs and data in one place so that it can be monitored and you can get alerted if there's something that's suspicious.

Carolyn Woodard

Okay, so like managed security. Yeah, somebody is checking on the logs. Okay.

Carolyn Woodard

Number six is new policy. So if you did implement a new policy this year, a new security policy, please put in the chat what you implemented. Number seven is new training. Same thing. If you could put in the chat what new training did you do this year? Number eight is data protection or retention policy. So we were just talking about that: when you offboard somebody, you close down their account, or you don't keep certain data past a certain date, that sort of thing. Sorry, not this year, 2025. And number nine is you have new AI policies and governance. And I hope I see a lot of those because, you know, we didn't really have a lot of AI policies in 2024, although we probably needed them then too. Number 10 is other, something else. If you want to put something else in chat, we'd love to see it. And number 11 is not applicable. So if you choose number 11, please don't choose any of the other choices, although this isn't really a statistically significant poll. But

Carolyn Woodard

we just wanted to see, you know, what people are adding as the cybersecurity landscape is changing and as we're finding like we need new tools, we need new training, we need new policies. What have you been able to add last year? All right, and I think we're getting to pretty good. I'll give you another minute or so to get some of the answers in.

Carolyn Woodard

I'm gonna look over here at the chat and say somebody said that they added a phishing campaign with staff for training. So teaching staff what phish might look like, sounds like. Someone said that they added monthly training campaigns to the existing KnowBe4 setup. So if people don't know, KnowBe4 is one of the vendors' tools that can help you manage these kind of small trainings that go out to all staff every quarter, every month. You can set it for different ways and they create the content and then you do these quick quizzes, and it can be really useful, especially if something comes out. I know KnowBe4 has a training about it, you know, very quickly after it becomes something we need to watch out for. So that's good to know. All right, it looks like we have pretty good participation. So

Carolyn Woodard

I'm gonna go ahead and end the poll and share the results with everyone. And Matt, can you tell us what you're seeing in this poll?

Matthew Eshleman

Well, I mean, I guess, Carolyn, to your point here, a big jump in the number of folks that have added AI policies and governance. So that was kind of the biggest number of respondents, 39%. So they've added that, which I think is really fantastic.

Matthew Eshleman

Along with a lot of folks addressing their data protection and retention policies. Again, kind of tying into that, you know, data is a liability in addition to being an asset for us.

Matthew Eshleman

I'm really excited to see that about 18% of the respondents have implemented phish-resistant MFA in 2025. Again, in terms of doing backups, a handful of folks have added the SIEM or SOC services. And

Matthew Eshleman

there was one person that said they haven't added anything because what they're doing is working, and I really want to know. Because, you know, security, you know, I think from my perspective, right, it isn't a destination, right? You're not gonna get to a point where you say, okay, we've done everything we need to do.

Matthew Eshleman

Security is a journey, right? And there's always gonna be new things to kind of add, to adjust, to, you know, change how you're doing. And I think, you know, in the presentation that we give next year, right, there's probably gonna be new things that we haven't really even considered or thought about at this point. So glad to see that there's lots of movement, particularly in the policy area. And

Matthew Eshleman

I think AI is one of those areas where there's so much opportunity and then again, so much risk as well in terms of what it means to the integrity of your organization's data.

Carolyn Woodard

I feel like with AI, as we're becoming more and more aware of it and we're using it more and more, we're realizing these different dimensions of risk that it adds. So I think that's just so fascinating.
