
10 Free Security Tools for Nonprofits

What should you do to protect your nonprofit from hacks if you don’t know much about IT? Where can you find expert, current information on practical steps you can take as a nonprofit leader to make sure your staff take cybersecurity seriously, without breaking the budget, or paying for security you don’t understand how to use? Nonprofits are seeing cybersecurity risks and costs go up. Come learn how to manage cybersecurity basics at every level of your organization, to better protect yourself from scams and frauds. Matt gives an overview of the threat landscape for nonprofits and shares 10 free IT security tools your organization should be using – and probably already have access to. He also shares a few bonus low-cost tools you can consider, and discusses ways to make cyber security an integrated part of your nonprofit culture. All staff will find this information relevant, whether or not you have IT responsibilities. Community IT Innovators is pleased to partner with Nonprofit Learning Lab to present this webinar on free IT security tools for nonprofits. Learn to put safeguards in place to prevent falling victim to scammers and cons. As with all our webinars, this presentation is appropriate for an audience of varied IT experience. Community IT and Nonprofit Learning Lab are proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.

Community IT Innovators

1 year ago

Hello everyone, and thank you for joining the Nonprofit Learning Lab for today's workshop. Without further ado, I will now hand it over to you, Matt and Carolyn.

Thanks, Tammy. Welcome everyone to the Community IT Innovators webinar on 10 free security tools for nonprofits. Today we're going to talk about the cybersecurity landscape and what the biggest risks are to nonprofits and nonprofit staff, and then we're going to talk about some free and low-cost investments you can make to increase your security. We always try to explain any lingo we end up using, and today during the session please ask if you don't understand any terminology, because that's what we're here for. Our learning objectives are that after the session you should be able to describe the cybersecurity landscape for nonprofits, learn about cybersecurity readiness, review the 10 free security tools we're going to talk about, understand the role of executives and staff in managing basic security even if you're not the IT person, and know where to go for additional resources on nonprofit security. I want to remind everyone that Community IT is vendor agnostic. This presentation is to discuss how nonprofits are using common tools and what we are observing about them, but we don't recommend any tools in general; we only make recommendations to our clients based on specific business needs and their nonprofit culture. So again, I want to encourage everyone to submit questions and comments through the chat and the Q&A feature today. We probably won't be able to get to everything, but you can always contact us after the webinar for a follow-up. So, Matt.

Great, thank you for that introduction, Carolyn. I'm happy to be joining you all today. My name is Matthew Eshelman and I'm the chief technology officer at Community IT. In my role as CTO I'm responsible not only for the internal IT systems that we use to manage our 170 nonprofit clients, which supports about 6,000 staff, but I also work with our nonprofit clients to help them develop their technology and cybersecurity strategy to ensure that their data is well protected. So I'm looking forward to talking today about some free tools that organizations can take advantage of as it relates to cybersecurity.

Thanks. My name is Carolyn Woodard. I'm in charge of outreach at Community IT, and I'm going to be helping Matt today and monitoring the chat. I'm very excited to be sharing our expertise with you today. I think sometimes cybersecurity can be so daunting that it's tempting just to try not to think about it too much and just hope for the best, but Matt is going to show you today that there are some easy steps you can take to make your nonprofit much, much more protected, so it makes sense to start taking those steps now.

Before we begin, if you're not familiar with Community IT, a little bit about us. We are a 100% employee-owned managed services provider. We provide outsourced IT support. We work exclusively with nonprofit organizations, and our mission is to help nonprofits accomplish their missions through the effective use of technology. We serve nonprofits across the U.S. and we've been doing this for over 20 years. We are technology experts, and we are consistently given the MSP 501 recognition for being a top MSP, which is an honor we received again in 2022. We have lots of free resources on our website, including videos, articles and free downloads. We have a weekly podcast on technology topics, and we really just think that the more nonprofits learn about nonprofit IT, the better you can accomplish your mission. We're also recording this webinar, as Tammy said, and they'll be sending out the link to that video later, so don't worry too much about taking notes while we have this conversation; if you miss a link or a resource, you can look it up later.

So now our agenda. We are going to be talking about the cybersecurity landscape, talk a little bit about cybersecurity readiness, and then Matt is going to talk about the 10 free tools, and then we hope to leave some time at the end for Q&A.

Great. All right, begin. Oh, that's right, go ahead, go ahead.

Great. Well, thank you, Carolyn, for that introduction, and I would just reinforce that if you have questions as they come up along the way, please feel free to use the question feature. That will be moderated; if there's something that's really relevant to one of the slides that we're on, I'm happy to take those questions as they come in, or we can have some time at the end as well to answer questions that you may think of as we're going through this presentation.

So as I mentioned, I think it's really helpful to understand the cybersecurity landscape that we all operate in. Cybersecurity is important. The threats are not just something that happens to the big organizations that you read about in the paper; cybersecurity concerns are important to every organization, no matter how big or how small, and I think it's important for everyone to understand just what's going on out there in the cyber world. One of the things that is happening quite a bit is that there are persistent and ongoing brute force attacks against your digital identity. I think nonprofits have done a great job of moving resources into the cloud, that's Office 365 or maybe Google Workspace, and it's been really great to access that information from no matter where you are, but it also means the bad guys can too. And so we see evidence of lots of ongoing attacks where the bad guys are just trying different username and password combinations and trying again and again. So that's one area that we see a lot of attacks around: your digital identity.

We also see pretty sophisticated spear phishing attacks. Spear phishing is a special type of email attack that combines some unique knowledge about you and your organization in order to get you to take some action: click on a link, type a password, open up an attachment, that sort of thing. Some industry research says that as much as 91% of cyber attacks really start with email, and so we certainly see that in the nonprofit sector. I think another thing that nonprofits do a really good job of is they're very proud of their staff, and so many organizations have really great staff directories, and it's easy for the bad guys to find email addresses and reporting structures, and all that information ends up being used to craft those spear phishing messages.

We also see that organizations are targeted because of the work that they do. This applies particularly to organizations that are in the policy space. So again, if you're government or government adjacent, you're very attractive to sophisticated hacking organizations because they want to know what's going on and who has access to government resources, or may have access or influence to government officials. We also see attacks targeting organizations that are in family planning and health services as well. So it's important, if you're in one of those maybe protected categories, to have additional attention to your cybersecurity protections.

And then attacks are also targeting vendors. So if you're a managed service provider like Community IT, we take extra care and caution because of the access that we have to our clients' data. If you're working with an IT vendor or an IT consultant, it's important to understand the cybersecurity controls that they have in place to protect the access that they may have into your systems. Again, that's very, very appealing to these cyber actors: to make sure that they can try to exploit one organization and thereby gain access to many more.

I would say it's not necessarily all bad news when it comes to the cyber landscape. I will say that there are lots of great security tools out there that can help protect and prevent some of these attacks from occurring. I'm also encouraged that we're seeing, as compared to a few years ago, a lot of organizations being really proactive about improving their cybersecurity, and so as somebody who's been talking about this topic for quite a while, I'm really encouraged to see so many organizations being proactive, to say, hey, what can we do, what steps can we take to make sure that we're being as secure as possible given the constraints that we have.

Even with that good news, I think there's still a long way to go. So NTEN put out some information about the cybersecurity controls that organizations and nonprofits have, and they identified that even with this good momentum, about 68% of nonprofit organizations still haven't defined an incident response plan. That's just a document that describes what steps an organization is going to take if and when something bad happens to them: access to a donor database is disclosed, maybe a ransomware attack. Just having that policy document in place, because cyber attacks are expensive. While we see the million dollar damages in the news, the costs associated with a cyber attack for small organizations certainly aren't that large, but they can still be in the hundreds of thousands of dollars range, which can have a significant impact on a nonprofit organization.

All right, so I've asked a bunch of questions and talked a lot about Community IT. Now here's your chance to respond. What type of cyber threats have happened to you, your organization, or maybe an organization that you are familiar with? Have you had a compromised email account? Have you been a victim of wire fraud or financial loss? That's when information is stolen from the organization. Have you been a victim of really sophisticated hackers that are interested in your work? Maybe you've been a victim of some ransomware attacks or crypto attacks? Or maybe you've been the lucky person that hasn't been involved in any of this. So we'll just take a moment here to let you respond to that poll.

And I think we also were going to ask people, if they had had something else happen to them and they felt comfortable just briefly saying what it was, they could drop that in the chat as well, because sometimes there are just off-the-wall things that happen that are also cyber related.

All right, so I'm going to read the responses. About 60% said that you had had a compromised email account. About 20% said that there had been some wire fraud or financial loss; maybe somebody had gotten you to send money to that bank number that wasn't the right bank number. About 40% have been a victim of ransomware or a virus or malware. And about 20% of you, hello, wonderful, haven't seen any incident or don't know anyone who has. So you can see 80% of the respondents just today said they have some familiarity with some kind of cyber attack.

Great. Well, thank you for sharing those results. And for those of you, the 20% that haven't, the operative phrase that you hear in cybersecurity is that it's not a question of if, but when. So again, with that mindset, maybe you've been lucky so far, but it's something that you could surely plan for. So we'll talk about some of the tools and techniques that you can use to help provide some additional security for your organization.

When it comes to cybersecurity readiness, I like to break things up into these top-level categories, knowing that there are technologies or solutions that are people-centric. Those are things like choosing good passwords or having your staff implement multi-factor authentication. Those are steps that your users can take to make your organization more secure. There's a lot of process around policy and training. I think those are absolutely critical, and so organizations can take those steps to have clearly articulated policies that really define how the organization approaches these different technology controls, and make sure that that is well communicated. Along with the process side, I would say that training is a very key piece. While there are lots of technology solutions, and we'll get into those, making sure that staff are educated, aware and engaged is a really key part of cybersecurity, and cybersecurity training is something that, again, there are lots of free solutions and lots of low-cost options out there to help improve and educate your staff. And then finally, the technology tools. There are lots and lots of different options out there; it can be overwhelming at times, but we'll talk through some of the free tools that are available to help manage things like computer updates, some proactive scanning tools, and then also look at some tools related to email protection as well. I would just highlight that Community IT has a free resource on our website, Carolyn, maybe you can chat it out: it's our Cybersecurity Readiness for Nonprofits Playbook. That's a free guide that will provide some step-by-step instructions along with some budget information for organizations that are ready to take some additional steps to protect their organization.

Yep, so throughout today I'll be putting some of the links in the chat, so hopefully you'll be able to see those and grab those there. And I love how you frame this, Matt. I know this is a somewhat common rubric, but the people, the process and the technology. We're not going to jump right into the tools right away; I think first we're going to talk about people, is that correct?

Yes. Yeah, so first we'll talk about some things that are human-centric or people-centric cybersecurity controls. I'm the CTO, I've got technology in my job description, but I really think that these people controls are absolutely critical and provide a lot of value for organizations, because again, they don't cost much to do; you just need to get people to take those steps. The one that we want to make sure that every organization has, and again, if you only take away one thing from the webinar today, it's that you should make sure that multi-factor authentication is enabled on, definitely, your primary IT systems, but any system that will support it. It should be enabled, because password breaches are so common, because it's so easy to access resources from anywhere. The bad guys are constantly trying different username and password combinations that they gather, and being able to implement multi-factor authentication, which combines something that you know, which is your password, along with something you have, which is often going to be an app on your smartphone, is a great way to put a big speed bump in front of those hackers who are trying to get into your account. I think we've got some additional links and resources available to help support that process at your organization. There are some videos on our YouTube channel that walk through a step-by-step process if you've got Office 365, so that you can turn on that multi-factor authentication, or Google refers to it as two-step authentication, and that provides an incredible amount of protection. One of the things that we see at Community IT is lots of security incidents, and we can see from our data that none of the account compromises that we responded to last year had multi-factor authentication enabled. So we can really see, from the data associated with supporting over 6,000 nonprofit staff, that MFA is incredibly effective at stopping the bad guys from getting into your account. So MFA is our number one security control that you should have in place. It doesn't cost anything; it's included as part of all of those platforms, and it's not something you need to pay extra for. If you have Office 365, you have the ability to turn on multi-factor authentication. If you are a Google Workspace customer, you also have free access to multi-factor authentication.

The next control is related to passwords. Passwords to all these systems: I know myself, I probably have accounts at hundreds of different online services. Every place you go needs a different username and password, and keeping track of all of those is really complicated and can be a daunting task. So it's important, I think, to make sure that you are using unique and complex passwords for every site that you need to access, and the reason is that there are password breaches that happen all the time. Maybe a hacker gets into a system and they are able to get a list of usernames and passwords associated with some certain web service, and then they take that information, maybe from a shopping site or some kind of member site, and then they'll try those same credentials at your mobile phone provider or your Office 365 account. So it's really important that for every site that you access, you create a new and unique password. There are some free tools that are available to help manage these passwords. KeePass is one; that's a free, open source tool that can be installed and used to manage credentials. I would also say that there are some built-in security tools in most browsers, so Google or even the Edge browser will now give you the ability to securely store passwords for websites. From a security perspective, that is a good security tool to have, and it makes it easier to access those systems, because if you can protect your main account with multi-factor authentication and then store all of those other credentials in that vault, that gives you a secure way to access multiple sites through the browser. And then if you're a Mac user, the macOS Keychain is also a great secure enclave as a way to store passwords that can then be decrypted and used at the range of sites. So it's really important to make sure that you are using unique and different passwords at all the different sites that you have access to. And then, for a discount option for organizations that are 501(c)(3) nonprofits, there are also some discounted tools available through TechSoup. I believe Dashlane has a nonprofit discount or donation program where you can access that tool and get a bit of a discount off of the regular list price because you're a nonprofit.

I know we get this question sometimes, Matt, but sometimes people are concerned about a free tool that's going to guard their passwords. So are those types of tools secure? Should you trust them?

Yeah, I think you need to certainly be skeptical of the tools that you use. I think particularly with a lot of the apps that end up being on the App Store or the Google Play Store, there can be a lot of look-alikes that appear like they're legitimate software, but they're not. So again, it's important to investigate what tools are there, and that's why I would recommend using the big names, like your browser, like the Keychain if you're on macOS. KeePass, again, is an open source tool, and so it has lots of eyes on it to make sure that the tool itself is very secure. So be careful, be skeptical, and just make sure that you're using a well-regarded and well-rated app for passwords.

And I think we always say that using a free tool, a password manager, is so much better than reusing a password over and over in different places. It just makes a huge difference.

Yes, exactly.

Okay, so I think the next thing we were going to talk about is, so we hit on people, and then in our three-tier rubric we're going to talk a little bit about different processes that you can use and maybe some tools that will help you with the processes.

Great. So one of the tools that I wanted to highlight was a free resource. It's actually a government resource, so your tax dollars are already paying for this; it's free to use now. It's stopthinkconnect.org. That is a cybersecurity resource that the government has put together that provides a lot of free tips, tricks, some basic trainings and overviews, and so if you're looking for somewhere to get started, this can be a great place to get started. So that website is stopthinkconnect.org and we can check that out. Here you can see some of the basic tips that they outline to make sure that you are doing, again from a process standpoint: keeping your computer up to date through automated software updates, making sure everything that's connected to the internet is as secured as possible, and being careful about plugging in external USB drives. So again, some basic advice that may seem like common sense, but it is really good to just work on the fundamentals. Unfortunately, in cybersecurity the way that the attackers work is that they're really looking for the weakest link, and so if a system is not patched or not up to date, that's the system that's going to get compromised. So it's important for your organization to just make sure that you've got a good foundation, making sure all the basics are covered. Here we can also see that there's a technology checklist of all the systems, and so making sure that you've got a good system inventory, again, is a basic form of cybersecurity control: just making sure that you understand as an organization what are the different resources that we have in place, who has access to them, how are they updated, how are they managed. All those elements go together to form some good baseline cybersecurity controls.

For the next resource, I'll also highlight some resources from an organization called SANS. As we talked about earlier, one of the important pieces to get started with is around IT policy, and then the following question is, hey, where can I get those policy templates? This is a great resource to get started with. They've recently updated their site; I think it has some new updated policy templates. So you can go to sans.org, Information Security Policy, and they have a wide range of policy templates available, from your foundational IT acceptable use, let's just set the baseline, to disaster recovery, to incident response, to data management. Lots of policy documents are available there that provide a framework, and then you can tailor and customize them for your organization's unique requirements.

Some of the free resources that we have at Community IT: I already talked about one, which is our nonprofit cybersecurity playbook that gives you a road map, again, if you've already done all these basics, to really move into some next-level cybersecurity controls. So that's a resource that is available. We have a great little nonprofit cybersecurity self quiz that you can go through and check and see how your organization is doing against some baseline requirements. And then we have our monthly webinar series, where there are quite a few cybersecurity topics that we talk about that can help provide you with some additional tools and education to ensure that you're staying up to date with the most current best practices. And then I'll also highlight that there is a free tool that we are going to make available for folks that are attending this webinar. This is a standards-based risk assessment tool from NIST, and so what that will do is, it takes about 30 to 45 minutes to go through to fill out the survey, and it will generate an automated report with this pretty graphic that highlights what areas of cybersecurity are in the green and are good, and then what areas might be in the red. So you can see that this will provide some recommendations. The NIST Cybersecurity Framework highlights and prioritizes things like security awareness training, which we've talked about as well. So it's a great resource, again, if you're looking to get some baseline understanding of what our organization should be focusing on. This is a great free tool; I think we have the link that we can chat out. You can drop an email and I will create access to this tool for you, and then you'll have access to the online portal where you can fill out this risk assessment tool, get an automated report, have a PDF download, and then dashboard access to this tool moving forward. So again, it's a really great resource, especially if you're trying to get started and figure out where to prioritize the cybersecurity investments for your organization.

All right, another one under the process things. We talked about passwords in the password manager section, and then there's this free resource that's available called Have I Been Pwned. This is put together by an Australian cybersecurity researcher, and he has taken all these publicly disclosed password breaches, put them in a big database, and then you're able to go and search to see if any of the passwords that you use or an account that you use has been involved in a data breach or a compromise. So again, that comes back to the good practice of having strong and unique passwords for all the different sites that you go to. You can go to this website, which is haveibeenpwned.com, you can chat that out, and check and see which of your accounts may have been involved in a data breach. If you find an account, good practice: reset the password, see if you can enable multi-factor authentication.

Oh my God, I did this, and I have this old Yahoo account from years ago, I wasn't even using it anymore, and I guess Yahoo has been hacked so many times. But yeah, I recommend this just for your personal emails that you use as well. It's good, and then you can go change the password on that and enable the multi-factor authentication as well.

Mm-hmm.

So, yes, I have been busy on the sidelines chatting out these different links so people can grab them in the chat, if you can see that. And if you want to get in touch with Matt to request that NIST risk assessment, that link is in there as well. So I think now we are going to turn to technology and talk about some more tools. We haven't got to 10 yet, so it's time. I'll be putting them in the chat as well.

All right, so now we're talking a little bit about technology tools. We can have some conversation about keeping computers up to date. It doesn't sound that exciting, but keeping your computers up to date with both operating system level patches and application patches is a foundational element of cybersecurity control. So if you are a Windows user, Microsoft has made a shift in their patching policy, so again if you're on Windows 10, they're automatically pushing down those patches to you and installing them in the background, so it's important for folks to be rebooting their computers ideally once a week so that those patches can have a chance to be applied, and applied correctly. So again, Windows: you just make sure that you're restarting your computer weekly and that should take care of the operating system patches. If you're a Mac user, you go into System Preferences and check for updates. macOS patching is really end user-centric, so again, check for those updates and restart your computer weekly to make sure that they have a chance to be applied. So that's for the operating system.

For third-party patching, that would be third-party applications like Chrome, like Adobe, maybe some additional add-in tools. A lot of them have now moved to a self-updater model, so that's been great. If you're responsible for the IT at a larger organization, it may be helpful to have some sort of an automated tool to make sure that it's not just the operating system level patches that are being installed, but all those third-party applications as well. So there are a couple of tools out there. Ninite is a very popular one. There's a free version of that, and you can run it on a computer; it'll scan for all the applications that are installed there and identify which of them need updates. Then there's, again, not a free but a Pro version, or there's an enterprise level that allows you to automate a lot of that, and so if you're at a larger organization that may be a great tool. Chocolatey is another so-called package manager, and again provides a free way to manage and update applications in a centralized way. So again, those are some great tools to make sure that not just your operating system is patched, but also the third-party applications are patched as well.

So now that we've talked about that: your operating system is patched, that's a pretty straightforward process, third-party applications are patched, now you can maybe look at some vulnerability scanning. Vulnerability scanning is a process where you can get a third-party application to scan your computers and your public web resources, and it will report back if it detects that anything has not been updated. So this is a great way to check and confirm that the patching process that you think is in place is actually working. There are a couple of different options out there. Qualys, which is a really well regarded vendor for this, does make a free scan version. It has a limited scope, but it is a great way if you just want some independent checks on the quality of your patching and management systems. The Qualys tool is available at freescan.qualys.com, and that will give you some insight in terms of, are my computers patched and updated, are my servers' patches up to date. It'll even look at network firewall information; it is able to query and report on that level of insight as well. So again, it's important to patch your systems, and it's important to confirm and make sure that that patching is actually happening.

As we talked about at the very beginning, email is a huge source of attacks. The most common attack vector is going to be through email. There are a lot of great paid security tools available to help block spam, remove business email compromise messages, all of that. So there are great paid tools that can proactively block that. If you're trying to build a case or just want some additional insight about whether you need this tool, Barracuda makes an email threat scanning tool where you can actually sign up, delegate some permission, and the Barracuda system will actually scan your Office 365 environment and identify if you have malicious messages that are already in your Office 365 environment. So here in this report that we can see, delivered, it will identify if there are fraudulent messages, maybe if there's spear phishing that's already been delivered. It will surface those messages so that you can get some additional information on them. So again, a really great tool to provide some of that reporting and analysis to make sure that the email tools that you currently have in place are doing the job that you expected them to, and just give some good insight and reporting to identify if there have been any threats that have already made their way through. So again, the Barracuda email scan is a great free resource as a way to scan that Office 365 environment to make sure that your email inbox is clean.

All right, I think we've got a bonus recommendation here. I did want to highlight that there are some additional free tools that vendors like Microsoft make available, particularly for organizations
that are in kind of like the democracy and journalism space so again if you find yourself in that category there are some additional security tools that Microsoft will make available call the defending democracy program um and uh so I think it goes by the term account guard so this is you know turns on some additional Security Options within Office 365 and then gives you access to their addition you know kind of heightened security planning and response team uh for making sure that your organiz
ation is well protected and you've got maybe some additional set of tools and and monitoring available from Microsoft so again that's a free resource that Microsoft provides to organizations that are in that what they call their defending democracy space so we've talked a lot about free tools and I think you can certainly do a lot with free um but I will say you know there for a lot of these tools there's a limit to what you can get out of the free platform and so I think there's certainly a cou
ple things that you've done the free stuff and you're ready to move forward and kind of take the next step I think there's a couple things that are really worth paying for so one is formalized security awareness training um again you can do a lot for free you can you know if you're an internal person you know you can kind of run and provide education to your staff I think that's great um I would maybe look for security awareness training uh it's being included with a lot of different service off
erings now so again maybe your HR System is including some training libraries as part of an added module that they're throwing in uh you know so that's something that we're seeing quite a bit I think you want to make sure that the cyber security training is really good and uh relevant so that you can kind of get your staff engaged and it's not something that people just kind of pass off and ignore because it's not done very well I do think security awareness training is something that it is wort
h paying for because you get such a good return on investment from that uh you know we used no before it's very well regarded it's not that expensive and we see results and so this is from there data that they generate from I think they have like six million customers or mailboxes that they're protecting or providing training for and uh the thing that I like about some of these paid training programs that you can see progress over time in terms of who's clicking on emails so you can do some test
phishing out of the out of the tool where your messages are delivered in inboxes you can see which of your staff are opening messages which of your staff are clicking on them and then it combines that with an online learning management system where you can assign trainings gauge progress and then provide follow-up as it's needed so again we see this mirrored in the clients that we're working with where you know from initial Baseline fishing campaign we may see I don't know 20 to 30 percent of m
essages get clicked uh and then typically over time after about a year so that falls into the low single digit percentage points so it really is effective and you can measure the progress over time really great resource and uh not that expensive totally worth it and again that reportability is just really handy so you can get some feedback so it's not just uh you know the I.T person sharing at a staff meeting once a year but you can really see some measurable progress over time I can definitely
say having to know before and I clicked on the wrong but you get an email from no before and it's got a little suspicious like you should be suspicious of it of course I clicked on it and then it takes you right too it's like immediate you know you're like I shouldn't have done that and it takes you immediately to like what you should have done how you can check how you can hover over to see you know look for misspellings and stuff like that so I I just found it incredibly effective for me perso
nally that fit my style of being able to learn about it um in a positive way I wanted to just jump in quickly and say we're going to leave a little bit of time at the end for questions so we're getting a couple now but if you have questions for Matt we're going to save them for the end but put them in go ahead and put them in the Q a feature now so that we'll be able to get to them great uh another tool I think that's really important to pay for and it's actually a follow-up on that that email s
canner tool is uh business email compromise protection so again uh some of that may seem a little jargony so I will Define uh to spam there's just kind of any any type of unwanted email we all know it we're all familiar with it you know kind of offensive emails as for you know Viagra sales junk just kind of stuff that's just unwanted like you know what's coming who it's coming from but uh it's not something you're interested in it's kind of easily ignored and so that's how I quantify or characte
rize spam um business email compromise is kind of a little bit different also kind of spear phishing is is kind of a similar term where the sender of the email is obfuscating who they are and they're trying to appear like somebody else you know again like your executive director emailing a staff person saying hey can you do something for me real quick right or hey I need you to buy some good gift cards can you do this or call me back on this number right so that is when the the name of the sende
r is often obfuscated and so they're disguising who they are and trying to get you to take some action it's really hard for any spam solutions kind of the traditional any spam solutions to block this stuff because there's just not that much content to go on um and so it can be very difficult you know if you have spam protection it's been set up for a long time it's going to miss all of this stuff because it just hasn't been updated or it's not designed to to protect against this very short trans
actional email messages so there are security tools that are built to identify and block this they typically work a little bit differently whereas regular spam filters are you know kind of email flows through them these business email compromise protection tools like Barracuda um Sentinel uh work by kind of connecting into the back end of your email system and scanning email after it's delivered and so they're able through some of their AI work to analyze messages determine intent that tool can
maybe figure out that the sender is different the actual reply email address is different from the sender and provides some additional insight and it's great because it can remove messages from your inbox after it's delivered so again this is a very helpful and Powerful tool in combating these business email compromise attacks and I find organizations again if they have to pick between the two they'll often choose to pay for this type of protection because people get a lot more upset and and you
know frustrated whenever they're getting email that looks like it's coming from their executive director or looks like they're coming from their finance department and so if they can block and remove that they'll prioritize that over you know trying to reduce the amount of junk spam messages that that people get in their inbox so again um business email compromise protection or spear phishing protection I think it's something that's worth spending money on again because so many attacks originat
e via email it's important to have the best type of protection you can if you're going to make a cyber security investment you know after MFA email protection is a great place to um to look at spending that money and then I will say uh you know I think assessments are actually worth spending money on as well so I think you can learn a lot there's a lot of free assessment tools already talked about a couple here there's a you know probably a five minute um survey tool that you can go through you
know on our website it'll give some immediate feedback there's the offer to do the free nist assessment again about a 30 to 45 minute investment of time on your part to go through the survey to answer all the questions you know gives you a nice report back those are great kind of survey driven um tools to give you some insight in terms of what your organization should do next um but I think there's certainly no substitute from somebody actually you know looking under the hood at your organizatio
n's I.T configurations and policies and procedures and identifying where those gaps exist so again if you've already done the fundamentals right if you've already implemented multi-factor authentication you've already done security awareness training you've already um you know maybe done some I.T policy work you know the that's where you really should start you don't need an assessment to tell you that but if you've done the basics and you're really looking on how can we continue to improve our
organization's policy and kind of practices around cyber security having in and outside vendor who's kind of specialized and focuses on on cyber security controls can be a great way to help make sure that you kind of continue to make sure that your bases are covered and then move you know move to a more mature level when it comes to implementing cyber security protection so again I think getting an independent assessment is a great way to provide a lot of value I would certainly do this before u
h you know organizations maybe invest in pen testing um I think pen testing again can be helpful but you really need to make sure you've you've invested a lot in your cyber security controls before that sort of assessment or you know that sort of services is really worth it so again free tool helpful once that's done you know you can kind of move up the chain and continue to improve your controls we said we'd make sure everyone knew all of the lingo so can you just tell us what pen testing is uh
yes so pen testing short for penetration testing uh and so that is a uh kind of a tool or a system of approach where an organization will actually kind of pretend or act like the bad guy and try to hack your system so again they will you know maybe send emails to your staff to try to get them to click on things so actually you know look at your website and and try to do some exploits and so again it's a it's an you know it's a mock adversail engagement where you know you're paying somebody or a
firm to kind of do some of that proactive scanning proactive hacking so that they can uncover weaknesses for your organization to identify and protect so that whenever the real bad guys come uh you've had a chance to to identify and Implement some of those protections and I think pen testing tends to be a lot more expensive is that am I wrong in thinking that and also more necessary larger organizations or if you are working in a policy area where you have specific concerns like an advocacy are
a or in maybe some other countries where you're thinking that there may be that kind of spying or persistent threat that you want to invest in the pen testing perhaps yeah I would say you know penetration testing I think you know depending on the size of the organization again the answer is it often depends but that's going to be you know something that's like at least 10 like a ten thousand dollar in engagement right so kind of starting at 10 000 and going up and going up kind of quickly from t
here so again it's it's very expensive and maybe a requirement again if you're an organization that needs to follow um you know PCI compliance you process credit card information you have a lot of donor information you know those are areas where it may be relevant and worthwhile too or maybe even required to do penetration testing but if you're doing that as like hey we have some money to spend on cyber security where where should we spend it um that would yeah be one of the last things that I w
ould do you know invest in in the in the basics get a road map make sure that these basic controls are in place uh and then you may get value out of the pen test I think you said also um maybe a different time that once you've had a security breach you're then on the list of more likely to have more um not because you were doing anything you know particularly wrong but once you it's known out there that you had a problem then you know you get on these websites and other people are going to try a
nd attack as well so maybe that would be another consideration uh we're doing great on time I want to make sure that we go to the Q a um now so on this slide you see we have um Matt's contact information and we have a couple questions that came in so I'm going to go through them in order um we have a question from Carolina who wonders do you have a recommendation for email threat scanning for Gmail yes so uh that is so most of the tools will do email threat scanning for Office 365 I think they h
ave a bit more of an open um API uh that allows them to do that uh there are some for Google the name has escaping me right now uh if you send me an email I will reply with it or if I think about it you know by the end of the webinar I will uh I will share that but there are again so this is one area where you know if you have a spam filter the way that works you're you're kind of just sending your email through there and then they can deliver it whether you're in Google or whether you're in off
ice 365. these you know business email compromise tools again typically work through apis and so most of the work is around Office 365 so there's a lot of solutions there and then there are less less Solutions available for for Google but they do exist um and I will I'll think about I'll have to get that that list over okay um so the next question is do you have a recommendation for free is great or paid is okay for password managers for teams and staff I'm sorry um the person who asked this Ben
I'm not sure if that's for teams the platform or for a team within your team team's a group yeah as a group yes so I think you know the kind of the password Journey that you know many organizations are on are you know step one right no password management or using the browser or that kind of thing which is where we all start you know the next step would be you know getting a password manager maybe as a one-on-one and then moving up to kind of team-based password managers I think the you know th
ere are popular tools again like Dashlane um I like LastPass personally uh and there are team-based subscriptions where again for your organization you can buy and provide password managers for staff as a kind of a secure way to to manage and deal with all of those unique passwords that you need for every you know for all these different sites all right got 150 different sites that you need to log into throughout the course of your work week um then it's important to have a good way to generate
and manage all those passwords without reusing anything so yeah so I think LastPass is a great tool for something like that um but it was Ben who asked the question and he clarified teams as a group not Microsoft teams the platform do you I might be opening a can of worms here but is that I know that you've talked about single sign-on in the past that's something that's more organization why you wouldn't have that just for a team to access all of their applications that they need yeah that's cor
rect so again a password manager is great for storing and providing passwords to to kind of all these discrete websites again if you're part of a larger organization or maybe you have a little bit more sophistication kind of the next tier up would be called single sign-on so instead of having you know 10 username and 10 passwords for 10 different websites you would have one username and one password for those 10 websites and so um the security thinking there is that instead of kind of protecting
all those different accounts equally and like managing them discreetly you're able to provide more support and management around that one credential that then provides access to all those different websites through some security technology called saml is typically the the mechanism and that there's there's a whole bunch of technical stuff that we could we could geek out about related to that but this the kind of the security benefit of single sign-on is that you get much better reporting and an
alytics from like kind of Gateway that you're putting up uh than you are trying to manage like 10 different accounts at 10 different websites and obviously that increases exponentially as you add more people and more websites to to the security profile I think if you want to geek out with Matt you need to get in touch with him um we have another question which is any recommendations for log aggregation and Analysis tools we worry that if we had a breach we would never know or have records to han
d over to law enforcement or Security Professionals so I did already put in the chat and in response to that question the loctin guide for cyber parents which has a really it's a free download and it's kind of adjacent to what we were talking about but it has a lot of the controls and kind of how to think about insurance and then as part of that insurance process if you had a breach you know what you would do next and I can also recommend our webinar that we did on that in August which I'll drop
that as well but go ahead not um yes I think that is a great question I think whoever asked that I think shows uh you know kind of a growing awareness of of kind of just all the all the different systems that are out there that would need to be considered kind of if and when you do have to respond to a breach so uh you know it's a just kind of in general most systems will provide you know maybe a week or two or or maybe up to 30 days of logging right within a platform and so in the event of a s
ecurity incident your I.T provider or you know the breach response person are going to kind of look in those logs and and unless you've got a unified system in place they have to look in all these different places to try to piece together well wait how did this email come in and then this person clicked on it and then you know it was a virus on this computer and then it spread to this other system uh and so if you have all these disconnected systems it can be very difficult if not impossible to
try to really piece something together so again there is a uh you know a number of different solutions that are uh called security information and event management tools that are geared towards basically uh receiving all this log data so that you can again retain it and search it and analyze it so um they end up again being expensive right if you're asking questions about log aggregation you know that I think shows a certain degree of maturity as an organization um you know there are some you kn
ow kind of Open Source tools that are on the lower cost side but if again if you're making the investment in a Sim Tool uh you know it's important I think to understand your requirements and it's probably going to be you know part of a Strategic investment for the organization uh and and you would kind of go through and kind of figure out what your requirements are and find a vendor that would match up with that again that's you know probably in the yeah tens of ten to fifty dollars kind of per
month per user kind of kind of cost range and so again uh can be relatively expensive but uh again if you're depending on the type of organization that you work in may be a requirement um okay I want to make sure um that I get to tell people about some of the other events that are coming up for cyber security month um and uh those are things that are on the slide right now um I'm going to drop some of those in the chat as well but I um I want to make sure to tell people that we are also giving a
webinar in October October 12th um you can sign up for it on our website communityit.com and Matt is going to be back and talking about anti-fishing training um where we worked with a funder to provide that to a bunch of their grantees so really interesting case store study about working to kind of protect your investment in your non-profit and how to train staff to be that first line of defense so that's coming up as well we had another question of Matt's email address which I think is on the
next lighter the one after so we could put that up I think that's my contact I'm happy to if you want to yeah chat I'm happy to have that made available for folks that are on the webinar today okay yep I can put that in there too um and I said I would put these other resources that are coming up on different um see if those will come up yep all right and I'll put your your email in there okay um I think we have the learning objectives I want to just go back quickly over them I always like to you
know kind of wind up an hour of having such a great conversation with you Matt about all of this that I think really you did a great job of course covering the cyber security landscape for non-profits um talking about cyber security Readiness we have that free download with the report um the 10 I think it was more than 10 free security tools and a couple of those that you could pay for and then like depending on what the kind of investment you wanted to make um what you would do next how to get
in touch with you if you need an assessment or that free tool or just want to geek out understanding the role of Executives and staffs to manage basic security even when you're not the I.T person although I get a sense that we had some I.T people on this webinar but I hope that if you are not um you know totally up on all of the lingo and uh in charge of this at your non-profit that we gave you some things to think about and some tools to investigate of course you can always get back in touch w
ith us and that's the last point of the learning objectives knowing where to go for additional resources on non-profits cyber security so um I think that's it for us let me drop your email in the chat here um and then I don't know Tammy if you wanted to wrap it up for a nonprofit learning lab yes thank you Matt and Carolyn this Workshop has now come to a close if you are interested in receiving the recordings and materials from today's free webinar you can visit our free webinars page on the non
-profit learning Lab website or you can send us an email at program nonprofitlearninglab.org thank you so much for participating and again thank you Matt and Carolyn for educating our community