
Cybersecurity Self Assessment for Nonprofits

How secure is your organization? Join Community IT CTO Matt Eshleman in a new webinar that explores risk assessment and cybersecurity preparedness options. Community IT has released a self-assessment quiz (https://communityit.com/nonprofit-cybersecurity-self-quiz/) that gives you documentation of your cybersecurity readiness. Many nonprofits are building cybersecurity policies from the ground up. Your nonprofit may not have a good idea of where your weaknesses lie, or where to invest your cybersecurity budget wisely. You may not have an executive-level role responsible for cybersecurity, or adequate and frequent staff training. For more details, you can download our free Cybersecurity Readiness for Nonprofits Playbook, which will help you build the foundation on which you can begin to optimize and then be proactive about your security approach. The Playbook is complementary to this self-quiz, and both are free. As with all our presentations, this webinar on cybersecurity self-assessment is appropriate for an audience of varied IT experience. Community IT is proudly vendor-agnostic, and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.

Community IT Innovators


All right, welcome everyone to the October 2021 Community IT Innovators webinar. Thank you for joining us for today's webinar on the cybersecurity self-assessment. Today we're going to explore your risk assessment and cybersecurity preparedness options based on our just-released cybersecurity self-assessment, which you can find on our website and which we will be sending a link out to shortly. This self-assessment will help nonprofit organizations document their cybersecurity readiness.

My name is Johan Hammerstrom and I'm the CEO of Community IT and the moderator for this webinar series. The slides and recording for today's webinar will be available on our website and YouTube channel later this week. If you're watching on YouTube right now, we encourage you to subscribe to our channel so you can receive automatic updates when we post new webinar recordings each month. We invite you to use the Q&A panel throughout today's webinar to ask questions, and we will do our best to respond.

Before we begin, I'd like to tell you a little bit more about our company. Community IT is a 100 percent employee-owned company, and our team of 38 staff is dedicated to helping nonprofit organizations advance their missions through the effective use of technology. We're technology experts, and we have been consistently named a top 501 managed services provider by Channel Futures, an honor that we received again for 2020. And now it's my pleasure to welcome our Chief Technology Officer, cybersecurity expert and resident thought leader in the area of nonprofit cybersecurity, Matthew Eshleman. Good afternoon, Matt.

Hey, good afternoon, Johan. Thanks for the intro, and I'm thankful for all of you who are joining today. This is October, it's Cybersecurity Awareness Month, and so we're bringing this session to you today to talk a little bit about how to go through our cybersecurity self-assessment and, I think more importantly than going through the assessment, understanding the recommendations and making a plan for how your organization can get those plans implemented.

So we are going to be talking about a couple of things today during our session. One is just the overview of the cybersecurity landscape; I think it's always good to level set and understand the kind of IT world that we're operating in. We'll talk about some controls that are identified in the assessment, and then talk about how to prioritize implementation and engage leadership. I think there are so many different assessment tools out there, and surveys and frameworks, so there's no shortage of knowing what to do. I think the real gap is in implementation and execution, and so we'll talk a little bit about how to pick some things, how to engage your leadership and how to really move forward with the implementation. As Johan said, we want this to be a conversation, so please use the chat and the Q&A features. Johan will be moderating that, and we'll be taking questions as they come in during the session, so please feel free to go ahead and put those in so that we can answer any questions that come up as you think about them.

So let's first start off by talking a little bit about the cybersecurity landscape. This is the world that we're operating in now, where we see persistent and ongoing brute force attacks on identities. If you've been following the releases from Microsoft, there have been a number of different threat actors that have been conducting password spray attacks against Office 365, and this is something that we see in the security systems that we monitor: there are just ongoing authentication attempts against any cloud-based system. Again, if you can log into it from the cloud, the bad guys can too, and they're actively doing so and trying to log in.

We're also seeing very sophisticated spear phishing attacks being perpetrated, where you may get those emails that look like they're coming from somebody within the organization, or maybe even a partner organization that you work with, and then try to get you to click on a link, share your password, buy a gift card, or update some financial information. They look very convincing, so that's something that we've seen a real increase in over the last year or so.

We're also seeing organizations targeted because of the work that they do. Organizations in the think tank and policy space I think are particularly targeted right now. We're also seeing attacks against health care and even education. So again, nonprofit organizations don't get to fly under the radar because they're doing good work; organizations are targeted because of the work that they're doing. And then finally, we're also seeing attacks targeting vendors. Vendors like managed service providers such as ourselves, because of the access that we have, are favorite targets of these attackers, and so it's important that as you're working with a vendor you have a good understanding of the security controls that they have in place to protect your information.

It's not all necessarily bad news. The good news is that there are lots of good security tools available to help combat these threat types. You've taken a really good step in terms of coming to the webinar to learn a little bit more; maybe you've already taken that self-assessment. We certainly see a lot more proactive steps from the clients that we work with, asking about how they can implement good security controls at their organization and what steps they need to take, and I think that's really encouraging. But we know that we still have a lot of work to do, and I think that was judged by the survey results that we saw. I don't think we had very many people that had the big smiley face that said, yes, we're doing all that we need to do in the area of cybersecurity protection. So again, there's lots more work to do, and I think there's also
a real financial impact to this as well. We see the stat here that breach response for a small to mid-size business is about $149,000; that's real money. The other thing that we've seen in the last six months in particular, as it relates to cyber liability insurance renewals, is that those prices are going up, they're going up steeply, and they're also mandating significant cybersecurity controls to be in place to even be considered for a policy. So if you have a renewal coming up, I think you need to be aware that the controls that you may not have had to say yes to, you will now need to be able to say yes to. I think the cyber insurance business has gotten burned, and so they're reacting to that with increased requirements for controls and also raising prices as well.

And again, as I'll reiterate, just because you're a nonprofit organization doesn't mean that you get to fly under the radar. Your organization has data that is valuable, and that could be specific information like what's shown here in terms of credit card or customer PII, or medical information if you're in that space, but it also could be other financial loss that occurs due to fraud. We've seen recent examples of this related to email compromise that turned into wire fraud, so again, updating bank transfer information. We've also seen cases of gift card fraud, and while we haven't been able to find a direct correlation with any compromise on a system that we've maintained, we've also seen a spike in unemployment fraud. This is kind of new to me in terms of the fraud associated with unemployment claims, but that's where an employee's identity is stolen somehow, not necessarily clear how, but then an unemployment claim is filed, and then the state office reaches out to the employer to confirm the status and then follow up. So this is something that has increased pretty dramatically as part of COVID. Angie Barnett, who is the president of the Better Business Bureau of Greater Maryland, said that in some estimates this type of fraud has gone up over 300 or 3,000 percent since the coronavirus pandemic, and catching and prosecuting these criminals is really tough. I know I've been on the reacting side whenever we have a client say, hey, we were contacted by our state labor department to investigate this claim of unemployment, can you investigate what happened? So we're involved in responding to those incidents as well, and it's because of the data that is stolen. Again, it could be from the organization, it could be other areas where an identity may be stolen, but that really translates into real money, into real financial loss.

I think it's important to understand that these hackers aren't just some genius hacker in the basement, and there's 15 percent of your password that's trying to get into the system; these are organized criminal enterprises. So again, the cybersecurity adversaries that you face are examples like we see here: Fancy Bear, which got a lot of press as part of the DNC hack back in 2016; Cozy Bear, also a Russian-backed entity that was involved in the SolarWinds attack; and then we have the other adversary here, which is not necessarily a nation state but more of a criminal enterprise, the REvil group, which has been responsible for or associated with a number of ransomware attacks recently, the Colonial Pipeline among others, where networks were infected with a crypto virus, all the files were locked, and then a ransom was demanded in order to get that data back. So again, that's something that happens to big companies, but it's also something that happens to small organizations as well. I was talking with a colleague today, and he said that his local newspaper actually was a victim of a crypto attack just in the last week, and it really just crippled their ability to put out a newspaper. So this is something where no organization is immune from attack. It doesn't matter if you're Colonial Pipeline or a local print company or your local department of education; all are vulnerable and susceptible to these types of attacks.

So in terms of how we take all this bad news and scary things and turn it into actionable steps for nonprofit organizations to take, it's really by building a foundation of security policy and awareness. We really try to start with that view of a policy roadmap, educating and training the staff at the organization, and building on top of that with the technology tools that fill in these blue blocks here as well. Once we have our foundation established, then it may be appropriate to add on some additional sophisticated tools to provide that extra layer of protection. We draw that from what we've put out for the past three years, which is our Nonprofit Cybersecurity Incident Report. This is a report that we've developed because, as a managed service provider, we support over 140 different organizations, we support over 5,000 users, and so we get a lot of information through our help desk in terms of the types of attacks nonprofits are facing. We can see over the years that the number of security incidents that we record has really gone up dramatically. Back in 2018 we recorded 233 incidents; in 2019 that number went up to just over
500 incidents; in 2020 that was almost 700 incidents. That helps us take a data-driven approach to guide our cybersecurity recommendations. In addition to the data that we see coming through our service desk, we also use common industry standards such as the NIST Cybersecurity Framework and the Center for Internet Security's v8 controls, which, if you're a policy wonk, used to be referred to as the 20 Critical Security Controls; now there are only 18. I think they've actually done a good job in the revision, making it a little bit more applicable to smaller organizations, but again, they provide some good high-level guidance, and I do think that they end up being a little bit overly cumbersome for the smaller and more cloud-centric networks that we see in the small and mid-sized nonprofit clients that we work with. Applying those big frameworks to your organization just may be a little bit too complicated or not relevant, and so that's why the assessment that we put out in that survey really is a stripped-down and focused version, so that you can get started on manageable steps to really address the most likely risks to your network.

So let's go ahead and take a look at those specific sections in the survey, talk a little bit more about the details, and then where you can get started. As I said, we really start with policy. I think policy is maybe not
always the most entertaining thing to talk about, but the policy really should form the foundation of your cybersecurity controls. This provides the framework to make other decisions that layer on top of that. We have an entire webinar and podcast devoted to these policy elements that you can check out; Johan will be chatting out the link to that, where I really go into a deep dive on the policy creation process and the details associated with each of those elements. But I will say that, whenever I'm doing consulting engagements with clients, most organizations do need to refresh their IT acceptable use policy. It's likely part of the employee handbook, it was developed a long time ago, and it really isn't reflective of the organization and how they work now, in terms of being flexible and cloud-centric as many nonprofit networks are now.

I think that was one of the striking things that I noticed in the survey data: of all the people that have taken the assessment now, only one organization has data solely on premise; every other organization was entirely in the cloud or was in a hybrid environment. I think that's evocative of what we see as well. We've taken a cloud-centric approach for quite a long time, and nonprofit organizations I think benefit from the donations from Google and Office 365 among others, and I think that's really been a benefit, but I think it also means that our policy work often is not reflective of the current operating environment. So I would also encourage organizations to go through that policy development process and use it as an opportunity to identify all of those IT and information systems that are in use and catalog the data that's stored in each one of them.

It's also a good opportunity to have a discussion around the device status of the organization. This is another thing we found: because of COVID and the work from home and the use of cloud platforms, many organizations have relied on personal devices, either personal computers or mobile devices. It's been viewed as a nice benefit, and that may be okay, but it's good to talk through some of those different scenarios to see how your organization would react. So again, somebody syncs your organization's Dropbox folder to their personal home computer and then they leave the organization; what impact would that potentially have? The same scenario could be that your development director has their email on their personal phone; they leave the organization; what happens to all those contacts, calendar, and email addresses as they leave the organization? Is that okay? Is there any concern about that data going away, or would your organization want to have or need to have some sort of controls that say, hey, whenever you leave we're going to wipe data from that device, or if your device is lost or stolen we need to have some way to prove that it can't be accessed by somebody that picked up the computer, that acquired it maliciously or by accident? I think having some of those real-world cases helps to make this stuff come to life. We've all appreciated having the flexibility of these cloud-based platforms, we've all appreciated the ability to access new services, but I think at the same time
it's good to ask those questions: what happens in these scenarios, what do we need to have in place as an organization to protect our data, which is our most important asset? I think that really starts with, and can be included as part of, the IT acceptable use policy.

The next bullet on there talks about a data privacy policy. One thing that I typically see is that this policy tends to be a little bit more up to date; this often comes through the web or data side of the organization. It really talks about how your organization is handling the data that you receive from your constituents, from your donors, and what are the protections and expectations that somebody would have whenever they fill out a donation form or sign up to volunteer: how is that data going to be used, what expectations can that individual have around the privacy controls of that data? Oftentimes this is a separate document and would be informed by the various data systems that you're using, and could potentially also be informed by some external compliance standards. For example, if you do need to be aware of GDPR, or there are some California data privacy or New York standards, those would be applicable here or help inform those policies. So again, the data privacy policy would be a separate document that would often be developed to support those platforms where you're showing information about constituents, volunteers, and other stakeholders of the organization.

And then the final policy document that we think is a key element of a foundation or a baseline would be the incident response plan. Again, this is a document, and it doesn't have to be very long, but it really describes what your organization is going to do when something bad happens. The operative phrase in the cybersecurity world is it's not a question of if but when, right? So it's not if you're going to get hacked, it's when you're going to get hacked, and with that mindset it does, I think, change the thinking. We still want to prevent, we still want to have good practices in place to prevent bad things from happening, but then we also need to have thought around what we are going to do whenever that bad thing does happen. It doesn't need to be long and sophisticated, but it should be clear in terms of who you're going to contact. Does your current IT provider have the capacity to respond to an incident? Do you need to have somebody else in place? Are there resources maybe that are available through your cyber liability insurance that would help support an incident response plan? What stakeholders, maybe on your communications team, need to be involved if you have to do a notification to your stakeholders? I think that was a challenge for many organizations that were affected by the Blackbaud breach; they had to scramble, they had to figure out, okay, their database of 50,000 users was exposed, how are they going to communicate, what are they going to say, what do they need to say to the stakeholders? If you're able to at least run through some of those scenarios ahead of time, it can help you fill in those gaps, so when you do have to use it for real there's not so much thinking on your feet; you can have a plan and work through it as opposed to really reacting in that scenario. So that outlines the policy controls and provides, I think, a little bit more context to those survey questions that we're asking.

The next piece and element that we talk about is around training. As an IT professional who loves lots of shiny tools and lots of reporting and analytics and endpoint management, I really think that training is the key first step in investing in a technology solution. So again, making sure that your staff are aware of what's going on, are educated and equipped to respond to these cybersecurity threats, I think is a key element in protecting your organization's data and also preventing financial loss through these online fraud attempts. We know that most of the cybersecurity threats are coming from email, and so if we can really focus our training and tools and protection around reducing those email threats, then we get a lot of value out of that. We have some training resources that are available that we've done for free that are on our YouTube channel; there's an end-user security awareness training, and there are some other resources that you can walk your staff through. Our best practice is to use an online training platform called KnowBe4, and this is the framework that we use in terms of the education and awareness for a standard cybersecurity training plan.

So that plan really starts with, and I put quotes in here, a "large" annual training. What I mean by that is not that once a year everybody goes into the conference room and you have a one or two hour presentation by somebody up front and everybody sits there and learns about it, but through the online training platform we use, typically, a 15 to 20 minute training video that talks about a couple of different scenarios, different educational elements, a quiz and a survey to have some interaction. That would be something that would be done on an annual basis or as you onboard new staff, so they would go through that training on their own time within a few days of their employment, or again, if you can do this on an annual basis for your staff. So an annual training that really covers some foundational concepts to give people some awareness of the most likely attacks that they're going to see: how to identify spear phishing, choosing good passwords, good security practices; those are all common elements of that annual training.

The other thing that we like to do is monthly test phishing. This gives you a way to measure how well you're doing, so in addition to providing the training, we also want to test and evaluate how well staff are responding to that, and so we do monthly test phishing just to see how things are going. I have a slide a little bit later on where we can see the effectiveness of that over time, but we found that this rhythm typically works well. Alongside of that, we're also deploying the ability for staff to report if they have a suspicious message. We want to have an engaged user base that feels like they have tools and they're equipped to identify suspicious messages, and if they're not sure, they have a way to check. That just sends it to our help desk team, and we can evaluate it and head off any potential issues.

And then finally, we would say we want to have quarterly micro training. We don't want cybersecurity training to be something that we do once a year and then don't really think about; we want to keep it in front of people. So on a quarterly basis we're typically delivering a five-minute micro training that's in the form of a game or a quiz. There are even some short-form videos, like a miniseries, that communicate the concepts in a way that's engaging and educational as well. We want to keep security in the front of people's minds so that they are constantly aware and vigilant. And then, because we have a training system that gives us some reporting and insight, we're able to identify if there are staff that need additional assistance. Usually there's always a handful of folks that could use some additional training; maybe that's one-on-one, maybe that's some additional online training. But again, we want to know where our problems are so we're able to be proactive about that and address it ahead of time.

So now that we've talked about the policy elements and the security awareness training and staff education, I think now we get to the technology controls, the tools. There are technical pieces that we can implement at your organization to prevent those attackers from getting into your systems, and those are broadly in three different categories. The first is your identity and account management. As I mentioned earlier, anything you can log into from the web
the bad guys can too, so really focusing controls around that identity is where we want to make that initial investment. We also want to focus on data protection, because we have that mantra that it's not a question of if you're going to get compromised but when, so we need to have those reactive protections in place. That means things like backups. Just because you have data in a cloud-based system doesn't mean it's protected in the way that you assume it is, and so, tying this back to some of the IT acceptable use or data policies, if you as an organization say, hey, we really need to retain data for a year, then you need to make sure that you've got the technology tools in place to support that, because many cloud systems may have a 30-day data retention. If you have a departing staff person and they delete all their files whenever they leave the organization, and then you realize 60 days later that you need to recover some of that information, it may not be possible unless you proactively put something in place. In the same way, if you need to be able to respond to some sort of a security incident, you need to have the security tools in place that'll allow you to do logging and reporting and analytics before that incident actually needs to be reacted to. So again, data protection is really important, because I think we've gotten rather lax in our shift to the cloud. We haven't needed to be as deliberate about planning around that data protection as when the server was in the hall down the office and we had the backup tapes and somebody was swapping them and taking them home and being diligent. We moved to the cloud and kind of forgot about it, but I think that's a mistake, and we need to be intentional around the protection that we have around not only the backups but also folder permissions, and maybe there's some encryption that needs to be put in place on either files or on the desktop computer, so that if again something is lost or stolen, you're not going to disclose information about your constituents.

And then the final element here is really on the device protection. Device protection is really focused on elements of updates and patching. If you follow us on Twitter, we tweet about, hey, have you rebooted your computer this month? It's kind of basic, but making sure that your computer is up to date with the most recent security patches is a very good security practice. It's low cost. If you're in a Microsoft world, it happens automatically; if you're in the macOS world, you may need to be a little bit more intentional around installing those updates, but restarting your computer allows those things to be installed completely, and then that protection is applied to your computer. The same thing goes for third-party applications, so in addition to the operating system updates, the third-party apps need to be updated as well. And then you also need to have antivirus on your computer to make sure that you've got that extra layer of protection in place. For us as a managed service provider, we have reporting to make sure that all this stuff is happening, so that we can verify that updates are installed and antivirus is up to date. Unless you're able to do those things, there'll be gaps in the system. So again, those three elements of the technology piece are really around your identity and account management, data protection, and then also device protection.

So if you've been hanging with me so far and you've checked everything off and you're doing great, congratulations, that's really great. I think that cybersecurity is really about fundamentals, and so once you have those fundamentals in place, then you can move into additional controls that will provide an additional layer of protection for your organization. In cybersecurity it really is the weakest link that is exploited, and so it's important to invest in the basics before spending money on tools or consulting or services that may not provide much of a return on your investment.

So where we see value associated with those next steps: if you've already done all that stuff that we've talked about so far, that's fantastic. Once you've gone and implemented all that, then it may be helpful for your organization to have some sort of an external assessment, and there can be different kinds of assessments depending on what your primary concern is. From a terminology perspective, you could get a gap analysis from the policy side, where you could have an organization come in and maybe score you against those critical security controls, to say, hey, this control says you need to do this; how are you meeting it? So that could be a policy assessment. At Community IT we do that; we also do a technical review, where we're actually logging into systems, looking at your Office 365 configuration, looking at the Google configuration: are the backups in place, how is multi-factor implemented, are you using modern authentication, kind of doing a full technical review of the system. Or you may also need to do a pen test. A pen test is a specific type of security scan where often a vendor will put an appliance on your network and they'll run some scanning to identify whether there are vulnerable systems on your network, open ports, or other systems that need patching; maybe it's not a server, it's your network. Investing in those elements can provide some additional insight into gaps in your current deployment plan. You may want to invest in an endpoint detection and response tool. Antivirus is kind of table stakes; EDR is kind of the new buzzword, and I think XDR is the newest acronym to be aware of, but
um these are higher end tools it's what we run at community it that can detect not only kind of your traditional malware and viruses but these new what are called fileless attacks so again it could be like a script uh it could be some power shell that's running and so this is where where a lot of the adversaries are are moving to is that they're running to these fileless attacks uh because they're they're harder to detect and so you need to have a more sophisticated tool that's able to both iden
tify detect and then block these systems and then the final piece here that may be helpful is to have more of a unified monitoring and management platform so again because we move things to the cloud we have all these disparate systems and so uh instead of just looking at the server to look at you know who's logging in and what's being accessed you know now you have audit logs you need to look at you know for email maybe you have a separate file system you have a separate crm all these systems u
h have maybe different usernames and passwords to log into and so it's hard to really get a single view of those so there are systems that allow you to integrate the logging data from all those different tools into a central place and so you can do some event log correlations so you can see oh i see this user they logged in they accessed email they logged in they accessed crm and all that's expected you know or it could also help to raise some flags and provide that analysis in a single uh singl
e pane of glass so again uh those unified monitoring management tools i think are going to become more common uh and i'm also happy to see that they're also more affordable as well so with specifically with microsoft uh that's something with their microsoft cloud app security is included as part of a an e5 license and i've been very impressed with how it works and how it aggregates not only security logs from the microsoft tools but then also third-party applications as well so are there any que
stions that have come in uh so far that we can answer or we can just continue on into you know talking about uh some of the implementations and road mapping yeah they're you there are know few ques there are a few questions um but i think it makes sense to save them for the end if you want to keep going we can we can get to those questions at the end so i think with with all this we would be remiss to talk about implementing any change at an organization without understanding the impact that you
r organization's culture has um on all of this so i think you know understanding your organization's tolerance for risk and what needs to be protected in the context of what can be allowed is really important and so uh each organization you know is different the technology tools may all be the same but how they're implemented uh can be vastly different and so we have organizations uh that tend to be you know very competitive and so they really want to know on the security awareness training like
how many people are clicking on those messages who is it you know uh and so they've made it into a game you have other organizations that are maybe a little bit more reserved and so you know they want to handle that uh kind of thing a little bit more privately and so the same thing goes in terms of you know device access uh as your organization uh did you make the shift to work from home reluctantly or were you already a pretty good place uh to allow people to work remotely in terms of providin
g laptops and uh cloud access to systems or was it a very traditional come into the office work on your desktop computer and that was the mentality so again i think the impact of how your organization's culture really does uh continue to flow into how you're protecting the organization from a cyber security perspective so again um you know each organization needs to navigate the implementation of those controls within their own operating framework so kind of distilling this down uh to if you wer
e uh to the top three controls on the technology side you know or you know the the assessment side is that you know multi-factor authentication uh is the number one thing you know if you know i talked about policy a lot talked about the importance of it uh but at the end of the day if you only have kind of the capacity to implement one thing it really needs to be multi-factor authentication we see that being the biggest risk area because if an account is compromised that has such a significant c
ascade of negative consequences and so we need to really protect those digital identities and turn on multi-factor authentication and it needs to be turned on for everything and so if you're uh everything you have is in google workspace great if everything you have is in office 365 great but most organizations don't have all their data in just one system so every system where you have uh important information needs to be protected by multi-factor authentication so the good news is that it is inc
luded with most cloud applications so it's not uh you know something you have to pay extra for typically if you're you know big enough and and that's you know kind of could be a subjective term but again you could turn on uh some additional features through enterprise mobility and security now it's on the microsoft side to upgrade to conditional access and turn on single sign-on uh so again instead of turning on you know password policies and multi-factor authentication for office 365 and salesf
orce and bamboo you can just turn it on one time and run everybody through the office 365 portal so that you've got one place to manage access you have one set of passwords to deal with you have one mfa challenge to deal with and so that's very efficient so multi-factor authentication should be the number one thing on your list if you haven't done that already after that i do think security awareness training is a very important step to take there are lots of options out there we've already talk
ed talked about it so again if if you're just getting started there's lots of free resources that you can use we have an online training available that's on our youtube channel i was able to partner with techsoup and do a 101 and a 201 cyber security training course for them um and so those are great kind of one-offs that you can that you can use uh if you're able to i would really encourage the investment in a security awareness training platform like no before there's others out there it's not
that expensive you know twenty dollars a user you know for the year for the license and i think the real value is that kind of the the training but then the ongoing testing and evaluation so again you have a better sense of what's going on um and then the final technology tool i think that you know is is really important to implement is around business email compromise protection so uh we'll talk about provide some additional detail later but as i said most threats are coming from email and so
[Music] uh the technology tools associated with this have needed to catch up and so traditional spam filtering is okay against you know blocking unwanted messages but it hasn't been doing a very good job in blocking these confidence scams you know things with malicious links in them and so having a dedicated tool to work on business email compromises uh is really we get a lot of mileage out of that you know people can ignore you know the the spam message in their inbox but it's really hard for t
hem to ignore the email that looks like it's coming from their executive director or their finance person to click on this link to share something and so business email compromise protection really focuses on identifying those messages and then removing them from the inbox so again the other thing that we like about them particularly the barracuda tool that we use is that it provides some additional alerting so again if an account does look like it's been compromised it will also provide alertin
g on that so again uh for all those things you know getting visibility into what's going on in your network is is key and so some of these tools like barracuda signal are great for blocking spear phishing messages also raising flags if things like new mailbox rules are created or if uh you know there's a suspicious login and so that generates an alert and then you're able to respond to that when you get it so talking specifically about you know why why mfa uh we can see how effective it is so wh
at we're recommending uh for mfa and again another plug for our video is that we do have a an enrollment video it's like 10 minutes long that walks you through how to turn on multi-factor authentication in your organization uh and using the on-device prompt so again multi-factor authentication is something that you know which is your password along with something you have like a smartphone and so those on-device prompts where you log in your phone buzzes from the authenticator app uh is a hundre
d percent effective against automated bot attacks so that's the best method uh that we recommend implementing whenever you're gonna make this change you wanna you wanna get people on you want people to use the platform in the right way so multi-factor authentication is extremely uh effective and then cyber security awareness training is also extremely effective so this is some information from the vendor uh that we use in terms of know before and these are real numbers and these are real numbers
that we see whenever we do baseline phishing tests for a new organization we will see up to 40 percent of people clicking on links and emails i mean it's it's it's unbelievable uh you know you you would be surprised what people click on uh but the good news is is that after that initial baseline and you do that major training and maybe after you do quarterly trainings the the click-through rate really does decline and decline significantly now what we've seen is that it typically never ever goe
s away somebody always clicks on something because they're they're curious um but going from forty percent of your staff clicking on things to you know four percent uh is a really good return and so this is data that's that was taken from know before and they did an industry benchmarking study across four million users 17 000 organizations uh and so this is the data that they came up with and this is something that would you know we echo their experience in terms of very high initial click rates
and then significantly reduce click rates after training so again training needs to be ongoing needs to be consistent then we also have the note here some supporting information about how business email compromise works uh and so this is something from this is a graphic from the fbi uh where they are very uh concerned about this because of the financial impact so again we can see this as well uh these confidence-based schemes that start via email can be very expensive to organizations and they'
re very difficult to defend against because there's often not much content in the messages so spam filters are are often not able to catch it and so we're reliant on either really sophisticated tools to try to block it or staff being able to identify that it's it's malicious or something is off and then also having good processes in place for organizations you know if and when they need to change uh payment information so again business email compromise is a significant threat and having a techn
ology tool in place to help prevent it is you know provides a lot of protection so as we transition from this kind of laundry list of things you know to do and maybe you already know that you need to do that i think it's really important to engage the organization's leadership and impress on them that all organizations are vulnerable so again hacking isn't something that just happens to the big organizations with big it teams this is something that happens to organizations no matter what their s
ize so and that poor cyber security is an organizational liability and so we have seen that where if your organization has not implemented multi-factor authentication you are very likely going to have an account compromise so you know the data we saw from last year 96 of the account compromise uh tickets that we responded to were for staff that had not implemented mfa and so it's really stark whenever we see those numbers um that you know if you have multi-factor authentication you're in good sh
ape uh it's very unlikely you'll get compromised if you don't have multi-factor authentic authentication in place uh then it's very likely uh that your account would be compromised or maybe not yours but somebody at your organizations and i think finally uh it does require leadership to say yes and so for these changes these are organizational changes and so for multi-factor to be effective for security awareness training to be effective you know somebody at the executive level needs to say this
is important we're making it a priority we're going to devote time at our staff meme for this uh it can't be you know i.t pushing it through because it's not going to get the adoption that it needs to so the organization's leadership really needs to identify this as a priority and include it you know kind of at that all staff level it could be driven from the bottom up i mean it can certainly initiate it and it be successful we've also seen it come from the top down you know the board says this
needs to happen uh and then it and it occurs that way so again uh there's not necessarily one right way to do it but the key factor of success is really for leadership to make it a priority and in terms of how do you do that again your organizational culture really comes into this uh a lot i would say uh you need to schedule time for security it needs to be part of your regular rhythm so it's not an afterthought uh could be you know monthly reporting that you're gonna you know go do with your u
h your executive team it could be quarterly planning with your i.t partner to identify what we need to focus on what are the threats that we're seeing how's the security awareness training going um in terms of how that gets communicated i really think it again it comes back to knowing your audience you know what is the most effective is it is it a narrative is it stories hey this other organization that we work with they got hacked and here's why they got hacked and here's why we need to make th
is change um you know or are they more impressed by you know metrics and numbers you know is it you know hey it's gonna cost us six thousand dollars more for our cyber liability insurance because we haven't implemented mfa how we're gonna address that you know a breach is going to cost 150 000 once we get through you know how we're going to address that and then i think it's also an opportunity to leverage existing compliance requirements to do some of these things you know as a an organization
if you are receiving any sort of donation then pci compliance would be applicable here uh if you're a health care provider then hipaa would be appropriate you know if you're dealing with european data subjects then gdpr may drive some of that compliance as well so again understanding those external factors can help get some additional attraction to implement these initiatives so in terms of next steps if you haven't taken the assessment survey i would encourage you to go ahead do that and review
those results you'll get a little email with the questions and then your responses so you can use that print it out check it off of what you need to focus on and i would say prioritize one control to implement it can be really daunting to get these assessment reports where it seems like there's so much work to be done um but you just need to take a bite take a step and so pick one new control to implement if you haven't implemented multi-factor authentication already make that the first step yo
u know if you've already implemented mfa but maybe you haven't done training maybe go ahead and start with a training plan so again pick a control implement it and then you gotta really plan again get time on the all staff uh meeting to say this is a priority we're gonna talk about multi-factor authentication or we're to talk about security awareness training so uh really make it intentional and then you'll be able to execute and get through those roadmaps so um great well i think we are uh we h
ave a couple minutes here for questions and so i'll be happy to respond to anything that that's kind of popped up throughout this presentation yeah thank you matt that was fantastic great summary and overview of cyber security which i've been thinking about for a long time and i've heard about many times but i feel like i always learned something new in um in these presentations uh we do have a few questions if you if you do have any questions please uh you can chat them in or use the q a utilit
y to ask your question so if money is no object what does best in class protection look like what are some specific examples you can provide what would you suggest someone who's got a blank check to write on security protection what should they do yeah well i think once you get the policy work done i think in and out of the way um i would really make sure that you've got good tools in place i think on the device protection side so again uh for us you know community and i think we we work really
hard to get best in class and we may not have a complete blank check but but we invest a lot in our security um and so for that for us that means um we're doing all managed uh devices so again staff have managed computers we're doing client-side uh encryption we have uh sentinel one complete which is a high-end edr tool in place on our systems uh and then all of that information feeds up into our uh managed cloud app security portal so again we have alerting and management and monitoring that co
mes from the tools that that we use we've been really intentional around any privileged system that we have access to includes multi-factor authentication most of that is driven through our single sign-on portal we happen to use microsoft's enterprise applications which is included in office 365 but we've also supported organizations that use octa or one login so again there may be some reasons to invest in that and then again investing in training and education and awareness for your staff is u
m is important and then i think the final piece you know once you've got again the policy the device protections backups of those critical systems server failover all those things in place which which we do uh you know then you can start looking at those external assessments where you can get a third party view because even as you have really you know invested a lot in those internal controls it's likely that you've missed some things and so getting somebody to look at that system with fresh eye
s and investing in in a you know gap analysis or a technical assessment or even a pen test can be really helpful to uh to get that that view so again you know we use a laundry list of technologies at community so we're we're all in barracuda kind of all of their cloud uh protections spam filtering spear phishing backups the sentinel one tools the microsoft suite you know we've got a lot of productions in place and i think that that gives us the insight and reporting that we need given the level
of work that we do great thank you matt um we have another question about from an organization that uses following that relies on volunteers these volunteers are spread out throughout the country they're using their own personal laptops to do the work what sorts of protections might you recommend for them um and maybe more importantly uh any suggestions for how to train those volunteers on cyber security yeah i i think um [Music] you know it would be important to uh to implement those security c
ontrols in terms of the systems that they can access so again some of those data protection policies in terms of what we call like least privileged access so again make sure that you've got volunteers that you know only have access to the information they need to do their job so again that may mean if you're collecting information about you know various constituents uh volunteers are using that information you know maybe the volunteer they don't need to know their birth date or they don't need t
o to know their um you know address to deliver service and so you can make that restricted and so the volunteer has you know their their their name maybe their phone number as a way to to identify somebody but they don't have access to additional personalized personally identifiable information so again understanding um what information people need to do their work and then only providing that level of information would be i think an important step again depending on that the type of data you ha
ve you know if you're just delivering all of that through a web browser and you can put in some controls you know so that they maybe can't export data or or there's limited opportunities for them to to download something on a personal device that you don't control would be good um and then i don't think it would necessarily be out of line to you know expect volunteers to go through some basic um basic training on good you know cyber security practices particularly if it involves you know creatin
g an email account at your organization for them i think this is one area where we see your organizations get a little bit casual and saying oh well this you know this person only is a volunteer or we just need to create an email account from them but i think recognizing that you know any account that can be logged into from the web is potentially vulnerable and again if it is associated with your organization's domain you know that that email address is potentially valuable because you know it
could be used then to target other people and i think that's the real risk so again um you know only provide people access to the information um that they need uh you know if you can you know turn on multi-factor authentication for those systems particularly if they have sensitive information uh and then have consistent policies and follow-through i think would be important steps to take great thank you matt um well i think we have just about reached our time limit for today's webinar uh we do w
ant to let you know about next month's webinar um we're not going to be talking about cyber security i know we've we've done a lot of that this year and we wanted to finish strong this month since october is cyber security awareness month and next month we are going to be talking about best practices for mac support we know that many of you probably use macs or have staff that use apple mac computers we manage over 600 macs it's probably 10 of our install base it's a significant number and uh th
ose of you who use macs or or manage macs know that they're a little bit different and they require a special approach it can be done well it is possible to use macs on an enterprise basis and we're going to be going into a pretty deep dive in november uh to go over that provide you with some tips and tricks on things you can do to manage your max so i'm very excited about it i'm i'm looking forward to attending that webinar and that will be wednesday november 17th right before the holidays uh a
t three o'clock so keep an eye out for that uh announcement and we encourage you to register for that webinar thank you very much for your time today uh we will be sending you an email with um a summary of all the resource links that we chatted out today as well as a link to the recording of today's webinar wish you all a great afternoon and a pleasant rest of the week thank you
