Well, hello. Good morning, good afternoon, whatever time it is that you're joining us today. This is day two of our Nonprofit Power Week with Eide Bailly, specifically with Kyle Hendrickson. He joined us yesterday, and he's joining us today and all the days of this week as we move forward with this Nonprofit Power Week with Eide Bailly. For those of you that joined us yesterday, we did have a live audience. Unfortunately, they're not with us today, but hopefully they're joining us just like you, and they're here virtually. So today Kyle's going to talk to us about nonprofits being held hostage with ransomware and what that looks like for our NPOs around our country. As we move forward in today's conversation, we of course want to remind you who we are. Julia Patrick, hello to you.

Good morning. CEO of the American Nonprofit Academy.

And I'm Jarrett Ransom, your nonprofit nerd, CEO of the Raven Group, and we are honored to be here day in and day out to be of service with our presenting sponsors. Again, a huge shout-out to Bloomerang, American Nonprofit Academy, Fundraising Academy at National University, Bee Generous, Your Part-Time Controller, Staffing Boutique, Nonprofit Thought Leader, and the Nonprofit Nerd. So we are marching, get ready for this, toward our 700th episode. Julia started this in March of 2020 with me, but she coaxed me in saying it was going to be two weeks, and so I think I'm being held ransom on some occasions. You can find all of our episodes in the archive, just plentiful, on Roku, YouTube, Amazon Fire TV, as well as Vimeo. And for those of you that are podcast listeners, and we learned that Kyle, our guest, is as well, you can listen to The Nonprofit Show wherever you stream your podcasts. So as we move into today's conversation, Kyle, again, we are thrilled to have you here. So glad that we didn't scare you away yesterday. You did a fantastic job kicking off with those top five tips for us.
So again, Kyle's joining us, director of cybersecurity at Eide Bailly. Welcome back.

Awesome. Thank you for having me back again. I'm glad that I didn't scare you away yesterday.

Well, not a chance. Not a chance. Although you did give us some, like, scary things to think about. And it really was amazing. You were a great sport. As Jarrett mentioned, we did our very first live studio audience remote. Now, Jarrett's done some live remotes for us before, at the big Association of Fundraising Professionals conference that was held in Vegas. But this was really interesting because we actually had people behind us in the audience. And so, Kyle, that was fabulous, and we were really, really honored that you would roll with the flow. And it was really a lot of fun. So thank you.

Very cool. Well, I'm excited about today. Hopefully I can bring that same level of energy today as well.

Well, I say let's get into it, because we're talking about ransomware, which is such a frightening concept, and we're going to get into this more. But what is ransomware, and what are, like, the most common types that we should be on the lookout for?

Yeah, so just to start it off, ransomware is what a malicious actor is using. It's a type of software that they're getting onto your systems, and what it's doing is encrypting the data, and then in some cases stealing that data. With that encryption that it's doing, it's preventing you from accessing that data, and it's holding it for ransom, ransomware, and they're asking for a payment for them to release that data back to you so you can access your systems again. And so how this normally manifests itself within an environment is someone clicks on a phishing email, or maybe we had improperly configured our systems or our network, which allowed an intruder in; they get that malicious code to run in our environment.
And then all of a sudden we see the pop-up message on our computer that says, hey, you can't access anything, and we'd really like to be paid so that we can give you access again. So that's generally how it goes down. Now, some of these threat actors are pivoting. They are going to just extortion-only business models. So they'll just steal the money, and then ask for payment so that they can delete the data and not release it publicly; if you don't pay it, they release it publicly. So in the case of a nonprofit, this might be our donor information; it might be the people that we're serving. It's all the data that we are trusted to protect. They're extorting you so that they won't release it, along with the typical preventing access to normal IT-type systems, our accounting systems, how we serve our clients, all that.

Kyle, how often does something like this happen?

So this is happening all the time. This and business email compromise are two of the largest cyber threats that we've faced as a nation. And so when we look at ransomware across the world, and I can only go off of reported statistics, when we look worldwide, North America, or specifically the United States: 44% of all ransomware cases in the world are targeted at the United States. This is very much a US problem.

Yeah. I like that pun there, US. Good job, Kyle. Yeah, I can only imagine that that is just so frightening, but you, my friend, yesterday gave us so many messages of hope, and you're going to do that again today, I'm sure, to have some messages of hope for our nonprofits. So when we do encounter this, because like you said it's happening all the time, which sadly means it's probably happening right now, you know, as we are having this conversation: when do we share that information? Like, do we share it internally with our staff and then externally with our stakeholders, or what do you recommend?
Yeah, so the first step is to have a plan, right. We want to work to a plan; we don't want to just run around with our hair on fire and just not know what to do, because we do have potentially some legal or regulatory requirements for disclosures. So nearly every state in our nation has breach notification laws, along with, depending on what industry you're in, you may have regulatory requirements to notify your regulatory body, or just a certain timeframe for notifying people. This also is further complicated because it's based on where the clients you're serving, or where the people you have data on, live, where they reside. And that can be further complicated because, let's say, someone is in Europe for a vacation or for an extended period of time, but their mailing address technically is in the United States; they may potentially still be subject to GDPR, so European data regulations. So this can be a mess. So this is where, when we start talking about how do we notify, how do we transparently tell everybody that an incident has gone down, we want to make sure we have a plan. We're working with a marketing or a PR firm or someone like that, so that we can have our internal messaging consistent and our external messaging consistent. We also want to be making sure that if we do have cybersecurity insurance, we're working with a breach attorney that is part of that plan, so that we know that we're following all legal requirements that we have and we're not opening ourselves up to further liability.

Wow. Okay, I would have never guessed that this would have been the path that you drew for us. It makes me think that this is something, and you kind of touched on this yesterday,
you need to have your ducks in a row, and this plan, as you just stated, needs to be in full force before anything else, because this is too arduous just to think on the fly: okay, this has happened, what do we do now? You need to have that, and it's affecting, this is affecting our friends, our neighbors, our communities, and everybody around us.

Because when we look at ransomware specifically, for those companies who have been through ransomware, 25% have been forced to close for a period of time while they're recovering. The regular recovery time, the average, is somewhere about three weeks, and it can be anywhere from 20 to 21 days is where I've seen the recent studies. But this is losing access to your systems, to your IT, to everything you use to run the business in the technology era that we live in. What happens if you lose access to those systems, and for extended periods of time?

I feel like there needs to be a crisis communication plan for all organizations, probably all businesses, right, for-profit, not-for-profit. And then the scenarios in which, you know, the crisis communication then is implemented and taken into effect. Right, Kyle? That message, you know, I, again, yesterday, for those of you that watched, you know, we kicked off Nonprofit Power Week with Kyle, our new bestie, yesterday, and you know, I learned for the first time of the cybersecurity insurance. And so my first call would probably be to that insurance provider to then, you know, determine what needs to happen for our next steps. And I'm assuming that they too have some boilerplate language that can guide you in this communication. Is that a correct assumption, Kyle?

We want to make sure that when we're doing our testing, so we want to talk through this before it actually happens, and we call that a tabletop test. And when we're doing that, it is okay to be asking our insurance carrier to participate in that, observe, and make recommendations based on what they've seen in the past.
So that's an okay thing to ask of your insurance carrier. It's also okay to ask of other business professionals that your organization is working with, whether that's an outsourced controller or an outsourced CFO or whoever's helping you with the finance side of things; they may have leadership expertise that they can lean on for things that they've seen in the past as well. So I would reach out to all of those other places that you already have a business relationship with, or a trusted professional you can work with that has been through these types of things, for guidance, and if they would sit in on a tabletop test.

I want to go back to something, because you mentioned something just now that I have never heard of until we started this discussion this week: a breach attorney. Talk to us a little bit more about that, because I'm fascinated by that concept, and it seems to me like that could really save a lot of future angst if you have this member on your team, so to speak, before it happens.

Yeah, so this isn't something that you normally staff for. This is something that when you have cybersecurity insurance, or if you don't, if you have your plan in place, you'll have identified those people who already know the legal requirements for notifying people if there is a breach of information. So these are lawyers that specialize in breach notification law and cybersecurity incidents. So these are smart people; they know what's up. They know all of the different regulations and requirements between all of the different states and all of the different countries that the people you're serving may be residing in, and not every state, not every country, has the same requirements. Some may require within 48 hours, some might be within a week; it may have different definitions of what a breach is.
They may have different definitions of what private information is, so they may not all agree on if it was a breach, based on their different definitions of what is considered sensitive information. So there's a lot of things to be considering when you're going through this, but having that trusted resource, and again, most likely through your cybersecurity insurance policy, is key to make sure you're not subject to further, whether it's, I don't know if it's civil, I'm not smart enough to know if it's civil or criminal, but there's legal requirements around this.

I want to ask you a follow-up question to that, because so often our accounting partners find internal fraud and financial mismanagement. Would these be the same types of talents, legal talent, that would actually be able to interface with you outside of the cybersecurity issue, but just in general fraud, or is this really more drilled down to the cybersecurity?

This is really drilled down to cybersecurity. So those people would be a good resource, but again, we're going to want to find somebody in the legal profession that actually specializes in breach notifications.

I feel like there needs to be some, and maybe there are, maybe I'm just not privy to this information, some round table discussions with other nonprofit peers about, you know, cybersecurity and being transparent with the stakeholders, because no one is immune to this. Like, everyone, you know, this could potentially happen to absolutely any organization. And as we learned yesterday, I believe the number that you shared with us, Kyle, was a quarter of a million dollars is, like, the dollar impact. Is that, could you school me on that again?

Yeah, so I'm using information from a study from Group-IB out of 2022, so they look back through 2020, so this is current data. This is the most recent data that I have in front of me, and the average ransom demand was $247,000, and that's increased 45% since 2020.
That's terrifying. And as we mentioned again yesterday, and for those of you that are thinking, man, I missed a lot yesterday, that's okay, you can go back and watch it. But as we talked about, you know, that could shut doors; that could really close down the organization and make a severe impact in the community.

We're here from the funds that we have to support our organization and continue our mission of helping people, where we're all in the nonprofit space to help people. And when we have unplanned expenses like this, it takes away from our mission.

Now let's move on to, I mean, one of the things, and Jarrett alluded to this earlier, you were really specific that you were here to deliver messages of hope, when it all seemed, like, overwhelming. So you're telling us that we can do some things to prevent ransomware attacks. What would that look like?

Yeah, so I think I mentioned yesterday that this isn't magic, and you can't just jump to the end of the Monopoly board; you can't just pass Go, get your 200 bucks, and skip all the way to the end. It doesn't work that way. A malicious adversary has to use the same laws of nature, the same laws of physics, that we do as defenders. They don't have secret sauce. And what I mean by that is an adversary still has to get malicious code on an endpoint; they have to get that malware into your environment, or take advantage of some other way of logging into a system. They have to be able to survive a reboot, so they don't lose access if a computer restarts. They have to be able to remote control that computer from somewhere over the internet, because they're not physically in your office. They have to be able to elevate privileges; they need to get more rights than what they have when they landed on a computer.
They have to be able to find other computers to get to, and they have to leverage those other computers to continue discovering and going through that whole circle of that attack chain, until they find enough computers to infect and encrypt, or they find the data that they can steal and then extort you for not releasing it to the public. So all of these different steps that it takes to get to disaster is an advantage for us as defenders, because we don't have to be good, or we don't have to be perfect, in every single stage of the attack. We just have to be really good at enough of them to catch things as an incident before there's any notification requirements, rather than waiting until disaster, when we get all of this pain that's delivered upon us.

I think that's fascinating. I think it's such an interesting process that you just walked us through, and that it's not just, like, this one-and-done thing, that it does take time, and it is pretty substantial for the very fact that they're not sitting in your office. And I think a lot of times when we think about fraud in the nonprofit sector, and Jarrett and you and I have talked about this so much with different guests over this time, is that it's Betty Lou in accounting, or it's Sammy the volunteer that comes in every Tuesday. But in this situation, we never see these people. And so it's the sense of lack of control or filtering that I think is so dangerous for so many of us, because we just, out of sight, out of mind, until it happens.

Well, and the other thing I think about too, Julia, is, you know, so many people, when they start a nonprofit, they don't start it thinking, I want to do this because I really want to put a cybersecurity plan in place, right? I mean, maybe some.
Yeah, Kyle, you might have with an organization that you started, because I'm certainly, you know, in your frame of mind, but you know, so many organizations, the founders, the CEO, they just thrive in passion, and this is not an area of expertise. So partnering with someone like Eide Bailly to really, you know, support, because, as you said yesterday, again I'm referencing yesterday, is, you know, really looking at having those trusted advisors. You don't have to do this alone, and I think that's really comforting.

Yeah. So I heard something just two days ago, so I forgot to bring this up yesterday. And it's a little bit ridiculous, but I think it kind of brings home the point. And this was directly from a client: so compromise is inevitable, but it won't happen to me. Why? Because it's never happened before. Why would it happen now? It's not going to be me that's targeted. So I thought of a different way to rephrase this: no experience in the life of the turkey prepares it for Thanksgiving. Just because it hasn't happened to us in the past doesn't mean it isn't going to be happening to us in the future, and that we don't have a reason to prepare and understand what these adversaries are doing, so that we can make sure that we're protected.

Well, and they're becoming, thank you for that, because that's very poignant, I would say, but they're becoming more and more advanced, and one of the things during COVID is really this acceleration of technology. You know, I've mentioned my son probably more times than I want to count right now, but you know, he's 12 and he's learning coding. And so there's so many other, you know, individuals around the globe that are so very attuned to technology and the advancements of ransomware and cyber attacks and things like that. That's what's frightening to me is, you know, yes, it might not have happened to us yet. But how do we prepare for that, and prepare for the next, like, installment of what that might be? Because I feel like all of these,
you know, as we talked earlier, phishing, vishing, smishing, all of those kind of dumb words, they're becoming more and more advanced.

So I think that's a good point. And when we start talking about that attack chain, those things that lead up to ransomware, those aren't exclusive to ransomware. These are the steps that all advanced adversaries are taking in people's environments. They just have different goals at the end of that. So when we start focusing in on these common things, there's common threads that extend across all adversaries as they're attempting to steal data or prevent our access to it or steal money from us. We're working through this attack chain. And so one of the things that, from a very technical perspective, I like to reference is the MITRE ATT&CK framework. And so this is observations of all known attacks that have occurred in the past, so that we can look at the past to help us better protect us in the future. And so we came out in that whole attack chain methodology, so that we can start to look at what does initial access look like, what does that remote control look like, how do we need to defend ourselves.

So is that specific to, like, our sites, our organization? Is that what you're saying?

That's everybody. So that's not specific to nonprofits. This is looking at all attacks across all industries. So this is a huge body of knowledge that we can reference as computer professionals to make sure that we're building solutions securely up front, the right way, at the beginning.

Yeah, again, that prevention is so important, and that's one of the things, you know, we don't want our NPOs to be held hostage by ransomware, and these hopeful messages, you're going to be here all week to provide them. So, so don't be alarmed as they're watching, listening, you know; this is really something that we're providing in partnership with Eide Bailly throughout the week
to really help you garner this insight, because we know that you show up with passion and purpose for your community, not to create a cybersecurity attack crisis communication plan. As much as you need one, I don't think that's new. That's not at the forefront of anyone's mind.

Yeah, as Jarrett mentioned, this is a really interesting thing, Nonprofit Power Week, working with Eide Bailly specifically on the topic of cybersecurity for this whole week. If you missed an episode, or you want to make sure that you don't miss an upcoming episode, go to thenonprofitshow.com, where you'll be able to register for reminders, access the library of the archives. I mean, there are a bunch of different ways to stay with us on this, because it is really one of those discussions that we're not having enough, and as Kyle has educated us in just two short days, the extensive way that this is penetrating our nonprofit sector, changing, and it's vast. And so it's been really interesting, Kyle, to have you on and talk with you again today. Kyle Hendrickson, director of cybersecurity with Eide Bailly, coming to us. He was live with us in Phoenix; right after the show yesterday, bless his heart, he got on a plane, flew back to North Dakota, and wow, here he is, back with us. And so this has been really interesting. Thank you, Kyle.

Well, thank you. And I think one last thought that I'd leave you with is, we're putting this into context of cyber risk, and we're talking about that all week here. But I think cyber risk is made up; this is all just business risk. This is impacting our businesses, our communities, and those that we're serving.

Yeah, great point. And that makes it even more important to share this concept, because of the impact. So thank you for that. Super valuable words. Again, I'm Julia Patrick. I've been joined today by the nonprofit nerd herself.

I'm CEO of the Raven Group. I'm Jarrett Ransom.

You have the perfect last name this week, my friend.

I know. Wow.
I know, I couldn't have asked for a better name for this week, but I'm not holding anyone hostage, that's for sure. This is nothing within my wheelhouse; I'm learning so much from you, Kyle, truly. So glad that Eide Bailly, you know, again, as an accounting firm, I mean, I send so many clients to them when it comes to audits and just overall financial support, to see this marriage and the complement that it provides to, you know, this risk prevention, that is fascinating to me, and it really just shows that Eide Bailly is a true partner in the sector. We talk all the time: there's 1.8 million registered nonprofits in the US, not to mention those that are not registered, but 1.8 million. So we appreciate this Nonprofit Power Week and the partnership of Eide Bailly.

Super powerful. Hey, again, we want to thank all of our presenting sponsors who are with us day in and day out. They include Bloomerang, American Nonprofit Academy, Your Part-Time Controller, Bee Generous, Fundraising Academy at National University, Staffing Boutique, Nonprofit Thought Leader, and the Nonprofit Nerd. These are the folks that really help us have these conversations. And to remind everyone, Kyle's going to be back, and so if you've got questions for him or comments, go ahead and send them our way. You can access that through thenonprofitshow.com or connect with us on social, because, you know, I'm sure, as we have, there have been a lot of questions that have come up and just new things that we're hearing, and so we want to make sure that while we have Kyle here in the hot seat we get those questions answered. Friday we're going to put him literally in the hot seat; he and I will cover our Ask and Answer, so if you do have a question, send that in and we will add that to our Friday, or as I like to call it, Friday Ask and Answer.

Yeah, that'll be amazing, because so much new vocabulary, new concepts, but we really need to move this discussion to the top of the heap. Yesterday,
Jarrett, you asked me a question about the board service that I do: if we're talking about this or hearing about it, and we're not, not enough. And so this is one of those things. Well, as we like to end every episode, we want to remind ourselves, our viewers, our listeners, our guest, to stay well so you can do well. We'll see you back here tomorrow, everyone.