 each and all of you here to join us today. We also have a live audience, as you can see behind us. So we welcome all of you that are here IRL as well as virtual. So thank you for joining us today. This starts the entire week of the non-profit Power Week, thanks to Ida Bailey, and we are going to, as I like to say, nerd out on cybersecurity. So it's going to be a fantastic week. We're starting off today with Kyle Hendrickson, director of cybersecurity for Ida Bailey. But before we jump into and get super nerdy with Kyle, because he already, like, prefaced that he's, he knows this stuff, and so there's a reason that he's here today and kicking us off for this non-profit Power Week. But we of course do want to thank our sponsors that keep this show going and growing with unscripted episodes. So that can get dangerous, but we do want to give a shout out to our amazing presenting sponsors. Those include Bloomerang, American Non-profit Academy, Be Generous, Fundraising Academy at National University, Your Part-Time Controller, Staffing Boutique, Non-Profit Thought Leader, and the Non-Profit Nerd. If you haven't checked these companies out I encourage you to do so, but you know the drill: not now, do it in about 28 and a half minutes. That's the best time to check them out because you don't want to miss any of today's episodes. But if you do, or you want to watch it again, you also know where to find us because we've become the new binge series on so many different streaming platforms. We've heard numerous times that someone will share an episode and several hours later they're still watching non-profit shows. So you can find us on Roku, YouTube, Vimeo, Amazon Fire TV as well as Podcasts for those of you that are podcast listeners. Are you a podcast listener? Oh yeah. Oh okay. Prime series. Historical drama. Okay, excuse me, the non-profit show. So you can find us on Podcasts, wherever you stream your entertainment you can find us there. 
So without further ado Julia let's let's get Kyle starting. Hey Kyle we are thrilled you came to Phoenix, our home base. We don't always identify where we're coming to live from you know the non-profit show every day but we are based in Phoenix, Arizona. I was telling Kyle Hendrickson Director of Cyber Security for Ida Bailey. It's kind of an interesting thing because Jared ransom and I in our lifetime we've not really been this close our IRLs we like to say too many times. We work from remote studios and so this is really an exciting opportunity to gather in the city where we live and work and get this conversation live. So it's it's something we want to make sure that we really give our gratitude to Ida Bailey for kicking us off for this week. It's really great yeah let's hear your studio audience. Hendrickson you come to us from where? From Ida Bailey now from Fargo, North Dakota. I love it so you came here to warm up. It's a little chilly in Fargo this morning I think it was around 34 degrees. Oh yikes well you got to come to sunny Arizona because we don't have that problem in too many spots but we do have more and more problems with cybersecurity and so that's the the down and dirty of it we really need to talk about that in with the non-profit sector it's such a frightening topic and so as Jared mentioned this is going to be a whole week dedicated to this topic but today you're kind of kind of kick us off with the five top things that we need to be thinking about in order to keep ourselves safe so are you ready to go Kyle Hendrickson? I'm in okay all right so tip number one know the current cybersecurity attacks you're getting right into it you're freaking us out jump right in right in like how do we do this? 
Well, so to defend against a malicious adversary it helps to know where they're coming from and what they're doing, so that we understand what we need to do to protect ourselves. So the big things right now that we see as cybersecurity trends are ransomware, business email compromise, supply chain attacks like vendor management, those types of things, and phishing attacks, and just understanding what they're trying to do so that you can put the proper protections in place. We don't want to guess. This isn't magic, there's no mysteriousness. Things happen for a reason and we want to understand those reasons so we can make sure that we're properly protected. Okay, so I love what you're saying and I think I get that, I'm like, yeah, we need education as power, but I mean, would we, like, watching CNN and they're going to tell us this, or how do we get, how do we know what to be looking for? So we want to work with a trusted advisor, and so one of the advantages we have here at Ida Bailey is we're not just your tax or audit partner. We have a lot of other specialty services like cybersecurity where we're able to come in and look at your business, understand what your concerns are, what your processes are, what your people's concerns are, what your leadership is looking for, so that we can help you create a roadmap based on where your current gaps are, what your current landscape is as far as controls that you use to protect your environment, and make a plan together on how we can improve and get where you're properly managing risks. And is this for all-size nonprofits? Because I can only imagine some of those smaller nonprofits are thinking we don't have the bandwidth to manage this. So typically we do have a threshold for working with companies, but it's very, very small, and so the smallest companies could still call, ask for advice. We're here to help. 
For those who do not have their own staff we can do managed services for them. We can help make them a plan so they don't have to go out and just look to hire a bunch of people, especially in this job market that's going on right now. It's hard to find people, and we have people and we're able to help and make sure they're managing risk properly. Great, okay Kyle, so I'm already, my hair did go on fire a little bit but now you put it out, you made me understand this is a commerce situation, not to panic yet. It's a message of hope. I thought it was a message of hope, we could all use that. But tip number two is a possible another little hair-on-fire moment: invest in cybersecurity insurance. What is that? So one of the big problems is over the last five years or so around cybersecurity insurance, and this is engaging with an insurance carrier so that if you do have ransomware or business email compromise or something else that affects your ability to do business from a cybersecurity perspective, that they have the ability to compensate for your lost wages, lost profits, those types of things, and make your business whole or reasonably whole. So that's what cybersecurity insurance's goal is. Over the last five years or so companies have relied upon that too much and not invested in the actual protections that they need. Now insurance carriers are requiring certain controls to be in place in order to get coverage in the first place, and that's what a lot of our clients are looking at right now, is how do I get my renewal, because now they're asking me to do more things. Interesting. To protect data, to get up to speed so that they are a risk oriented client. Insurance carriers are really interested in not paying off claims. So they want certain things in place that they know are going to stop them from having to pay claims. 
I have to witness though, I've never heard of cybersecurity insurance until just now, and so I can only imagine many of our viewers and listeners are thinking the same thing, kind of that oh no moment, because we're a family audience, right, don't want to say anything else, but that is cause for concern. So as a board member I would think that's something that we need to have on our checklist to ask when it comes to compliance and just overall security. And so it's a big deal because the average cost of a ransomware incident is just short of a quarter million dollars, and so that's a big impact, especially when we as nonprofits are tasked with providing services to people, and especially a lot of times where it's people in need or we're serving our communities, and what does a quarter million dollar ransomware payment mean to your organization? First of all, does that allow you to even continue operating? It could shut you down. Or does that impact your ability to give? Wow, it's really an interesting cause for concern, and I think later on in the week we're going to spend more time on this, but really quickly before we move on to tip number three. Is this something that your normal risk management partner, insurance broker, are they going to have this or do we have to go out and find this as an added question? So this is part of a cybersecurity insurance policy. So when you're talking about cybersecurity insurance policies it's just important to talk to your broker, work with someone that you trust, and understand your limits and sublimits, so there's going to be specific things that are called out. We just want to make sure that it matches what your tolerance for risk is. Okay, and just to remind our listeners and our viewers, we are going to actually have one of our episodes where we do a drill down on this because it is such a big topic, and wow, amazing. 
Okay so just to refresh everybody tip number one know your current cybersecurity environment or attack potential invest in cybersecurity insurance. Okay now this is really interesting because when I was looking at this I have to witness to you I was like what? I haven't thought about this. Vendor security assessments talk to us about that Kyle. So as we become more interconnected throughout all of IT all of information technology everything that makes our businesses run. We are dependent on third parties we're dependent on vendors to be able to do things for us or provide services to us. A lot of times things like software as a service type components it might be a website it might be a mobile app it might be something that we're using and we want to make sure that just because we are protecting our data appropriately within our organization that our partners are also protecting that data the same way we would expect. A long time ago when Target got breached it was because of a HVAC contractor and they trusted them from a technology perspective too much and it allowed them to steal everybody's credit cards. I would say probably a lot of people listening or watching this got new debit cards or credit cards. Yeah I used their hands too. I was one of them. Yeah I was one of them. And more recently we are looking at things like IT services that are being used to keep all of our businesses up and running. In 2021 there was the SolarWinds hack and that was a software that IT departments use to monitor and make sure that they can continue to support uptime requirements for businesses. They tell them when things fail so they can react really really quickly. That IT vendor got compromised and then it was used to compromise all of the other or not all a portion of the customers of SolarWinds to further their own gain stealing data manipulating systems. Wow I was really interested you know kind of exploring that and I'll give you a little heads up. 
If you go to the iBaili.com website there's a very robust part of that website dedicated to cybersecurity. You'll see Kyle's image and you'll get to learn more about Kyle and their work but I thought this was a fascinating thing to really explore and nothing that I was really thinking of. I wasn't thinking about how we are linked and you said something very magical Jared you know think about how interconnected we are and we are always promoting even on the nonprofit show. Find those vendors that can pick up that heavy load for you so it's something that's going to actually becoming more and more part of the landscape of how we do our business. You know one of the things that has happened COVID silver lining is the acceleration of technology and so cybersecurity and these hopeful messages hopefully right is what we need to focus on so that we can continue to do the good work in and around our community. So let's move us into tip number four. How do we plan for when things might go wrong? Well first of all going back to tip number one understanding what the risks are out there allows us to create that plan for when things go wrong. 
Things can and will go wrong, that's a guarantee, and it doesn't have to be just cyber. We all know that there's been supply chain constraints, there's been natural disasters, there's been all kinds of things that have disrupted businesses, whether nonprofit or otherwise. This isn't limited to nonprofits. So understanding what the risks are and then making a plan, and this isn't just a technology thing, this is people, process and technology. We want to make sure, because the business still needs to survive, it still needs to support its clients and its customers, we want to make sure that technology is available to allow those business processes to continue to proceed even in times of adversity. And so when we're talking about working through what an incident is from a cybersecurity perspective, we're talking about someone stealing data, someone stealing money, or somebody impacting your availability to do anything, ransomware, those types of things. And so what alternate processing capabilities do you have in order to continue your business up and running? And ransomware has no relation to me, just to say. That is Jared ransom. That's true. Yeah, that's true. We changed her name three years ago just for this moment. We dropped the wear. We knew that was coming down the pike, kind of. Hey, um, okay, I'm fascinated by this, and once again to Jared's comment, um, this seems like a pretty heavy lift. So yeah, so it's one thing to have a plan, it's a completely other thing to test it. Okay. And so we wanted to walk through both full interrupt testing and/or tabletop testing, and what we mean by that is getting those people that would be responsible for responding to a business outage or a downtime event in the same room, or same room virtually, and talking through: what is our plan? How are we going to keep our clients informed, that they know what's going on to the degree that they need to know? How are we going to honor our commitments for notifications, if it comes to that? What is our marketing message 
both internally and externally? How are we going to get our business processes up and running? What is that underlying technology that needs to be recovered in order to continue supporting what we need to do for our mission? Okay, so I gotta ask you this. Of all the things that you've, so far, the top tips, this seems to be kind of like the most in-depth thing, because it's not enough just to get the insurance or to understand what's out there. This is like actually sitting down and saying, okay, we have a crisis communications plan, is what I'm thinking of, Jared, and that we know who we're going to call, what we're going to do. Yeah, it's pretty intense work. This is a big deal. So I would say the first thing would be understand where your gaps are so we can make a plan on how to get you where you need to be, and then let's build the plan, let's test the plan, let's make sure everybody's comfortable with the plan, because eventually you're going to need to use the plan. And again, we want to understand, are we using this plan because of an incident or because of a breach, and we want to catch things earlier in the cycle. There's no guarantees in cybersecurity, but we can arm you with the right tools to catch things earlier in that cycle rather than later. Late means bad. Okay, now this is like tip number five, and this is, I want to spend a little bit more time on this because this is a big point of discussion in the nonprofit sector. Tip number five, you say know the rules for disclosing cyber attacks, and we talk a lot about this, is that we're afraid in the nonprofit sector to deliver bad news or to look like we're not good stewards or to talk about fraud or any problems, because we don't want to lose donors. Yeah. And so we have to kind of navigate away from that. What are your thoughts on this? Well, first of all, we have an obligation to all the people that we are serving to protect their data. That's number one. We want to make sure that they trust us because either we're serving them or 
they trust us because they're donating to us, and we want to make sure that we're honoring all of those commitments. Second of all, depending on what industry that you're serving, you may have regulatory requirements. Along with that, depending on what state you live in, you may have state notification requirements. Yeah, wow. And it's not just where you live and operate, it's where your people that you're serving, your clients, everybody you have data for, it's where they live. And so where this gets complicated is if you're serving people in Mexico or Canada or in Europe or wherever, they also have different rules. So if you have cyber security insurance, one of the very first things is I recommend getting in touch with them earlier in the process, because they have pre-negotiated rates with people like breach attorneys who understand the legal ramifications to having a breach of data, along with the forensics, the incident response people, everything you're going to need in order to recover. You're going to need legal advice on how to properly respond to this if all your clients aren't just in the state where you live and you know those rules. This sounds so overwhelming. Yeah, and again, hopeful messages, I heard that from Kyle definitely, and as you heard there's plenty of resources and probably more coming to the iBailey website, but where do we go with all this information now, Kyle? So we have these five tips. I heard you say if you have cyber security insurance, which I'm sure now all of our viewers and listeners are doing that, probably maybe at this moment. What do we do with all this information? Well, I think the first thing is to find someone you trust, a trusted advisor that you can work with so you can understand where you're at now, where you need to be. If you have questions around cyber security, um, talk with your broker but also a trusted cyber security advisor, because it isn't just an assumption that you're going to get your cyber security insurance policy. Now there are required 
items there's also recommended items that need to be in place so that they think you're an acceptable risk wow insurance companies have actuaries and very very smart people that understand what reduces their risk of having to pay out of claim that translates directly to reducing risk for your organization so it's a great place to start okay it's getting those pieces and parts in place but having somebody that you trust giving you advice on how to do those things holistically we don't want to just check a box right if we're going to spend money on something let's make it matter to the whole organization and implement cyber security controls in a way that reduce friction we don't want to cause more pain and more interruption of business let's do things intelligently and talk through things uh and and find somebody who's been there done that and and as successfully tackled as in other businesses julia i'm gonna um put you on blast here but i'm curious because you serve in our community on a lot of different boards are you seeing cyber security at the board conversation no no i'm not it's it's horrific because i think about how much money and data we have with donors across the landscape i mean that that information is is there with credit card information and and phone numbers and pass codes and everything so it's home addresses all the information is there yeah and so it's fascinating kyle to hear you talk about this and i'm i'm fascinated having worked with i bailey for a long time in um our community in business and seeing all this i'm fascinated that the accounting sector would notice or would would draw a line between accounting services and management and advice and finance directly back to cyber security and so i think that if nothing else that sends a message of how important and costly this is right it's not just a it's a it's not a nice thing to have it's not like oh yeah well let's do some training this this needs to be moving up into what's going on and 
we're not doing it enough so i would say i bailey has a goal of not just being an audit partner or a tax partner our goal is to be holistic business advisors so this isn't just cyber security isn't just tax isn't just audit really all those needs that enables a business to be successful that's what we're trying to fit it's awesome well it's you're an amazing partner throughout the nonprofit sector we love the i bailey resourcefulness awards um you've been judged yes and uh it's it's been really great one of my favorite public humiliations in my whole life was being at one of the resourcefulness awards and i sat on a board that won and i actually screamed like i was being murdered um but it was so exciting to get you know to get that that winner win for our organization so uh yeah i bailey's doing a lot of really interesting things across the landscape we're super excited to have kyle hendrickson here director of cyber security with us for the whole week this is non-profit power week with the non-profit show we don't do this very often jarrett and i made a commitment to finding some topics that we liked with with experts that we really trusted and so we only do this a handful of times um each year and so this is really going to be an exciting thing it's going to be very exciting and this is just scratching the surface i can tell uh so again you know kyle's gonna be shared these top five tips and we're going to go deeper into so many of these conversations throughout the week um and again you know non-profit power week here with i bailey we are here live with the audience today but unfortunately they're not going to be around each and every day although we wish that they were um but it's been fascinating and again you joined us here from uh north dakota park north dakota yeah can you hear it in his accent i thought it was a lack of access this is going to be really cool we just want to make sure um the top five cybersecurity things to be thinking about number one 
know what the current landscape is invest in cyber security and um insurance understand those vendor relationships and how they can impinge upon what's going on that i think is the big sleeper that's a fascinating topic and we're going to spend more time on that because it's a it's a deep dive isn't it well i mean we all depend on somebody we're not running everything internal to our own companies and even things like payroll what happens if your payroll vendor has an incident people stop showing up if you don't pay them i would wouldn't you yeah i think i might so what plans and and and alternate ideas can you put in place in order to continue on with business if something should happen i love it and then tip number four plan for when things go wrong and tip number five know the rules of disclosure which again all of these things we're going to be talking about more in depth but i just think kyle it's really interesting that you shed a different light on all these issues and and give us giving us some new things to think about especially as we start marching towards the end of q4 where we tend to let the other things slide because we're so um desperate to get those those year-end donors and things i i would imagine this is a pretty perilous time so um charot this has really been fun hasn't it's been fantastic i think we're gonna have to do more of this and thanks for trusting us kyle we just met uh this morning but it's been a wonderful conversation i look forward to the rest of the week with you um and you know diving deeper in all of these topics and and throughout the episodes of this week uh for those of you that are saying you know okay these are top five tips i don't have any of them in practice currently that's okay kyle has more hopes messages of hope rather to join us throughout the week but for those of you again that are saying okay i need to share this episode there's so much in here that we need to make sure that our community is aware of you can 
share this episode it'll be on the archive and shared far and wide in a near few hours after today's recording wraps up but we do want to thank i bailey for having you here we want to thank you for being here and for being with us here all week uh we also you know just want to remind you to check out their website so that you don't feel like you have to do all of this alone you don't this is a great partner partnership across the nation and i was just in salt lake city and mentioned i bailey to a colleague of mine there and i said you know if this is what you need let me get you in touch with someone at i bailey there's uh there's offices yeah in all communities so it's fantastic hey again um as a reminder if you miss any parts of this episode or you want to watch it again or share it because i have a feeling many of our viewers and listeners are saying i have at least 20 people that need to hear what kyle just said uh you can find this on roku youtube amazon fire tv vimeo as well as podcast and of course we want to thank our presenting sponsors to keep our show alive and growing even flying and guest for a live audience appearance here um into our phoenix community from north dakota so we're so grateful to be able to offer this i r l which means in real life exactly exactly so thank you so very much to i bailey uh for this nonprofit power week we also want to thank bloomering american nonprofit academy be generous fundraising academy at national university your part-time controller staffing boutique nonprofit thought leader and the nonprofit nerd thanks for all of you for joining us here today again thanks to our live audience that uh dedicated their morning and their coffee time to join us here i'm so grateful to have each and everyone here and julia i'll let you sign us off hey i really mean this from the bottom of my heart especially since we've forced kyle to stand between the two of us this closely this morning stay well so you can do well thanks to i bailey 
and the crew that showed up today we'll see you back here tomorrow everyone thanks everyone thanks