Good morning, everyone. Welcome to another episode of the nonprofit show. I'm Julia Patrick and today we are continuing our conversation with Kyle Hendrickson, director of cybersecurity for Ida Bailey, and we're going to talk about something really interesting today. Oh wait, I have to say, Kyle, every day has been interesting in Nonprofit Power Week. But I think this day and this topic is probably the thing, and I've had a lot of hair-on-fire moments, but this has been the most shocking, because we're going to talk about third-party cybersecurity risk management. And it might not mean or be apparent to everybody, you know, as we define it. And so I can't wait to have this discussion. So, Kyle, again, thanks for being with us. We're going to jump in with you very quickly. But in case you don't know who we are, I'm Julia Patrick, CEO of the American Nonprofit Academy. Jarrett Ransom, my personal nonprofit nerd, the Nonprofit Nerd, CEO of Raven Group, is not going to be with us today. But she'll be back on tomorrow for our Friday Ask and Answer with Kyle. Again, this is Nonprofit Power Week. Jarrett and I only do this less than a handful of times a year. We pick topics that we feel like we really need to do a deep dive on, and then we find the right partner. Ida Bailey is that partner with us this week. And so we're really excited to bring this to you. And our partners and sponsors buy into this and understand that this is what we're going to do. So we want to thank Blumerang, American Nonprofit Academy, Your Part Time Controller, Be Generous, Fundraising Academy at National University, Staffing Boutique, Nonprofit Thought Leader, and Nonprofit Nerd. These are the folks that pretty much all of them have been with us since day one, going back almost three years, to bring the nonprofit show to you every single day. Kyle, hard to believe it, but we are marching upon 650 episodes. We have almost 1,000 video clips, which is crazy to even think about that.
And you can access those on Roku, YouTube, Vimeo, Amazon Fire TV, and then podcast. We just started putting all of our content into podcast format. So queue us up wherever you'd like to get your content. Okay, Kyle Hendrickson, give us the weather report, because every day we ask you and we're just mortified. Yesterday it was one below. It felt like one below. So today we're 45 degrees and sunny. It feels lovely outside. This is t-shirt weather. This is awesome fall t-shirt weather. Holy moly. Well, bless your heart, because where I live, if it got that cold, we would have like emergency alerts coming across our TVs. I'm just saying, because that sounds mighty cold to me. Kyle Hendrickson, Director of Cybersecurity for Ida Bailey. Before we move much further, and we've had you, Kyle, talking about cybersecurity. Can you give us like the quick elevator speech about what Ida Bailey does and who they are? Because I think the nexus between cybersecurity and Ida Bailey as an accounting firm might not be so apparent until we start talking. Yeah, so Ida Bailey is a tax and audit firm that has its roots going back a little over 100 years now. So we were here a long time ago. We're not going anywhere. We're going to be here in the future. But along with being a trusted business advisor around tax, audit and those other traditional finance-related items that every business needs, we also, again, becoming that holistic business advisor, do specialty services. And so those specialty services include, if you want to sell a business, we can help you through those transactions, both from either buying or selling a business. We do business process outsourcing. So if you need a CFO for hire, or you need somebody to do payroll for you, we have those types of services. So I fall into the group of technology consulting. Technology is a huge part of nearly every business. And so it's not just cybersecurity. We implement ERP packages, so accounting solutions, as software for clients.
We work with CRMs like Salesforce and make sure they're customized and fit a client's expectations. We do analytics for a large number of clients. And around that it's really how do we turn your data into something that can drive your business and something that you can use. It's great that we have all this stuff. But if we can't use it, what value is it? And so that's where we want to turn every company into a data company. And so we have all these practices. I fit into the cybersecurity world. And so I help companies from very large, where they have staffs, they have chief information security officer type people, they have people ready to respond to incidents and they just need some advice, some guidance or help with specific areas of the program, to small companies where they're just throwing their hands up in the air and saying, what do I do? What do I need to watch for? How can I make this better? And so we deal with big and small. You know, it's fascinating. And I apologize if you're hearing my phone ring. I forgot to unmute my phone here in the studio. I'm fascinated by this. And at the end of the day, I see a nexus between all of this once you start explaining it, because ultimately, these problems are issues. And I'm not going to say opportunities, because what we're talking about is the cybersecurity. It automatically becomes an accounting issue. It's not just about stealing money, or what we think of as fraud. It's actually impinging upon how your organization works. And I think that's one of the things that I've learned from you today, because I think before we really started talking, I was all about, well, fraud is fraud and it's money. But what I've learned from you is that it's really the way you can operate your business, serve your community and your clients, interface with your employees, your volunteers, your stakeholders. So it is financial, but it's much larger than that.
And when we talk about fraud and financial risk management, again, that's just business risk. That's not financial risk. That's business risk. I feel very strongly that cyber risk is business risk as well. These are things that can seriously mess with your ability to serve who you are trying to serve. Yeah, it's fascinating. And I feel like once you kind of pivoted the space with which I looked at this, it made this two things. It made it more frightening, because you can say, I don't have that much in the checking account. How can they steal? Which is completely stupid, but I can see how we could kind of devolve into that. But when you kind of posed the concept of time missed and time down and how you can't serve, that was when I was like, holy moly, this is a much bigger conversation. So thank you for kind of helping steward that theory for us so that we could dig in even deeper. So today we're going to talk about third party and third-party cyber risk and why it's important. But since you've been so good at educating us from day one, can you start with what a third party is and what they look like, who they are? Yeah, so these are the solutions and the vendors that we work with to support the business. So it might be something like a lead generation company, or it might be, in the case of the Target breach that happened a long, long time ago. I was talking about this earlier. I believe it happened in 2013, but it came out in the news I think in 2014. So that's where I was getting my dates mixed up. But in that case, attackers compromised an HVAC contractor. Somebody was doing heating and air conditioning for Target locations, and that vendor became compromised. And through that, they got into their point of sale system, started capturing credit card numbers. And as we talked about a little bit earlier here, probably a large number of us watching this right now got new debit cards as a result of that. And that was a very eye-opening experience to a lot of people.
And from a business side of things, that was kind of the first wave of, oh, this is a risk now. We need to take this seriously. If Target can go through this, and they have all of those controls in place to protect and make sure that they're reinforcing customer confidence in how they're protecting data, what do all of us need to do to protect that data? Yeah, I mean, and one point is how we started this conversation is that, you know, you think, oh, well, I run a food pantry. I have no more connection in my business scope, or place on this planet, to Target than the man on the moon. But I think what I've learned from you is that's just a lesson that we can learn from, because an air conditioning and heating organization that came in became that disruptive. I mean, who would have ever guessed this? And we start thinking about the Internet of Things. So are we doing sensitive conversations with donors or those types of things with Amazon Echoes or Google Homes in the proximity, and are they recording our conversations, and how is that data being protected? All these questions of are we doing the right thing to make sure that those people that don't want those private details shared, making sure we're protecting that. And that's an often unthought-of thing when we start talking about smart home devices. The same thing about thermostats and other things that we have that we control with our smartphones. What happens if those types of things get compromised, and have we properly segregated them from how we do business to make sure that there's no way, if those types of things which typically have very little security are compromised, they can't be used to be that jumping-off point into some of the systems that we care about, or how we keep track of our finances, how we keep track of our donors, other things that we're using to keep track of what we're doing to serve those who we need to serve.
Well, okay, so that just made my hair go on fire, and it wouldn't be a day without Kyle Hendrickson if he didn't make my hair go on fire at least once. So I get, I mean you pointed some things out that I never thought of, to be extremely candid. And it's only going to get more intense as a society as we rely more on our devices and we think this is how we need to behave and work and serve and all that. Okay, good to go, understand that. But this then leads me into this question: how do we even understand who's doing this? Like how do we assess those security challenges? How do we even begin to determine if the people that we're working with are protecting us, in essence? So when we start looking at vendor security challenges, let's say that we have an accounting system, an ERP, enterprise resource planning, type system that we're using to do all of our financials and keep track of things. For example, most data isn't originating in that system. It's probably coming from other systems. So if we're getting inventory and all of this other stuff that we're using to manage the organization, and that's flowing up to our ERP or our accounting system in some way so that we can get everything integrated, which is all of our goal, to make things easier, more integrated. What controls are we putting in place to make sure that only what we think should be updated, or only what we think should be manipulated, can be manipulated by those outside systems? So if that's the case, how do we have that conversation? I mean, I'm looking frankly at my green screen behind me and the partners that we have whom I trust. I mean, I wouldn't have these folks on my screen if I didn't think they were good-to-go, reputable, honest companies, because that reflects back on me, right? But how would I go to one of these vendors and say, are you protecting me, or what are you doing? I can't imagine that the people that I would interface with as a customer would even know the answer to that.
Yeah, so we want to start there, and they can get us to the right spot. And so this is all about data. How are they protecting that data that they have as part of that relationship of working with you? So are they doing things like encryption? Are they protecting it with multi-factor? We hit pretty hard on that the other day. Yes. Are they doing those types of things? What other integration points do they have to you, so you can make sure that you're asking the right questions around, is it only me that can manipulate or change this? And how do you protect my data from other people's data within your platform? So these are big questions, and I'm going to go back to yesterday. For those of you who were with us yesterday, we talked about cybersecurity insurance and we talked about mitigating risk via that. Are these questions, or this process, would that be something that we could get from our cybersecurity carriers? So the same expectations that your cybersecurity insurance carrier has for you, that's an excellent spot to start asking those same questions of your vendors. Let's keep it simple. Let's focus in on what actually reduces risk. Another common thing that companies that are providing services do, and this is something that we could think of for ourselves and request of those that we have a business relationship with, is a SOC report. It's a SOC 1, SOC 2, those types of assurance reports for vendors, to know that they're doing certain things and they've been tested against those certain things to make sure that they're keeping data safe. And that's something that they do that they're able to share with their clients. I'm kind of thinking about, you know, for so many of us in the nonprofit sector, we do events.
And so we go to these, if you will, third-party, you know, venues, we work with a lot of third-party vendors, and a lot of times we are requested to provide our insurance certificate, or we get those certificates of insurance from the vendors that we work with. Is this something, is this pattern something that might fit into this mix? Yep. Yep. So typically when we're looking at establishing a relationship with a vendor as a larger entity, we're looking for things like cybersecurity insurance, minimum requirements around liability coverage, those things that would put them at risk of not being able to serve us. Well, cyber or business risk is part of that. So we start looking at a SOC report, and SOC is spelled S-O-C. And there's type one, type two, there's different flavors of all that. And it takes a little bit to try to understand what you're looking for. But that's the very first question to start asking of somebody that's providing IT kinds of services to us: one of those SOC reports, to understand what controls they have in place, and are those controls working? Okay, so like, not to be naming, you know, brands, but are you saying like the bank that we do our online banking and our bill pay with, or the company that we're, like, say, an accounting software like QuickBooks or something like that? Is that where we're looking at? Or would this be more somebody's coming in to physically be a part of what our team is doing? So it's a risk-based decision, right? So we know that certain industries are known for protecting data better. They just are forced to from a regulatory perspective. So banks, they're forced into doing a lot of things that they may not otherwise do. They have the benefit of going through many, many, many years of dealing with regulators and audits and going through and proving that controls work and doing attestations. So I'm less worried about a financial institution than I am about an IT vendor.
So let's say, if QuickBooks is hosting the data, I would be asking, what are the controls that you're putting in place to protect my data up in the cloud? And it may involve the SOC report or it may not. It may be just, hey, this is the list of things that we do to protect your data. Just making sure that you're keeping that in mind, and understanding that if there's something that you need to ask for, or something that you need to implement that they offer but they don't just do by default, that you're doing that. Okay, so put your catcher's mitt up because I'm going to throw a curve ball to you. I got to ask you, my friend, how many clients in your world ask for the Ida Bailey SOC report? Does anybody ever ask you for this information? I don't have that answer. So I'm okay with saying I don't know. So that tells me that people aren't asking. Well, they're not asking me. Yeah, they will be reaching out. They'll be reaching out to somebody within our assurance group. But I mean, do you see what I'm saying? Yeah, it's that, I don't want to say new of a concept, but maybe it's that new of a practice, of a best practice, that we are not just automatically thinking to ask for this assurance, this information. Yeah, it's really an interesting kind of time. Well, I think this is evolving, like what you're saying. And that Target breach that happened way back in 2013-14, it really changed things for a lot of large businesses. So anybody who is in a regulated industry, that was the start of being forced into doing vendor management processes. All of us outside of regulated industries now are starting to feel this coming on as well. And I think it's even more important now. So we look back at last year, 2021, there were two very high-profile things that happened that kind of are a little bit eye-opening.
So there was a company called SolarWinds that was compromised, and SolarWinds is a software that IT people use to monitor and measure availability of systems. So if something breaks, they can jump on it right away and fix it before there's very much downtime. It's a monitoring software. They got compromised, and its own update mechanism, so how SolarWinds stays up to date in your environment, was used to seed malicious code into client environments, and they used that to take over companies' networks. So when we're putting software out there, understanding what kind of controls are in place to know what normal is versus not normal. Is a non-IT person trying to do IT things? Those types of questions. Yeah, very, very interesting. And that is, I think that just illustrates how you made this comment yesterday that this doesn't just happen. People have to get in and, to use the word seed, you just used it again, seed this stuff into your systems across your devices. So then it can impact you. So it's fascinating. We don't have a lot of time left. I mean, this time with you, Kyle, has just blown by. But ultimately, whose responsibility and liability is this? I mean, this kind of dovetails with what we talked about yesterday with risk, you know, insurance, cyber insurance. But how do we go back and say, hey, you know, in the case of, as I like to call it, Targucci, hey, you know, how did the HVAC company deal with all this drama? I mean, what does this environment look like? Yeah, so it all comes down to contractual requirements and whose information it is. So us as a nonprofit, do we own the information, or is this information being provided to us by another company? So like market research companies or lists of prospects? Well, those companies own that data. So if they have a breach, they are responsible for notification. We're just using their information. Now, if this is stuff that we have gathered from our clients and those that we have served, we own the liability.
We own the protection. We need to make sure that even if we are using a third-party website, or something that we've bought and purchased and installed on our computer, that's our information. Are we protecting it the right way? Yeah, that's a really big, that's a big question to ask and to understand. Yeah, very interesting. You can see how the waters would get very muddy in a hurry here. Yeah, I can. And then something you mentioned earlier in the week, and I can't remember which day, maybe you said it more than once, but also the jurisdiction. You know, state to state, nation to nation, GDPR for those working in Europe. I mean, wow, very, very interesting. So we have responsibilities based on where our physical point of presence is. So we all have to have an address in order to establish a business, and we might have physical points of presence across multiple states. So it matters where our businesses reside. It may matter where our employees reside. And it almost always matters where the people that we have information on call home. Well, and Kyle, this seems to me like this question in terms of structure is more amplified given that in the last three years, because of the pandemic and because of the opportunity that technology has afforded us, we are now securing donors and creating relationships outside of our little communities where we once did. I mean, I live in a state that takes, you know, it can take almost a day to get from the top to the bottom. And a lot of our nonprofits just worked within this tiny little radius of our municipality. And now we're bleeding. I can see it bleeding out and throughout the region and the country. It seems like it just puts another layer of, I don't want to use the word complication, but something you need to be aware of. Yeah, and certain states are more difficult than other states. So California and New York, and I believe Massachusetts, have different rules than the rest of us.
And even the rest of the states, nobody can really agree on notification requirements and all of those kinds of things. So until we have a federal law that supersedes all state law, we are in a mess of what we need to do as far as if we do have a breach. Wow. So this kind of, you know, makes it even more important, you know, the discussion, understanding what this looks like. Ida Bailey has been with us throughout the week talking about cybersecurity, how this impacts the nonprofit sector from small to large organizations, to independent one-shop organizations, to multi-chapter national structured organizations. If you've missed any episodes or you want to learn more about this, or maybe share this information with your board or your team, go to the nonprofit.com and you'll be able to find the access point to our library of these episodes. It has been riveting. And I feel like, Kyle, it is the start of a conversation that is quickly changing because of how we're more involved in this overall structure and just, you know, devious minds coming up with new ways to torture us, I guess, if you put it that way. Kyle Hendrickson, director of cybersecurity for Ida Bailey, it has been really cool to work with you and hear all of these things. This is the fourth day of our conversation. You don't want to miss tomorrow. Kyle will be on with the nonprofit nerd herself, Jarrett Ransom, on our special Friday Ask and Answer. And this will just be a day dedicated, an episode I should say, dedicated to your questions and the questions that have come in. You can do those live on the live broadcast, or if you want to reach out to us again through the nonprofit show.com, we'll get those questions queued up. Kyle, it's been so interesting to have you join myself and Jarrett Ransom this week, really interesting stuff. And I know that we will have conversations in the future because it's changing.
Well, and I'm looking forward to tomorrow's adventure, because I do not know what those questions are in advance. Well, you know, that's kind of a, that's one of the things about Friday Ask and Answer. It's a little bit of a crapshoot, because they come in and they come flying at you left and right. I think that's why Jarrett and I like Friday, because it makes us like really be sharp, you know, and sometimes we're not sharp. Yeah, it's kind of an interesting thing. Well, again, I'm Julia Patrick. Jarrett Ransom, the Nonprofit Nerd, will be joining us back tomorrow. Again, this has been another wonderful Nonprofit Power Week, and we want to make sure that we thank our sponsors: Blumerang, American Nonprofit Academy, Your Part Time Controller, Be Generous, Fundraising Academy at National University, Staffing Boutique, Nonprofit Thought Leader, and Nonprofit Nerd. These are the folks that join us day in and day out. As we end every episode, and especially after hearing about cybersecurity, we want to say to everyone that we partner with, who listens, who watches, who comes on like Kyle: stay well so you can do well. We'll see you back here tomorrow, everyone.