Welcome. Thank you so much for joining us for another episode of The Nonprofit Show. Today we have Michael Nugier with us, Director of Cybersecurity with Eide Bailly. Michael was with us yesterday, he's here with us today to talk about creating a cybersecurity safety culture, and he's going to be back tomorrow, so we've got a lot of Michael coming up. But again, as we said earlier, we are merely scratching the surface of this very large discussion topic, and really an issue that we should all have as part of our conversation. So before we dive into the conversation, we of course want to make sure that you know who we are, in case we have not met. Julia Patrick joins us. Julia is the CEO of the American Nonprofit Academy. I'm Jarrett Ransom, the nonprofit nerd, CEO of The Rayvan Group, and we are so excited to continue these conversations and dive deep in these thought leader episodes. We would not be able to have these conversations and be 400-plus episodes strong if it weren't for these logos that you see right in front of you. These companies have been dedicated to our conversations, to our episodes, and to you and your mission, so they truly are here to help you serve the community and to help you move your mission forward. Please do check them out. If there's anything these companies can do, please do reach out to them, because they are here to help you and to be a part of your team, just as Michael is.

Again, our guest today is Michael Nugier, Director of Cybersecurity with Eide Bailly. Welcome back, Michael.

Pleasure to be here. I'm excited about it.

Today you are in a different city altogether. Tell us where you are today.

Yes, yesterday I was in Minneapolis. It's about an hour and a half drive south. There was an office here where I wanted to meet the office, essentially, and talk through what we are operating from internally as well. So, Mankato, Minnesota now. Yeah, and then, you know, back to Denver tomorrow.
They've got you on a tour. You need the tour t-shirt, you know, like "Where in the World Is Michael?"

I should wear a red hat, like Carmen Sandiego.

You should. Yes, that's the best. Well, we're thrilled that you found time to travel, organize your thoughts and get back with us, because we had so many questions about what you said yesterday. I mean, I was freaked out all day, and I had so many questions. I thought, you know, most of the time when we leave these episodes I'm thinking, okay, I knew that, or I had a feeling of that, or I learned something new, but it was built upon the foundation of knowledge that I already have. With you yesterday, I have to admit, I did not have that feeling, and I realized that I had so many more questions that were really foundational. So I thought today, let's start with the concept of: is cybersecurity relegated to, like, one part of our nonprofit? Is it just one department?

No, no. The answer is, I mean, it could be yes and no, right? It's not necessarily that cybersecurity only needs to protect one portion of our organization, right? One of the things that I like to convey about cybersecurity is that everybody is responsible for it, not just the cybersecurity person. Everybody that has access to the corporate network is working within the nonprofit, and everybody has access to specific types of data. Now, the levels of security in different departments might differ: you need to protect the financial data and the donor information, or you might want to protect information that's coming in to, say, the front desk or something along those lines, right? The level of security might differ, but the baseline needs to be there, and ultimately everybody is responsible for cybersecurity.

That's like, okay, again, we've only had you on for four minutes and my hair is now back on fire.
Because I kind of feel like, and Jarrett, tell me what you think, I kind of feel like this has always been like, oh, that's a problem for the accounting folks, or development, or it's IT, right? It's like, I need to think about cybersecurity? Because, you know, we have a Michael here and Michael gets to fix everything. But you're right, and that makes sense. I also say fundraising is everyone's job, and now I'm going to say fundraising and cybersecurity.

Yeah, you are all representatives of the same mission and culture, and that's why we're talking about culture today, right? That culture of cybersecurity, that culture of the protection of the donor information and of the data that is traversing inside of your organization, is everybody's responsibility, right? We all get targeted with cyber attacks. It's not just one or two people, it's all of us, and so as such we need to do our due diligence to provide that security within the organization. Now, I don't think every employee needs to go out and technically monitor the IT security of every system, but we all have some form of responsibility within cybersecurity, and that's the cultural aspect of it.

Well, I'm thinking too, nonprofits depend often on our volunteer workforce, and so that is another layer of complexity, education and training when it comes to cybersecurity. And I would love to just throw this curveball out for you, Michael. Julia and I are known for really just throwing out some crazy conversations, but I'm curious if cybersecurity happens internally as well as externally. When I think of cybersecurity I'm thinking, oh, these are all of the people externally who have no idea who we are or what we do, but could there be a breach through either an employee or a volunteer that is, like, really, I don't know, opening the doors for this opportunity?
Absolutely, absolutely. I mean, cybersecurity, most people think of that as a technical control, right, the computers, the ones and zeros that are traversing the internet. But there's a physical aspect to that as well. Physical access to a system is a cybersecurity consideration. Having volunteers, right, they're volunteering for a reason. They're not just randomly picking a nonprofit to volunteer with, they agree with the mission and the vision of this, and culture needs to apply to them as well, right? You have a culture statement and that has to extend to the volunteers as well as internal staff. But that physical piece, right, with volunteers that have some form of trust in the organization to come access somewhere that has a computer, there is a cybersecurity risk there.

Yeah. There's so many layers that I am remiss in thinking through, and really remiss in putting cybersecurity higher in the priority of conversation. I'm just so grateful for you and your expertise. Where and how can we determine where we might have vulnerability throughout our departments or throughout our organization? How can we determine where these weak spots might exist?

I often get asked a question, right: I have X amount of dollars for cybersecurity, where should I start? And so I boil it up: if I had $1 to spend on cybersecurity, where should I spend it? And it's visibility. Visibility inside of your organization: where do those weaknesses occur?
There are a lot of assessments you can do, understanding where there might be gaps or vulnerabilities in policy and the conceptual aspects of cybersecurity, and then there are technical tests like a penetration test, which test the technical weaknesses on the devices that you have in your system. Both of those run together should provide you the visibility that you need to understand where those weaknesses are, and a roadmap to move forward on how to protect against those: which risks you need to accept and which risks you need to mitigate quicker. That prioritization.

That's kind of a bigger picture issue that I would imagine, if you asked 10 nonprofit leaders, maybe only one out of the 10 might even get that.

So there are statistics around that specifically within nonprofits, right? I think 29% of nonprofits actually perform vulnerability assessments or penetration tests.

Wow. And is there a statistic or measure of financial allocation that we should say, okay, we're a million-dollar nonprofit, how much money should we budget to allot for these cybersecurity needs?

Well, that's a hard one. That's a hard, hard question to answer, because you need to understand what the current state of the organization is from a cybersecurity perspective, what the cultural aspects of the organization are that provide an emphasis on security, and if so, that percentage probably needs to be a little bit higher. And I would say that it's important to have that cultural aspect to focus on securing the organization and the data of the donors and the data of the employees. You know, five years ago I think the typical percentage was between three and 5% of the IT budget should be focused on cybersecurity. I would probably stress that it's a lot higher now than it was five years ago.

So three to 5% of the IT department budget. Right. That's not very big.

That is not.
No, and that's why, as a cybersecurity professional, I think the focus needs to be higher, because cybersecurity can be a detrimental occurrence inside of your organization. If not handled correctly it can lead to not being a business anymore, and oftentimes it is: 60% of small businesses will go out of business after experiencing a cybersecurity attack.

I remember you saying that yesterday. So if you have not listened to yesterday's episode, it is available to you and it will remain available to you. But when you stated that, Michael, that these are business-ending attacks, yeah, that is frightening. I mean, super frightening, and it's really across all sectors, all industries, not just the nonprofit. But again, for the nonprofit sector, we typically focus so much on our mission and providing that solution to the community that we aren't the experts when it comes to cybersecurity, so these truly are mission-ending issues that we're talking about.

Right. And the work that the nonprofits are doing is so important, so protecting the capability and future-proofing that to make sure that you can continue to perform the work that you need to, the mission that you're trying to achieve, is important. Securing it is very important.

Yeah, you know, it's interesting, you talked about the technology budget. I would think that the discussion about what technology you want to be investing in could sort of back up to what your cybersecurity issues are and that cultural aspect of it, so that you might want to say, okay, no, we're going to invest in these types of laptops or systems or software, right? Is that fair to say?
Yeah, I think the big focus has been, do we invest in our own hardware or do we invest in the cloud, the ethereal cloud that exists somewhere out there? And a lot of organizations are determining that the cloud is the way to go, because there's less maintenance, there's a lot of work that doesn't need to be performed by an IT staff. However, there still is a cybersecurity consideration with all of these. Just because you're moving to the cloud doesn't mean that cybersecurity needs disappear. There is still protection; the data still belongs to you, you're just outsourcing where it's stored, essentially. So yes, it does change how you focus on cybersecurity to some extent, but that focus still needs to remain.

One of the focuses that I know we are seeing, and this is a trend that I really believe is here to stay, is our remote workforce, right? And you had mentioned during our chitty chat, or maybe even before we opened those digital doors, that remote workforces and cybersecurity is a topic that you could talk about for hours. So I would love if we could use the remaining time of today's episode to talk about this, because this is a trend that we have seen over the last two years due to the global health pandemic, and again, it's not leaving. So talk to us, Michael. What are things that we need to consider when it comes to our remote workforce?

Yeah, so when I talk about trends within the cybersecurity industry, one of the top trends I talk about is the growing attack surface. Ultimately the attack surface is just, from a hacker's perspective, what is available to attack, right? And as an organization you need to be aware of what your attack surface is. You know, back in March of 2020, when a lot of organizations were forced to move remote, they did so without the consideration of cybersecurity. They had to maintain some business continuity, but they didn't have the controls in place to secure that.
So what happens when you go from a corporate network to a home network? The home network does not contain the management of the organization, right? You don't control each employee's home Wi-Fi. And I know when I went home, my kids have their own tablets and their school laptops and whatever they play video games on, so they have access to the same internet that my work computer is connecting from. And as a hacker, that's great for me, because I'm looking at all of these devices that are a target now, and if my work laptop is connected to the same network that my kids' laptop is, I can go after two different targets. And that's only one piece, right? Ten years ago, 20 years ago, nobody had email on their cell phone unless you were important enough to have a BlackBerry. Everybody remembers those, right? People called them CrackBerries to some extent because of so much use. Move to today: every employee that has an email address basically has corporate information on there. We point to the four-letter acronym BYOD, bring your own device; everybody knows about that. And so that increases the corporate attack surface as well.

And then one of the massive things that I talk about is anything that can be a target. So when you're talking about your home network, I can change the temperature at my house from Mankato, all the way back in Denver, right? So, right there, there's another internet-connected device. There are refrigerators that have cameras in them so that when you go grocery shopping and you don't know if you have milk, you can look inside your refrigerator. All of these pose a risk and another attack surface item to be protected. And so when everybody transitioned from their office to their house, those devices became a part of that corporate network to some extent, if the proper security controls weren't in place. And most people didn't have time to consider that, so there was a lot of this retroactive consideration.
And most people didn't even, I know, Julia, if I could just, like, help me with your job. A lot of us also didn't even realize the threats that come with that, because as you're saying this I am, like, inventorying everything that I have in my house. Right, there's PlayStations, because I too have a young child. All of this is internet-connected, right? Even the little, oh gosh, I forget what they are, but like the little handheld PlayStations, whatever. All of this is connected to the internet. Now, is this why there's a need for a VPN? Tell us what that is, and is that something we should consider?

VPN is critical in the protection of the data on your corporate laptop. When you're connecting to a public Wi-Fi or a home Wi-Fi, that VPN, it's called a virtual private network, and what it creates is a tunnel that siphons the data from your laptop back to your organization. I can't see that data from inside, because it is in this tunnel; it is encrypted within this tunnel, and the only two people that can see it are the end of the corporate network and your device. So VPN is critical. And then when we talk about logging into VPN, your credentials, making sure that you have that multi-factor authentication.

Let's take a step back. There is a conflict between ease of use and security in the world. Most people don't want to be inconvenienced to get access to the things they need access to. Multi-factor authentication is often considered an evil tool because it makes you have to get a text message, or go check an email, or leave an application on your phone to press a button to authenticate.

Yeah, more work.

It is more work, and sometimes it results in just a couple more seconds of time off of your day, and time is money. But that is one of the easiest ways to stop an attacker: even if your password is stolen,
you still have the capability of authenticating another way, which keeps single-factor authentication a non-issue with our cyber attackers.

Wow. There's a lot of, you know, I know I'm guilty: whenever I am at a coffee shop or at the airport and there's free Wi-Fi, right, it's like, oh, simple, I'll do that. And that is really probably the most open, vulnerable opportunity for any hacker to access, and they don't even have to be in the same physical location, they just have to be somewhat close by, right? And I'm curious if you can talk to us about the threats of using open access like that.

Yeah, that is a high to critical risk, in my opinion, connecting to any Wi-Fi that you don't know is a trusted Wi-Fi. Right, I often tell people your cell phone is able to provide Wi-Fi for your laptop. Utilize that, because at least you know it's your Wi-Fi, and when you connect your laptop to it, nobody else is connecting to it. When you are connecting at an airport, and Denver was just named, like, one of the third largest or the third busiest airports in the world the other day, right, that many people traveling through the airport, any one of them can be connected to the same network as you, and hackers perform what's called the man-in-the-middle attack. So they will monitor the traffic going between your laptop and whatever else, if you don't have a VPN connected. Also, with public Wi-Fi, a common tactic that hackers use is setting up their own Wi-Fi device with the same name. So if you're connecting at Starbucks and their Wi-Fi is called Starbucks Wi-Fi, I could also set up a device that presents the same thing, Starbucks Wi-Fi, and then you connect to it, and then I can see everything that you're doing on that. So if you log into your bank account, I can steal your credentials from there.
And so making sure that when you connect to a Wi-Fi network, it is a trusted network and you are sure which one it is, which is why I always say, just use your phone. Just use your phone.

Okay, I've got it noted. I'm going to change my ways, you know, take those extra steps, even if it's a multi-step authorization to do that, as well as using my own Wi-Fi. Now, when it comes to a cybersecurity hack, how long does it take? Are we talking minutes, hours, like milliseconds? How long does something like this breach take?

It's a dynamic question, right? It depends on the thoughtfulness and how they set up their attack, right? There is actually a framework for how to attack devices, and it's run by a company called MITRE, and they developed the MITRE ATT&CK framework on all the tools, techniques and procedures that you can use to set up an attack. So if you are thoughtful about the setup of it, the attack can take a couple of seconds to a couple of minutes, but the setup is what really takes the longest amount of time.

Wow. You know, I'm thinking about us in the nonprofit sector. So often we're out with clients, and so we take these laptops. It was revolutionary when organizations started buying laptops for their teams so that they could go and be with their clients or the organizations that they're working with, sister organizations, satellite offices, I mean, you name it, different parts of their communities. This aspect of us taking our work and our pipeline back to the home office has become something that we're very familiar with, but I would imagine the majority of us are not doing what you're saying. We are not adopting this cultural aspect of knowing we need to protect this asset.
There's a concept in application security, which is the development of software, and it's called shift left or push left. Basically, as you are building an application, you go through a process from left to right to build that application, and shift left is talking about making security a consideration sooner in the process of development. And we try and focus that same concept on cybersecurity, network security and any other aspect of technology that needs security: being thoughtful about security in the process, so that you aren't retroactively considering it, right, when you have already exposed yourself.

Okay, so, again, my hair is on fire. I know my heart's palpitating.

Yeah, I'm going to have no hair left for tomorrow, our last time with you. And we don't have much time left today, but I'm kind of curious, for our guests and our live viewers, viewers that come on and watch us on our archives or connect to us somehow: what is a way for them to develop this cultural aspect? I mean, can we find people that we can hire on a consulting basis, or how do we navigate this? I'll just say it: what sounds like a daunting task, but it seems like it's the starting point, Michael, and maybe I've missed something, but how do we get going?

So the vision, the strategy, is realistically where most people need to start, and there are consultants that do this. They're considered the virtual chief security officer. Okay, what they do is they come in as a virtual executive at the C level to consider these types of things: What is your current culture? What are your current business risks? What is your growth plan over the next five years? How do you plan on achieving that? And let's talk about where cybersecurity needs to fit in there. One of the things I always like to say is, 20 years ago, if you didn't have a website you weren't going to be a successful business.
Today, if you don't have a cybersecurity strategy moving forward, you will not have a successful business. It has to be that consideration. So, starting at the top of the organization, building up that cultural statement of what the organization is, what the nonprofit is, its mission and vision, and then making sure that security is a part of that. We want to help with X, Y and Z; security, right, bringing security into that and building up that culture. Let's protect our donors while providing this help for this person of the industry to work with.

That's an amazing thing, and you know, you don't know what you don't know. And so, to find that leadership position, because it's such a strategic thing, and not to denigrate the IT field, but when I think about the IT people that I've worked with or had in my company, it's certainly not the right voice for that strategy. I'm not trying to negate their skill sets, but it seems to me like that voice that can understand, asking the right questions. Does that make sense?

Absolutely, absolutely. Yeah, so bringing in somebody that is familiar with those, whether you're looking to hire that position or you're looking for consulting in that arena. The virtual technology executive, the virtual security executive, is really the place to start, or we can call it fractional, virtual, or hiring the position to drive that leadership and strategy, because it needs to happen, like I said, from the C level. It needs to be at that decision level and then pushed down throughout the organization, knowing what questions, knowing where to focus your resources.
I think what I've learned, my huge takeaway from yesterday and today, and I am excited already for tomorrow, I'd be a little nervous, but it is really this visibility: where are we now, understanding our baseline, having that assessment performed by someone like yourself that really has this knowledge to truly create the landscape of our information technology systems, identifying risk not only for today but in the future, to help us see into the future to predict some of the potential risks as they continue to move forward. That is something that I am going to take away. I truly, as a professional consultant in this nonprofit sector, I mentioned that I do bring up IT as part of the strategic planning conversation, but really going deeper so that it gets a little bit more attention and priority, because it is scary, and I never want any business or mission to end because of the lack of that. And you had mentioned to us, Michael, that Eide Bailly and yourself, you're on this really big kind of speaking tour. You offer a variety of seminars, workshops, discussions around this. So is this where we might find more information about this topic and what Eide Bailly is doing?

Yeah, absolutely. Eide Bailly, our website at eidebailly.com/cybersecurity is a great place to start. From that point you will be able to find any future programs or any recorded webinars that we've already done talking about building a culture, what best practices are, trends in the industry, and any future either in-person or remote events.

Tomorrow you're joining us for best practices, if I recall correctly.
So, if you did not see yesterday's show, please do check that out. Today's will be on our archive in perpetuity, and tomorrow is one that you want to be here for, because Michael will be sharing with us about best practices. So if you have been in any way frightened like Julia and I have, make sure you join tomorrow, because we're going to end on a high note.

It's true. Well, hey everybody, this has, like, blown by, but we want to thank our sponsors before we sign off today. Michael, it's been great. As Jarrett mentioned, we really look forward to getting another view of this tomorrow with best practices. Another great episode. Thank you so much for joining us on The Nonprofit Show. As we like to end every episode, we want to remind you to stay well so you can do well. See you back here tomorrow.