Hello, and welcome. Happy Friday. So excited that you're here. Today is another episode of the Nonprofit Show, and it is our final episode of the Power Week that we have here with Kyle Hendrickson of iBailey. Each and every Friday we dedicate these episodes to our Ask and Answer episodes. Thank you so much to Fundraising Academy at National University for being our exclusive sponsor of every Friday. And again, we've had Kyle Hendrickson with us, director of cybersecurity at iBailey. He's joining us from North Dakota, but iBailey works across the nation, so many satellite offices throughout our country. And so just so glad to have had you here each and every day this week for the Power Week. Not quite sure what we're going to do tomorrow, although we know you're pouring concrete. Without showing up each and every day, our coffee in hand, and you here for conversation, it's not going to feel the same. So Kyle Hendrickson, director of cybersecurity at iBailey, again joins us today for our Ask and Answer episode that closes up every weekday.

Hey, we want to give a shout out to our presenting sponsors. Those of you that are watching, you can see the logo right on screen. Those of you that are listening, I want to say thank you so very much to Bloomerang, American Nonprofit Academy, Fundraising Academy at National University, Be Generous, Your Part-Time Controller, Staffing Boutique, Nonprofit Thought Leader, and the Nonprofit Nerd. These companies have kept these episodes growing and growing and growing. And if you haven't checked them out, do yourself a favor and do check them out online, but a friendly reminder: wait for about 28 minutes to check them out, because you don't want to miss what Kyle's going to share. If you want to share any previous episodes, or perhaps today's episode really grabs your attention, you can find us on Roku, YouTube, Amazon Fire TV, as well as Vimeo. So all of our episodes, they are online. You can find the archive as well as podcasts.
So wherever you stream your podcast, you can find us there too. You can put us in your ears and just listen to us as you walk. And so check us out in podcast form. So Kyle, I mentioned, every Friday we do questions, Ask and Answer. They come in from our audience across the nation and in fact across the globe. And because we have focused with you this week on cybersecurity, guess what, these questions are all about cybersecurity, which is a good thing because you're here and you're able to answer them. I'm still learning, but I have already learned so much from you. So again, thrilled to have you here. I'm going to read the question aloud for our viewers and our listeners. And Kyle's going to be on the hot seat. So you ready, my friend?

I'm ready. Ready as I'll ever be.

I like it. I'm in. So Evan in Portland, Oregon, submitted this to us: "If we need to cut some corners and maybe look at reducing our insurance cost, should we pull back in our general insurance and put more into cybersecurity? It seems like this is more of a pressing issue than ever before." What do you say, Kyle?

Well, so I think that this is a risk management decision. So this is not something that I can tell anybody what to do. So we need to look at what are the risks from general liability or from the cyber side that are the most impactful for our business and have the biggest impact if something should go wrong. I would also discuss this with your insurance broker, because there may be different business practices that we could implement or change how we do certain things that may reduce our premiums from a general business liability, and certainly from a cybersecurity insurance side of things, maybe there's practices that we can do to reduce what our premiums would be.
So I would probably try, I would recommend doing a consultative approach, going back to your broker saying, what can I do to keep the same level of protection, but are there certain practices that make me more risky, therefore increases my premium. So I would engage in a dialogue with where I'm getting my insurance from.

And that's great feedback, and I've been with a lot of clients over the years that have actually had to increase their own general insurance. So I don't see it as a benefit to decrease really any insurance, and to me, like, makes my heart palpitate a little bit, but you're right. I think having that consultation, really learning the risk for that, you know, we certainly want to manage those risks, and you've been so great throughout this week, Kyle, to really, you know, provide these messages of hope and to say it's all about managing the risk. And Evan, I think this answer that you just received from Kyle really provides that feedback to you, you know, to go to your insurance providers, plural, and ask them that question. I think that's spot on, so thank you. And I hope that that helps, Evan. It's not going to help you cut corners, but hopefully it'll help keep your doors open. That's what we want to do for sure.

Okay, Jamie in my neck of the woods here, Scottsdale, Arizona, hello: "How often do you recommend training of the staff in terms of understanding how critical cybersecurity really is? I think our staff think that this is only for for-profit companies and that for-profit companies are liable for attacks as opposed to nonprofits. It sounds to me that nonprofits are just as vulnerable." What would you tell Jamie?

When we think about cybersecurity training, most often the topic comes up around phishing and awareness training, doing those simulated phishing attempts, and measuring who clicks, who provides information, those types of things.
And I don't know that it's worth staking everything on those, but they are a low-cost way to be able to provide awareness within our companies. So the approach that we've seen across our company base is typically a quarterly approach to doing that sort of phishing and awareness training. But it needs to be not in a punitive way, it needs to be in a learning sort of way, so how can we help people understand what those things are. If someone is trying to spoof or pretend to be someone, what types of business processes need to change in order to understand if you can't trust the person that you have normally been interacting with, that they have control of their email anymore. If someone's requesting address changes or requesting bank payment terms or different financial institution changes, what kind of business processes are we going to put in place and provide that training to our people, to make sure that we're paying people appropriately and we're not on the hook for financial fraud through business email compromise, those types of things.

I'm curious. Earlier this week, Kyle, you had mentioned about working, and I forget exactly with whom, but it was about doing a table test, table topic test. Can you dive into that a little deeper?

Yeah, so tabletop tests are just sitting around the table, virtually or physically, with those key people in your business, or those key vendors that you rely upon to provide your technical stuff that you keep your business up and running with, and making sure that we're working through what would happen if disaster happened to us from an information technology perspective. And this could be from a loss of availability of a system, or from a cyber attack, whether it's business email compromise, ransomware, data theft, manipulation of systems, something like that, understanding: okay, do we have a plan? And if not, let's make a plan. And then once we have the plan.
Let's all get together and talk through the plan, as it would relate to a specific incident, to understand if we need to improve or otherwise what would be impacted. And this needs to be comprehensive too, so it's not just about technology, because technology without business processes, without those things that we do to serve who we need to serve, technology doesn't matter. So what's the problem about what are those key activities that we need to do to support our business and to support who we need to support. And can we continue with those, if we have an outage or if we have a disaster, and putting that front in front of mind.

So yeah, that's great, and I think too, one of the things that really hit home for me that you had shared, and I want to say on Monday, so again that was when we were in person, had the great pleasure of launching the Nonprofit Power Week with you and iBailey on Monday, was the average cost of a cybersecurity attack was approximately quarter of a million. Am I remembering that correctly?

You are remembering that correctly, and that's a really scary and painful number for people to have to go through.

Yeah, so I think, you know, I know we're all super busy and maybe to think of doing a quarterly education for our staff. You know, it's really talking about that quantifiable impact that could really be here knocking at our door, and I think sitting down and doing that tabletop test. Talk about alliteration, a tabletop test. Say that seven times fast. You can't afford not to do that. And so I really think that that's a great best practice, Jamie, and you know what, Kyle has shared here some really good insight. And again this entire week has been chock full of information that Kyle has been able to provide for us, so hopefully that'll help to educate your staff, your volunteers, your board and everyone involved with your organization. So, excellent.
Alright Kyle, you're a pro at this, so we've got question number three coming in from Houston, Texas. Brad wants to know: "Is older technology, such as laptops and phones, more apt to be less secure? We have some old technology, and I am wondering if the issue of cybersecurity might make it more important to update some of our computer tech." Answer this, Kyle. I just want to say, Brad, you're not alone. I think a lot of nonprofits around our country have a lot of old technology. So yeah, let's hear what you have to say to Brad, Kyle.

That's good. Well, so when I think about upgrades, it's not just about cybersecurity, right? So we want to make sure that, is the equipment that we're using still reliable? And am I still able to be productive on it? Is it fast enough to do what I needed to do in order to serve our customers? And with that, then we start getting into, should I upgrade it just for the cybersecurity side of things. And so for that answer I would lean on to what kind of software are you running on that hardware, those devices. So for computers, traditional laptops, desktops, those types of things, most of everything we see in a nonprofit space is on a Microsoft Windows type platform. It is what it is. And so if we're still running things like Windows 7 or previous versions of Microsoft Windows, they're no longer getting security updates. If our hardware doesn't support upgrading to the newest operating systems, that's a good sign that we need to upgrade. Just because you're on Windows 10 now, or Windows 11, doesn't mean that you're on the current version of Windows 10 or Windows 11. So with the newest operating systems, they have moved to a periodic version refresh within that ecosystem, so Windows 10 has periodic feature pack upgrades that come out, and these aren't just patches, these are actually new versions of the operating system.
When these come out, only so many of the older versions are still supported and are still going to get those security patches, get those security updates. So it's important to ask those questions: even though I'm on what I think is a newer operating system, am I still getting those updates being delivered to me? And so there's a little bit more to keep in mind other than just, is the hardware new enough to support the new stuff.

You just blew my mind, because I'm always of the thought that everything technology-wise is plug and play, right? I use an iPhone. I wish that we had Apple as a sponsor, we don't yet, we're going to work on that. But every time that there's an update, you know, or new software installation, whatever, I don't speak this language, it tells me that it's going to happen, you know, at night once it's plugged in. So my assumption, and we know why we spell assume, right, is, I mean, is that not for every computer? Are you telling me, like, there's extra steps we need to take?

So most computers do have that automatic update mechanism for their operating system, like iOS on your iPhone or on your iPad. Yes, that doesn't mean that it works every time, so we need to check on it periodically to see if that process has broken for some reason and recruit the proper help to troubleshoot it if it gets stuck, for lack of a better word. And so that can happen with your iPhone, that can happen with your iPad, with your Android device, with your Windows device. It's something that needs to be checked on periodically, so monthly, quarterly, whatever fits your tolerance for risk. Again, we need to be checking in on that, just, hey, do I have anything hanging out there, did it actually work the way I expected it to, because trust but verify. We assume, again, assume that everything is going to be fine, but we need to trust but verify and understand, are things actually working the way that we expected them to.
And then speaking to the mobile devices, like what you brought up, we want to stay on hardware that supports the latest version of iOS or the Android operating system. We don't want to be on hardware, just because we had it for the last five years, that can't support the newest stuff. The newest stuff is what's solving those security vulnerabilities and making sure that you're not going to be an easy target to be able to manage up.

Wow, Brad, I hope that you heard all that Kyle had to say. I feel like my to-do list just got a little bit longer, but when it comes to risk tolerance, I don't think it's something that we can, as another guest asked, cut corners. So Brad, that's your feedback and response from Kyle. I think it's great. Again, I'm so grateful to have your nerdiness in this space, Kyle.

Okay, Patrice in New York, New York, sent in this question and wants to know: "In regard to cybersecurity insurance, how much do you think annual coverage costs are going to increase or change? It seems that this is an escalating problem, and that the costs are going to go through the roof."

So I think that this is a very big message of hope for everyone. And so this is my opinion. I think that we're in a situation right now where they've increased dramatically where they're going to increase dramatically. I think that we're in a situation where there's only going to be incremental increases to this type of service going forward. But what I do see is increased requirements for getting that. So again, we went on insurance day, we talked about those five key controls that need to be implemented in order to get your policy renewed, that policy in place in the first place. As the malicious actors evolve, and as they change tactics, that list of things that we're going to be required to do is going to change to reflect what's going on now.
And so that's something we need to keep in mind, and that's where I would recommend setting up some sort of cadence with our cybersecurity insurance broker and making sure that, have things changed. I'm going to be doing other things. How do I reduce risk so that I can make sure that I continue to get my policy, or if there's any opportunities to implement certain things that allow me to reduce my premiums. And by implementing these things, that's not always just going out and buying something. Sometimes that's taking advantage of security settings or configuration on things that I already have. So this isn't necessarily outlaying a ton of money. Maybe it's just changing how I'm managing technology within the organization.

Refresh my memory, and for those of you that are viewing and listening. Kyle, you had mentioned that we could go to our cybersecurity insurance provider, ask them how they might be changing their requirements, and for us, and you were saying maybe do that, what, six months in advance or three months in advance, could you.

So I would say I would start off with six months in advance, but I would also preface that with your broker or with your agent, saying, is this too soon. So just making sure that you're working with the system that they have in place, but asking early is encouraged. I would definitely do that. And they're going to have access to what the latest requirements are from the insurance carriers, knowing that you can get a head start on that. And again, working with them to see if you can reduce your premiums by doing things a little bit different.

Yeah, I think that is the cherry on top, you know, really work with the partners that help you provide this insurance, the coverage, and to mitigate the risk, really working with them, because I think often we see that it's ours, we have to handle it, we need to figure out what it is. But one thing that I've certainly learned from you throughout this entire week, the Nonprofit Power Week, is really to work with your partners, including iBailey, on what needs to take place so that we can mitigate these risks. So I love that you have this message of hope for Patrice and for all of us, is that, you know, maybe we've already hit that max of where these charges are really going to land and that they're not going to increase, let's hope.

I think that's, from everything I see, I think that's right where it's going to be. I've been wrong before, and I'm okay with being teased for being wrong, but that's just where my head is at.

That's what you're saying. And that's really important. So Patrice, again, and you know, hopefully that helps, and I'm curious, I'm going to tag on to that question for her. Is it based off a geographic location? Because I noticed, you know, she's asking from New York, I'm in Arizona, you're in North Dakota. Do you see that rate change across the nation?

So that rate probably changes for general liability based on other factors, but from a cybersecurity insurance side of things, I don't. As long as you're in the United States, as far as I know, the rate is going to be consistent.

Okay, that's good.

More about how you protect the data and what that data is. So what kind of risk does the carrier have by insuring you.

Got it. That's great insight. I have been amazed, I have been schooled, I have learned so much from you, Kyle Hendrickson, director of cybersecurity at iBailey. You haven't been with iBailey long, but you have been in the industry for a long time, plus you have started as a nonprofit.
So you really are a whiz when it comes to all things NPO-related, nonprofit organization, for cybersecurity. Kyle, as we wrap up today's episode, you know, again, one of the things that Julie and I like to ask our guests, and it's a little bit of a curveball, but we assume, again, using that word. It's a crystal ball. Right. So I want you to get your crystal ball out, shine it up. What are you seeing in the near future, truly for, we're going to stick to nonprofits in the cybersecurity risk management space, is there any kind of final, you know, foreshadowing you can provide us here?

Ransomware is not going away. It's here to stay. We see a lot of ransomware actors pivoting to just stealing data and just moving right to the extortion phase, skipping over the encrypting and locking you out of your systems. I think that's important to keep in mind, as we are protecting very sensitive information. There's a lot of donors, a lot of people that are keeping us afloat as a business, that don't necessarily want their name out there, or their We also in the nonprofit space. We have a lot of people that come from environments where they need help and they don't necessarily want their contact information out there, regardless of the services that we're able to help them with or provide them. So data protection. When we start thinking about security controls, we need to think about business outcomes. What is this going to do for me and how is this going to reduce my risk? I don't want to just buy something for the sake of buying it. I don't want to check the box just to check the box for compliance. I want to actually get value out of what I'm doing. And so I think there's going to be more of a focus in on business outcomes as we talk about cybersecurity. What does it mean to the business by doing this, along with a continued focus on ransomware, at least for the next 24 months, the next two years. It's going to be a big thing and it's affecting all of us.

Yeah, it is, and again, as technology advances, that's one thing we've certainly seen the acceleration of over the last three years, for good or for bad. Who knows, right? We can stay agnostic there. But I love what you've shared each and every day this week. Again, for those of you that are just joining us today, or maybe you're only able to join us a couple of days this week, Kyle was with us each and every day this Nonprofit Power Week. As you see, Julie and I have not been here every day, but Kyle has, he has stuck with us. We absolutely adore everything that he has come on to share, and really just, you know, again, I'm going to say it live and it's going to be recorded, but you know, we never know who we're going to get when we're talking to someone in the technology sphere. My eyes tend to glaze over and I'm like, I'm not quite sure what this person just said, it's all Greek to me, but you have made it so relatable, so very easy to digest. I just really appreciate that. I appreciate all that you shared with us every day this week. Again, if you missed any of the episodes here with Kyle, you can go back and watch, listen, share, you can do all of those good things, and just so grateful to have your expertise.

We also want to say thank you to our sponsors that keep the Nonprofit Show growing. We are marching towards 700 episodes, so we keep moving forward. So we want to say thank you also to our presenting sponsors that include Bloomerang, American Nonprofit Academy, Fundraising Academy at National University, Be Generous, Your Part-Time Controller, Staffing Boutique, Nonprofit Thought Leader, and the Nonprofit Nerd. I had mentioned, you know, if you missed any of the Nonprofit Shows, you missed any of the episodes this week with Kyle as we jumped and dove deep into cybersecurity, they're still there for your viewing pleasure, so YouTube, Vimeo, Amazon Fire TV, check them out there. They're here, they're not going to go anywhere, they're going to stay online.
And again, Kyle, we're going to miss you next week, but we wish you the best with pouring your concrete so you can prepare for your Thanksgiving.

Awesome. Well, I appreciate you having me on. It's going to be weird without you next week.

I know, but you know, I have a feeling we're going to have you back on. iBailey is a great partner of ours, and so grateful to have a Nonprofit Power Week dedicated to cybersecurity. We don't do Power Weeks very often, we really save those and secure those for some hot topics like this one today. So again, I'm going to give another shout out: Kyle is on LinkedIn, he's active on LinkedIn, if you'd like to connect directly with Kyle, find him, Kyle Hendrickson, director of cybersecurity for iBailey, and of course check out iBailey. They are in and around, throughout our nation, based in North Dakota right there with Kyle, but again, they have offices and individuals working in this sector all around the country. So Kyle, thank you. All of you that joined us, thank you. This is another Friday Ask and Answer and a wrap-up for the Nonprofit Power Week. Hey, I hope everyone has a fantastic weekend, including you and your wife, Kyle. Again, you've got some heavy lifting this weekend, but I hope that everyone stays well so you can do well. Get some rest. We'll see you back here on Monday.