Welcome, and thanks for joining us for another episode of the Nonprofit Show. If you have joined us today, you can see that we are ready for you. So we are bringing best practices in the nerdiest way that we know how. So welcome back, and thanks for joining us. Michael Nouguier, you are phenomenal, day three. Thanks for showing up and nerding out again. Today's conversation is nonprofit cybersecurity best practices, and again back, you know, with our best friend here, Michael Nouguier. Julia Patrick joins me. Julia is the CEO of the American Nonprofit Academy, and thanks to her we have these wonderful platforms and episodes to discuss these conversations. I'm Jarrett Ransom, your nonprofit nerd, CEO of the Rayvan Group, and really blessed to serve alongside Julia as the co-host of the Nonprofit Show. And if it weren't for our presenting sponsors, we would not be able to have so much fun. Thank you to our sponsors that invest in these conversations, invest in the American Nonprofit Academy, and truly in the sector at large. We are so grateful to have your commitment and your investment again in these conversations, so thank you to our presenting sponsors. And back to our guest today: welcome back, Michael. I feel like, you know, you're just, you're a steady now, and I don't know what we're going to do tomorrow.

I'll be here daily. Yeah, I came home and I was excited to wake up and start back on to this, this podcast series again, and I was like, all morning my wife is like, what are you running around with a smile on your face?

It's great. So you've been in Minnesota the last two days, different cities within Minnesota, and now you're back in your home state, or where you reside, in Colorado. So, so glad to have you back, Michael, and tell us a little bit about what we're going to cover today, because again, 30 dedicated minutes to cybersecurity.
I think today we're going to recap some of the trends that we talked about, but I want to take those trends and tie them into the best practices that realistically every organization should do, not just nonprofits, and what those best practices are, right? They can seem overwhelming. Most people are probably like, I'm really scared after the last two days. What do I have to do?

Yeah, raise your hand if you're scared.

And so, right, what can be done, what are some quick wins that organizations can focus on, and then what are some of the standards that they need to focus on moving forward?

Okay, so, you know, that's like one of the things I was talking about with somebody yesterday, was that you scared the hell out of me, but at the same time I felt like you were giving me knowledge and a roadmap for navigating it. And so, even though it's really, it's been tough to hear some of this, I feel like there is a roadmap and there is a path to helping us all not become so vulnerable. So the first thing I think we want to ask you is, like, what are cybersecurity trends, and then how do you, you know, plan ahead for these things?

Yeah, from a best practices perspective in the industry, the big trends have been focused on, as I stated yesterday, this visibility: understanding what's happening within your environment and where your weaknesses lie. If you understand those, you understand what you have to protect. Then you have a great idea of what to plan for moving ahead, what to budget for, what software and consulting you might need to drive better security posture in your organization.

I love that. I love the way that you phrase that. The assessment piece is really what hit me. So again, if this is your first episode with Michael, there are two previous ones that you will definitely want to check out.
So this is where I learned of the visibility and the assessment and really identifying where we are currently, you know, what systems are working, what systems do we need to improve, and really identifying that baseline of visibility. That's been probably one of my biggest takeaways. There's been a lot, but that's one of my biggest.

As you talk about going on your family vacation next year and you're going to take a road trip, right, you know your destination, right? In this case it's security and being secure, but you can't get there if you don't know where you're going to leave from. So assessing your current state and where you are helps build those directions to move forward, and that, I think, I can drive that home all day. I could probably talk for the next 30 minutes just about building that current state, understanding what risks you have and aligning those, right, because every security risk has often been seen as this other type of risk, but it realistically is the business's risk, right? It plays into all the risks that we're planning for now.

So let's expand a little bit on that. You mentioned this briefly on one of the two previous episodes about the risk factor and purchasing insurance, not just as part of the budgeting, but just, can you talk about that briefly?

Yeah, so insurance is, right, I'm not going to say that you have to buy insurance or you should or shouldn't buy it, but insurance is a failsafe, right? We all want to have some form of life insurance or health insurance because it is a stopgap.
So the best practices, you have to do what's best for your organization, but buying insurance years ago was really easy. It was an afterthought; it was added on to liability. Now it is very, very much a consideration for what your security posture is and what you need to budget for going forward, and so we've seen a lot of clients with denials coming back from their cyber insurers because they don't have the best practices that they need in place. And those best practices, you know, they range organization to organization, but they want you to have their authentication. They want you to be consistently updating your visibility into your security weaknesses; those are the vulnerability assessments, penetration testing. They want to make sure that you have policies and plans in place to set the standards of cybersecurity and plan for an incident, you know, a cyber attack, if one were to happen. And if those things aren't in place, we're either seeing denials or a lot higher premiums, similar to health insurance, right? If there are considerations for your health that might lead to, you know, determine in the near future, health insurance will raise your premium or even deny you health insurance. Same concept; now we're starting to see that emerge in this industry.

Wow. Okay, so that, like, brings it home. I mean, because it makes it even more incumbent upon our organizations to be doing these assessments and really figuring out a path.

Well, seriously, because I feel like, you know, it's also that identity theft: oh, that won't happen to me. Cybersecurity, that won't happen to us. You know, again, what Julia said in a previous show is we're really small, like why would someone come to maybe an organization under a million and not a nationally federated nonprofit that is a multi-million and therefore, you know, their gain could be bigger or greater. But this is, no one's immune to cybersecurity.
And it is opportunistic, right? That's what attackers are looking to do and hackers are looking to do: where is there an easy opportunity for me to gain even a little bit of access or a little bit of money, right? Just enough, like if I can get five or six small businesses because they haven't been proactive in their cybersecurity, rather than trying to go after a much larger organization that might have some of these proactive measures in place. It's a lot easier, and easy is what people are focused on from a cyber tech perspective.

Sure, sure, because I think it's exactly what Jarrett just said. It's the other; it's going to be somebody else. Okay, so then let's get down to the nuts and bolts of this. How much is this going to cost us upfront? I know you gave us a number and I don't know if I can recall it correctly.

That average cyber attack cost in the United States, it's 8.64 million dollars, or it was in 2020, right? We're still compiling that data this year. We think it's going to rise because we've seen a lot of large ransomware cases this year. But 8.64 in the United States; worldwide it's about 3.9 million dollars per breach. That being said, right, if you were an attacker and you knew that you were going to get double the amount of money, would you not target the United States? And so, as having a presence in the United States, we are automatically a bigger target for cyber attacks.

So, I don't know the, we know there's 1.8 million nonprofits in the US, and I don't know their average size, but I feel like, you know, a 3.8 million dollar cybersecurity threat would really, yes, wipe out the organization, and as you had said previously there are countless ending situations, and there are several nonprofits, right, that are even under a million dollars, but a 3.8 million dollar threat, that is severe and that is so frightening. It really is.
Yeah, and you have to remember that those statistics were built on businesses in the small business sector all the way up to the Fortune 100, and so obviously the average breaks down, and so 8.64 million for a much smaller nonprofit or small business is obviously going to be a lot less, but still detrimental from a cost perspective.

So how do we prepare for this? Again, I had mentioned, you know, information technology is something I bring up in strategic planning, and I know that this is part of conversations around the boardroom. So looking ahead into next year, how do we truly budget for the needs of cybersecurity?

Yeah, so yesterday I gave a statistic from several years ago, right, that cybersecurity was three to 5% of the IT budget. Realistically, today it's about 10 to 15%, even rising to about 20% of the actual IT budget, and focusing on what that is, right, is that percentage focusing on tools and protection, or is it focused on the holistic cybersecurity mission? Because that risk, again, as we just talked about, is business risk, and so as cyber insurance is starting to ask more detailed questions about your posture and raising your rates depending on how secure they think you are and how much of a risk you are, understanding that that is not necessarily a cybersecurity cost, that is a business cost moving forward, that insurance cost. So that's why I say it might even be 20% at this point of your total overall IT spend, and so planning for this and driving that culture, as we talked about yesterday, building a culture that emphasizes security for every individual within the organization, making sure that it is a focus moving forward for every individual in that condition as well, is going to help.

Now, Michael, I want you to get out your crystal ball. Okay, I don't know if you travel with it in Minnesota, but if it's there in Colorado, go ahead and get it out, as Julia says, dusted off.
I'm sure, come on, if you have those glasses you have to have that, yeah. Looking ahead, if there was a big jump from 5% to almost 20%, should we forecast going forward in our budget, so if we're creating, you know, a three to five year strategic plan, should we prepare for an increase of this budget?

I told you, right, I mean I mentioned this the other day, right: 20 years ago if you didn't have a website you're going to be successful, 10 years ago if you didn't have a social media presence. Today my prediction is, if you don't have a cybersecurity strategy, you're not going to be successful moving forward. And so should you plan for an increase in the cybersecurity budget? I absolutely think so. I think that is all dependent on assessing your current risks, where your risks actually are and what you're actually doing to accept those, mitigate those, transfer those risks within your organization, and so that could lead to an increase in budget. I think it would make more sense to have that assessment, build out that roadmap and that strategy, so that you knew what to budget for and plan on in some pretty decent round numbers.

And so, I, you mentioned this yesterday, but I want to have you dig in just a little bit before we get on to our next question. And that is, all the things that I'm hearing you say, and just in these two, now three days that we've been, the folks that I've engaged with, our viewers, have come back really concerned about how little they understand about this. One of the comments I've had is, we can't do this ourselves; we didn't even know about this until we started hearing your guest. So, so paint us a picture of how we can get these assessments done, because this isn't something I think we can do internally with a notepad and asking questions.

It always, I would never.
I would never ask an organization to just do a self-assessment. I think having an expert come in, an outside third party, assessing the environment from their perspective and with the best practices and the trends that they're seeing, is always going to be my recommendation, because they're going to have an understanding of the threat landscape, not just for your industry but for your geographic location, from a lot of different perspectives on that. And so having, you know, a trusted partner do something like an assessment or an audit of your IT controls to make sure that they align with best practices, and if they don't, building out that strategy and that roadmap to help you align over the next one, two, three, five years.

It's not a one and done is what I hear you saying.

No, the journey, not a destination. That's exactly right.

Oh gosh, I feel like a prerequisite is to ask the person, have you in your past been a heartless hacker? Okay, now you're qualified, because we need that expertise.

And clearly that is not the route to take. You know, we don't want to invite the hacker into our dining room table.

And that's the ethical perspective with it, right? I want to emphasize the ethical hacking perspective, right? That's what we have from, essentially, what a penetration test is: an ethical hacker coming in and saying, I know how a hacker will come at your environment, and so we will test it the same way that any other hacker will, following these frameworks and these methodologies, and then that delivers a much clearer understanding of where you are most vulnerable.

Okay, so we have had a lot of questions come in, and this is kind of an interesting thing. I want to ask you before we move on to our next question: what role do you think the new government cyber crime agency, GCA, is going to play in the cyber insurance industry? Because, you know, it is the World Series. Yes.
What role do I think the government cyber crime agency is going to play? I think it's going to develop the standards that every organization should probably follow, right? There are already standards out there, right. The National Institute of Standards and Technology, NIST, has a cybersecurity framework that you can align with, and there are maturity models to that. There's the Cybersecurity Maturity Model, which is also a federally run program, or federally designed program, for the DoD, so that you can align with maturing your cybersecurity posture. And then there's the Center for Internet Security, which actually has the top 18 things that you should focus on to secure your environment. And following all of those, right, when my team goes in and does an assessment we align with all three of those, right, and make sure that we're putting forth the best practices that help you align with any of those frameworks. And there are a handful of other frameworks as well, but I think that that's probably what is going to come out of that: a more detailed framework for security, and also some rules around, maybe, when mulling over whether or not it should be legal to pay ransom, right? It's already illegal to some extent to fund terrorist groups, and so if you get a ransomware attack, you have to be very, very sure that if you pay, that it is not funding a terrorist group, because OFAC is the federal department that will actually follow up with you on whether or not it is a legitimate payment to a hacker and not a terrorist organization.

Okay, now hair on fire for a third day. I don't have much hair left. I think I need a defibrillator.

Okay, let's go, let's go. Let's go best practices here.

Okay, yeah. Okay, so now I want to get into this, and Jarrett and I are so curious about this. How do we educate our nonprofits to care about this? And you talked about culture. I mean, education. What does this look like, and how do we immediately start getting our teams to work on this idea?
Right, so I talked about the top down approach, right? Culture has to be driven from the top down. And so there's an emphasis on cybersecurity, right, making sure that it is an important aspect that everybody needs to focus on for the mission, and driving the organization that helps provide that caring aspect from every person in the organization. I think earlier we were talking about the difference between training and education. Training is vitally important, right? It's usually walking through pre-recorded materials or reading to understand where you're at. I think education is really that sounding board that everybody needs to start becoming more of an expert in this, right? Not everybody has to be a cybersecurity expert, but if we are educating people and providing feedback and questions and answers in that education, it is way more valuable than just a training, right? Coupling the two together helps build individual cybersecurity knowledge. It's not really an option to not pay attention to it right now, right? As we've already talked about the last two and a half days, we've all been scared. And, right, learning about it is step one, and learning about what to do about it is step two, right?

Fascinating. I can see what you said bleeding over into how we look at our organizations on the whole, you know, how we treat personal development, and this almost as a personal development issue ultimately. And yet I can't think of one organization or person that I've met, in the last forever, that's actually brought this concept to their whole team. It seems like it's another problem: it's an accounting problem, it's, you know, an HR problem, it's something else. Somebody else is responsible for it; let's let them be responsible for it.

And that's right, tying back into everybody has a responsibility when it comes to cybersecurity.
When you're watching data within your organization, you get emails from your organization, you have physical access to something, you have a responsibility to be that protection, part of that protection at least, moving forward, and getting education on how to do that, right? Just saying that you're responsible for it is not enough, because there's probably going to be a thousand questions coming out. And so making sure that you are doing education alongside of that training. Hopefully everybody listening on here has a million and one questions, and if they want they can reach out to me, or there's a trusted advisor, somebody that they know that they can talk to about that and get those answers.

I'm curious. My two main wheelhouses in consultancy work with nonprofits are fundraising and strategy. So when I'm listening to these conversations, I'm thinking, are funders playing a role in funding this need, you know? And I'm curious if you're aware, Michael, of any funders that do focus specifically around the cybersecurity and IT enhancement need.

So I think the answer is yes. I do see that in every industry, not in just nonprofit, right, whether it is a client or a large donor or even small donors, right? I pay attention to where my donations go because I want to make sure that my donors are safe with it as well. Right, and specifically in the nonprofit realm there is this concept of anonymity. Right now everybody wants to know; not everybody wants people to know that they're a donor or a funder of this, and so maintaining the anonymity is highly important. And if you don't trust the organization's security to move forward, then you might not be a funder much longer.
So we get questions from a lot of different clients asking us to come in and do an assessment and do a vulnerability assessment or penetration tests so that they can provide that information to a potential client or potential funder, to provide them this peace of mind that says, hey, we know that we don't have any security weaknesses on our network, and here's the third party attestation for that, right? Here's how you can see that we are secure. Providing that is a business plan moving forward now.

To what you said, it's not just about being proactive; it's about when an attack does happen, how we act upon that attack, right? So even sharing that attack plan, perhaps, I think is just as important as putting these other elements in place to be prepared and to do whatever we need to do to mitigate the attack, but to realize that when and if an attack does happen, we're ready for that too, and here's the plan.

Exactly, and as my father always told me, failing to plan is planning to fail, right? If you don't have anything defining what you're supposed to do moving forward, then you're doing everything off the cuff, and that inevitably leads to mistakes and people running around and bumping into each other. So.

Right, right. Well, funders, if you're listening, I hope, I hope that you're putting cybersecurity as one of the items that you will fund. You know, typically in the past it's been only program dollars, and that of course has been a big, big shift and change to talk about personnel and to talk about program evaluation and a little bit of everything. So cybersecurity, I hope, is a trend that funders will start to back so that we can ensure the safety of our constituencies and our communities in which we serve. That's my soapbox.
Well, it's a good one, and I mean, if you think about all of the Silicon Valley based philanthropy that's leaking out across this country, the vast amounts of wealth that have been made from the tech sector, this should be something that we see coming about and, you know, almost becoming a part of capacity building.

I think so. You know, we really need more Michaels in our space. Yeah, ethical hackers, as you've called them. And that is, it's just so important, because I've sat here flabbergasted the last two shows and today. Like, this is Greek to me. It is so unfamiliar, and it's really scary, and I wish I had counted how many times I've used that word, or the word, because it really is a space that I don't think many of us are familiar with.

Yeah. And as I say on almost every call that I'm on, there's always somebody willing to help. Cybersecurity is one of the largest communities out there, right? It's not a competition against different businesses; it's really a community, sharing the intelligence that we have between everybody, because we want to see protection for all organizations. We want to see a lowering in cyber crime moving forward.

Well, this has been remarkable, and it's hard to believe that our time is almost up. Before we let you go and end this three day series, which has really stirred up so many more questions for me, what would you say to somebody, in terms of a leader within an organization, is the best practice to start learning, or where do you get this information as opposed to just general media? Is there a place where, you know, leaders of nonprofits should be checking in?

There are. I'll give two resources today, and the first one is staysafeonline.org. And that is not just for leaders of businesses but also personal, a personal understanding of cybersecurity. That staysafeonline.org hosts Cybersecurity Awareness Month, which is October.

Happy Cybersecurity Awareness Month.
There are resources out there right now. Stay Safe Online hosts that. It is run by a joint collaborative effort between a couple federal agencies, one of which being CISA, which is the Cybersecurity and Infrastructure Security Agency. They also have a plethora of resources for businesses to help them understand what to do next from a cybersecurity perspective.

It's overwhelming.

My phone is always available. There are 100 consultants out there that are able to talk to you, and I'm happy to answer any questions that I can. Like I said, we are a community, and we're here to uplift all businesses so that we can put an end to cyber crime.

Wow, well, you're an amazing representative of this whole, I hate to use the word industry, but this thought leadership, and it's been really amazing to have you on. I think we need to really be thinking more and more about this. It hasn't been part of our dialogue, not just on the Nonprofit Show but across, you know, the nonprofit sector, and so it has been amazing. Here's Michael's information. Michael, I did not put your phone number on here, but I put on your email, and so, brother, you're going to be getting emails.

Emails are probably better anyway, right, and my voice is starting to go out right now.

Well, day three of a national broadcast, you have brought so much wisdom, value and expertise. Eide Bailly is very lucky to have you. We are very lucky to have this partnership with Eide Bailly, and truly to know that Eide Bailly is here for our nonprofit sector across the nation. I'm so grateful. This has been a wonderful three day series. Again, Michael, thank you so much for coming and nerding out with us.

It's been, yes, right up, right on. It's been super nerdy and a lot of fun. I have learned so much. And again, very grateful to have your partnership with Eide Bailly through these last three days. So if you missed it, and you missed the previous two days, or you want to go back and watch any of the episodes, I know I will.
Please do check them out. Julia Patrick, CEO of the American Nonprofit Academy. I'm Jarrett Ransom, your nonprofit nerd, CEO of the Rayvan Group. And we are so grateful to have the continued support and investment from these presenting sponsors that you can see right here on the show. Many of these, Julia, I think they've been with us about, you know, day one.

Yeah, day one. So, day one, yeah. Hey everybody, you know, this has been amazing, and I'm really appreciative that we got this glimpse into something that we need to be talking about. And I want to remind everybody, as we end this episode, to stay well so you can do well. Thank you so much, Michael, it's been wonderful. Thank you, Jarrett. We'll see you back here tomorrow.