Welcome and thank you so much for joining us today. This is a very in-depth conversation, one that you cannot afford to miss truly. So today's episode is dedicated to cyber hackers are heartless. We have Michael Nugier, who is joining us today. Michael is the director of cybersecurity with Ida Bailey. And again, today is dedicated to this topic. Tomorrow is dedicated to the topic as well as the next day. So Tuesday, Wednesday, Thursday of this week. So excited to have Michael with us. And of course, Julia Patrick is here. Julia is the CEO of the American Nonprofit Academy. I'm Jared Ransom, your nonprofit nerd, CEO of the Raven Group. And if you joined us for the Chitty Chat Chat, you learned that all three of us are nerds and we are really looking forward to getting nerdy today on today's topic and today's episode.

Again, we would not be able to bring this broadcast to you live as well as the recordings if it weren't for our presenting sponsors. So you can see their logos right in front of you. We encourage you to check them out. They exist to help you move your mission forward in the best possible way to serve your community. So thank you to our presenting sponsors. And again, please do check them out online. They want to help you and they want to help you elevate and sustain your mission.

And back to our guests today. Again, Michael Nugier joins us as the Director of Cybersecurity with Ida Bailey. Michael, welcome.

Thank you. I'm so happy to be here. I love talking about cybersecurity and then the nerd glasses, I'm super excited about those too. So I can, those back on, let's let the nerd out today.

Yeah, you're in good company, right? And we will make sure that you get a pair of these Michael because I do believe you've earned them. Thank you. Yes, it's a crown to, you know, to be proud of. Not a backhanded compliment, I get it. It's a crown.

Absolutely. Michael, tell us a little bit about your journey and your role within Ida Bailey.
Yeah, so I, you know, I've been the IT person in my family since the day that we bought a computer back when I was like four, right? And so really sparked the interest at one point in my life. I thought, I don't want to do IT, I'm going to be a doctor. And that, that obviously didn't turn out for me. And so growing up with computers and IT and working, working with that, I was always the go-to person to fix something when it broke and getting that knowledge and growing up into that led me to a career in IT in general. And so I spent a lot of time working across a ton of different organizations and higher education and state governments. Finally got into my foot in the door with cybersecurity and I worked in the state government running certain aspects of cybersecurity there, transitioned into the consulting side because I felt there was more to do, more people I could help. If I, if I'm talking about my why it's that I really want to help people. And in doing so, I found my niche in cybersecurity came over to Ida Bailey about eight months ago to work on consulting services around cybersecurity and been here ever since helping, helping anybody that needs help when it comes to cybersecurity.

So Ida Bailey is one of the largest accounting firms in this country. I find it fascinating that they as financial wizards and certified public accountants and all that goes with that would identify, I'm assuming from their clients that this was such a big issue that they needed to develop a team that could assist their clients. I mean, to me, if nothing else gets imprinted upon our viewers' minds, that's how real this issue is.

Yeah, it's top of mind more now than ever, right? Even as you watch the news, right? Like $70 million, $15 million, right? It's not recorded in hundreds of dollars anymore. It's been business ending amounts essentially. And so that led a lot of Ida Bailey's clientele to say, hey, we want to focus on cybersecurity and as such, right?
Here we are, we've offered cybersecurity services now for about five years and we're focused on building best practices with any of our clients and moving them forward, right? As Ida Bailey was an accounting firm, right? We're focused on technology consulting and business advising and our CPAs, financial services as well.

It's a big forward thinking and it's very proactive and I'm sure maybe the service line came from a reactive state as Julia said, identifying the risk that exists. And I'm curious if we could just start with what are the types of cyber threats that may impact our organization? What are they? And talk to us if you would as like we have no idea really what the cybersecurity threats may be because I have a feeling some are completely unknown to me and many of our viewers.

Right, well, I have to start with ransomware, obviously, right? We've all seen that in the news. It's impacted hundreds and thousands of organizations but in the news alone we've seen that impacting every industry and upwards of, right? We've seen $70 million with the Kaseya ransomware that came out around July 4th this year. Right, that is what is driving conversations today around cybersecurity. I don't want to be ransomware.

But I just want to say that has no relation to me. Right. That's right, because her name is Jordan. Her name has no relation to this, yes.

Right, and to describe what ransomware is, right? It's when an attacker takes control of your data and encrypts it or makes it unreadable to you and then holds it ransom and you can't get it back until you pay them or they'll actually do extortion and say we'll release your data to the public. And so that's what that's front of mind for every business manager, business owner at this point is we don't want to get ransomware. But again, it is just a small portion of the cyber threat landscape that's out there right now.

I have a question. Go for it. Back up.
So when you say data, I mean, I think a lot of us in the nonprofit sector were like credit card numbers from donors or whatever but it's not just that, right? I mean, it can be a lot of different things or is it, does it tend to be a certain type of data?

So it... Sorry, I didn't like... No, that's a great question. Attackers on average spend about 200 days inside of an organization before even being recognized. So they understand what data there is that is most important to you. So it might be donor information. It might be donor financial data. It could be your email communications, whatever they determine is the most important, right? Oftentimes it's financially motivated about 80 to 90% of the time it's financially motivated. And so, right, in the nonprofit industry, it's more than likely something to do with the financial impact, understanding how to get the most money out of this attack.

Okay, I'm kind of sad that I interrupted you because that just turns my stomach.

Right, right, that's... What you asked, right. I'm going to scare everybody. And then at the end, on the third day, we're gonna provide a lot of hope and best practices. So...

Well, it is the month to scare everyone. So it's all good timing. And yeah, I'm glad you asked that, Julia. Because again, I think many of us hear of this concept and maybe have not experienced a cyber threat, but I do know several that have even... Well, I don't wanna quantify. I was gonna say, even as minimal as like hacking into someone's website, but that's not minimal. I mean, that's a big deal.

Yeah, I mean, websites are publicly facing. Anybody can access them from anywhere in the world from an internet connection. And so that exposes your organization to some extent because you have to have, right? And the statistics were clear 15 or 20 years ago. You have to have a website to be successful in any business.
And then 10 years ago it was, you have to have a social media presence in order to be successful as a business. Fast forward 10 years from there. You have to focus on cybersecurity in order to be successful in business right now. So...

Wow, okay, so I interrupted you. And before I go on to the next question, you've identified going after data, ransomware, our websites, any other types of threats that we need to be thinking about just in a holistic way.

Right. I mean, come on upstairs. Holistically high level, high level. There's two attack vectors that we're focused on. The technical, which is your ransomware, somebody hacking into your environment, the public exposure. And then there's the human element. And that human element is often exploited through the concept of social engineering, which is the phishing emails, right? And a lot of organizations are familiar with the term phishing. And that's where somebody creates an email to look legitimate in order to gain credentials or your username and password or to have you download a file to run malware in that organization. That's actually the most common attack vector in cybersecurity right now, is that phishing.

And that is coming, this is a question. So that's also coming by way of text messages now. Is that correct?

Yeah, I literally just got one before we started the show. This said that I won $150 cost of a gift card.

Yeah. Yeah. Well, and I too have received those, not today, but before stating, did you recently use your card because we've identified fraudulent activity, click this link and I'm like, no way. Am I clicking?

Don't click the link. That's the number one word of advice. Don't click the link.

Don't click the link. So what do we do in case of these phishing scams or emails, text messages, carrier pigeon, however they're coming to us these days?

Yeah, education and training are the most important, right? You have to educate.
And I separate education and training because training is usually the automated. You're watching somebody talk at you or it's click to the next slide, right? Education is getting feedback from somebody that understands and being able to have a dialogue back and forth. And so education training is the number one thing. As an end user, as somebody with a cell phone or a laptop or whatever, right? Don't click the link. If it's too good to be true, it's probably not true, right? You did not, if you're not expecting a FedEx package, don't click the link, right? If you won a $500 gift card, it's probably too good to be true. That's mostly what it comes down to is most people want the Nigerian Prince that has a $10 billion endowment for them, right? It's, you know, third cousin, thrice removed. But realistically, that's, you know, like it's too good to be true. Let's not send them our financial information.

Wow, okay, well, I love that because we do have more and more viewers coming to us from Africa and the Middle East. And I've had them say, you know, that Nigerian Prince scam has ruined us as a client because when they go out to do legit work, they have that cloud and it's a real bummer. But anyway, okay.

They have to overcome that stigma and it's, you know, soon it's going to be the text messaging and it's going to transition and we'll soon forget about the prince, but.

It'll be something else. It'll move into another challenge. What are some of the challenges that make us as a sector, Michael, more vulnerable to these threats?

Right, so non-profit as an industry is unique because you exist in every other industry. So you have the threats of being a non-profit and having the donor information, requesting grants and whatever it might be, but you also exist in a secondary industry most of the time, right? A lot of non-profits exist in the medical or healthcare industry.
And so they suffer both from the threats that target non-profits and target donor information and also the threats that target, say healthcare or whatever other industry it might be. And so it's almost a two-fold attack that they're getting targeted at.

Okay, that's another like, because I never thought of us in that way.

Right, yeah, I mean, it's really interesting. And there's a different type of complexity in non-profits, right? Because you are garnering donation based funding, right? You also want to make sure that you are serving your donor as well by keeping your expenses lower and you don't want to have 50% expenses, 50% payout, right? If that's the type of non-profit you are. And so you want to focus on how do we keep our expenses low should cybersecurity be considered or not? And oftentimes, and it usually is pushed back, actually rest statistics say that executive directors and CEOs of non-profits were surveyed and only 29% of them plan to increase their cybersecurity spend over the next year.

Yeah, so one of the service lines I offer as a consultant is strategic planning. And I have this model that includes administrative and that administrative model or circle of the model, Michael actually includes technology and cybersecurity comes up quite a bit, especially as we're moving and seeing trends of giving like monthly donations. And so there's a storage of credit card information somewhere or electronic transfers. We've had on the show someone that's doing cryptocurrency donation. So that's another level of complexity and financial component. And so really looking at the technology as a strategy for the organization is a huge potential risk. So how do we get ahead of that? Like I'm curious if you would recommend that we audit our technology or do some type of an assessment? Like what should we be thinking from the lens of potential hacking?
Yeah, so I get that question often and I usually rephrase it to if I had a dollar to spend on cybersecurity, where should I spend this dollar?

Okay.

And every time I say on vision and visibility, right? You don't know where you need to be if you don't know where you currently are. We need to define or perform an assessment to understand what your current state is. So we can understand where your strengths are, where your gaps exist and how to, and building out that roadmap to cover those gaps and strengthen your program, right? And so the number one thing I recommend is let's start by identifying where you currently are. What is your current state? And then let's build that roadmap that can then define your direction and your vision forward. And that assessment should align with the business risks and it should align with the culture of the organization as well.

One of the things we've seen over this time and Julia and I have seen it exponentially as I'm sure everyone throughout the nation is the advancements of technology. And it definitely feels like that has been one of the like predominant advancements over the last two years. And so as technology advances, I'm assuming the ill will behind hackers are also advancing at parallel paces. And so that to me is really scary. What exactly can we do by way of an organization to work with Ida Bailey on this front? Because clearly again, Ida Bailey is taking this progressive proactive measure to help us to take actions when we are hacked. So what does that look like? And even further, what does that look like with you?

Yeah, so from our perspective, right? We wanna make sure that we understand where like I said, building out where we are and where we can go. But we wanna talk about, I always hate the saying it's not if but when you get attacked. And so I never wanna lead with that in any of my conversations. But what I do like to state is that as an organization, you have to be right every time you're getting attacked.
And then the attacker only has to be right once to get past your defenses, right? And so it's not enough anymore to focus on what we can do proactively. The data is out and over the last couple of years and there was actually one of the largest threat reports that's released from IBM and the Ponemon Institute that stated that there is a cost savings in being prepared to respond to an attack. So rather than focusing just on the proactive is focusing on being prepared to respond, monitoring your network and responding to it. And I think that, right, if you have a team prepared to respond and you actually exercise that response run through scenarios, the cost savings on a data breach if the breach even happens is about 40%. And so because you're able to mitigate it, I'll go ahead.

So back up on that, when you say it's 40%, what does that actually mean?

So on average, the cost of a data breach in 2020 worldwide was 3.9, somewhere around $3.9 million, $3.86 million. And the United States is actually double that at 3.64 or 8.64 million, right? Teams that had, or companies that had a team prepared to respond to it quicker and actually knew how to respond to it, saved 40% on that 3.64 or 3.86 million dollars.

Wow.

They spent around $1.9 to $2 million instead. And so, right, being able to mitigate it quicker, being able to stop the attack lessens that impact, right? And so I never want to focus on proactive measures and prevention holistically because as I said, realistically, an attacker only has to be right once. They only have to find one chink in the armor. They only have to find in the case of phishing, as I mentioned, the human element is the easiest to attack because somebody somewhere will fall victim to a phishing attack. And that is where they will get in.

Yeah, right. The one unfortunately will say, oh, maybe I did order a FedEx, you know.

Right. And I should click the link and then log in and now you have my credentials. So yeah.
So, you know, I gotta ask this and we don't have that much time left. I mean, I'm really thrilled that as stressful as this is to hear all this, that we have you for three days because I know that the minute we're off this episode, I'm gonna be thinking about additional questions. So just be prepared.

Yeah, absolutely.

Please show up for the next two days. So, um, one thought I have in my head is that, is it inappropriate to say, I'm a small nonprofit. Who would ever wanna deal with me or hurt me? Is this, are we just talking about like the national federated chapter kind of organizations? Are we talking about Miss Betty's Bunny Rescue and Buckeye? I mean, where are we?

Right, so we- A lot of population. I love slogans like hackers are heartless. One of the other things I've stated in ladies around the world, but hackers are lazy. They're opportunistic. And so right, going after a big fish to try and get a multi-million dollar ransomware takes a lot of time and effort. Small businesses and nonprofits that state, "I'm too small to be attacked," are the target for most attackers because it's a quicker payout and it might not be millions of dollars. It could be 10, 15, 20, $50,000. But that is what a hacker wants to hear is I'm too small or I'm not a target anymore. And so realistically speaking, they are and as we see about 50 to 60% of organizations have experienced a cyber attack in the last 12 months. And of those that were small businesses, 60% of those will go out of business in the next 12 months that they experienced the data breach.

One of the things I see, unfortunately, all too often, Michael is a mirrored account of an online fundraising campaign, right? So disaster strikes where there is opportunity and someone goes out and creates a similar or as I refer to kind of a mirrored campaign that is just similar enough to really be deceptive and those potentially Julia are some of the smaller organizations. They could be larger as well.
Are you seeing this happening more and more, Michael? And is that considered a cyber hack or is it like, how would you classify those instances?

That tends to fall under like fraud, right? As they're mimicking and copying the or impersonating your fundraising site and everything along those lines. And it's hard to stop because they haven't technically hacked your organization in any way other than looking at how your website was built. And so building out an intricate marketing plan, right? This is the non-technical side of it, an intricate marketing plan, detailed websites that are not easy to attack and then having a team that might be able to send a cease and desist is helpful in those arenas too.

Interesting. Interesting that you use the word fraud versus hack because I agree with you, Jared. I've heard this more and more from organizations and I agree generally they're disaster oriented things where CNN is reporting, this just happened in this town and you can help out this community or whatever. We're seeing that a lot.

Yes, and that ties back into the heartless nature of hackers, right? If there is an opportunity to create a fraudulent website or to attack somebody when they're at their weakest, that is what hackers will do. Hospitals during the last 18 months have been a massive target. In October of 2020, there was a massive ransomware campaign and it actually hit over probably, I think 10 hospitals and each of the ransoms were up to $1 million, right? And everybody's running around focused on life support and technology to save lives and not focusing on cybersecurity. And as such hackers are heartless and they kicked them when they were down.

Yeah. Wow. Okay. Well, I need to like relax after this episode.

Yeah.

You know, going forward with you, we're gonna talk about a lot of different things.
We're gonna be talking over the next couple of days about the cultural nature, like how do we get our entire team to understand why we need to be doing things a certain way, how we behave, how we educate ourselves. We're gonna also be talking about best practices so that we can be a lot more engaged in the process and not just responsive to some sort of crisis. And so I'm really appreciative that you're gonna be doing this with us. I also want to witness to everybody that Michael is in three different cities each one of these days. So today you are in Minneapolis, Minnesota. To tomorrow. You even know, Michael, it's like, God, I'm not sure. What day is this? To Minnesota and tomorrow.

Tomorrow I'll be in Mankato, Minnesota, which is about an hour and a half south of Minneapolis.

Okay. And then on the third day.

On Wednesday, I will be back in Denver, back home.

Okay.

To see my beautiful kids' faces.

Okay, awesome, awesome. Well, here's Michael's information director of cybersecurity for Ida Bailey. You know, Ida Bailey as a really important national accounting firm, they have over 350 accountants just dealing with the nonprofit sector, which I think is absolutely fascinating. And to me, as we led our program today, I think this is such an indication of how big this issue has become. If an organization that's an accounting organization can see that it's something that is becoming a financial reality to their clients that would lead into this type of practice. I'm fascinated by it actually.

It's happening too often. And, you know, while we might be experiencing some discomfort by this, you know, it's really comforting knowing, Michael, that you exist. Other cybersecurity nerds exist. Again, huge compliment. And for us to have you in the sector and for Ida Bailey to dedicate your level of expertise to us in the sector is very comforting because typically nonprofits, right? We do what we do because we have a huge passion to provide a solution to the community.
And our passion is often not cybersecurity and mitigating technology threats. So thank you for sharing with us today what types of threats exist and then what those challenges are within our organization that makes us a little bit more vulnerable. And then also those actions that we can take when we are hacked. And, you know, Julia, we love statistics and that 40% I have a feeling is going to come up in one of our ask and answered because that is really a good thing to know is that it's not about being proactive. It's about taking that action and making the action do what it's intended to do when that happens so that you can save on that threat. So thank you, Michael and to Ida Bailey for sharing your time and your talents with us today.

Absolutely. Thank you for the opportunity. It's been a pleasure talking.

Well, you're not done yet, my friend.

Oh no, no, I'm not. I know.

Because my hair's on fire and I'm gonna have a lot more questions for you. Hey, you know, we're gonna have Michael back here for the next two days. So be thinking about how you and your organization might be impacted by this because if not when. Again, I'm Julia Patrick, CEO of the American Nonprofit Academy. I've been joined by the other nerd in the room, the nonprofit nerd, Jared Ransom, CEO of the Raven Group. Again, we wanna thank all of our presenting sponsors without you, we would not be here having this discussion. Thank you ever so much. We want to also let you know that we are running our annual viewer survey. So we'll be talking more about that, but we really do wanna know the types of information and discussions that you need for the health and the safety and security and the growth of your nonprofit. So be looking for that. Wow, Jared, this has been really interesting and something that we haven't really talked about.

No, we haven't, but we're talking about it a lot this week.
I'm so grateful and I hope that you will come back even beyond this week, Michael, regardless of where you might be in Minnesota or throughout the nation, so grateful to have Ida Bailey's commitment to this and to the commitment to the sector at large. So thank you, Michael and to your entire team.

Absolutely, thank you for having me on too.

Well, it's been, yeah, it's been a lot of fun. Join us tomorrow as we talk about this conversation, but we will be talking about different things and giving you ideas. So no matter the size of your organization, what you are doing within the nine main sectors of the nonprofit world, I think that this is really a valuable time to commit to learning and kind of exploring how we could deal with heartless hackers. Hey everybody, it's been a great day. Thanks so much already. As we like to remind everybody as we sign off for the day, stay well so you can do well.