Bart Holzer on The Nonprofit Show.

Overt’s Bart Holzer appeared on The Nonprofit Show today alongside the amazing Julia C. Patrick from the American Nonprofit Academy. Julia interviewed Bart on the topic of “Cybersecurity for Nonprofits – Protecting the Nonprofit.” Their nearly half-hour conversation focused on the importance of cybersecurity for nonprofits.

The full transcript is provided below the video for your convenience.

Transcript

Julia: Hey, welcome back everybody to another episode of The Nonprofit Show. We are delighted that you’re here because we have a, kind of a – Bart I’m just gonna call it out – a scary conversation today talking about framing nonprofit cybersecurity. Talking with Bart Holzer today Chief Information Security Officer at Affinity Technology Partners. Bart, welcome to The Nonprofit Show.

Bart: Thank you for having me.

Julia: You and I met in Boston a couple months ago at the JMT Conference that was held and I really was fascinated by the things that you said and… and fascinating is the gentle word I think you kind of scared the crap out of me in some ways so I was like, “okay, we need to get you back on” you know get you in front of The Nonprofit Show viewers because this is a topic that’s pretty scary and something that we need to get ahead of so we’re going to really pick your brain today in this next 30 minutes. We probably need like 30 years to talk to you but we’ve got 30 minutes. Are you ready my friend?

Bart: I’m almost there. 25 years in, so I’m almost there.

Julia: All right, well we want to make sure that we say thank you to our presenting sponsors. They include Bloomerang, American Nonprofit Academy, Staffing Boutique, Nonprofit Thought Leader, Your Part-Time Controller, Fundraisers Friday, and 180 Management Group. These are the folks that support us day in and day out. You know, Bart, we are coming up on our 1,100th episode of The Nonprofit Show. So, we’ve had an amazing support from these people. We also have an amazing “support group,” if you will, of co-hosts. I’m flying solo today, but most each and every day you can see one of our new co-hosts panelists joining us and they’re really fun they’re diverse they come from all parts of the country they each have their own specialty and so it’s been really a lot of fun but what’s going to be more fun is talking with Bart Holzer, Chief Information Security Officer at Affinity Technology Partners. Welcome, as I said. Bart, what is a Chief Information Security Officer?

Bart: Thanks for asking! I am the executive in charge of security, much like a CIO would be in charge of IT at a company or a CFO would be in charge of Finance at a company.

Julia: So when we met, we had so many common things to chat about but one of the things I thought was really fascinating is that you come from a federal law enforcement agency. You have 25 years in of service with the FBI?

Bart: Well, almost 20 years at the FBI as an engineer and then five years in Industry.

Julia: Okay, so I’ve got to ask. I mean, over the trajectory of a 25 year career the issues that we’re dealing with now certainly didn’t exist when you started out or did they?

Bart: They did not. The internet was in its nascent stages when I graduated from college and got a chance to work at Quantico, and we obviously have come a long way since those early days, and bad guys are definitely using the Internet – like we thought they would.

Julia: Yeah, amazing. Well, let’s get into it because I think you have a fascinating perspective and I kind of want to start off with this question, and that is, how vulnerable are nonprofits? I feel like when I’m out in the community a lot of folks say, “oh, you know the bad guys just and I’ll say and gals but the bad folks just go after forprofits – they’re not going to go after nonprofits.” True or False?

Bart: Well, totally false. We know they’re going to go after nonprofits and I think the easiest way to think about it is to put yourself in the shoes of the bad guys. Just think about: If you were a hacker and you had this tremendous skill set – you’re good at coding and you’re good at networking and you know how to violate and circumvent and get around any security controls and get into an organization to try to steal money – whatever your purpose might be. We’ve seen waves hit various industries. So we know hackers have targeted the government, they’ve targeted contractors to the government, they’ve targeted municipalities, they’ve targeted healthcare, real estate. We know this; we’ve seen it. They continue to target those industries and those industries – some quickly some very slowly – have tried to adjust, tried to slow down the ongoing attacks that they see. Well, if you’re a hacker and you’re getting foiled every day that you come in to work, so to speak, you’re going to look around and say where else can I go, who else can I use this unique skill set to attack? Nonprofits are in the news every day either getting grants or having success in their programs, and we know most nonprofit funding goes to programming and not to security, and the bad guys know that, too.

Julia: You know you said something that’s kind of chilling, and I remember you said this to me when I first met you in Boston and that was that you know you have to give it up that these are really intelligent people that work hard at their – if you will craft or their trade – that they’re really advanced in their methodology. This isn’t just like a haphazard kid sitting in their parents’ basement, right?

Bart: That’s correct, and we have seen where the really good hackers have started selling their tools. So, that proverbial kid in his mom’s basement can actually buy really sophisticated tools. So, it’s even worse than what we’ve seen in the past.

Julia: Okay, that just gave me chills because… yeah, okay, what, well I’m like kind of speechless at that but it makes sense right I mean it kind of makes sense as we navigate through the complexities of a new day, right? It’s a new day when it comes to technology and the profit margin of how you do your work and where you go, it kind of makes sense, doesn’t it? Let’s ask you about cybersecurity posture and what is that and what should we be thinking about?

Bart: Well, I think we all, in general, have an idea when we see a startup or a small company that starts to grow, starts to gain traction, whether that’s in the commercial world or the nonprofit world. I think we all inherently recognize there’s a certain growth and maturity that sets in as that organization gets bigger. The exact same thing happens in security where you can start with kind of a rudimentary security program but then over time get a little bit more robust, the security controls are a little more sophisticated, policies and procedures start to form and that’s really what we’re talking about when we talk about a security program or security posture.

Julia: Is this ever tied to the size of the organization or the budget of the organization or like maybe even like the programming domain that they live and work in? I mean, how do we know kind of where to start with that? Should we – are we big enough or important enough to think about this?

Bart: Yeah, so really, it’s, I have to say risk at some point in time in this conversation. It really, truly is about risk and that risk could be based on the size – the sheer size – of the organization and the number of employees. That could be based on the revenue you know of the organization but it also could be based on just the publicity of the organization. In the nonprofit world, it could be based on who the donors are for that nonprofit. So, the nonprofit could be very small but they have high-profile donors. That kind of puts them on a list that the bad guys have.

Julia: Okay, I never thought of that direction and that’s kind of chilling because especially when we think about the super donors and the use of DAFs and the wealth in this country that’s been generated over the last 20 years and is now in a kind of a fluid you know motion. There’s a movement of this money that’s fascinating. I would have never thought of that in a million years I gotta believe that there are a lot of nonprofits that haven’t even registered that concept.

Bart: I’m sure.

Julia: Yeah, wow. When you think about this, do you feel like this is something that a small nonprofit can wrap their head around or do they need to go outside their organization and find that expertise? I mean, because we can’t all have been you know raised on the culture and the knowledge of the FBI like you. How does a regular person even figure this out when it’s changing – it seems to me like every day?

Bart: Well, I would say it’s difficult for the regular person – I’m going to use air quotes around that. I would argue that most folks who work in the nonprofit space are not regular people. They usually have a bigger heart, they’re more gregarious, they want to make a positive impact on the world, they could probably most likely go to a commercial organization and make more money. But, they’re in it for the mission. So these are, by nature – I’m making a broad generalization here – these are kind-hearted folks working in nonprofit space. It is the exact opposite profile of a guy like me who’s been in security for a long time and I’m – you know, I typically come across as a nice guy – but I’m pretty jaded when it comes to what bad guys can do to good people like nonprofits.

Julia: Yeah, I’m sure you are because you know you see this over the trajectory of a career and it’s fascinating that you’ve – I’m gonna say been able to – but you’ve witnessed the change and the growth of a new type of crime. I mean, it’s pretty amazing to think in a short period of time it’s like a whole new, if you will, industry that’s been created for ne’er do well people and now it’s global, right? So it’s not just people in our own community or part of the country but it’s coming at us you know from all these places.

Let’s switch gears a little bit and we’re not really switching gears but we’re drilling down. Talk about these assessment resources because that’s an interesting thing that maybe could really help a nonprofit to figure out what it is they even need to be thinking about, right?

Bart: Exactly. So, I think the general idea is that if you’re a small nonprofit you think, “I just don’t have the resources,” and that might be true. Maybe you don’t have the money to dedicate to something like cyber security, but there are a ton of resources, and one of the resources that I recommend, it’s online and it’s at the Center for Internet Security, the CIS. For internal use, so this is you assessing your own organization, everything is free, and there’s quite a bit of information. There’s also some actual tools that you can sign up for to help, whether it’s a scan or it’s a spreadsheet to help keep track of things. All of that’s available for free to download. So now it becomes a matter of “do we have the time?” and it’s certainly worth dedicating the time to do that.

Julia: Right, right. How often are these if you will threats, or direction of scam, changing? I mean, is this the sort of thing that we need to be looking at you know weekly, monthly, quarterly, or hourly? I mean, how do we temper the momentum that we need to be thinking about.

Bart: Well, I would say that we security folks try to encourage a constant state of vigilance and readiness. That is not realistic. It’s hard to be aware all the time and suspicious all the time – especially if, by nature, you’re a caring person and don’t think that way. So, what we typically try to do – is there are cycles to this, right? We know that there’s certainly going to be some sort of shipping fraud happening around Christmas; we know that there’s going to be tax fraud around you know March and April. So, what we try to do from a security perspective is encourage and it’s a constant state of training and reminding this is the season for, you know, pick whatever fraud that might be perpetrated. In reality, it’s always happening. It’s just so hard to be vigilant all the time for everything.

Julia: Sure. You know, one of the things I was thinking about before we got started today and that is that I think primarily because of Covid, right, nonprofits have been introduced to so many digital components of operating their business from fundraising to volunteer management to employee engagement – heck, just the platforms that we use to communicate, right? From having our meetings and all this how do we know or what would be the appropriate thing for us as nonprofits to talk about with these providers, because it seems to me that we don’t do that. We don’t ask well how secure are you or how do you shield us from – especially let’s say you’re dealing with a fundraising or a financial partner that is actually managing donations and running them for you. What should we be looking for or maybe even asking?

Bart: Well, so part of this conversation has to do with using a framework when you’re assessing your own security posture and so the CIS has a framework for that. I mention frameworks because all the good ones have a third-party risk component to that framework and some folks would call this the supply chain risk. So, you as a nonprofit have supply chain risks in that you have these other vendors and this could be your email marketing platform, this could be your donor management platform, your email platform. Those are all, you know, supply chain for you as an organization. So, yes. How do they handle your information? They should be open and transparent. All the major companies should have some sort of accreditation or certification like SOC2. SOC2 is a popular one. And, quite often it should also include language in your contracts with these vendors. What happens when you cancel your subscription? Does your data stay there for a long time or does your data get purged after a period of time, 60, 90 days? You know, for sure, that all of your data – your donor data, your emails – it’s all gone and that’s important to have in any vendor relationship and you probably are starting to see some of those requirements in your programs and in your partner relationships as well.

Julia: Wow, okay, that’s a hair on fire moment for me because I never thought of that ever ever ever and the reason why I’m so intrigued by that is because funders are now – they’ve moved everything digitally, right? You know, you put your grant applications online. They’re not cutting checks, you know? You’re turning over your banking information and they’re doing you know automatic deposits – depending on how the contracts are fulfilled. If it’s upfront, if it’s every month, if it’s every quarter, whatever right – this digital world that nonprofits are living in with their funders has really escalated.

Bart: It sure has. I think we all knew, at least in technology, that we could probably get a work-from-home type thing going. But, when Covid hit, we kind of proved the point. Not only can we work from home, a lot of organizations actually do well working from home and that has to do with these cloud services that have come online where you could – do almost your entire organization can be run out of the cloud. So, yeah, it’s all up there now in the cloud and you know what they say? “The cloud is just somebody else’s computer.” So, somebody has to protect it and we need to make sure that they’re protecting you know what’s ours in their data center.

Julia: Wow, yeah. Like I said, this was going to be a little shocking and somewhat you know like “oh, there’s just so much to think about!” So, let’s have you step back a little bit and help us boil this down. When you’re thinking about, you know, a newer, a smaller, or maybe an uninitiated nonprofit, how do we even take steps to building a cyber security program – like where do we begin with so that we can be intelligent and be effective?

Bart: Right. Well, I think most security wonks like me would say you have to start at the top. It isn’t something that an executive leader or an executive leadership team can just kind of tag a subordinate to do, you know: “build us a program!” It has to come from the top, meaning they have buy-in; this is an important mission for the company. It starts at the top, it works its way down throughout the organization, and we’re talking about a culture of security and privacy from the top all the way down to the lowest level employee and then it goes from top to down to out so then it goes outward from your employee base to contractors, to volunteers, to your partners, to your vendors. So you can see this is a very holistic approach that any entity, any person, or organization that touches our data or we have to rely on for privacy concerns – they’re a part of our security program and it comes down from the top. So, that’s kind of step one is getting that kind of direction, guidance, and buy-in from senior leaders.

Julia: You know, I’ve got to believe too that if you are in the nonprofit world dealing with anything that is going to involve HIPAA, medical issues, privacy, dealing with children, dealing with minors, you have like a whole another level of concern, right? I mean…

Bart: Absolutely. So, when we talk about privacy in the United States, it’s very much a state by state concern and so it depends on where are your volunteers – you know, where do they reside, where do your donors reside, and if you as an organization have a very broad reach and you have folks in every state you might have 50 different compliance concerns when it comes to data privacy. Now, there aren’t 50 data privacy laws yet but we’re certainly going that way. The strongest one that we have today is in California. That’s the CCPA, and that’s probably – if you know a compliance law – that’s probably the one people will recognize. But, that’s the type of things that we as organization owners have to deal with is kind of staying abreast of all the legislation and regulation.

Julia: Amazing. I always feel like, and maybe it’s because I live in the west but, as California goes, so goes the rest of the country. If they start a policy or a directive you know it starts to kind of move across the country and for good or for bad so it’s an interesting thing to watch, certainly. Because yeah, that’s coming down the pike.

This is a totally off-the-wall question and probably super hard to get a handle on but in terms of a percentage of a budget what should we be thinking about if we’re going to be like okay because so many organizations it’s this time of year they’re looking at their budgets they’re you know finalizing things if they run on a fiscal year they’re starting a new fiscal year. What should we be thinking about in terms of making an investment so that we protect our nonprofits?

<Video cuts due to bad connection.>

Bart: …IT is typically focused on tools and hardware, security is a little bit more.

Julia: Okay, okay, so we lost you. Yeah, we had a little bit of a freeze but I think what you said is, correct me if I’m wrong, that you bucketed out and then you put between a two and five percent. Is that correct in terms of a budget between two and five percent – is that an accurate or did I was I misreading it?

Bart: That is accurate. You got it.

Julia: Yeah, okay cool. Well, you know for anybody that is thinking about this and looking at an investment and they’re thinking holy moly what am I going to do it seems to me that a two to five percent investment within your organization is a heck of a good deal versus taking the organization down and being vulnerable for you know, however long.

Bart: Absolutely. Even without loss of money there’s still reputational risk. So, if you suffer a data breach you could from that point forward suffer a lack of funding, you know? Just the perception of being unsafe might turn away donors.

Julia: Yeah, I think that’s a great comment. I appreciate you bringing that up, because I don’t know if that’s exactly something that we think about because it just seems so hard to even wrap your head around it if you haven’t done anything like this. You know, I think about the number of nonprofits in this country that just started doing, you know, digital management of their donor databases which is shocking but it’s new to a lot of organizations, right? And now they’ve got to layer this in. There’s a steep learning curve for these folks to get to and, you know, the mindset. I also thought it was fascinating that you said you know use that phrase tone at the top leading down and saying this is going to be part of our culture. In the final minutes that we have with you, I have heard that from accounting firms when they talk about fraud and protecting you know the financial security of an organization and so it seems to me like maybe the cybersecurity does live with some of these, the financial folks and financial decision makers. Is that fair to say?

Bart: I think it kind of reveals what security really is about and not everyone appreciates that a good security program affects the entire company. Finance certainly is one of the strongest components of the business that’s affected, but I would say that Human Resources is also equally affected in a positive way from having good security and that starts with onboarding and bringing on your employees, making sure you bring in the right folks, as well as when you’re offboarding and making sure that when an employee wins a lottery and they go off into the sunset that you’re offboarding and removing access and taking away those accounts as appropriate. So, yeah, I would say security affects the entire business if it’s done well.

Julia: Yeah, I think that’s a good way to look at it and I think also it probably helps with buy-in, right? If you can be like look you know HR department you’re just as vulnerable as Programming or Fundraising departments or whatever. I think that’s probably a really good way to think about it as opposed to saying oh that’s just their problem over there because we won’t be involved, you know, which is never a good idea at all.

Well, Bart Holzer, Chief Information Security Officer with Affinity Technology Partners, it has really been cool to talk with you. I had the pleasure of working with you at the JMT Consulting conference in Boston where I got to learn a lot more about what your viewpoints what our viewpoints should be I should say right and so really a lot of fun to kind of drill down with you on this. I think we need to have you back as you look at maybe some things that are coming up that might be new. I was really intrigued by the cyclical nature of approach, meaning okay if it’s going to be during tax time we should be looking at these if it’s during end of the year or the holidays. I mean, I thought that was really something that I would have never considered and so thanks for illuminating that if not putting our hair on fire because yeah that’s a shocking thing.

You can learn more about Affinity Technology Partners at their website affinitytechpartners.com. They have a lot of free resources and a lot of information that, no matter what size of nonprofit you are, I found it to be really interesting, Bart, and maybe some framework for setting up how you discuss and how you approach this potential problem because we all need all the help that we can get so I would definitely check out affinitytechpartners.com. Again, we want to thank all of our partners that join us day in and day out and they include Bloomerang, American Nonprofit Academy, Staffing Boutique, Nonprofit Thought Leader, Your Part-Time Controller, Fundraisers Friday, and 180 Management Group. Okay, Bart, I know from our green room chatter you are on your way to a fabulous vacation out of the country. I hope you have a successful time and that you get rested because it sounds to me like you have a lot of work to do for the nonprofit sector when you get back!

The Nonprofit Show

About the host, Julia C. Patrick.

Julia C. Patrick is a prominent figure in the nonprofit sector, known for her deep expertise and dedication to helping organizations thrive. As the founder and CEO of the American Nonprofit Academy, she has made significant contributions to nonprofit education and leadership development. With years of experience in nonprofit management, Julia has worked closely with organizations of all sizes, offering guidance on everything from board governance and strategic planning to donor relations and operational efficiency. Her vision for the American Nonprofit Academy is rooted in the belief that education and collaboration are key to empowering nonprofits to maximize their impact.

In addition to her role at the Academy, Julia C. Patrick is the co-host of The Nonprofit Show, a daily webcast that provides valuable insights and discussions on nonprofit trends, challenges, and best practices. Through her work on the show, she brings together thought leaders, experts, and nonprofit professionals to share their experiences and knowledge with a wider audience. Julia’s passion for nonprofit work and her commitment to fostering a strong, interconnected nonprofit community have made her a respected and influential voice in the sector.

About the American Nonprofit Academy.

The American Nonprofit Academy is an educational and resource hub designed to support the growth and success of nonprofit organizations across the United States. Focused on empowering nonprofits to fulfill their missions more effectively, the Academy provides a wide range of training, resources, and tools for nonprofit professionals. With its emphasis on capacity building, leadership development, and operational excellence, the Academy aims to equip organizations with the knowledge and skills needed to navigate the unique challenges of the nonprofit sector.

One of the key offerings of the American Nonprofit Academy is its extensive array of training programs, workshops, and webinars. These educational resources cover a broad spectrum of topics, including fundraising strategies, board governance, financial management, marketing, and program development. Designed for both emerging and established nonprofit leaders, the Academy’s programs are tailored to help organizations of all sizes enhance their operational effectiveness, improve donor engagement, and ensure sustainable growth. Through expert-led sessions, participants gain practical insights and tools that can be directly applied to their work.

In addition to its training programs, the American Nonprofit Academy fosters a strong sense of community among nonprofit professionals. By offering opportunities for networking, collaboration, and peer-to-peer learning, the Academy creates a supportive environment where nonprofit leaders can share ideas, solve common challenges, and learn from each other’s experiences. This focus on building connections within the sector further enhances the impact of the Academy, helping to strengthen the nonprofit ecosystem and ensuring that organizations have the resources and support needed to thrive.

About The Nonprofit Show.

The Nonprofit Show is a daily live webcast dedicated to providing nonprofits with the tools, insights, and knowledge needed to thrive in an ever-evolving landscape. Hosted by seasoned professionals with expertise in nonprofit management, fundraising, and organizational leadership, the show offers a unique platform for nonprofit leaders and staff to stay informed about industry trends. From in-depth interviews with nonprofit experts to discussions on current challenges, the show serves as a comprehensive resource for organizations of all sizes.

The content of The Nonprofit Show covers a wide range of topics crucial to nonprofit success. Viewers can learn about strategic planning, donor engagement, marketing, and the latest innovations in technology tailored to nonprofit needs. In addition to best practices, the show addresses the importance of fostering a strong organizational culture, navigating legal and compliance issues, and effectively communicating an organization’s mission. Each episode aims to deliver practical, actionable insights that can be applied immediately to improve the efficiency and impact of nonprofit operations.

By creating a community of learning and collaboration, The Nonprofit Show connects nonprofit professionals from across the country and beyond. The daily format ensures that viewers stay up-to-date with fresh content and timely discussions, helping them to respond to the ever-changing environment in which nonprofits operate. Whether viewers are new to the nonprofit sector or seasoned veterans, the show offers valuable perspectives to help organizations achieve their goals and expand their impact.
