Cybersecurity Training for Nonprofits
Monthly Webinar Series
October 2020
About Community IT
Advancing mission through the effective use of technology.
100% Employee Owned
Presenters
Matthew Eshleman
CTO
Community IT
Agenda
Cybersecurity Landscape
Cybersecurity Training
Human Firewall
Putting it into Action
CYBERSECURITY LANDSCAPE
Persistent and ongoing brute force attacks on identities
Sophisticated spearphishing
Organizations targeted because of the work they do
Attacks targeting vendors
CYBERSECURITY LANDSCAPE
New security tools available to combat new threat types.
Organizations are starting to ask where to start in improving their cybersecurity.
68% of Nonprofits don’t have an Incident Response Plan
Breach response for a small to medium business is $149,000
HOW MUCH IS BUSINESS DATA WORTH TO BAD ACTORS?
CREDIT CARD INFO: $2-$5 (per record)
CUSTOMER PII: $20-$450 (per record)
EMPLOYEE PII: $20-$450 (per record)
PROPRIETARY INFO: Competitive Value
SALES/FINANCIAL INFO: Competitive Value
MEDICAL RECORDS: $20-$50 (per record)
43% OF ALL BREACHES INVOLVED SMB VICTIMS
6 BILLION DIGITAL RECORDS EXPOSED IN 2018
Per the Verizon Data Breach Investigations Report
Estimated data values from Sociable
Genius Hacker – 197 IQ
I know 15% of your password
Cybersecurity - Adversaries
NextGen Tools
IDENTITY
DATA
DEVICES
PERIMETER
WEB
SECURITY AWARENESS
SECURITY POLICY
OUR APPROACH TO CYBERSECURITY
Cybersecurity Overview
It’s good to talk openly about cybersecurity
Share your story and learn!
Your experience will help someone else
Contemporary Attack Examples
Email Phishing
Malware
Social Engineering
Phishing
Common attempts | How to identify | How to respond
http://corpcatererscleveland.com/?24=UCPAUBYKV1CQUuQZCQi
Phishing
Look at the email
Check for red flags
Ask someone or forward to your IT support provider
Malware
Email attachments
Malvertising
Cryptojacking
Malware keeps increasing
- Malware is defined as malicious software
- PUA or potentially unwanted applications also fall in this category
- Provides adversaries a foothold into your systems
Cryptojacking
• Malicious JavaScript that mines cryptocurrencies
• Uses your computer’s power for the adversaries’ benefit
• Think SETI, but for nefarious purposes
Social Engineering
1. Trick you into making payments
2. Trick you into entering credentials
3. Trick you into calling for “support”
Human Firewall
Devices
Identity
Security
Human Firewall - Data
You’re capable of protecting your information
• Inventory
• Backup your data
Human Firewall - Devices
Patch and Update
• OS
• Firmware
• All devices
• Monthly
Enable and use Antivirus
• Only 50% effective (but 50% is better than 0%!)
Human Firewall - Identity
Protect your Identity
• Pick a good password
• Use a password manager
• Enable MFA
Know your Data
• Audit access to your Cloud Systems
Cybersecurity Checklist
Backups
Updates
Strong Passwords with MFA
Antivirus
Audit Cloud Systems
Cybersecurity Awareness Training
Putting it into Action
Inventory systems
• Desktop
• Email
• Cloud Services
• Photos
Backup
• 2 locations
• You have control
Putting it into Action
Update your systems
• Operating System (Windows, Mac, iOS, Android)
• BIOS and Firmware Updates Quarterly
• Reboot weekly
Putting it into Action
Get a password manager
• LastPass
• 1Password
Pick a strong password
• Passphrase
• One for your computer, one for the password manager
• Here are some guides
  • https://communityit.com/how-to-create-an-excellent-password/
  • https://haveibeenpwned.com/Passwords
• Enable MFA
MFA is Effective
greatpassword
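One way to act on the haveibeenpwned.com/Passwords guide above, as an added example that is not part of the webinar deck: check a candidate password against the Pwned Passwords k-anonymity range API, which only ever receives the first five hex characters of the password's SHA-1 hash. The network call is replaced with a constructed response so the check runs offline; the endpoint URL and response format are the published ones, the counts and filler suffixes are made up.

```python
"""Offline demonstration of the Pwned Passwords k-anonymity range check."""
import hashlib

# Real endpoint: GET <RANGE_API><first 5 hex chars of SHA-1>, answers with
# one "SUFFIX:COUNT" line per known hash sharing that prefix.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def lookup_url(password: str) -> str:
    """The only thing that would leave the machine: the 5-char prefix."""
    prefix, _ = sha1_prefix_suffix(password)
    return RANGE_API + prefix


def count_in_range(password: str, range_body: str) -> int:
    """Return the breach count reported for `password` in a range response
    body, or 0 when its hash suffix is not listed."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # blank or malformed line, skip it
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def constructed_range_body() -> str:
    """Constructed stand-in for the HTTP response (assumption: this is not
    real HIBP data). It seeds a hit for the deck's sample 'greatpassword'."""
    _, seen_suffix = sha1_prefix_suffix("greatpassword")
    lines = [
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",  # constructed filler
        f"{seen_suffix}:1234",                     # seeded hit, made-up count
        "011053FD0102E94D6AE2F8B83D76FAF94F6:2",  # constructed filler
    ]
    return "\r\n".join(lines)


def is_acceptable(password: str, range_body: str) -> bool:
    """A password that appears in the breach corpus should be rejected."""
    return count_in_range(password, range_body) == 0
```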
AntiVirus
• An important layer of protection
• Traditional AV may miss 50% of attacks
• New technologies and approaches are available, in EDR, but come at a premium
This Photo by Unknown Author is licensed under CC BY-SA-NC
Security Check Up
Audit access to applications
• Facebook - https://www.facebook.com/help/799880743466869
• Google - https://myaccount.google.com/intro/security-checkup?hl=en-US
• LinkedIn - https://www.linkedin.com/psettings/
Cybersecurity Awareness
SMB Nonprofits (1-249 employees)
• Phase 1 (Initial baseline results) – 39.4%
• Phase 2 (90 days after initial training) – 14.9%
• Phase 3 (1 year into training program) – 4.8%
Moving Forward
Cybersecurity can be daunting, but it doesn’t need to be overwhelming
Moving Forward - Individual
Steps you can take
• Inventory and backup your data
• Update your computer (OS and Firmware)
• Make sure AV is installed
• Select a good password
• Use a password manager
• Turn on MFA
• Review system access and remove extra/unnecessary applications
• Schedule time for security
Moving Forward - Organization
Steps you can take
• Start with a policy
• Formalize your cybersecurity controls
• Implement Regular User engagement
• Baseline phishing test
• Initial training
• Quarterly phishing tests
• Quarterly focused training
• Regular reporting
• Incorporate feedback
Cybersecurity Awareness Training
Training must have Executive Buy-in
Needs to align with Organizational Culture
Training should be frequent in timing
Incorporate testing and feedback
Build a culture of learning
Don’t punish mistakes
Schedule time for Cybersecurity
• Set a reminder for yourself
  • one week from today
• Have an accountability partner
  • monthly check in
Q&A
Building a Better Nonprofit Software Selection Process
an "ask the experts" panel webinar with Peter Mirus,
Kyle Haines, and David Deal from Build Consulting
November 18th from 3-4pm EST
Resources
• Community IT Webinar – https://www.communityit.com
• Stop Think Connect – https://www.stopthinkconnect.org
• TechSoup Covid Response bundle - https://techsoup.course.tc/catalog/track/coronavirus-mitigation-track
• KnowBe4 Free Resources - https://www.knowbe4.com/free-it-security-tools
• Microsoft Free Cybersecurity Training - https://security.microsoft.com/attackSimulatorTrainings
Editor's Notes

  • #10 Iconography from Crowdstrike – Chollima (PRNK), Bear (Russia), Panda (China)
  • #22 This is an example of Malvertising. Specifically the Cryptowall virus, which was delivered via exploited Flash. This is an article from http://news.softpedia.com/news/CryptoWall-2-0-Delivered-Through-Malvertising-On-Yahoo-and-Other-Large-Sites-462970.shtml
  • #30 This Photo by Unknown Author is licensed under CC BY-NC-SA
  • #31 This Photo by Unknown Author is licensed under CC BY
  • #32 https://pixabay.com/en/password-reminder-post-note-sticker-1433096/
  • #34 Deep dive https://communityit.com/cybersecurity-readiness-for-nonprofits-playbook/
  • #42 “How do I compare with other organizations who look like me?” To provide a nuanced and accurate answer, the 2020 Phishing By Industry Benchmarking Study analyzed a data set of over 4 million users across 17,000 organizations with over 9.5 million simulated phishing security tests across 19 different industries.