The Nonprofit Hero Factory
Episode 43: Navigating Nonprofit Cybersecurity to Reduce Risk, with Joshua Peskay
In this Episode:
For most nonprofits, the cost of a cybersecurity professional seems unjustifiable. However, the cost of an attack could be catastrophic. (And if a cyberattack sounds like something that happens to large tech companies, you haven’t been keeping up with the headlines.)
Fortunately, there are simple approaches, along with low-cost tools and training, that can help mitigate those threats, help you meet requirements and help you sleep easier at night knowing that your supporter data, your funds and, more importantly, your supporters’ trust are secure.
Joshua Peskay of RoundTable Technology started out as an “accidental techie” in a small nonprofit, so he understands the struggles they face. He joined us on the show to talk about the risks, the tools and the strategies for minimizing and managing the threats that we all face today.
Read the Transcript
[00:00:04.310] – Intro Video
Welcome to the Nonprofit Hero Factory, a weekly live video broadcasting podcast where we’ll be helping nonprofit leaders and innovators create more heroes for their cause and a better world for all of us. Da Ding!
[00:00:20.670] – Boris
Hi, everybody. Welcome back to the Nonprofit Hero Factory. Today’s episode, I think, is going to be one of the most important ones that we’ve had on this show. As amazing as all of the speakers have been, we have been trying to cover cybersecurity specifically ever since I started this podcast. I think it’s critical to an organization not just in terms of your online presence, but in terms of your trust and your credibility with your supporters, with your donors, with your volunteers, and anybody who might be visiting your website or examining your online storytelling in one way or another.
[00:00:51.990] – Boris
I’ve been trying to get our guest today on the show pretty much since we started the show. But he’s been incredibly busy, and trying to coordinate schedules has been tougher than with just about anybody else I’ve been getting onto the show, so I’m really excited to have Joshua Peskay on the show. Josh is the vCIO and Cybersecurity at RoundTable Technology. He has spent nearly three decades leading technology change for over a thousand nonprofit organizations. Joshua is especially dedicated to improving cybersecurity in the nonprofit sector and works regularly with at-risk organizations to address digital security challenges.
[00:01:28.030] – Boris
Joshua regularly presents and teaches on topics such as technology strategy, cybersecurity, project and change management. When I asked him his nonprofit superpower, he said, it’s helping nonprofits leverage technology to do more, do better and be more cybersecure. Obviously a mission very close and dear to my own heart. So let’s bring Josh onto the show. Hey, Joshua.
[00:01:49.410] – Joshua Peskay
Hello, Boris. Thank you so much for having me here. I’m so excited to be on the Nonprofit Hero Factory. This is great.
[00:01:55.610] – Boris
Thanks for finding the time in your busy schedule to do this with us today. I know that there are constant cyber threats. I mean, I read about them all the time, and so I’m sure you’re busy pretty much all the time.
[00:02:08.590] – Joshua Peskay
Yes. Sadly, that is the case.
[00:02:11.970] – Boris
Yeah. I know that, actually, cybersecurity is one of the most in-demand fields right now, that recruiting is going through the roof, that people are getting poached from one cybersecurity job to another. It’s kind of a crazy time.
[00:02:24.750] – Joshua Peskay
It is. Yeah. The cybersecurity industry really needs a lot of talent and the demand just keeps on growing. So there’s a lot of great organizations trying to build up more cyber talent, but if anybody’s interested in it, we need you.
[00:02:38.850] – Boris
Absolutely. So we’re going to go in and break down all of the different aspects of cybersecurity, what’s going on out there and what organizations can and should be doing to improve it. But before we do that, Josh, I always like to start by asking, what’s your story? How are you the person that you are today? What led you here?
[00:02:56.750] – Joshua Peskay
Sure. I grew up—I kind of bounced around a little bit but grew up largely in the Midwest. But all my family lived in New York and around New York City. And so I visited here a lot as a kid and decided really at the very young age of, I think, 13, that when I was old enough, I would move out here to work with the homeless. And at the age of 22 when I graduated from college, that’s exactly what I did. I came out here and actually was a social worker for homeless, mentally ill adults.
[00:03:23.090] – Joshua Peskay
And the organization that I worked at the time, which is Fountain House Incorporated, a wonderful nonprofit that helps mentally ill adults, kind of discovered that I had some technology skills. And for those of you familiar with the term “accidental techie,” I was one of the first. That was probably back in 1994. They very quickly converted me and my colleague Kim Snyder, who I still work with today, into accidental techies. We helped build databases, set up networks, build websites. And that, long story short, led me ultimately to RoundTable Technology, where I’ve had the wonderful opportunity to just help so many phenomenal nonprofits with technology, cybersecurity and lots of other things.
[00:04:05.130] – Boris
That’s cool. So you wanted to do good in the first place and then got sidetracked or intentionally tracked into—
[00:04:16.660] – Joshua Peskay
Yeah, a bit of both. I mean, the organization—I wanted to work with homeless, but the organization quickly convinced me that given my skills, I could do more good by helping them leverage technology toward their mission than I could by delivering direct services as a social worker. And I agreed with them and found that work equally rewarding. And so I’ve been trying to take the skills that I have and use it to do the most good that I can. And that’s worked well.
[00:04:45.310] – Joshua Peskay
One thing I want to just make sure I hit on, Boris, because I know that you are also a theater nerd like myself. Although you, I think, did it much longer and further into your career than I did; I’m sure you have many more accomplishments. But I grew up as a theater nerd, which is kind of like theater nerd being a gateway to tech nerd, perhaps. But I was continuing to try to do theater when I was first in New York City.
[00:05:09.060] – Joshua Peskay
My wife, my brother and I actually were in the New York City Fringe Festival all the way back in 2002, and people can Google this. If you Google my last name, Peskay, and the words “In the Wire,” alright? So “Peskay In the Wire,” you’ll actually find a New York Times article from 2002 where we had a reporter talk about our play, because we depicted how email traveled through the internet. And in 2002 in that story, which is also referenced in the article, there is a cybersecurity threat. The ILOVEYOU virus, which had been popular the year before, or nefarious the year before, was a part of that play. So technology and theater came together way back then, Boris.
[00:05:54.270] – Boris
That’s awesome. I’m going to have to check it out. I think I had left New York for LA around that time, so I probably missed it. Actually, I don’t remember.
[00:06:04.990] – Joshua Peskay
You missed a Fringe Festival off-off-off-off Broadway show in 2002 my friend.
[00:06:09.380] – Boris
I know, all my friends were doing Fringe at the time. It was the thing to do. It was a great way to test new plays and get people’s eyeballs on it. I had actually done a few shows around technology myself. I did a one-man show called Dialogue, where I traced my own evolution and technology, starting from the TRS-80 COCO Model 2 up to what I was doing at that time. And all of the different media, including email, including instant messaging, and actually featured a DDoS attack as part of that show, Distributed Denial of Service Attack.
[00:06:47.170] – Boris
There’s definitely crossover, and you and I will probably geek out over all of that stuff at some point, maybe in the real world, IRL as we call it. But let’s talk about what hopefully most of our listeners are more interested in than my own personal theater stories, which is cybersecurity and nonprofits specifically. What’s going on out there in the world today? What are you seeing from your point of view?
[00:07:14.240] – Joshua Peskay
Well, first of all, for any nonprofits that are listening, or any people at nonprofits that are listening, especially if any part of your job means being responsible for cybersecurity: my sympathies are with you. Because it’s hard and it’s difficult, and I know it’s something that you’re struggling with, or at least most nonprofits that I talk to are really struggling with. It’s a challenge: nonprofits that are not technology companies have trouble even getting technology talent, let alone cybersecurity talent. And so it’s a real challenge.
[00:07:44.380] – Joshua Peskay
And that’s honestly what I’m seeing, Boris, is that organizations are overwhelmed, confused and unsure of really what is a reasonable level of cybersecurity for them to have. They don’t know if they have it, they don’t know if they should have it. They don’t know what it would look like if they did. And they’re getting pressure from a lot of different directions. One of these we can kind of describe is this bureaucratic direction. So you’ve got privacy regulations and data regulations such as HIPAA for Protected Health Information. You’ve got GDPR, CCPA, New York SHIELD, which are data privacy laws that protect the data of individuals like you and me, Boris, which is nice for you and me that there are laws that are telling nonprofits that have our data that they should be taking steps to protect it.
[00:08:38.510] – Joshua Peskay
But for those nonprofits that have all this data and are used to collecting it and keeping it and collecting as much as they can, these regulations really pose some challenges for them around what they’re supposed to do with that data in terms of protecting it and getting our consent to keep it, right? That’s one.
[00:08:56.390] – Joshua Peskay
The other thing is, if they’re trying to get cyber-liability insurance, which is increasingly something that nonprofits really want to have and certainly should have, those cyber-liability insurers are asking them some very hard questions about what their cybersecurity and data privacy practices are. And a lot of nonprofits are now, frankly, uninsurable. If they don’t have things like multi-factor authentication in place on their major applications, the cyber-liability insurer is just going to say, “Sorry, we’re not even going to give you a policy.” And even if they will give a policy, it’s going to be prohibitively expensive.
[00:09:29.530] – Joshua Peskay
Other places they’re getting these kind of pressures from business partners where those business partners are saying, “Hey, if we’re going to work with you and share information with you, then you need to show us that you’re protecting this information in different ways.” So we’re going to audit you or give you a compliance checklist or a questionnaire. And the nonprofits are wondering what they do with that. They’re not even sure how to answer a lot of the questions if they understand them. So it’s all of these different kind of bureaucratic areas where the nonprofits are getting a lot of pressure to comply with different standards that are being thrown at them, and they have a hard time understanding what they mean.
[00:10:08.290] – Joshua Peskay
On the other side, you’ve got the pressure coming from stuff that’s in the news all the time, which is the cybercriminal side. So you’ve got ransomware attacks, you’ve got what you referenced, Distributed Denial of Service attacks, and you’ve got what doesn’t get talked about, but is honestly the thing that’s most impacting nonprofits from where we’re looking at, which is straight-up social engineering and business email compromise, where attackers are, in various ways, essentially just asking for money and nonprofits are inadvertently giving it to them. And what that can look like is, “Hey, this wire transfer that’s supposed to go through, instead of going there, it should go here,” or, “The new employee that just started last week, we need $1500 of gift cards right now. Can you please ship those over?” And unfortunately, nonprofits who aren’t training their staff on a regular basis and putting good practices in place are really vulnerable to these very simple but very effective tactics that criminals are using.
[00:11:08.830] – Boris
Yeah, those are all so spot on, all of the different sides that organizations have to respond to, all of the different ways they’re kind of getting attacked, death by a thousand paper cuts, if you will. And I do think that phishing, which is what you were just talking about, where someone will impersonate someone within your organization, and social engineering, I mean, that’s been going on since the very first early days of computers and hacking. Who was it, Kevin Mitnick? I don’t remember.
[00:11:37.620] – Joshua Peskay
Kevin Mitnick, yeah.
[00:11:39.970] – Boris
Yeah, who wrote the book on it basically, and identified that the weakest link in any cybersecurity chain is actually people. People just don’t realize how vulnerable they are to these types of attacks. And I know several organizations and for-profit companies who have been attacked in this way, where they’ll just get exactly what you said in email, basically saying, “Hey, I actually need this to go to this address instead.” So people are somehow getting passwords one way or another, hacking passwords perhaps, then inserting themselves into conversations that you’re already having—so it sounds totally normal, it’s not like out of the blue—and diverting funds or getting greater access to things and hijacking an organization in so many ways. Why is that such a big problem for nonprofits specifically?
[00:12:31.210] – Joshua Peskay
It’s a problem for everyone. But it’s a problem for nonprofits, I would say, for two reasons which kind of tie back to the core reason, which is just the normal resource constraints the nonprofits have. So I used the term accidental techie before. For those who don’t know what that term is, it’s a term within the nonprofit space that describes a role that emerged… I first heard it probably 25 years ago, and it still happens in nonprofits, where you’ve got a 10 or 15-person nonprofit.
[00:13:01.370] – Joshua Peskay
And as you go from three to five to 10 to 15 staff, you develop this need for technology functions in the organization, right? Someone needs to set up the new computers, create the user accounts, manage our Google Workspace, manage our Salesforce instance. And there’s no designated technology role at the nonprofit because there’s only 10 staff. So someone… the office manager, the development assistant, sometimes the CFO, winds up with this technology role, not because anyone said we’re hiring you as a technology person, but because they were the person who seemed the least afraid of taking on this role and the most competent to do it. So that’s an accidental techie.
[00:13:44.050] – Joshua Peskay
And that is because nonprofits are resource constrained. So it’s the point at which they can hire an IT manager, a full-time IT director or an outsourced company like RoundTable. It’s a big financial investment for a nonprofit that’s trying to dedicate as much of their resources as they can to delivering their mission and views operational expenses as kind of like this necessary evil sadly, and adding this technology operational expense can be a real challenge. So that leaves them constrained in the technology space.
[00:14:12.360] – Joshua Peskay
And then, of course, cybersecurity is one element of the technology space. And you have the same problem in a nonprofit that you have in a business, Boris, which is that cybersecurity in most cases doesn’t drive revenue. So no one is donating to a nonprofit because they’re the most cybersecure nonprofit out there. So if you’re looking to invest resources, you’re saying, “Where’s my return on investment for being more cybersecure?” It’s not raising us more funds, right? So it’s hard to make a business case to reduce risk.
[00:14:45.070] – Joshua Peskay
And so once the accidental techie emerges, because they do need their computers to work, they recognize that… but making them even more secure is like, yeah, it’s kind of tough to really do that until, of course, that happens. And then everybody’s like, oh boy, now we’re really in trouble.
[00:15:04.390] – Boris
Yeah, I find that accidental techie phenomenon happening a lot in nonprofits, but it goes beyond techie in the term of IT and cybersecurity. It goes into online marketing, goes into so many things. Few people go to school and get degrees or advanced degrees even in these kind of marketing and technology fields, and then say, I want to apply that to nonprofit. More often, especially in smaller nonprofits, it’s people who are coming in because, like you, they want to do something good, just like how you started. And then for so long and still to this day, the youngest person with a TikTok account is the one who’s responsible for the social media.
[00:15:49.010] – Boris
Similarly, I understand it’s happening with technology, too. And it is, as you rightly said, really hard for nonprofits to devote those kinds of resources when cybersecurity experts right now are making so much money because there’s such high demand for them among for profits. How do you compete for that? So I absolutely get that. And it’s a really real problem.
[00:16:10.440] – Boris
I also want to add that whereas a for-profit company, if they get hacked, okay, they might have to pay a ransom. They might have to do something. It might slow them down. They might lose some trust with their consumers. But we’re also used to that right now. At this point, I feel like we’re almost numb to it that, oh, another 15 million user accounts have been hacked on Facebook. Go change your password or something like that.
[00:16:34.470] – Boris
For a nonprofit, first of all, you’re not dealing with that kind of scale. But second of all, for a nonprofit to lose that kind of credibility, if you’ve got to pay ransom to hackers that’s coming out of—especially if you’re uninsured—that’s coming out of your funds that you’ve raised from donors who want you to spend it on feeding the homeless, for example, as you were doing.
[00:16:58.670] – Joshua Peskay
Yes, there’s a Wall Street Journal article from earlier this year about a large nonprofit, ironically called Treasure Island, I believe, in San Francisco, that business email compromise took for about $650,000. And so you imagine that front page story in the Wall Street Journal. What’s that doing to the confidence of your donors, to your reputation? You know, reputational damage from these kinds of attacks is really something that’s very hard to cost out in terms of what damage that does.
[00:17:30.550] – Joshua Peskay
But the other thing that’s kind of not captured, Boris, in the dollar amount that’s lost is like how much time was taken away from mission focus while you’re cleaning up after some cyber incident that happened and the stress, the morale impact. It’s very tough. The sad part is and this is what we can talk about a little bit as we move on, Boris, is that there’s really some basic, inexpensive, simple things that nonprofits can do that reduce the risk dramatically of being in a cyber attack. And it’s unfortunate that not more of them are taking these basic efforts because they view them as onerous or not a priority.
[00:18:14.570] – Boris
Absolutely. And you’re absolutely right. Let’s get into that. Let’s talk about what are the solutions? What should organizations be doing right now?
[00:18:23.450] – Joshua Peskay
So I would say the first thing is to identify who in your organization is going to take on the cybersecurity role. Generally, it’s going to be whoever is already your accidental techie or technology person. If you have an outsourced vendor that you work with, it’s great to go have a conversation with them and say, talk to us about cyber security. But typically it starts with some kind of basic assessment that you can do.
[00:18:50.910] – Joshua Peskay
And at RoundTable, there will be resources I believe in the show notes, Boris, but we have at our website. If you go to surveys.roundtabletechnology.com, we have some self-assessment surveys that you can do to kind of baseline yourself and get some basic findings and recommendations. A great tool was released by the Ford Foundation called the Cybersecurity Assessment Tool or CAT, and that will also be in the notes, I believe, Boris. That’s a great tool that people can use. And that’s a great place to start to get a sense of where your risks are.
[00:19:25.600] – Joshua Peskay
Now those things will produce reports based on your own self assessment. You’ll answer a bunch of questions and then you’ll get a report, but then you have work to do, right? You have to look through that report and it’s going to be a lot. So I’d really encourage you to work with someone, either any kind of cybersecurity consultant or a friend on the board or someone you can find who knows this stuff a bit and help you prioritize those findings and recommendations and put them on some kind of a timeline.
[00:19:59.630] – Joshua Peskay
For example, Boris, if we do an assessment and we find out that you’re on Google Workspace and you’ve got 20 staff and only three people have multi-factor authentication turned on for their account. Right? Then getting that turned on for all of the staff at the organization and enforcing that as a policy is going to be the number one priority because the data is totally clear. Enforcing multi-factor authentication on core things that you use is one of the biggest things you can do.
[00:20:36.540] – Joshua Peskay
Another thing, if we find out that you’re not training your staff on social engineering, on phishing, on using multi-factor authentication, on using strong passwords. Like a lot of the stuff you talked about, Boris, that’s an extremely low cost thing.
[00:20:50.850] – Joshua Peskay
Again, we’ll have a resource for you where you can get that done for your whole organization for free in 1 hour. Right? So all you gotta do is get your staff to sign up and attend for that 1 hour and you can get your staff the training for free. These are really basic free or low-cost things that just take a bit of time to set up that dramatically, I mean, profoundly reduce the likelihood of your organization being victimized by these kinds of attacks.
[00:21:19.950] – Joshua Peskay
So it’s really kind of the basics of making sure—I often say there are three things I would start with, just to give people really actionable stuff, right? Multi-factor authentication on everything you possibly can: start with email, then go to file sharing, then go to your CRM like Salesforce. But get MFA enabled, by the way, on your WordPress admin accounts, too. Boris, I know you’re a WordPress guy, so I’m sure you’ll appreciate that. Next thing is train your staff. And then third thing is backups.
[00:21:48.330] – Joshua Peskay
And going back to WordPress, something I see in assessments all the time is that organizations either don’t have a backup of their website or the only backup they have of their website is with the host who’s hosting it. And that can be a real problem if the host itself suffers a ransomware attack and their backups are destroyed or encrypted as part of that. Now not only is your web host down, but the backup that you would use to go and try to get your website up somewhere else is also down in the same attack.
[00:22:20.790] – Joshua Peskay
So getting some offline backup of your website that is separate from where it’s currently hosted and having some plan of what kind of hosting plan do we need? What would be the process for taking that backup and actually getting it live? That’s a really good thing to have in place, especially if it happens like a week before your annual gala, right? Boris, what do you do to back up the websites for the organizations you work with?
[00:22:47.700] – Boris
So it depends on how the organization is set up and where they’re hosted. I always recommend a host. I recommend SiteGround, and I could link to that as well in the show notes, along with every single tool that you’re talking about, because they’re all so important. SiteGround does daily backups with the plans that I have organizations sign up with or host them on. But then, yeah, I will do at least once a month. There’s a tool, it’s free, called Duplicator. And with Duplicator, you could create an entire backup of the entire site, plus a PHP script, basically a file that you could run that will restore it anywhere you want to go.
[00:23:24.150] – Boris
So if a host goes down or if something gets hacked, I can, within 15 minutes, have the site back up on the same server, on a different server. It really doesn’t matter. We point it to the new address, and for the rest of the world, it looks like nothing has happened while we can resolve… okay, what happened? How did that hack even come into place, and break things down and keep things running.
[00:23:45.900] – Boris
Besides that, of course, I could talk ad nauseam about WordPress security, but there are a few different functions that I think everybody, just to quickly list off, should be doing, like changing your default login URL, because every WordPress install comes with the same one. And that’s the easiest point for hackers to try to guess passwords.
[00:24:05.712] – Joshua Peskay
Admin
[00:24:05.260] – Boris
slash wp dash admin, uh-huh!
[00:24:07.670] – Boris
Second is, and Josh, you and I were talking about this and you mentioned it as well. People leave admin accounts up, someone came in and did a little bit of work or someone was working, and then they left and that admin account stays open. And you don’t know what the password was. You don’t know if their password keeper gets hacked, and then they could come in, whoever gets it and hijack everything you’re doing. So checking and making sure that only the right users have the right levels of access, and you could get really fancy with that.
[00:24:40.050] – Boris
But I think more than anything. And this is what you were talking about before, Joshua. It’s a matter of education, because the most frustrating thing to me, and I try not to reveal how frustrating it is when I’m talking to clients is passwords, and knowing how important it is to actually have a secure password, every organization thinks, oh, we’re not going to get hacked.
[00:25:00.790] – Boris
What are the odds that somebody’s going to guess my dog’s name? Well, guess what? If it’s a simple password, they don’t have to guess it. They’ve got a dictionary of millions of common names and words that they’re going to barrage into your server at a rate of couple thousand a second until they break open. Number one is that education piece.
[00:25:22.510] – Joshua Peskay
Yeah. And listen, I know folks that are listening to this may be feeling a little bit overwhelmed, like we’re giving all this work to do. And I want to kind of say, hey, first of all, take a breath, calm down. And you want to approach this like you would, let’s say, like a fitness program, where if I’m not in shape and I’d like to get fit, physically fit, I have some upfront work to do to kind of start doing some exercise, eating a little healthier and doing stuff. And maybe in three to six months, I can reach a sort of level of fitness, and I feel a little bit healthier and less at risk of having a heart attack or other bad things happening to me.
[00:25:59.820] – Joshua Peskay
But if I don’t continue doing some level of maintenance and exercise and diet, then I will fall out of shape again. So it requires—to do cybersecurity, you’re not going to run a marathon tomorrow, and you also don’t need to run a marathon. You just need to do a nice, easy 5K and be able to do that on an ongoing basis. That’s the level of fitness you’re looking to get to as a nonprofit, right?
[00:26:28.460] – Joshua Peskay
Unfortunately, most of the nonprofits right now, if I asked you to go do a nice easy 5K, you’d be puffing by the first kilometer. So the idea is to get started, identify where your most vulnerable points are, go after those, do it in a reasonable and sustainable timeline and fashion, and then continuously be looking at: okay, now that we’ve got MFA enabled, what’s our next weak point? Let’s review our WordPress admin accounts. So next month we’re going to make sure we clean up those WordPress admin accounts and enforce multi-factor on everything.
[00:27:07.930] – Joshua Peskay
And then the next month we’re going to make sure we’re backing up. We’re going to set up that Duplicator process and make sure we’ve got a backup of our website and a plan to restore it. Next month after that, we’re going to make sure we train our staff and set up something so that we’re training them every month or every quarter. After that, we’re going to maybe deploy password managers to our staff and get them to use that. After that, we’re going to go look to cyber-liability insurance.
[00:27:30.060] – Joshua Peskay
So you’ve got a one-year plan, where all you need to do is one thing each month. And it doesn’t feel so overwhelming. But a year from now, you’re in a totally different place than you were now, and you have this practice that you’re doing. So that’s what I want people to kind of think about. You can do it. It is sustainable and manageable. Just don’t try to do it all tomorrow.
[00:27:52.550] – Boris
I love the comparison of a fitness plan. I know that it’s January when this episode is playing for those of you who may be watching or listening to it later on. And January is the month that gyms love because they get so many sign ups. It’s a New Year’s resolution, and I think that this could also be a New Year’s resolution for organizations is to create a cybersecurity fitness plan with these commitments as you’re going along throughout the year.
[00:28:25.130] – Boris
What you’re advising, I think, is absolutely brilliant, which is make a plan that is simple and easy enough to follow along rather than trying to fix everything at once and feeling overwhelmed triaging, essentially, what are your biggest risk factors? I still think that training is the number one thing. So maybe in January you commit to having your entire staff watch a one-hour video on cybersecurity practices. Right? That’s going to really take you to a huge new plateau from which you could then climb further and further.
[00:28:58.610] – Joshua Peskay
Absolutely. I love that. So, we at RoundTable offer an annual training, so we call it very modestly “The Best Free 1-Hour Cybersecurity Awareness Training Ever.” This year will be our 6th annual, Best Free 1-Hour Cyber Security Awareness Training Ever. It’s going to be on January 27th. Me and my longtime colleague Destiny Bowers do it together as a two-person show. We try to make it really fun, really entertaining, really funny.
[00:29:29.400] – Joshua Peskay
We actually—not only is it free for your entire organization to attend, but we offer cash prizes. We do a quiz at the end. It’s a competitive quiz, so the hundreds of people that attend the webinar, all can compete with each other, and you can win up to $100 by simply attending the webinar and getting first place in that quiz. And in other years, we’ve given little $25 prizes for people during the webinar for whoever’s first in the chat with the answer to a question or something like that. So be on the lookout for that. We’ll have a link in the show notes, and it really is a really fun time and a hugely important thing you can do for your organization.
[00:30:10.890] – Boris
Sounds like a holiday party to start off the New Year with prizes and quizzes, all those kinds of things. I think that’s awesome. And I’m glad that you are making it free to everybody, including everybody at the entire organization. Is there anybody who you don’t think needs to take that kind of a training within the organization, or should it just be everybody from top to bottom?
[00:30:32.770] – Joshua Peskay
I think a lot of the regulatory compliance guidelines, or laws actually, that we talked about before require that everybody in your organization complete a cybersecurity awareness training. So many of you, if you’re in New York and you’re subject to New York SHIELD, are required to be training your staff at least once a year. So you can satisfy that requirement by having every single staff person in your organization register for the webinar with your organizational email. And if you ask us, we’ll send you the list of everybody that registered with your organization’s email who attended the webinar. And you can have that as proof that you’ve met this requirement of these various compliance laws. So everybody in your organization should take this training.
[00:31:19.830] – Boris
Awesome. I think I’m going to sign up to take it myself to see if there’s anything that I should be aware of that’s not already on my radar. I know you guys are doing great work in this field, so why not learn from you as well? Joshua, thank you so much. I know, actually, as we’re recording this, that there are some severe cyber threats currently going on that I’m probably distracting you from, so I’m going to let you get going.
[00:31:45.420] – Boris
But thank you so much for joining us today and talking to us about all of these critical areas that nonprofits may not be devoting enough of their time and brain power to address.
[00:31:59.070] – Joshua Peskay
Yeah, well, Boris, thank you so much for having me on. It’s an absolute pleasure to talk with someone who understands these issues really deeply and cares about them and is doing so much good for the nonprofit space. And for all the nonprofits out there, I get it. It’s hard. You’ve got your missions to pursue. I’m not asking you to do a ton, but just do a little bit on an ongoing basis. I promise it’s enough, and it will get you better. But you’ve got to do it.
[00:32:24.190] – Boris
Awesome. Thank you, everybody, for joining us today. I hope Joshua and I didn’t scare you too badly in terms of cybersecurity, but it is really an important topic, and there are practical steps that you can take. We’re going to have links to all of those resources in the show notes, as well as a summary of everything that we talked about, to make it as easy as possible for you to really secure your online presence, so that you can maintain your trust, so that you don’t have to worry about giving up hard-earned resources to cyber criminals, and so that ultimately you can then create more heroes for your cause.
[00:32:56.920] – Boris
Thank you for joining us, everybody. We’ll see you again soon.
[00:33:00.570] – Intro Video
Thank you all for watching and listening to the Nonprofit Hero Factory. We hope this episode has given you some ideas and strategies for creating more heroes for your cause and a better world for all of us. Please be sure to subscribe to this show on YouTube, Facebook, iTunes, Spotify or your favorite podcast platform. And let us know what you think by leaving a review.
Concepts and Takeaways:
- Cybersecurity is especially challenging for nonprofits that aren’t technology companies and don’t have the resources to attract trained cybersecurity professionals. (7:14)
- Nonprofits are feeling pressure from multiple angles, including data privacy regulations and laws, HIPAA compliance, and others. (7:56)
- A lot of nonprofits are uninsurable when it comes to cyber-liability insurance, which is a major threat to the organization’s survival should something go wrong. (8:56)
- There are also pressures from the threat of cybercriminal activity like hacks, viruses, denial-of-service attacks and social-engineering attacks (phishing). (10:08)
- “Unfortunately, nonprofits who aren’t training their staff on a regular basis and putting good practices in place are really vulnerable to these very simple but very effective tactics that criminals are using.”
- Due to resource constraints, the person responsible for the technology and data at a nonprofit is often an “accidental techie” — someone who is tech-savvy, but not trained for the position and its responsibilities—and it’s often in addition to their primary role that they were hired for. (13:01)
- It seems difficult to justify to supporters the expenses of cybersecurity… until a breach happens that costs a lot more.
- Nonprofits, even more than for-profit businesses, can’t afford the cost of ransom demands or losing the trust of their supporter base. (16:10)
- There are basic, inexpensive measures that nonprofits can take to dramatically decrease the risks. (17:30)
- 1. Identify who in your org will take on the cybersec role
- 2. Take an assessment of your current vulnerabilities and opportunities
- 3. Start doing the work to mitigate the threats, triaging in terms of priorities
- Three low-cost, simple things you can do: (20:28)
- Enforcing multi-factor authentication on your core tools is one of the most important and inexpensive things you can do. (Where the tool allows it, an authenticator app or hardware security key resists phishing better than codes sent by SMS.)
- The second is training your staff on social engineering, phishing and other vulnerabilities.
- Create regular backups, and keep some offline, separate from the system that hosts the live data, so that an attacker who compromises that system cannot also destroy or encrypt the backups.
- When it comes to nonprofit websites on WordPress, securing them starts with: (22:47)
- Creating regular, off-site backups
- Changing the default login URL
- Making sure that the right users have the right access
- Creating strong, unique passwords
- It’s easy to feel overwhelmed, but you can approach this like a fitness program. Set it up in stages by order of priority to get yourself to your desired level. Then set up a maintenance routine to keep yourself there. (25:23)
- RoundTable offers a free annual 1-hour cybersecurity training every January; this year’s session is on January 27th. (29:00)
- A lot of regulations and laws require that everyone within an organization complete cybersecurity training. (30:32)
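As an added example (not code from the podcast, and not RoundTable’s own tooling), here is the backup item from the “three low-cost, simple things” list and the WordPress list above in runnable form: a small bash routine that archives a site directory, records a SHA-256 checksum, copies archive and checksum to a second location that stands in for off-site or offline storage, verifies both copies, and keeps only the newest archives in the primary location. The paths, file names and retention count are assumptions for illustration, and a real WordPress backup would also need a database dump, which is not shown.

```bash
#!/usr/bin/env bash
# Added example, not part of the podcast or RoundTable's own tooling.
# Backs up a site directory (e.g. a WordPress docroot) into a timestamped
# archive, records a SHA-256 checksum, copies archive and checksum to a second
# location that stands in for off-site/offline storage, verifies both copies
# and keeps only the newest KEEP archives in the primary location.
# All paths, names and the retention count are assumptions for illustration.
# A real WordPress backup also needs a database dump (mysqldump), not shown here.
# usage: backup_site /var/www/site /var/backups/site /mnt/offline-usb 7
set -eu

# verify_backup ARCHIVE
# Succeeds only if the archive matches its .sha256 file and is a readable tarball.
verify_backup() {
  local archive="$1"
  ( cd "$(dirname "$archive")" \
      && sha256sum -c --status "$(basename "$archive").sha256" ) || return 1
  tar -tzf "$archive" > /dev/null || return 1
}

# prune_backups DIR KEEP
# Deletes all but the KEEP newest site-*.tar.gz archives (and their checksums) in DIR.
# The offline location is deliberately never pruned by this routine.
prune_backups() {
  local dir="$1" keep="$2"
  ls -1t "$dir"/site-*.tar.gz 2>/dev/null | tail -n +"$((keep + 1))" \
    | while IFS= read -r old; do
        rm -f "$old" "${old}.sha256"
      done
}

# backup_site SITE_DIR PRIMARY_DEST OFFLINE_DEST [KEEP]
# Prints the path of the new archive in PRIMARY_DEST on success; fails if either
# copy does not verify, so a silently corrupt backup is never reported as good.
backup_site() {
  local site_dir="$1" primary="$2" offline="$3" keep="${4:-7}"
  local name archive
  name="site-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
  archive="${primary}/${name}"
  mkdir -p "$primary" "$offline"
  # -C makes the archive hold paths relative to the site's parent directory,
  # so it can be restored anywhere, not only at the original absolute path.
  tar -czf "$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
  ( cd "$primary" && sha256sum "$name" > "${name}.sha256" )
  verify_backup "$archive" || return 1
  cp "$archive" "${archive}.sha256" "$offline/"
  verify_backup "${offline}/${name}" || return 1
  prune_backups "$primary" "$keep"
  printf '%s\n' "$archive"
}
```

The checksum file travels with the archive, so the offline copy can be verified on its own later, before a restore, without trusting the host that produced it. Run the routine from cron or a systemd timer, and point OFFLINE_DEST at storage that the web server cannot write to once the copy is done (a detached drive, or a bucket with write-once retention).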
Action Steps: What Now?
About this week’s guest

Joshua Peskay
vCIO / Cybersecurity, RoundTable
Joshua (he/his) has spent nearly three decades leading technology change for over a thousand nonprofit organizations. Joshua is especially dedicated to improving cybersecurity in the nonprofit sector and works regularly with at-risk organizations to address digital security challenges. Joshua regularly presents and teaches on topics such as Technology Strategy, Cybersecurity, Project and Change Management.