Social Impact Advisory Meeting, September 2024
Mark Van Slambrook (Panelist), document management at The Swenson Group
Julia Arant (Moderator), Partner with Nava Benefits
At our monthly Social Impact Advisory Group meeting, we wanted to explore ways to improve your nonprofit’s cyber security strategy. We invited moderator Julia Arant and panelist Mark Van Slambrook to discuss how nonprofits can ensure data protection and security while navigating potentially devastating risks. The following panel presentation was edited for length and clarity in digital format.
Julia Arant is a Partner with Nava Benefits. She assists her clients in designing bespoke HR benefit strategies, with a keen eye on aligning these strategies with their organizational goals. Her approach is holistic, focusing on financial optimization, and leveraging benefits to boost recruitment and retention. As part of Nava’s commitment to revolutionizing health care, she provides support to Nava’s clientele through innovative program design, effective cost containment methods, HCM system assessments, engaging communications, and regulatory compliance.
Julia is driven by a profound passion for supporting organizations that champion innovation and purpose, contributing to the greater good.
Mark Van Slambrook works in technology support, including assessments, managed IT/cloud services, copiers/MFPs, and document management, at The Swenson Group. He is passionate about helping local nonprofits leverage technology to control costs, secure their data and make their people more productive so they can achieve their mission. Based in Livermore and serving San Francisco and surrounding areas, he hears from nonprofit leaders that they select him because they want to deal with a local, privately owned company that offers the world’s best Office Technology Products, Cloud, VOIP and IT Services, all backed by award-winning service with a personal touch.
He is driven by building business relationships through the integration of technology to securely improve workflow and efficiencies.
Julia: Mark’s going to talk about the importance of having a tech stack and really having a partner in that space. That’s going to help you address some of these issues that are coming down the pike when it comes to cybersecurity and how you can safeguard yourself against some of the risks there.
Mark, I’ll invite you to briefly introduce yourself and then I’ll get into some questions that I have that I think would be relevant for the audience here.
Mark: I am principal and vice president with the Swenson Group. We provide technology support including assessments, IT, copiers, printing, anything document related. My goal is to build relationships through the integration of technology and help improve workflow and efficiencies.
There’s other accolades that really aren’t that relevant other than I’m passionate about nonprofits. I’m involved in them and I’m certainly grateful for all the things that they do out there. If you or your clients have any technology questions, or I can be a resource for you at any time, we’re a local family-owned business here supporting the San Francisco Bay Area.
Julia: I will kick it off with just some general questions. I think what we’re going to do here is just do some Q & A with Mark and get through some of the subject matter. At the end, we’re going to open it up to the floor for Q & A from the rest of the group. I think we all know that there’s sort of a problem out there stemming from cyber security issues that has sort of escalated over time. Can you begin, Mark, by just telling some of the attendees here sort of what issues you’ve seen in the cyber security space that have hit home lately?
I know when you and I touched base on this subject, for example, Patelco came up, but I know there were others. So can you start with sort of a brief synopsis of what the problem is that we’re seeing out there and where it has manifested?
Mark: I will hit on some background real quick. The goal today obviously is to just share a little information about cybersecurity.
It’s hopefully going to validate some of the things that you already know, and may have implemented in your business or seen implemented in the nonprofits that you work for. Some further education on some of these components and you may hear something new, and then also just a little different spin on cybersecurity and how your organization can incorporate it and implement that technology platform.
So you mentioned Patelco. I’m not sure if these folks are members, but if you had not heard, Patelco is a credit union. It’s headquartered out here in Dublin. They have about 2,000 employees. They were breached about two months ago, and they did not find out about the malware detection for about two weeks, and they were literally shut down. They shut down for business for approximately two weeks. What that looked like was no access for 450,000 customers.
They couldn’t get their statements, their account loans, their bill payments weren’t happening. Their credit card transfer payments weren’t happening. I’m a personal member there. I have a credit card with them in a small account from long ago.
I have some personal friends for whom that is 100 percent their banking, and they were literally going to the ATM every day. The maximum amount you could withdraw was 500, taking their money out because they were afraid they were not going to get it, and they are not planning on going back.
Malware, ransomware, a hack, lost all their information, completely shut down. That’s a big one. We may or may not hear about it, and the ramifications, who knows what’s going to happen, but it’s significantly going to have some ripple effects. We might talk about that a little bit later.
Cyber security is really attacking the smaller businesses. And, like smaller businesses, nonprofits sometimes struggle just with technology in general. I have one that I’m affiliated with and I’ve worked with for some time now. They had ransomware, this was several years ago, and their hard drive was completely stolen: all the data, everything taken from them. This is an organization that serves the public. They have daily schedules, so they had no access to who was coming that day. No access to what classes they were going to be going on. No access to what kind of medical care each person had.
Prescriptions, medication, anything. Shut down. Four days. They asked for money. They needed to pay 28,000 dollars to get their information back. And they had no access to it. And they had no choice other than pay it. So they pay 28,000.
The way it works is ‘give me the money, we’ll give you your data back.’ 60 or so percent of the time, they don’t give it back to you. They just take your money. This nonprofit was fortunate enough that they got the data back and were up and fully running in four days. We’re fortunate because it’s a very niche nonprofit, so there weren’t 15 other nonprofits in the area that could do what they did. So it’s not like they were impacted necessarily from grants and funding, and they did not have to disclose at that time to the masses that they had a data breach and that they had lost their information.
The employees knew and their clientele knew ultimately their donors probably all found out, but they did not have to send out a communication unlike Patelco. I got an email that day saying ‘we’ve been breached. We’re working on it.’ I got a follow up from the CEO. ‘Please be patient. We’re working on it,’ a week later.
But nonetheless, it was extremely disruptive. If we think about this in our own day to day, what would happen if, let’s pretend, your cell phone was gone? You had no emails, you had no phone numbers, you had no bank information, and you had to go along with your course of business.
How do you communicate? It’s one of those things. It was catastrophic for them.
Julia: It sounds like there are some, you know, reputational cost related implications to this, you know, occurring to an organization, which I know we’ll be covering in a future question. But can you talk first about some of the steps? I know that you mentioned a few pillars of what to address, some steps they can take to sort of protect themselves from cyber theft, from cyber crime, and what that looks like, a little bit of background.
Mark: With the growth of AI in the last two years, this has significantly accelerated the exposure in the cyber security arena because these hackers and what they call bad actors just have more capacity, bandwidth, computer power, internet speed. Someone could just be sitting in their bedroom just trying to hack all day long and using AI to do that.
So some of these things have been accelerated, but we look at it that there really are four components of this in terms of steps inside of this cyber security and I’ll touch upon each one. The first is protection. The second is detection. The third is response. And then the final one is recovery.
From a protection standpoint, how is your infrastructure configured? What’s your tech stack look like? That could be things like firewalls, network integration. How are they talking to each other? Your cloud services? How are you?
What’s that configuration look like? Another component is the management, the management of those devices. If you have a firewall that’s not managed, not someone actively looking at it, it might not be as protective as you need it to be. But is there oversight? Who’s looking at it on an ongoing basis to ensure that it’s working properly and it’s functioning the way that it’s supposed to? So oftentimes with these devices, if they’re not licensed, there are expirations on warranties. So sometimes they can come out of that. So there’s things we want to look at in terms of just general maintenance.
You know, how do we keep that system up and running optimally and that also includes things like patching and that needs to be done because the Microsoft of the worlds will come out and identify something. They’ll send out a patch to fix it. It might not ultimately completely fix it, but it will certainly make it more secure than it was without that patch because the hackers are looking for the loopholes and the companies are trying to patch those and get in front of those as well.
So that’s a component from that standpoint. There’s also education and training. Those are two pieces that I see a lot of organizations miss. The education is ongoing, letting people know the days of the prince in Nigeria asking you for 500,000, you know, ‘send me 50 and I’ll give you 500,000,’ with cryptic English that you can see is terrible.
I’ve gotten texts recently that look like real communications with links on them. Emails come from your boss with their name and in the tone that they would use. I had a client that made a request to make a bank transfer and the controller almost did it and just happened to call the president and he’s like, I would never do that. You know better. You’ve been here 20 years, but just kind of that course of business clicking on the name was there. So things like looking at the email address, correct. Be more cautious, you know, but part of this is an educational component. And another is training: showing people, not just telling them, but showing them.
There are services out there that will not only educate, but put a training program together that looks like creating these false emails and sending them out to the organization. And when they click on them, rather than say, got your ransomware, give me 28,000. It says bad, bad, bad. We talked about this.
We can get some reporting and we can kind of collectively as a group look at it and say, how do we become aware so that we can do the protection standpoint?
The detection part is just a knowledge and understanding of publicized threats. So when you hear things that come out in a specific arena, be really cautious. If something came out in, you know, Microsoft 365 and you see it, just be aware, engage your folks to talk about that. And then also having detection, you know, software things in place that would find that so that you could identify it quickly, because that becomes our next one of responding when something does happen.
How do you respond to it? We need to isolate that incident. We need to shut down the appropriate channels whether that’s Internet, whether that’s something on the network, but really try to contain what’s happening so it doesn’t spread actively.
Also, we just need to notify the appropriate people internally, to ensure that they can respond accordingly and then external partners, because oftentimes there’s third parties that have different software that we use different components that we want to let them know this is what’s happened.
Then the last one is just that recovery and part of that is containing the situation that you have and trying to get back to the day to day components, but also equally important is understanding what were the weak points? How did this happen?
How were we exploited? Where did this happen? Trying to find that and then ensuring that we take a look at that and we understand it. And then we kind of go back to the protection. We put preventative measures in place to protect so that that doesn’t happen again.
Julia: So I think you kind of touched upon there some of the hidden risks, which are, we need to look at where did this originate, where did this come from?
You know, I think when organizations are thinking about this, you know, they’re thinking, I need to upgrade my technology. I need to update my cybersecurity. What are the costs of this? You already cited there’s some reputational costs. There’s obviously having to pay a ransom. How do we expand upon that when it comes to nonprofits, in particular, you know, donors, grants, things like that, and what those costs can really look like for not addressing these issues proactively.
Mark: Yeah, so you mentioned the cost and there are soft and hard dollar costs involved in this, and again I do want to reiterate: tech is confusing. It’s complicated. It’s not unique just to nonprofits where there’s a concern and the mission is to take those dollars and put them into the programs in the community and the mission, but in order to accomplish that, you have to have a good infrastructure.
You have to have a good foundation and you want to keep that. So some of the things that we might have touched upon or I’ve already touched upon. One is operational downtime. What does it cost if you were shut down for an hour? For a day for a week. Could you function? What’s that look like? There’s a soft cost associated with that.
But there is a hard dollar cost associated. If I had more time, I could extrapolate an example about like, just one little sliver in what a nonprofit does in the morning, how tough it would be. If you just were shut down, what’s that operational cost? There’s the cost to get back up.
And it’s going to be typically 10 to 50x the cost to have put something in place to potentially prevent it. When I go to the dentist and I have an abscess in my tooth, I don’t start negotiating. ‘Let me go see another dentist. Not sure how this is going to work out. Let me look at my Nava benefits app to see what the copay is.’ I got some pain, I gotta get it fixed. I write the check. When you’re shut down, you pay 28,000 to get your data. There’s no question about this. That’s what you do.
I don’t want to say what are the unnecessary investments, like one of those recovery or paying a ransomware, but the investments that might have been made the dollars that could have been used more strategically and better in terms of good stewards of those funds that the nonprofits have to be operationally sound.
Those are just, that’s an operational component, right? So the cost of not being able to do business, the cost of getting back up to doing business, and then the cost to get that recovery and protection now back in place to do it. We got data breach and loss.
This is a soft cost, but an example is I recently got a letter from Ticketmaster. They were compromised. They had to tell me that they were breached and that I might have lost the information. Imagine going to your donors and philanthropists, people with extra money that are supporting your cause, and having to say ‘I’m really sorry, they have your credit card and your bank info and your home number. There’s a lot of confidential information including Social Security numbers.’
Hackers like young children’s social security numbers and medical numbers, because it’s not quickly found out that they’ve been breached, unlike you or me, so there’s a little bit more exposure there. Depending on the nonprofit, there can be some regulatory compliance.
My understanding now, by law, if you’re compromised, if you process credit cards, you have to notify everybody. Like Ticketmaster did. If you’re a nonprofit doing any kind of healthcare services, there’s HIPAA compliance.
The last one we talked about: reputation. The reputation damage and what’s that look like? I live out here in Dublin.
I don’t know how that company is going to be impacted, but potential loss of grants when that comes across the desk and they say, didn’t, didn’t the Swenson Group get hacked? Didn’t they lose all of our information last time? We got another company. We got another nonprofit kind of doing the same thing. You know, sometimes our most valuable resources from time and treasure have reputational damage.
If you can indulge me, I’m going to tell you a quick story about my fence in my backyard. When I first moved in 20 years ago, I walked around the side. There’s an open space behind my home and I kind of live up in the hills in Dublin. And I walked around the corner and there was a buck, a doe and two fawns in the back, like I turned the corner and just like startled me.
They were going crazy, jumping in bushes, the door swung open on the fence, and the hand of the Holy Spirit or something out there just kind of moved them all, and they all just ran out into the session, out into the backfield, and I watched them run away, and I looked around for a second, and I’m like, did that really just happen?
I was maybe eight feet away from the buck when I turned the corner. I scared him. He scared me away. They go. So being a good homeowner, I took a rock and I put it in front of the door, the gate where it shut. And that was my fix for the gate that was broken. I was thinking, thank goodness. I don’t have young children.
This would be bad. Fast forward a couple of years, I don’t really go out there that often. Every time I drove my car and I saw someone getting their fence painted, fixed, or a new fence, I thought to myself, I really got to get that fence fixed. I really got to get that fence fixed. I had every intention of doing it and then I would take a phone call or someone would cut me off or I go to an appointment and I would forget all about it.
That’s where I ended up having younger children. So they’re at the house and I do end up getting the gate fixed much later. The reason I tell you this story is this is a little bit with IT and executive directors CEOs, some of them, a problem comes up. It arises amongst families, friends, and other community partners that they have, and they think, I really got to make sure that my IT stack is good.
My cyber security is all in place, with every intention of doing something, and it just doesn’t happen, like Mark with this fence. I kind of didn’t even really band-aid it. So my recommendation to the team is don’t be like Mark. Get your fence fixed or looked at. But more importantly, engage your current IT resources.
If it’s in house, if you outsource it, engage them, have a conversation about your cybersecurity tech stack. Are you protected? What’s your detection? What’s your response? What’s your recovery? Along those lines, test your backup. Everyone says they have backup. Everyone thinks they have backup. The example I gave you, they had a backup system.
They just hadn’t checked it or updated it in 35 days, which was a problem. So test it, minimum one time a year, if not twice. Have your IT folks test your current infrastructure, make sure that it’s up and running so that you are secure and you do feel safe. You’re being good stewards of the dollars that you receive, the employees that you employ, and the community and clients that you serve.
Maya Tussing: This was really near and dear to our heart, you know, with the risk management. I had an executive director say to me that she has continuously asked her board to look at this and she’s not an expert and they tend to pooh-pooh it and she knows that recovery is more expensive than prevention. What are a few kernels of, you know, data points or things to share with your nonprofit leadership, that isn’t too scary but scary enough that they’ll at least explore it? Any recommendations on how to dip your toe in the water?
Mark: A great question, and I’m flying off the cuff here, and real quick, as people ask tech questions, the propeller hat on my I. doesn’t spin, so I’m slightly dangerous, not super technical. Here’s what I would do, as you were telling me this, I would have the executive director go to the key board member, the vocal one, the one that’s kind of got the juice.
I think we all know who we’re talking about, who that one person or two people might be. Go to that person and ask and talk about your biggest donor, whoever that is. Hopefully that donor has written some pretty big checks. Bring it up and just say, hey, real quick, what would it look like if their credit card bank information, personal information was all stolen?
What impact would that have on us? Maybe because in this case it’s the government. That’s a tough one. And the reason I say that is oftentimes people that are on the board have a financial stake in the organization and contribute treasure and time and people that are longtime donors.
Becky: Question, just in terms of training employees within an organization, is that something that your firm provides?
Mark: We do provide it. I’ve got partners that also are really good at that. Almost every client I talk to, this comes up and everyone says, Oh, I’m going to talk to my team about it. Next team meeting, we’re going to talk about this. Some things are an ongoing educational training component.
You do it one time. In two weeks, someone might forget, ‘I’m not supposed to click on these links.’ You know, little things like that are things that can really significantly improve the cyber security threat and trying to prevent it to the best of your ability.
Sheila: You mentioned you started out talking about Patelco and I was one of those members. And I was sorely disappointed in the cadence of communication and the depth of communication around the hack. So I’m just curious if you have any high level best practices in the event that something horrible happens. How would you advise, or could you just advise a client on high level communications in terms of depth and frequency of communication?
Mark: I hope your situation with them has worked out. I knew people where there were no answers. I don’t even know if they’ve actually come out and said this is what happened. I don’t think they’ve done it. I’m a big proponent of full disclosure. It’s better to just be truthful and honest about it. We have a team that actually goes into these scenarios, a cyber security team. That’s literally a division of what they do. I’d like to ask them that question.
Fairlight Advisors