Human error is what will cause you to succumb to a cyber attack, education and caution are our best tools. In this episode, Cory Brester and Tammy Tilzey talk about the simple but important ways you should be protecting yourself and your organization from cyber attacks.

Cory Brester | Director of CRM and Information Systems, Foundant Technologies

Cory supports a fast-growing team focused on maximizing the philanthropic community. As a software solution provider for grantmakers, grantseekers, scholarship providers, and community foundations Foundant is tasked with supporting the infrastructure of philanthropic programs everywhere; in order to be successful at this, Foundant needs a reliable infrastructure of its own. Cory manages Foundant’s internal corporate IT infrastructure and systems as well as leads the company initiatives on cybersecurity. Since starting at Foundant in 2011, Cory has spent much of his efforts planning and developing efficiencies and systems to support Foundant’s growth. His 8-year history with Foundant has allowed him to participate in sales and support - providing the internal experience necessary to provide a framework and continuity to information system processes and data integrity. Outside of his daily management work, Cory also enjoys sharing his cybersecurity knowledge through Foundant education resources, such as blogs and hosted webinars. Cory came to Bozeman from the agricultural community of Laurel, MT to pursue degrees in Finance and Accounting at Montana State University.

Password managers:

• LastPass
• OnePassword
• PassPack

Password analyzer: https://haveibeenpwned.com/.

Examples and information on: Social Engineering and Phishing Attacks 

Blog articles referenced, etc.

• https://resources.foundant.com/blog/cyber-attacks-not-just-for-facebook 
• https://resources.foundant.com/blog/know-thy-passwords-a-guide-to-security 
• https://resources.foundant.com/blog/gone-phishin-what-to-watch-for-and-how-to-keep-from-being-a-big-phish 
• https://resources.foundant.com/education-webinars-for-community-foundations/trick-or-treat-banish-your-cybersecurity-fears-3
• https://resources.foundant.com/philanthropy-experience/security-q-a-with-high-point-networks

Want to see additional resources? Visit resources.foundant.com

Connect with other members of the philanthropic community at Community.foundant.com

Hello and welcome to our Connected Philanthropy podcast today. We are so very privileged to have Cory Brester Foundant own director of CRM and Information Systems as our guest as a solution provider for grant makers, nonprofit scholarship providers and community foundations. Foundant is tasked with supporting the infrastructure of philanthropic programs everywhere and in order to be successful at this bound, it needs a reliable infrastructure of its own.

So that's where Cory and his team comes in. Cory manages thousands internal corporate I.T. infrastructure and systems, as well as leads the company's initiatives on cybersecurity. And then outside of his daily management work. Cory also enjoys sharing his cybersecurity knowledge through Foundant education resources such as blogs and webinars. And now this podcast. Thank you so much for joining us, Cory.

Glad to be here,

Tami, and happy to share some knowledge with non-profits listening here today. I am so excited to talk with you today. I have learned so much about security and threats from working with you. You have communicated how important it is as well as shown us that it isn't an insurmountable challenge and you don't have to do everything at once.

I know there are a lot of folks in our community who appreciate this as well, so let's go ahead and dove in. I was thinking about talking and starting with that elephant that always seems to be in the security room and and talk about passwords first hand.

You're right, Sammy. I think people are probably tired of hearing about password requirements and and probably get frustrated every time they have to come up with a with a new one.

But we have to remember that you and I, our employees, everyone else in our organizations, there are number one risk when it comes to cybersecurity. Human error is what will cause you to succumb to a cyber attack and education and caution are really our best tools. So starting with creating strong passwords, use the strongest, longest password or passphrase that's permitted by a system and don't use passwords that attackers can easily guess.

Avoid using your birthday, your child's name, your pet's name. Attackers can use software to conduct dictionary attacks and try common words that might be used in a password. They also do brute force attacks where they just continue to randomly apply passwords to a system until one is successful. So when you're setting security verification questions, make sure you choose questions and answers that an Internet search wouldn't reveal the correct answer for you.

It becomes even more difficult for someone to brute force up a password attack when your password is 12 or 15 characters long. So I know that takes a long time to type in two systems, but the longer the password, the more difficult it is for a brute force attack. A password that's 15 characters long with upper lower case letters as well as numbers can take advanced computer system 600 million years to crack.

So I cannot emphasize enough have a long, complex password. Now everyone's probably thinking or how do I keep track of all these passwords? You know, I'm recommending they use different passwords for different systems so that if one password was breached, you don't have to worry about somebody getting access to a different system. So once you choose those complex passwords, don't write them down.

Don't leave them somewhere where somebody can find them. Leaving them written on a sticky note next to your computer would be like leaving the key in the door of your house. Get a password manager. Password managers are great for helping you create randomly generated passwords as well as storing those behind one long, complex password. Always remember to log out of your websites when you're using a public computer.

If you're sitting at a library or Internet cafe, I can't guarantee that these techniques will prevent an attack, but it'll at least make it more difficult. And you can do everything in your control to try to protect yourself. And then finally, you know, as you're setting up these systems with passwords, if they offer multifactor authentication, make sure that you are setting up those two factor authentication methods.

Yeah, yeah. That's something I've been seeing a lot as I've logged into existing applications I get offered. Do you want to enable multifactor or you know, as I'm creating new accounts Can you explain more about what this is and maybe examples? And I've I haven't found that it's taken much of it doesn't add that much complexity to log in.

And yeah, you're right, Tammy, that doesn't take a lot of extra work there and authentication system that requires more than one distinct factor is what creates that multifactor authentication. Usually you're using another application like duo Google Authenticator, Microsoft Authenticator that's providing you with another unique code that verifies that you are essentially the person that identity, that's your username, your email address, something that you know, which is going to be that password.

And that's your your first factor. And then your additional factor. There is going to be that code that comes from another system to verify that you hat that's something that you have. You have that system that's giving you that additional random code.

Yeah, it always it always makes me feel better knowing that if this was somebody who wasn't me, they wouldn't have their phone.

My phone right here. Right. Or I would get a notification if someone tried. Makes me feel better. So one of the common things that I've seen is a nonprofit. They have limited resources and they have some accounts that are owned by one person but need to be used by more than one person. How can they make secure passwords that that then can be shared?

Yeah, this is a problem that I think a lot of smaller organizations have to try to solve when when they maybe only have one account because of the cost that goes into extra licenses. And I think, you know, you do what you have to do there to to securely share those passwords using a product like LastPass or one password or passport, just to just name a few.

These you can create folders where you can share that unique password with with someone I would caution to not use this as the the first option because you'll lose the audit trail within the system if if somebody logs into your system and it's always being recorded as as a common user, you won't be able to keep track of who made that change or, you know, who altered the system.

So unique log ins is always the best option. But I know budgeting becomes tough and you have to be able to share those passwords. Another caution there is you know, if you do have staff turnover where you've shared that password, make sure it's part of your off boarding process, that you are changing that password in that system that was shared,

not too difficult to do change your password once once things happen, but definitely have it on the checklist.

And that'll make make it not perfect, but better Yeah. So how about checking the existing passwords I have because I have come a long ways Cory. I have. But I did have one password I used for everything because for a while back there and I've been slowly making making changes and now I rarely use that one. But how can you check if that password is secure or any?

Is there anything available there?

Yeah. And tell me, I'll, I'll just remind everyone that I really want to encourage people to use a unique password for every system, just to reduce the vulnerability there. But there are tools out there that are scrubbing some of the, the breached password databases that that have come out. And there's something like, have I been found?

And we can drop that link in the bottom of this podcast so people can use it subscribing to the monitoring on that site is totally free. You can subscribe for your organization's domain. If you're laid it manager, then you want to keep a close eye on your organization overall. But you can also subscribe for your personal email addresses as well as your personal working email address to get alerted if a password is on a breach list or if passwords are on a compromised list.

You can even use some of these password managers that I mentioned before. They will often have access to those databases of breached passwords and tell you if something was on a compromised list or if you are using a redundant password that's already stored within your system or a password that's potentially weaker than it should be. They'll help alert you to that.

And even Web browsers now, if you're leveraging their password saving techniques, they'll also help remind you to use different passwords and if something has been breached. Excellent. Yeah. And I, I do want to let you know that was in my personal life that wasn't at work. Right. And I've always got it all cleaned up, but it was a personal mess.

Right. So and I can't say enough that I use LastPass based on your recommendations, and it has made things easier. Will also put those suggestions in the show notes as well. On the that Cory mentioned. So what about email phishing? These these are getting trickier to spot used to be more obvious to me but lately I've I've seen they've they've up their game so can you explain what that is and and how to watch out for that Yeah.

And you're right, Tammy. These these cyber attacks through phishing are getting more and more creative. Yeah. Let's we'll start by kind of giving everyone a little bit of background on the what a phishing attack really is. You know, you should imagine the word Phish I sage, but with, you know, an F as if you're going fishing or the attacker is going fishing and there's bait that they use to trick you into jumping into the net or biting on their hook, an email that's pretending to be from your bank account with instructions to log in is a great example, something that didn't actually come from your bank and is trying to capture your your banking credentials you

know, even you go back to the the prince that is your long lost relative that has untold millions of unclaimed goal of gold just waiting for you. Yeah. Those are some of the ones that are more obvious. But as you mentioned, they're getting more and more tricky. There's not the obvious misspelled words. There's not the the obvious links that are totally wrong.

They are getting more creative, getting everything, everything closer. And now you're starting to see phishing not just in emails, but in text messages coming from someone pretending to be the CFO, coming from the president asking you to buy gift cards you know, the these fake emails that are more spear phishing, very strategically and precise in what they're trying to capture, using information that that pertains to a situation.

Maybe they know that your CEO is on vacation. And so leveraging that in that email to say Hey, I'm in the Bahamas, can you buy all these gift cards or can you wire this money? Because they were able to see that on a social media post or something. They are really getting creative. So the very first thing that I just encourage everyone to do is hover over links before you click on them, make sure that they look like they're going to the right site when in doubt.

Go directly to that site, especially in a bank account situation or a sensitive a system that's holding sensitive information. Maybe your accounting system go straight to that site, log in from there versus clicking on those links when it's asking you to reset a password or something. You know, even these emails have gotten creative to include brands and logos that are just misleading and false, and they're just hoping that you can they'll fall for these and this is the number one concern that I have around organizational security is emails coming in that people get busy in their day to day and let their guard down for a second, click on something, log in, and now I'll think

they're logging in. And now all of a sudden passwords are compromised and they need to go reset passwords. If something like that happens in your organization, seek help with your your I.T. department. If you use a third party I.T. department, get their assistance, especially if you think that those credentials are are across multiple systems.

Yeah, I those such as somebody out of the blue sending you a PDF of the invoice, you know?

Exactly. Exactly. I just really start to question why? Why is this person sending this to me? Why are they asking me to do this? That's that's a lot of what we see from when an organization has a compromised email account and someone's in there actively sending messages as them and they send a PDF that has a link in it.

Well, why would you send a PDF to just include a link? So a surefire way to to catch that one. But email is the number one most common and successful way that attacks are performed on the internet with up to 90% of those successful attacks, starting with a malicious email So use caution when you're opening email attachments and links that you maybe shouldn't trust.

And malware is not a thing that can come through email it's super common to spread when you click a malicious link within that email or download a malicious attachment that maybe is an Excel file with macros or something Don't open those attachments unless you're certain they're safe and you know who they're coming from and be especially wary of attachments with kind of names that are trying to trick you.

Something that seems too good to be true. Misspellings. Or, you know, some sort of prize or click here to claim this offer. Definitely stay away from all those as much as you can. And use caution when you're providing your information. Know, emails might seem to be legitimate, but example of another email being sent from your system administrator asking you to reset your password for a specific system.

And is that normal for them to ask you to do that? Did they give you enough information as to as to why it just can not caution people enough to just question emails before you click on links. And if it goes to a Web page that maybe looks suspicious, don't enter your credentials. Phishing, again, like I mentioned before, is probably one of the biggest threats to organizations.

And just think about the situation if you have a weak password that you use for everything and I mentioned earlier, you need passwords for every system, but say there's that weak password and they get into everything and now they have access to your email. They blast all your donors or all of your colleagues with a false link and maybe one of your donors or colleagues is hasn't been trained to look for those phishing emails.

And now they enter information into a malicious site and they've compromised their credit card information What does that look like for that organization now? That donor or your colleague has potentially lost trust in any organization in your reputation?

Yes. Yeah. And your your advice. If you see something in you, because they they do that spear phishing and wait for a specific time or use some personal information, like I was vice president on a board for a nonprofit, and I got a text saying the board president was unavailable.

It needed to pay this invoice and can you pay it with your credit card? And I will reimburse you or whatever. And I'm like, I got drawn in because it was like, who else would know that I'm this and she's that? But, you know, I think you back on it or that's information on our org's, you know, Web page.

And then and then taking this pause there and going direct to the person in that case or to the website, like you said, rather than using their links as always allowed me to like, okay, if some of it sounds legit, just ask the person this takes a little extra time but save so much pain.

And I know in our listeners out there coming from all sorts of different sized organizations and they might be asking, you know, we're only one or two people in our organization, how do we how do we bite off some of this?

And I think the biggest thing is baby steps, starting with just a little bit of awareness for your teams. You know, internally, within our organization, I think we've done a really good job of building a culture of awareness. Team members, as we grow, are asking really good questions when they don't think that an email is safe, they send them over to my team and we can check those links for them or confirm there are tools out there that can help reduce malicious emails coming into your inbox.

They can be expensive, and so make sure we're right sizing that for for your for your business and work with some I.T. consultants out there, if that's the right thing for for you. But even if you're just a small organization with one or two staff members, having some some annual cyber security awareness training that you do either annually, biannually might be just enough to protect you from that potential attack.

You can find tons of resources online for quick training. There's training tools out there you're like, no before or internally. We use one card called Mimecast that we schedule awareness videos out to the team to give them just little snippets of information and things to keep that security and and confidentiality of information top of mind versus not thinking about it until something bad happens.

Yeah, and I, I have to admit, I look forward to the start of every month, which is coming soon because they've mimecast has done a great job. I'll put those links in the show notes as well. But that monthly training has, as Cory knows, every once a while it catches me and it catches me on an educational, which is a safe place right.

You know, and then I'm like, I never want to not get 100%. So I try harder and learn more. It's that culture. I like that you've covered some, some really sound fundamental elements and there and so a lot of examples of what a nonprofit could do to increase their awareness of cybersecurity threats and what they can do. So thank you for spending time with us today sharing this knowledge and advice with our community.

And it has really been helpful and and in our shownotes you will find the links to articles on security that Cory has written for Foundant as well as the other resources that Cory is referenced. And before we close, I want to give Cory one more shot to the highlight and hit the themes on, you know, if you were going to do something tomorrow or work it into your plan to make improvements in this area, do you have any final thoughts or advice to leave our listeners with attending and this has been this has been great.

Thanks again for having me on here. I think for these for the listeners here today, if I could just encourage you to increase the length of some passwords start basic. If there's a look at your systems that you have access to and rank them from the most important most security, highest security risk. Start their links in that password.

If if you heard you use unique passwords on all systems and went, Oh, no, that's not me. Start there. Start by changing your passwords, using different passwords in all your systems. And just increasing those complexity. You know, like I mentioned, the longer it is, the longer it takes for a brute force attack. And then in your organizations, if you see something that doesn't look right.

Ask ask somebody. Even if you don't have a cybersecurity expert in your group, ask a colleague, ask a friend, ask a family member. Does this, you know, look weird? Should I try email? Should I click this link? Or if someone sends you something that looks suspicious, ask them, did you really mean to send this to me? That can be a a great first start to not fall for a phishing, phishing email.

And as I mentioned, human error is going to be the number one cause of a cyber attack for an organization. So just try to increase your knowledge. As Tammy mentioned, earlier in the show. Like, I've tried to not make cybersecurity a super complex thing for found in like we are getting information to people in bite sized pieces so that they can consume them and so that it's not a daunting task, but also keeping a culture of security that we keep data protected for our company, our clients and everyone else.

So I hope everyone has some takeaways from this and I hope everyone can continue to be safe in the world of cybersecurity.

Yes. Yeah. Thank you so much. Well, that's a wrap. And if you learn something from today's Connected Philanthropy podcast, please share it with others who might enjoy and benefit from this as well. We look forward, connecting again in our future webinars, podcasts and encompass our community discussion platform.

We wish you all the best success. And again, thank you. Thank you so much for all you do.