October is a spooky month full of ghosts, goblins and HACKERS TRYING TO STEAL YOUR DATA. Learn how cybersecurity awareness could save you and your organization from a hauntingly bad time.

Cory Brester | Director of CRM and Information Systems, Foundant Technologies

Cory supports a fast-growing team focused on maximizing the philanthropic community. As a software solution provider for grantmakers, grantseekers, scholarship providers, and community foundations Foundant is tasked with supporting the infrastructure of philanthropic programs everywhere; in order to be successful at this, Foundant needs a reliable infrastructure of its own. Cory manages Foundant’s internal corporate IT infrastructure and systems as well as leads the company initiatives on cybersecurity. Since starting at Foundant in 2011, Cory has spent much of his efforts planning and developing efficiencies and systems to support Foundant’s growth. His 8-year history with Foundant has allowed him to participate in sales and support - providing the internal experience necessary to provide a framework and continuity to information system processes and data integrity. Outside of his daily management work, Cory also enjoys sharing his cybersecurity knowledge through Foundant education resources, such as blogs and hosted webinars. Cory came to Bozeman from the agricultural community of Laurel, MT to pursue degrees in Finance and Accounting at Montana State University.

Links:

• https://staysafeonline.org/resources/  
• www.cisa.gov/report 

Want to see additional resources? Visit resources.foundant.com

Connect with other members of the philanthropic community at Community.foundant.com

Hello and welcome to Foundant's Connected Philanthropy podcast. Today we are privileged to have Corey Brester, the director of Information Systems at Foundant Technologies. And our topic today, we'll be talking about cybersecurity Awareness Month. Corey has been leading the charge on Foundant security initiatives, and we're excited to have him share some security tips and advice for our community.

Thank you so much for joining us today, Cory!

Thanks, Tammy. Happy to. Happy to be here.

Well, October it's October already. Year's going fast. And this month has become known as Cybersecurity Awareness Month. And this is becoming increasingly important to nonprofits and, well, really, organizations of all types. So I know there's a lot to learn about. Let's dive right in.

How how important is it now to learn and be aware of cybersecurity?

You know, to me, I think, you know, it it affects absolutely everyone. And you know, this year as part of Cybersecurity Awareness Month, the emphasis is on the person. And maybe I'll start with kind of a little bit of an EYE-OPENING statistic. According to Forrester Research, 91% of all hacking attacks today begins with a spear phishing or phishing email to an individual.

And each of those breaches potentially cost millions of dollars in damages to operations organizations, productivity, their reputation and their need to continually protect themselves against these ever evolving attacks. Spear phishing emails are the most popular targeted attack method so every individual needs to be aware before they open an email attachment or click on a link from an unknown sender.

Yeah, I am. I'm seeing so much, so many more of those email types coming out. And it it does frighten me. And you've been training us really well to identify them, but they are always finding new ways to trick us. So how how can we be aware of that? Or do you have any tips on what what people should focus on or how to learn how to identify those?

Yeah, absolutely. You know, those harmless looking links or attachments can contain malware. It could take a take advantage of your device and hold it hostage for ransom. And even, you know, if you're in a corporate network, you can. It can start to spread across the organization. And take over other colleagues, machines, other assets to the organization. So it's just really important to look for those basics, look for the links that don't make sense.

Question everything that you get anymore. Organizations have a lot of tools in place to try to stop these items before they get to the human. But the human aspect is the last element that can really protect the organization and even protect yourself. Today, we'll spend most of our time talking about how these sort of items and things are pertinent to a business or to an organization.

But look, at these things in your in your personal life as well. And that's really the the goal of Cybersecurity Awareness Month. This is now the 19th year that this has kind of existed as part of the government and industry to raise cybersecurity awareness across the nation and help ensure that everyone has resources they need to be safe.

And this year, the emphasis is on the theme actually as see yourself in cyber. So the emphasis is on how the human element of this somewhat complex topic really comes into play. So October focuses on the people and what people can do to protect themselves at home, at school and in the workplace.

That's that's great. And I like how how you are so right.

I mean, we can come with great tools and everything. But but having that suspicious mindset and assuming things are not safe until you prove or, you know, there's any question in your mind it's it's good to check and not assume that they're safe. As as was the case, I, I knew many years ago. My behavior has definitely changed from what it was two or even five years ago for sure.

And, and realize that how much damage can be done in just a second of clicking things before you you check them. That's, that's really needed to be aware of.

It's such an evolving landscape that things are changing all the time. I still hear people say that it doesn't affect them but whether or not you're working in the industry of cybersecurity, whether or not you're a student, an employee of an organization, if you if you use the Internet you are part of cybersecurity and it does affect you.

And everyone every age needs to be aware of how to protect themselves and the tools to to put into place.

Okay. So we've established it's scary. There's things to do. What what are some steps or what? Do you have anything that that maybe would be a first level of of what organizations or individuals should do?

Yeah, absolutely. You know, there's part of the campaign that the Cybersecurity Awareness Month that's put together really involves four steps.

So I think we'll talk through all four of those. And the first one is enabling multi-factor authentication. You know, every single account should have that extra level of security your bank accounts, your your investment accounts, your emails, every single piece of your cyber world that that has personal information should contain multi-factor authentication. You should be using password managers to encrypt your passwords, keeping them safe from others you know, just being able to hack them longer passwords are way more way more secure.

Phishing is as we talked to earlier, the most common type of malware that people can fall victim to. And so understanding what to look for is the first step in not letting that infect your PC or your device or CAPTCHA credentials and then updating your software. The most basic thing that I think most people forget about, especially in this world of the Internet of Things, where you have smart thermostats, smart TVs, all these different devices that need to be updated, whether or not you're updating the manually or when they support automatic updates, turn those automatic updates on So maybe the maybe the first thing we, you know, talk about is multifactor authentication.

Yeah, let's dig into that. I that's the reason why I carry my cell phone with me whenever I'm working at my computer now.

And that's that's become reality for so many people. And so multi-factor authentication, it goes by a few different names. Two factor authentication, multi-factor authentication, two step factor authentication, MFA to effect they all really mean the same thing, opting into an extra step for websites or applications to confirm who you really are.

So your bank accounts, your social media accounts, school accounts, work accounts, you need to take those extra steps to to protect those those different pieces of information. So instead of just asking for a password, which you may be reusing and we'll get to why you shouldn't reuse passwords a little bit later, the passwords are oftentimes reused. They're easily cracked or stolen, especially if they're not long enough.

And they can really be too simple by just a username and a password. So oftentimes when you opt into the multi-factor authentication options, it's going to ask for something that, you know, that pin number, your sister's middle name, your mother's maiden name along with something. Then you have an authentication application, like you said, your phone for you, whether it's a text message or an authentication app, and then something that you are in many cases that face ID or that fingerprint just those extra steps.

That second factor makes it so much more difficult for somebody to to hack or take advantage of your your credentials and compromise your accounts. It's a super simple way to keep yourself just a little bit more protected and you always have, as you said, you always have your cell phone on you. It's just a little extra time can go a long way.

I know. And so it's not confusing. It's, you know, that the numbers or whatever it it comes up right away and I always feel really good knowing that that step is there, especially when I'm logging into my bank account or other things like that. It really does. Well, you know, nobody would be able to do this unless they had my cell phone here to write, you know, and be able to log into my cell phone all that.

So I, I see how that really tightens it up with a really simple step. So, yeah, I've been turning it on normally they try to give you a benefit if you turn it on so or, you know, encourage you to do it every time you log in and tell you you do have it turned on so that's that's good to know.

Number one, always choose that option or look for it. I got that. What's next?

Second thing you strong passwords on don't reuse your passwords. It's too simple for one of the services that you've signed up for it to have some sort of data breach and then have your passwords and user name floating out there for hackers to reference as they're trying to hack other other sites and accounts you may have reused so use a password manager whether or not it's something like one password LastPass there's there's dozens of them out there.

But basically you're protecting your you're protecting your password under an encrypted method with a single long master password that keeps that keeps everything secure and use a long password, the longer the better. It's exponentially harder for a computer to crack a password when it becomes 12, 13, 14 characters long make that password complex add in numbers, add in special characters, upper and lower cases and people will often.

How am I going to remember those? Again, that's where the password manager comes into play. Or even it will create your passwords for you so that you don't have to think about them. I don't know, probably 99% of my passwords. I probably remember my Wi-Fi password and that's about it. The rest of them are all stored in my password manager.

Passphrases become easier if you do need to remember them taking sentences that mean something to you, but somebody else wouldn't figure out something that's easy for you to to to bring front of mind when you need to, to type that in multiple words mixed in with some special characters and and numbers and I can not encourage people more to have strong passwords that they're secure with a password manager that is going to be there.

The second most important thing to keeping somebody safe.

Yep. Yep. As we transition to using longer ones and mixing in numbers, it became very apparent to me that yeah, using one of those password managers is the only way I could go. I guess my memory is just not not going to remember too many unique ones. Right. And but once you get start getting those letters that, hey, you know, your personal information or your password was exposed here and you just don't know how far that goes.

And so making sure each one of them is unique really is is a way that would minimize what could happen there.

Just one more step to reduce risk, like the world of cybersecurity is about evaluating your risk and reducing your risk longer passwords reduces the risk of being hacked. Every single unique password very much reduces your risk of being hacked.

Adding a second layer, the multifactor authentication reduces your risk.

So that brings us to what the number one way people are getting in right now is

exactly as the simple cyber criminals are getting more and more creative with with phishing emails. And those aren't just phishing emails. Those are phishing smishing, SMS, text message type of attacks or phishing voice, voice attacks.

We're sending something that looks real. And these are getting more and more creative. We all we all used to see where you're your great, great, great uncle, the prince of of Egypt or whatever, left you some trillions of dollars of some sort. And that was what people were following for 15, 20 years. Ago. And, and now we're we're seeing those those one drives, those dark, those drop boxes, those things you're using every day that you become so used to trusting and you click into.

And that next phase is a credentialing credential harvesting type of screen where it's trying to get you to log into a system and it's capturing your passwords. And then if those are reused passwords, they're not only into that that system, they just trick you into logging into, but into so many other systems. You have to check for those those links, making sure that they're going to where they should question why someone's asking you for the information and even some of those basics still exist.

Is the offer too good to be true? Did you really win $1,000,000? Are you really the new owner of a Lamborghini do it. Do a good gut check question. Everything and just be really careful what what type of information you're giving people. Those credential harvesting aspects of a phishing email can be huge. And what they're going to capture from a password, from a Social Security number, credit card number, all those those pieces of information, but also their ability to download malware onto your machine, your laptop, your your desktop and and encrypt the hard drive for ransom and then you have to determine whether or not you're going to pay that ransom to be able to get

your data back off of your machine. And then as is area more sophisticated with the text messaging, you know, the number of times where you receive a text message from your boss that says, hey, I'm on vacation and I really needed to do me a favor and for organizations, I would really encourage them to establish what type of business is performed over a cell phone conversation.

Or a text message versus an in-person phone call. The biggest thing that was text message, kind of smishing attacks or trying to do is, is to get you to go buy something. You know, they create a sense of urgency in their request of your or your organization's president. Being in a conference and really needing some gift cards for whatever reason.

You know, they need those gift cards right away. Question those things why are they asking you for it?

That is so true. I mean, they are getting so clever. I'm on the board of a nonprofit organization and and I was on the executive committee as a VP. And yeah, they got our our numbers cell numbers or some I don't know how they got them, but but came up with a story like the president is in a meeting and really needs my help getting.

I'm like, it just was so this could happen. Right. And I'm just they they can then realizing where that information is out there in public, you know, helps you realize that that type of story can be created pretty easily and connected like you work at the same place. This is the president of the place you work. You know, all of that information is stuff that a lot of people have on their websites public websites acts.

Absolutely the social engineering aspect is is so critical and being aware of what's out what's out there about yourself. You know, when when you post that you're on vacation on your on your public Facebook page that anybody can see, you know, if somebody is is leveraging that information, they can even get creative to say, you know, I'm on vacation in Cabo and I need this.

And well, if you know that your boss is on vacation in Cabo, then that's just one more aspect that makes it so much more difficult to troubleshoot. But that comes back to the the aspect of the Cybersecurity Awareness Month with the theme of of it being people driven and how do people play a part in protecting themselves and the organization.

Yeah. So I know if it happens at work or with that work related things, I report it to you. But how about if it's I mean, you may be interested in what happens on my personal email, but are there places that that everybody should report them to or, you know, the whoever manages the, the mail site email site that I use is should I report those as well?

It's most definitely. If you're working within another organization, report them to your your security team, your I.T. team. There are resources out there to report does emails to the Center for Information Security, the government organization, as well as the FBI, which I would encourage anyone that has very legitimate phishing concerns or anything that they feel they've been a security member or a security breach or something that could potentially cause harm to them in the future or to their identity to definitely work with their local police department for for support there, just to make sure that there's nothing else they need to do on their part besides changing passwords and that sort of thing if they have

actually fallen for the for the breach. But there are resources out there to to forward those messages to with the FBI and the Center for Cyber Security.

Excellent. We'll include some of those links in the show notes then, too. So you mentioned that there's four and and we've been through three so what's the last one?

You know, finally, I think is really the most simple way to keep yourself safe, but update your software and these hackers and bad actors will exploit the flaws within an operating system, within an, you know, firmware of an old device that you might have in your home or on your network.

And people are out there trying to fix them. And when they find those things, they push out those updates. And the sooner you can patch those those bug fixes those security flaws, the better. It's those set your operating systems to automatically update on your mobile phone, your tablet, your laptops. Any application that's connected to the web should just automatically be reset to update.

It's just one more way to help keep yourself, help keep yourself safe

True. And you're right that that makes it easier for you if you have that auto and evil to to do that for you. All right. Well, these have been some great tips and it's not too many just these four tips. And we really appreciate you sharing those with us and with the community here on on the Connected Philanthropy podcast and I want to remind our listeners that we'll be including a couple of links that not only on where do we report or where other resources can be found on this topic.

So we appreciate you taking the time out of your day to Corey to to record this podcast. Do you have any final comments or advice to leave our listeners with?

Number one, I hope everyone leaves this podcast and turns on multi-factor authentication on every single system that my number one, you know, and we started this podcast with kind of an eye opening statistic of that.

91% of attacks beginning with a phishing email. And I don't want everyone to leave this leave listening this thinking that cybersecurity is always scary. There are very bad cyber criminals out there, and that's why we're trying to do our best to help educate, and that's why there's other cybersecurity experts out there in the world trying to help keep us safe.

But we need the human aspect of every individual that we work with to do their part in taking these four steps, watching for phishing emails, multi-factor authentication, longer password IDs, and patching their systems to be able to help secure and protect everyone else into the future.

That's great. I like it. And so now we've learned what us, the humans can do.

So if if you've learned something from today's Connected Philanthropy podcast, please share it with others who might also enjoy and benefit from it. And we look forward to connecting in our future webinars, podcasts and community discussions. We wish you all the best success. And again, thank you all for all that you do.