2. RoundTable Technology is a strategic partner who will work with your
organization to help you leverage technology to fulfill your mission.
We understand what it's like to be a nonprofit, working with limited
resources, budget, and people. That's why we only hire people who are
themselves driven by serving those who serve. We are currently supporting
over 200 nonprofit clients and helping them get their technology under
control.
6. A Little Jargon
Framework: A high-level structure that outlines what your security program covers and is
responsible for. Designed to create a common language for managing risk within an
organization (e.g. NIST CSF).
Control: The countermeasures an organization implements to detect, prevent, reduce, or
counteract security risks (e.g. MFA, backups, patching).
Standard: Collections of best practices created by experts to protect organizations from
cyber threats and improve their security posture (e.g. CIS Controls, ISO 27001).
Regulations: Legally binding. The way they describe how something must be performed
carries government and public backing for the rules and processes they set out
(HIPAA, GDPR).
7. What is Driving the Need for Cybersecurity?
● Laws: NYS SHIELD, GDPR, CCPA, TMRPA
● Compliance/Regulations: HIPAA, PCI
● Insurance Companies
● Auditors
● Data Privacy
● Partners
● Pandemics
● Oh, and cyber criminals!
10. Threat Modeling
Good security decisions begin with assessing your security posture.
To start, ask yourself the following questions:
1. What do I want to protect?
2. Who do I want to protect it from?
3. How likely is it that I’ll need to protect it?
4. How bad are the consequences if I fail?
5. How much trouble am I willing to go through to try to prevent
potential consequences?
Source: https://ssd.eff.org/module/seven-steps-digital-security
11. Imagine if a hacker gained access to…
the email account of a staff member with authority
to direct other staff members, or communicate with
a client or partner.
Imagine your reputational damage if…
your connections to other partners or customers
was exploited leading to their breach.
Imagine the disruption to your business…
if all of your files and records disappeared suddenly
and your systems used were inaccessible.
15. 5 Must Have Security Controls for Cyber Insurance
These controls will help satisfy most insurance requirements:
1. Multi-Factor Authentication (MFA) on all systems, especially admin accounts, email and remote access
2. Backups (tested, with at least one copy that malware on your network cannot reach)
3. Endpoint Detection and Response (EDR), not just traditional antivirus
4. Patch Management for endpoints
5. Ongoing cybersecurity training for staff
16. Ground Fruit 🐨
The Australian Cyber Security Centre's Essential Eight:
🍎 Application control (allow only approved applications to run)
🍎 Patching applications (run updates and use current versions)
🍎 Configuring Microsoft Office macro settings (keep macros micro: block macros from the internet, allow only vetted ones)
🍎 Hardening user applications (control what web browsers can do)
🍎 Restricting administrative privileges (keep regular and admin accounts separate)
🍎 Patching operating systems (run updates and use current versions)
🍎 Using Multi-Factor Authentication (MFA all the way!)
🍎 Ensuring daily backups (including the SaaS and cloud apps)
Source: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model
20. National Institute of Standards & Technology - Cybersecurity Framework (NIST CSF)
Five core functions: Identify, Protect, Detect, Respond, Recover
Identify: Organizations must identify and classify assets and develop an understanding of their environment, threats, and exposures in order to manage cybersecurity risk to systems, people, assets, data and capabilities.
Protect: Organizations must develop and implement the appropriate safeguards to prevent, limit or contain impact from potential cybersecurity events.
Detect: Organizations must implement appropriate measures to quickly identify cybersecurity events.
Respond: Should a cyber incident occur, organizations must have the ability to contain the impact, implement an effective response, and perform all required activities to remediate the incident.
Recover: Organizations must develop and implement effective activities to restore any capabilities or services that were impaired due to a cybersecurity event, and incorporate lessons learned into revised response strategies.
21. NIST CSF Checklist
Identify
● Asset Inventory
● Risk Assessment
● C/I/A
● Data Classification
● Regulatory Compliance
● Threat Modeling
Protect
● Defense in Depth
● Network Defense
● Endpoint Protection (EPP)
● SaaS Protection and Zero Trust
● Encryption
● Identity
● Human Layer
● People
Detect
● Endpoint Detection and Response (EDR)
● Monitoring and Alerts
● Honeypots
● Scanning (network, dark web, etc.)
● Managed Detection & Response (MDR)
● Extended Detection & Response (XDR)
Respond
● SOC / NOC / 3rd Party Responders
● Tabletops
● Incident Response Plan
● Cyber Liability Insurance
Recover
● Backups
● Business Continuity and Disaster Recovery (BCDR)
23. Know What You Have
Do you know your TechStack? An example inventory:
● Windows 10 - Most workstations running Windows 10. Mixed versions of MS Office. 2-8 years old, avg 5 years old.
● Windows 2008 Server - File sharing, Active Directory, QuickBooks, Volunteer DB (Windows Server 2008 left extended support in January 2020, so it no longer receives security patches)
● Filemaker Pro - Volunteer Management database, custom built 10+ years ago
● Salesforce NPSP - Salesforce Nonprofit Starter Pack for Donor Management
● Google Workspace - Email, calendars & some file sharing
● Shadow IT - Misc USB drives, DropBox and rogue Google Accounts
24. Risk Assessment
IDENTIFY ASSETS - tangible & intangible
IDENTIFY THREATS & VULNERABILITIES - internal & external
ASSESS CURRENT STATE - processes, systems, roles
EVALUATE RISKS - business impact; probability and impact assessment; prioritize risk mitigation steps
ASSIGN OWNERSHIP - a responsible individual for each risk
25. CIA Framework / Triad
Rate each piece of information on three questions:
C - Confidentiality: How bad would it be if the information was exposed?
I - Integrity: How bad would it be if the information was altered or corrupted (including records silently lost or deleted) without you knowing?
A - Availability: How bad would it be if the information was not available when you needed it?
Scale:
Low - Wouldn't care
Medium - Not great, but not catastrophic
High - Possibly catastrophic
27. Quantitative Assessment: The ALE you would prefer not to drink
● Estimate the cost of an incident - $77K*
● Estimate the annual probability - 30%
● Calculate a super simple ALE - 30% of $77K = $23,100
Annual Loss Expectancy (current state): $23,100
Takeaway: If we can reduce the probability to 10% through improved cybersecurity, ALE drops to $7,700, so the improvement is worth over $15,000 per year in reduced expected loss. Compare that figure against what the controls actually cost per year before deciding.
*Source: https://netdiligence.com/wp-content/uploads/2021/03/NetD_2020_Claims_Study_1.2.pdf
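The slide stops at the ALE reduction. The added example below (not from the RoundTable deck) carries the same arithmetic one step further into a return-on-security-investment (ROSI) comparison, so that a control's annual cost is weighed against the loss it avoids. The $77K and the 30% / 10% probabilities are the slide's numbers; the candidate controls and their costs are constructed assumptions for illustration.

```python
# Added example: ALE and ROSI for comparing candidate controls.
# The control names and annual costs below are constructed assumptions.

def ale(single_loss, annual_probability):
    """Annual Loss Expectancy = single loss expectancy x annualized rate of occurrence."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("annual_probability must be between 0 and 1")
    return single_loss * annual_probability


def rosi(ale_before, ale_after, annual_control_cost):
    """Return on security investment: (loss avoided - control cost) / control cost.

    Positive means the control pays for itself in expected loss; negative means it
    costs more per year than the expected loss it removes.
    """
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    avoided = ale_before - ale_after
    return (avoided - annual_control_cost) / annual_control_cost


def evaluate_controls(single_loss, current_probability, controls):
    """Rank candidate controls by ROSI, best first.

    controls: list of dicts with 'name', 'new_probability', 'annual_cost'.
    Returns a list of (name, ale_after, avoided_loss, rosi) tuples.
    """
    before = ale(single_loss, current_probability)
    rows = []
    for c in controls:
        after = ale(single_loss, c["new_probability"])
        rows.append((c["name"], after, before - after, rosi(before, after, c["annual_cost"])))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


# Slide figures: $77K per incident (NetDiligence 2020 claims study), 30% annual probability.
SINGLE_LOSS = 77_000
CURRENT_PROBABILITY = 0.30

# Constructed candidates. Insurance is modelled as leaving probability unchanged
# because it transfers loss rather than preventing the incident.
CANDIDATE_CONTROLS = [
    {"name": "MFA + EDR + patching + training", "new_probability": 0.10, "annual_cost": 6_000},
    {"name": "Cyber insurance only", "new_probability": 0.30, "annual_cost": 3_000},
    {"name": "Premium managed SOC", "new_probability": 0.05, "annual_cost": 30_000},
]

if __name__ == "__main__":
    print(f"Current ALE: ${ale(SINGLE_LOSS, CURRENT_PROBABILITY):,.0f}")
    for name, after, avoided, r in evaluate_controls(SINGLE_LOSS, CURRENT_PROBABILITY, CANDIDATE_CONTROLS):
        print(f"{name}: ALE after ${after:,.0f}, avoided ${avoided:,.0f}/yr, ROSI {r:+.0%}")
```

The ranking makes the slide's point concrete: the $6K/yr bundle of basic controls avoids about $15.4K of expected loss and comes out well ahead, while a $30K/yr managed SOC avoids more loss in absolute terms but, at this organization's size, costs more than it saves.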
32. Training
● Social Engineering
● Phishing/Smishing/Vishing
● Policies
● Environmental Awareness
● Open Source Intelligence (OSINT)
● Security Culture
● Repeat
33. Password
Four passwords, from weaker to stronger:
● 123456 - weaker; easy to remember, easy to type (and at the top of every attacker's list)
● X9fg44!2 - weaker than it looks; difficult to remember and type, and only 8 characters
● 45gg$5609932fc% - stronger; difficult to remember and type (fine if a password manager types it for you)
● I like to eat pickles 2 days a week. - stronger; easy to remember, easy to type
● The average person has to log on to over 170 sites/services and only has 3 to 19 passwords
● Lots of weak, shared passwords (or password patterns)
● Lots of passwords that are easy for adversaries to guess
● One compromise more easily leads to other compromises
Think Passphrases - Not Passwords
Source: How Secure Is My Password? | Password Strength Checker (never paste a password you actually use into an online checker; test a similar pattern instead)
34. Password Managers
Allow you to create and easily use unique, strong, perfectly random
passwords for each site/service
● Passwords made up by people tend to be guessable within the
lifetime of the password, most within hours to days
● A user-created password needs to be 20 characters or longer before
it is impractical to guess or crack, whereas a 12-character perfectly
random password is already beyond practical offline cracking
● Help protect against phishing: the manager only autofills on the site
the credential was saved for, so a look-alike domain gets nothing
● Audit your passwords (reused, weak, or found in known breaches)
● Share passwords securely
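To show why a 12-character random password beats a 20-character human one, here is an added example (not from the slides) that generates passwords and passphrases the way a manager does, with `secrets` rather than `random`, and compares the size of the guess space. The eight-word list is a constructed stand-in for a real 7,776-word diceware list, the "human pattern" model (dictionary word + two digits + one symbol) is a deliberately crude assumption, and the guess rates are assumptions too.

```python
import math
import secrets
import string

# Added example: generate credentials from the CSPRNG and compare guess spaces.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed stand-in; a real list such as the EFF long list has 7,776 words.
SAMPLE_WORDS = ["pickle", "eat", "week", "day", "lamp", "river", "stone", "cloud"]
DICEWARE_LIST_SIZE = 7776

OFFLINE_RATE = 1e11  # assumption: ~100 billion guesses/s, GPU rig against a fast hash
ONLINE_RATE = 100    # assumption: ~100 guesses/s against a rate-limited login form


def random_password(length=12, alphabet=PRINTABLE):
    """Uniformly random password; every position is an independent CSPRNG draw."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=4, wordlist=SAMPLE_WORDS, sep=" "):
    """Diceware-style passphrase: each word drawn uniformly from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(pool_size, length):
    """Entropy of a uniformly random string of `length` symbols: log2(pool^length)."""
    return length * math.log2(pool_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case years to try every candidate (expected time is half of this)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_styles():
    """Entropy (bits) of the password styles discussed on the slide."""
    return {
        "12 random printable chars": entropy_bits(len(PRINTABLE), 12),
        "4 diceware words": entropy_bits(DICEWARE_LIST_SIZE, 4),
        "6 diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
        # crude model: 50k dictionary words x 2 digits x 10 common symbols
        "8 chars, human pattern": math.log2(50_000 * 100 * 10),
    }


if __name__ == "__main__":
    print("example password:  ", random_password())
    print("example passphrase:", random_passphrase())
    for style, bits in compare_styles().items():
        print(f"{style:28s} {bits:5.1f} bits  "
              f"offline: {years_to_exhaust(bits, OFFLINE_RATE):.2e} yrs  "
              f"online: {years_to_exhaust(bits, ONLINE_RATE):.2e} yrs")
```

Twelve random printable characters give about 79 bits, roughly 150,000 years at a hundred billion guesses per second; the human "word + digits + symbol" pattern is closer to 26 bits and falls in well under a second offline. A six-word passphrase lands in the same range as the random 12 characters while staying typeable, which is the slide's "passphrases, not passwords" point.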
40. Device Checklist
❏ Antivirus / Anti-malware
❏ Current OS and Software
❏ Screen Lock
❏ Strong Device Password
❏ OS and Security Updates
❏ Hard Drive and Device Encryption
❏ Website Filters
❏ Camera Cover
❏ Good Home Wifi Security
41. Additional Checklist
❏ Web, Application, and Network Firewalls
❏ Mobile Device Management
❏ Proper Cloud/SaaS Application Configuration
❏ Patching and Updates
❏ Website Updates
42. POLL #3
When was the last time you provided
measurable security awareness training
to your staff?
44. Alerts
MS365
● Microsoft 365 alert policies - Microsoft Purview (compliance)
● Real-Time Alerting with Microsoft 365 Alert Policies - Office 365 Reports
Google Workspace
● Configure alert center email notifications - Google Workspace Admin Help
46. Monitoring and Scanning
❏ Identify look-alike domains - Domain Doppelganger
❏ Email and phone data breaches - Firefox Monitor / Have I Been Pwned
❏ Website vulnerabilities - Sucuri SiteCheck
❏ Network scans - Angry IP Scanner
❏ Network monitoring - Changes in your network | runZero
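Look-alike domain checkers such as the one listed above work by generating the typo, homoglyph and affix variants of your domain and seeing which ones exist. The added example below (written for this page, not code from any of the tools listed) does a simplified version of that for a single domain. `example.org` and the affix and TLD lists are constructed choices; `registered()` needs network access and is only a starting point, since a domain that does not resolve today may still be registered.

```python
import socket

# Added example: generate look-alike ("doppelganger") candidates for your own domain.
# Substitution map and affix/TLD lists are constructed; extend them for your case.
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5",
              "m": "rn", "w": "vv", "d": "cl"}
AFFIXES = ("login", "mail", "secure", "my", "support")
COMMON_TLDS = ("com", "org", "net", "co", "info")


def lookalikes(domain):
    """Return a sorted list of look-alike candidates for `domain` (original excluded)."""
    label, _, tld = domain.lower().partition(".")
    candidates = set()
    # 1. character omission: exmple.org
    for i in range(len(label)):
        candidates.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    # 2. adjacent transposition: exmaple.org
    for i in range(len(label) - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        candidates.add(f"{swapped}.{tld}")
    # 3. doubled character: exaample.org
    for i in range(len(label)):
        candidates.add(f"{label[:i + 1]}{label[i]}{label[i + 1:]}.{tld}")
    # 4. homoglyph substitution, one position at a time: examp1e.org, exarnple.org
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            candidates.add(f"{label[:i]}{HOMOGLYPHS[ch]}{label[i + 1:]}.{tld}")
    # 5. hyphenated affixes that phishers favour: example-login.org, my-example.org
    for affix in AFFIXES:
        candidates.add(f"{label}-{affix}.{tld}")
        candidates.add(f"{affix}-{label}.{tld}")
    # 6. TLD swap: example.com, example.co
    for alt in COMMON_TLDS:
        if alt != tld:
            candidates.add(f"{label}.{alt}")
    candidates.discard(domain.lower())
    return sorted(candidates)


def registered(domains):
    """Return the candidates that currently resolve in DNS (requires network)."""
    found = []
    for d in domains:
        try:
            socket.gethostbyname(d)
            found.append(d)
        except socket.gaierror:
            pass
    return found


if __name__ == "__main__":
    cands = lookalikes("example.org")
    print(f"{len(cands)} candidates, e.g. {cands[:5]}")
    # print(registered(cands))  # uncomment to check live DNS
```

Run this against your real domain on a schedule and alert on newly resolving names; a candidate that starts resolving is worth a look at its MX and web content before a staff member receives mail from it.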
57. Backups - Cover Your SaaS
Your data in the cloud is still vulnerable to loss and breaches. The provider keeps the service running; keeping your data recoverable is on you. Reasons include:
Human error: Everyday human errors account for up to 64% of data loss incidents according to Aberdeen research. Employees inevitably delete the wrong email, contacts, or critical configurations.
Malicious insiders: Employee action is involved in up to 23% of all electronic crime events, according to the CERT Insider Threat Center at Carnegie Mellon University's Software Engineering Institute.
Illegitimate deletion requests: SaaS providers will honor your deletion request without question. They have no way of knowing whether it is a hasty (or malicious) request, and they are not responsible for any unexpected results.
Malware and viruses: Rogue software can spread mayhem with programmatic efficiency without an active attack from a hacker. Some malware sits dormant for a long time before activating, which makes it hard to defend against and means your most recent backups may already contain it.
Synchronization errors: Syncing or updating multiple SaaS applications, a common scenario in organizations, is not always seamless and can cause loss of SaaS data.
Hackers, malware, ransomware, cryptomining, phishing: There is an ever-growing list of malware types and scams. Social engineering that targets employees with phishing and whaling attacks is proving incredibly successful, according to Verizon's data breach report. The damage from such breaches is devastating not only in financial terms; it also harms the organization's reputation and costs it customers.
59. Business Continuity and Disaster Recovery
BCDR Inventory Example
Columns:
Information - What is this information called?
Description - What it contains.
Location - Where is this information housed?
Recovery Point Objective (RPO) - The amount of data at risk. It is determined by the time between backups and reflects how much data could potentially be lost during a disaster recovery.
Recovery Time Objective (RTO) - How long it takes to recover from a data loss event and return to service; in other words, how long the system's data is unavailable.
Recovery Level Objective (RLO) - The level of granularity required for restoration. For example, is it sufficient to restore the entire database from a point in time, or do you need the ability to restore a specific record?
In-place Safeguards - What existing protections are in place for the backup and recovery of this data/service?
Comments - Any changes to be made or questions to investigate.

Information | Description | Location | RPO | RTO | RLO | In-place Safeguards | Comments
Salesforce CRM database | - | Salesforce (Cloud) | 4 hours | 24 hours | Record level restore | Basic Salesforce Retention | Review restore options and consider backing up with Spanning
Email | All organizational email | Gmail (G Suite for Nonprofits) | 4 hours | 4 hours | Full single mailbox restore acceptable | Spanning.com | Satisfactory
File Shares | All organizational files | File Server (in-house) | 24 hours | 24 hours | Individual file restore | USB Backup Drives (onsite) | Look into offsite backup option with Crashplan or BackBlaze
Voice | Phone system | Dialpad (Cloud) | 24 hours | 1 hour | Full system restore acceptable | None | Document administrative accounts and authorized personnel
Website | Organization's website | WordPress, hosted at BlueHost | 24 hours | 1 hour | Full site restore acceptable | Unknown | Speak with BlueHost, gain understanding of backup/restore options and what is already in place
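An RPO in an inventory is only a target until you check it against when the last successful backup actually ran. The added example below (not from the slides) takes the inventory rows above, with constructed "last backup" timestamps, and reports every entry whose newest backup is older than its RPO or whose safeguard is still "None" or "Unknown". The timestamps and the reference time are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Added example: check a BCDR inventory against its stated RPO.
# Rows mirror the slide's example; last_backup values are constructed.
INVENTORY = [
    {"name": "Salesforce CRM database", "rpo_hours": 4,
     "safeguard": "Basic Salesforce Retention", "last_backup": "2024-03-01T05:00:00Z"},
    {"name": "Email", "rpo_hours": 4,
     "safeguard": "Spanning.com", "last_backup": "2024-03-01T09:30:00Z"},
    {"name": "File Shares", "rpo_hours": 24,
     "safeguard": "USB Backup Drives (onsite)", "last_backup": "2024-02-27T22:00:00Z"},
    {"name": "Voice", "rpo_hours": 24, "safeguard": "None", "last_backup": None},
    {"name": "Website", "rpo_hours": 24, "safeguard": "Unknown", "last_backup": None},
]

UNVERIFIED = ("None", "Unknown")


def parse_utc(stamp):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rpo_findings(inventory, now):
    """Return {name: reason} for each row that would miss its RPO or has no verified backup."""
    findings = {}
    for row in inventory:
        if row["safeguard"] in UNVERIFIED or row["last_backup"] is None:
            findings[row["name"]] = "no verified backup in place"
            continue
        age = now - parse_utc(row["last_backup"])
        if age > timedelta(hours=row["rpo_hours"]):
            hours = age.total_seconds() / 3600
            findings[row["name"]] = (
                f"last backup {hours:.1f}h old exceeds RPO of {row['rpo_hours']}h")
    return findings


# Constructed reference time so the run is reproducible; use datetime.now(timezone.utc)
# when checking real backup logs.
NOW = parse_utc("2024-03-01T10:00:00Z")

if __name__ == "__main__":
    for name, reason in rpo_findings(INVENTORY, NOW).items():
        print(f"{name}: {reason}")
```

Feed `rpo_findings` from your backup tool's job history rather than a hand-typed list, and treat a "no verified backup" result as a task for the Comments column: the Voice and Website rows above are exactly the ones whose restore path nobody has confirmed.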
61. Center for Internet Security Controls v8
The CIS Controls were originally developed in 2008 to help small and
mid-sized organizations manage complex cybersecurity requirements.
This changed the discussion from "what should my enterprise do" to
"what should we ALL be doing" to improve security.
Earlier versions (v7) grouped the controls into three categories: Basic Controls,
Foundational Controls, and Organizational Controls. Version 8 drops those categories
and instead organizes 18 controls by Implementation Group (see the next slide).
CIS Controls are meant to apply easily to any industry or sector.
Many CIS Controls can be directly mapped to both NIST CSF and ISO 27001.
Source: https://storage.pardot.com/799323/1638289699nZsVAZCD/CIS_Controls_v8_Mapping_to_NIST_CSF_FINAL_06_11_2021.xlsx
63. CIS Implementation Groups
The CIS Controls framework then goes even further to define
three Implementation Groups (IGs).
● IG1 is for organizations with limited resources and
cybersecurity expertise; CIS calls it "essential cyber hygiene".
● IG2 is for organizations with moderate resources and
cybersecurity expertise.
● IG3 is for mature organizations with significant resources
and cybersecurity expertise.
Each group builds on the previous one, so IG2 includes everything in IG1.
Under each of the 18 controls, the framework lists Safeguards
(called sub-controls in v7), marked to indicate which
Implementation Group should be implementing them.
For example, CIS Control 1 "Inventory and Control of Enterprise
Assets" lists Safeguard 1.3 "Utilize an Active Discovery Tool" as
appropriate for Implementation Groups 2 and 3 but considered
too much of a burden for Group 1.
67. Public Resources
● ACSC publications
● Strategies to Mitigate Cyber Security Incidents | Cyber.gov.au
● The 18 CIS Critical Security Controls
● CIS Controls v8 Cloud Companion Guide
● https://learn.cisecurity.org/Establishing-Essential-Cyber-Hygiene
● Top 25 Cybersecurity Frameworks to Consider |… | SecurityScorecard
● Cybersecurity for Small Business | Federal Trade Commission
● CYBERSECURITY BASICS
● Cybersecurity Framework | NIST
● Canarytokens
● https://storage.pardot.com/799323/1638289699nZsVAZCD/CIS_Controls_v8_Mapping_to_NIST_CSF_FINAL_06_11_2021.xlsx
● CIS Controls Self Assessment Tool (CIS CSAT)
68. Takeaway
● Pick up that ground and low hanging fruit
● Inventory everything
● CIA it
● Threat Model it
● Apply your Framework
● Use your CIS Controls
● Grind away!
69. What Next?
Go to NonprofitIT.com/cpa to
Schedule a Discovery Call to learn about a
Free Cybersecurity Posture Analysis
Cybersecurity
Posture Analysis
3rd party vulnerability scan
● Easy to understand report
● Identifies, tests, and highlights
network vulnerabilities
● Typically costs $297