
CyberCAN: A Roadmap for Municipal Support of Nonprofit Cybersecurity in SF

BSidesSF · 2025 · 40:20 · 73 views · Published 2025-06 · Watch on YouTube ↗
Style: Talk

About this talk

CyberCAN: A Roadmap for Municipal Support of Nonprofit Cybersecurity in SF
Sarah Powazek, Shannon Pierson

UC Berkeley studied 68 San Francisco nonprofits to assess their cybersecurity needs, resources, and adoption of protective controls. Our findings include actionable recommendations for the City of San Francisco to improve support for nonprofits and boost resilience against growing cyber threats.

https://bsidessf2025.sched.com/event/909d7dfa6f37593c7e7b9a4bdf0f12e4

Transcript [en]

All right everybody, let's get started. This is the first session after lunch, and our speakers are Sarah Powazek and Shannon Pierson. Their topic is CyberCAN: A Roadmap for Municipal Support of Nonprofit Cybersecurity in SF. I want to remind you all that we will take Q&A questions through Slido, so make sure you have the Slido app on your phone. If you don't have the Slido app, you can still participate if you go to slido.com and type in bsides, or you can also type in bsidessf.org/qna. After the talk, the speakers will chat with you at City View. If you have questions, we encourage you to walk with the speakers upstairs so that we don't crowd the aisles here, cause a safety hazard, and get myself and John here in trouble. And then one reminder: you can support the charities EFF, Internet Archive, and California Community Foundation by buying a t-shirt by the coat check on the fourth floor. T-shirt sales go until 5:30 p.m. today. And that is all for me. Take it away, Sarah and Shannon.

Thanks. Good afternoon, everyone. Good to see everybody. You're so full from lunch. It's nice to meet you. My name is Sarah Powazek. I'm the program director of public interest cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity. Bears. Go Bears. Go Bears.

And my name is Shannon Pierson. I'm a senior fellow in the public interest cybersecurity program.

So, you probably haven't heard the term public interest cybersecurity, but instead of explaining it, I'm going to show you our brand new sticker, which describes public interest cybersecurity as the idea that community security is the same thing as national security. What we mean by that is that oftentimes when you look at an individual organization alone, even if it was hit by the worst ransomware attack in the world, it doesn't really meet the threshold of a national security threat. But we believe that taken as a whole, all these sorts of organizations that uphold public life really do meet that threshold, and that we need to start thinking of local cybersecurity in the same breath as national cybersecurity so that we can give them the same types of resources that we do for the very, very large companies.

So we're here to talk to you today about nonprofit cybersecurity. You all probably know this very well, so I won't belabor the point, but typically the organizations that provide essential public services tend to be the least prepared to deal with cybersecurity threats. This is especially true for nonprofits. They have very small budgets, they have very small staff, and they provide really critical services that don't handle downtime very well. We're talking about organizations like food banks, homeless shelters, addiction services, legal services. If you don't make use of these, you might not think of them very often, but if you're one of the people that depends on these to get through life, you very much notice their absence. And we don't want these nonprofits to be on their own for cybersecurity. So that is what this project is about.

A couple of nonprofit cyber incidents that I think help illustrate this point. One: in 2020, a hunger relief organization in Philadelphia lost nearly a million dollars due to a cyber attack, which forced it to redirect funds that it was using to build a community kitchen where folks could come in and cook healthy meals together. So that really illustrates the fact that when nonprofits lose money, it takes money directly away from their missions. They don't have a ton of overhead, which is the funds that they use to pay salaries or buy extras; most all of their funds are going directly towards their mission. So when they lose money, either recovering from an incident, actually having to pay a ransom, or having money stolen from them directly, that money is coming away from direct resident services.

The second: in 2022, cyber criminals stole the personal data of more than half a million people from the International Committee of the Red Cross. This was big news in 2022, and it illustrates another risk that nonprofits face with cybersecurity, which is that they're often working with our most vulnerable populations, folks that really rely on them for services. And so they have very sensitive information about people, such as people separated from their families, missing persons, refugees. So this type of information is all the more important to protect.

Now, before I talk about our research project, I wanted to give one flag, which is that we care a lot about studying these communities and we care a lot about helping them directly. We are researchers. We're here to present our research. But there are lots of programs that do provide direct assistance to nonprofits that we want to give shoutouts to. One of which is the UC Berkeley Cybersecurity Clinic, which is a program that trains students at Berkeley, graduate and undergraduate, in any degree program, to provide a pro bono risk assessment to nonprofits, totally for free. They support organizations at Berkeley that are facing politically motivated threats. So they've worked with sexual and reproductive healthcare organizations, with refugee assistance organizations, with anti-human trafficking organizations, and they provide that completely for free. And

we're going to bring that up a little bit later, but I wanted to shout out that even though we're not directly helping these organizations, we care a lot about helping get them this assistance, and we hope that this research will help connect nonprofits to even more resources to help improve their cybersecurity.

So on that note, this project really came about from the idea that cities actually should be hubs of cyber defense. People typically think about cities as victims. We see cities as ransomware victims in the news pretty much every week now. But they're not typically thought of as part of the solution. And we believe that especially large, highly technical cities like San Francisco can be a huge part of the solution of protecting under-resourced organizations, for these three reasons that I'll go over very briefly. One, they already have working relationships with nonprofits. Many, many cities actually give grants directly to nonprofits that are providing these sorts of direct services for residents. They have an established relationship; there's trust there, which you all know is so important in getting folks to make cybersecurity changes. Number two, they have special knowledge about public interest cybersecurity. Who better than the city IT worker to understand budget constraints, to understand how important the mission of the work is, and how to do a lot with what you're given. And three, cities' digital equity objectives align with cybersecurity. Many cities, including the City of San Francisco, have digital equity departments whose entire job is to make sure that technology is available to everybody who needs it, and that everybody who needs it is safe when they use it. So there's a lot of specialized expertise within cities that matches really well to this type of work.

Yeah. And our center is not too far away from San Francisco. We're just across the bay, and we have a really close relationship with San Francisco's Department of Technology. This is the department that's responsible for protecting all of the city's digital assets and securing all of the city's networks. We talk with them all the time about the many ways that they ensure that the data that they have and manage from residents is stewarded correctly and safely, as well as ensuring the continuity of operations of a lot of important city services: if they suffered a cyber incident, what would they do? So we've learned a lot from them. We talk a lot with them, and they're really unique in that they have been asking questions about how they can do more. How can the City of San Francisco's Department of Technology potentially extend its resources to nonprofits? As Sarah said, the city does provide grants to nonprofits in order for those nonprofits to provide different services, like social services, that the city just may not have the infrastructure to do. In a way, they are kind of extensions of city infrastructure, and that's kind of the perspective of the Department of Technology of San Francisco. So they have working relationships with these nonprofits and had heard anecdotally that the nonprofits were struggling, specifically with business email compromise and phishing scams. But these were anecdotes, and they didn't have any hard data. So they called upon us to generate some more information about this, so that we could understand what specifically nonprofits are struggling with in terms of cybersecurity. What resources do they have? What resources do they want? And to come up with some ideas for what the City of San Francisco could actually do to improve the situation.

Getting ahead of myself, sorry. Yes, so we figured that the best way to do this would be to deploy a bulk virtual survey, which we sent to every nonprofit that we could find within San Francisco, so around 220 of them. And we started mapping out the kinds of questions and topics that we wanted to learn about. But we figured that before we started, it might be wise for us to get some face time with these nonprofits. So what we did was we hosted a workshop downtown with the Department of Technology, and we invited nonprofits to come by. We offered a small workshop on how to get started with building out a cybersecurity program at a nonprofit. We pointed to some pro bono, affordable resources that they could use to start building out some of their cyber resiliency efforts. But then we sat down with them and we just had a very honest conversation about: what are you struggling with? What do you need? And what would be useful if the city could provide it? We were pleasantly surprised that the nonprofits were so candid with us. Many shared experiences of getting burned, in terms of experiencing a cyber incident. One nonprofit shared that they had fallen victim to a gift card scam and explained how that impacted their ability to deliver on some grants. Another nonprofit explained their issues with turnover in terms of staffing, and how that can affect knowledge of IT resources throughout the organization, and credentials, and things like that. So these conversations helped us identify topics that we wanted to learn more about in the survey. So we included that, and then we also turned to baseline cybersecurity controls to guide the questions. We looked at a lot of them, and the two that we relied on the most were the CIS Security Controls, Implementation Group 1, which is the baseline standard for cyber hygiene within an organization, and CISA's catalog of bad practices, which organizations that are a part of critical infrastructure or serving critical functions should definitely not do. So we included that in the survey as well. Then, once we had a list we felt comfortable with, we did a three-week pilot with the nonprofits. We

asked for some feedback from them. We made it shorter. We removed a bit of technical jargon or provided some definitions along the way, as they just needed a little bit of clarification. And then we deployed the survey. The survey had a couple of different parts to it. Ultimately it was 20 questions: 15 questions asked about the cybersecurity resources that they have and then the cybersecurity resources that they wanted. The second part of the survey we kept optional. This was about five questions, focused on asking some questions about cyber hygiene. We kept this optional just because it was a lot of sensitive information, and it was at the request of the city, and it gave us a baseline of nonprofits' current cybersecurity practices within their organization: asking about MFA implementation across different platforms utilized by the organization, and software update cadence. As a carrot and stick incentive, we provided customized feedback to nonprofits. We learned in the workshop that nonprofits wanted us to make it worth their time, and they were talking about how they were struggling to know where to start. So based upon the answers in that section, we were able to provide some first-step guidelines, some toolkits, to guide them for their first steps into this.

And we received 68 responses to our survey. About 66% completed that optional survey addendum, and it ran the gamut in terms of size. So for the size of organizations that were surveyed, it ran from nonprofits that had at least two full-time staff employees to 700, which is huge, and they provided a lot of important services to the city. The most common service was workforce development and employment services, so the nonprofits helping the members of our communities that are out of work and are looking for jobs. And the two other most common were arts and culture, and housing support services.

So what did we learn? What were our findings? We walked away with five key findings that we're going to delve into deeper, and I'm going to hand it off to Sarah.

Great. Thanks, Shannon. We're going to go through these one by one, so don't worry about catching everything on this slide. And also, this is your reminder that if you have questions, especially about our findings, you should pull up Slido and type them out, because it's going to be a lot of information, a lot of graphs, and we genuinely want to go deeper, especially if folks are interested in them.

So, finding number one: nonprofits are frequent targets of cyber crime and remain attractive targets by collecting sensitive information. Shocking. But it is actually really important to prove this with data, versus just talking about it as if it's a problem, because it helps us get more resources towards it if we can prove it, if we have exact information about what resources they are lacking, what data they are collecting. So we did that. 85% of the nonprofits we surveyed had suffered at least one type of cyber attack. Overwhelmingly, and many of these can be combined, so you don't have to think of these as necessarily separate types of attacks, 85% described that as phishing, 32% business email compromise, 29% credit card or bank account fraud. Very overwhelmingly financial fraud-based, which totally makes sense for the sector. We weren't surveying very many political targets, so we're assuming that these are mostly commercial targets, trying to get after their finances. And 75% of nonprofits collect social security numbers. So this is one of our scariest takeaways. We knew that some of them collected sensitive information. We didn't know exactly how many nonprofits were collecting this kind of sensitive information. So we asked in particular: contact information, names, home addresses; almost everybody collected those. Social security numbers, other sensitive non-public information: almost three-quarters of organizations collected that. And we also asked about financial information and health information: 61% and 32% respectively. So you can see that many of these organizations have data worth stealing, to be very honest. And that means that we need to either help them understand whether or not that data is important enough for them to collect, and if it is, we need to help them better protect that data.

Finding number two: nonprofits lack the staff they need to protect themselves against cyber attacks. Staffing is very important because cybersecurity is a human problem, and without humans there to help you understand, to help you walk through the issues, you're going to have a really hard time implementing the fixes that you need. So we surveyed this, and I think this is one of the most interesting parts of our findings. Over half of the organizations that we surveyed had absolutely no full-time IT staff. 21% of them had only one. So that's over 70% of them having one or fewer. And again, Shannon said we're talking about organizations as small as two people, but as large as 700. And of the nonprofits that have any IT or cybersecurity staff at all, the ratio of full-time IT to full-time and part-time staff at the organization is 1 to 96. So that means that every full-time IT staff member is responsible for securing about a hundred people at the organization, which is a really, really high ratio. For context, the closest metric that we could find in the nonprofit sector for the ratio of full-time IT to full-time staff was about 1 to 33. So this is nearly three times higher. Here's the distribution. This is just a different way of looking at the same data. You can see that the vast majority of the organizations clustered around zero and one full-time staff, and the rest hovered around two, three, or four, although you can see that none of them had any more than five full-time IT staff, which is not surprising to us for reasons that we'll come to soon.

So you might ask, well, if they don't have full-time IT staff, surely they're hiring a vendor, they're outsourcing that, and someone

else who has that expertise is providing them with these services. Not necessarily. So we asked about this, and not everybody understood whether or not they used an MSP or an MSSP, which is okay; we had that option. So there's the 24%: they don't know. 40% of them claimed to use some sort of managed service. That could be a managed security service, so maybe a SOC, or a managed service, so maybe IT. 37% said that they do not use MSPs. But what we assumed was that the folks that didn't have IT staff were using vendors instead. And what we found was the opposite: organizations that already had full-time IT staff were more likely to use MSPs and MSSPs than those without. This idea of the cyber poverty line, which you heard Wendy talk about this morning in her keynote, perpetuates itself: there are those that have and those that have not, and the have-nots really don't have anything. And that was sad for us to find, because we're thinking that there are many nonprofit organizations with no staff and no vendors that are really on their own here with cybersecurity.

We also found that nonprofits have moderate adoption rates of some of the most basic, essential, and empirically backed cybersecurity controls. However, there are gaps. So our findings here indicated to us that nonprofits do, at least at some level, understand that they need to pay attention to cybersecurity. They have some level of cyber literacy. But they often are not implementing these controls to the fullest extent. So when we asked about MFA implementation, what we found was that about 16% of nonprofits do not use MFA at all on any platform utilized by their organization. We also found that 61% of nonprofits do have MFA set up for email and collaboration tools. This was not totally surprising to us, especially as many of these nonprofits use platforms like Google Workspace or Microsoft Teams, which provide MFA and prompt users to set it up. However, between the 16% and the 61% there's a lot of lack of coverage in terms of MFA deployment across all platforms utilized by the organization. And we suspect that this might be related to many nonprofits experiencing phishing attacks or business email compromise. So this to us was quite concerning, but also not very surprising.

We also asked about the cadence of computer software and operating system updates by nonprofits. The frequency fell into two different groups. For 50% it was relatively regular, and then for the other 50% it was quite infrequent. So for the top 50%, around 34% have auto updates on their computer software and operating systems, and 16% update every single month. However, for the 50% where it's a lot less clear, 20% update whenever there's time, 20% update on an alternate timeline. This conveyed to us that the organization probably doesn't have a policy and is probably not very frequently tracking. Many nonprofits also described a more frequent but still laggy update cadence: 7% every six to 12 months, and 2% every three to six months.

So we also wanted to ask nonprofits directly: what specifically is getting in the way of you addressing cybersecurity within your organization? We decided to ask this question in two ways. We had a free response section, but we also provided them a question where they were asked to rank the types of obstacles that got in the way. We composed this list by doing a literature review as well as from our knowledge in the field. So the kinds of barriers that we gave them were: our organization struggles to prioritize cybersecurity; our organization doesn't necessarily know where to start with cybersecurity; also options like leadership doesn't care about cybersecurity, or the culture of the organization is very resistant to the changes that a focus on cybersecurity would bring. So what we found is that around 89% of nonprofits ranked prioritization in their top three barriers. This made sense, as many nonprofits really do struggle to make that trade-off: do we invest our time and our money into focusing on cybersecurity when that doesn't seem entirely directly related to their mission of opening a new food bank, or hosting a new event for an arts and culture nonprofit? We also found that the number one ranked barrier was funding. This also is unsurprising, as nonprofits are often operating on a very small budget and oftentimes struggle to bring on full-time employees that are paid. As I mentioned, some of these nonprofits only have two people working there, and then often rely on an army of volunteers to carry out the service delivery of their organization. We also found that many nonprofits aren't able to spend the funding that they receive in donations or in grants on cybersecurity. Many nonprofits, as you can see here on this chart, receive grants from the city, from the state, from federal sources, foundations, and these grants oftentimes come with caps on overhead. They're funding programs that solve a particular problem, and then a small amount is dedicated to paying overhead costs like people's salaries, rent, keeping the lights on, and that 10% has to cover a lot of different needs by the organization, including technology. And cybersecurity oftentimes just falls at the bottom of the list. So we identified that as a bit of an obstacle.

So we could have stopped there. We could have, from our understanding of the cyber hygiene of these organizations and our understanding of their have-nots,

made recommendations on what the city could provide. But we didn't want our recommendations to exist in a vacuum and to not engage with the nonprofits about what would actually be helpful to you. If the city provided it, would you actually use it? So we wanted to ask nonprofits directly what kinds of resources they would find helpful. We found that the top things that nonprofits needed and desired were a city helpline, different kinds of software and tools, and proactive consulting. What was interesting to us was that while in the previous finding we found that funding was identified as the biggest barrier to focusing on cybersecurity, it was one of the least ranked desired resources. What nonprofits really wanted were human solutions: solutions where a person was helping them walk through deploying cybersecurity controls within their organization, someone to explain. That was also echoed through the workshop, because a lot of nonprofits communicated that they just didn't have the cyber literacy to get started with cybersecurity in their organization. So most folks wanted a city helpline, proactive consulting, and, in terms of software and tools, what they were looking for were password managers, email fraud detection tools, as well as SIEM software.

Right. Policy recommendations. So we ended up making six recommendations under three topic areas. And I want to caveat this by saying that there's a million things that could be done that would help nonprofits. We specifically focused our recommendations on something we could deliver to the City and County of San Francisco, to say: here's what you could do. Here's what you uniquely, as the city and county with your exact resources, could contribute to this issue of nonprofit cybersecurity. So we focused on three areas: education, resource coordination, and implementation.

The first piece was on education. And I'd like to say that this does not mean education that cybersecurity is a problem. Something that I hear a lot is that organizations don't care about cybersecurity, they don't know anything about it, they don't see it as a risk. That was not what we heard in this survey. What we heard was they know that it's a problem and they just don't know what to do about it. They don't know what they could possibly do to make it better, they don't know where to start, and they're overwhelmed. So when we say education, we're talking about connecting them to useful resources, to grant funding, to someone that they can call if they're hit with a ransomware attack. Those are the types of education pieces that we thought they needed. So the first is providing regular cybersecurity advice and assistance. This is aiming at solving the problem of "where do I start?" We actually worked with the CISO of the City and County of San Francisco, a wonderful person, and he actually volunteered to serve as a virtual CISO for these nonprofits. He said, "I would love to be in a capacity where I can actually take their calls and give them advice without them having to hire a full-time IT person." We said, "Great, we're going to put that in our report. We hope you do that." Number two is to host an annual cybersecurity convening. Something that we weren't expecting out of the workshops that we held before we even sent the survey out was how valuable the nonprofits found it to just be connected to people at the city who knew things about cybersecurity, and to people in the regional cybersecurity community. So we brought in a representative from the San Francisco FBI field office and the local CISA Region 9 cybersecurity adviser, and they found it so valuable even to get the basic talk from those people about what they should do, to send them a few resources via PDF. That was immeasurably helpful for these organizations: to have a face and a number to call when they are in trouble. So we recommended that the city actually host that as a regular convening: bring in folks from CISA, bring in folks from the FBI, bring in local companies that are willing to offer free tools, and really use their convening power as the city to help connect nonprofits to resources that they probably don't know about.

The second set of recommendations is on resource coordination. So probably one of the easiest things for them to do is create a web page. They actually have a ton of resources. You all probably know a hundred more toolkits that they could possibly use. We in the security field know of these resources, and the folks in nonprofits don't, and if you've ever tried googling "help cybersecurity," the thing that you need is not the first thing that comes up. So we talked to the city about being a convener for these resources. They also help small businesses, they also help hospitals and utilities. Just collecting some of the basic cybersecurity knowledge pieces and saying, "We as the city, we use these, we endorse these, this is your one-stop shop," is very helpful. Number four, funding opportunities. So we talked earlier about that 10% overhead cap. That was a huge finding for the city, to say, "Oh, actually the grants that we're giving, they're not enough to protect the services that we're funding." So we recommended two different ways that they could go about this. One: to carve out another one to 3% of each grant just for technology, so that they actually protect that funding for the nonprofit. This is something we talked to them about: if you just increase the overhead, it's going to get sucked in by all those other things that we need to spend overhead on. If you tell us that we have to spend X% of this grant on technology, it'll help us invest it in what it needs to go to. And the second opportunity is actually creating a separate grant fund for cybersecurity, to do sort of a bulk investment in either hiring cybersecurity staff or procuring much-needed tools for those

nonprofits. And lastly, we talked about implementation. A couple of creative solutions that we found. We tried not to recommend anything that would force the city to raise millions of dollars, as we found that to be pretty unlikely for cybersecurity at this point in time. So number one, hosting student summer interns. We're in the Bay Area. We are fortunate enough to have Berkeley and many other amazing institutes of higher education with really talented students that have the perfect level of knowledge to help nonprofits with those sorts of basic cybersecurity controls. We talked about the clinics earlier. So we really encourage the city to make use of internships as a win-win solution: a way to provide students with more experience actually applying their knowledge to a real organization, and providing nonprofits low-cost cybersecurity risk advisory services. And lastly, we recommended that the city provide local nonprofits with low-cost access to critical cybersecurity tools and software. This is something that they were really excited about: the idea, being in the heart of Silicon Valley, to actually connect with the companies that call San Francisco their home, and try and use those resources to better protect the nonprofits that take care of the people that live here.

So San Francisco is really unique in that their Department of Technology is thinking about how they can extend city resources to organizations that are not necessarily a part of the city's infrastructure, but are a part of the city's objectives related to providing citizen services. Not every city is able to do this. But large metropolitan cities oftentimes are. Cities like New York: New York City Cyber Command provides cybersecurity assistance and support to small businesses. San Francisco is thinking about doing some of these things for nonprofits, cultivating cyber resilience at the super local level. However, by and large this can be challenging for many cities to accomplish. So when we were thinking about what we wanted to do for the next iteration of this project, we wanted to engage with more capable actors in government, specifically at the state level. So what we've done is we've been able to secure a partnership with the state government to focus on nonprofit cybersecurity and to accomplish a couple of different objectives. We want to survey hundreds of nonprofits throughout a specific state to gather data on their cybersecurity challenges and assess regional variance. We want to identify ways that state and local governments can actually extend their IT and cybersecurity resources to support these nonprofits. We want to connect nonprofits also to pro bono or discounted cybersecurity resources, and we want this research, this next step, to inform cybersecurity policy and long-term cybersecurity strategy of the state towards public interest organizations. States also manage a lot of different grants. They manage a lot of money coming from the federal level, and also generate funding at the state level that gets doled out to nonprofits. So the state actually is very well positioned to create some upstream solutions that eventually trickle down and can help more municipalities take on this kind of regional cyber resilience role. Also, I would just note that currently at the federal level things are changing quite a bit. For the last six years

there's been an effort uh at the federal level to provide different pieces of critical infrastructure um more cyber security support um and that's kind of changing more responsibility is being uh pushed over to the states. So the states are going to have to take a bigger leadership role than they're already doing uh to assess and and assist for cyber resilience of like these different pieces of critical infrastructure like nonprofits, rural hospitals, uh small utilities. So we thought it might be great to partner with the state government. Also we've updated our methodology and we have like an implementation component so that uh this research doesn't uh this research translates to action um pretty much immediately. So uh this is the boring

part. This is about methodology and how it's going to change. Um just to fly through it quite quickly. Um we wanted to improve our methodology and rely on our friends at the Indiana at Indiana University and Purdue University. They've run a great project called Cyber Track which uh is doing cyber security assessments for all state and local governments throughout the state of Indiana uh for the government to kind of guide cyber security strategy um at the state level. So the way that they do it is they do it in two forms. They do like uh interviews as well as a survey and they use the trusted CI framework core pillar core pillars as well as the CIS

controls um implementation group one but like a distilled down version of the most impactful 12. So we're doing a variation of this and this is just uh kind of demonstrating what it is. Um so the trusted CI framework is a minimum standard for cyber security programs. It takes a a holistic um approach that prioritizes leadership, culture um and government structures that would support a secure like a mature cyber program rather than just focus on a narrow checklist of technical controls. Um and we were we distilled this down to around five of the musts. Uh there's 16 of them that we believe would be most impactful for nonprofits. We also um for IU and Purdue what they

did was they like compared a couple of gold standard studies against the CIS uh framework uh and doing so they found the most empirically backed uh top 12 that makes the difference for organizations. We reduce this down to five of them that we think will make the difference for nonprofits. So we're going to survey that compare uh see if there's like a relationship between the CIS core pillar implementation as well as the CIS controls. We're also going to do qualitative interviews with both local nonprofit leaders and state and local government. For nonprofit leaders, we want to deeper like understand at a deeper level um their experiences with cyber attacks and how it affects their uh their resources um and their

organizations at large. as well as um for state and local government. Uh we want to talk with them and understand like what kind of solutions do they think at their level from their perspective they can actually implement uh quickly to address this nonprofit cyber security problem. And lastly, the part that kind of involves um maybe most relevant to you is the implementation component. at our launch event. Not only do we want to launch this data uh and this report, but we want to have an opportunity to have like an expo for these nonprofits to um come face tof face with folks who can provide them immediate assistance. So cyber volunteering organizations that provide uh pro bono consulting services again

with the FBI and SIZA local offices um iss that specialize for nonprofit work and uh university students looking for internships and to get that kind of to use their cyber security education to make the difference for nonprofits but also specifically industry partners uh that can help provide things like tabletop exercises, cyber security tools and software And just to close, uh, we're looking for implementation partners in industry who might be able to, um, help, uh, us as we kind of pass on those resources to nonprofits, um, and hand them off so that once they leave that, uh, that event where, uh, we're launching our report, they'll have, um, more resources than they did before. So, if you're interested in getting

involved, feel free to email me, Shannon Pearson, um, at this email. And, uh, I don't know if we have time for questions, but thank you so much. And we also have some stickers up here um if you're interested.

Great job. Uh Sarah and Shannon, a couple of questions for you and you can also ask more via Slido if you want to. So first of all, I work at a legal aid organization. We are constantly switching vendors for essential functions, example software phones in order to keep costs down. Could this vendor churn negatively affect our security posture? Could what negatively affect just the like switching vendors? Yeah. Um I think turnover is a big problem and that's not just in technology but also in staff. Um nonprofits have one of the highest staff turnover rates of all industries. Um so anytime you're losing knowledge of how to protect a tool or you're losing someone who knows how to do that

organization's processes, um it just makes it more difficult. So potentially What did you see in the survey about BYOD or bring your own device challenges? Yeah, this was really tricky. Um, we know that bring your own devices are pervasive in nonprofits. Um, particularly because they make use of so many volunteers and they just don't have the capacity to provide each of them their own device. Um, we didn't get to the point where we felt comfortable recommending EDR solutions for nonprofits. They're just not at the point where that would be a viable recommendation for them. But that is something that we'd like to consider for the next round. Last one. I know Shannon, you covered this towards the end. Um, but a very

direct question. Is there an easy way for security engineers like those in the this audience to help nonprofits with cyber security? Um, yes, absolutely. Um we actually run uh a network of different cyber volunteering organizations uh where uh folks from industry are helping um respond to cyber incidents like at the state level as well as like just assisting nonprofits or like even small utilities. We uh it's called the cyber resilience corps and it's a coalition of all these different uh cyber volunteering organizations and we'd be happy to connect you. I think that'd be the best way to kind of get uh volunteering right away um in kind of a coordinated way where they already have

established relationships with uh nonprofits to to get you connected. Yeah. And just one more shout out um one of the members of the Cyber Resilience Corps that works specifically non with nonprofits is called the Cyberpace Institutees Cyberpace Builders Program. You can actually sign up as an individual volunteer there and they have a great matching platform where you talk a little bit about your expertise and they'll match you with a nonprofit um for a very specific limited time frame task such as like please help me configure my firewall. Um and they've actually done like I think hundreds to thousands of hours of volunteer matching through that service. Wonderful. Thank you so much to our speakers. Thanks so

much everybody. Round of applause.