EP 128: Secrets of Cyber Risk Management at Non-Profits
About this episode
March 28, 2023
Are non-profits at risk for cyber exploitation? If so, why? And what should they do about it? Let’s find out with our guest, Lew Bader, the Finance Director at “Counseling In Schools”. Your hosts are Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.
Speaker 1: Welcome to The Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.
Jake Bernstein: Kip, what are we going to talk about today on episode 128 of the Cyber Risk Management Podcast?
Kip Boyle: Jake, I'm so excited because we have this really amazing guest today. With our guest, we're going to learn three secrets about cyber risk management that happens at nonprofits. Our guest today is Lew Bader and he's the finance director for a nonprofit, it's called Counseling In Schools.
Their mission is to promote the emotional and social growth of children, so that they can thrive in school and succeed in life. They operate in New York City. Lew, welcome to our podcast and thanks so much for being our guest.
Lew Bader: Thank you, Kip. Hi, Jake. Nice to see you guys.
Kip Boyle: Well, we're glad you're here. Did you want to add anything to that very brief introduction that I made of you?
Lew Bader: Sure. Just to tell you a little bit about my background, I spent 40 years in Fortune 500 companies building accounting operations. About seven years ago, came to Counseling In Schools as their first ever finance director.
The great thing about Counseling In Schools is that we're helping kids. Right now, social and emotional issues are incredibly front of mind for everyone. In New York City schools, especially coming out of the pandemic, kids need us more than ever. I'm proud to be a part of this.
Kip Boyle: That's fantastic. My wife is a public school teacher here in the area of Seattle that we live in. We definitely see it as well, that the pandemic was a very disruptive event for kids.
They're falling behind academically and there's a lot of social isolation. Boy, it really did a number on a lot of kids. I'm so glad that Counseling In School does what it does.
Jake Bernstein: Yeah. No, I fully agree. I think one of the things that nonprofits just across the country are really struggling with these days, is managing their own cyber risks.
Lew, I'm wondering given the importance of this mission, and every nonprofit struggles with this, what is the main challenge of nonprofits from a cybersecurity standpoint or risk management standpoint?
Lew Bader: Nonprofits aren't immune. In fact, they're more susceptible than corporate, private companies and public companies. Our funds are limited. Where you're investing your money, how you're using your back office money, do you have the funds to create security layers and the infrastructure that are required to keep you safe?
More than any other company, I've seen fraud, theft, embezzlement in nonprofit companies. I've seen it in Fortune 500s too. I read about it all the time. Thankfully, we've never experienced that, but there's a culture of trust.
Jake Bernstein: In the non-profit world.
Lew Bader: In the non-profit world, yeah. It's mission-driven work, so there's a tendency to trust everybody.
Kip Boyle: Wow. I think in some ways that's counterintuitive, isn't it, that nonprofits would be targets for cyber criminals? It's like you would think that they would go where the money is, the banks and so forth. The old Willie Horton thing, "I rob banks because that's where the money is."
But we know from looking at the data, that nonprofits are absolutely targets and you know from firsthand experience. Lew, was there any event that happened to you that made you acutely aware of just how nonprofits were targets?
Lew Bader: A couple of situations came up in the news where because there's this culture of trust, you tend to have limited internal controls. I've seen situations where the controller might set up a fictitious employee, and the funds from payroll are being deposited into their account.
Or they create a fictitious vendor and start creating invoices and start getting paid, so the possibility of embezzlement is great. That just leads you to start thinking about, "Well, what other areas can you be susceptible to?"
Jake Bernstein: Yeah. The post-Enron regulatory overhaul, Sarbanes Oxley, all that stuff. While I've never dealt directly with that in my career, I certainly deal with a lot of things that are similar to it. Lew, you must be real sick of SOC 1s from your 40 years in the business, but I don't know of many nonprofits that do a SOC 1 that go through that type of process. I'm sure some do. Nonprofit doesn't mean penniless. There are very well-endowed nonprofits, but those are frankly rare.
I think because of that culture of trust, and you are not the first person at a nonprofit who has mentioned that to Kip and I actually. It's not just the financial aspect that it extends to. It extends to the IT and what is ultimately a lack of cybersecurity as well in a culture where everyone is very trusting, and they just want to get the work done. Because like you said, it's mission-driven, you're extremely vulnerable to grifters, scammers and hackers.
Kip Boyle: Especially phishing attacks, I should think, social engineering attacks.
Jake Bernstein: Particularly social engineering attacks.
Kip Boyle: Yeah. I would think that if you're dwelling in a culture that is marked by high levels of trust, must be difficult to even imagine that there would be people out there that would scam you.
Lew Bader: Yeah. But those phishing attacks, they're coming. They come every day and we actually test people. Our tech folks, they're a third-party company. About twice a month, they'll send out a phishing test and see who responds.
If somebody clicks through and responds, they'll get a little bit of training like, "You clicked on this, you should not have clicked on this and here's why." That's been effective. Every now and then, somebody will get an email and they'll send me a note and say, "Are you sending out a phishing test today?"
Kip Boyle: That's a lot of extra friction in your business in a way.
Lew Bader: Yeah. I'm like, "I don't know. I don't do that. Why don't you check it out?"
Jake Bernstein: Interesting. Yeah.
Kip Boyle: Well, I'm glad you're doing something along those lines. The phishing test and helping people realize that there's danger in your inbox.
Even though we've got a lot of controls on inbound email designed to minimize this sort of thing, they're always finding new ways to send us crazy messages.
Lew Bader: Yeah, for sure. The reason that we got involved with this is I do a lot of networking, dating back to my consulting days. One of my friends who runs an outsource IT firm mentioned the SHIELD Act in New York state, which requires you to have this level of security in place. I called them up and I said, "Let's do this. I can't afford not to."
We went through a very intense three, probably six-month program where we touched every piece of our network in our controls. Then we engaged the law firm to help us create a cyber policy for the company, an end user agreement that employees sign, and an end user agreement for any technology that we give them. We deploy about 50 or 60 laptops and about 35 phones every year, so we want to make sure that people understand their responsibility.
Kip Boyle: That's great. I love that. That's really good cyber hygiene. Lew, are you the cyber risk manager for Counseling In Schools, or how exactly is that done?
Lew Bader: Yeah. When you're the CFO for a nonprofit, you wear a lot of hats. One of them, technology tends to fall under the CFO so I took it on.
I've always had an interest in technology anyway, so why not? It's mine and the executive director is happy to give it to me.
Kip Boyle: Yeah, they're busy with the mission. They don't want to fuss around with settings on a piece of tech, for sure.
Lew Bader: Right.
Jake Bernstein: Well, I'm going to steal Kip's question here because it's been staring me in the face and I'm really curious about it. You told Kip, Lew, that humility is the secret or a secret to security. Why is that?
Lew Bader: I'm smart and I know how to keep everything secure. That's the quote that will lead you to big problems.
Jake Bernstein: Yes, it will.
Lew Bader: One thing that I've learned is that, no, you're not that smart. I'm not that smart. I need to surround myself with really smart people. I need to surround myself with experts. For us, it goes as far as if we're running an event, we have event planners that work for us.
We created a website, we have web designers, we have insurance agents, we have a PR firm, and we have a strong IT support firm. What I mentioned before about the SHIELD Act, I knew nothing about that. I could have read up on it and I could create a cyber policy. All I have to do is Google it, and I'm sure I'll find it, or use one of those AIs.
Kip Boyle: I was just going to say, you can just ask ChatGPT to make one for you.
Lew Bader: I know, I know. Yeah. Doing a full cybersecurity review, bringing in attorneys to create policies for us was critical to ensuring the security of our data and our infrastructure was whole. Also, ensuring that employees understand their responsibility in this.
Jake Bernstein: I agree, bringing in attorneys is definitely critical, particularly cyber attorneys.
Kip Boyle: No bias there.
Jake Bernstein: No bias there.
Lew Bader: I asked Whitney about K&L Gates and if they could do this for us honestly. He said, "No, you know what? You should go to a third party." I guess Whitney didn't know you.
Jake Bernstein: Well, how long ago was that? Because like I said, I haven't been here all that long.
Lew Bader: About a year and a half. Yeah.
Jake Bernstein: Yeah, there you go.
Lew Bader: Might've been, right.
Jake Bernstein: Yeah. Look, I think that's a really important point, the humility aspect that I think a lot of people. Gosh, Kip, how many times have you and I seen a complete lack of humility that you just walk away from shaking your head being like, "Oh my, you are in for such a world of pain, if anything happens to you"? Usually, it's an old-school IT guy to be honest, but I've definitely seen it come from CEOs and CFOs as well.
I think that I feel like the lack of humility and the arrogance is something that you see more common in these 30 something new, arrogant type of, "We own the world" type of guys, but it's not limited to them. It can happen anywhere at any time. You just have to have the maturity to understand that you don't know everything. Particularly in a situation where you're dealing with human actors who are trying to take advantage of you.
They are constantly throwing money into research and development, as Kip and I have talked about many times, you just can't stay on top of it. I think that's a huge secret, shouldn't be a secret. We need to yell that from the rooftops that be humble when [inaudible].
Kip Boyle: See, the people who don't know how to be humble.
Jake Bernstein: Yes, that's true.
Kip Boyle: That is true.
Jake Bernstein: It is true.
Kip Boyle: I got to tell you, whenever I encounter people like this, I can sense it pretty quickly. I've become good at sensing it quickly. I'll never forget early on, when I was having these kinds of conversations.
Maybe the third or fourth time I encountered somebody like this, I remember thinking to myself, "I feel like I'm trying to sell life insurance to an immortal. I got to get out of here."
Jake Bernstein: That's a really good way of putting it.
Kip Boyle: Because they're never going to buy this, ever, ever, ever, until something bad happens to them, unfortunately. I think that's just the human condition. We just think that we're invincible until something bad happens.
Then we sober up and we're like, "Okay. Well, I guess I better do something about that, because that was super painful and I never want to go through that again."
Jake Bernstein: I'm so tempted to ask Lew about his 40 years in Fortune 500 companies to see how often he has seen arrogance and a lack of humility bite somebody.
Lew Bader: Lord, my background comes from really intellectual property. I ran royalty accounting for several publishing companies, cut my eyeteeth on it way back before the earth cooled. The importance of having a strong intellectual property system to manage that, I always viewed as critical.
As many times as I would present that to management or even my peers, and it was a $5 million investment, something like that for companies the size that I was working in, that was no big deal. Now it's like my total revenue almost. They would act like I was trying to sell them snake oil.
Now with the fact that printed books are almost unheard of, they really need that intellectual property management and none of them have it.
Jake Bernstein: Interesting. Yeah.
Lew Bader: They're struggling to get it.
Jake Bernstein: Wow. This leads very well into the next question, Kip. I think you should ask it because honestly, I'm struggling to know what it's a riff of. I think you would maybe have that better.
Kip Boyle: Yeah. Well, yes. Okay. Everybody should know, I don't know if I've ever said this, but I spent about 10 years of my youth growing up in South Boston, so I understand the northeast culture. I do remember when I was a kid, there were these commercials that would come on in the Boston area, "It's 10 o'clock. Do you know where your children are?" That's just helping parents keep track of their kids.
Well, that came out of New York City in the late 1960s, because there was actually a curfew for kids at 10:00 PM at one point because there was just so much protests and that sort of thing. Anyway, so when Lew, during show prep said, "It's 10 o'clock, do you know where your data is?" I was like, "Oh my God, I haven't heard that in a million years." But anyway, for somebody who's lived in and around New York for so long, I wasn't surprised to hear you say that.
I thought it was really cool. But what does that mean in cybersecurity? It's a great riff, but what are you trying to say?
Lew Bader: Yeah. I guess locking it down and making sure that nobody can get at it is critical. We used to have a local area network in the office on 8th Avenue, and it was backed up at the end of every day.
The executive director, who lived on the Upper West Side, would take the backup drive, stick it in his briefcase and bring it home with him.
Jake Bernstein: What's a briefcase? No, just kidding.
Lew Bader: Yeah. He'd stick it in the freezer. Then the next day, he'd bring it back with him. There was a backup sitting in the office and there was one sitting in his freezer.
Kip Boyle: That's perfect ransomware protection, by the way, everybody.
Lew Bader: Right.
Jake Bernstein: Would work well for that today. Yes.
Lew Bader: But it all changed though, when we adopted a no local storage policy. We just said to everyone, "You are not allowed to store any files on your individual computer or your laptop." We decided to eliminate the local area network. We adopted Citrix ShareFile, like Dropbox or something like that for data storage, and RightSignature for legal documents and for invoice approvals.
That just eliminated thousands of sheets of paper. But it also ensured a single place where we could store documentation, we could realize HIPAA compliance and legal compliance that way, and absolutely limit the possibility of somebody getting at our data.
Kip Boyle: Okay. Then it just goes back to the question is, do you know where your data is and what are you doing to keep people who are not authorized from getting at it? Just really taking it personally in a way and looking after it. Jake and I encounter regularly what we would call cloud first or even cloud-only organizations these days, who have either done what you've done, which is made the switch.
Or when they were founded, they never even built a local area network. They just went right to the cloud. Their offices, to the extent that they even have them, are just private Starbucks. It's got a really nice WiFi access point in there, nice coffee machine and some places to sit.
Jake Bernstein: Yeah, that's what it is. That's what a lot of offices are now, and people don't fully appreciate that. I love, Kip, have you said that before, the private Starbucks? I think that's a great metaphor for what a lot of offices are now, is these are not sophisticated corporate networks.
They're just shy of consumer grade. Really, honestly, there's not a big difference between a consumer grade internet connection and a so-called business connection, not from the ISP anyway.
Kip Boyle: No, but it's interesting because when you shift this paradigm, and the reason why this really caught my attention, Lew. Is because what we've also seen in situations like this is in the local area network era, if you wanted to share data with somebody, you almost had to get the direct assistance of somebody in IT, who was trained to share data. They knew how to do it correctly so that it wasn't overly shared.
But these days, every one of us can share data, and that makes us all systems administrators, but virtually none of us have been trained to do it correctly. We share data and we put the least amount of permissions on it. Why? Because we don't want to be hassled when people can't get to the data that we're sharing. We just make it as easy as possible, cross our fingers and hope that nobody else finds it.
Lew Bader: Yeah.
Jake Bernstein: There's a lot of hope out there as a method. Kip, as you know, I have a former colleague who always liked to say, "Hope is not a method."
Kip Boyle: Yeah. Hope is not a method, it's not a plan. I read that Gartner Research, so this is a big IT research company. They have been publishing and revising this estimate of theirs. It says that something like 99.9% of all data breaches in the cloud are the responsibility of the cloud customer through, and then they would put the year.
Every year, they've been kicking that year out one more year. It's just like, "Okay, why?" When I dug into it, I was like, "Now I get it. Okay, so that's what's going on here." When you're in the cloud, we have a shared responsibility security model, but none of the marketing material tells you that, does it?
Lew Bader: Yeah. I'm not at all surprised at that, because we've got about 100 licenses for ShareFile, and we're a nonprofit where one of our big issues is turnover.
Making sure that when people leave here their access is shut off is critical. That's something that I had to make sure we added to our offboarding policy.
Jake Bernstein: That's critical.
Lew Bader: Yeah. We've got an onboarding process, but we don't really have a strong offboarding process. I talk to our HR director about it pretty often.
Jake Bernstein: I have a curiosity, what is turnover for a nonprofit of your size? Are we talking one person a month or one person a week?
Lew Bader: No, at this point in time, it's more like one a month. What tends to happen is we'll lose people in September. We pay folks through the summer, even though they're technically just on call, schools aren't open. Some people do work in the summer, others don't. In order to get paid, you have to be an employee.
Come September 1st, we get a fair amount of resignations. Then during the year, people get opportunities, especially with the Board of Education. The New York City Board of Education is also putting a premium on mental health. What better place to find social workers and mental health workers than Counseling In Schools?
Kip Boyle: Amazing. You're actually part of their talent pipeline.
Lew Bader: Yeah, and we can't compete.
Jake Bernstein: No, no.
Lew Bader: The compensation and the healthcare benefits are by far greater than ours, so it's a challenge. Finding people now has become an even bigger challenge. It's all part of the pandemic, the post-pandemic era.
Kip Boyle: Yeah. I've also read that there's also, I guess, part of the phenomenon is the retirement of people from the baby boom cohort, that there's a lot of retirements going on. There just aren't as many people in the workforce coming behind them to take all those jobs is a factor.
I read about this, I think it was in the journal the other day, which I thought was really fascinating. How much of a part, I'm not sure. I just thought that was really interesting.
Lew Bader: Yep. We don't have a lot of boomers in the organization. We mainly have Gen X and Gen Z'ers, but there's a different dynamic with them. The dynamic is the average kid getting out of college today will have 14 jobs by the time they're 38, I think.
Yeah. I think I alluded to it, back when the earth cooled, the idea was you were going to work for one company for the rest of your life and retire with a pension, and that would be it.
Kip Boyle: Well, and looking at your LinkedIn profile, it appears that you did that for most of your career, but it looks like maybe the company you were working for kept getting acquired. Am I seeing that right?
Lew Bader: In, let's see, 1986, I went to work for Macmillan Publishing Company. In 1992, we were acquired by Simon & Schuster, which was part of CBS.
In 2000, they decided to spin off their educational publishing assets, and Pearson bought them. That's where I spent the next 20 years.
Jake Bernstein: Technically, you did stay with the same company.
Lew Bader: Yeah. No, my tenure went back to 1986.
Jake Bernstein: Yeah. Yeah. I just want to review, we promised people three secrets about cyber risk management in nonprofits, and I think that I'm just going to run through them real fast. The first one, I think, was that nonprofits are not immune to cyber risk. We do not want that to be a secret. Look, this is a fact. Just because you're a nonprofit does not mean you're immune to this. You've got the culture of trust. You have to work around that. That's one.
Number two is humility, which I think is my favorite secret to security, it's so true. Then I think the third, we didn't directly say it, but I think this concept of it's 10 o'clock, do you know where your data is? We would call that a data inventory or identification of assets, but I think that's critical for nonprofits to be aware of your situation.
You can't protect that, which you don't know about or don't have a handle on. I just wanted to be clear that those are certainly three important concepts for nonprofit security.
Kip Boyle: Did we get that right, Lew?
Lew Bader: Yeah, and just when you mentioned the data again, so it got me thinking about all the devices that we have and the possibility, how many people have put welcome1 as their password or something like that. When we retire an asset, I go to a certified recycler and give them the machines, and I get back a certification that the machine has been wiped.
There are a couple of reasons for that. One, we've got HIPAA compliance to be concerned about, but the other is that there's data that somebody might be able to use against us at some point. I want to make sure those devices are wiped clean by whomever I give them to.
Kip Boyle: An audit trail to prove that you did the right thing.
Lew Bader: Right, good point. Good point.
Kip Boyle: Awesome. Well, we're just about out of time. We're really glad you were here on the show. Thanks, Jake, for summarizing the three secrets that Lew has shared with us.
Lew, if somebody wanted to talk with you because they enjoyed what you shared on the show, where can they go to find out more about you, and your work and how you manage cyber risk?
Lew Bader: Two places to go. One is counselinginschools.org, and the other would be my email, which is Lew, L-E-W, @counselinginschools.org.
Kip Boyle: Fantastic. Well, again, thanks so much, Lew. That wraps up this episode of the Cyber Risk Management Podcast. Today we learned three secrets about cyber risk management at nonprofits, and we did that with our guest, Lew Bader. Thanks for being here, everybody, and we'll see you next time.
Jake Bernstein: See you next time.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
K&L Gates LLC
Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.