This post contains the full text transcript of an interview conducted by Paul Clolery (Editor-in-Chief, The NonProfit Times) featuring nonprofit experts Jacqueline Tiso (Founder & CEO, JMT Consulting) and Emily Sachs (Nonprofit Executive & Consultant, Sachs Associates). Read along as they discuss the rising data security risks and other challenges facing organizations in times of COVID. We are excited to share their insights regarding security best practices and top-of-the-line technology solutions so you can best protect your nonprofit and drive your mission forward.
Challenges Nonprofits Face from Zoom Meetings to Ransomware Attacks
Paul Clolery: We’ve had a busy tech couple of weeks. The COVID crisis, not just in the United States but around the world, has pretty much laid bare some of the challenges of technology within the nonprofit sector. What are some of the challenges your clients are seeing Jacki?
Jacqueline Tiso: We’ve seen everything from being unfamiliar with working in a home office and the equipment that you need to have, and [challenges with] how to connect into meetings and get your computer running, through to actual challenges with connecting to your organization’s software. So, you can get the other things working, but then you can’t get into your software. Then add to that all the normal issues that happen with technology, including security and ransomware attacks.
PC: You can put together a terrific Zoom meeting or use another platform to get a meeting together, then one of your geniuses will be using their phone and you’ll have feedback across the whole system. So how important is it for everybody to have the same technology, or at least access to a basic level of technology? And what would that be?
JT: It’s hugely important and it’s something that we’ve been trying to stress for years with our nonprofit clients. And it is hard. There are so many constraints, but it’s so important and what COVID has done is brought it home all the more.
I think it’s really identified a lot of the struggles that nonprofits have lived with for a long time — they didn’t realize how many workarounds they were actually doing and how it was impacting their productivity and what they’re able to get done.
Emily Sachs: I was going to add, two of my mantras are always training and communications. So, for example, I frequently will have people test on Zoom if I have a new consultant and they haven’t done Zoom before. Before we have a meeting, I’ll work with them to make sure they’re familiar and comfortable with the technology because everybody’s using something different. I think testing, training, and communicating with people and helping them feel comfortable before they’re on spot is really helpful.
PC: Talk a little bit about the need for good technology right now. Jacki was just making reference earlier to ransomware and hacking. There’s been some real incidents in the sector recently with some boldface names.
JT: Yes, and it’s interesting. I think there is in some ways a concerted effort that is happening where they’ve identified the nonprofit sector and some of the players in this space to go after. It’s a very serious thing. We’ve had clients that have been impacted significantly for a month or more. And in the case of Blackbaud… everyone has seen what’s come out recently about that. [It] wasn’t communicated exactly what was happening there.
That’s something else that, along with everything else that organizations are dealing with, having a lack of communication and visibility to what’s going on in the space and the impact it could have onto your organization is hugely detrimental.
PC: Talk a little bit, if you would, about contractual arrangements with providers such as Blackbaud and others. From what I’m understanding and from interviews that I’ve done in the last few days – we broke the story a while back – they knew about this [ransomware attack] on February 7 and didn’t tell anybody until July 16. Is there some sort of contractual clause that you can put into contracts with any technology provider that says you must communicate within 48 hours?
JT: For the publishers that JMT works with, that’s one of the things that we’re ensuring on our client’s behalf – you have certain markers, if you will, and communication is one of them. Percentage of downtime, as an example, is another one. What’s the recourse if the system is down and you’re unable to get to your data? I think there’s a number of aspects that you can do in this, and we tell our clients all the time [that] you do have to read the really small print and have a very clear understanding of the technology when you go to any platform and any service provider.
ES: I’ve experienced negotiating service-level agreements, but many times, even if I’m a relatively large not-for-profit, I’m not as large as the vendors who are selling to me — so I don’t really always have control. I mean, I’ve definitely had situations where Microsoft will have an outage, but they declare it something else so that it doesn’t become a part of their service-level agreement. And I’m just a little bit player. There’s nothing I can do about that.
I agree that you should negotiate hard and I agree that you should understand what the terms of your agreement are and also what the vendors are required to do in terms of disclosure, especially if it has to do with credit cards being made available or some sort of phishing or other kinds of attacks. But I think it’s also the case that nonprofits can’t always control those things, and the vendors sometimes have the cards in those cases.
Responsibility for System Backups and Raising Our Voices Together
PC: Well I know we’re a little bit off schedule here, but how do you keep the cards on your side of the table in arrangements like this. For example, I mean, yes, some data was breached… but in some cases, there was one vendor where certain people were locked out of their systems completely.At what point is it not on the owners of the nonprofit to have a backup system in their own right, not just relying on the vendor, but having your own backup system to say, “Okay we backed up 24 hours ago, we’re moving into this platform to go fix it and then we’ll move back?”
ES: So I would say that you’re right, we should all have our own backups, and that is something that I negotiate, that I want to be able to pull down a backup periodically. But also sometimes I think we do well – and I’ll look to you, Paul – sometimes we do well when we work in concert with one another. Because Microsoft might not listen to me, but they might listen to the sector as a whole. And other vendors, those like Blackbaud, that are focused on the sector, will listen when we raise our voices together. That’s one area where I think we can be more powerful if we work together.
JT: I would echo that I think that there is power in a united voice and we’ve seen that many, many times in many different industries. I think that at the same time, as organizations we have to recognize that there’s going to be a level of responsibility on us that we have to have regardless of whatever might be in a contract. We’ve got to make sure that our organization has a plan for going forward.
Ransomware attacks are very good examples of [unforeseen instances] that impacted so many of our clients. Many of our clients did not have backups. They were relying entirely on what they felt were in the Cloud or hosted – what I call “partly cloudy” – [solutions so] that there were safety nets there and they didn’t have to think about it or they didn’t have the funds to manage it. But we have to have a level of responsibility for ourselves as well.
ES: Right. We should be testing our backup and restore [as] part of our disaster preparedness. That’s hard and it is something that tends to get pushed back, but it is important.
The Dangers of Falling Behind the Technology Curve
PC: What are some of the other things you’re seeing, Emily? And give me three or four ideas of some of the nonprofits that haven’t updated their technology, obviously not telling us who, but some of the challenges you’ve been seeing out there.
ES: In one case I was in the middle of a modernization and centralization project with a not-for-profit. Before we had centralized cash management, one office initiated a multi-million dollar wire transfer that would have gone to a fraudulent recipient, except the bank caught it and realized that it was non-typical for that office. That, in a way, helped our process of modernizing and centralizing because it became apparent that there were some people in our finance team who were really steeped in the latest fraudulent tricks, and then other people who weren’t. It was helpful to have the people who are most steeped in the tricks be doing the wire transfers and not have that ability more widely spread. The person was a wonderful person, but just not steeped in all the tricks that were going on. That was very scary because no one can afford to lose that kind of money.
PC: Jacki, how about you?
JT: We had a client we were working with and they were in the process of upgrading their system. They had been on their legacy system for about 20 years and had totally outgrown it, but they believed their legacy system was the Bible. It [their legacy system] was correct, and we needed to make sure we were validating their new system to their legacy system’s data. We had one exercise on billing, which is hugely important to organizations – contract-funded organizations – and we spent over 40 hours trying to validate and were unable to match what was in their legacy system. At the end of the 40 hours, we determined that their legacy system was incorrect and they had been billing incomplete dollars for years. Leaving money on the table for years and they literally had no clue.
I had another situation where I actually had to call the CEO, [because] we were concerned. They saw some things that they were questioning around the bank reconciliations. We try to make sure we’re aligned with the organization and helping them. A new system comes up, we go to do the bank reconciliations, and they couldn’t get with the individual doing the bank reconciliations to get the project finished. So I called the CEO stating that I had a concern. We needed to finish this for them. Our natural – and I totally get this – a natural reaction often is,“My team knows what they’re doing; I have trust and faith in my team.” Unfortunately for that organization, it ended up being fraud.
We face these kinds of things all the time. It’s a merger of the technology and human effort, and both of those are part of a technology. A machine alone – software alone – isn’t the answer. It doesn’t do it all.
PC: Right. It’s funny you should say that. I mean, you could find a nonprofit that [has] the best technology on the face of the earth… but then low tech hits you. Somebody makes a phone call, somebody answers an email, somebody picks up a flash drive in a parking lot, and presto, it’s all over. So what are some of the low tech things you should be thinking about?
ES: Certainly education and training; there are online classes. At one organization we had everybody, and especially the top executives, take an online class about phishing. Fraudsters that don’t know the organization will go for the top executives, because those are the obvious emails that they’ll try to replicate and use phishing techniques to try to get people to transfer money to them. So education and training, particularly of the top people, is really critical.
And help all the staff to have some healthy skepticism. If the president has never asked you to do a wire transfer without sending paperwork before, why would the president ask for that now?
JT: I think that security is not a ‘communicated-once’ environment. It is something that has to be communicated ongoing, all the time. Have protocols in place for regular updates on security and dual authentication. Use the technology where you can along with educating and informing your staff.
PC: What about not wanting to take responsibility for the fire drill that’s going to occur as you try to move over your CMS system to another area or to do some more security within that system? Who’s got to stand up and take responsibility for that and say, “We’re going here, whether you like it or not?” And sometimes that isn’t the CEO.
ES: So I’ll speak as a CFO and CFAO. Many times it falls to that role, with the head of technology, to be the advocate for new technology and convince the rest of the executive team, and to engage the board, to make the change that needs to be made. I think one of the challenges is that major donors to the organization fall in love with the mission of the organization, and that’s why they support the organization. That’s true of the board members also, so sometimes it’s less compelling to them to hear about why you need to make these not-so-fascinating technology upgrades and changes and drills. But you need to, because you need to give your staff the support that they need so they can implement the mission.
From AI to the Cloud – A Merger of Technology and Human Effort
PC: Everybody’s talking about how AI is going to change things. Everybody says, “Ya, we’ve got to do AI!” I guarantee if you went to five people who are not tech folks in the nonprofit space, they would know what AI stood for but have no idea what it means. Somebody take us to school on this. Why is this AI going to be so important to nonprofits
JT: I am of the strong belief and a proponent that AI is going to be a game changer for organizations. Part of that is in the safety net that it will provide for organizations, as well as the streamlining of activities that it will provide.
An example might be [that] an individual is just simply entering information – very straightforward data entry, updating records. AI will take what they entered. It can look at it and say, this is commissions, but it’s being charged to another department or a program that the computer knows there has never been an entry charged to that department or that location or that grant ever before. The software itself will pop up and say, “This is outside your normal transaction definitions. Are you sure this is correct?”
In the most straightforward terms, it can look in at any level of data that is conceivably going in, where that data is going in, and it will also be able to look at trends or activity over a rolling 12 or 24-month basis. Think how valuable it would be if it can then project forward based on the information that is already in your system on your historical data, without someone else having to go in and analyze. These are the kinds of things that AI is going to bring right to nonprofit organizations.
PC: Now there’s got to be human components to that, right? You’re actually going to be the one making the decision. The system is just making suggestions, but it’s going to be a human function to make that change. Correct?
JT: Correct. So instead of having to spend time analyzing and figuring it out, the computer will bring the data to us. It’ll bring it to the surface quicker for us so that we can then make decisions quicker.
ES: I can see that this could help in client-side activities, also. If I’m working with a client, it’d be really helpful to have a quickly-distilled synthesis of things that have worked for clients who have experienced similar issues. Making services available to clients, and particularly clients who are not always on devices, is another area of challenge for not-for-profits. I think AI can help with figuring out how we can be better at enrolling and reaching out to the people who need our services and would benefit from our services.
PC: Imagine software with the ability to take actual budgets and history and turn them into forward-looking projections. How’s AI going to help us with that? How is AI and other technology we’re working with actually going to help us project budgets and maybe even programmatic decisions in the future?
JT: We have to have the human element, right? But what we’re doing is using the AI to take the information that is in the system and consolidate all that information and bubble it up to the surface and say, “Here’s what where we are, here’s what we have, and here’s some decision points for you.”
Instead of investing hours to get to the data, the data is going to be there and surfaced. Now the investment of the time and the creativity and the innovation that the human being brings to it is [the ability] to look at this data and say, “You know what, that’s right. That program is registering that we perhaps need additional funds in that program.” That’s the conscious decision we’re doing in the furtherance of our mission, and that is the human element that combines so powerfully with software being able to bring that visibility up to the surface.
ES: One thing we’ve learned with this COVID environment is that there are so many scenarios we have to do. We might have thought in the old days, it was good enough to do high, low, and middle financial scenarios. Now we need to be able to think about a whole bunch of different scenarios and possibilities. We need help in being able to synthesize those and figure out what are – as Jacki said – the critical points and then what does the flow look like from there.
PC: Give us a couple of ideas, Emily. Obviously people started working remotely very quickly, and they had not planned on working remotely very quickly. Are nonprofits now going to have to change the way their security access codes or systems are working so that people can have access from outside when they were generally on the network and the network was closed? How can we allow people into the system and still protect it at the same time?
ES: Jacki talked before about multi-factor authentication. Everybody should be doing that, and that helps [so] at least you know that when they’re accessing the central system, it’s a known PC that they’re accessing from. Those kinds of tools, if they haven’t put them in already, they definitely will want to invest in.
JT: In the true cloud environment, or what we call the multi-tenant, there’s all the audit trails and identifiers to say what they are doing in the application. What did they change? How many hours are they in there? You can have a lot of visibility to the activities within your organization in the new technologies around the cloud.
In the hosted environment, what I call the partly cloudy, and the on-premise, you can still have a level of visibility to it but it’s very much dependent on your service provider. You’ve got a few more hoops to jump through versus a cloud application where you can run a report most typically.
ES: You may also want to have some general reporting on what files your staff members are accessing. I had a situation with a staff member who said he was constantly working really late and I said to the IT team, “What’s he doing?” It turned out that part of what he was doing was trying to access files that he wasn’t authorized to access.
PC: How is all of this technology in the nonprofit space evolving so that there’s an interconnection between government, the private sector, and the nonprofit sector and is that a good thing?
ES: It would be great if government – and I’m particularly talking about some local governments – would listen to the pain that they cause not-for-profits by not using standardized methodology. For example, they might have developed a new system, but the system doesn’t accept uploads from anyone else’s system. So your nonprofit might have automated yourself but then you’re re-keying your invoices into a government system. That kind of thing can be really, really painful and duplicative for not-for-profits.
Governments also have the best [social sector] data in many cases, and various organizations have pulled that data out to make it available, but there’s an opportunity for governments to help not-for-profits figure out how to help their clients through data sharing in a more integrated way.
JT: There’s a tremendous amount of information and data that’s gathered from all different sources. The ability to have a repository that you would be able to access and you would, likewise, be able to contribute your data into would be a game changer for so many programs and the services that so many organizations work to deliver. But instead, we have a situation of extremely siloed [information.]
JMT works with numerous federally qualified health centers, Community Action organizations, and so on and so forth. There’s just so many pockets of information all over. Each of them having to do many of the same internal things that everybody else is doing.
PC: Lightning round folks. Its 2025. What did you learn in 2020 that’s going to be usable in 2025, and what will you be looking back on in 2025 and say, That technology just wasn’t what it was supposed to be. This is where we’re going now.
JT: It would be the ability to access my systems and data so that I can help my organization make decisions and pivot as needed.
ES: I think it would be having really good internal social media communications, so that I’m not torturing everybody by email all day and all night.
PC: Jacki Tiso, CEO and Founder of JMT Consulting, and Emily Sachs, Executive and Consultant to Nonprofits, thanks so much.
To watch the full interview, you can access the on-demand recording here.
Drive your mission forward with secure, modern technology.
Nonprofits count on us to deliver the finance, development, and productivity solutions that these unique organizations require to meet their goals of sustainability and mission effectiveness. Let us show you how we can help your organization, too.