Rachael Cruse, CPA
Robert Ramsay, CPA, CISA, CITP, HITRUST CCSFP
Rachael Cruse: Thank you so much for spending today and sharing your knowledge with us, especially for our non-profit clients and others around the region and the country that just might be a little fearful when it comes to cybersecurity. Now, is that a healthy fear? Should we be afraid of cybersecurity or is this no big deal?
Robert Ramsay: I guess it’s the cybercrime that you should be afraid of and maybe some healthy fear, but if you take some basic practices, and use some common sense and manage your organization properly, you don’t have to have undue fear. That’s for sure.
Rachael Cruse: Great. I would say that maybe a little bit of the fear comes from not knowing what’s out there, not knowing the resources that are out there and not knowing how much bang for their buck they will get for those resources. So if you had to give a list of a few really good resources non-profits could use, if they have limited dollars, what would you recommend?
Robert Ramsay: Yeah. That’s a good question and it is super important for non-profits trying to be as efficient as possible. Google has that free advertising, which is really great. Google has a lot of nice resources. You can become a member of Google Non-profit, they call it. Then there’s a group called TechSoup that has a lot of free resources for software and licensing. They’ve been around a long time.
Robert Ramsay: Then there’s a networking group that I like full of the geeky IT people in the non-profit space, it’s called NTEN, N-T-E-N. They have an annual conference. They have resources online. Before we sat down, I printed off their cybersecurity for non-profits guide as a prop. They did this with Microsoft, so they have a lot of great resources and they are of non-profits for non-profit. They’re really steeped in that. So those are all very good resources.
Rachael Cruse: Thank you. Of those resources and in specific terms for outsourcing, what other services should nonprofits be thinking about when it comes to cybersecurity?
Robert Ramsay: Yeah. Almost every non-profit has a board, so you can start with your board and those are really invested volunteers. So you can find folks on your board that can help with security and technology. Ideally, the board can have a technology committee and you can find folks in the community that care about the mission, but also work on technology as a part of their day job. Then depending on the organization, if it’s in healthcare maybe you might want a cybersecurity person, because you’ve got so much sensitive information. Maybe not so much if healthcare data is not part of what your operation or your mission is all about.
Robert Ramsay: But yeah. Start with volunteers and board members and then service providers. So you probably have a law firm, they probably have someone who deals with some cybersecurity or privacy issues. Barnes Dennig would love to help. We help our non-profits with their 990s and their audits. As part of that, we often have an annual visit and help them with their IT security. So those are some easy starting places to go for resources.
Rachael Cruse: Thank you. Now we understand that service providers are maybe a once-a-year thing or every so often. What can non-profits be doing, maybe a checklist of sort of these are the key things on a monthly basis, or a quarterly basis, annual basis? Things that they can be doing and should be doing and keeping top of mind.
Robert Ramsay: That’s a good idea. I’m glad you brought that up. That list itself will be different for every organization kind of like I mentioned, with the healthcare place versus a group that’s less worried about privacy. But having a routine institutionalized method of dealing with security, maybe it can help with that fear. You’re doing something about it and you’re actually taking the proper steps. So we’re big fans of being policy driven, and putting these responsibilities in job descriptions and making sure they happen on a regular basis. That whole idea of a technology committee of the board could sort of help steer that. So that, that group gets together once a year and they can ask to see these checklists or whatever’s being done to help with some accountability and to make sure things don’t get forgotten or put off. So that’s a great idea. I like the checklists.
Rachael Cruse: Accountants, we love checklists.
Robert Ramsay: We do. We do.
Rachael Cruse: And finally, you talked about board members, volunteers. Who else in the organization, outside the organization should be aware, involved, concerned when it comes to cybersecurity?
Robert Ramsay: Yeah. Just general networking is huge. Non-profits are so good at that. We here at Barnes Dennig host events and we love to say how involved our non-profit clients can be in the whole collaborating and working together. It’s the same in the IT space. The kind of nerdy IT folks, we love getting together and sharing our nerdy IT stories. So whether it’s lunch or these events comparing notes with others is a huge resource and it’s really neat how non-profits will bend over backwards to help each other.
Rachael Cruse: Well, you’ve helped me alleviate some of my fears. Thank you. Hopefully there’s some others out there that aren’t as fearful when it comes to cybercrime or the hurdle of getting over the cybersecurity bump, getting started. Thank you for your time.
Robert Ramsay: Well great. Yeah. Thank you, Rachael.