Technology Decision Makers

A group for those in nonprofit IT decision-making roles to connect with peers and share best practices. This Technology Decision Makers group is for nonprofit IT or MIS Directors/Managers as well as CIOs and CTOs to connect with their peers and share best practices. Topics for discussion include, but are not limited to: hardware and software management, product reviews, emerging technology, best practices, collaborating effectively with other departments, and management conundrums. Membership is restricted to IT staff at nonprofit organizations.

Attempted hack

  • 1.  Attempted hack

    Posted Mar 02, 2017 08:58
    Edited by Colin Boyle Mar 02, 2017 10:50

    My HR director came in with an e-mail allegedly from our CEO asking for a PDF of all of our employees W-2s for the year.

    It didn't come from our CEO and it was a bogus return e-mail but it was well constructed and it had to be someone with some knowledge of our internal structure.

    The good news is that Google Apps saw it for what it was and dropped it in spam.

    My guess is that it's someone that either knows us or someone that got his info off of our 990.

    You may want to share this story with the folks in payroll.



    ------------------------------
    Colin Boyle
    IT Director
    Manatee Community Action Agency
    Bradenton, FL
    ------------------------------

  • 2.  RE: Attempted hack

    Posted Mar 03, 2017 09:31
    We have had a similar email like that at our organization.  It was sent "from the President" of the org asking to wire money somewhere.  It was caught before anything happened, but we are now initiating a more intense and targeted education effort to make sure everyone in the organization knows how to spot phishing and social engineering exploits and is keeping their passwords strong and safe.

    Question to the group:  Does anyone have an education program they use for your staff?  Also, can anyone recommend tools to check password strength and send these sorts of emails to measure the effectiveness of the education?

    Thanks

    ------------------------------
    Brent Lamb
    Assistant VP – Information Systems
    KU Endowment Assoc
    Lawrence, KS
    ------------------------------


  • 3.  RE: Attempted hack

    Posted Mar 06, 2017 06:59
    We also received an email "From" the CEO, our CFO fell for it.  We were able to cancel the transaction before it was transferred.  I am also looking for a good education program (hopefully free).  I have a Lynda subscription, but did not find anything that quite matched.

    ------------------------------
    James Moore
    Chief Information Officer
    The National Beta Club
    Spartanburg, SC
    ------------------------------


  • 4.  RE: Attempted hack

    Posted Mar 06, 2017 08:31
    One of the training tools with both good videos and pro-active fake phishing email generation I have seen highly recommended is knowbe4.com.   We are looking into it now ourselves.

    Dan

    Dan Shenk-Evans | Director of IT | Capital Area Food Bank
    P. 202.644.9803 | M. 202.644.9800 | F. 202.527.1767
    4900 Puerto Rico NE, Washington DC 20017




  • 5.  RE: Attempted hack

    Posted Mar 06, 2017 10:23
    We use KnowBe4 and are very happy with it. We require two of the video courses for all new staff and we conduct a constant spoofed phishing campaign to identify those who need further training. Our approach to this is NEVER punitive.

    --Keith

    ------------------------------
    Keith Berner
    Director, Information Technology
    Freedom House
    Washington DC
    202.247.7003
    berner@freedomhouse.org
    ------------------------------


  • 6.  RE: Attempted hack

    Posted Mar 06, 2017 09:36
    Brent,

    I continue to iterate, but this is the slide deck I currently use for security awareness training both within RoundTable and for our clients. This entire community is welcome to copy it, change it, use it as you wish. We have found it to be very effective and we continue to iterate it with each new training.

    As for checking password strength, best would be to adopt a password management platform like LastPass or 1Password for your organization and then you can audit password strength, reuse, passwords that have been in breaches, etc.

    Best,

    -Joshua


    ------------------------------
    Joshua Peskay
    Vice President
    RoundTable Technology
    joshua@roundtabletechnology.com
    www.roundtabletechnology.com
    ------------------------------


  • 7.  RE: Attempted hack

    Posted Mar 06, 2017 10:33
    We've heard from organizations that have fallen for this hack, and where payments were sent out.

    In addition to training staff, we strongly urge a review of your payment and approval procedures. Among smaller organizations there sometimes isn't the separation of check-writing and check-signing duties, or there are relatively high single-approver limits. We are considering putting together a training webinar around email security that might be a good fit for your training needs. Can I reach out to you when we're ready to share it?

    ------------------------------
    Isaac Shalev
    http://www.sage70.com
    Stamford CT
    @Sage70
    isaac@sage70.com
    ------------------------------


  • 8.  RE: Attempted hack

    Posted Mar 07, 2017 08:54
    KnowBe4.com looks interesting.  Thanks so much for the great thoughts and suggestions!

    ------------------------------
    Brent Lamb
    Assistant VP – Information Systems
    KU Endowment Assoc
    Lawrence, KS
    ------------------------------


  • 9.  RE: Attempted hack

    Posted Mar 03, 2017 11:51
    I'm glad Google flagged it. My mother is a banker and the CFO of one of her clients fell for that. It was a major mess.

    ------------------------------
    Robert L. Weiner Consulting
    San Francisco, CA
    415/643-8955
    robert@rlweiner.com
    www.rlweiner.com
    Twitter: @robert_weiner

    Strategic Technology Advisors to Nonprofit and Educational Institutions
    ------------------------------


  • 10.  RE: Attempted hack

    Posted Mar 06, 2017 07:20
    I haven't used them, but KnowBe4.com does anti-phishing education and testing. I do follow their posts, which seem pretty informative.

    stu.sjouwerman@knowbe4.com



    ------------------------------
    Tom Anderson
    Founder
    IT4 Causes
    Midlothian, VA
    ------------------------------


  • 11.  RE: Attempted hack

    Posted Mar 09, 2017 21:08
    Edited by Richard McConnell Mar 09, 2017 21:13

    At BSR we have been using KnowBe4 Security Awareness training modules for almost a year, and also using their service to send out test phish emails, to see how many people clicked thru, entered info when prompted, etc.

    After KnowBe4 training, and test emails every couple of months, the number of staff falling for these (test) phishing emails has dropped dramatically. We have been very happy with the results.

    Also, in Office 365 Exchange Online Admin rules, we have created rules to block any spoof emails pretending to come from our CEO or CFO that originate from domains other than our own. In addition, we have created Office 365 Data Loss prevention (DLP) rules to block outbound emails containing sensitive personal information such as social security numbers.



    ------------------------------
    Richard McConnell
    Director, IT
    BSR
    San Francisco, CA
    ------------------------------
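    The two mail-flow controls Richard describes above (a rule that catches mail borrowing an executive's name from an outside domain, and a DLP rule that stops social security numbers leaving the organization), plus the mismatched return address Colin noticed in the first post, expressed as checks over constructed sample messages. This is an added illustration of the detection logic, not BSR's actual Exchange Online or DLP configuration; the domain, executive names and messages are assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example (not from the thread): the organisation's
# own domain and the executives whose display names a spoofer would borrow.
OUR_DOMAIN = "example.org"
PROTECTED_NAMES = {"jane doe", "john roe"}
# Formatted U.S. SSN, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def check_inbound(raw):
    """Flag an executive display name on an external sender, or a Reply-To
    that routes answers to a different domain than the visible sender."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    if name.strip().lower() in PROTECTED_NAMES and _domain(addr) != OUR_DOMAIN:
        findings.append("executive display name from external domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != _domain(addr):
        findings.append("reply-to domain differs from sender domain")
    return findings

def check_outbound(raw):
    """Mimic a DLP rule: block mail leaving the organisation that carries SSNs."""
    msg = message_from_string(raw)
    _, to = parseaddr(msg.get("To", ""))
    ssn_count = len(SSN_RE.findall(msg.get_payload()))
    external = _domain(to) != OUR_DOMAIN
    return {"external": external, "ssn_count": ssn_count,
            "block": external and ssn_count > 0}

# Constructed sample messages, modelled on the W-2 request in the thread.
INBOUND = """From: Jane Doe <jane.doe@example-payroll.com>
Reply-To: Jane Doe <reply@mail-relay.example.net>
To: hr@example.org
Subject: W-2 request

Please send me a PDF of all employee W-2s for the year.
"""
OUTBOUND = """From: hr@example.org
To: jane.doe@example-payroll.com
Subject: RE: W-2 request

Employee 1: 123-45-6789
Employee 2: 234-56-7890
"""
```

Running `check_inbound(INBOUND)` yields both findings, and `check_outbound(OUTBOUND)` reports two SSNs bound for an external recipient and blocks; the same reply sent to an internal address is allowed through.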


  • 12.  RE: Attempted hack

    Posted Mar 11, 2017 15:58

    All the suggestions are great; another thing I have seen put in place and recommend is to never respond to an email request from a coworker to move money or share documents with SSNs, bank/credit card #s, etc. without verbal confirmation. Email spoofing is a lot easier than voice spoofing!

    ------------------------------
    Lisa Jervis
    Principal
    Information Ecology: Strategic technology for progressive organizations
    https://iecology.org/
    My preferred pronouns are she/her.
    Want to send me encrypted email? My public key is available at https://ecl.gy/lj-gpg.
    ------------------------------