Technology Decision Makers


A group for those in nonprofit IT decision-making roles to connect with peers and share best practices. This Technology Decision Makers group is for nonprofit IT or MIS Directors/Managers as well as CIOs and CTOs to connect with their peers and share best practices. Topics for discussion include, but are not limited to: hardware and software management, product reviews, emerging technology, best practices, collaborating effectively with other departments, and management conundrums. Membership is restricted to IT staff at nonprofit organizations.

Sharing and Feedback - Phishing PHAQ

  • 1.  Sharing and Feedback - Phishing PHAQ

    Posted Oct 26, 2017 13:31
    I get asked about phishing so much and didn't really have a good single-source go-to for lay persons about what phishing is and how to deal with it. So I wrote up a 2-pager for sharing with colleagues and clients.

    Sharing it here for two purposes:

    1) In case it's useful to anyone else. All yours!
    2) Feedback - I'm going to post it on our blog, but wanted to see if I could get some feedback from pros first.

    Phishing PHAQ

    Whole thing below, link to the collaborative Google Doc above.

    --------------

    What is Phishing?


    'Phishing' is a method of fraud that involves tricking the victim into doing something, which could be volunteering information such as account names and passwords, wiring funds, or clicking links or opening attachments that have a payload of malicious software.


    Usually, phishing happens via email, but increasingly phishing can happen via text, Facebook, Skype and virtually any online platform. Money or data is then illegally extracted or malicious software is installed.


    How much harm can come from Phishing?


    The potential for harm is massive, in fact, it's virtually limitless. Some examples:


    • Ransomware attacks such as WannaCry and NotPetya.
    • Data breaches such as the DNC hack that influenced the 2016 US election

    If you want more, here's a list of the top ten phishing attacks JUST from the first half of 2017.


    Phishing sounds really bad! How can I protect my organization from phishing?


    The good news is there is a LOT you can do to protect yourself and your organization and it's not terribly expensive.


    There are several things you can do. Doing any of these (if you're not doing them already) will improve your chances of defending against phishing attacks. Doing ALL of them will make it highly unlikely that your organization will be severely impacted by phishing.


    • Security Awareness Training
    • Two-Factor Authentication (or 2FA)
    • Use Password Managers
    • Patch Management
    • Security add-ons (see below)
    • Reliable and tested Backups
    • Incident Response Planning
    • Properly configured SPF and DKIM records (ask your IT department or provider to help with this!)






    What should I do if I receive an email I suspect is a phishing email?


    Verify before clicking any links, replying or opening any attachments. Even if the email comes from a seemingly legitimate source. Even if it comes from a colleague. You can verify by calling the sender to ask if they did, indeed, send you this message.


    If the message does not pass verification, mark it as SPAM (or Junkmail). Simply deleting the email is also fine.


    Uh Oh! I clicked a link and/or opened an attachment in what I think was a phishing email. What should I do now?


    Report the incident to your IT support personnel immediately. Report it as an urgent, high priority ticket.


    I'd like to get additional protection for my email, what can I do?


    Review the list above about protecting your organization from phishing. If you would like to do even more, you can purchase add-on security services for modest fees typically ranging from $0.50-$10 per month per person depending on the service and the features chosen.  


    Additional Security Services for Email


    Big Two (Gmail and Office365)


    Office 365 Advanced Threat Protection

    Gmail (Google includes all protection at no additional cost in all service levels - Yay for Google!)


    A couple of well-regarded third-party tools

    Barracuda Essentials for Email Security

    The Email Laundry


    Further Reading


    This article (no, it's not a phish, but seriously, THANKS for asking!) has some good information about past phishing attacks and impact plus some other ideas for protecting against phishing.






    ------------------------------
    Joshua Peskay
    Vice President
    RoundTable Technology
    joshua@roundtabletechnology.com
    www.roundtabletechnology.com
    ------------------------------

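The post's checklist ends with "properly configured SPF and DKIM records" but does not say what "properly" looks like. The following is an added example (not from the original post or its author) that audits the two record types for the settings that quietly leave a domain spoofable: an SPF record that ends in `+all` or `?all`, or needs more than the 10 DNS lookups RFC 7208 allows, and a DKIM key record with an empty `p=` (revoked) or `t=y` (testing) tag. The sample records, domain names and the DKIM key blob are all constructed placeholders; the `audit_spf` and `audit_dkim` functions are the example's own.

```python
"""Audit SPF and DKIM TXT records for the weak settings that let phishers spoof a domain.

Added example, not code from the original post. All records below are constructed
for illustration (the DKIM p= blob is a placeholder, not a real key). To audit a
real domain, fetch the live records first, e.g.
    dig +short TXT example.org
    dig +short TXT selector._domainkey.example.org
and pass each string to audit_spf() / audit_dkim().
"""
import re

# RFC 7208 section 4.6.4: each of these terms costs the receiver a DNS lookup, and a
# record needing more than 10 lookups in total evaluates to "permerror" (no protection).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def audit_spf(record):
    """Return the 'all' qualifier, lookup count and findings for one SPF record.

    'strong' is True only when unlisted senders fail (-all) or soft-fail (~all),
    or the policy is delegated with redirect=, and nothing else undermines that.
    """
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "strong": False, "all": None,
                "dns_lookups": 0, "findings": ["missing v=spf1 version tag"]}

    all_qualifier = None
    has_redirect = False
    lookups = 0
    for term in terms[1:]:
        qualifier = "+"                       # RFC 7208: the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        elif name == "ptr":
            findings.append("ptr mechanism is deprecated and slow; use ip4/ip6/include instead")
        elif name == "all":
            all_qualifier = qualifier
            break                             # terms after 'all' are never evaluated

    if all_qualifier == "+":
        findings.append("+all passes every sender on the internet; the record blocks nothing")
    elif all_qualifier == "?":
        findings.append("?all is neutral; receivers will not reject spoofed mail")
    elif all_qualifier is None and not has_redirect:
        findings.append("no 'all' mechanism; unlisted senders get a neutral result")
    if lookups > MAX_LOOKUPS:
        findings.append("%d DNS lookups exceeds the limit of %d; receivers return permerror"
                        % (lookups, MAX_LOOKUPS))

    return {"valid": True, "all": all_qualifier, "dns_lookups": lookups,
            "findings": findings, "strong": not findings}


def audit_dkim(record):
    """Parse a DKIM key record (RFC 6376 section 3.6.1) and flag keys that cannot verify."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unexpected version tag %r" % tags["v"])
    if not tags.get("p"):
        findings.append("empty p= tag: the key is revoked, so signatures will never verify")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing mode, receivers may treat failures like unsigned mail")
    if tags.get("k", "rsa").lower() not in ("rsa", "ed25519"):
        findings.append("unknown key type %r" % tags["k"])
    return {"tags": tags, "findings": findings, "usable": not findings}


# Constructed sample records; the domains and key material are placeholders.
SAMPLE_SPF = {
    "weak":    "v=spf1 include:_spf.example.net +all",
    "neutral": "v=spf1 a mx ?all",
    "good":    "v=spf1 include:_spf.example.net ~all",
    "bloated": "v=spf1 " + " ".join("include:vendor%d.example.net" % i for i in range(11)) + " -all",
}
SAMPLE_DKIM = {
    "good":    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDplaceholder",
    "revoked": "v=DKIM1; k=rsa; p=",
    "testing": "v=DKIM1; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDplaceholder",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_SPF.items():
        r = audit_spf(rec)
        print("SPF  %-8s strong=%-5s lookups=%-2d %s" % (label, r["strong"], r["dns_lookups"], r["findings"]))
    for label, rec in SAMPLE_DKIM.items():
        r = audit_dkim(rec)
        print("DKIM %-8s usable=%-5s %s" % (label, r["usable"], r["findings"]))
```

Running it prints one line per sample; only the `good` SPF record and the `good` DKIM record come back clean. The script deliberately does not resolve `include:` targets, so the lookup count is a lower bound: a real audit must follow each include (and the records it includes in turn) before concluding the 10-lookup limit is met.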

  • 2.  RE: Sharing and Feedback - Phishing PHAQ

    Posted Oct 31, 2017 20:43
    Thanks for sharing this, @Joshua Peskay! (I'm wondering if you'd like to pitch it as an article for NTEN. I think it would be a great resource to share with the larger community.)

    Related: There's a small bit about phishing in this great article about social engineering: https://www.nten.org/article/nonprofit-scam-security/.

    ------------------------------
    Bethany Lister
    Community Engagement Manager
    Nonprofit Technology Network
    bethany@nten.org
    ------------------------------



  • 3.  RE: Sharing and Feedback - Phishing PHAQ

    Posted Nov 03, 2017 22:55

    I think this is great and so glad you wrote it! I have the same struggle but have not taken the time to do this and now I don't have to. :)

    One thing I would add to this is to clarify/emphasize that even after taking the listed steps around 2FA, extra security services, VERIFY is still the most important. In fact I would put "Train yourself and everyone in your organization to verify the legitimacy of an email before clicking any links or opening any attachments" on the list in first position.


    On 10/26/17 10:30 AM, Joshua Peskay via NTEN: The Nonprofit Technology Network wrote:
    I get asked about phishing so much and didn't really have a good single-source go-to for lay persons about what phishing is and how to deal with...

    ------------------------------
    Lisa Jervis
    Principal
    Information Ecology: Strategic technology for progressive organizations
    https://iecology.org/
    My pronouns are she/her.
    Want to send me encrypted email? My public key is available at https://ecl.gy/lj-gpg.
    ------------------------------
