
Learn how nonprofits can protect data, people, and missions from cyber threats, and why it's important to tune into this conversation about cybersecurity.
A
This is the Smart Communications Podcast, Developing the Voices of Determined Nonprofits. Brought to you by Big Duck.
B
Welcome to the Smart Communications Podcast. Today we're going to ask: what do you need to know about cyber security? And I am delighted to be joined by someone I consider one of the most expert voices on this topic in the nonprofit sector, Joshua Pesque. Joshua uses he/him pronouns and is co-founder of an exciting new company, Meet the Moment, where he helps mission-driven organizations manage security, rethink risk, harness AI responsibly, and thrive in a volatile world. Featured in the bestselling book AI for Nonprofits, Joshua blends human-centered ethics and irreverent humor to make complex tech challenges accessible and engaging. Before co-founding Meet the Moment with his longtime colleague and friend Kim Snyder in 2025, Josh was most recently the 3 CPO (Chief Information Officer, Chief Security Officer, and Chief Program Officer) for Roundtable Technology. I'm also going to guess he's a Star Wars fan. Josh, welcome to the show.
C
Thank you so much, Farra. It is delightful to be here, and I wish I could take full credit for thinking of the 3 CPO, but it was actually a colleague of mine who suggested it at one point and thought it was just a funny title, and I agreed. So I accepted it as my title from that point on and it was very fun. Now I'm just boring co-founder.
B
You know, we'll think of a spicy new title for you as you get into your new company, and we'll wait for year two for that one. Well, I want to start off with what might be a silly question, but I hope it brings people into this conversation. Why should nonprofit staff, especially those working in communications, marketing and fundraising, care about this topic? We know our friends in IT get it, and I know it can be easy to just let those IT folks worry about cybersecurity, but it's so much more than data breaches and phishing scams, right? So tell us, Joshua, why should folks tune into a conversation about cybersecurity?
C
First of all, I don't think that's at all a silly question, Farra. I think that's exactly the right question. And one of the challenges of working in cybersecurity and risk management generally is, like, why should anyone care? And when you think about it, it is a very hard thing for people to care about because the benefit of it is in many ways bad things that don't happen, which is very unexciting. Right? When you think of return on investment for effort that you put into something. If we get more donations, if we get more visitors to our website, if we get more engagement with our content, these are A, things that are easy to measure and B, things that are very clearly positive that we're achieving that make us feel better. But when we improve our cybersecurity, we look at a number like, okay, 90% of our staff are now trained or up to date with their awareness training. What does that mean? We didn't get any more money because of that. We didn't serve any more people because of that. We're just a little bit less likely to suffer some kind of cyber incident. And for you and for other staff people who this isn't their job, I actually think that's a great question of why should you care? And my job is in many respects trying to tap into that why. And for me, it's really about protecting the work that you do as an organization, being a good steward of the funds that are donated or granted or provided to your organization from wherever the money comes from, and probably most importantly, protecting the people that you are serving. So if you are serving vulnerable populations and as part of that work are collecting sensitive information about them, well, that sensitive information can often be used to cause them harm in various ways. And if you are not a good steward of that data, you're creating additional risk for those folks that's out of their control and that's not great for them.
And additionally, if you provide them with services that they depend on, if you have some kind of a cyber incident that takes up your resources or even more prevents you from operating in a meaningful way, now you can't provide those services and have potentially created that exposure for them and are now spending funders' money on recovering from an incident as opposed to delivering those services, all that's pretty bad, right? And so much of it is very, very preventable. And if not preventable, from a harm reduction standpoint, we can reduce the amount of harm that is done when we have incidents by good practices around cybersecurity. Hopefully that's compelling. But honestly, Farra, I have to ask you, does any of that make you care?
B
I mean, it does at a high level, of course, right? Like if I'm working, I wouldn't want anyone's information to get out there and get in the wrong hands. I wouldn't want people to get harmed, as you said. I wouldn't want our, you know, our team or my clients' teams to have to spend time doing something that is not necessarily achieving the mission, but is in responding to a threat or a risk. And I want to ask you, you know, I don't want to scare anybody out there, but I want to drill down or make this even a little bit more real and concrete. I'm curious if there are any examples that come to mind when, you know, this happens when people don't have a stronghold on protecting their systems or data, they get attacked. Maybe there's a real life example without naming names that you can offer, just so people can get an even stronger picture in their minds about, you know, again, worst case scenario. Not that we're trying to scare anyone, but just to imagine why this is part of what you need to know and care about.
C
The simplest example I think I can give is just simply money that leaves your organization. And there are various examples that you can read about in the news. But I sometimes joke that attackers, you know, we hear about cybercrime, we think of all this technical, you know, behind the scenes hacking and really sophisticated attacks. But honestly, one of the most frequent things I see is what I characterize as attackers simply calling the organization and asking them for money and getting it. And what that looks like in many respects is, hey, Farra, I'm your vendor, you know, your IT vendor, and you pay us like $1,000 a month. What happened is our bank information changed. So here's a PDF of our updated wire information or our ACH. So please make sure that you update that with your billing. And then three or four months later you get a call from your actual IT vendor who says, why aren't you paying us? To which you say, well, we are paying you, because that money is actually going to an attacker. And that can happen in so many different ways like that, and can involve sums of thousands, tens of thousands, hundreds of thousands, and in some cases millions of dollars. This is incredibly common. Primarily what the risks are to nonprofits are cybercriminals who just want to take money from you. And what hits the news more often are things like ransomware and extortion. Ransomware, where they encrypt your data and then basically demand a ransom to give it back to you. I'm sure everybody's heard of this on some level. And extortion is where they take the data and say, unless you give us money, we're going to release all this data on the dark web or sell it and therefore besmirch your reputation and also cause potential harm to those constituents whose data we have. That's a lot of work for attackers and they have to, you know, hope that folks pay.
It's a lot easier just to, like, email your new employee who just started last week and say, hey, you know, Jane, it's me, Farra. I know you just started at this conference. I super need, like, fifteen hundred dollars in gift cards that I can give away as prizes. So can you please just get this done for me in the next hour and text me at this number when it's done? Right. And the new employee maybe hasn't gone through their training yet, really eager to please and, you know, make sure the boss gets what she needs. And next thing you know, your organization's out 1500 bucks. But it's just all the time these things are happening.
B
Okay, you're getting me sufficiently concerned here. So now let's pivot a little bit from data to people. In preparing for this conversation, you mentioned that protecting data is protecting humans. That really stuck with me. I'm curious if you can talk about what you meant by that saying. How does cyber security affect people and culture within organizations?
C
In many, many ways. First and foremost, think about your staff. So even organizations, let's say I'm the Kitty Crochet Collective, and we have donors. They donate 10, $50, but all we do is get their credit cards. We crochet sweaters for kittens to help them get adopted.
B
We.
C
We're not dealing with incredibly sensitive information or sensitive populations. We're not dealing with vulnerable folks. We're not dealing with protected health information. So you say, oh, we don't have anything of value or of sensitivity. Right, but you have, let's say, 10 staff at the Kitty Crochet Collective. For all those staff, you have somewhere their Social Security numbers, all of their HR documents, their benefits plans. All of that information is somewhere on your systems. Let's say you also have 50 volunteers that come in to crochet these sweaters, and those volunteers also have gone through some sort of background process, and you have, you know, personal information on them, their home addresses, their names, you know, other information about them. So if this information becomes exposed, you've created additional vulnerability and risk for those 50 volunteers who have volunteered their time to help your mission. And, boy, that stinks, right, that we sort of betrayed their trust in that way by not safeguarding their information. And for those 10 staff, right, if their information, and it leads to identity theft and them being defrauded out of thousands or tens of thousands of dollars, that's also a terrible consequence. And none of this even takes into account what regulatory fines you may be subject to, depending on the state of residence of these folks. If you're fortunate or unfortunate enough in this case to employ or have volunteers from a European Union country, then they're covered by what's called GDPR or the General Data Protection Rule, which is very stringent and can come with very significant fines for organizations. So all of that is a significant impact. For folks who find this stuff perplexing or wondering, well, how much security is the right amount of security? There's actually, I think, a great exercise, which I didn't make up the term. It's called the reasonableness standard.
And the way I would characterize it is like this. Let's say, Farra, that I was an employee at Big Duck and I worked there, you know, a year ago, and then I left to go join another organization. And it's been a year, you know, since I worked at Big Duck. And then you have a security incident and you have to contact me and say, hey, Josh, you know, here's the information that was compromised in this incident. They got your name, they got your home address, they got your benefits information, you know, all this other stuff. And I said, oh, okay, well, you know, I left there a year ago. Why did you have it? And you say, well, we just like to keep it forever because you never know. That's not super reasonable. Right. On the other hand, if you say we're required by law to keep it for seven years, so we were going to keep it for seven years and then we would delete it. Okay, that's reasonable. Then I ask, you know, what were you doing to protect it in this case? You say, oh, we have great security. Yeah, it's awesome. Not super reasonable. Right. But on the other hand, if you say, well, last year we had a risk assessment done. They came up with, you know, eight things for us to remediate or fix. We were through six of the eight. The thing that got us and that ultimately compromised your information was actually thing number seven, which we were just a month away from correcting, but we hadn't gotten to it yet. We notified you as soon as we found out about it. Here's, you know, a year's worth of identity, you know, monitoring and things like that. And, you know, please accept our apologies and know that we're working very hard to correct these things. That's very reasonable. And I think that the best guidance I can give folks is for your staff, for your volunteers, for your donors, for everything. Put yourself in the situation of having to have that conversation and kind of feel, how comfortable or uncomfortable would you be having that conversation?
And if it's reasonably comfortable, then you're probably at a reasonable level of cyber security. And if you're like, oh, gosh, that would be a horrible conversation to have, you probably have some work to do.
B
Well, I want to talk more about those kind of conversations in a minute, but I must put something out there. If anyone is out there connected to the Kitty Crochet Collective or a nonprofit that makes sweaters for cats, please be sure to call me. I would love to work with you. Okay, we got to speak it into existence. Well, so that reasonableness exercise is interesting, and I imagine that can help people think about what to do in these scenarios. I know that there's also another technique that I've heard you and other practitioners talk about, which is called tabletop exercises. Can you talk about what those tabletop exercises are and again, maybe offer an example?
C
Absolutely. A tabletop exercise is kind of like an escape room for cybersecurity incidents.
B
You make it sound so fun.
C
I know.
B
And they slash stressful.
C
They can be fun, and they can also be stressful. The idea is to put yourself in a scenario and get a group of people at your organization that would be responsible for responding and have them pretend as though this thing has happened. So if we were going to do this at Big Duck, say, Farra, we would say you and anyone who has legal or HR responsibilities at Big Duck, people who have IT responsibilities, if you have something called an incident response plan, which we can talk about, that will often have roles assigned to it. So we'll have like an HR lead, a legal lead, a technology lead, a security lead, so forth. So all the people that are named in that, we want to make sure they're all with us for about an hour once a year, which is not a lot. Right. To commit to an hour once a year. And we'll say, okay, we're all going to pretend that we just found out that Jane, this employee that got hired six months ago, her account seems to have been compromised potentially a couple of weeks ago. And that the attacker has been emailing various clients of Big Duck, right, to change the billing information to get it routed to them.
B
Oh, my gosh, this is one of my many nightmares. Keep going.
C
And so we've discovered this because one of our clients, one of Big Duck's clients, you know, let's say it was Roundtable, who's very cybersecurity savvy and is, I believe, now a client of Big Duck, right? So they say, you know, hey, Farra, we got this email from your employee, and it is really from their account. We checked that, and it really is emailed from their account. However, it really seems, by all accounts, to be some sort of a compromise, and we would be happy to help you look into this. So that would be the start of the exercise. And now you basically say to you, Farra, and your team go, what do you do next? Who do you call? What actions do you take? What can you learn about the extent of this problem and what it's done? And you spend the next hour kind of going through all that. And the crucial things about it are that it is not a gotcha exercise. You know, it is a no blame, no shame kind of thing. We are trying to evaluate not just our response, but all the things that we did or did not do leading up to this moment that help us with this current moment. In cybersecurity, there's this term that's sometimes referred to as boom. And then we have left of boom and right of boom. This is just because the way you visualize them. So boom is the incident, is the moment you find out that this thing happened. And left of boom are all the things that you did to try to prevent this from happening and to prepare for it. So you made an incident response plan. You got notifications set up on your accounts. You enforced multi-factor authentication to make it less likely that an account would be compromised. You trained your staff, all the preventative and preparatory things. And I think that many people, Farra, put all the eggs in that basket and say, we just don't want bad things to happen. And then once the bad thing happens, rats, we lost. Right? So not true. And it's not true in life, but it's particularly not true in cybersecurity.
What we do the moment we find out is super important, as well as that we find out. So in this case, you got lucky that you had this client Roundtable that notified you. It's great. What would have been even better is if Jane had gone through her training, had noticed something funny like, you know, I clicked this link, I logged in, and before any of this bad stuff had happened, you'd had someone look into it and say, oh, yeah, this account got compromised. We need to go reset the. You know, before all the damage is done. Because the difference in, you know, seconds, minutes, hours, days, weeks for attackers having access to do stuff is huge. All right? So how you respond matters a lot. And that's the right of boom. And what the tabletop exercise is doing is giving your organization again in just an hour, once a year, a chance to really experience right of boom in a way that's safe and contained and then determine what we could do better, not just in how we respond, but in what we set up and did before we responded. And that is, in a nutshell, a tabletop exercise. I'll give two quick plugs for Roundtable. If you happen to be listening to this in the month of September, October, around Halloween every year, Roundtable does a webinar that I usually participate in called Scary Stories, where we do a tabletop exercise often for an organization called the Zombie Rights Collective, who is a friend of the Kitty Crochet Collective, but in a different space.
B
Hopefully the zombies aren't coming to take over the kitties, because I'm not into that.
C
No, no, no. The zombies are just, you know, trying to advocate for zombie rights and, you know, and equal. It's much like the, what was the, like the high school musical one with zombies.
B
I don't, you know, Zac Efron's cute, but I can't say I know much about high school.
C
All right, all right. I think it was also Zac Efron in Zombies. I forget. Anyway, and so that is a very fun webinar. Gives you a chance. And then Roundtable also has a whole bunch of resources, including a free ebook around facilitating tabletops. It has like 20 different tabletop scenarios pre written for you. So there are lots of free resources. And I cannot recommend this exercise enough to organizations. Great.
B
We'll link to that in the show notes at bigduck.com/insights so you can be sure to download those resources or participate in Roundtable's webinars. So you mentioned the incident response plan. You talked about tabletop. We've been talking about a few different things. What are some other steps nonprofit staff can take to start investing in managing their organization's approach to cybersecurity? Maybe what comes first, second, third? Like what's some of the beginning steps if they're not doing this actively now.
C
I think so much depends on your role in the organization. So if you're not in an IT role or a leadership role or things like that, then what I would say is your best thing that you can do is ask your organization what they're doing, what their expectations are of you around cybersecurity practices. You don't want to be an annoyance to your leadership, but you can ask gently just, you know, what is expected of me. I want to make sure I'm doing things right. And in a very kind way, that can, if your organization has basically no answer to those questions, that probably will make your leadership slightly uncomfortable and might encourage them to sort of do some stuff. The other thing is make sure, you know, if you see something, say something. It's a really boring kind of thing, but I often say that, you know, an aware and well trained staff at an organization is the single best cybersecurity protection you can have. And conversely, an untrained and unaware and even worse, afraid staff. Meaning, you know, if I work for Big Duck, Farra, and you know, a year ago, I clicked on something and I let you know, you know, I think I clicked on something and you just screamed at me for the next hour like, how can you be so stupid? Why would you do that? Didn't you take the training? Right. You're creating the shoot the messenger culture, which from a risk management perspective is one of the biggest risks you can have. So you want staff that know, hey, we want to hear from you. If you see something that's weird, if you clicked something that you're not sure you should have, if you open something that you're not sure you should have, let us know so that we can take action. And that is such a powerful thing. So just make sure that at least you're, if you're not in a position to effect change at your organization, just make sure you're doing those things and setting that example and asking questions.
Again, not being annoying and telling people how to do their jobs, but doing that. If you are in leadership or in IT, then it's really about just doing this reasonableness standard. There are so many great resources out there. Roundtable has lots of great guides on kind of basic cybersecurity measures, self-assessments you can do to determine where you might want to improve. So I think that on the leadership side or on the IT side, it's really about being continuously educated around what are the current risks and how do our protections stack up against those risks for our organization. Again, the Kitty Crochet Collective and the Immigration Rights Advocates for undocumented folks working in California in 2025. Right? These are very different threat models and very different needs around the levels of cybersecurity that they're going to want in place for the people that they're working with and for their organization. So it's not like everybody should be doing the same things. Understanding what your risks are and the level of effort that it makes sense for you to put into a reasonable standard is really the best approach. Hope that's helpful.
B
Yeah, that's helpful. I want to offer two other resources. One, I hope this podcast, right? Folks might be able to share the transcript or the conversation for other people in their organization to listen to and see what it provokes for them. I also want to shout out an organization that you and I both love and are connected to, which is NTEN, NTEN.org. NTEN has lots of resources and classes on this topic. Often you and Kim and others are speaking on these topics at the annual NTC, Nonprofit Technology Conference. So that's another great place to look for ideas, trainings, blogs, et cetera on this topic. Before we wrap up, I just want to say, you know, all of this sounds like a lot of staffing work, a lot of people power, but also money. Given the current political climate and the rise in AI use, do you have any tips for how nonprofits can actually get funding to support doing more work related to cybersecurity?
C
I'll actually push back a little bit on the money piece. It's kind of a funny thing, Farra. Like, cybersecurity, for all of the effort that it can sometimes entail, is usually not a particularly expensive thing to do. It's just effortful. It requires work and it's hard as someone from the outside who knows the things to do, but I can't really come in and do them for your organization because I can't like take the cybersecurity training for all of your staff. They need to take it. Right. I can't turn on multi-factor authentication for all of your staff. You have to do that. And most of the things are relatively low cost. And by that I mean either free, like turning on multi-factor authentication, or very low cost in the sense of 10 to $50, you know, a month, a staff person, you know, throughout the year. So, and maybe for some of you, that might sound very expensive. You know, in terms of the, what.
B
It would cost, I think it depends on how many, how many staff you have, right? That certainly those numbers could, could add.
C
And the numbers come down as you scale up and get to hundreds and thousands of staff. But you know, if you're a 10 person organization, you know, for $1,000 a year you can have, you know, all the stuff that costs money that you need. It's just the effort. And that is either educating yourself or getting an outside consultant. CyberPeace Builders through the CyberPeace Institute offers pro bono support. And that's very helpful and honestly, I would say used responsibly a lot of the current AI tools can be very helpful companions in helping you design and implement a cybersecurity strategy. But someone at your organization is going to have to kind of lead it and lead it on a continuous basis. In terms of finding funding, there aren't really, to my knowledge, specific funders and also this is my area of expertise in terms of fundraising. However, I have found that many funders, when you put in operational expenses around this is the level of cybersecurity that we will need in order to provide these services or to perform this work appropriately, that funders are increasingly open to that, there's less downward pressure on operational spend than there has been. And there is a huge amount of support for improving cybersecurity across nonprofits. And I personally work on so many initiatives with foundations and fiscal sponsors and grant makers around improving the cybersecurity of their grantees or programs or networks. And so there's definitely a lot of support for that, I think. I actually can't think of a single incidence where cost has been even one of the top three obstacles to effective cybersecurity organizations. It's almost always effort, change management skills or access to those skills. Those are the challenges.
B
I appreciate that. I love to be proven wrong when it comes to things costing a lot of money and I also appreciate the tip of embedding it within your budget. Sometimes we see that in communications too, that sometimes funders or donors may not fund communications or branding in and of itself. But if you explain that we need to do this work as part of getting our work done, getting people to participate in our programs, getting the word out about what we're doing so we can change hearts and minds or change legislation, then they start seeing it as an integral part of it, so it becomes part of the budget, if not the leading thing. So that's a great tip. Well, it's always lovely learning and talking with you. If you are out there and you'd like to explore how Joshua's company provides human-centered technology leadership for nonprofits, check out MTM for MeetTheMoment now. Or you can follow Joshua on LinkedIn. We'll be sure to connect that in the transcript. Joshua's former company, Roundtable Technology, who we've mentioned a bit already, has a lot of useful resources available at roundtabletechnology.com. They also send out these great weekly tips, Cybersecurity Tips of the Week, and you can sign up for that as well. We'll be sure to link to that. Well, Joshua, before we log off, is there any other final advice or insights you'd like to share?
C
Two things. Number one, around effective cybersecurity, like so many things in life, what will be effective will be what is sustainable. So if you listen to this and you're like, oh, gosh, we're so far behind. We need to, like, really, like, do 20 things in the next month. Stop. Like, I don't want you to do that. I want you to think about what system and process can we implement at our nonprofit to very slowly but consistently and sustainably review our risk and complete items to make our risk more manageable and in alignment with what we want. Right. And if you do that, you may not notice a dramatic change in a month or two. But I can tell you from a huge amount of experience, that is the only way that in a year, two years, three years, and five years, your organization will be in a secure place. Because I have done so many risk assessments where I came in and gave people a laundry list of 20 things to do, they killed themselves for six months. And then five years later they came back to me and said, hey, can you do another risk assessment? And they've fallen behind again. They did everything from five years ago, but then they didn't continue because it was too much work. So make it an amount of work that fits with your organization, and that will be the most effective way to do it. The second thing I'll give is that if you happen to be listening to this near the end of any calendar year, Roundtable Technology, for 11 or 12 years running, has done a webinar called The Best Free 1 Hour Cybersecurity Awareness Training Ever. It happens every year in January. They really do make it incredibly fun. They give out prizes. You can send your whole organization to it for free, as the title would suggest, and I cannot recommend that highly enough. So those are my two tips.
B
Sounds like a date worth saving on the calendar. So everyone go to Roundtable. Figure that out. Get your spot. Well, everyone out there, have a safe day. And Josh, thanks again for being here.
C
Thank you. Pleasure.
A
Are you a fan of this podcast or Big Duck's other resources on nonprofit communications? If you are, we'd love to hear from you. Please drop us a line by writing to hello@bigduck.com to tell us what you're working on and what topics you need help with. We also welcome getting your feedback via reviews. You can review this podcast wherever you listen. We'd love to hear from you.
B
This is the Smart Communications Podcast, Developing the Voices of Determined Nonprofits. Brought to you by Big Duck.
A
Big Duck is an agency that puts smart communications in the hands of nonprofits. We help our nonprofit clients develop strong brands, strong campaigns and strong teams that advance their missions and achieve their goals.
B
Connect with us at bigduck.com.
Episode 198: "What do you need to know about cybersecurity?"
Host: Farra Trompeter (Big Duck)
Guest: Joshua Pesque (Co-founder, Meet the Moment)
Date: October 29, 2025
This episode tackles a crucial subject for nonprofits: cybersecurity. Farra Trompeter of Big Duck welcomes Joshua Pesque—cybersecurity expert, co-founder of Meet the Moment, and the “3 CPO” (Chief Information, Security, and Program Officer, previously at Roundtable Technology). Together, they demystify why cybersecurity matters beyond the IT department, explore real risks and harms, how to prepare teams, and offer concrete steps nonprofits can take to prevent and respond to incidents.
[02:18]
Notable Quote:
“My job is…trying to tap into that why. And for me, it's really about protecting the work that you do as an organization, being a good steward of the funds…and probably most importantly, protecting the people that you are serving.”
— Joshua Pesque [03:30]
[06:15]
Notable Quote:
“It’s a lot easier just to, like, email your new employee…and say, ‘Hey, it’s me, Farrah…I super need, like, $1,500 in gift cards…’ and next thing you know, your organization's out $1,500.”
— Joshua Pesque [08:23]
[09:11]
"Reasonableness Standard"
[14:20]
“Tabletop exercise is giving your organization…a chance to really experience right of boom in a way that's safe and contained and then determine what we could do better…”
— Joshua Pesque [17:48]
[20:50]
“An aware and well-trained staff…is the single best cybersecurity protection you can have. And conversely…afraid staff…is one of the biggest risks you can have.”
— Joshua Pesque [22:25]
[25:00]
On Funding:
“I actually can't think of a single incidence where cost has been even one of the top three obstacles…it's almost always effort, change management skills or access to those skills.”
— Joshua Pesque [27:10]
[29:20]
“If you listen to this and you're like, ‘Oh, gosh, we're so far behind. We need to, like, do 20 things in the next month’—stop. I want you to think about what system and process can we implement…to very slowly but consistently and sustainably review our risk...”
— Joshua Pesque [29:25]
On why cybersecurity isn’t exciting
“The benefit...is in many ways bad things that don't happen, which is very unexciting.” — Joshua Pesque [02:44]
On the human cost of breaches
“Boy, that stinks, right, that we sort of betrayed their trust...by not safeguarding their information.” — Joshua Pesque [10:49]
On the most common risks
“Attackers...call or email and ask for money—and get it.” — Joshua Pesque [06:20]
On ‘if you see something, say something’
“An aware and well-trained staff...is the single best cybersecurity protection you can have.” — Joshua Pesque [22:25]
On change management
“What will be effective will be what is sustainable.” — Joshua Pesque [29:21]
Resources mentioned: Roundtable Technology, Cyber Peace Institute, NTEN, Meet the Moment.
By the episode’s end, nonprofits of all sizes and missions will have practical ways to get started, encouragement to build a supportive cybersecurity culture, and reassurance that sustainable progress (not perfection) is what actually keeps organizations and the people they serve safe.