Podcast Summary: The Smart Communications Podcast
Episode 198: "What do you need to know about cybersecurity?"
Host: Farra Trompeter (Big Duck)
Guest: Joshua Pesque (Co-founder, Meet the Moment)
Date: October 29, 2025
Episode Overview
This episode tackles a crucial subject for nonprofits: cybersecurity. Farra Trompeter of Big Duck welcomes Joshua Pesque—cybersecurity expert, co-founder of Meet the Moment, and the “3 CPO” (Chief Information, Security, and Program Officer, previously at Roundtable Technology). Together, they demystify why cybersecurity matters beyond the IT department, explore real risks and harms, how to prepare teams, and offer concrete steps nonprofits can take to prevent and respond to incidents.
Key Discussion Points & Insights
1. Why Nonprofit Communications, Marketing, and Fundraising Staff Need to Care
[02:18]
- Cybersecurity isn’t just for IT—it’s about protecting your organization’s work, donor funds, and the people you serve.
- It’s challenging to get buy-in because “the benefit is…bad things that don’t happen, which is very unexciting” (Joshua Pesque, [02:44]).
- Data breaches can harm vulnerable populations, destroy trust, and divert funds from mission work to crisis response and recovery.
Notable Quote:
“My job is…trying to tap into that why. And for me, it's really about protecting the work that you do as an organization, being a good steward of the funds…and probably most importantly, protecting the people that you are serving.”
— Joshua Pesque [03:30]
2. Concrete Examples of Cyber Threats
[06:15]
- The most common cybercrimes aren’t high-tech: often, “attackers simply call or email and ask for money—and get it.”
- Scams include vendor payment redirection, ransom/extortion, and social engineering (e.g., impersonating a leader to make urgent requests).
- Losses range from thousands to millions of dollars.
Notable Quote:
“It’s a lot easier just to, like, email your new employee…and say, ‘Hey, it’s me, Farra…I super need, like, $1,500 in gift cards…’ and next thing you know, your organization's out $1,500.”
— Joshua Pesque [08:23]
3. Protecting Data Means Protecting People & Culture
[09:11]
- It’s not only about donor or client data; HR files, volunteer details, and operational info are also at risk.
- Even organizations thinking “we don’t have sensitive info” usually do—staff records, donors’ credit cards, etc.
- Regulatory consequences (like GDPR) can be severe if data is breached.
"Reasonableness Standard"
- A practical way to evaluate your cybersecurity is to imagine explaining a breach to a former staff member—would your approach seem reasonable and responsible?
- “If it’s reasonably comfortable, then you’re probably at a reasonable level of cybersecurity.”
— Joshua Pesque [13:38]
4. Tabletop Exercises: Training for Real-World Scenarios
[14:20]
- Tabletop exercises are like an “escape room for cybersecurity incidents.”
- Gather team members who’d respond to an incident and walk through a realistic scenario (e.g., a staff account compromised).
- Helps identify gaps in plans, clarify roles, and practice calm, no-blame response.
“Tabletop exercise is giving your organization…a chance to really experience right of boom in a way that's safe and contained and then determine what we could do better…”
— Joshua Pesque [17:48]
Resources Mentioned:
- Free annual “Scary Stories” webinar by Roundtable Technology (around Halloween)
- Free eBook on tabletop exercise facilitation (“20 different tabletop scenarios”) from Roundtable Technology [19:54]
5. Practical First Steps for Nonprofit Staff
[20:50]
- For non-leadership staff:
  - Ask your org about cybersecurity expectations.
  - Model “see something, say something”—don’t fear reporting suspicious activity.
  - Avoid a “shoot the messenger” culture.
“An aware and well-trained staff…is the single best cybersecurity protection you can have. And conversely…afraid staff…is one of the biggest risks you can have.”
— Joshua Pesque [22:25]
- For leaders/IT:
  - Continuously assess and compare your protections to your current risks.
  - Not all orgs need the same level—know your threat model.
6. Effort vs. Cost: The Truth About Cybersecurity Investment
[25:00]
- Most protections are not expensive, but require sustained effort and culture change.
- Multi-factor authentication and staff training are often low or no cost.
- Leverage pro bono resources (e.g., Cyber Peace Institute’s Cyber Peace Builders).
- AI tools, used carefully, can help design and implement policies.
On Funding:
- No specific funders for cybersecurity, but most grant-makers support operational costs when justified as necessary.
- Embed cybersecurity expenses into operational or program budgets.
“I actually can't think of a single incidence where cost has been even one of the top three obstacles…it's almost always effort, change management skills or access to those skills.”
— Joshua Pesque [27:10]
7. Building Sustainable, Long-Term Security Practices
[29:20]
- Effective cybersecurity is about consistency and sustainability over time—not big, one-time overhauls.
- Small, continuous improvements and regular reviews prevent “falling behind” after a one-off push.
“If you listen to this and you're like, ‘Oh, gosh, we're so far behind. We need to, like, do 20 things in the next month’—stop. I want you to think about what system and process can we implement…to very slowly but consistently and sustainably review our risk...”
— Joshua Pesque [29:25]
- Upcoming resource: “Best Free 1 Hour Cybersecurity Awareness Training Ever” webinar every January by Roundtable Technology—fun, engaging, open to all [30:56].
Memorable Moments & Quotes
- On why cybersecurity isn’t exciting
  “The benefit...is in many ways bad things that don't happen, which is very unexciting.” — Joshua Pesque [02:44]
- On the human cost of breaches
  “Boy, that stinks, right, that we sort of betrayed their trust...by not safeguarding their information.” — Joshua Pesque [10:49]
- On the most common risks
  “Attackers...call or email and ask for money—and get it.” — Joshua Pesque [06:20]
- On ‘if you see something, say something’
  “An aware and well-trained staff...is the single best cybersecurity protection you can have.” — Joshua Pesque [22:25]
- On change management
  “What will be effective will be what is sustainable.” — Joshua Pesque [29:21]
Key Timestamps
- [02:18] — Why everyone (not just IT) should care about cybersecurity
- [06:15] — Real-world examples of cybercrime and scams
- [09:11] — Protecting data is protecting people, plus the “reasonableness standard”
- [14:20] — What is a tabletop exercise, and why is it useful?
- [20:50] — Practical steps for staff and leadership, “see something, say something,” avoiding shoot-the-messenger culture
- [25:00] — Cost vs. effort, funding, and leveraging pro bono/AI resources
- [29:20] — Building sustainable, long-term security processes
- [30:56] — Annual free cybersecurity training by Roundtable Technology
Resources Highlighted
- Roundtable Technology:
  - Free webinars: “Scary Stories” (Halloween), “Best Free 1 Hour Cybersecurity Awareness Training Ever” (January)
  - Free eBook on tabletop exercises
  - Weekly cybersecurity tips (roundtabletechnology.com)
- Cyber Peace Institute:
  - Pro bono Cyber Peace Builders program
- NTEN:
  - Classes, resources, and Nonprofit Technology Conference (nten.org)
- Meet the Moment:
  - Joshua Pesque’s new company, human-centered tech leadership (MTMnow.com)
Final Advice from Joshua Pesque
- Focus on building manageable, ongoing processes rather than overwhelming one-off efforts.
- Make cybersecurity an integral, continuous part of your organization’s operations.
- Take advantage of available free or low-cost resources and regular training opportunities.
By the episode’s end, nonprofits of all sizes and missions will have practical ways to get started, encouragement to build a supportive cybersecurity culture, and reassurance that sustainable progress (not perfection) is what actually keeps organizations and the people they serve safe.
