Sean Eyre

Why WARGAMES?

Wargames—sometimes called decision games—are a time-tested means of evaluating your plans. Whether we’re talking miniatures skirmish games, script read-throughs, Model UN, or the military decision-making process, decision games give us a way to test our goals against an opponent’s without paying the cost of defeat.

If we’re going to practice cybersecurity, our goals are in conflict with someone else’s. Wargames give us a no-cost (or at worst, very low-cost) way to find out whether we are prepared, what we overlooked, what resources are missing, and so on.

Plus, they’re fun!

I recently had the pleasure of traveling to the International Conference of Computing in Missions – Europe, where I delivered an eight-hour workshop on building cybersecurity programs. Basically, a dump of the core tradecraft I use when serving as a virtual chief information security officer.

At the end of the class, we spent two hours doing table-top exercises—wargames—with the class of about 25 attendees. The game not only served as a fun way to end a long day, but also as a means to:

  • Drive home the importance of incident response. Have you planned and prepared for emergencies?

  • Highlight the multi-stakeholder nature of cybersecurity. Sure, the IT and cyber staffs may *want* to pull the plug on a compromised system, but what does that mean for the business/organization and the customers—or even the computers?

  • Teach an evidence-driven approach to analyzing and responding to situations. That hypothesis sounds realistic, but where do you get the data to prove that’s what is happening?

  • Teach teams to listen and share expertise between exercise attendees. Is there something a new professional sees because he’s fresh out of school or something the old hat sees because she’s been in the trenches before?

They’re also a great way to exhaust your remaining brain power quickly!

If you set your goals and outcomes in advance, wargames can be as simple as sitting around a table talking through actions and taking notes—something our teams can all afford to do a couple of times before we bother hiring a facilitator. The goal is normally to evaluate readiness or a specific plan, but you may not have a plan yet.

At the risk of sounding like I’m describing a magic bullet, wargames can also help you build a plan. Even if you have a small team—or even if you’re flying solo!—challenge yourself with a small problem like, “a user in marketing had their username and password stolen!” What do you do?

The odds are that your team already has an idea of what they’d do in response. It just hasn’t been written down yet. At this point, the goal of the wargame is to capture the knowledge floating around in each professional’s head so that the team can use it like a pre-surgery checklist in a real emergency.

  1. Take turns talking through what each person would do in response to the problem. Make *everyone* talk when it’s their turn (introverts can conceal a wealth of knowledge).

  2. Have a note taker write down the steps taken in response, whether right or wrong, in sequence.

  3. After the game, ask which “steps taken” were effective and what resources were needed or missing. Keep taking notes.

  4. Boil the list of steps taken down until it’s a simple checklist with broad steps (you can always add more details later).

  5. Take action to start fixing resource gaps where you’re able to.

Wargaming is a flexible tool that doesn’t have to be expensive or complicated. Hopefully this helps you figure out a few ways to plug exercises into your security, crisis response, and risk management processes!

Sean Eyre

Year in review

This year has FLOWN by! It's hard to believe it's already over... If you plan to donate to help us cover the cost of clients who need financial help in time for your 2023 tax return, please do so now!

Let's recap

Here are some of the crème de la crème highlights from what we got done this year:

  1. Covered a missionary agency's security monitoring system for a month while the existing security staff took a much-needed break

  2. Built out a cybersecurity roadmap for a missionary team and for a health care provider

  3. Revamped the cybersecurity policies for a major nonprofit helping alleviate poverty and homelessness

  4. Taught six missionaries how to build up their security posture during a one-day workshop at ICCM America

  5. Helped a church spring back in the aftermath of a computer breach

  6. Returned to Europe to provide security hygiene checks to 60 missionaries

  7. Wrote six "country studies" for missionaries deploying people and tech around the world

  8. Made a vendor security questionnaire to help nonprofits with vendor risk management

  9. Delivered countless gap assessments and made a self-assessment workbook

  10. Spoke at two missionary conferences on integrating cybersecurity into missions

And that's without the day-to-day work included! Your support has propelled us forward through this year and we cannot say thank you enough!

Up next

We have lots planned for next year! We aim to:

  1. Deliver another day-long training on improving cyber posture--this time at ICCM Europe in February

  2. Design and deploy a secure travel network for our annual conference and security hygiene trip in Europe next September

  3. Transform and improve our managed network monitoring system, which currently supports a couple campuses involved in anti-trafficking outreach and recovery

  4. Convert as much of our 20 hours of existing training material into on-demand classes as we can, so that people don't have to wait on us to learn

  5. Work with a business development professional to improve how we organize and talk about the business

  6. Add SIX clients to our docket of on-going cyber support (we're currently at one--do you know anyone who needs support?)

  7. Transform the team to drive towards long-lasting, repeatable impact

EOY giving and supporting operations in 2024

It's end of year giving season. If you plan to donate to help us cover the cost of clients who need financial help in time for your 2023 tax return, please do so by 31 December 2023.

We estimate that new operations in 2024 require we raise an additional $50,000 atop our currently pledged donations (we're predicting $16,000). If you or someone you know would like to donate to help, please do so here.

Thank you for all your continued support and prayers!

Sean Eyre

Turning the Course of Nonprofit Cyber

When talking to people about cybersecurity in the nonprofit space I frequently say, “The nonprofit sector is 15 years behind the power curve on cybersecurity.” I like to think that it’s provocative to say. But in all the times I’ve used it, I haven’t heard a single “Hey! That’s not fair!” in response.

Unfortunately, the nonprofit world is just waking up to this set of problems, and missionaries are no exception. So, let’s explore the drivers for security on the for-profit side of the house to see what lessons we can learn.

Drivers of Security

For-profit businesses have about seven drivers that force them to confront cybersecurity and quickly get on top of it:

  1. Breach – Getting breached, or watching a peer get breached, continues to be a major driver for businesses around the world. Paying the costs of a breach or a ransom and going through the stress of recovery is pain that many prefer to avoid, so businesses build programs to prevent and respond to breaches.

  2. Insurance – Insurance providers have lost a huge amount of money to cybersecurity failures because they miscalculated the risk. They are increasingly passing the cost of breaches on to the insured company in the form of high deductibles or high premiums, or refusing to issue a policy altogether, so establishing a cybersecurity program directly saves businesses money on their insurance.

  3. Mergers, Acquisitions, Private Equity, and other Investors – Investors of all forms, from seed funding to growth equity, want to know that businesses are exercising due diligence and managing risk responsibly, because they don’t want (overly) risky investments. Funding sources increasingly expect a minimal level of security and compliance before releasing funds, so businesses invest in cybersecurity to unlock more funding.

  4. Board Members – As board members move from company to company, they take their lessons learned, and their scar tissue, with them. Businesses invest in cybersecurity to exercise their fiduciary responsibilities and keep the board satisfied.

  5. New Customers – Customers have been burned by bad vendors in the past, when service providers failed to store private information properly or when data was lost and disclosed in a breach. As customers (particularly for business-to-business products) begin to question vendors’ security postures and demand specific security features, businesses adapt so that they can close bigger deals.

  6. Vendors – Security vendors constantly (cold-)call potential customers looking for new business. They play a minor role as a driver: they make sure no one can forget about the problem, and they produce most of the content about fixing security deficiencies.

  7. Compliance – Governments, industries, and professional organizations set standards that businesses must comply with. Compliance forces businesses to at least acknowledge the security problem, even if they are still often willing to bear the cost of a fine rather than invest in top-tier security.

Application to Nonprofits

I would argue that all of these can be drivers for nonprofits as well, but there’s work to be done to unlock each driver.

  1. Breach – High-profile breaches like Blackbaud and SiteStacker are making nonprofits aware of the risks to, and via, their donor management platforms. Ransomware spares no one. Attackers will drain a nonprofit’s or church’s bank account just like anyone else’s.

  2. Insurance – Many nonprofits already rely on insurance in other domains, so insurance is already a viable driver for cybersecurity adoption across the nonprofit sector. The desire to be insured in case of breach, or to drive the cost of insurance down, may help raise the level of security investment.

  3. Mergers, Acquisitions, Private Equity, and other Investors – Grantors and foundations play this role in the nonprofit sector, but I would argue that they aren’t yet working to help nonprofits improve their cyber efforts.

  4. Board Members – As experienced board members serve on multiple nonprofit boards, the number of boards that ask executive directors “What are we doing about cybersecurity?” will increase.

  5. New Customers – It’s possible (though unlikely?) that mass movements of donors and supporters will refuse to support a nonprofit if due diligence isn’t in place to prevent the loss of money to cyberattacks. It’s more likely that the nonprofits themselves will push THEIR software vendors to improve, to get ahead of third-party risk, in a process that looks more like enterprise sales. Which is why we wrote a vendor security questionnaire.

  6. Vendors – Security vendors can learn to speak “nonprofit”—and many are! (We’re one of them!) The advantage of traditional cybersecurity vendors is scale: a large customer base sustains demand for high-quality output and actually drives prices down, putting it within reach of budget-constrained organizations of all types.

  7. Compliance – Governments, industries, and professional organizations set standards that nonprofits must comply with too. Nonprofits are just businesses with a different fiduciary responsibility, so compliance can help drive adoption. Since most mission-driven teams have some level of budget constraint, we are less likely to see them behave like multinational banks that can eat a fine, and more likely to see proactive work to avoid fines.

Sean Eyre

Frameworks for Cyber Success

Nonprofits continue to lag on cybersecurity. Can frameworks help drive mission-driven cyber?

Cyber continues to lag in mission-driven spaces.

I read a few stats from Diligent this morning that reminded me just how much cybersecurity matters in the mission-driven and nonprofit space.

Here are a few from their "Key Stats that Boards Need to Know:"

  1. 50% of NGOs reported cyberattacks in 2021

  2. NGOs and Nonprofits raise $30 BILLION each year

  3. Only 25% of nonprofits monitor their networks

  4. Only 20% have a cybersecurity plan

Clearly there is more need than the cyber industry is able to provide for!

Let's get into the weeds a bit on how Ericius Security helps fix this.

Frameworks for success

There are a number of good cybersecurity frameworks for organizing defenses and IT risk management. The CIS Critical Security Controls and the ASD Essential Eight are popular, but I tend to lean on the National Institute of Standards and Technology's Cybersecurity Framework (CSF) crossed with the Cyber Defense Matrix (CDM) by Sounil Yu.

Why? The CSF is free. You can use it commercially, so you can apply it to your business. And it's thorough enough to handle organizations at every maturity level.

I cross it with the CDM to standardize the application of the CSF's functions across all types of IT assets, and to get a FAST picture of where a business's cyber program stands--two things the CDM was specifically designed to do and does EXCEPTIONALLY well.

The CSF provides the functions: Identify, Protect, Detect, Respond, and Recover.

[Figure: the five functions of the NIST Cybersecurity Framework]

(CSF 2.0, published in 2024, adds a sixth function, Govern. The matrix used here follows the five functions of CSF 1.1.)

The CDM standardizes the functions across five asset classes: Devices, Applications, Networks, Data, and Users.

[Figure: the five asset classes as defined in The Cyber Defense Matrix by Sounil Yu]

The resulting matrix allows us to produce a high-level view of the security program.

[Figure: an empty Cyber Defense Matrix, functions down the side and asset classes across the top]

Here's how it works when I run it:

Discovery - We talk through the business's goals followed by everything in the existing IT environment. What needs defending? How many users are there? How are finances supporting the mission? Where are the pain points?

Map Current State - We map the existing defensive capabilities onto the CDM

[Figure: a CDM with several cybersecurity capabilities mapped. The current state maps your existing cybersecurity capabilities onto the Cyber Defense Matrix]

Map Desired State - We map the business's goals onto the CDM and define requirements, then we provide some professional insight about noticeable gaps, opportunities for improvement, and places where complexity can be reduced

[Figure: a CDM with desired capabilities mapped. The desired state overlays new cybersecurity capabilities on the existing ones]

Develop an Approach - We design a three-step bridge from the current state to the desired state that the business can execute over the next year

[Figure: a simple approach to cyber improvement. The approach moves the current state to the desired state in steps]

Afterwards, we can either search for managed security services to fill gaps with the business, or we can do more detailed analysis, consulting, and program building--perhaps policies need to be written or a three year roadmap for growth needs to be designed.
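As an added illustration (not Ericius Security's tooling, and not code from the original post), here is a small Python model of the current-state/desired-state mapping described above. The CSF functions and CDM asset classes are the real ones; every capability name and the cells it claims are constructed sample data, and the "three steps" split is a simple ordering heuristic assumed for the example (Identify-type gaps first, Recover-type gaps last), not a method the post prescribes.

```python
"""Added example: a minimal Cyber Defense Matrix (NIST CSF 1.1 functions x
CDM asset classes) used to compare a current and a desired capability set
and to sketch a three-step approach. This is not Ericius Security's tooling
and not code from the original post; the capability names and the cells
they claim are constructed sample data."""

from itertools import product

FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]
ASSETS = ["Devices", "Applications", "Networks", "Data", "Users"]

# Constructed sample data: each capability claims one or more (function, asset)
# cells of the matrix. A real assessment would come out of the Discovery step.
CURRENT = {
    "Endpoint antivirus": [("Protect", "Devices"), ("Detect", "Devices")],
    "Firewall": [("Protect", "Networks")],
    "Cloud file backups": [("Recover", "Data")],
    "Password manager": [("Protect", "Users")],
}

DESIRED = {
    "Asset inventory": [("Identify", "Devices"), ("Identify", "Applications")],
    "Endpoint detection and response": [
        ("Protect", "Devices"), ("Detect", "Devices"), ("Respond", "Devices")],
    "Firewall": [("Protect", "Networks")],
    "Network monitoring": [("Detect", "Networks")],
    "Cloud file backups": [("Recover", "Data")],
    "Quarterly restore test": [("Recover", "Data"), ("Recover", "Applications")],
    "Password manager": [("Protect", "Users")],
    "Multi-factor authentication": [("Protect", "Users")],
    "Incident response plan": [("Respond", asset) for asset in ASSETS],
}


def build_matrix(capabilities):
    """Map every (function, asset) cell to the set of capabilities covering it.
    Rejects a cell name outside the matrix so typos do not silently vanish."""
    matrix = {cell: set() for cell in product(FUNCTIONS, ASSETS)}
    for name, cells in capabilities.items():
        for cell in cells:
            if cell not in matrix:
                raise ValueError(f"{name!r} claims unknown cell {cell!r}")
            matrix[cell].add(name)
    return matrix


def empty_cells(capabilities):
    """Cells with no capability at all: the quick 'where are we' view."""
    matrix = build_matrix(capabilities)
    return [cell for cell in product(FUNCTIONS, ASSETS) if not matrix[cell]]


def capability_gaps(current, desired):
    """Per cell, the desired capabilities the current state does not have."""
    cur, des = build_matrix(current), build_matrix(desired)
    return {cell: des[cell] - cur[cell] for cell in des if des[cell] - cur[cell]}


def render(capabilities):
    """Text grid of the matrix: capabilities per cell, '.' where there are none."""
    matrix = build_matrix(capabilities)
    width = max(len(f) for f in FUNCTIONS)
    lines = [" " * width + "".join(f"{a:>13}" for a in ASSETS)]
    for f in FUNCTIONS:
        lines.append(f"{f:<{width}}" + "".join(
            f"{len(matrix[(f, a)]) or '.':>13}" for a in ASSETS))
    return "\n".join(lines)


def three_step_approach(current, desired):
    """Split the missing capabilities into three steps, ordered by the earliest
    CSF function each one covers (Identify first, Recover last). The ordering
    is an assumption made for this example, not a prescribed method."""
    missing = [name for name in desired if name not in current]
    missing.sort(key=lambda n: min(FUNCTIONS.index(f) for f, _ in desired[n]))
    steps = [[], [], []]
    for i, name in enumerate(missing):
        steps[i * 3 // len(missing)].append(name)
    return steps


if __name__ == "__main__":
    print("Current state\n" + render(CURRENT))
    print("\nDesired state\n" + render(DESIRED))
    for cell, names in sorted(capability_gaps(CURRENT, DESIRED).items()):
        print(f"gap {cell}: {', '.join(sorted(names))}")
    for n, step in enumerate(three_step_approach(CURRENT, DESIRED), 1):
        print(f"step {n}: {', '.join(step)}")
```

Running it prints both grids, then one line per cell where the desired state claims a capability the current state lacks, then the three steps. The point of the model is the one the post makes: the matrix turns "we have antivirus and a firewall" into a picture that makes the empty Identify and Respond rows impossible to miss.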

If that sounds helpful to you or to a mission driven business you know, we've wrapped this all up in a DIY version that you can find here or you can always book a call to get help.

Sean Eyre

Investments in Nonprofit Cybersecurity

Can we find the “private equity” equivalent for nonprofit cyber?

This week, some musings on money, grants, and investors.

Eww. Money. What a gross topic.

Ericius Security has been working on cybersecurity for nonprofits now for just over five years. In that time I've learned a few things about the state of IT and cybersecurity in the nonprofit and missionary worlds.

One of my bigger observations is that modernization is holding back security. Many organizations are working with equipment that's too old: it's no longer supported by the manufacturer, the operating systems aren't receiving security updates, the firewall is past end of life, etc.

At the software level, we can sometimes fix this by applying new software atop aging hardware. But, from experience, running Windows 10 on a machine built for Windows XP… Well, it sucks.

The general advice is to replace computers every six years to keep up with degrading equipment, changing hardware capabilities, software requirements, etc. But let's face it: that's EXPENSIVE. And the further behind you get, the more expensive it becomes.

Security itself is also expensive. It takes time and hard work, which means hiring experts--either outsourced or onto staff. The hardware can be pricey, and the licenses are worse. And if you start ingesting and storing data in a Security Information and Event Management (SIEM) system… whoa boy, can the costs stack up fast!

Driving Security

One of the drivers of security in the for-profit world is investments. Investors (usually some variant of private equity) will reach a deal with a company trying to grow. The business gets some cash, but not for free. That cash comes with WORK. Work modernizing, work standardizing, fixing, improving, acquiring new people, businesses, tools, etc.

It seems to me that nonprofits and missions are missing this core driver.

Money that's freely spendable on cybersecurity is very limited. Most technology grant money is for software that departments outside IT and cyber are using--for example, accounting software. Tech grants for refurbished hardware are inherently a bit on the older side in exchange for being more affordable. They make a small dent in hardware/software modernization, but usually not enough. Available security-specific software and tools are usually severely limited--you can probably find an anti-virus suite, but good luck finding one of the best ones, much less endpoint detection and response (EDR) or a SIEM.

To make matters worse, when you buy a tool you buy the work. Nonprofits are flocking to open source tools because they are "free," only to spend hundreds upon hundreds of hours building, operating, and maintaining those systems. Organizations who can afford to buy top-tier software still have to deploy it, manage it, and use it. They need the people who do the work. And people in cybersecurity are BY FAR the most expensive cost, not just in terms of salary but also in terms of training.

If you get all the people and all the software, you then need to establish, strive for, and implement a cogent risk management framework. Many nonprofits (with the notable exception of those operating in the health care space) can be oblivious to their regulatory requirements or what standards they need to reach to establish prudence.

Fixing it?

What's missing in the nonprofit space is the private equity equivalent: an investor or set of investors that don't just have a pot of cash to throw at anyone who asks, but have the expertise and know the standards necessary to help nonprofits reach a level of prudent risk management. Not a handout, nor free chicken, but cash that can be spent broadly on needs like salaries should come with the expectation to demonstrate prudence and coaching on how to get there. Growth equity, but for cyber in missions.

It occurs to me that this is what many granting foundations already do, just not normally for cybersecurity. So if we collectively are going to solve cyber in missions, this is one of probably seven or so drivers that needs to be tuned.

But, speaking of musing: maybe I'm overlooking the people already fixing this driver. Know of anyone working on funding modernization and security for nonprofits or missions? Contact me at the email in our footer and let me know!
