What do you need to know about cybersecurity?
Cybersecurity is everyone’s job. Farra Trompeter, co-director, talks with Joshua Peskay, co-founder of Meet the Moment, about practical ways nonprofits can reduce risk, protect sensitive data, and create a culture of awareness and care. From reasonable security standards to tabletop exercises, learn how to keep the mission and the people you serve safe.
Transcript
Farra Trompeter: Welcome to the Smart Communications Podcast. Today, we’re going to ask: What do you need to know about cybersecurity? And I am delighted to be joined by someone I consider one of the most expert voices on this topic in the nonprofit sector, Joshua Peskay. Joshua uses he/him pronouns and is co-founder of an exciting new company, Meet the Moment, where he helps mission-driven organizations manage security, rethink risk, harness AI responsibly, and thrive in a volatile world. Featured in the bestselling book AI for Nonprofits, Joshua blends human-centered ethics and irreverent humor to make complex tech challenges accessible and engaging. Before co-founding Meet the Moment with his longtime colleague and friend Kim Snyder in 2025, Joshua was most recently the 3CPO (Chief Information Officer, Chief Security Officer, Chief Program Officer) for RoundTable Technology. I’m also going to guess he’s a Star Wars fan. Josh, welcome to the show.
Josh Peskay: Thank you so much, Farra. It is delightful to be here, and I wish I could take full credit for thinking of the 3CPO, but it was actually a colleague of mine who suggested it at one point, and thought it was just a funny title, and I agreed. So I accepted it as my title from that point on. And it was very fun, not boring co-founder.
Farra Trompeter: You know we’ll think of a spicy new title for you as you get into your new company, and we’ll wait for year two for that one. Well, I want to start off with what might be a silly question, but I hope it brings people into this conversation. Why should nonprofit staff, especially those working in communications, marketing, and fundraising, care about this topic? We know our friends in IT get it, and I know it can be easy to just let those IT folks worry about cybersecurity, but it’s so much more than data breaches and phishing scams, right? So tell us, Joshua, why should folks tune into a conversation about cybersecurity?
Josh Peskay: First of all, I don’t think that’s at all a silly question, Farra. I think that’s exactly the right question. And one of the challenges of working in cybersecurity and risk management generally is, like: Why should anyone care? And when you think about it, it is a very hard thing for people to care about because the benefit of it is, in many ways, bad things that don’t happen, which is very unexciting, right? When you think of return on investment for effort that you put into something, if we get more donations, if we get more visitors to our website, if we get more engagement with our content, these are (A) things that are easy to measure and (B) things that are very clearly positive that we’re achieving that make us feel better. But when we improve our cybersecurity, we look at a number like, okay, 90% of our staff are now trained or up to date with their awareness training. What does that mean? We didn’t get any more money because of that. We didn’t serve any more people because of that. We’re just a little bit less likely to suffer some kind of cyber incident. And for you and for other staff people whose job this isn’t, I actually think that’s a great question of why should you care? And my job is, in many respects, trying to tap into that why.
Josh Peskay: And for me, it’s really about protecting the work that you do as an organization, being a good steward of the funds that are donated or granted or provided to your organization from wherever the money comes from. And probably most importantly, protecting the people that you are serving. So if you are serving vulnerable populations and, as part of that work, are collecting sensitive information about them, well, that sensitive information can often be used to cause them harm in various ways. And if you are not a good steward of that data, you’re creating additional risk for those folks that’s out of their control, and that’s not great for them.
Josh Peskay: And additionally, if you provide them with services that they depend on, if you have some kind of a cyber incident that takes up your resources or, even more, prevents you from operating in a meaningful way, now you can’t provide those services and have potentially created that exposure for them and are now spending funders’ money on recovering from an incident as opposed to delivering those services. All that’s pretty bad, right? And so much of it is very, very preventable, and if not preventable from a harm reduction standpoint, we can reduce the amount of harm that is done when we have incidents by good practices around cybersecurity. Hopefully that’s compelling. But honestly, Farra, I have to ask you, does any of that make you care?
Farra Trompeter: I mean, it does at a high level, of course, right? Like if I am working, I wouldn’t want anyone’s information to get out there and get in the wrong hands. I wouldn’t want people to get harmed, as you said. I wouldn’t want our, you know, our team or my clients’ teams to have to spend time doing something that is not necessarily achieving the mission, but is in responding to a threat or a risk. And I want to ask you, you know, I don’t want to scare anybody out there, but I want to drill down or make this even a little bit more real and concrete. I’m curious if there are any examples that come to mind when, you know, this happens when people don’t have a stronghold on protecting their systems or data, they get attacked. Maybe there’s a real-life example without naming names that you can offer just so people can get an even stronger picture in their minds about, you know, again, worst-case scenario, not that we’re trying to scare anyone, but just to imagine why this is part of what you need to know and care about.
Josh Peskay: The simplest example I think I can give is just simply money that leaves your organization. And there are various examples that you can read about in the news, but I sometimes joke that attackers, you know, we hear about cyber crime, we think of all this technical, you know, behind-the-scenes hacking and really sophisticated attacks. But honestly, one of the most frequent things I see is what I characterize as attackers simply calling the organization and asking them for money and getting it. And what that looks like in many respects is, “Hey, Farra, I am your vendor. You know your IT vendor, and you pay us like $1,000 a month. What happened is, our bank information changed. So here’s a PDF of our updated wire information or our ACH. So please make sure that you update that with your billing.”
Josh Peskay: And then three or four months later, you get a call from your actual IT vendor who says, “Why aren’t you paying us?” to which you say, “Well, we are paying you,” because that money is actually going to an attacker. And that can happen in so many different ways like that, and can involve sums of thousands, tens of thousands, hundreds of thousands, and in some cases millions of dollars. This is incredibly common. Primarily, what the risks are to nonprofits are cyber criminals who just want to take money from you. And what hits the news more often are things like ransomware and extortion. Ransomware is where they encrypt your data and then basically demand a ransom to give it back to you. I’m sure everybody’s heard of this on some level. And extortion is where they take the data and say, “Unless you give us money, we’re going to release all this data on the dark web or sell it and therefore besmirch your reputation, and also cause potential harm to those constituents whose data we have.”
Josh Peskay: That’s a lot of work for attackers, and they have to, you know, hope that folks pay. It’s a lot easier just to, like, email your new employee who just started last week and say, “Hey, you know, Jane, it’s me, Farra, I know you just started. I’m at this conference. I super need like $1,500 in gift cards that I can give away as prizes. So, can you please just get this done for me in the next hour and text me at this number when it’s done, right?” And the new employee maybe hasn’t gone through their training yet. Really eager to please and, you know, make sure the boss gets what she needs. And next thing you know, your organization’s out $1,500. And, it’s just all the time these things are happening.
Farra Trompeter: Okay. You’re getting me sufficiently concerned here. So now let’s pivot a little bit from data to people. In preparing for this conversation, you mentioned that protecting data is protecting humans, and that really stuck with me. And I’m curious if you can talk about what you meant by that saying. How does cybersecurity affect people and culture within organizations?
Josh Peskay: In many, many ways. First and foremost, think about your staff. So even organizations, let’s say I am the Kitty Crochet Collective, and we have donors, they donate $10-$50, but all we do is get their credit cards. We crochet sweaters for kittens to help them get adopted. We’re not dealing with, you know, incredibly sensitive information or sensitive populations. We’re not dealing with vulnerable folks. We’re not dealing with protected health information. So you say, “Oh, we don’t have anything, you know, of value or of sensitivity,” right? But you have, let’s say, 10 staff at the Kitty Crochet Collective. For all those staff you have somewhere, their social security numbers, all of their HR documents, their benefits plans, all of that information is somewhere on your systems. Let’s say you also have 50 volunteers that come in to crochet these sweaters. And those volunteers also have gone through some sort of background process, and you have, you know, personal information on them, their home addresses, their names, you know, other information about them.
Josh Peskay: So if this information becomes exposed, you’ve created additional vulnerability and risk for those 50 volunteers who have volunteered their time to help your mission. And boy, that stinks, right? That we sort of betrayed their trust in that way by not safeguarding their information. And for those 10 staff, right, if their information is exposed and it leads to identity theft and them being defrauded out of, you know, thousands or tens of thousands of dollars, that’s also a terrible consequence. And none of this even takes into account what regulatory fines you may be subject to, depending on the state of residence of these folks. If you’re fortunate or unfortunate enough in this case to employ or have volunteers from a European Union country, then they’re covered by what’s called GDPR or the General Data Protection Rule, which is very stringent and can come with very significant fines for organizations. So all of that is a significant impact.
Josh Peskay: For folks who find this stuff perplexing or wondering, “Well, how much security is the right amount of security?” There’s actually, I think, a great exercise, which I didn’t make up the term. It’s called the Reasonableness Standard. And the way I would characterize it is like this: let’s say Farra, that I was an employee at Big Duck and I worked there, you know, a year ago. And then I left to go join another organization, and it’s been a year, you know, since I worked at Big Duck. And then you have a security incident and you have to contact me and say, “Hey Josh, you know, here’s the information that was compromised in this incident. They got your name, they got your home address, they got your benefits information, you know, all this other stuff.”
Josh Peskay: And I said, “Oh, okay, well, you know, I left there a year ago. Why did you have it?” And you say, “Well, we just like to keep it forever, because you never know.” That’s not super reasonable, right? On the other hand, if you say, “We’re required by law to keep it for seven years, so we were going to keep it for seven years, and then we would delete it.” Okay, that’s reasonable. Then I ask, you know, “What were you doing to protect it in this case?” You say, “Oh, we have great security. Yeah, it’s awesome.” Not super reasonable, right? But on the other hand, if you say, “Well, last year we had a risk assessment done, they came up with, you know, eight things for us to remediate or fix. We were through six of the eight. The thing that got us and that ultimately compromised your information was actually thing number seven, which we were just a month away from correcting, but we hadn’t gotten to it yet. We notified you as soon as we found out about it. Here’s, you know, a year’s worth of identity, you know, monitoring and things like that. And, you know, please accept our apologies and know that we’re working very hard to correct these things.” That’s very reasonable.
Josh Peskay: And I think that the best guidance I can give folks is for your staff, for your volunteers, for your donors, for everything, put yourself in this situation of having to have that conversation, and kind of feel how comfortable or uncomfortable would you be having that conversation? And if it’s reasonably comfortable, then you’re probably at a reasonable level of cybersecurity. And if you’re like, “Oh gosh, that would be a horrible conversation to have,” then you probably have some work to do.
Farra Trompeter: Well, I want to talk more about those kinds of conversations in a minute, but I must put something out there. If anyone is out there connected to the Kitty Crochet Collective or a nonprofit that makes sweaters for cats, please be sure to call me. I would love to work with you. Okay, we’ve got to speak it into existence. Well, so that reasonableness exercise is interesting, and I imagine that can help people think about what to do in these scenarios. I know that there’s also another technique that I’ve heard you and other practitioners talk about, which is called tabletop exercises. Can you talk about what those tabletop exercises are? And, again, maybe offer an example.
Josh Peskay: Absolutely. A tabletop exercise is kind of like an escape room for cybersecurity incidents.
Farra Trompeter: You make it sound so fun / stressful.
Josh Peskay: I know! They can be fun, and they can also be stressful. The idea is to put yourself in a scenario and get a group of people at your organization that would be responsible for responding, and have them pretend as though this thing has happened. So if we were going to do this at Big Duck, say Farra, we would say you and anyone who has legal or HR responsibilities at Big Duck, people who have IT responsibilities. If you have something called an incident response plan, which we can talk about, that will often have roles assigned to it. So we’ll have like an HR lead, a legal lead, a technology lead, a security lead, and so forth. So all the people that are named in that, we want to make sure they’re all with us for about an hour once a year, which is not a lot, right? To commit to an hour once a year. And we’ll say, “Okay, we’re all going to pretend that we just found out that Jane, this employee that got hired six months ago, her account seems to have been compromised, you know, potentially a couple of weeks ago. And that the attacker has been emailing various clients of Big Duck, right? To change the billing information to get it routed to them.”
Farra Trompeter: Oh my gosh, this is one of my many nightmares. Keep going.
Josh Peskay: Right? And so we’ve discovered this because one of our clients, one of Big Duck’s clients, you know, let’s say it was RoundTable, who’s very cybersecurity savvy and is, I believe, now a client of Big Duck, right? So they say, you know, “Hey, Farra, we got this email from your employee, and it is really from their account. We checked that, and it really is emailed from their account. However, it really seems, by all accounts, to be some sort of a compromise. And we would be happy to help you look into this.” So that would be the start of the exercise. And now we basically say to you, Farra, and your team, “Go.” What do you do next? Who do you call? What actions do you take? What can you learn about the extent of this problem, and what it’s done?
Josh Peskay: And you spend the next hour kind of going through all that. And the crucial things about it are that it is not a “gotcha” exercise. You know, it is a no-blame, no-shame kind of thing. We are trying to evaluate not just our response, but all the things that we did or did not do leading up to this moment that help us with this current moment. In cybersecurity, there’s this term that’s sometimes referred to as “boom”, and then we have “left of boom” and “right of boom”. This is just the way you visualize them. So “boom” is the incident, is the moment you find out that this thing happened, okay?
Josh Peskay: And “left of boom” are all the things that you did to try to prevent this from happening and to prepare for it. So you made an incident response plan, you got notifications set up on your accounts, you enforced multifactor authentication to make it less likely that an account would be compromised. You trained your staff, all the preventative and preparatory things. And I think that many people, Farra, put all the eggs in that basket and say, “We just don’t want bad things to happen.” And then once the bad thing happens, “Ah, rats, we lost,” right? So not true in life, but it’s particularly not true in cybersecurity. What we do, the moment we find out, is super important, as well as that we find out. So in this case, you got lucky that you had this client, RoundTable, that notified you. It was great. It would’ve been even better if Jane had gone through her training, had noticed something funny, like, you know, “I clicked this link, I logged in…” and before any of this bad stuff had happened, you’d had someone look into it and say, “Oh yeah, this account got compromised. We need to go reset.” You know, before all the damage had been done.
Josh Peskay: Because the difference in, you know, seconds, minutes, hours, days, weeks for attackers having access to do stuff is huge. Alright? So how you respond matters a lot. And that’s the “right of boom”. And what the tabletop exercise is doing is giving your organization, again, in just an hour, once a year, a chance to really experience “right of boom” in a way that’s safe and contained, and then determine what we could do better. Not just in how we respond, but in what we set up and did before we responded. And that is, in a nutshell, a tabletop exercise.
Josh Peskay: I’ll give two quick plugs for RoundTable, if you happen to be listening to this. You know, in the month of September, October, around Halloween every year, RoundTable does a webinar that I usually participate in called Scary Stories, where we do a tabletop exercise often for an organization called the Zombie Rights Collective, who is a friend of the Kitty Crochet Collective, but in a different space.
Farra Trompeter: Hopefully the zombies aren’t coming to take over the kitties because I’m not into that.
Josh Peskay: No, the zombies are just, you know, trying to advocate for zombie rights and, you know, and equal rights. It’s much like the, what was the, like the High School Musical one with zombies?
Farra Trompeter: You know, Zac Efron’s cute, but I can’t say I know much about High School Musical.
Josh Peskay: All right, all right. I think it was also Zac Efron, or maybe not, in Zombies, I forget. Anyway, and so that is a very fun webinar. It gives you a chance. And then RoundTable also has a whole bunch of resources, including a free ebook around facilitating tabletops. It has like 20 different tabletop scenarios pre-written for you. So there are lots of free resources, and I cannot recommend this exercise enough to organizations.
Farra Trompeter: Great. We’ll link to that in the show notes at bigduck.com/insights so you can be sure to download those resources or participate in RoundTable’s webinars. So you mentioned the incident response plan, you talked about tabletop, we’ve been talking about a few different things. What are some other steps nonprofit staff can take to start investing in managing their organization’s approach to cybersecurity? Maybe what comes first, second, third? Like, what are some of the beginning steps if they’re not doing this actively now?
Josh Peskay: I think so much depends on your role in the organization. So if you’re not in an IT role or a leadership role or things like that, then what I would say is your best, you know, thing that you can do is ask your organization, you know, what they’re doing, what their expectations are of you around cybersecurity practices. You know, you don’t want to be an annoyance to your leadership, but you can ask gently, just, you know, “What is expected of me? I want to make sure I’m doing things right.” And in a very kind way, that can, if your organization has basically no answer to those questions, that probably will make your leadership slightly uncomfortable and might encourage them to sort of do some stuff.
Josh Peskay: The other thing is make sure you know, “If you see something, say something,” it’s a really boring kind of thing. But I often say that, you know, “An aware and well-trained staff at an organization is the single best cybersecurity protection you can have.” And conversely, an untrained and unaware, and even worse, afraid staff. Meaning, you know, if I worked for Big Duck, Farra, and you know, a year ago I clicked on something and I let you know, “I think I clicked on something,” and you just screamed at me for the next hour. Like, “How could you be so stupid? Why would you do that? Didn’t you take the training?” Right? You’re creating the “shoot the messenger” culture, which, from a risk management perspective, is one of the biggest risks you can have. So you want staff that know, “Hey, we want to hear from you. If you see something that’s weird, if you clicked something that you’re not sure you should have, if you open something that you’re not sure you should have, let us know so that we can take action.” And that is such a powerful thing. So just make sure that at least you’re, if you’re not in a position to effect change at your organization, just make sure you’re doing those things. And setting that example and asking questions. Again, not being annoying and telling people how to do their jobs, but doing that.
Josh Peskay: If you are in leadership or in IT, then it’s really about just doing this Reasonableness Standard. There are so many great resources out there. RoundTable has lots of great guides on kind of basic cybersecurity measures, self-assessments you can do to determine, you know, where you might want to improve. So I think that, you know, on the leadership side or on the IT side, it’s really about being continuously educated around what the current risks are and how our protections stack up against those risks for our organization. Again, the Kitty Crochet Collective and the immigration rights advocates for undocumented folks working in California in 2025, right, these are very different threat models and very different needs around the levels of cybersecurity that they’re going to want in place for the people that they’re working with and for their organization. So it’s not like everybody should be doing the same things. Understanding what your risks are and the level of effort that it makes sense for you to put into a reasonable standard is really the best approach there. Hope that’s helpful.
Farra Trompeter: Yeah, that’s helpful. I want to offer two other resources. One, I hope this podcast, right? Folks might be able to share the transcript or the conversation for other people in their organization to listen to and see what it provokes for them. I also want to shout out an organization that you and I both love and are connected to, which is NTEN. N-T-E-N.org has lots of resources and classes on this topic. Often, you and Kim and others are speaking on these topics at the annual NTC Nonprofit Technology Conference. So that’s another great place to look for ideas, trainings, blogs, et cetera on this topic. Before we wrap up, I just want to say, you know, all of this sounds like a lot of staffing work, a lot of people power, but also money. Given the current political climate and the rise in AI use, do you have any tips for how nonprofits can actually get funding to support doing more work related to cybersecurity?
Josh Peskay: I’ll actually push back a little bit on the money piece. It’s kind of a funny thing, Farra. Like, cybersecurity, for all of the effort that it can sometimes entail, is usually not a particularly expensive thing to do. It’s just effortful. It requires work. And it’s hard as someone from the outside who knows the things to do, but I can’t really come in and do them for your organization. Because I can’t, like, take the cybersecurity training for all of your staff. They need to take it, right? I can’t turn on multifactor authentication for all of your staff. You have to do that. And most of the things are relatively low-cost. And by that I mean either free, like turning on multi-factor authentication, or very low cost in the sense of $10-$50, you know, a month, a staff person, you know, throughout the year. So, and maybe for some of you that might sound very expensive, you know, in terms of what it would cost…
Farra Trompeter: I think it depends on how many staff you have, right? Certainly, those numbers could, could add up.
Josh Peskay: The numbers come down as you scale up and get to hundreds and thousands of staff. But, you know, if you’re a 10-person organization, you know, for $1,000 a year, you can have, you know, all the stuff that costs money that you need. It’s just the effort. And that is either educating yourself or getting an outside consultant. CyberPeace Builders, through the CyberPeace Institute, offers pro bono support, and that’s very helpful. And, honestly, I would say used responsibly, a lot of the current AI tools can be very helpful companions in helping you design and implement a cybersecurity strategy, but someone at your organization is going to have to kind of lead it and lead it on a continuous basis.
Josh Peskay: In terms of finding funding, there aren’t really, to my knowledge, specific funders. And also, this isn’t my area of expertise in terms of fundraising. However, I have found that many funders, when you put in operational expenses around this is the level of cybersecurity that we will need in order to provide these services or to perform this work appropriately, that funders are increasingly open to that. There’s less downward pressure on operational spend than there has been. And there is a huge amount of support for improving cybersecurity across nonprofits. And I personally work on so many initiatives with foundations and fiscal sponsors, and grant makers around improving the cybersecurity of their grantees or programs, or networks. And so there’s definitely a lot of support for that, I think. I actually can’t think of a single incident where cost has been even one of the top three obstacles to effective cybersecurity at organizations. It’s almost always effort, change management, skills, or access to those skills. Those are the challenges.
Farra Trompeter: I appreciate that. I love to be proven wrong when it comes to things costing a lot of money. And I also appreciate the tip of embedding it within your budget. Sometimes we see that with communications, too, that funders or donors may not fund communications or branding in and of itself. But if you explain that “We need to do this work as part of getting our work done, getting people to participate in our programs, getting the word out about what we’re doing so we can change hearts and minds, or change legislation,” then they start seeing it as an integral part of it so it becomes part of the budget, if not the leading thing. So that’s a great tip.
Farra Trompeter: Well, it’s always lovely learning and talking with you. If you are out there and you’d like to explore how Joshua’s company provides human-centered technology leadership for nonprofits, check out MTM.now (for Meet the Moment). Or you can follow Joshua on LinkedIn. We’ll be sure to connect that in the transcript. Joshua’s former company, RoundTable Technology, who we’ve mentioned a bit already, has a lot of useful resources available at RoundTableTechnology.com. They also send out these great weekly tips, cybersecurity tips of the week, and you can sign up for that as well. We’ll be sure to link to that. Well, Joshua, before we log off, is there any other final advice or insights you’d like to share?
Josh Peskay: Two things. Number one, around effective cybersecurity. Like so many things in life, what will be effective will be what is sustainable. So if you listen to this and you’re like, “Oh gosh, we’re so far behind, we need to like really like do 20 things in the next month.” Stop. I don’t want you to do that. I want you to think about what system and process can we implement at our nonprofit to very slowly but consistently and sustainably review our risk and complete items to make our risk more manageable and in alignment with what we want? Right? And if you do that, you may not notice a dramatic change in a month or two, but I can tell you from a huge amount of experience, that is the only way that in a year, two years, three years, in five years, your organization will be in a secure place. Because I have done so many risk assessments where I came in and gave people a laundry list of 20 things to do, they killed themselves for six months, and then five years later they came back to me and said, “Hey, can you do another risk assessment?” And they’ve fallen behind again; they did everything from five years ago, but then they didn’t continue because it was too much work. So make it an amount of work that fits with the organization, and that will be the most effective way to do it.
Josh Peskay: The second thing I’ll give is that if you happen to be listening to this near the end of any calendar year, RoundTable Technology for 11 or 12 years running has done a webinar called The Best Free One-Hour Cybersecurity Awareness Training Ever. It happens every year in January. They really do make it incredibly fun. They give out prizes. You can send your whole organization to it for free, as the title would suggest, and I cannot recommend that highly enough. So those are my two tips.
Farra Trompeter: Sounds like a date worth saving on the calendar. So everyone go to RoundTable, figure that out, get your spot. Well, everyone out there, have a safe day. And Josh, thanks again for being here.
Josh Peskay: Thank you. Been a pleasure.