Even if a hack doesn’t bring operations to a screeching halt, the impact has ripples that affect productivity, effort, and an organization’s approach to cyber security and IT. After suffering a breach of their legacy server, a sports nonprofit based in Pennsylvania reached halfway across the country for the right solution.
“At the end of the day in a nonprofit,” says Executive Director M. M., “I just want to look my board members in the eyes and say we’ve done everything a reasonable and prudent nonprofit can do to do right by its membership.”
Anderson Technologies sat down with M. M. to discuss the hack and how it—and partnering with a managed IT services provider—changed everything for his almost-100-year-old sport association.
Too Big to Be Small, Too Small to Be Big
AT: Thank you for taking the time to chat with us. Your organization serves approximately 10,000 members across middle school, high school, and colleges. Could you tell us a little about what you do?
MM: We have three core competencies, if you will. Coaching development is the cornerstone of what we do. We really focus on developing transformational coaches in the educational environment, so primarily middle school, high school, and college coaches.
Secondly, our focus is on student well-being. We have a large number of first-generation college-bound students in our sport. We spend a lot of time coaching our coaches on how to make sure they do well academically, how to make sure they stay in school and graduate. We do a lot with sports performance, and nutrition.
The third area would be advocacy. Lobbying governing bodies for legislation and policies that will help grow our sport. One of the things we’re most happy about in that world is we’ve helped to establish 274 new college programs since 1999. With our large percentage of first-generation college-bound students, it provides access for so many students to go to college that otherwise wouldn’t have the chance.
AT: What does your day-to-day look like as Executive Director of the Association?
MM: My primary focus would be business development, fundraising, sponsorships, and a focus on revenue generation. We do have a small staff here of four full-time people and about 10 subcontractors that are strategically located around the country who I oversee on a day-to-day basis to execute the nonprofit’s mission.
Hackers Exhibit Un-sportsman-like Behavior
AT: Could you tell me about the event that led you to Anderson Technologies? I know that your association experienced a hack.
MM: We did. We got hacked back in October of 2020. We’re a typical small nonprofit. In a lot of ways, we’re too big to be small and too small to be big. Sometimes as an organization this size you become vulnerable to these types of things.
We’re not big enough to have a full time IT director, and the consequences of not having a full time IT director are things like getting hacked. Since that happened, we made the decision to outsource everything that’s not core to our mission.
That way, we can focus our time and energy on the things that we have the expertise to do, and outsource those critical things that aren’t central to our core mission but are certainly essential to the long-term success of our organization.” — M. M., Executive Director
AT: What events led up to the breach?
MM: We had an old legacy server that some time ago we had transferred all the data off of it and onto the cloud-based platform that we currently have. But, of course, no one ever told us to unplug the old legacy server. That’s what the hackers got into.
It wasn’t so much that the information they got was critical to us being able to operate, but we needed to know and ensure that no sensitive data was obtained. That obviously determines what we need to communicate out to anybody that may have had personal data compromised.
It was very disruptive and labor intensive. Expensive. The old adage that an ounce of prevention is worth a pound of cure certainly would have been the case.
AT: How did you respond to the hack?
MM: We followed standard protocol. We immediately contacted local police, contacted the FBI. And immediately I reached out to a network of IT experts that we have in our membership, asking for advice, including one of our advisors who referred us to Anderson Technologies.
AT: What did you expect when reaching out to Anderson Technologies? Did you have any previous good or bad IT vendor experience?
MM: We actually had some previous bad experiences. We’ve dealt with a single consultant in the past. My experience is, sometimes single consultants will take on more than they can handle, and things slip through the cracks. In that case, we didn’t have a well-defined statement of work spelling out what the consultant was doing and what they weren’t doing. We were paying for it, but it was never spelled out.
When something like that happens, that conversation quickly turns to ‘I didn’t know you wanted me to do this and that and the other thing.’ That’s why it’s important to dot the I’s and cross the T’s and have a well-defined statement of work so both parties are well aware of what’s being done.
A Different Approach and a New Solution
AT: How would you say that your organization’s approach to IT changed after the hack and partnering with Anderson Technologies? It sounds, unlike before, that you now have things well-defined and have someone taking ownership over IT?
MM: Our approach was: we made the decision that we’re going to outsource everything that’s not central to our core mission. We are going to avoid single consultants and try to work with a small firm—the biggest firm that we could afford—to provide us with the managed services that we needed. And their services will really go beyond the cybersecurity. We’re looking for someone that would become familiar with our entire internet platform, and could provide ongoing advice for us. The cyber security was the first step.
AT: Would you share more about your relationship with Anderson Technologies?
MM: We’re looking for Anderson Technologies to provide us with ongoing advice, and they’ve already done a terrific job. When we need a specific consultant in a specific area, we lean on Anderson Technologies to find that best option for us, help us interview that consultant.
Generally speaking, one of the things that’s changed is we have access to a smaller firm where there’s multiple people, as opposed to a single consultant. The challenge with single consultants is that they have a tendency to come and go, and in the IT world every time they go, you’re paying the next one a large sum of money to do more discovery. You end up starting back at square one over and over and over again.
AT: It sounds like it’s especially beneficial for nonprofits to have multiple people working together to take ownership of their IT infrastructure, rather than relying on a single person.
MM: What happens a lot of times to small nonprofits is, when you have different IT people working on different projects, eventually you wind up with pipes that don’t fit into each other.
I’ve learned the importance of having one IT general contractor who is the point person for any decision that you make that’s related to IT. It’s very complex, and being small, we can go out and hire our own IT person, but you end up with a lot of institutional knowledge in one person. If that person ends up retiring or leaving, it’s very disruptive to the organization. Whereas if you have an IT firm that you’re outsourcing it to, you have much better continuity, and it’s much less disruptive.
AT: We’ve definitely seen with other clients where their entire network was managed by one person, and when he leaves, they’re left wondering, ‘where do we even start?’
MM: Exactly. But if you can have two IT people, you have some redundancy in what you’re doing. I think it’s a far better strategy to outsource it to a firm, rather than a single person. You outsource it to a single person, you’re right back to the same problem as with a single staff member.
AT: How would you describe your interactions with our team?
MM: It’s really, really good. One of our concerns in the beginning was not having someone that was local. We all know that technology can be done remotely, but when you talk about setting up hardware, there’s an argument to be made that using a local firm can be an advantage. But Anderson Technologies has been great. We had a couple situations where it required Anderson Technologies sending experts to our office to set things up, and they really did a great job. We’re still early in our relationship, but we’re off to a great start.
Disruption vs. A Good Night’s Sleep
AT: I have one more question about the hack that you experienced. You said that there was a lot of downtime and a lot of frustrations. What was that like?
MM: It was very, very disruptive. Very costly in terms of actual cost and in staff time to fix the problem. It was months of disruption.
Anybody who thinks they can’t afford to outsource IT to a third party to protect them, they’ll spend far more trying to do it themselves. ” — M. M., Executive Director
AT: It seems many organizations learn that the hard way. How does it make you feel to know that you have stronger security measures in place now?
MM: Much better, I’m much better. At the end of the day, in a nonprofit, I just want to look my board members in the eyes and say we’ve done everything a reasonable and prudent nonprofit can do to do right by its membership.
You can never eliminate bad things from happening. But, God forbid, if it happened again, I’d feel pretty good saying this is what we did to mitigate this risk. We know the bad guys are pretty good at what they do, and you’re never fully protected. But at least we’re doing everything within our resources that we can do, and that’s a pretty good feeling at the end of the day.
Your organization doesn’t have to live through a hack or the loss of a trusted vendor or IT staff member to know that cybersecurity and IT can feel tumultuous. Are you curious about how Anderson Technologies can help you sleep better at night? We’d love to talk about solutions tailored to your needs.