Technology Advisor Blog

Cybersecurity Starts Here: Identify What Matters Most

Posted by Ann Westerheim on 4/23/25 10:20 AM

Do small businesses need cybersecurity? YES! Data shows that half of all cyber attacks target small organizations, making them prime targets alongside large corporations. Major security breaches at Fortune 500 companies grab headlines, yet local businesses, nonprofits, and municipalities face ongoing threats that can expose donor databases, financial records, and private customer details. Each year, Verizon publishes the Data Breach Investigations Report, which is loaded with statistics on real-world breaches. Reports like this make it clear: small businesses aren't flying under the radar - they're in the crosshairs. Understanding real-world breach data helps you prepare, protect, and stay resilient.

Your organization's data protection strategy needs to focus on practical steps that defend against common attacks while keeping costs manageable. Small changes in how you handle information security can help maintain customer trust and keep operations running smoothly during challenging times. This guide shows you straightforward ways to protect your business without complex technical requirements.

Small Business Cybersecurity Essentials for Nonprofits

You might think your small business or nonprofit is under the radar when it comes to cybersecurity. You see the major national headlines and have a mistaken sense of security, thinking, "I'm not a target, so nobody's going to come after me." But the truth is, most cybersecurity attacks are indiscriminate. Criminals can, for example, send out millions of emails, needing only a few people to click on them.  They make up the money in volume.

Identifying Critical Data - This is the Starting Point

How can resource-constrained organizations like nonprofits determine which assets require the highest level of protection? The first step in cybersecurity planning is understanding what data you need to protect. Start by identifying the important information in your organization:

  • Donor database
  • Financial records
  • Intellectual property
  • Regulated sensitive information (e.g., PII covered by privacy laws, health data under HIPAA, payment card data under Payment Card Industry standards)

Remember, you cannot protect what you don't know exists, and data is the target. Do small businesses need cybersecurity? Absolutely, and it starts with understanding your critical data.

The CIA Triangle

A great visual for thinking about data protection is the CIA triangle, which stands for:

  • Confidentiality
  • Integrity
  • Availability

Imagine the consequences if you lost your entire donor list. Do you have a backup or workaround? Consider what data is essential to your daily operations, such as payroll. Ask yourself what would cause the most harm if lost, exposed, or altered.  This does not have to be an expensive process.  A direct conversation with your leadership team will help you identify what has the biggest impact to your organization.

Assessing Risks and Prioritizing Protection

Walk through these scenarios with your team from a risk-based perspective. Once you understand what data needs protection and why, you can prioritize and evaluate how it's stored. This information will help you create an incident response plan for your small business or nonprofit.

Technology experts can then translate your priorities into a data protection plan, but the starting point is truly understanding the assets you have that need to be protected, why they need protection, and the impact if they were lost, altered, or unavailable.  In a real incident response situation, you will be faced with the difficult decision about which systems need to be restored first, and others will need to wait.

First Steps in Nonprofit Data Protection

As a nonprofit organization, you need to identify the core data you're trying to protect. Start by listing all the types of data your organization collects or stores, such as donor information, employee information, financial data, and operational data. What data do you need to operate your organization effectively? Who are all your constituents?

Identifying Data Storage Locations

Next, identify where each type of data is stored:

  • Local PCs
  • Servers
  • Cloud storage
  • Paper documents
  • Emails
  • Employee-created Dropbox accounts

Data has a way of proliferating all over the place, so it's important to consider all possible locations.  Get your leadership team together to talk about this and map it out.  You'll be surprised by the results - data winds up travelling far over time!

Understanding Data Access

Understanding who has access to each data type is critically important. Over time, data gets stored in different places, and you may not necessarily know exactly who has access to what. In a crisis, not having this information can slow things down significantly.  The lost laptop?  What data was on it?  Was it encrypted?  

Classifying Data Sensitivity

Classify the data by labeling it according to sensitivity:

  • Public information
  • Internal use only
  • Confidential
  • Highly confidential

For example, in the case of nonprofits, you may have donors who wish to remain anonymous, and there could be serious implications if that data were leaked. They put their trust in you.  Think through all the data you have, including sensitive information about people in the community you may be working to help. Protect your employees by identifying what information you have, such as tax documents, social security numbers, and bank account numbers for direct deposit.


Regulatory Compliance

Highlight any data that is subject to regulatory compliance, such as personally identifiable information (PII) covered by state privacy laws. This could include social security numbers, bank account numbers for employees with direct deposit, and credit card information for donors who have contributed via your accounting system.

Mapping Data Flow

Map the data flow in your organization to figure out how data moves through your system. As an illustration, you may collect donations via a website, which then gets transferred into an accounting system. You may have a customer relationship management (CRM) system with detailed records about the home addresses of your donors, employees, and other constituents.

It's very important to identify any third-party vendors who may handle or store your information, such as cloud applications, and note where the data is shared externally, such as with accountants or marketing platforms.

Reviewing Access and Permissions

Review who has access and permissions to the data, restricting access to only those who absolutely need that information to do their job. This is where the trade-off between security and convenience comes into play. While it may be easier to trust people and let everybody have access, if one person's PC is compromised and they have access to all this data unnecessarily, it puts your organization at risk.

Confirm the use of strong passwords and multi-factor authentication, and ensure you're doing software maintenance, such as patch management on your systems.

Real-World Example

In one recent case, a cloud-hosted nonprofit donor management system had a cybersecurity incident. The local nonprofits using it were not at fault, but because the vendor held some of their data, each of them had to work out exactly what data was there.

Identifying all of this information ahead of time and understanding exactly what data is located where can save precious time in dealing with an incident. Just because you have a cybersecurity incident doesn't necessarily mean it's a breach - which has a special legal definition involving confirmed data exposure. If it's an actual breach, notification laws may be in effect, but it may just be an incident. In a case like this, it is very important to consult with your Cyber Insurance Provider (Yes, your organization should have cyber insurance!) and an attorney.

Documenting Your Findings

Document your findings by creating a simple inventory classification spreadsheet. You need to know what systems you have and where the data is located. This information will go into your cybersecurity plan, helping you decide what you need to protect and why.

The risk will guide the investment of how much security you put in place for different things. In an incident response situation, you'll need to identify which systems take priority to get up and running again. You may have to make a trade-off between your CRM system and your payroll system, for instance.

These are important things to think through ahead of time, but it all comes back to your data and the impact of losing confidentiality, integrity, or availability.
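As an added example that is not part of the original post, here is one way to turn that inventory spreadsheet into a worksheet: each asset carries its locations, who can reach it, a sensitivity label, a regulatory flag and CIA impact ratings, and the script derives a protect-first order from risk, a restore order from tolerable downtime, and a list of gaps to close before an incident. The assets, ratings and vendor name are constructed for illustration.

```python
from dataclasses import dataclass

SENSITIVITY = ["public", "internal", "confidential", "highly confidential"]
UNMANAGED = ("local pc", "dropbox", "paper", "email")  # copies outside central control

@dataclass
class DataAsset:
    name: str
    locations: list          # every place a copy lives
    access: list             # roles or people who can reach it
    sensitivity: str         # one of SENSITIVITY
    regulated: bool          # in scope for PII / HIPAA / PCI rules
    impact: dict             # loss of C, I, A rated 1 (low) .. 3 (severe)
    max_downtime_hours: int  # how long operations survive without it
    third_party: str = ""    # vendor holding a copy, if any

def risk_score(asset):
    """Higher means protect first: worst CIA impact, then sensitivity and regulation."""
    sens = SENSITIVITY.index(asset.sensitivity)
    return max(asset.impact.values()) * 3 + sens + (3 if asset.regulated else 0)

def protect_order(assets):
    """Order in which to spend the security budget."""
    return [a.name for a in sorted(assets, key=lambda a: -risk_score(a))]

def restore_order(assets):
    """Recovery sequence: shortest tolerable downtime first, then availability impact."""
    return [a.name for a in sorted(assets, key=lambda a: (a.max_downtime_hours, -a.impact["A"]))]

def findings(assets):
    """Gaps to settle before an incident, not during one."""
    out = []
    for a in assets:
        sensitive = SENSITIVITY.index(a.sensitivity) >= SENSITIVITY.index("confidential")
        for loc in a.locations:
            if sensitive and any(tag in loc.lower() for tag in UNMANAGED):
                out.append(f"{a.name}: copy in '{loc}' - confirm it is encrypted and backed up")
        if sensitive and "everyone" in (r.lower() for r in a.access):
            out.append(f"{a.name}: access is not limited to people who need it")
        if a.third_party:
            out.append(f"{a.name}: copy held by '{a.third_party}' - cover it in the incident plan")
    return out

# Constructed inventory for illustration only; the vendor name is a placeholder.
INVENTORY = [
    DataAsset("Donor database", ["cloud CRM", "local PC (development director)"],
              ["development team", "everyone"], "highly confidential", True,
              {"C": 3, "I": 2, "A": 2}, 72, "example-donor-management-vendor"),
    DataAsset("Payroll", ["cloud payroll service"], ["finance"],
              "highly confidential", True, {"C": 3, "I": 3, "A": 3}, 24),
    DataAsset("Accounting system", ["office server"], ["finance", "executive director"],
              "confidential", False, {"C": 2, "I": 3, "A": 3}, 48),
    DataAsset("Program brochures", ["website", "shared drive"], ["everyone"],
              "public", False, {"C": 1, "I": 1, "A": 1}, 336),
]
```

Note that the two orderings differ: the donor database ranks first for protection spend, but payroll is restored first because the organization tolerates the least downtime there.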

Staff Security Training Benefits

When you pull this all together, it's important to understand what data you have, where it's stored, who has access to it, and the business impact of losing the confidentiality, integrity, or availability of that data. With this knowledge, you can start to form a cybersecurity plan around that data.

Developing a Cybersecurity Plan

Your cybersecurity plan will include:

  • Implementing access controls
  • Using encryption to protect data
  • Monitoring for unauthorized access
  • Backing up critical data

The amount of time your organization can function without access to certain data will vary. There are many ways to back up data, some more expensive and complex than others but offering better protection. The cost of downtime will differ depending on your organization.

Understanding the business impact of losing data confidentiality, integrity, and availability is essential. Security controls should be matched to the value of the data and its risk profile, allowing you to make intelligent decisions about where to invest in security.

Creating an Incident Response Plan

All this data is used to formulate your incident response plan. You'll know which systems or data are critical, develop playbooks based on different threats, and define roles for who does what if data becomes unavailable or its integrity or confidentiality is at risk. This is part of the written information security plan, and the first step is appointing a point person.

Instead of starting with technology, buzzwords, and acronyms, begin with your data and develop a risk-driven cybersecurity strategy. This includes both a cybersecurity plan for protecting and defending data and an incident response plan for dealing with incidents. In today's world, there's a 50-50 chance you'll experience a cybersecurity incident, so an incident response plan is essential.

Cost-Effective Protection and Business Continuity

Other factors to consider include developing the most cost-effective protection by putting more cybersecurity measures around the most critical data. This allows you to allocate your budget effectively. For less critical data, where loss of access wouldn't cause regulatory issues or prevent operation, a different priority can be assigned.

Business continuity is the main goal of an incident response plan, ensuring you can continue operating after a cybersecurity incident. Stakeholder confidence is also important, especially for non-profits. Donors want to feel their money is being used wisely and that you are good stewards of their contributions.

Staff Training and Phishing Simulations

Building a staff cybersecurity training program and running phishing simulations can help. While no one thinks they'll click on a phishing link, simulated tests often prove otherwise. These tests should be used for education, not as a "gotcha" moment.

Employees should understand role-based responsibility for data access. Restricting access to only those who need it to do their job reduces your attack surface. Work with your team to understand best practices and explain the reasoning behind them to avoid employees feeling untrusted.

Developing a Security Culture

Developing behavioral changes will drive the development of a security culture. Encourage people to speak up if they think they've clicked on something suspicious, as this can help avoid harm. They should feel comfortable reporting incidents without fear of reprimand, fostering a collaborative approach to resolving issues.

Here's an example: We were recently called in after the fact when someone had clicked on a phishing link. They knew they shouldn't have clicked on it but thought everything seemed okay. However, they didn't realize that bad actors had gotten into their system. Fortunately, they had security controls in place to detect and respond, so the bad actors were stopped in their tracks minutes after trying to gain access and start doing harm. This is a common occurrence – folks think nothing bad happened, so it must be okay.

The Importance of Cybersecurity for Small Businesses

You might wonder, do small businesses need cybersecurity? Absolutely. Half of all cybersecurity incidents happen to small organizations, even if they don't make national news.

Another question that may come to mind is how to create an incident response plan for a small organization. It all starts with the data. Forget about the tech and buzzwords for a while and focus on the data as the first step in cybersecurity planning.

Small Business Incident Response Planning

As a small business owner or nonprofit, prioritizing cybersecurity is essential. According to the latest Verizon Data Breach Investigations Report, half of all cyber attacks target small businesses, with tactics, methods, and frequency mirroring what happens in enterprise organizations. The main difference is that major Fortune 500 companies make national news when they get hit, while small organizations typically don't. However, cyber incidents are happening locally all the time.

Maintaining Customer Trust

To create an incident response plan for your small business, begin by focusing on how to maintain customer trust through an effective backup and recovery strategy and a full risk-driven cybersecurity strategy. Look for cost-effective solutions that allow you to put the right strategic safeguards in place without wasting money unnecessarily. Ensure you are compliance-ready and meeting all state and industry compliance standards.

Consider implementing the following practical measures:

  • Cloud backup solutions with automated backup schedules
  • Strong physical security measures
  • Proper access controls

Communicate these measures to your stakeholders, as they are likely wondering what you are doing to protect their data and your ability to keep operating. Customers and donors have choices in where they spend their money, so showcasing your commitment to being good stewards of their trust is a great talking point.

The First Step in Cybersecurity Planning

Understanding fully what data you have, where it is located, and who has access to it is the first step in cybersecurity planning. Once you have this information, you can develop step-by-step protocols to recover in the event any piece of data is lost. Prioritize your plan based on the impact data loss would have on your organization.

For instance, payroll systems, accounting systems, donor lists, and databases with sensitive information may be top priorities. The key is to ensure you can continue to operate and fulfill your mission during a security incident without leading to a major loss of business.

Developing Playbooks

Develop playbooks for potential scenarios. What would happen if someone threatened to expose a donor list? How would you respond if you lost access to your accounting systems? Even a simple conversation and jotting down notes can be extremely relevant down the road.

Maintaining Stakeholder Confidence

By strategically investing in cost-effective protection, ensuring compliance readiness, and developing a strong business continuity plan, you can maintain high stakeholder confidence. Your donors, employees, clients, and all the organizations you work with want to know that you can continue to operate in the face of a cyber incident. Taking proactive steps now can save you significant headaches in the future.

Safeguard Your Business with Expert IT Support & Cybersecurity Solutions

Your business data faces ongoing threats, yet our team brings proven methods to build a cybersecurity plan that aligns with your budget and operations. We partner with you to map your information assets, put smart security controls in place, and develop response plans that maintain business continuity.
Want to work with us?  Our specialists guide you through each phase of improving your security practices, from assessment to implementation. Contact us today to schedule a security review and see how we can help protect your organization's future.  If we're a fit for each other, we'd love to work with you, but there's absolutely no obligation.  We love talking about technology and cybersecurity!

About the author:

Ann Westerheim, PhD is the Founder and President of Ekaru, a Technology Service Provider of cybersecurity and IT services for small and medium businesses in the greater Boston area.  Ann is an accomplished technology innovator and leader with three engineering degrees from MIT.  She has twenty years of high tech experience in research, advanced development, product development, and as an entrepreneur. Her career has spanned a vast range of technology endeavors including research in thin film semiconductors and superconductors, microprocessor fabrication, development of early Internet medical applications, and now focusing on the application of technology in business. She has an avid focus on the "last mile" of technology and decreasing the digital divide.

https://www.linkedin.com/in/annwesterheim/ 

Topics: small business, cybersecurity, incident response
