In today’s digital age, small businesses and nonprofits are becoming prime targets for cyber threats. With the rise in sophisticated hacking techniques and the increasing importance of data security, now more than ever it is crucial for organizations to understand the risks they face and how this impacts existing operations.

In this comprehensive guide, we’ll explore ten of the most common cyber threats that small businesses and nonprofits encounter. We’ll also provide you with valuable insights and resources to help you protect your organization from these threats.

1. Phishing Attacks

That sketchy email is probably sketchy.

Phishing attacks are a form of social engineering, and rely on clever tactics employed by cybercriminals to manipulate individuals into revealing personal information or taking harmful actions. These attacks often involve deceptive emails, messages, or websites designed to mimic legitimate sources, such as banks, social media platforms, or online retailers. The goal is to trick users into divulging sensitive information like passwords, credit card details, or personal identification.

Classic Phishing

In a classic phishing attack, cybercriminals send fraudulent emails that appear to originate from legitimate sources. These emails often mimic trusted organizations, such as banks, social media platforms, or government agencies. The goal is to trick recipients into clicking on malicious links, downloading harmful attachments, or providing personal information like login credentials or credit card details.

– Example –

Imagine receiving an email that appears to be from your bank, urgently requesting you to verify your account by clicking on a link and entering your username and password. The email includes the bank’s logo and formatting, making it look authentic. However, it’s a phishing attempt designed to steal your banking credentials. It could look a little something like this:

Subject: Urgent: Account Security Alert

Dear Customer,

We have detected unusual activity on your account that requires immediate action. Your account has been temporarily locked for security purposes.

Please click on the link below and enter your login credentials to verify your identity and unlock your account:

[Malicious Link]

Failure to verify your account within 24 hours will result in permanent account suspension.

Thank you for your cooperation.

Sincerely,
The Security Team

Potential Risk: Devastating. You really don’t want your banking information in the hands of criminals, right?

Mitigation: Don’t click or download anything suspicious. Ever. Employee training on recognizing phishing attempts, email filtering systems, and use of two-factor authentication (2FA) are an absolute must here.

2. Ransomware

Don’t end up being held hostage.

Ransomware attacks have become more sophisticated over the years, posing a significant threat to individuals and organizations alike. These attacks involve malicious actors encrypting data and demanding a ransom for its release. However, the landscape has evolved, and attackers are now employing more advanced tactics. In this blog post, we will explore the evolving nature of ransomware attacks, including the addition of data leakage as a means of extortion. We will also provide valuable insights on how to protect your data from these threats.

Wait, isn’t data encryption a good thing?

Data encryption allows you to protect data with a key – think of it as a super long, super strong password that makes data unreadable without it. Something as simple as “123 Elm St.” could become something like “68v/j6bLaZtpseMYr/xgJg==”. So, if a hacker tried to decrypt your client’s address, the data would be useless without the key. The problem is, that encryption ransomware attacks turn this problem around: imagine that the hacker is the only one with the key, and all of your data and files get turned into something like the example above.

All of your data and your files basically become unusable unless if you are able to obtain the decryption key from the attacker. Ouch.

– Example –

A healthcare facility experiences a ransomware attack that not only encrypts patient records but also exfiltrates sensitive medical information. Attackers threaten to publish this data on the dark web if the healthcare provider does not meet their ransom demands. Current ransomware demands are believed to average $740,000 USD per incident.

Recognizing Ransomware Attacks

Ransomware attacks can be difficult to detect until they’ve already taken hold of your systems.

Potential Risk: Years of data become inaccessible, a halt to your operations, and worst of all, the potential leak of all sensitive data, including customer data.

Mitigation: Regular data backups, up-to-date security software, employee education, and a robust incident response plan. Social engineering can play a huge role in the success of malware attacks – as it did in the September 2023 attack on MGM.

3. Malware Infections

Yup, computer viruses are still a thing.

Malware, short for malicious software, is a broad term encompassing a wide range of software programs designed with malicious intent. These programs infiltrate systems or devices, compromising their security and potentially causing harm. Understanding the types and methods of malware infections is vital for effective defense.

The Malware Landscape

The world of malware is vast and continually evolving. Common types of malware include viruses, worms, Trojans, ransomware, spyware, adware, and rootkits. Each type has unique characteristics and capabilities, but they share a common goal: to infiltrate and compromise systems.

– Example –

Consider a scenario where a user unknowingly downloads a seemingly harmless file attached to an email. The file contains a Trojan horse, a type of malware disguised as a legitimate program. Once executed, the Trojan opens a backdoor, allowing unauthorized access to the user’s device.

Potential Risk: Various types of malicious software that can damage systems or steal data.

Mitigation: Updated antivirus software, employee training, and regular software patching.

4. Weak Authentication

It’s time to give up on 123password – sorry.

Authentication is the process of verifying the identity of users, systems, or devices attempting to access digital resources. Weak authentication refers to authentication methods and practices that lack the robustness and security required to adequately protect against unauthorized access. Understanding the implications and consequences of weak authentication is fundamental to effective defense.

Imagine a scenario where an online banking platform relies on a simple username and a static password for authentication. An attacker who obtains or guesses a user’s password can access the victim’s account, potentially resulting in unauthorized transactions and financial losses.

Potential Risk: Weak passwords allow malicious third parties to gain access to your most important data, such as online banking or email.

Mitigation: Strong password policies, 2FA implementation, and regular password changes.

5. Unpatched Software and Hardware

Yes, waiting for Windows Update sucks. But you really, really need it.

Unpatched software and systems refer to computer programs and infrastructure components that have not received essential updates, patches, or security fixes. These unaddressed vulnerabilities are a prime target for cyber attackers seeking to exploit weaknesses for various malicious purposes. Understanding the significance and consequences of unpatched systems is crucial for effective defense.

Potential Risk: Data breach, downtime, and all sorts of nasty stuff.

Mitigation: Calendar regular system updates with your IT staff to work around downtime and ensure that updates are down in a prompt manner. Your OS probably has automatic settings to help you plan this.

6. Social Engineering

If someone calls saying that they are Bob from IT, really make sure that it’s Bob from IT.

Potential Risk: Digital apocalypse. Data breach, your most sensitive data being posted to socials, leaked to competitors, the media, and pretty much every terrible thing that you don’t want to see happen. Malicious actors could not only get your data, but also end up with full control of your IT systems, which in some cases could mean control over your business.

Mitigation: This one is scary – train your staff extensively, and consider implementing procedures and policies to mitigate risks from outsiders.

7. Data Breaches

Pretty much the last thing that you ever want to experience.

A data breach is an incident where an unauthorized party gains access to sensitive or confidential data, potentially compromising its confidentiality, integrity, or availability. Data breaches can occur through various means, including cyberattacks, insider threats, or accidental exposure. Understanding the implications and consequences of data breaches is crucial for effective defense.

The consequences? Many. We’ve gone over them in detail in our cyber security guide, which you can get for free here.

Potential Risk: Unauthorized access to sensitive data, leading to exposure or theft; being ridiculed in the media and lawsuits from your customers (ouch).

Mitigation: Encryption, data classification, and a robust incident response plan.

8. Shadow IT

Sometimes you can’t be the fun boss that allows for BYOD.

From a technical perspective, we would explain Shadow IT as: Shadow IT poses a multifaceted challenge in cybersecurity. It occurs when employees or departments within an organization adopt and use IT solutions without the knowledge or approval of the IT department or management. These unauthorized systems and applications can introduce vulnerabilities, complicate security efforts, and lead to various issues.

What it really boils down to is allowing employees to use unauthorized apps or hardware. Often, this may not be an issue, and mobile devices can blur the lines between work and personal items, but BYOD (Bring Your Own Device) can bring huge security risks into your business. Imagine someone connecting an out of date or compromised device to your network. This could wreak havoc on things, and quickly. You also need to watch out for well meaning employees who might use pirated or grey market software to create work for you – this can lead to unwanted ownership issues or liabilities.

Potential Risk: Unauthorized or unmonitored use of devices, software, or services within the organization which can lead to significant losses or breaches.

Mitigation: Establish clear IT policies and procedures, and regularly audit for compliance.

9. IoT Vulnerabilities

Your Smart TV might be great at Netflix, but not be so great at security.

The Internet has evolved way past connecting just computers and printers – we know have an Internet of Things (IoT). Watches, refrigerators, TVs, toys and all sorts of other devices now depend on connectivity for their core functions. The proliferation of Internet of Things (IoT) devices has ushered in a new era of interconnected convenience and efficiency. However, this interconnectedness comes with a significant cybersecurity challenge. IoT devices, ranging from smart home gadgets to industrial sensors, are vulnerable to various threats, which, when exploited, can lead to data breaches, service disruption, and even physical harm.

The reality is that a lot of IoT devices are built for fun, and not really for security. Many of these devices are built for features as a consumer electronic, without consideration as to how much data they can capture about you, or how they can represent a backdoor into your other devices. So you can imagine that adding one of these devices to an otherwise secure network can have some pretty nasty unintended consequences.

Understanding the dynamics of IoT vulnerabilities, learning from notable real-world examples, and knowing how to respond effectively are vital components of a comprehensive cybersecurity strategy. In this extensive guide, we will delve into the world of IoT vulnerabilities, explore real-world incidents, and equip you with the knowledge and strategies to understand, mitigate, and respond to this evolving cybersecurity challenge.

Potential Risk: Insecure Internet of Things (IoT) devices that can be exploited, causing threats that can cascade into more important systems.

Mitigation: Regular firmware updates, network segmentation, and strong access controls.

10. Out of Date Router

You know that router that’s just sitting in the corner all alone and neglected? You might want to check in with it every so often.

In the ever-evolving landscape of cybersecurity, unpatched software and systems pose a significant threat to individuals and organizations alike. These unaddressed vulnerabilities can be exploited by cybercriminals to gain unauthorized access, disrupt operations, or steal sensitive data. Bridging the vulnerability gap by staying up-to-date with patches and fixes is critical to maintaining robust cybersecurity. In this comprehensive guide, we will delve into the world of unpatched software and systems, explore real-world examples, and equip you with the knowledge and strategies to understand, mitigate, and respond to this pervasive cybersecurity challenge.

Threat: Exposing customer payment data to cybercriminals.

Mitigation: Payment Card Industry Data Security Standard (PCI DSS) compliance, secure payment processing, and encryption.

How to prepare and fight back.

By understanding these 10 common cyber threats and implementing the corresponding mitigation strategies, small businesses and nonprofits can significantly enhance their cybersecurity posture. While no organization is completely immune to cyber threats, proactive measures and a vigilant approach to security can go a long way in protecting valuable data and operations.

Remember, cybersecurity is an ongoing process, and it requires continuous monitoring, adaptation, and investment. Prioritizing cybersecurity not only safeguards your organization but also helps build trust with clients, donors, and stakeholders, reinforcing your commitment to security in an increasingly digital world.

In early 2019, Windows 7 reached end of life. This means that no security flaws,, no matter how serious or wide spread, will be patched.  And can you blame Microsoft? Windows 7 was released in 2009, so after 10 years it had to hit its expiry date.  

So what does end of life mean for you?  Basically, continuing to run Windows 7 means the following for your home or business:

• Severe Possibility of data breach
• Severe possibility of ransomware
• An unacceptable risk of general cyberattacks

But don’t worry!  You still have plenty of options.  Some may require new hardware purchases, although if you purchased a PC towards the end of Windows 7’s lifespan, then it might be able to run an updated OS, although with recent security flaws found in Intel hardware, a new device might be in order.

Now that you’ve decided to move past Windows 7, what comes next? Here’s our recommended options.

If you are working in a Microsoft centric environment: 

The obvious answer here is Windows 10.  A solid desktop from a major vendor (we prefer Lenovo, although offerings from HP and Dell are also solid choices) will run your new OS just fine, and Windows 10 is mature enough to integrate into your IT environment.  We recommend a device with at least 16GB of RAM ( 32GB or more if you will be creating media or carrying out heavy calculations), along with an SSD drive.  SSD drives provide a huge boost in performance, and really are a must these days.

Estimated Cost: A new PC (~$500+)

If you are working in a mixed environment, or as a solopreneur in a creative industry:

If your budget allows for it, now would be a great time to consider migrating to macOS.  Stability performance, and a great selection of software are just some of the benefits that Apple users enjoy.  Like our recommendation above, an SSD drive is a must.  If you’ve never used a Mac before, their ill be a learning curve, and a few items might seem odd or unintuitive, but the benefits definitely outweigh the negatives. The only caveat here is that Apple is planning to release its own CPUs inside of refreshed hardware, so you may want to delay purchasing a Macbook or Mac Mini until late 2020/early 2021, so this may not be ideal since that Windows 7 machine really needs to go now.

Estimated Cost: A new Apple device (~$700+)

If you are in a mixed environment, solopreneur, or running mainly from the cloud and want a cost effective solution that will let you keep your existing hardware:

This is an option that is met with initial resistance, but soon becomes a favourite: keep your hardware by using a Linux based OS – we highly recommend Ubuntu for first time Linux users.

Haven’t heard of Linux before? Don’t feel bad – it is best known for its use in servers, and makes up only a tiny sliver of the desktop market.  However, it is secure, super stable, and FREE.  Yup, free. All you need is a USB drive to download the image to, and a bit of expertise (or a willingness to learn) to get it setup.  If you need to continue using, or to resurrect older hardware, Linux is the way to go. It supports a wide range of hardware, and thanks to the cloud and a modern browser like Google Chrome, you can access Google Docs, Gmail, Office 365 (via the web), Zoom, Skype and so much more.  Its biggest downside is the lack of native Office 365 support.  If you are a Google Docs user and can do without MS Office, Linux can likely meet alll of your everyday needs.

Estimated cost: a USB drive, patience and some time.

Hopefully you’ll find an option here that meets your needs, but either way it’s time to retire your Windows 7 PC.  Still having trouble deciding? Just drop us a line – we’re glad to help.

Until the COVID-19 pandemic hit full-swing, many of us probably never considered working from home. Now, it has become a reality for many, with several small-medium enterprises scrambling to accommodate a wide range of needs and systems. While some businesses simply cannot operate remotely, many can. For those that cannot operate in a completely virtual manner, there might be a few lessons to help you through this crisis.

In the short-term, it is reasonable to expect some drops in productivity, delays, and maybe even a bit of confusion from team members who have never worked from home, but don’t worry! With a bit of tweaking, your organizational resources can be made to be flexible for both traditional and telecommute scenarios. Here are a few points to consider:

Work is an Important Part of Our Identity

Before we get into the technical stuff, remember that work is an important part of our lives and identities; we tend to crave the routines and socialization that work provides, so don’t lose focus of this as you build, design or tweak your existing systems. You can use videoconferencing or regular phone calls to maintain some cohesion and still have a bit of fun.

Expect Some Downtime

Unless if you designed your systems for remote work or cloud access from day 1, then expect downtime for training, account setup, and refresher courses. Training will likely become an ongoing task, but after some initial downtime, the results will materialize.

Less is More

I’ve seen so many scenarios where people have complex setups with on-site Windows servers, several different apps (many out of date or poorly supported), and workflows that get in the way of working offsite. Modern operating systems do great for supporting many functions out of the box, and unless if you are running a massive operation with several unique roles, you probably don’t need to worry about restricting user access too severely.

Effective Use of Social Media is Never a Time Waster

Many companies seek to limit the time that employees spend on social media, which aways confuses me. Social media is one of the most powerful marketing tools that we have available, and can also be a great way to communicate with stakeholders during this pandemic. It can also be another way to keep your team together – think of private facebook groups as just one way to use this for productivity and good.

Trust Your Team

Remember why you hired someone in the first place: you liked them, and came to trust them. So now isn’t the time to limit what they can do with their systems: users working from home can often find creative solutions that you may not have considered. Unfortunately, this creativity is limited when they can’t install printers, access USB drives, install practical apps, or access certain web resources.

Encourage BYOD

Don’t fall into the traditional mindset that a corporate, locked-down machine is most effective. If someone wants to use bring their own device (BYOD), let them, with one caveat: their setup must pass some basic security checks. This means an up to date instance of Windows 10 (Windows 7 hit end of life and is insecure), macOS, ChromeOS or Linux. Additional security software is always a plus, and if anyone will be working from somewhere like a coffee shop, then a VPN is always a good idea. This biggest challenge here is that many people still prefer Windows 7 over 10. Unfortunately, it just doesn’t cut it from a security perspective.

E-Mail is NOT a Conversation Tool

This is where I see most work-from home scenarios fall apart. E-Mail is not an effective way to have ongoing conversations. If you need to discuss something complex with your team, especially if you need quick feedback, then chat based tools are a good bet. Think of solutions like Skype, Google Hangouts, Slack, and Microsoft Teams. If all else fails, there is nothing wrong with a good old fashioned phone call.

Your In-House Setup is NOT Superior to the Cloud

Sorry people, but your elaborate windows server is likely not superior to the cloud, unless if you are Amazon, Google, Oracle or Microsoft. Even world class companies like Nintendo rely on Google to keep their infrastructure running. While you may have sunk countless dollars into server maintenance, training and updates over the years, it is time to recognize it as a sunk cost and move on.

This doesn’t mean ditch your infrastructure: this simply means moving it to the cloud where it can scale, perform and be managed in a secure manner.

You might think that your office is secure, but try breaking into Amazon’s data center.

Finally, during times of pandemic, you could lose access to your office space. A local non-profit recently lost access to its offices which were located within a municipally owned building. City Hall decided (rightfully so) to close this building to help fight the spread of COVID-19. This organization was left without physical access, but had virtual access to all of its data, records, and even its phone systems! Wouldn’t it be nice to be able to make sure that your servers are up and running from home, rather than trying to find someone to let you in to a locked down building?

The Cloud Can Be Cheap!

G Suite by Google provides your users with email, cloud storage and web-based document apps for less than $10 per user, per month. This has the added benefit of allowing your team to access all of their email, documents and other resources from virtually anywhere, and on any device.

Are you a Microsoft based organization? No problem – give Office 365 a try.

Less Really is More

This is something I can’t stress enough, especially when in the majority of organizations, most work can be done in a web browser. Chromebooks and Linux workstations can give you a modern, secure and high performing option. You might say “But I can’t get app X!”, but ask yourself, what are your typical users actually using on a daily basis? In my most recent digital transformation project, 80% of users were able to accomplish 100% of their tasks (yes literally everything they did on a daily basis) within Google Chrome.

Learn to Let Go

In challenging times like this COVID-19 pandemic, you can get by without your office. Sure, it may not be ideal, and even a little scary, but if you are willing to let go and put up with a few short-term headaches, you can transform your organization into one that can work from anywhere.