Selecting a persona calibrates the guidance throughout the conversation.
The Pastor
Stewardship and trust, not threat. Lead with the weight of what they protect.
The Executive Director
Cost clarity is table stakes. Right-sizing is the differentiator.
The Operations Manager
She already knows what's broken. Speak peer-to-peer. Honor that.
The Volunteer IT Tech
Partner, not sidelined. Build on what he's already put in place.
The Board Chair
Brevity and credibility. Governance frame, not technical.
CYBERWISE
01 The Setup
Frame the problem, then land it in their world. Lead with curiosity, not conclusions.
Open with a question, not a pitch
Ask about their world first. "Tell me about how your organization handles technology day to day."
This is the most important moment. You are here to listen. Nobody asks them this. When you do, they relax.
Opening Questions
"Tell me a little about how your organization handles technology day to day. Who's involved? What's working?"
"What does a typical week look like for your team?"
"What's the mission? Who do you serve?"
For the Pastor
He talks about tech the way people talk about gutters. Ask about Mike, the streaming setup, the donor database. Listen for counseling files and children's ministry records.
For the Executive Director
Ask about the organization before the technology. Try: "If I asked your staff right now how to reach you in an emergency if your email went down, what would they say?"
For the Operations Manager
Listen for ten minutes while she tells you exactly what is not working. Take notes. Say: "Everything you've just described is exactly what the assessment is designed to surface."
For the Volunteer IT Tech
Ask what he's built and how it works. Be genuinely respectful. Do not lead with what he got wrong.
For the Board Chair
Do not try to be clever. Give her three things to know and one thing to do. Answer her questions directly.
Listen more than you talk. Let them tell you where the concerns are before you name them.
The Old World: Security by Obscurity
"Too small, too poor, too boring for hackers." Ten years ago, that was valid.
Talk Track
"For a long time, nonprofits operated on a philosophy I call 'Security by Obscurity.' The idea was: we are too small, too poor, and too boring for hackers to care about.
And honestly? Ten years ago, that was a perfectly valid strategy. Hackers were humans. They chose banks and big corporations because that's where the money was. You were safe because you were invisible."
The Shift: Automated Dragnets + AI
Bots don't know you're a nonprofit. They just know the door is unlocked. AI makes fakes too good to spot.
Talk Track
"The landscape has shifted, quietly but completely.
Bad actors now use bots that scan the internet 24 hours a day. The bot doesn't know you are a nonprofit; it only knows your digital door is unlocked. You aren't targeted because of who you are, but because of what you are: an opportunity.
Then came the AI factor. Today, AI allows attackers to write perfect, personalized emails to your staff in seconds. They can mimic your ED's writing style. They can clone voices for phone scams. The fakes are now too good for 'sharp eyes' alone."
The Data (pick one or two, don't stack)
NGOs: #2 most targeted. 68% of breaches = human element. 80% of donors stop giving after a breach.
Choose one or two that land for this person.
NGO sector: #2 most targeted by nation-state actors worldwide (31%), behind only IT. (Microsoft Digital Defense Report)
68% of breaches involved a human element: clicking a link, reusing a password. Not a tech problem; a people problem.
80% of donors say that if they become aware of a breach, they will not give. (give.org) This changes the math for any organization that depends on donor trust.
For a business, a breach costs money. For you, it costs trust. Trust is the one asset you can't buy back with insurance.
For the Pastor
Lead with the trust line. The donor stat lands if the church depends on congregational giving. He responds to story, not statistics.
For the Executive Director
The give.org donor stat is your strongest play. She lives in funder relationships. The 68% human element reframes security away from expensive tech.
For the Board Chair
The give.org stat and the NGO targeting stat together make the fiduciary case in two sentences.
The Stakes: Security by Stewardship
Reframe from tech problem to trust problem. Same care with digital keys as physical ones.
Key Reframe
"In the corporate world, a breach costs money. You pay the fine, fix the glitch, move on.
But you operate on a different currency: trust. The trust of a donor who writes a check. The trust of a volunteer who gives their time. If your data is leaked, or your email is used to scam your community, you can't write a check to fix that.
We need to move from 'Security by Obscurity' to 'Security by Stewardship.' It's not about becoming a fortress; it's about treating your digital keys with the same care you treat your physical keys."
Connect to Their World
Now land it in their reality. What does this threat look like specifically for their type of organization?
You've set the universal context. Now make it specific. Choose the org type and deliver the examples that hit differently.
What the AI threat looks like here
Fake emails from "The Pastor" using their specific language ("Blessings," "Season of Giving") to trick congregants into sending gift cards. It attacks their desire to be generous.
Staff pasting anonymous counseling notes into ChatGPT for a summary or prayer response. Once pasted, it's out of your control.
The Heart Risk: "Broken Promise"
If a hacker locks the finance computer, that's a headache. If counseling emails leak, or a grandmother is scammed using the Pastor's name, that destroys spiritual authority. Protect the digital flock with the same vigilance they use on Sunday.
What the AI threat looks like here
AI scrapes connections between staff, volunteers, and clients faster than a human could.
Overworked staff pasting case files into AI to "clean them up." If that file contains a survivor's location or a legal name, and the model learns from it, you have effectively published that secret.
The Heart Risk: "Physical Safety"
If the donor list leaks, do supporters face harassment? If the client list leaks, is someone found by the person they are fleeing? Digital security is the shield that allows this work. Make sure the shield holds.
What the AI threat looks like here
Ransomware automated by AI. Doesn't lock one computer; locks the whole network in minutes.
AI voice clones calling Accounts Payable pretending to be vendors, diverting funds needed for food or rent. Preys on the fact that the team is busy and helpful.
The Heart Risk: "Operational Downtime"
Imagine every screen red on a Tuesday. Can't check people in. Can't access case history. The people you serve can't afford for you to be offline. A digital hiccup becomes a humanitarian gap.
What the AI threat looks like here
AI writes perfect emails in the ED's voice. Voice cloning leaves voicemails: "I'm stuck in a meeting, please wire this payment."
Staff using AI for grant reports is fine, until someone uploads the entire major donor strategy into a public tool.
The Heart Risk: "Donor Trust"
If email scams the top 50 donors, you don't just lose money. You look unprofessional. That takes years to repair. 80% of donors say they won't give after becoming aware of a breach (give.org).
02 7-Point Snapshot
Seven questions that reveal more about security posture than most full audits.
1. Ownership
Is there one specific person named as responsible for IT security?
If No
If everyone owns it, no one owns it.
Quick Win
Name a "Dispatcher." One person who owns the relationship with IT.
2. Access
Does everyone use MFA on email?
If No
Passwords are dead. MFA stops 99.9% of automated attacks.
Quick Win
Turn it on for Finance and Director emails this week.
3. Offboarding
Do you have a checklist to remove access when staff leave?
If No
Old accounts pile up. Easiest backdoor.
Quick Win
Sticky note list of top 5 apps. Use it every departure.
4. Backups
Automated backups stored separate from your main network?
If No
Ransomware locks backups too if they're on the same network.
Quick Win
Check cloud backup for version history with 30-day rewind.
5. Privacy
Are sensitive docs in a central system, not personal devices?
If No
Can't secure a volunteer's personal laptop. They lose it, you lose the data.
Quick Win
One folder called "Confidential." Sensitive data lives only there.
6. Verification
Do staff call and verify financial requests before paying?
If No
The #1 scam. Relies on helpfulness, not hacking.
Quick Win
"I will never ask for money via email without a phone call first."
7. AI Safety
Clear rule against putting private data into public AI tools?
If No
AI learns from what you feed it. Don't feed it names, finances, or passwords.
Quick Win
One email: "Play with AI, but never paste names, finances, or passwords into it."
03 Closing Pivot
Move from the snapshot to the next step. Match your close to their readiness.
If 0-1 "No" answers
Top 10%. Emergency essentials covered. Next step is optimization.
Talk Track
"You are in the top 10% of organizations I see. The Foundations Assessment can help you build on that, but you're starting from strength."
If 2+ "No" answers
Open windows. Quick wins are temporary bandages. The full picture covers 14 domains.
Talk Track
"We have a few open windows here. The quick wins are temporary bandages. The Foundations Assessment gives you the complete picture: 14 domains across your technology, business practices, and people."
If donor trust came up: 80% of donors won't give after becoming aware of a breach. Closing those windows protects the relationships that fund the mission.
What the Full Assessment Covers
Three layers: Tech (locked?), Business (liable?), People (do they know?).
Talk Track
"The Foundations Assessment covers the three layers where risk lives:
The Tech: Website, email, devices, backups. The Business: Vendor contracts, insurance, finance systems. The People: Onboarding, policies, AI use."
What They Walk Away With
Report + Action Plan + Review Conversation. Never left staring at a document without guidance.
Talk Track
"You receive two clear tools:
The Foundations Report: Narrative summary across 14 domains. Plain English. The Action Plan: Prioritized by effort and impact.
And a review conversation. You will never be left staring at a document without guidance."
Fixed fee: $1,200 to $1,800. No surprises, no scope creep.
The Low-Pressure Close
No deadline, no urgency theater. The first step is a conversation, not a commitment.
Talk Track
"There's no deadline. The first step, if it feels right, is scheduling the assessment: 30 to 60 minutes with whoever knows how your organization operates day to day.
If this isn't the right moment, that's fine. I have something I'd like to leave with you."
Leave the Readiness Brief
Every conversation ends with something tangible. Link or print. Partnership without pressure.
Handoff Language
"I want to leave you with something. This is our Readiness Brief. It has the 7 questions we walked through, plus three readiness lenses: operational capacity, cultural appetite, and emotional bandwidth. You can share it with your board or team without needing me in the room."
Printed: Hand it over. Physical artifacts carry weight. A printed brief on the table is proof of investment in the relationship.
The Readiness Brief demonstrates the Cyberwise ethic: a self-assessment tool before the formal engagement, so they can decide for themselves.
For the Pastor
Printed version lands well. He'll put it in his stack. It surfaces when the board asks.
For the Executive Director
She'll share with ops manager and board chair. Point her to the pricing page.
For the Board Chair
Designed for her reading style. The 7-Point Reality Check is her decision tool.
04 Objection Handling
Every one is real, sympathetic, and understandable. None are arguments to be won.
"We don't have the budget."
What They Mean
Usually: "We haven't decided this is worth the money." Budget closes the conversation.
Response
Anchor in cost clarity. Fixed fee, no surprises. Reframe what security costs at their size. Most effective measures are simpler and more affordable. Some are free.
"It's too complicated. We don't have the capacity."
What They Mean
They've tried: jargon, unrealistic recommendations. Their skepticism is experience.
Response
Empathy first. 30-60 minutes, no technical background. "Built for small teams."
"We're worried about what we'll find."
What They Mean
Most honest objection. Not knowing feels safer. Deserves careful handling.
Response
Every organization has gaps. Clarity is almost always less frightening than the uncertainty.
"We're probably fine. No problems yet."
What They Mean
Optimism, motivated reasoning. Organizations unaware of a breach may still have had one.
Response
Validate first. Is confidence based on clarity or absence of visible problems? The 7-Point is the low-stakes entry.
"We know we should. Just haven't gotten to it."
What They Mean
The apathy-awareness gap. Immediate mission is always more visible.
Response
Reduce friction. One hour, no slide decks, no urgency theater.
"We have someone who handles that."
What They Mean
The IT Guy objection. Partially covered, almost certainly not completely.
Response
Never position as replacement. Leadership-level view that complements day-to-day IT. "Build on what you've already put in place."
05 Assessment Info
Quick reference when the conversation gets specific about process.
What it is
Guided discovery across 14 domains. 30-60 min. Standardized instrument, bespoke report.
14 core domains. The instrument is standardized. Only the report and action plan are bespoke.
What it is NOT
Not compliance audit. Not pass/fail. Not staff performance. Not how "behind" you are.
A reality-mapping tool. Use "clarity." Avoid "audit."
Deliverables
Report + Action Plan + Review Conversation + Path Forward.
Report: Narrative across 14 domains. On Track / Needing Attention / At Risk.
Action Plan: Immediate, short-term, long-term.
Review Conversation: Guided walk-through.
Path Forward: Partner or independent. No pressure.