Practice Makes Protected
How One LA Nonprofit Turned a Simulated Breach into a Confidence Boost
Story is how we explain the world to each other. Always has been. I write Stan’s Corner to help turn complex cybersecurity into something people can understand—and then do something about.
“Okay team,” said Aisha Morales, Executive Director of Nurture LA. “A donor just forwarded us an email that looks like it came from us—with their donation info attached. What do we do first?”
Jamal Reed, Development Director, frowned. “I’d probably reply to the donor, apologize, and call IT?”
Across the table, Maria Chen, Controller and Cybersecurity Leader, smiled. “Good instinct. But call me first. I’ll trigger our incident response plan.”
Jamal nodded. “Didn’t know we had one—but noted. Then what?”
“I’ll call IT to assess the situation,” Maria said. “We don’t notify the donor until we understand what’s going on. That’s Aisha’s call.”
Aisha leaned in. “Good. Don’t loop me in until you have facts. But if it looks bad, I want to know immediately. Then we decide who else to bring in. One question though—do I call the attorney or our insurance first?”
Maria grinned. “Attorney. They protect our legal position.”
“Makes sense,” Aisha said. “I’ll confirm that with her.”
Devon Patel, Head of IT, jumped in. “Running through this, I realized we don’t have a checklist for tracking what we investigate—timestamps, logs, data fields. We need to tighten that.”
“Exactly,” Maria said. “That’s what these tests are for—finding gaps before an attacker does.”
As the session wound down, the tension eased.
Jamal grinned. “Honestly, I thought this would be like a fire drill. But it’s actually fun figuring it out together.”
Aisha laughed. “Fun might be a stretch—but it’s definitely useful.”
Devon added, “Better to sweat now than panic later.”
Maria nodded. “Next time, let’s include communications. If donors are affected, they’ll need messaging ready.”
“Agreed,” Aisha said. “We caught a few things that could’ve tripped us up. Let’s fix them and do this again in three months.”
They left the room energized and proud.
No one wants a security incident. But Nurture LA knew now—they’d be ready when it came.
If this story motivates you to want to do better, please reach out. I’m the founder / president of SecureTheVillage, a nonprofit making a difference. We work with smaller businesses, nonprofits, and the MSPs who serve them. Email me now to protect your assets and minimize the impact of inevitable disruption. StanStahl@Substack.com.