The 5 Biggest Cyber Security Risks Facing B Corps (and the Simple Fixes Most Organizations Miss)
Most leaders at purpose-driven organizations don’t think their mission or staff are cyber security targets.
After all, the folks running these organizations and businesses are focused on the impact they make every day for their communities.
But that’s exactly why they are targets.
At their core, B Corps meet high standards for social and environmental impact across key areas, from climate action to human rights. They share information with vendors and volunteers. Their leaders are influential in business and their local communities.
Luckily, most cyber risk that B Corps face is preventable and manageable.
Why This Matters More for Mission-Driven Organizations
Cyber security for B Corps isn’t just about protecting systems; it is also about protecting people and, ultimately, preventing disruption. A disruption in a B Corp could look like:
Losing access to systems (e.g. ransomware)
Being tricked into sending fraudulent payments
Exposing sensitive data about staff, customers, or communities
For B Corps and nonprofits, that risk is amplified. A B Corp may store sensitive personal data, work with or support targeted communities, or engage in public-facing advocacy work, each of which creates a unique risk profile, especially as threats evolve.
The Threat Landscape Is Changing
A few years ago, most organizations were primarily dealing with opportunistic attackers, like scammers trying to steal money through basic breaches.
That still happens, but today, there’s a growing additional layer of risk:
Ideologically motivated attacks targeting specific causes or communities
Concerns related to government overreach and surveillance, including legal access to data
Harassment and intimidation of staff, like doxxing
And that’s the difference we're seeing: Cyber risk is more personal, physical, reputational, and community-level than ever before.
Identifying Cyber Risk Starts With Security Threat Modeling (Not Tools)
The first step a B Corp should take in mitigating cyber risk is threat modeling. This is the process of identifying, analyzing, and mitigating potential security threats. It sounds technical, but it’s simple:
What data do you have?
Who might want it?
What could they do with it?
What are you willing to do to protect it?
Most organizations skip this step and jump straight into finding tools and services. However, without clarity on these questions, it’s easy to waste time, money, and effort.
The 5 Biggest Risk Areas (and How to Fix Them)
Across dozens of our B Corps clients, we see the same patterns show up again and again.
1. Keeping Too Much Data
Most organizations default to storing everything forever. We understand why. After all, you want to be sure that institutional knowledge is kept and recorded. However, that also creates unnecessary risk.
Storing data longer than it is actually needed creates more data to steal, more data that could be legally summoned by the government, and more exposure in the event of a breach.
How can this be fixed?
Audit what you store. Use a critical eye to save what you truly need.
Delete what you don’t. Be ruthless! You may be surprised to find that this process helps staff streamline work.
Set automated retention policies. Your productivity suites will become cleaner, more efficient, and easier to use.
Make sure to clearly communicate these changes to staff early. Provide an adequate adoption period and make sure staff can ask questions about how their workflow may need to change.
Remember, data you don’t have can’t be stolen.
2. Weak Logins (The #1 Cause of Breaches)
If you do one thing, make it this: Turn on multi-factor authentication (MFA).
Around 90% of cyber attacks we observe could have been prevented by enabling MFA.
It’s free, takes minimal time to enforce, and it dramatically reduces the chance an attacker could compromise an organization's mission, staff, and community. Prioritize enabling MFA on Google Workspace and Microsoft 365 as soon as possible.
3. No Visibility Into What You Actually Have
You can’t protect what you don’t know exists. For B Corps, that could mean:
Old user accounts in the productivity suite still active years after an employee has separated from the organization
Forgotten or unused tools storing sensitive data for long periods of time
Employees with lingering access to data or tools they no longer need after changing roles
How can this be fixed?
Audit all accounts, tools, and systems. What do staff really use? What can be removed? Use our Cyber Security Inventory spreadsheet to get started.
Adjust user access to tools and systems. Limiting or removing staff access to data they don’t use or need means a smaller attack surface in the event of a breach.
Regularly review accounts and tools. We recommend doing this at least once a year, and after a staff changeover occurs.
This is both a security win and a cost-saving opportunity. The money you’re saving from deactivating old accounts can really accumulate over time. We’ve saved some of our clients tens of thousands of dollars in software license costs.
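The account review described above can be scripted once you have exported the user list from your productivity suite. What follows is an added example (not code from the original post or from any vendor's tooling) in Python. It works over a constructed CSV export, a constructed HR offboarding list, and a constructed role-to-groups map; the column names, the 90-day inactivity threshold, and the fixed review date are all assumptions to adapt to your own suite's export. It flags three of the patterns named above: departed staff whose accounts are still active, active accounts nobody has signed into for months, and group memberships a person's current role does not call for.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample user export (not real data). Columns mirror what a
# Google Workspace or Microsoft 365 admin console typically exports.
ACCOUNT_EXPORT = """email,status,last_login,role,groups
ana@example.org,active,2024-05-28,finance,finance;all-staff
ben@example.org,active,2023-01-15,programs,programs;all-staff
cara@example.org,active,2024-06-01,programs,programs;finance;all-staff
dev@example.org,suspended,2022-11-02,it,admins;all-staff
erin@example.org,active,2024-05-30,it,admins;all-staff
"""

# Constructed HR offboarding list: people who have left the organization.
DEPARTED = {"ben@example.org"}

# Constructed least-privilege map: the groups each role legitimately needs.
ROLE_GROUPS = {
    "finance": {"finance", "all-staff"},
    "programs": {"programs", "all-staff"},
    "it": {"admins", "all-staff"},
}

STALE_AFTER = timedelta(days=90)   # flag active accounts unused this long
TODAY = date(2024, 6, 3)           # fixed "today" so the example is repeatable


def parse_export(text):
    """Turn the CSV export into rows with real dates and group sets."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_login"] = date.fromisoformat(row["last_login"])
        row["groups"] = set(filter(None, row["groups"].split(";")))
        rows.append(row)
    return rows


def review_accounts(rows, departed, role_groups, today, stale_after=STALE_AFTER):
    """Return (email, finding, action) triples for an access review."""
    findings = []
    for r in rows:
        active = r["status"] == "active"
        # Offboarding gap: the person left but the account still works.
        if active and r["email"] in departed:
            findings.append((r["email"], "departed-but-active",
                             "suspend the account and transfer its files"))
        # Dormant account: nobody has signed in for a long time.
        if active and today - r["last_login"] > stale_after:
            days = (today - r["last_login"]).days
            findings.append((r["email"], "stale-login",
                             f"no sign-in for {days} days; confirm it is still needed"))
        # Lingering access: groups beyond what the current role requires.
        excess = r["groups"] - role_groups.get(r["role"], set())
        if excess:
            findings.append((r["email"], "excess-access",
                             "remove groups not required by role: " + ", ".join(sorted(excess))))
    return findings


def run_review():
    """Run the review over the constructed export with the fixed date."""
    return review_accounts(parse_export(ACCOUNT_EXPORT), DEPARTED, ROLE_GROUPS, TODAY)


if __name__ == "__main__":
    for email, finding, action in run_review():
        print(f"{email:20} {finding:22} {action}")
```

Run against a real export, the same three checks give you a short list to act on at the annual review and after every staff change, and the suspended-account rows show why the export should include status: a suspended account that still sits in an admin group is worth a look even though it cannot sign in.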
4. Unsafe Sharing and Configuration Defaults
Productivity suites like Google Workspace and Microsoft 365 are designed for ease, not security. Most users are surprised to find out that optimal security settings are not the default.
That means:
Files are often overshared
Permissions are too open
Security settings are rarely optimized
It’s our estimation that most organizations are operating at about 40% of recommended security settings without realizing it. So, organizations must adjust security controls themselves.
How can this be fixed?
Restrict sharing defaults and change sharing permissions on old files.
Disable public access where possible. Make sure that the recipient list is up-to-date.
Use public digital spaces for truly public content. Scrutinize the level of detail that should be shared publicly.
Your B Corp might share files with volunteers, partner organizations, or community leaders. It’s time to lock this information down.
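The three sharing fixes above can be turned into a repeatable check once you have a sharing report out of your suite. Below is an added example (not code from the original post or from Google or Microsoft) in Python that audits a constructed sharing report. The report columns, the organization and partner domains, the single folder where open links are expected, and the one-year threshold for old open files are all assumptions; adapt them to your own export. It flags link-shared files outside the public space, recipients at domains you have not approved, and old files still open by link.

```python
import csv
import io
from datetime import date, timedelta

ORG_DOMAIN = "example.org"                 # constructed: the B Corp's own domain
PARTNER_DOMAINS = {"partner.example"}      # constructed: partners allowed to receive files
PUBLIC_FOLDERS = ("/Public/",)             # constructed: the one place open links are expected
STALE_AFTER = timedelta(days=365)          # open files untouched this long get re-scoped
TODAY = date(2024, 6, 3)                   # fixed date so the example is repeatable

# Constructed sharing report (not real data). link_sharing is one of
# restricted / domain / anyone, roughly matching drive-style link settings.
SHARING_EXPORT = """path,owner,link_sharing,shared_with,last_modified
/Public/annual-report.pdf,ana@example.org,anyone,,2024-04-10
/Finance/payroll-2023.xlsx,ana@example.org,anyone,,2023-02-01
/Programs/volunteer-roster.xlsx,cara@example.org,restricted,lee@partner.example;jo@gmail.com,2024-05-20
/Programs/old-grant-notes.docx,cara@example.org,domain,,2022-08-15
/Board/minutes-2024-05.docx,erin@example.org,restricted,board1@example.org,2024-05-30
"""


def parse_report(text):
    """Parse the CSV report into rows with real dates and recipient lists."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_modified"] = date.fromisoformat(row["last_modified"])
        row["shared_with"] = [a for a in row["shared_with"].split(";") if a]
        rows.append(row)
    return rows


def audit_sharing(rows, today, org_domain=ORG_DOMAIN, partner_domains=PARTNER_DOMAINS,
                  public_folders=PUBLIC_FOLDERS, stale_after=STALE_AFTER):
    """Return (path, finding, action) triples for files whose sharing needs tightening."""
    findings = []
    for r in rows:
        open_link = r["link_sharing"] in ("anyone", "public")
        in_public_space = r["path"].startswith(public_folders)
        # Open links belong only in the space meant for truly public content.
        if open_link and not in_public_space:
            findings.append((r["path"], "open-link-outside-public-space",
                             "switch to restricted sharing and share with named people"))
        # Recipients outside the organization and its approved partners.
        for addr in r["shared_with"]:
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain != org_domain and domain not in partner_domains:
                findings.append((r["path"], "external-recipient",
                                 f"confirm {addr} still needs access or remove it"))
        # Old files that are still open by link (domain-wide or wider).
        if r["link_sharing"] != "restricted" and today - r["last_modified"] > stale_after:
            findings.append((r["path"], "stale-open-file",
                             "old file still shared by link; restrict or archive it"))
    return findings


def run_audit():
    """Audit the constructed report with the fixed date."""
    return audit_sharing(parse_report(SHARING_EXPORT), TODAY)


if __name__ == "__main__":
    for path, finding, action in run_audit():
        print(f"{path:36} {finding:32} {action}")
```

The partner allowlist is what keeps this useful for a B Corp that genuinely shares with volunteers and partner organizations: sharing with an approved partner domain passes, while a personal mailbox or an unfamiliar domain on a roster file is surfaced for a decision rather than silently accepted.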
5. Human Behavior (and Lack of Security Culture)
Phishing remains one of the most effective attack methods, not because people are careless but because systems rely on them to make quick decisions that can expose data.
How can this be fixed?
Talk about security openly and often. Security is a team sport. We need everyone to be aware of the rules and goals.
Create a “no-blame” environment for mistakes. The more comfortable staff feel reporting security mistakes, the quicker you’ll be able to respond during a breach.
Encourage quick reporting of suspicious activity. We suggest setting up an org-wide channel in Slack or Microsoft Teams where staff can ask questions, report suspicious activity, or share updates.
Organizations with a dedicated security Slack channel had near-zero phishing success. Those without it saw up to 25% of staff fall for simulated attacks.
The Overlooked Risk: Your Vendors
One of the most important (and often missed) risks: Your security is only as strong as your partners. Attackers often go after the weakest link, not necessarily the most visible one. Attackers also know that vendors often have unrestricted access to many clients’ data.
When speaking with vendors, it’s important to ask these questions, particularly of your IT provider and website vendor.
Does the company follow best practices?
Does the company actively manage security?
Who has access to the B Corp’s systems and data? Which user permissions do they have?
What About Privacy?
Many people feel overwhelmed by the scale of data collection today. We understand why.
We live in a surveillance and data economy. While you can’t reasonably eliminate all tracking, you can reduce exposure by:
Enforcing data retention rules, which auto-delete data according to specified rules, often based on elapsed time.
Limiting sensitive conversations in email/text and having internal guidance for what topics should be discussed offline.
Moving high-risk communications to encrypted tools like Signal and setting up disappearing messages.
Intentionally and thoughtfully managing your work as a Certified B Corporation™ supports the privacy of your leadership, staff, and community.
Start Here (This Week)
Most organizations can make meaningful progress in 6–9 weeks with consistent effort to strengthen their cyber security posture. Take these steps forward this week.
Turn on MFA across all accounts and communicate this change to staff.
Audit users and remove old accounts.
Review your data and delete what you don’t need.
Tighten file sharing settings.
Start one conversation about cyber security with your team.
Security Is Part of a B Corp’s Impact
Strengthening your B Corp’s cyber security takes time and effort. It’s important to frame this work not as a distraction from the mission, but as how you protect the mission.
Cyber security protects the people and communities you serve. It protects your staff, allowing them to continue executing your mission every day. It protects your reputation and trust, allowing your B Corp to grow and evolve.
This blog post was inspired by 5 Cyber Risks for B Corps, and How You Can Fix Them from Beyond the B, a podcast about the latest on the B Corp movement. Listen to the full episode wherever you get your podcasts.