Cybersecurity for Nonprofits: Best practices and how to prepare

Cybersecurity is an increasingly important issue for nonprofit organizations, foundations and charities. Unfortunately, many nonprofits are ill-prepared to deal with cyber threats. In fact, the number of attacks against nonprofit organizations has increased dramatically over the last five years.

Many nonprofits lack the necessary resources and expertise to protect themselves. They also lack the budget to hire outside security experts. And even if they did have the resources and expertise, they may not have the budget to pay for cybersecurity services beyond an initial consultation.

In this article, we look at cybersecurity for nonprofits, explain the risks they face, and outline steps that nonprofits can take to secure their networks and protect sensitive data.

Cyber threats to nonprofits

Although being online isn’t new, the fact that we are now online almost all of the time exposes everyone to a different class of threats: cyber threats. With everyone’s online work and internet usage in flux, many individuals and organizations are at greater risk of becoming victims of cybercrime.

According to recent research on cybercrime, six cyber-attacks happen every 4 minutes.

These attacks aren’t always major breaches or data theft. Some are as undetectable as probes, which hackers use to prime a network or system for a later intrusion. Looking for weaknesses in the software, security controls, or firewall is preparation for a heavier cyber attack.

Cyber threats can be broadly categorized into two types: cyberattacks and cybercrime.

  • Cyber attacks are malicious activities that are performed using computers and networks for unlawful purposes. These include hacking, phishing, malware, spam, denial of service (DoS) attacks, etc.
  • Cybercrimes are illegal activities involving the use of computers and networks for criminal purposes. Cybercrimes include identity theft, credit card fraud, bank fraud, etc.

Although the risk of being a target is low for the ordinary individual, businesses and nonprofits of all shapes and sizes continue to be targeted. Even a popular donor database solution was hit recently with a ransomware attack, leading to multiple lawsuits.

Why are nonprofits ideal targets for cyberattacks?

Two things make nonprofits ideal targets for hackers and cybercriminals.

The first is that nonprofits often have built up a pile of data. While it’s probably not data involving military secrets, it’s still crucial data in the form of personal, account, and payment details of the nonprofit’s constituents. Nonprofits often have important people — donors, staff, board members — connected to their organization. Even larger entities like corporate partners and other charities have some of their data collected in nonprofit databases. Without proper protection, all this data can be stolen.

The second reason is that nonprofits don’t see themselves as targets, and so don’t prepare themselves against hackers and cybercriminals. This alone makes them incredibly vulnerable.

Less than 50% of all nonprofit organizations implement multi-factor authentication for logins, according to data from NTEN. Multi-factor authentication starts at 2FA (two-factor authentication), which is common even for personal accounts and devices. It involves one-time PINs, authenticator codes, and additional layers of passcodes to verify access to an account. With two-factor or multi-factor authentication in place, a hacker needs much more than the correct account credentials to log in.

Less than 30% of nonprofits have performed a vulnerability assessment. These are important checks for seeing how vulnerable or potentially exposed a nonprofit is to cyberattacks.

Worst of all, most nonprofits have no plan or strategy in place for a cyberattack. Cybersecurity risks impact all organizations, so preparation and a plan of action are key.

What are common cyber threats to nonprofits?

Although attacks and threats may vary, nonprofits should watch out for a few things in particular.

Data Theft

As we previously mentioned, nonprofits are rich in data, whether inside their donor database or email system.

Data theft via a security breach of the database is a real threat to nonprofits. The dangerous thing about data breaches is that anyone can cause them, outside hackers and employees alike: data theft can happen through authorized as well as unauthorized access.

The data can end up in the wrong hands and be used for malicious purposes such as leaks, resale, and compromising constituents. Both your nonprofit’s operations and its reputation will suffer heavily from a data theft incident.


Ransomware

Ransomware is similar to data theft, but carried out by software rather than by a person directly breaching your systems. Once ransomware gets into your network, it encrypts your data and keeps it locked until the hacker who launched it chooses to release it. It effectively takes your data hostage. Usually, the hacker demands money in return for the data, or simply takes the data and runs.

Ransomware attacks are on the rise according to reports from data firms like Kaseya, with some noting it could also be connected to the increase in cryptocurrency usage.

Forced Downtime

Forced downtime may not involve stealing data, but it can still heavily compromise a nonprofit. Forcing downtime means halting your nonprofit’s operations, for example by knocking your website hosting offline. This can result in missed donations, information that is harder to access, or disrupted volunteer scheduling. Proper website security for nonprofits is a key part of being prepared.

Hacks aren’t always obvious and evident. Some hacks are subtle. They can come in the form of malware, suspicious activity, denial of service, phishing, SQL injection, and more. So how can nonprofits prepare for these?

How to prepare for a potential cyberattack

1. Documentation is key to preparedness

Without formal security protocols, a nonprofit team works without a plan when under attack. A well-documented security policy makes it harder for attackers to infiltrate the organization’s resources, and lets staff respond efficiently to limit the damage once an attack is detected.

With documented protocols, timely action from staff can mitigate any harm that may occur, such as cutting off access points that.

2. Train your staff and practice how to react

For nonprofits of all sizes and stages, cybersecurity training is a must to keep your data safe.

Most nonprofits don’t even consider training their staff to deal with cybersecurity breaches. So do better, and take advantage of training and webinars to improve data and technology hygiene among your staff. Ensure that your system passwords are randomized and secure. CyberSecurity NonProfit (CSNP) provides free security education, webinars and resources to help organizations learn more.

You should also limit access. Don’t keep expanding authorized access beyond core staff members. The more people who can access a system, the more exposed it is. Limiting access to a trusted few narrows the possibilities for a breach.

Weak passwords and poor computer hygiene among users are key factors in cyberattacks, which is why good employee training fills an important gap.

3. Ensure backups are in place for key data and systems

Make sure to create multiple copies of your important data so that, in the event one copy is compromised, you can quickly restore it. This can include onsite and offsite backups, such as in the cloud. This way, you are protected from the damage a cyberattack might do to your mission.

If you are using third-party databases and services, ask about their backup procedures and review documentation to see if you can also download a copy of your data at a regular interval.

4. Harden your systems to prevent attacks

Consider appropriate measures on your devices, such as antivirus and a firewall. Check for vulnerabilities with a security assessment, and then make the appropriate adjustments. Use multi-factor authentication on all available accounts to keep hackers out.

Consider updating your insurance policy to add Cyber Liability Insurance, which can minimize the financial impact of data breaches and other cyber events.

5. Keep software up-to-date

Stay up to date with the latest system and software versions. Regularly updating your systems makes you less susceptible to hacks and “zero-day” exploits.

6. Consider hiring IT staff or a consultant

If you have the budget to hire your own IT staff, please consider doing so. An in-house team can help detect and respond to cybersecurity threats, while a consultant can perform routine security checks and audits.

In short, having someone else look over your shoulder will give you peace of mind knowing that everything is being taken care of.

7. Be aware of phishing scams

Phishing emails are often used to steal information like usernames and passwords. They come disguised as something legitimate but instead contain malicious links or attachments. If you receive suspicious email messages, report them immediately to your IT department or flag them in your Outlook or Google Workspace.

8. Don’t forget about social media

Social media platforms like Facebook and Twitter provide many opportunities for organizations to connect with donors, volunteers, members, supporters, etc., but they also present risks. Make sure you know what type of content is allowed on these sites and monitor comments made by others. You should be able to easily identify inappropriate posts and remove them before they become public.

9. Keep your donor data safe

Nonprofits don’t accumulate wealth, but they do have to generate revenue to keep their projects going, through fundraising events and donation platforms. However, donation platforms aren’t always secure, especially given the influx of online activity during the pandemic, so ensuring that your revenue channels are secure is a must.

A good donation platform should use strong encryption, at least TLS (the successor to SSL). This encrypts information as it is entered and secures the checkout process as well. Multi-factor authentication is also useful for donors on their end, so try to choose a donation platform that offers multi-factor authentication to users who enter personal information.

As much as you are securing the revenue, you are also securing your donors’ data. Donors risk a lot by giving nonprofits their personal information. Donors are easy targets for hackers who are after money. So as a nonprofit, you are obligated to give your donors the best security possible.

Understand the Risk

Nonprofits have the huge responsibility of delivering their missions and aid to their beneficiaries.

At the same time, they have to care for the data of the donors and staff who are supporting their missions. While nonprofits dedicate their time and energy to ensuring these get done (and rightly so!), that doesn’t mean security should be neglected.

In conclusion, we hope this guide has helped you understand some basic steps to take when planning your organization’s cybersecurity strategy.

There is a long list of reasons nonprofits have to keep their cybersecurity at top performance and maintain layers of security. But the biggest reason has to be the benefit of all the people a single nonprofit serves.

So if your nonprofit needs to increase its cybersecurity, especially in this remote and online environment, don’t waste any time beginning to do so. Hackers certainly don’t waste theirs.