Cybersecurity Essentials for Nonprofits

Not-for-Profit leaders need to know the cybersecurity essentials for Nonprofits. Many Nonprofits collect and store sensitive digital personal information that is protected by law as confidential.


When there is a breach of the confidentiality of this data, it poses a risk for the individuals whose data was disclosed, and for the Nonprofit that will potentially be subject to liability for the breach. It makes sense for every Nonprofit to take steps to understand the risks and protect its data from unauthorized disclosure.

One of the first cybersecurity essentials for Nonprofits is evaluating the organization’s exposure to cyberattacks. There are three key areas to cover:

First Step | Risk Assessment

The Nonprofit Technology Network (NTEN) suggests that the first step in assessing a Nonprofit’s data risks is to take inventory of all the data the Nonprofit collects and identify where it is stored.

The risk assessment should answer the following questions:

What data is collected about people?

What is done with it?

Where is it stored?

Who is responsible for it?

Think about the cost/benefit of maintaining all that data. It may be discovered that data the Nonprofit is currently asking for and keeping is not really needed. If so, reducing or limiting the data the Nonprofit collects, and streamlining the storage process (as well as diligently destroying data in accordance with the Nonprofit’s document retention policy) could be an easy first step towards mitigating risk.

Second Step | Is the Data the Nonprofit Maintains “Protected” or “Confidential”?

Know whether the data the Nonprofit collects and maintains is covered by federal or state regulations as “personally identifiable information.” If so, forty-seven states’ laws require Nonprofits to inform persons whose “personally identifiable information” is disclosed in a security breach, and 31 states have laws that require disposal of such data in certain ways.

Additionally, the Federal Trade Commission’s Disposal Rule also requires proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.” Protecting personally identifiable information is all about training staff on how to collect/store/dispose of and generally protect this data.

Even if the data collected does not rise to the level of “personally identifiable information,” a breach of that data can be harmful to the organization’s reputation and its ability to bring in donations. All data reflecting personal preferences is important to keep secure.

Third Step | Drill Down on the Actual Risks

Consider using the US National Institute of Standards and Technology (NIST) Cybersecurity Framework to help the Nonprofit identify risks and make management decisions to mitigate those risks. This framework is not intended to be a one-size-fits-all approach, but to allow organizations to manage cybersecurity risks in a cost-effective way, based on their own environment and needs.

Preparing the Nonprofit for Cyber Attack

Once risks have been assessed, another of the cybersecurity essentials for Nonprofits is preparing the Nonprofit to handle possible cyberattacks. There are four steps to this:

Document Protocols

Research conducted by NTEN and others shows that Nonprofits often do not have cybersecurity policies or incident response documentation in place. Robust cybersecurity policies can lessen the likelihood of an incident in the first place, and response documentation can give teams quick paths forward to minimize damage in the event of a cyberattack.

Train Users

Nearly 60% of Nonprofit organizations do not provide any sort of regular cybersecurity training to users. Training users on best practices is an impactful way of reducing risk; uninformed user action leads to far too many successful attacks.

Make Systems Redundant

Systems should be redundant, meaning that there should be multiple instances of mission-critical data and systems so that if one instance is compromised, recovery is possible. Basically, Nonprofits should diligently back things up. This greatly reduces the damage that a cyberattack can cause.

Harden Systems

In addition to backing things up, Nonprofits should also take steps to harden systems. Doing this effectively will likely rely on the thoroughness of the risk assessment. Generally, solutions involve:

Implementing antivirus or other security software

Proactively monitoring for threats

Requiring multi-factor authentication on all accounts

Requiring all third-party software to adhere to strong cybersecurity standards.

Adopting cybersecurity essentials for Nonprofits is not an impossible task. By carefully assessing the risks and taking common-sense preventive steps, Nonprofits can greatly reduce the chance that cyberattacks will endanger their operations.

Rather than just investing in IT tools and resources, consider investing in “Software Experts” that work directly with you in effectively deploying tools to achieve your Mission.
