Guide to Cybersecurity for Nonprofits

Omar Visram

Ransomware attacks are one of the most common cyber threats to any organization's data security. In fact, IBM reported that in 2020, ransomware and malware attacks cost organizations $3.86 million USD on average.

Contrary to popular belief, the target of a cyberattack isn’t always companies with lots of money. Nonprofit organizations have a variety of sensitive information that can be exposed in a data breach including, but not limited to:

  • Donation forms
  • Research surveys
  • Meeting records
  • Mailing lists
  • Donor contact information including name, email addresses, home addresses, etc.
  • Sensitive and personally identifiable information such as background information, medical history, etc.

Despite this, many nonprofits have not taken the time to protect their organization from potential cyber threats. Donor data breaches can damage your organization's reputation and donors' trust in you.

With some reports putting the number of nonprofits that have never run a vulnerability assessment as high as 70%, we can assume that many organizations aren't even aware of their exposure to cyberattacks. Because they have never evaluated their potential cybersecurity risk exposure, risk management is often low on the nonprofit agenda, and only 20% have a policy in place to address cyber attacks.

This article looks at the common threats to nonprofit cybersecurity, as well as ways to mitigate the risk of an attack at your nonprofit organization. 

Common Threats to Nonprofit Cybersecurity

Nonprofits collect and store a myriad of sensitive donor information and are likely to become a target for cybercriminals as they are typically easier to access than large enterprises. Nonprofits are vulnerable to cyber threats in a number of ways:

1. Under Resourcing

Because resources are scarce, cybersecurity is often a lower priority for smaller nonprofits than other mission-driven initiatives. As a result, nearly 60% of nonprofit organizations don't provide any sort of regular cybersecurity training to their staff and volunteers, or have any cybersecurity personnel on the team at all.

2. Having Lax Security Measures in Place 

Hackers attack more than 2,000 times per day on average and they don’t discriminate between nonprofit and for-profit organizations. They are simply looking for an organization they can easily access. With nonprofits thinking they aren’t a target for malicious attacks, security measures are oftentimes pretty relaxed.

3. Using Outdated Technologies 

As previously mentioned, nonprofits don't always have the resources that other organizations do. Therefore, they might not be able to invest in new technologies as often as they would like. Operating with outdated hardware and software can leave your organization more susceptible to a cyberattack.

4. Improperly Storing Donor Information 

Many organizations tend to rely on Excel spreadsheets or outdated software to collect and store sensitive donor information. These insecure methods of storing data can make it easier for cybercriminals to gain access.

5. Freely Sharing Access to Systems 

When all employees are given access to all areas of the company’s platforms and systems, it creates unnecessary risk for unauthorized access. Cybercriminals can infiltrate your employee's computer system to access your company's sensitive documents.

Ways to Mitigate the Risk of Cyber Attacks At Your Organization

Mitigating the risk of a cyber attack is only possible when the organization understands its areas of vulnerability.

A vulnerability assessment is a process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures. This assessment can provide your nonprofit organization with the knowledge to understand and react to the threats to your environment, including cyberattacks.

Even without a vulnerability assessment, there are a number of ways that your nonprofit can implement improvements to mitigate risk, including: 

1. Implementing Security Policies and Creating Data & Security Protocols

A comprehensive policy can play a key role in ensuring that potential cybersecurity risks are identified and planned for, and the appropriate responses are laid out to mitigate the damage.

Ideally, every organization should have an IT person or team that employees can contact in the event of a cybersecurity issue. For example, someone they can contact if they receive an email that looks like a phishing scam. This person should be able to investigate, determine the extent of a threat, and warn the rest of the organization of the scam that is circulating. 

Alternatively, you can also hire an external firm like to help you manage your security program at a lower cost.

2. Address Physical Security Risks 

Physical security risks such as leaving a computer unlocked or passwords written on sticky notes can also be a huge threat to a nonprofit’s security.

With working from home now increasingly prevalent, employees must ensure that their working environment is secure, and employers need to provide employee training on cybersecurity risks and best practices for working from home. If you have IT protocols in place, these need to be addressed in the onboarding process for new hires and volunteers.

3. Password Management 

While notifications to change passwords can be annoying, it is a necessary evil to protect corporate computers and cell phones, especially when operating in a shared office.

  • Setting up strong passwords is fundamental. While it can be frustrating to have to think of a password that is at least X characters long and must include alphanumeric characters, it drastically increases the security of the password.
  • Tools like LastPass can be used to securely store and encrypt passwords. All you have to remember is the one master password. In addition, these tools allow sharing of passwords across the organization without disclosing the actual password.
  • Multi-factor authentication enhances cybersecurity for nonprofits, and requires that users not only enter a password, but also enter a code that's been texted to their phone. Alternatively, apps like Google Authenticator can be used if there's any concern that verification codes sent by text message can be compromised.

4. User Access Management

Most software programs allow administrators to customize end user access and control permission levels based on employee roles.

You should carefully consider each employee's access level to certain sensitive information. If it’s not an integral part of an employee's role to have access, then restrict it. These restrictions can always be changed in the future. However, you should ensure that the decisions are documented and frequently reviewed to ensure relevance – especially in the event of an employee's departure.
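The access decisions described above are easy to record once and forget, so a periodic review is what keeps them relevant. The following is an added example, not code from the original article: it takes a constructed roster of accounts, compares each account's permissions against a hypothetical per-role baseline (`ROLE_BASELINE`), and reports departed staff who still hold access, permissions beyond the role, unknown roles, and reviews that are overdue. The role names, permission strings and sample accounts are all invented for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Hypothetical least-privilege baseline: the most each role should hold.
# Anything an account holds beyond its role's set is flagged for review.
ROLE_BASELINE = {
    "fundraising": {"donor_crm:read", "donor_crm:write", "mailing_list:read"},
    "bookkeeping": {"accounting:read", "accounting:write", "bank_export:read"},
    "program_staff": {"surveys:read", "surveys:write"},
    "volunteer": {"mailing_list:read"},
}


@dataclass
class Account:
    user: str
    role: str
    permissions: Set[str]
    last_reviewed: date
    departed: Optional[date] = None  # set when the person leaves


# Constructed sample roster for the demonstration.
SAMPLE_ACCOUNTS = [
    Account("alice", "fundraising",
            {"donor_crm:read", "donor_crm:write", "mailing_list:read"},
            date(2024, 3, 1)),
    Account("bob", "bookkeeping",  # holds donor CRM write beyond the role
            {"accounting:read", "accounting:write", "bank_export:read",
             "donor_crm:write"}, date(2024, 4, 10)),
    Account("carol", "volunteer", {"mailing_list:read"},
            date(2023, 11, 20)),  # not reviewed for many months
    Account("dave", "program_staff", {"surveys:read", "surveys:write"},
            date(2024, 5, 1), departed=date(2024, 4, 30)),
    Account("erin", "intern", {"surveys:read"}, date(2024, 5, 1)),
]
REVIEW_DATE = date(2024, 5, 15)

Finding = Tuple[str, str, str]  # (user, issue, detail)


def review_accounts(accounts: List[Account], today: date,
                    review_interval_days: int = 90) -> List[Finding]:
    """Return the findings a quarterly access review should raise."""
    findings: List[Finding] = []
    for acct in sorted(accounts, key=lambda a: a.user):
        if acct.departed is not None and acct.permissions:
            findings.append((acct.user, "departed_still_active",
                             f"left {acct.departed}, still holds "
                             f"{len(acct.permissions)} permission(s)"))
            continue  # nothing else matters until the account is disabled
        baseline = ROLE_BASELINE.get(acct.role)
        if baseline is None:
            findings.append((acct.user, "unknown_role", acct.role))
        else:
            for perm in sorted(acct.permissions - baseline):
                findings.append((acct.user, "excess_permission", perm))
        if (today - acct.last_reviewed).days > review_interval_days:
            findings.append((acct.user, "review_overdue",
                             f"last reviewed {acct.last_reviewed}"))
    return findings


def run_sample_review() -> List[Finding]:
    return review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, issue, detail in run_sample_review():
        print(f"{user:8} {issue:24} {detail}")
```

Running it on the sample roster reports bob's extra permission, carol's overdue review, dave's still-active departed account and erin's undefined role, while alice (within baseline and recently reviewed) produces nothing. In practice the roster would be exported from the systems in question rather than hand-written.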

5. Secure Computer and Mobile Device Use

Every device is vulnerable to a cyberattack. To secure your devices, you want to:

  • Ensure that antivirus, malware, and firewall software is in place, security patches are up to date and you have a means of backing up data. 
  • Ensure cell phone software is updated regularly to keep devices secure. 
  • Always use an email provider that offers Secure Sockets Layer (SSL). 
  • Instruct your employees and volunteers to never use unknown USBs as they can potentially carry malware. 
  • Ensure all users are trained in using technology safely and securely, for example, showing employees how to identify a phishing email and check if a link is legitimate before clicking. 
  • Use a password-protected VPN when connecting to public Wi-Fi Networks.
  • Consider using encrypted messaging apps such as WhatsApp when dealing with sensitive or personal information on cell phones.

6. Cloud-Based Software

In comparison to desktop software, cloud-based technology platforms are a safer way of storing sensitive information. At Enkel, we always recommend our clients migrate to cloud-based accounting software like QuickBooks Online. When you use a cloud-based platform, your data is protected by the cloud provider. They'll encrypt your data, conduct regular data backups and require multi-factor authentication during logins.

It is also easier for them to issue updates for potential vulnerabilities in real-time as opposed to when the software is housed on-site. This is particularly important if your organization doesn’t have enough resources to hire IT support. 


Leading a nonprofit organization puts the responsibility of protecting donor data and the organization’s data on your shoulders. Data breaches can lead to sometimes irreparable reputational damage, so it’s critically important that your employees know what they need to do to keep the company secure. 

At Enkel, data security is one of our top priorities. We help nonprofit organizations manage their books securely through the cloud and ensure that their financial data is backed up every day. Visit our industry resources to learn more about our services tailored to organizations like yours. 

We thoroughly research and test the apps we include in our regular workflow for client bookkeeping services. After deciding on criteria for evaluating the software and then researching the app itself, we tested the app, noting its strengths and weaknesses. We then worked with the app for at least a few weeks before deciding whether to recommend it to our readers. We use the software as it was designed for its intended tasks. For a detailed walk-through of how we select and evaluate software, please see the details of our process.

Enkel receives no consideration or compensation from software publishers for featuring their software in our blog articles.
