
Is your cybersecurity up to snuff?

February 24, 2023

The sudden and unexpected shift to remote work in 2020 made clear that many nonprofits have vulnerabilities that cybercriminals could leverage to steal data or disrupt operations. Your organization’s employees may or may not be back in the office, but the risks are ongoing. Here’s what you need to know about the most crucial components of effective cybersecurity for nonprofits.

Culture of security

When cybersecurity is recognized as a top priority throughout an organization, the odds of being victimized drop dramatically. It only takes one employee to click on a risky link in a phishing email (see “Know your cyberattacks,” below) or fail to update software to expose the entire organization. So you need everyone to be on board. Employees who see best practices routinely implemented are more likely to duplicate those practices and less likely to fall prey.

As with so many things, the tone starts at the top. If organizational leaders are exempt from measures required of others (for example, regular training or password protocols), employees notice and might take their own compliance less seriously. To create a pervasive commitment to cybersecurity, all policies, practices and procedures must apply to everyone. 

Restricted access

You should grant data access solely on a “need-to-know” basis. Too many nonprofits allow access to employees or volunteers who don’t actually require access to do their jobs. These people may all be trustworthy on their own, but each one represents an avenue to data that a cybercriminal could compromise.

In shared file systems, take advantage of permission settings to limit access, review permissions monthly or at least quarterly, and remember to shut off permissions when employees or volunteers are no longer with your organization. Require authorized users to use multifactor authentication and set up alerts for when these users are logging in from unfamiliar devices or unusual geographic areas.
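As an added illustration (not code from the original post) of the alerts described above: the Python below builds a per-user baseline of known devices and countries from constructed sample sign-in history, then flags new sign-ins from an unfamiliar device, an unusual country, a session without multifactor authentication, or an account that should already have been shut off. The event fields and the list of active users are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    user: str       # account name (fields are assumptions for this example)
    device_id: str  # identifier the identity provider assigns to the device
    country: str    # country resolved from the sign-in IP address
    mfa: bool       # whether the session completed multifactor authentication
# Constructed sample data: trusted past sign-ins (the baseline) and the accounts
# that should still have access, with departed users already removed.
HISTORY = [
    SignIn("alice", "laptop-a1", "US", True),
    SignIn("bob", "desktop-b7", "US", True),
]
ACTIVE_USERS = {"alice", "bob"}

def build_baseline(events):
    """Map each user to the devices and countries seen in trusted history."""
    known = defaultdict(lambda: {"devices": set(), "countries": set()})
    for e in events:
        known[e.user]["devices"].add(e.device_id)
        known[e.user]["countries"].add(e.country)
    return dict(known)

def evaluate(event, baseline, active_users):
    """Return alert strings for one sign-in; an empty list means nothing to flag."""
    if event.user not in active_users:
        # A sign-in by a removed account means a permission was never shut off.
        return [f"{event.user}: sign-in by a deactivated or unknown account"]
    alerts = []
    if not event.mfa:
        alerts.append(f"{event.user}: sign-in without MFA")
    # A user with no history gets an empty profile, so everything is unfamiliar.
    profile = baseline.get(event.user, {"devices": set(), "countries": set()})
    if event.device_id not in profile["devices"]:
        alerts.append(f"{event.user}: unfamiliar device {event.device_id}")
    if event.country not in profile["countries"]:
        alerts.append(f"{event.user}: unusual country {event.country}")
    return alerts
def run(new_events, history=HISTORY, active_users=ACTIVE_USERS):
    baseline = build_baseline(history)
    return [a for e in new_events for a in evaluate(e, baseline, active_users)]

# Constructed new events: a new phone abroad, a session without MFA, a departed user.
NEW_SIGNINS = [
    SignIn("alice", "phone-x9", "BR", True),
    SignIn("bob", "desktop-b7", "US", False),
    SignIn("carol", "laptop-c2", "US", True),
]
```

Calling `run(NEW_SIGNINS)` returns four alerts for the constructed events; a real deployment would feed it the identity provider's sign-in log and the current user directory.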

Incident response planning

Even with comprehensive, up-to-date cybersecurity policies and tools, no organization is immune from cybercrimes. Formulating an incident response is essential to minimizing the repercussions of a successful attack. You don’t want to be scrambling for the right response in the heat of the moment.

Consider establishing an incident response team (IRT) to develop a detailed written plan for handling attacks. Ideally, your IRT will be cross-disciplinary, with representatives from areas including management, IT, human resources, finance/accounting, marketing/communications, and member or client services. Each area should assume specific roles and responsibilities in the event of an attack. It’s best to have two representatives from each area to improve the odds that someone will be available to respond if an incident occurs.

Annual risk assessments

Cybercriminals don’t rest on their laurels — they’re constantly ferreting out new vulnerabilities and devising new tactics for exploiting them. So don’t assume the cybersecurity protections you put in place last year are still up to the task. Whether conducted by an internal IT employee or a third-party expert, your organization should undergo an annual cybersecurity risk assessment. 

At the most basic level, every assessment should determine the data you currently possess and collect, how you store it, whether you truly need it, and how you dispose of it. In addition, identify all parties that have access to your data (for example, vendors) so you can evaluate whether they use appropriate security protection. Once you’ve determined the risks, weigh the likelihood of each risk actually occurring and the likely consequences. These evaluations can guide you in adopting additional steps to mitigate risk.

Assign responsibility

In today’s environment of evolving risks, every nonprofit needs to formally assign responsibility for cybersecurity. If you lack the resources to employ a full-time cyberofficer on staff or your IT employees are overstretched, you might want to outsource the job. Balancing the upfront costs against the potential ramifications of a breach should make clear that you can’t afford not to.

Sidebar: Know your cyberattacks

You’re not alone if you get confused by the various descriptions of cybercriminals’ schemes. Here are some of the most relevant for nonprofits:

Phishing. This generally refers to schemes where cybercriminals trick victims into providing personal information (including login credentials) or clicking on links in emails or texts that infect computers with malware. Many iterations exist, with more emerging. 

Malware. Malicious software encompasses a variety of viruses, including ransomware and spyware. It’s often unleashed when an employee clicks on a phishing link, resulting in malware installation. Ransomware can block access to critical data and could shut down a system completely, requiring the organization to pay a ransom to regain access. Spyware allows the transfer of data to the criminals. 

Denial-of-service (DOS) attack. DOS attackers overwhelm a victim’s servers, networks or system, eating up their resources and bandwidth. As a result, servers and networks aren’t available for their intended users. Visitors may not be able to reach the organization’s website, or employees might be unable to do their work.

This material is generic in nature. Before relying on the material in any important matter, users should note date of publication and carefully evaluate its accuracy, currency, completeness, and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances.
