
How to Protect Your Nonprofit from Threat Actors: Practical Cybersecurity

Updated: May 14



Nonprofits are increasingly targeted by cybercriminals and other threat actors because they often hold sensitive donor data, operate with limited security budgets, and rely heavily on volunteers and third-party tools. The good news is that strong protection doesn’t require enterprise-level spending—just consistent, smart practices.

Below is a practical guide to help your nonprofit reduce risk and stay resilient.


Why Nonprofits Are Targeted

Threat actors often assume nonprofits have:

  • Limited cybersecurity staffing or expertise

  • Weak or inconsistent password practices

  • High email dependency (phishing exposure)

  • Valuable donor/payment information

  • Volunteers or rotating staff with unmanaged access

Common attacks include phishing emails, ransomware, account takeovers, and fraudulent donation redirects.


1. Strengthen Access Control

One of the most effective defenses is limiting who can access what.

Key actions:

  • Use multi-factor authentication (MFA) on all email, cloud, and financial accounts

  • Give users the minimum level of access needed (least privilege principle)

  • Immediately remove access when staff or volunteers leave

  • Avoid shared logins whenever possible

Even basic MFA can block a large percentage of common account compromise attempts.


2. Train Staff and Volunteers to Recognize Phishing

Human error remains the most common entry point for attackers.

What to train for:

  • Suspicious email links or attachments

  • Requests for urgent payments or gift cards

  • Slightly altered email addresses (e.g., “don0r-support@…”)

  • Messages pretending to be leadership or board members

Best practice: Run short, recurring training sessions instead of one-time annual training. Monthly reminders work better than yearly lectures.
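The "slightly altered address" item above is the one check a mail filter can do for you. The script below is an added example written for this article, not code from the original post: it takes a list of trusted domains and known contacts (both constructed here) and classifies an incoming sender as trusted, a look-alike (same as a known name once digit-for-letter swaps such as 0 for o are undone, or nearly identical to a trusted domain), or simply external. The homoglyph table and similarity threshold are assumptions you would tune for your own domains.

```python
"""Classify sender addresses against trusted domains and known contacts.

Hypothetical helper written for this article. TRUSTED_DOMAINS, KNOWN_CONTACTS
and the homoglyph table are constructed assumptions, not a real organization's data.
"""
from difflib import SequenceMatcher

# Characters commonly swapped for look-alikes, mapped back to the plain form.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

TRUSTED_DOMAINS = {"example-charity.org", "donor-support.org"}            # constructed
KNOWN_CONTACTS = {"donor-support@example-charity.org", "ed@example-charity.org"}  # constructed


def normalize(text: str) -> str:
    """Undo the common substitutions so 'don0r' and 'donor' compare equal."""
    text = text.lower()
    for fake, real in HOMOGLYPHS.items():
        text = text.replace(fake, real)
    return text


def classify_sender(address, trusted=TRUSTED_DOMAINS, contacts=KNOWN_CONTACTS, threshold=0.85):
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for one sender address."""
    if address.count("@") != 1:
        return "invalid"
    address = address.lower()
    if address in contacts:
        return "trusted"
    # A known contact's name with swapped characters is the classic impersonation.
    norm_addr = normalize(address)
    if any(norm_addr == normalize(c) for c in contacts):
        return "lookalike"
    domain = address.rsplit("@", 1)[1]
    if domain in trusted:
        return "trusted"
    norm_domain = normalize(domain)
    for t in trusted:
        t_norm = normalize(t)
        # Exact match after normalization, or near-identical spelling, is a look-alike domain.
        if norm_domain == t_norm or SequenceMatcher(None, norm_domain, t_norm).ratio() >= threshold:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    for addr in ("ed@example-charity.org", "don0r-support@example-charity.org",
                 "giving@don0r-support.org", "friend@gmail.com"):
        print(f"{addr:40} -> {classify_sender(addr)}")
```

Feed it the sender of each inbound message and route anything classified as "lookalike" to a quarantine or a warning banner; "external" mail is normal and should not be blocked on this signal alone.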


3. Secure Email and Communication Tools

Email is the primary attack vector for nonprofits.

Steps to improve security:

  • Enable spam and phishing filters (Google Workspace / Microsoft 365 settings)

  • Disable auto-forwarding to external accounts

  • Use verified domains with proper authentication (SPF, DKIM, DMARC)

  • Be cautious with external collaboration links (Google Drive, SharePoint, Dropbox)


4. Protect Donor and Financial Data

Donor trust is one of your most valuable assets.

Safeguards include:

  • Use reputable donation platforms with built-in encryption

  • Never store credit card data locally

  • Restrict access to financial spreadsheets or donor databases

  • Regularly audit who has access to fundraising tools

If possible, separate fundraising tools from general staff systems.


5. Keep Systems and Devices Updated

Outdated software is one of the easiest ways in for attackers.

Implement:

  • Automatic updates for computers and mobile devices

  • Regular patching for CMS platforms (like WordPress)

  • Updates for plugins and third-party integrations

  • Replacement cycles for unsupported devices/software

Unpatched systems are frequently exploited in automated attacks.


6. Use Strong Backup Practices (and Test Them)

Backups are your safety net in ransomware or data loss scenarios.

Follow the 3-2-1 rule:

  • 3 copies of your data

  • 2 different storage types

  • 1 copy stored offline or offsite

Also:

  • Test restores periodically (many organizations skip this step)

  • Keep backups separate from main systems to avoid encryption during attacks


7. Control Third-Party and Volunteer Risk

Nonprofits often rely on external tools and volunteers, which expands risk.

Reduce exposure by:

  • Reviewing permissions for every SaaS tool you use

  • Limiting admin access to trusted staff only

  • Vetting third-party platforms before integrating them

  • Using time-limited accounts for volunteers or contractors


8. Create a Simple Incident Response Plan

You don’t need a complex framework—just a clear plan.

Your plan should include:

  • Who to contact if an account is compromised

  • How to isolate affected systems

  • How to communicate internally and externally

  • Steps to recover data from backups

  • When to involve legal or cybersecurity professionals

The key is speed: the faster you respond, the less damage occurs.


9. Monitor for Unusual Activity

Early detection can prevent major damage.

Look for:

  • Unexpected login locations

  • Changes in banking or donation details

  • New admin accounts you didn’t create

  • Large or unusual data downloads

Even basic alerting features in Microsoft 365 or Google Workspace can help.
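The four warning signs above can be checked automatically against an audit-log export, which is what the built-in alerting in those suites does under the hood. The script below is an added example for this article, not code from the original post. It scans constructed log lines in a simple CSV layout (timestamp, user, event, detail) and raises an alert for a sign-in from an unexpected country, a change to payout or banking settings, an admin role granted to an account you don't know, and cumulative downloads over a size limit. The column layout, allowed countries, known-admin list and download limit are assumptions; real Google Workspace and Microsoft 365 exports use their own field names, so adapt the parsing to yours.

```python
"""Scan an audit-log export for the warning signs listed above.

Hypothetical detection script written for this article. SAMPLE_LOG, the allowed
countries, the admin list and the download limit are constructed assumptions.
"""
import csv
from collections import defaultdict
from io import StringIO

ALLOWED_COUNTRIES = {"US", "CA"}           # where staff normally sign in (constructed)
KNOWN_ADMINS = {"ed@example-charity.org", "finance@example-charity.org"}  # constructed
DOWNLOAD_ALERT_BYTES = 500 * 1024 * 1024   # 500 MB per user across the export (constructed)

# Constructed log export; the 'detail' column holds key=value pairs separated by ';'.
SAMPLE_LOG = """\
timestamp,user,event,detail
2024-06-01T08:02:11Z,ed@example-charity.org,login,country=US
2024-06-01T08:10:45Z,finance@example-charity.org,login,country=US
2024-06-01T09:31:02Z,finance@example-charity.org,login,country=RU
2024-06-01T09:33:17Z,finance@example-charity.org,role_change,target=helper99@example-charity.org;role=admin
2024-06-01T09:40:00Z,finance@example-charity.org,download,bytes=314572800
2024-06-01T09:45:00Z,finance@example-charity.org,settings_change,field=payout_account
2024-06-01T09:52:10Z,finance@example-charity.org,download,bytes=262144000
2024-06-01T10:05:00Z,ed@example-charity.org,download,bytes=1048576
"""


def parse_detail(detail):
    """Turn 'a=1;b=2' into {'a': '1', 'b': '2'}."""
    return dict(kv.split("=", 1) for kv in detail.split(";") if "=" in kv)


def scan_log(text, allowed=ALLOWED_COUNTRIES, known_admins=KNOWN_ADMINS, limit=DOWNLOAD_ALERT_BYTES):
    """Return (timestamp, user, reason) alerts for the suspicious patterns in the export."""
    alerts = []
    downloaded = defaultdict(int)  # running byte total per user
    for row in csv.DictReader(StringIO(text)):
        user, event = row["user"], row["event"]
        d = parse_detail(row["detail"])
        if event == "login" and d.get("country") not in allowed:
            alerts.append((row["timestamp"], user, f"login from unexpected country {d.get('country')}"))
        elif event == "settings_change" and d.get("field") in ("payout_account", "bank_account"):
            alerts.append((row["timestamp"], user, f"changed {d.get('field')}: verify by phone"))
        elif event == "role_change" and d.get("role") == "admin" and d.get("target") not in known_admins:
            alerts.append((row["timestamp"], user, f"granted admin to unknown account {d.get('target')}"))
        elif event == "download":
            downloaded[user] += int(d.get("bytes", 0))
            if downloaded[user] > limit:
                alerts.append((row["timestamp"], user,
                               f"cumulative downloads {downloaded[user]} bytes exceed limit"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in scan_log(SAMPLE_LOG):
        print(ts, user, reason)
```

Each alert here is the kind of event worth a same-day phone call to the person named; the point of the running download total is that an attacker rarely takes everything in one request, so per-file thresholds alone miss it.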


10. Build a Security-First Culture

Technology alone isn’t enough. Culture matters.

Encourage:

  • Reporting suspicious emails without blame

  • Asking before clicking or downloading

  • Verifying financial requests through a second channel

  • Treating cybersecurity as part of mission protection, not IT overhead

When staff understand that security protects donors and beneficiaries, adoption improves significantly.


Final Thoughts

Nonprofits don’t need perfect security—they need consistent, practical defenses that reduce risk where it matters most. Most successful attacks exploit simple gaps: weak passwords, untrained users, or unpatched systems.

By focusing on access control, phishing awareness, backups, and basic system hygiene, your organization can dramatically reduce its exposure to threat actors while continuing to focus on its mission.


