Cybersecurity Tips for Nonprofits
Nonprofits are a common target for cyberattacks, in part because attackers know that nonprofits hold large amounts of sensitive data (donor, financial, employee, and client records) and often do not invest in the systems needed to protect it. At the same time, attackers are becoming more sophisticated in how they gain access to that data. These cybersecurity tips for nonprofits can help protect your organization.
Know your legal responsibilities around data protection
Nonprofit organizations collect a lot of data over time, including data about donors, volunteers, employees, and the people they serve. Donor data in particular is a valuable asset for attackers, and nonprofits must understand their responsibility for protecting it. If the organization does experience a data breach, each U.S. state has its own breach notification law that specifies who must be notified and how quickly, so the organization should know in advance which laws apply to the people whose data it holds.
Organizations that receive federal grant funding must also consider the cybersecurity requirements attached to that award. Final regulations from the Office of Management and Budget (OMB) that took effect October 1, 2024, require recipients to “[t]ake reasonable cybersecurity and other measures to safeguard information including protected personally identifiable information (PII) and other types of information.” (2 CFR § 200.303(e)) Organizations therefore need to determine what information is sensitive, as designated by the federal granting agency or pass-through entity and by applicable federal, state, and local privacy and confidentiality laws. The organization’s internal policies and procedures should document which of the information it holds is protected personally identifiable information and where it is stored.
Have the right policies and procedures in place
Written policies and procedures are one of the most important ways nonprofit organizations can reduce risk, and that includes cybersecurity risk. Writing the policies is not enough, though: to reduce risk, the organization must keep them current, train people on them, and hold employees and volunteers accountable for following the procedures. Cybersecurity policies and procedures typically cover access control (who may access which systems and data, and how access is removed when someone leaves), password and multi-factor authentication requirements, annual security awareness training, and an incident response plan describing the actions to take if a data breach occurs.
Leverage technology to protect data
Donor information is valuable to attackers, so it is critical that your website and any other platform used for online donations encrypt data in transit (HTTPS with a valid TLS certificate) and, where card payments are accepted, hand card data to a PCI DSS-compliant payment processor so that card numbers never pass through your own systems. Leveraging technology to protect data extends beyond the website, too. Staff laptops need layers of security as well, including software that protects against viruses and malware, automatic operating system and application updates, and multi-factor authentication for logins, especially to email and the donor database.
Many nonprofits allow employees to use their own computers to avoid investing in equipment, but that creates unnecessary risk: the organization cannot verify that a personal device is patched, protected, or encrypted, and cannot wipe it if it is lost or the employee leaves. Organizations should provide organization-issued laptops, keep them regularly updated, and enable full-disk encryption on them. If volunteers are issued organizational email addresses or access to software within your organization’s systems, require strong, unique passwords and multi-factor authentication, and remove their access promptly when their role ends. Forcing users to change passwords on a fixed schedule is no longer recommended: current NIST guidance (SP 800-63B) advises against routine periodic rotation because it pushes people toward predictable variations of old passwords. Instead, require a change when a password is suspected of being compromised, and screen new passwords against lists of known-breached passwords.
Consult with qualified professionals when needed
If your organization accepts donations or stores any personally identifiable data, work with a qualified IT security professional to assess your hardware and software systems and to close the gaps they find. In addition, talk with your insurance provider about cyber liability coverage, which can help with the costs of forensics, notification, and legal fees if a data breach occurs; check what security controls (such as multi-factor authentication) the policy requires you to have in place.
Organizations that don’t take cybersecurity seriously can quickly lose trust with donors and the public. Following these cybersecurity tips for nonprofits can help protect your organization, your data, and your reputation.