Nonprofits are just as vulnerable to cyberattacks as any other organization, and perhaps more so, since cybersecurity is too often an afterthought for nonprofit leadership. To protect your donors, your volunteers and ultimately your cause, you need sound security practices. Here are a few places to start.

“I’m not a target,” you’re probably thinking. “Why would anyone want to hack my organization? It’s a charity – we’re doing good!”

If cybercriminals were concerned with good and evil, they wouldn’t be criminals. I don’t doubt that you’re working to create positive change in the world. I don’t doubt that your cause is noble, and your goals admirable.

Hackers don’t care. If you haven’t crossed your t’s and dotted your i’s where cybersecurity is concerned, all they see is a target. You are an opportunity to make money, whether that’s through stealing and reselling sensitive information, siphoning off finances, or locking down valuable data with ransomware.

Especially as a nonprofit organization, you need a strong security posture. You owe it to yourself, your donors, your volunteers, and every single person your cause is intended to help. Let’s talk about where you can start.


Lost, Stolen, and Compromised Devices

In all likelihood, your nonprofit doesn’t have the budget to deploy corporate-owned devices to staff and volunteers. That means you’re relying on your employees to provide their own hardware: laptops, smartphones, and tablets.

If that doesn’t make you at least a little nervous, then you simply haven’t been paying attention.

For one, plenty of apps on both Android and iOS are poorly secured. Many of the most popular Android apps carry vulnerabilities that at best expose user data and at worst let an attacker take over the device. iPhones aren’t immune either: over a third of apps on Apple’s platform have comparable flaws.

Bad apps and malware aside, there’s also the risk of lost and stolen devices. Let’s say a member of your events staff keeps the financial details of some of your major donors on a laptop, and that laptop is stolen at an event. Every one of those donors is now at risk.

You have a couple of options for addressing this, and they work best together.

  1. Use a mobile device management (MDM) platform that puts a managed work profile on every personal device used to access or process your nonprofit’s information. That lets you remotely wipe the work profile (or, on fully enrolled devices, the whole device) the moment one is reported lost. Have the MDM policy also enforce full-disk encryption and a screen lock: a remote wipe only reaches a device that comes back online, while encryption protects the data whether or not the thief ever connects it.
  2. Keep the data off the device in the first place: run donor records and finances in hosted applications configured not to cache data locally, and make sure an administrator can revoke a lost device’s sessions and sign-ins so that whoever holds it cannot keep using saved logins.

A Lack of Proper Security Training

Contrary to what Hollywood would have us believe, the greatest risk to business data is not the sophisticated hacker. Advanced black hats exist, but they are rare.

Most cybercriminals are opportunists, and they exploit two weaknesses as old as civilization: ignorance and carelessness. Between them, these two have probably caused more data breaches than the most advanced criminal enterprise.

Teach your nonprofit’s core staff and volunteers how to recognize phishing emails and how to respond to social engineering: whom to report it to, and that unusual requests, especially changes to payment details, get verified through a second channel before anyone acts on them. Train them to be careful about what they download and where they browse. You won’t stop every social engineering attempt this way, but you will blunt a large share of them.
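The tells a training session teaches people to spot can also be checked mechanically, which helps when triaging the messages staff report. The script below is an added example written for this page, not part of the original article: it parses an email and reports the classic indicators (a display name showing one address while the real sender is another, a sender or link domain imitating a trusted one, a Reply-To pointing at a third domain, link text naming a different site than the href goes to, and pressure language). The trusted domain `example-charity.org` and the two sample messages are invented for the example.

```python
"""Report common phishing tells in an email. Added example; the trusted domain and
both sample messages below are constructed for illustration."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation really uses (hypothetical for this example).
TRUSTED_DOMAINS = {"example-charity.org"}
URGENCY = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")
LINK_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample messages.
PHISHING_MESSAGE = """\
From: "donations@example-charity.org" <alerts@example-charity-support.net>
Reply-To: recover@mailbox-recovery.net
To: treasurer@example-charity.org
Subject: URGENT: donor payment held
Content-Type: text/html

<p>Your donor payment is suspended. Verify your account within 24 hours:</p>
<a href="http://login.example-charity.org.verify-now.net/">https://example-charity.org/login</a>
"""
LEGIT_MESSAGE = """\
From: Jane Treasurer <jane@example-charity.org>
To: staff@example-charity.org
Subject: Board minutes

Minutes from Tuesday are on the shared drive.
"""


def _levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as exmaple-charity.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _host(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        label = t.split(".")[0]  # "example-charity"
        # One or two typos away, or the real name buried inside a longer hostname
        # (example-charity-support.net, login.example-charity.org.verify-now.net).
        # A very short or generic label would over-match here; keep the list specific.
        if _levenshtein(domain, t) <= 2 or label in domain:
            return t
    return None


def phishing_indicators(raw_message):
    """Return human-readable findings; an empty list means no tell was found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Sender domain that imitates one we trust.
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"sender domain {from_domain} imitates {target}")

    # 2. Display name showing one address while the real sender is another.
    if "@" in display_name and display_name.rpartition("@")[2].lower() != from_domain:
        findings.append(f"display name {display_name!r} does not match sender {from_addr}")

    # 3. Replies silently routed to a third domain.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_to.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""

    # 4. Links whose visible text names one site while the href goes to another,
    #    or whose real destination imitates a trusted domain.
    for href, text in LINK_RE.findall(body):
        href_host = _host(href)
        text = re.sub(r"<[^>]+>", "", text).strip()
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) and _host(text) != href_host:
            findings.append(f"link text {text} points at {href_host}")
        if lookalike_of(href_host):
            findings.append(f"link destination {href_host} imitates {lookalike_of(href_host)}")

    # 5. Pressure language in subject or body.
    haystack = (str(msg.get("Subject", "")) + " " + body).lower()
    hits = [w for w in URGENCY if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(label, "->", phishing_indicators(raw) or ["no indicators"])
```

These are heuristics for triage, not a mail filter: a single hit (a Reply-To on a newsletter, say) is normal, while several together on one message are what a trained reader would escalate.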


Outdated Software

According to Fortinet’s 2017 Global Threat Landscape Report, roughly 90 percent of organizations recorded exploit attempts against vulnerabilities that were three or more years old, and 60 percent saw attempts against vulnerabilities a decade old or older. In other words, attackers lean heavily on flaws that already have patches. If you aren’t applying those patches to the software your nonprofit uses, it’s the digital equivalent of leaving a shop’s door open overnight.

You’re inviting a cyberattack. Keep an inventory of the software and devices your nonprofit runs, turn on automatic updates wherever the product offers them, and watch for security advisories covering the rest. The longer a fix sits unapplied, the longer a criminal has to use the hole it closes.


The Absence of Crisis Readiness

How prepared is your nonprofit for a ransomware attack? What about critical hardware failure? A service outage due to a natural disaster?

Crisis readiness is as much a part of cybersecurity as network monitoring and malware scanning. Your organization needs a concrete crisis response process in place. This plan should, in broad strokes, include the following.

  • Roles and responsibilities: Who is responsible for connecting with your service population? Who is responsible for your infrastructure? For maintaining your backups?
  • The frequency with which your nonprofit will carry out drills and simulations: Ideally, I’d recommend running them every few months, so your staff can familiarize themselves with your crisis response process.
  • How to recognize that an incident has occurred, and what to do in its first hours: whom to call, what to isolate, and what evidence to preserve.
  • Backup and recovery: Keep offline (air-gapped) or otherwise immutable backups of all critical systems and data, so ransomware that reaches the network cannot reach them, and a clear, rehearsed process for restoring compromised systems from them. Test restores on a schedule; a backup that has never been restored is an assumption, not a plan.
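Scripting the restore drill makes it cheap enough to run regularly. The script below is an added example written for this page, not the article’s own process: it backs up a directory into a tar archive, records a SHA-256 manifest that is kept separately from the archive, restores into a clean directory while refusing archive entries that would land outside it, and reports anything missing, modified or unexpected. `run_drill` exercises the whole cycle on constructed files, including a backup taken after one file was overwritten (as ransomware or bit rot would do), judged against the original manifest.

```python
"""Back up a directory, keep a separate hash manifest, and rehearse the restore.
Added example for this page; the file names and contents in run_drill are constructed."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory):
    """Map of relative path -> SHA-256 for every file under `directory`."""
    root = Path(directory)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src_dir, archive_path):
    """Write a tar.gz of src_dir and return its manifest. Store the manifest somewhere
    the archive's custodian cannot reach: it is the reference the restore is judged against."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(str(Path(src_dir) / rel), arcname=rel)
    return manifest


def restore_backup(archive_path, dest_dir):
    """Extract regular files only, refusing any entry that would land outside dest_dir
    (an archive of unknown provenance can carry '../' or absolute names)."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    dest = dest.resolve()
    restored = 0
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target = (dest / member.name).resolve()
            if dest not in target.parents:
                raise ValueError(f"refusing to extract {member.name!r} outside {dest}")
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                out.write(src.read())
            restored += 1
    return restored


def verify_restore(archive_path, manifest, dest_dir):
    """Restore into a clean directory and diff it against the trusted manifest."""
    restore_backup(archive_path, dest_dir)
    actual = build_manifest(dest_dir)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def restore_is_clean(report):
    return not any(report.values())


def run_drill():
    """Full cycle on constructed data: an honest restore, then a backup taken after one file
    was overwritten, both checked against the manifest recorded at the first backup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        (live / "donors").mkdir(parents=True)
        (live / "donors" / "list.csv").write_text("name,amount\nA. Donor,250\n")
        (live / "notes.txt").write_text("board minutes\n")

        manifest = create_backup(live, root / "backup.tgz")
        good = verify_restore(root / "backup.tgz", manifest, root / "restore-good")

        (live / "donors" / "list.csv").write_bytes(os.urandom(64))  # simulated damage
        create_backup(live, root / "backup-tampered.tgz")
        bad = verify_restore(root / "backup-tampered.tgz", manifest, root / "restore-bad")
        return good, bad


if __name__ == "__main__":
    good, bad = run_drill()
    print("honest restore clean:", restore_is_clean(good))
    print("tampered restore report:", bad)
```

The point of keeping the manifest apart from the archive is that whoever (or whatever) can alter the backup must not also be able to alter the record it is checked against; in practice that means the manifest lives on the offline media or in a separate, read-only location.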


Improper Vetting for Partners, Colleagues and Vendors

One thing I consistently see both nonprofits and for-profits neglect is the fact that internal security is not the only thing that matters. If your organization’s partners are not secure, then your organization is not secure. Therefore, it is imperative that any partners, colleagues and vendors working with your nonprofit’s data be subject to a vetting process.

They should be able to demonstrate that they have the necessary measures in place to protect critical assets – both theirs and yours. Ideally, you should bring in a security expert to analyze their infrastructure, who can locate any potential security concerns. Because at the end of the day, their security flaws directly impact you.



Cybersecurity isn’t something your nonprofit can afford to ignore. You owe it to everyone involved with your organization to protect your infrastructure. Because if you don’t, your cause doesn’t matter.

About the Author:

Max Emelianov started HostForWeb in 2001. In his role as HostForWeb’s CEO, he focuses on teamwork and providing the best support for his customers while delivering cutting-edge web hosting services. 
