
A Best Practice Guide to Cybersecurity for Nonprofits

Kadian Douglas

In today’s digital age, cybersecurity is a critical concern for organizations of all sizes and sectors. Nonprofits, in particular, are not exempt from the risks associated with cyberthreats. As nonprofits handle sensitive information and often operate on limited budgets, it’s imperative to be proactive in safeguarding your digital assets. In this best practice guide, we delve into some of the key aspects of cybersecurity for nonprofits and what your organization needs to know and do.

What is cybersecurity?

Cybersecurity encompasses practices, technologies and processes designed to protect digital systems, networks and data from unauthorized access, theft or damage. Cybersecurity is a multifaceted discipline that includes a range of policies, tools and awareness programs aimed at ensuring the confidentiality, integrity and availability of digital assets.

What cybersecurity risks do nonprofits face?

Nonprofits face a unique set of cybersecurity risks. These may include, but are not limited to:

Data Breaches

Nonprofits often handle sensitive information, such as client records, personal health information and donor details. A breach could lead to reputational damage and legal repercussions.

Phishing Attacks

Cybercriminals may impersonate trusted sources to trick employees into revealing private and confidential information.

Ransomware

Malicious software can encrypt critical files, with the attackers then demanding a ransom for their release.

Insider Threats

Employees or volunteers with access to sensitive information could misuse or leak it.

7 Best Practices for Nonprofit Cybersecurity

To help protect your nonprofit from a cybersecurity attack, follow these seven best practices.

1. Conduct regular employee training and awareness efforts.

It is crucial to educate employees about cybersecurity best practices. Conduct regular training sessions on topics like identifying phishing emails, creating strong passwords, avoiding untrusted websites and recognizing suspicious activities.

2. Enact strong password policies.

Enforce the use of complex, unique passwords. The strongest passwords are typically more than 16 characters and use a mix of upper and lowercase letters, symbols and numbers that are not easily guessable. Updating your passwords regularly and avoiding reusing passwords across accounts can also help protect your information. Consider implementing multi-factor authentication for added security.
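As an added illustration of this practice (example code written for this guide, not code from the author or her firm), the check below enforces the policy described above: more than 16 characters, a mix of upper- and lowercase letters, digits and symbols, no commonly guessed words, and no reuse of a password that the organization has already seen. The list of common words is a small constructed sample; a real deployment would check against a full breached-password list. Previous passwords are kept only as salted PBKDF2 hashes, so the reuse check never stores passwords in clear text.

```python
"""Password-policy check for an account system (added example; assumptions noted inline)."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 17          # "more than 16 characters" -> at least 17
PBKDF2_ROUNDS = 100_000  # iteration count for the stored hashes (assumed value)

# Constructed sample of commonly guessed values; use a real breached-password list in practice.
COMMON_PASSWORDS = {"password", "welcome1", "letmein", "qwerty123"}


def hash_password(password, salt=None):
    """Return (salt, digest) for a password, using a fresh random salt unless one is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password, previous_hashes):
    """True if the password matches any stored (salt, digest) pair; constant-time comparison."""
    for salt, digest in previous_hashes:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def _has_required_classes(password):
    """The policy's character-mix requirement: upper, lower, digit and symbol all present."""
    return (
        any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def check_password(password, previous_hashes=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not _has_required_classes(password):
        problems.append("missing upper/lowercase letters, digits or symbols")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_PASSWORDS):
        problems.append("contains a commonly guessed word")
    if was_used_before(password, previous_hashes):
        problems.append("reused from a previous password")
    return problems


if __name__ == "__main__":
    history = [hash_password("Donor-Ledger!Nov2024-Winter")]
    for candidate in ("Welcome1!", "Donor-Ledger!Nov2024-Winter", "Grant-Report#Spring2025"):
        print(candidate, "->", check_password(candidate, history) or "ok")
```

The reuse check deliberately compares hashes rather than stored passwords, and multi-factor authentication (the last sentence above) is an additional control that this check does not replace.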

3. Ensure regular software updates and patch management.

Ensure that all software and applications are up-to-date to protect against known vulnerabilities that cybercriminals may exploit.

4. Encrypt data.

Encrypt sensitive data, both in transit and at rest, to protect it from unauthorized access.

5. Implement firewall and antivirus protection.

Install and regularly update firewalls and antivirus software to detect and prevent malicious activity.

6. Regularly back up your data.

Frequently back up critical data to an offsite location. In the event of a cyberattack, this ensures important information is not lost. Additionally, test the backup regularly, at least on an annual basis.
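The "test the backup" step is the one most often skipped, so here is a worked restore test (an added example for this guide, not a script from the author or her firm). It writes a constructed set of sample files, archives them, restores the archive to a separate directory and compares a SHA-256 manifest of every file before and after. It then alters one restored file to show that the check reports the difference. The file names and contents are invented for the demonstration; point the same functions at a real source directory and a real backup archive to use them in practice.

```python
"""Backup restore test: archive, restore, and verify file hashes (added example)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source_dir, archive_path):
    """Write a gzip-compressed tar of source_dir and return the manifest taken at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    return manifest(source_dir)


def restore_backup(archive_path, dest_dir):
    """Extract the archive into dest_dir, using the safe 'data' filter where Python provides it."""
    Path(dest_dir).mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest_dir, filter="data")
        else:  # older interpreters without the filter argument
            tar.extractall(dest_dir)


def verify_restore(expected_manifest, restored_dir):
    """Return {relative path: problem} for files missing or changed after restore; {} if all match."""
    actual = manifest(restored_dir)
    problems = {}
    for name, digest in expected_manifest.items():
        if name not in actual:
            problems[name] = "missing after restore"
        elif actual[name] != digest:
            problems[name] = "content differs after restore"
    return problems


# Constructed sample data standing in for a nonprofit's working files.
SAMPLE_FILES = {
    "donors/list.csv": b"id,name,email\n1,Sample Donor,donor@example.org\n",
    "policies/acceptable-use.txt": b"Draft acceptable-use policy (sample)\n",
}


def run_restore_test():
    """Back up the sample files, restore them, verify, then tamper with one file and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, archive, restore = tmp / "live", tmp / "backup.tar.gz", tmp / "restore"
        for rel, content in SAMPLE_FILES.items():
            target = source / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        expected = create_backup(source, archive)
        restore_backup(archive, restore)
        clean_result = verify_restore(expected, restore)
        # Simulate a corrupted or truncated restore of one file.
        (restore / "donors" / "list.csv").write_bytes(b"id,name,email\n")
        tampered_result = verify_restore(expected, restore)
        return clean_result, tampered_result


if __name__ == "__main__":
    clean, tampered = run_restore_test()
    print("clean restore:", clean or "all files verified")
    print("tampered restore:", tampered)
```

Keeping the manifest from backup time alongside the offsite copy lets the annual (or more frequent) restore test answer the question that matters: not "does the archive open?" but "do the restored files match what was backed up?"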

7. Limit access control.

Limit access to sensitive information only to those who need it and implement role-based access controls.

What steps should nonprofits take to help employees become more cyber aware?

Encourage a culture of cybersecurity awareness within your nonprofit by fostering an environment where employees feel comfortable reporting suspicious activities. Provide them with resources to stay informed about emerging threats.

Preventing Cyberattacks

To prevent or limit the risk of cyberthreats, nonprofits should:

  • Implement a security policy: Develop a comprehensive cybersecurity policy outlining acceptable use, incident reporting and response procedures.
  • Conduct risk assessments: Regularly assess potential vulnerabilities and areas for improvement in your organization’s cybersecurity infrastructure. This allows for timely identification of vulnerabilities and implementation of the appropriate controls and mitigations.

What should a nonprofit consider when choosing a cybersecurity service provider?

When selecting a cybersecurity service provider, consider the following:

  • Experience and expertise: Look for providers with a track record of successfully assisting organizations similar to yours.
  • Compliance and certifications: Ensure your provider meets industry standards and has relevant certifications.
  • Scalability: Choose a provider that can adapt to your organization’s changing needs.

How should nonprofits respond to a cybersecurity attack?

In the unfortunate event of a cyberattack, nonprofits should:

  1. Isolate and contain: Immediately isolate affected systems to prevent further damage.
  2. Report the incident: Notify relevant authorities and any affected parties.
  3. Preserve evidence: Document the attack and any evidence for potential legal action.
  4. Restore and recover: Restore affected systems from backups and implement additional security measures.

Keep in mind that cybersecurity is an ongoing process. Stay vigilant, adapt to evolving threats and regularly review and update your security measures to keep your nonprofit’s digital assets safe. By doing so, you’ll not only protect your organization but also the invaluable work it does for the community. For additional information, please visit the Cybersecurity & Infrastructure Security Agency (CISA) website.


Kadian Douglas is the Managing Partner at Douglas CPA & Consulting, LLC. She supports clients with information security assessments, IT governance assessments, enterprise-wide IT risk assessments, compliance audit services, IT general and application controls and data privacy. Kadian has expertise in a wide range of industries, including the nonprofit sector.
