Nonprofits are favorite targets for cyberattacks. Why? You hold donor data. You hold volunteer information. You often have loose security (limited IT resources). You can't afford to pay ransoms. You look like easy targets.

A breach costs you trust, money (incident response, legal, credit monitoring for affected people), and operational disruption (downtime while you recover). It's not hypothetical. It happens to nonprofits regularly.

But cybersecurity doesn't have to be complex. You don't need enterprise security infrastructure. You need the fundamentals, done well. This lecture teaches you the checklist.

The Reality of Nonprofit Cybersecurity

You're not trying to stop sophisticated nation-state attacks. You're trying to stop: credential-stuffing attacks (an attacker tries passwords leaked in someone else's breach against your logins, and they work because staff reused them), phishing (staff clicks a malicious link or types a password into a look-alike login page), and ransomware (an attacker gets in, encrypts your files, and demands payment to give them back).

The good news: basic security practices blunt all three. The bad news: you have to do them consistently, for every account and every machine, not just the ones you remember.

The Essential Checklist: 12 Things You Must Do

1. Require Strong Passwords (or Passphrases)

Password requirements: length matters more than complexity rules. Require 12+ characters (longer for admin accounts) and never the same password on two systems. A passphrase of four or more random words is at least as strong as a shorter jumble of symbols and far easier to remember; just don't reuse the famous xkcd example itself ("correct-horse-battery-staple" is in every attacker's word list by now).

Better: use a password manager (LastPass Teams, 1Password) so people don't have to remember complex passwords and stop reusing them. They remember one long master passphrase; the manager generates a unique random password for every site.

Do this: audit your most critical systems (email, CRM, accounting). Enforce the length rule and block known-breached passwords where the platform offers that setting. Require the password manager for staff, and put MFA on the manager itself.

Cost: free (built-in policy) to $60-100/year per person (password manager).

2. Enable Multi-Factor Authentication (MFA)

MFA means: password + a second factor, normally a one-time code from an authenticator app (Google Authenticator, Microsoft Authenticator, Authy) or a hardware security key. Even if someone steals your password, they can't log in without the second factor. Two caveats: SMS codes are the weakest option (phone numbers get hijacked), so prefer an app or a key; and a convincing phishing page can relay an app code in real time, which is why security keys and passkeys, which only work on the genuine site, are the strongest choice for admin and finance accounts.

Do this: enable MFA on all critical accounts: email, CRM, banking, donation platform, password manager, and backup service. Start with your most privileged users (IT, finance, executive director) and make it mandatory rather than optional; an optional rollout leaves exactly the accounts attackers want unprotected.

Cost: free or low (authenticator apps are free; a hardware security key is a one-time purchase of roughly $25-60 per person).

3. Keep Systems Patched and Updated

Updates fix security holes, and attackers scan for unpatched systems within days of a fix being published. Windows, Mac, phones, browsers, and the apps on them: enable automatic updates. For servers, test patches and apply them on a monthly cycle, with critical security fixes applied sooner.

Do this: set a schedule (for example the first Tuesday of each month) to check for updates across all systems. Where you have a non-production environment, test there first; otherwise update one machine, confirm it still works, then roll out to the rest. Keep a simple inventory of devices and software so nothing gets skipped.

Cost: free.

4. Backup Your Data (Regularly, Offline)

Ransomware encrypts your files and demands payment. But if you have a backup, you restore from backup without paying.

Backup strategy: the 3-2-1 rule. Three copies of data (original + two backups). Two different storage types (cloud + local). One copy offline or immutable (ransomware operators deliberately look for reachable backups, cloud backups included, and delete or encrypt them before they encrypt your files).

Do this: use cloud backup (Backblaze, IDrive, AWS) for continuous backup. Plus monthly offline backup (external hard drive, disconnected after the copy and stored offsite). Give the backup service its own credentials and MFA, separate from your day-to-day admin logins, so a stolen admin password does not also reach the backups. Test restoration quarterly (can you actually restore from backup, and does the restored data match what you backed up?).

Cost: $10-50/month for cloud backup per device.
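The restore test above is only meaningful if you compare what came back against what went in. The following is an added example (not code from the original page or from any backup vendor) of the simplest way to do that: record a SHA-256 manifest of the files at backup time, then check the restored copy against it. The directory layout, file contents and the "missing" and "corrupted" files are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256.

    Run this against the source tree at backup time and keep the result
    with the backup (and a copy somewhere the backup job cannot overwrite).
    """
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time.

    Returns files that did not come back at all, files whose content differs
    (truncated or corrupted during backup or restore), and files that were not
    in the manifest (usually harmless, but worth a look).
    """
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(k for k in manifest if k not in restored),
        "modified": sorted(k for k in manifest if k in restored and restored[k] != manifest[k]),
        "extra": sorted(k for k in restored if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: back up three files, then 'restore' with one
    file missing and one truncated, and see the verifier catch both."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "restored"
        (src / "donors").mkdir(parents=True)
        (src / "donors" / "list.csv").write_text("id,name\n1,Alice\n")
        (src / "policy.txt").write_text("IR plan v1\n")
        (src / "notes.txt").write_text("hello\n")
        manifest = build_manifest(src)          # taken at backup time

        (dst / "donors").mkdir(parents=True)    # simulated restore
        (dst / "donors" / "list.csv").write_text("id,name\n1,Alice\n")
        (dst / "policy.txt").write_text("IR plan v1 (truncated")   # corrupted copy
        # notes.txt deliberately not restored
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In real use, keep the manifest for each backup set and run `verify_restore` against a scratch restore of the whole set, not just one folder; a restore that "works" for one file and silently drops a subdirectory is the failure this catches.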

5. Monitor for Breaches

If someone tries credentials from a data breach against your systems, you want to know before they succeed. Use a service like HaveIBeenPwned (it offers domain search and breach notifications) or a breach-monitoring product such as Breach Guard to learn when addresses on your domain appear in known breaches.

Also: force a password reset (and confirm MFA is on) if a staff email appeared in a breach, even if the breach was at another company; the risk is that the same password was reused on your systems.

Do this: subscribe to breach notifications for your domain so you hear about new breaches as they are published, and set a quarterly reminder to review the full list and confirm every affected account was reset.

Cost: free for individual email lookups; HaveIBeenPwned's domain search has a free tier for small domains and paid tiers above that.

6. Secure Email

Email is the most common attack vector. Phishing emails trick people into clicking malicious links, opening malicious attachments, or entering credentials on a look-alike login page. Use email filtering that detects suspicious senders, blocks malware, and flags phishing attempts. Also publish SPF, DKIM, and DMARC records for your domain so that mail forged to look like it comes from you gets rejected by the recipient's mail server.

Do this: if you use Google Workspace or Microsoft 365, these have email security built in and it is good, but check that the anti-phishing, link-scanning, and attachment-scanning settings are actually turned on for every user; defaults vary by plan. If you use alternative email, add a security layer (Proofpoint, Mimecast).

Cost: free (if built into your platform) to a few dollars per user per month for add-on filtering.

7. Implement Access Controls

Not everyone needs access to everything. Finance staff don't need access to the programs database. Program staff don't need access to donor payment info. And nobody should do daily work (email, browsing) from an account that also has administrator rights.

Do this: audit your systems. Document who has access to what. Remove people who left the organization, and make account removal a step on the offboarding checklist so it happens the same day. Grant the minimum access needed for each role, give administrators a separate admin account used only for admin tasks, and repeat the review quarterly.

Cost: free (it's policy, not software).
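The access audit is easier to repeat quarterly if it is a script rather than a spreadsheet. The added example below (not from the original page) takes a constructed account export of the kind most CRMs and cloud consoles can produce, plus the HR list of current staff, and flags the three things that matter most: enabled accounts that belong to nobody on the roster (departed staff, or service accounts with no owner), administrators without MFA, and accounts nobody has used in 90 days. All names, roles and dates are invented for the demo.

```python
from datetime import date

REVIEW_DATE = date(2024, 9, 30)                  # constructed: day the review is run
ACTIVE_STAFF = {"amy", "ben", "carla", "dev"}    # constructed: current HR roster

# Constructed account export (what an admin console or CRM would give you).
ACCOUNTS = [
    {"user": "amy",        "role": "admin",   "enabled": True, "mfa": True,  "last_login": date(2024, 9, 29)},
    {"user": "ben",        "role": "finance", "enabled": True, "mfa": False, "last_login": date(2024, 9, 28)},
    {"user": "carla",      "role": "program", "enabled": True, "mfa": True,  "last_login": date(2024, 5, 1)},
    {"user": "dev",        "role": "admin",   "enabled": True, "mfa": False, "last_login": date(2024, 9, 30)},
    {"user": "erin",       "role": "finance", "enabled": True, "mfa": True,  "last_login": date(2024, 6, 12)},  # left in June
    {"user": "svc-backup", "role": "admin",   "enabled": True, "mfa": False, "last_login": None},             # nobody owns it
]


def review_access(accounts, active_staff, today, dormant_days=90):
    """Return the findings a quarterly access review should surface.

    enabled_not_on_roster: enabled accounts with no matching current employee;
                           every one of these needs an owner or needs disabling.
    admin_without_mfa:     privileged accounts with no second factor.
    dormant:               enabled accounts unused for dormant_days (or never used).
    """
    findings = {"enabled_not_on_roster": [], "admin_without_mfa": [], "dormant": []}
    for a in accounts:
        if a["enabled"] and a["user"] not in active_staff:
            findings["enabled_not_on_roster"].append(a["user"])
        if a["role"] == "admin" and not a["mfa"]:
            findings["admin_without_mfa"].append(a["user"])
        last = a["last_login"]
        if a["enabled"] and (last is None or (today - last).days > dormant_days):
            findings["dormant"].append(a["user"])
    return findings


if __name__ == "__main__":
    for kind, users in review_access(ACCOUNTS, ACTIVE_STAFF, REVIEW_DATE).items():
        print(f"{kind}: {', '.join(users) or 'none'}")
```

Note that `svc-backup` shows up in all three lists: a shared service account with admin rights, no MFA and no human owner is the single most common way a departed employee's access survives offboarding.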

8. Monitor for Unusual Activity

Set up alerts for events that should be rare: a login from a new country or device, a large export or download, a new account or a new administrator, an MFA method being changed. Review logs monthly.

Do this: for your most critical systems (CRM, accounting, email), enable audit logging, turn on the built-in alerts, and review the logs monthly. Look for: logins at unusual hours or from unusual locations, bursts of failed logins (especially when followed by a success), mass downloads or exports, and changes to admin roles or MFA settings.

Cost: free (logging is built into most systems).
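To make the monthly log review concrete, here is an added example (not from the original page) that runs the three checks named above over a constructed audit log: a burst of failed logins for one user, a successful login from a country that user has never logged in from, and a run of downloads in a short window. The log format (timestamp,user,event,country,detail), the baseline of known countries and the thresholds are all assumptions for the demo; real systems export something similar as CSV or JSON.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log sample: timestamp,user,event,country,detail. Not real data.
SAMPLE_LOG = """\
2024-09-30T02:14:05,ben,login_failed,US,
2024-09-30T02:14:09,ben,login_failed,US,
2024-09-30T02:14:12,ben,login_failed,US,
2024-09-30T02:14:16,ben,login_failed,US,
2024-09-30T02:14:20,ben,login_failed,US,
2024-09-30T02:14:25,ben,login_success,US,
2024-09-30T09:02:11,amy,login_success,US,
2024-09-30T09:10:02,carla,login_failed,US,
2024-09-30T09:10:40,carla,login_success,US,
2024-09-30T23:40:44,amy,login_success,RO,
2024-09-30T23:41:00,amy,download,RO,donors_2024.csv
2024-09-30T23:41:30,amy,download,RO,donors_2023.csv
2024-09-30T23:42:01,amy,download,RO,pledges.xlsx
2024-09-30T23:42:40,amy,download,RO,board_contacts.csv
2024-09-30T23:43:15,amy,download,RO,grant_budget.xlsx
2024-09-30T23:44:02,amy,download,RO,volunteers.csv
"""

# Constructed baseline: countries each user logged in from over the previous quarter.
KNOWN_COUNTRIES = {"amy": {"US"}, "ben": {"US"}, "carla": {"US"}}


def parse_log(text):
    """Turn the CSV-style lines into event dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, country, detail = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "country": country, "detail": detail})
    return events


def _burst_users(events, event_name, threshold, window):
    """Users with at least `threshold` events of `event_name` inside any `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == event_name:
            per_user[e["user"]].append(e["ts"])
    flagged = []
    for user, stamps in per_user.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):      # sliding window
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.append(user)
                break
    return flagged


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Password guessing or credential stuffing against one account."""
    return _burst_users(events, "login_failed", threshold, window)


def mass_downloads(events, threshold=5, window=timedelta(hours=1)):
    """Bulk export of files; tune the threshold to what is normal for your staff."""
    return _burst_users(events, "download", threshold, window)


def new_country_logins(events, known):
    """Successful logins from a country not in the user's baseline."""
    return [(e["user"], e["country"], e["ts"].isoformat())
            for e in events
            if e["event"] == "login_success"
            and e["country"] not in known.get(e["user"], set())]


def review(text, known):
    events = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "new_country_logins": new_country_logins(events, known),
        "mass_downloads": mass_downloads(events),
    }


if __name__ == "__main__":
    for kind, hits in review(SAMPLE_LOG, KNOWN_COUNTRIES).items():
        print(f"{kind}: {hits or 'none'}")
```

Read the findings together rather than one at a time: ben's five failures at 02:14 followed by a success is the pattern of a guessed password, and amy's first-ever login from RO followed three minutes later by six donor-file downloads is the pattern of a stolen one. Either should trigger an immediate password reset and MFA check, not a note for next month.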

9. Use Encrypted Connections

Data traveling between your computer and the server should be encrypted. HTTPS instead of HTTP. A VPN when using public wifi (it hides your traffic from whoever runs the network; it does not protect an account with a weak password). Encrypted email, or a secure file-sharing link, when sending sensitive data.

Do this: require HTTPS on your website and redirect HTTP to it (certificates are free with Let's Encrypt). Use a VPN when staff work remotely (ExpressVPN, ProtonVPN, $70-120/year per person). Use encrypted email or a secure file-sharing link for donor or patient data rather than plain attachments.

Cost: free to $120/year per person for VPN.

10. Secure Vendor Relationships

Your vendors have access to your data. If a vendor gets breached, your data might leak. Vet vendors: ask about security practices, certifications, insurance.

Do this: before signing with a vendor, send them a security questionnaire. Questions: do you have liability insurance? How do you store data, and who can access it? How do you handle breaches, and how quickly will you notify us? Do you have ISO 27001 certification or a SOC 2 report, and will you share it?

Cost: free (it's due diligence).

11. Have an Incident Response Plan

If you get breached, who do you call? What do you do first? How do you notify affected people? Have a plan before you need it.

Do this: document a one-page incident response plan. Who's on the incident team? First steps? Legal/insurance to contact? Communication to staff/donors? (See Chapter 5.3 Lecture 4 for detailed plan.)

Cost: free (it's planning).

12. Train Your Staff

Humans are the most targeted link. Train staff on spotting phishing, password hygiene, and what to do if they suspect a breach (report it fast, without fear of blame). Make it part of onboarding and repeat it, not a one-time event.

Do this: annual security training (1 hour). Quarterly phishing simulations (send fake phishing emails, see who clicks, and follow up with a short reminder rather than a reprimand; the goal is fast reporting, not zero clicks). (See Chapter 5.3 Lecture 6 for a training program.)

Cost: free (you can do this internally) to $50-100/person/year for training platform.

Implementation Roadmap

Month 1: Passwords and MFA (items 1-2). This is quick, high impact.

Month 2: Backups and updates (items 3-4). Get your backup system running.

Month 3: Access controls and logging (items 7-8). Audit who has access to what.

Months 4-5: Breach monitoring, email security, encrypted connections, vendor vetting (items 5, 6, 9, 10). Ongoing.

Month 6: Incident response plan and staff training (items 11-12). Written and trained.

Month 7+: maintenance. Review access quarterly. Test backups quarterly. Update policies quarterly. Retrain staff annually.

When to Hire a Professional

Hire a security consultant if: you have sensitive data (health information, financial data), you've had a breach, or you have more than 20 staff and limited IT capacity. A security audit costs $2,000-5,000 and is usually worth it.

For most small nonprofits: the checklist above is sufficient. Do it well, maintain it, and you're protected against the commodity attacks (credential stuffing, phishing, opportunistic ransomware) that account for most nonprofit breaches.

Key Takeaway

Cybersecurity is about fundamentals done consistently. Strong unique passwords, MFA, backups, updates, training, and incident response. It's not complex. It's disciplined. A nonprofit that implements this checklist is better protected than many organizations that spend far more, including many for-profits. Your data is valuable. Protect it.

Frequently Asked Questions

What's the difference between SOC 2 and ISO 27001 certifications?

Both show that an outside auditor has examined a vendor's security practices. ISO 27001 is an international certification of an information security management system. SOC 2 is not a certification but an auditor's attestation report under U.S. (AICPA) standards covering security and related controls; it is most common among U.S. vendors handling customer data. For nonprofits, either is good. Ask your vendor which they have, and ask to see the report or certificate rather than a logo on a web page. If they have neither but claim to have security, ask why. Major vendors (Salesforce, AWS, Google) have both.

Should we encrypt our entire database or just sensitive fields?

Start with what your platform already provides: encryption at rest is cheap or free on most cloud databases and should simply be on. Then add field-level encryption for the obviously sensitive fields (social security numbers, bank details, health information) so they stay protected even from people and applications that can read the rest of the database. Payment card numbers are the exception: don't store them at all; let your payment processor tokenize them, which also keeps most PCI DSS obligations on their side. Expand as you mature.

How often should we change passwords?

Modern guidance is: don't force periodic changes (unless there's a breach or a sign of compromise). Forcing regular password changes led people to write down passwords or reuse variants. Instead, require strong unique passwords and MFA. When someone leaves, disable their account as part of offboarding and rotate any shared passwords they knew. If there's a breach, force a reset. But for normal operations: a strong password that never changes is actually better.

Is cloud storage (Google Drive, Dropbox) secure for sensitive data?

Cloud is generally more secure than local drives (providers have better security expertise and patch constantly). But the provider's encryption protects against someone breaking into their servers, not against someone logging in with a stolen staff password, so MFA and careful sharing settings matter as much as the provider. Sensitive data (donor payment info, health data) should either be encrypted before uploading or stored in systems specifically designed for that sensitivity. Ask your vendor about encryption at rest (is data encrypted even if someone breaks into their servers?) and encryption in transit (data encrypted while traveling between your computer and their servers).

What if we get hacked? What's our legal obligation?

Depends on what data was accessed and your state's laws. Most states require notification if personal data was breached. Some require notification to state attorney general. Document immediately what happened, when you discovered it, and what data was affected. Notify your insurance and legal counsel. They'll guide you on compliance. Have this plan (incident response) before you need it.