Mitigating Cyber Risk: Practical Steps for Nonprofit Leaders and Boards

How do you get to the finish line? Step by step.

In our last post, I noted that cybersecurity is even more important today than it was when I published Manage Your Nonprofit for Resilience back in 2022. Here, I address targeted steps to begin addressing your cyber risks.

You don’t need a massive budget or an in-house IT team. Incremental improvements like training your staff, enabling multifactor authentication, updating old systems, backing up data, and clarifying policies can dramatically strengthen your organization’s resilience. Cybersecurity is mission security, and with the following practical, step-by-step approach, every nonprofit can make meaningful progress.

Start with a Simple Cyber Risk Assessment

You can’t protect what you haven’t mapped. Begin by taking an inventory of the data and systems you have and where you might be vulnerable. The Nonprofit Technology Network (NTEN) suggests doing an inventory of all data you collect, where it’s stored (cloud apps, laptops, etc.), and who has access. This often reveals easy fixes like unused accounts, outdated software, or unprotected data. An annual cybersecurity risk assessment is a great habit that helps pinpoint weaknesses before attackers do. If you don’t have internal expertise, use a tech-savvy volunteer or free online tools from organizations like NTEN or CISA.

Educate Your Team and Build a Security Culture

People are the first line of defense. Given that many breaches involve human error (clicking a bad link or using a weak password), regular staff and volunteer training is a must. Train staff and volunteers regularly on how to spot phishing emails and suspicious texts, how to handle sensitive data, and when to pause and ask for help. Training doesn’t need to be expensive; free webinars, shared scam examples, or quick in-house refreshers work well. Leadership should model good behavior to set the tone: curiosity, caution, and accountability.

Put Basic Protections in Place

  1. Strong Passwords + Multi-Factor Authentication (MFA): Require strong, unique passwords for all accounts, and enable MFA wherever possible, which immediately raises your security bar.
  2. Keep Software Updated: Outdated software is an open door for hackers. Turn on automatic updates for your computers, website CMS, and any apps. Ensure someone is responsible for keeping your website, apps, and plugins current.
  3. Regular Backups: Back up critical files (donor lists, finance records) to a secure cloud service or external drive. Test that you can restore the data. Good backups dramatically limit the damage of ransomware or accidental data loss.
  4. Anti-malware and Firewalls: Use basic antivirus/anti-malware tools on all devices, and make sure built-in firewalls are enabled. Many are free or discounted for nonprofits.
  5. Secure Websites and Donations: If your nonprofit accepts donations online, use reputable payment processors and avoid storing credit card information yourself. Ensure your donation pages run on HTTPS and confirm with your payment vendor that you’re meeting current security requirements.

Create a Simple Incident Response Plan

Even with good practices, incidents may still happen. Having an incident response plan is like having a fire drill. You don’t need a thick manual, just a clear plan outlining whom to notify if something looks suspicious and how to secure accounts or systems. It should also address when to contact your board, IT support, or outside experts; how to communicate with stakeholders; how to report lost devices; and guidelines for managing sensitive information. Even a one-page “dos and don’ts” can make a meaningful difference.

By implementing these steps, even gradually, you’ll significantly harden your nonprofit against cyber threats. Each step lowers the chance of a catastrophe and puts you in a better position to respond if something does occur. It’s all about managing the risk, not eliminating it (no one can eliminate it 100%). And these practices are very much in line with the ethos of resilience and continuous improvement.

In the final post about cybersecurity, I will address how we advise clients to work on these issues using effective interventions.