Cybersecurity Guide for Nonprofits: Protect Your Data, Donors, and Mission

TL;DR: 60% of nonprofits have experienced a cyberattack in the last two years, yet 68% lack a documented response plan. This guide covers the essential cybersecurity measures every nonprofit should have in place — from multi-factor authentication and staff training to incident response planning — with practical steps sized for nonprofit budgets.

What You’ll Learn

  1. Why Nonprofits Are Prime Targets
  2. The 5 Biggest Cybersecurity Threats to Nonprofits
  3. Essential Protections Every Nonprofit Needs
  4. The Nonprofit Cybersecurity Checklist
  5. Building a Security-First Culture
  6. Tools and Costs
  7. Pros and Cons of Outsourcing Cybersecurity
  8. Frequently Asked Questions
  9. Your Next Steps

Why Nonprofits Are Prime Cybersecurity Targets

A development director opens a phishing email that looks like it came from a major donor. Within 30 minutes, an attacker has access to the donor database — 15,000 names, addresses, and payment methods. The organization does not discover the breach for three weeks. By then, the damage to donor trust is irreversible.

This is not hypothetical. According to BDO, 60% of nonprofits have reported experiencing a cyberattack in the last two years. Nonprofits were the second-most targeted sector, and Cloudflare’s Project Galileo documented a 241% increase in cyberattacks against nonprofits between 2024 and 2025.

Why are nonprofits targeted? Attackers look for organizations that hold sensitive data but lack the resources to protect it. Nonprofits fit that profile: they store donor financial information, client case files, employee records, and grant data — often with minimal security infrastructure and no dedicated cybersecurity staff.

At Scottship Solutions, we help nonprofits close these gaps without the overhead of a full security team. The protections in this guide are practical, affordable, and sized for organizations that need to protect their data without diverting resources from their mission.

The 5 Biggest Cybersecurity Threats to Nonprofits

Threat | How it works | Nonprofit impact
--- | --- | ---
Phishing | Fake emails trick staff into clicking links or sharing credentials | Leading cause of breaches (16% of all incidents in 2025)
Ransomware | Malware encrypts files and demands payment to unlock them | Present in 44% of breaches; demands averaging $1M+
Credential theft | Stolen or reused passwords give attackers access to systems | 80-85% of people reuse passwords across accounts
Business email compromise | Attacker impersonates a CEO or vendor to redirect payments | Average loss: $125,000 per incident
AI-powered attacks | Attackers use AI to create convincing phishing and deepfakes | 16% of breaches now involve malicious AI use

In 2024, 68% of breaches involved a human element — someone clicking a bad link, reusing a password, or falling for a social engineering attack. The most effective cybersecurity investments for nonprofits focus on reducing this human risk through training, policies, and basic technical controls.

Essential Protections Every Nonprofit Needs

1. Multi-Factor Authentication (MFA)

MFA requires a second form of verification, such as a code from an app on your phone or a tap on a security key, in addition to your password. It is one of the highest-impact controls a small organization can implement: it defeats the automated password-spraying and credential-stuffing attacks that follow every password leak, because a stolen password alone is no longer enough. It is not a complete defense against phishing, though. Attacker-in-the-middle phishing kits can relay one-time codes and push approvals in real time, so the strongest option is a phishing-resistant method (FIDO2 security keys or passkeys), which should be the default for anyone with admin or finance access.

  • Enable MFA on every account that supports it: email, CRM, financial systems, cloud storage, social media
  • Use authenticator apps (Microsoft Authenticator, Google Authenticator) rather than SMS codes; use security keys or passkeys for admin and finance accounts where the platform supports them
  • Require MFA for all staff, board members, and volunteers with system access, and enforce it in the admin console rather than leaving it optional
  • Cost: Free — built into Google Workspace, Microsoft 365, and most cloud platforms

2. Password Management

Deploy a password manager across your entire organization. This eliminates password reuse and makes strong, unique passwords the default.

  • 1Password, Bitwarden, and LastPass all offer nonprofit pricing or free plans
  • Require passwords of 14+ characters (length matters more than complexity), and do not force routine password changes: under current NIST guidance (SP 800-63B) a password is changed when there is evidence of compromise, because scheduled rotation pushes people toward predictable variations of the old one
  • Ban password sharing via email, Slack, or sticky notes

3. Security Awareness Training

Your staff is your first line of defense and your biggest vulnerability. Regular training paired with simulated phishing measurably lowers the share of staff who click; training vendors report click-rate reductions of up to 75% over a year of simulations, but your own simulation results are the number to track.

  • Run phishing simulations quarterly using tools like KnowBe4 (nonprofit pricing available)
  • Train all new staff during onboarding
  • Keep sessions short: 15-20 minutes, focused on real examples
  • Celebrate staff who report suspicious emails — build a culture where reporting is rewarded

4. Endpoint Protection

Every device that touches organizational data, including personal laptops and phones used for work email, needs protection. Use a centrally managed antivirus and anti-malware product so you can see at a glance which devices are covered, out of date, or reporting infections.

  • Microsoft Defender for Business is included with Microsoft 365 Business Premium, which Microsoft offers to eligible nonprofits at nonprofit pricing
  • Ensure all devices receive automatic security updates for the operating system and browser, not just antivirus signatures
  • Turn on full-disk encryption (BitLocker on Windows, FileVault on macOS) and an automatic screen lock, so a lost laptop is not a data breach
  • Maintain an inventory of every device accessing organizational data

5. Data Backup and Recovery

If ransomware hits, your backup is your lifeline. Follow the 3-2-1 rule: three copies of your data, on two different media types, with one copy off-site.

  • Automate daily backups of all critical data
  • Test restores monthly — a backup you have never tested is not a backup
  • Keep at least one copy where ransomware cannot reach it: offline, or in cloud storage with versioning or immutability enabled, protected by its own credentials that are not stored on the main network and that the everyday admin account cannot use to delete backups
  • See our backup and disaster recovery resources for a complete guide
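As a worked example added here (it is not from the guide or from any backup vendor): a restore test of the kind the "test restores monthly" bullet asks for. It backs up a constructed sample directory with a plain directory copy, records a SHA-256 manifest at backup time, restores into a scratch directory, and compares every file against the manifest. The copy-based backup and restore steps are stand-ins; replace them with your real tool's commands and keep the hash comparison.

```python
"""Restore test: restore a backup into a scratch directory and verify every
file's SHA-256 against the manifest recorded at backup time.

Added example for this guide, not a tool from the page. The backup() and
restore step are plain directory copies standing in for your real backup
product; the sample files are constructed, not real donor data.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, dest: Path) -> Path:
    """Stand-in backup: copy source to dest/data and write the manifest beside
    it. Replace the copytree with rsync, tar, or your cloud agent's command."""
    shutil.copytree(source, dest / "data")
    (dest / "manifest.json").write_text(json.dumps(build_manifest(source), indent=2))
    return dest


def restore_test(backup_dir: Path) -> dict:
    """Restore into a fresh scratch directory and compare with the manifest.
    'ok' is True only if every file listed at backup time restores byte-for-byte."""
    expected = json.loads((backup_dir / "manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restore"
        shutil.copytree(backup_dir / "data", target)  # your real restore step
        actual = build_manifest(target)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    extra = sorted(set(actual) - set(expected))
    return {"ok": not (missing or corrupted), "files": len(expected),
            "missing": missing, "corrupted": corrupted, "extra": extra}


def demo_restore_test() -> tuple:
    """Constructed scenario: a small CRM export is backed up twice; the second
    backup is then silently damaged to show the test catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "crm_export"
        (src / "2025").mkdir(parents=True)
        (src / "donors.csv").write_text("id,name\n1,Ada\n2,Grace\n")
        (src / "2025" / "grants.csv").write_text("grant,amount\nA,5000\n")

        good = backup(src, Path(tmp) / "backup_good")
        report_good = restore_test(good)

        bad = backup(src, Path(tmp) / "backup_bad")
        (bad / "data" / "donors.csv").write_text("id,name\n1,Ada\n")  # truncated
        (bad / "data" / "2025" / "grants.csv").unlink()                # lost
        report_bad = restore_test(bad)
    return report_good, report_bad


if __name__ == "__main__":
    good_report, bad_report = demo_restore_test()
    print("intact backup:  ", good_report)
    print("damaged backup: ", bad_report)
```

Schedule this from a monthly task against the most recent real backup and treat any report with ok=False (or a file count that drops unexpectedly) as an incident, not a warning: it means the lifeline described above would not have held.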

6. Incident Response Plan

68% of nonprofits lack a documented plan for responding to cyberattacks. When an incident occurs, you do not have time to figure out who to call.

  • Document: who to notify, in what order, through what channel
  • Include legal counsel, insurance provider, IT partner, and communications lead
  • Define when and how to notify affected donors or clients
  • Run a tabletop exercise annually — walk through a scenario as a team
  • Keep a printed copy and an offline copy of the plan and its contact list; during a ransomware incident your email, file shares, and the document itself may be unavailable

The Nonprofit Cybersecurity Checklist

Priority | Action | Cost | Timeline
--- | --- | --- | ---
Critical | Enable MFA on all accounts | Free | This week
Critical | Deploy password manager to all staff | Free-$5/user/mo | This week
Critical | Verify backups are running and test a restore | $0-$50 | This week
High | Install endpoint protection on all devices | Free (Defender) | This month
High | Run first security awareness training | Free-$500 | This month
High | Create offboarding checklist for departing staff | Free | This month
Medium | Write an incident response plan | Free | This quarter
Medium | Conduct a security risk assessment | $2,000-$10,000 | This quarter
Medium | Set up quarterly phishing simulations | $500-$2,000/yr | This quarter
Ongoing | Review access permissions quarterly | Free | Every 90 days
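The last three checklist items (offboarding, MFA enforcement, and the 90-day access review) come down to the same question: which active accounts should not be active, or not be active as they are? As an added example (not from the guide or any vendor), the script below runs that review over a user export. It assumes a CSV with the columns most directory and CRM exports can produce (email, role, status, mfa_enabled, last_login) and a list of departed staff from HR; the column names, role labels, and sample rows are constructed for the example.

```python
"""Quarterly access review over a user export.

Added example for this guide, not a tool from the page. Column names, role
labels and every row below are assumptions/constructed sample data; adapt the
parsing to whatever your identity provider or CRM actually exports.
"""
import csv
import io
from datetime import date, datetime, timedelta

DORMANT_DAYS = 90                       # matches the guide's 90-day review cadence
PRIVILEGED_ROLES = {"admin", "finance"}  # roles where missing MFA is critical

# Constructed sample export; these are not real accounts.
USER_EXPORT = """email,role,status,mfa_enabled,last_login
ed@example.org,admin,active,true,2025-10-02
finance@example.org,finance,active,false,2025-10-01
intern@example.org,staff,active,true,2025-05-14
bob@example.org,staff,active,true,2025-09-30
vol1@example.org,volunteer,active,false,
svc-backup@example.org,admin,active,true,2025-09-29
"""

# Constructed HR list of people who have left the organization.
DEPARTED = {"bob@example.org"}


def review_access(export_csv: str, departed: set, today: date) -> list:
    """Return one finding per problem found on an active account:
    departed-but-active, MFA not enabled, and no login within DORMANT_DAYS.
    Findings are sorted most severe first, then by email."""
    findings = []
    cutoff = today - timedelta(days=DORMANT_DAYS)
    for row in csv.DictReader(io.StringIO(export_csv)):
        email = row["email"].strip().lower()
        role = row["role"].strip().lower()
        active = row["status"].strip().lower() == "active"
        mfa = row["mfa_enabled"].strip().lower() == "true"
        last = row["last_login"].strip()
        last_login = datetime.strptime(last, "%Y-%m-%d").date() if last else None

        if not active:
            continue  # already disabled; out of scope for this pass

        if email in departed:
            findings.append({"email": email, "severity": "critical",
                             "issue": "departed staff still active: disable now"})
        if not mfa:
            severity = "critical" if role in PRIVILEGED_ROLES else "high"
            findings.append({"email": email, "severity": severity,
                             "issue": f"MFA not enabled on {role} account"})
        if last_login is None or last_login < cutoff:
            findings.append({"email": email, "severity": "medium",
                             "issue": f"no login in {DORMANT_DAYS}+ days: confirm still needed"})

    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["email"]))


def demo_review() -> list:
    """Run the review over the constructed export as of a fixed date."""
    return review_access(USER_EXPORT, DEPARTED, date(2025, 10, 3))


if __name__ == "__main__":
    for finding in demo_review():
        print(f"[{finding['severity']:8}] {finding['email']:24} {finding['issue']}")
```

On the sample data this flags the departed staff member who was never offboarded and the finance account without MFA as critical, the volunteer without MFA as high, and two dormant accounts (one of which has never logged in) for confirmation. Accounts the export marks as disabled are skipped; the point of the quarterly pass is what is still live.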

Building a Security-First Culture

Technology alone cannot protect your nonprofit. The strongest firewall in the world does nothing if a staff member shares their password with a vendor over email. Security is a culture issue, not just a technology issue.

What Security Culture Looks Like

  • Staff report suspicious emails without fear. Create a simple “report phishing” button in your email client and thank people who use it.
  • Leadership models good behavior. If the executive director skips MFA, staff will too. Security starts at the top.
  • Training is ongoing, not annual. A single yearly training session has minimal impact. Short, quarterly touchpoints keep security top of mind.
  • Policies exist and are enforced. Written policies on acceptable use, password management, and data handling set clear expectations.

“Nonprofits must educate staff, volunteers, and board members on recognizing threats and maintaining security hygiene. Cybersecurity is not just an IT responsibility — it is an organizational responsibility.”

— KahnLitwin, What Nonprofit Board Members Need to Know About Cybersecurity (2025)

Tools and Costs for Nonprofit Cybersecurity

Tool | Purpose | Nonprofit cost
--- | --- | ---
Microsoft Defender for Business | Endpoint protection (antivirus, anti-malware) | Included with Microsoft 365 Business Premium (nonprofit pricing)
1Password / Bitwarden | Password management | Free-$5/user/month
KnowBe4 | Security awareness training + phishing simulation | Nonprofit pricing available
Google Workspace / Microsoft 365 | Built-in MFA, email filtering, admin controls | Free tiers for eligible nonprofits (eligibility verified through TechSoup)
Backblaze / Carbonite | Cloud backup | $6-$9/month per device
Cisco Umbrella / DNSFilter | Web filtering and DNS security | $2-$5/user/month

A 25-person nonprofit can implement the critical and high-priority items on the checklist above for under $2,000 per year. The cost of not doing it — a data breach costs nonprofits up to $2 million according to BDO — is orders of magnitude higher.

Pros and Cons of Outsourcing Cybersecurity

Pros of outsourcing | Cons of outsourcing
--- | ---
Access to specialized security expertise | Ongoing monthly cost
24/7 monitoring without hiring shifts | Less direct control over security decisions
Stay current on evolving threats | Requires trust in an external partner
Faster incident response | Quality varies by provider
Compliance expertise built in | Staff still need training regardless

For most nonprofits, outsourcing cybersecurity to a trusted IT support partner is the practical choice. Few organizations can justify a dedicated security hire, but every organization needs security expertise. Before signing, ask what the provider actually monitors, how and how quickly they will alert you, and what they commit to doing during an incident; those answers belong in the contract, not in a sales conversation.

Frequently Asked Questions

Why are nonprofits targeted by cyberattacks?

Nonprofits hold sensitive data — donor financial information, client records, employee data — but typically have less security infrastructure than for-profit organizations. Attackers see them as high-value, low-defense targets. Survey figures vary with the question asked: BDO found that 60% of nonprofits had experienced a cyberattack over a two-year window, one 2025 global survey put the single-year rate at 27%, and Cloudflare's Project Galileo recorded a 241% year-over-year increase in attacks against the sector.

What is the most important cybersecurity step for a small nonprofit?

Enable multi-factor authentication (MFA) on every account, starting with email and your CRM. MFA is free, takes minutes to set up, and blocks the vast majority of credential-based attacks. Pair it with a password manager and you have addressed the two most common attack vectors.

How much should a nonprofit budget for cybersecurity?

A small nonprofit (under 50 staff) can implement essential protections for under $2,000 per year using free tools and nonprofit-priced solutions. Organizations that outsource cybersecurity monitoring to an MSP should budget $10-$30 per user per month on top of their managed IT costs.

Does my nonprofit need cyber insurance?

Yes. Cyber insurance covers the costs of breach notification, legal fees, forensic investigation, and public relations — expenses that can quickly reach six figures. Premiums for small nonprofits typically range from $1,000-$5,000 per year. Many insurers now require MFA and basic security controls before issuing a policy.

How do I create a cybersecurity incident response plan for my nonprofit?

Start with a 2-page document that answers: who to call first (IT partner, legal counsel, insurance), how to communicate with staff during an incident, when to notify affected donors or clients, and who has authority to make decisions. Run a tabletop exercise annually where your team walks through a simulated breach scenario.

Your Next Steps

  1. Enable MFA today. Start with email (Google Workspace or Microsoft 365 both support it at no cost) and your CRM. This is the single highest-impact action you can take.
  2. Deploy a password manager this week. Apply for 1Password's nonprofit discount or set up Bitwarden for your team.
  3. Verify your backups. Check that your critical data is being backed up daily. Test a restore right now to confirm it works.
  4. Schedule security training. Run a 20-minute all-staff session covering phishing awareness. Use real phishing examples from your own inbox.
  5. Write a basic incident response plan. Even a 2-page document is better than nothing. Define who to call and in what order.
  6. Get a security assessment: Schedule a consultation with Scottship Solutions. We will assess your current security posture and build a prioritized improvement plan sized for your budget.

At Scottship Solutions, we help nonprofits protect their data, their donors, and their mission. From managed IT support with built-in security monitoring to fractional CIO services that include cybersecurity oversight, we build practical security programs that fit nonprofit budgets. Start with a tech stack audit to identify your gaps, then explore our IT services for ongoing protection. Schedule a consultation today to find out where your organization stands.
