Cybersecurity Guide for Nonprofits

Cybersecurity Solutions for Small Nonprofits

TL;DR: A cybersecurity guide for nonprofits covers the security measures your organization needs to protect donor data, staff credentials, and financial records. This includes access controls, endpoint security, phishing defenses, and a structured audit against a recognized framework such as NIST CSF or CIS Controls. Scottship Solutions conducts cybersecurity assessments for nonprofit organizations and delivers a prioritized remediation plan written in plain language. Schedule a call to get started.

What This Guide Covers

  1. Why nonprofits are cybersecurity targets
  2. What cybersecurity measures nonprofits need
  3. The 15-point nonprofit cybersecurity checklist
  4. Tools nonprofits use for cybersecurity
  5. How to protect nonprofit donor data
  6. Affordable cybersecurity resources for nonprofits
  7. What a nonprofit cybersecurity audit covers
  8. Frequently Asked Questions
  9. Your Next Steps

Why nonprofits are cybersecurity targets

Nonprofits hold exactly the kind of data that threat actors want: donor payment records, Social Security numbers for grant recipients, healthcare data at social service organizations, and financial accounts that move significant grant dollars. Many operate without dedicated IT security staff, use aging systems, and rely on volunteers who have not received security training.

According to the Verizon 2024 Data Breach Investigations Report, 68% of breaches involve a human element, including phishing, stolen credentials, or unintentional error. Nonprofits are not exempt from this pattern. A single successful phishing email can give an attacker access to your donor database, your bank account, or your email distribution list.

The IBM Cost of a Data Breach 2024 report puts the average total cost of a breach at $4.88 million globally. For small and mid-size organizations, direct costs in the $150,000 to $400,000 range are common when you account for forensics, notification, legal, and remediation. Most nonprofits cannot absorb that without consequences to programs and staff.

This guide covers what your organization needs to have in place, how to get an independent assessment of where you stand, and which tools fit nonprofit budgets.

What cybersecurity measures should nonprofits have?

The minimum viable cybersecurity posture for a nonprofit organization covers six areas. These are not optional for organizations that handle donor payments, personal data, or healthcare information.

Identity and access management

Every staff member and volunteer should have their own account, with access limited to what their role requires. Multi-factor authentication (MFA) must be enabled on email, financial systems, and any platform that holds donor data. Former employees should be offboarded within 24 hours: credentials revoked, shared accounts rotated, and MFA codes reset.

Endpoint security

Every device used for work, including personal phones and laptops, should have endpoint protection software running, automatic OS updates enabled, and disk encryption active. Devices that do not meet these standards should not have access to organizational systems or data.

Email security and phishing defense

Your email platform should have DMARC, DKIM, and SPF records configured to reduce spoofing of your domain. Staff should receive phishing simulation training at least twice per year. This is the single highest-return investment for nonprofits, given that human error is the leading cause of breaches.
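The SPF and DMARC records above can be checked offline once you have pulled the TXT records from DNS. This is an added illustration, not Scottship Solutions code; the sample records are constructed for an assumed domain, example-nonprofit.org, and the checks mirror the gaps this section warns about (a permissive `+all`, a monitor-only `p=none`, no reporting address, too many lookups).

```python
"""Offline check of published SPF and DMARC TXT records for the gaps this guide
warns about. Added illustration, not Scottship Solutions code; the sample records
are constructed for an assumed domain, example-nonprofit.org."""
import re

WEAK_SPF = "v=spf1 include:spf.protection.outlook.com include:_spf.example-mailer.net +all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example-nonprofit.org; pct=100"
# SPF terms that each cost a DNS lookup; RFC 7208 permits at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf(record):
    """Return (mechanisms, qualifier of the 'all' term) or None if not SPF v1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qual = [], None
    for term in terms[1:]:
        qual, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if body.lower() == "all":
            all_qual = qual
        else:
            mechanisms.append((qual, body))
    return mechanisms, all_qual

def parse_dmarc(record):
    """Return DMARC tags as a dict, or None if the record is not DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def evaluate_email_auth(spf_record, dmarc_record):
    """Compare published records with this guide's baseline; empty list means no gaps."""
    findings = []
    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        findings.append("SPF: no v=spf1 record published")
    else:
        mechanisms, all_qual = spf
        if all_qual in (None, "?"):
            findings.append("SPF: no enforcing 'all' term; unlisted senders evaluate as neutral")
        elif all_qual == "+":
            findings.append("SPF: '+all' authorizes every sender and defeats the record")
        lookups = sum(1 for _, body in mechanisms if re.split(r"[:=/]", body)[0].lower() in LOOKUP_TERMS)
        if lookups > 10:
            findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    if dmarc is None:
        findings.append("DMARC: no v=DMARC1 record at _dmarc.<domain>")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: 'p={policy or 'missing'}' only monitors; spoofed mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no 'rua' address, so aggregate reports are never collected")
    return findings
```

Run `evaluate_email_auth(spf, dmarc)` against your own records; anything it returns maps directly to checklist item 7 below.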

Data protection and backup

Donor records, financial files, and grant documents should be stored in a controlled environment with role-based access, not in a shared drive folder with organization-wide permissions. Backups should be automated, encrypted, stored off-site or in a separate cloud account, and tested for restoration at least quarterly.

Network and cloud configuration

Your office Wi-Fi should use WPA3 or WPA2 encryption with a strong passphrase that is rotated when staff turn over. SaaS platforms (CRM, accounting, email) should be configured using their security hardening guides, not left on vendor defaults. Remote workers should use a VPN or zero-trust access solution to connect to organizational systems.

Incident response plan

Your organization needs a written document that answers: who is notified in the first hour after a breach, who makes the decision to shut down systems, which regulatory bodies require notification (state AGs, HHS for health data, card brands for payment breaches), and what communications go to donors. A plan that lives in a document folder no one has read is not an incident response plan.

The 15-point nonprofit cybersecurity checklist

Use this checklist to conduct an initial self-assessment. Each item is a verifiable control, not a general recommendation.

  1. MFA is enabled on all email accounts, including board members and volunteers.
  2. A complete list of all current staff accounts and their access levels exists and is reviewed quarterly.
  3. Offboarding process revokes all access within 24 hours of departure, including shared accounts.
  4. All work devices (owned and personal) have antivirus or EDR software running with current signatures.
  5. Full-disk encryption is enabled on all laptops and mobile devices.
  6. Automatic OS and application updates are enforced, or a patch cadence of no more than 30 days is documented.
  7. DMARC, DKIM, and SPF email authentication records are published and verified.
  8. Staff have completed phishing awareness training in the past 12 months.
  9. Donor data and financial files are stored with role-based access controls, not open shared folders.
  10. Automated, encrypted, off-site backups run daily and are tested for restoration at least quarterly.
  11. Administrative access to your CRM, accounting platform, and cloud storage is held by no more than two named individuals.
  12. Office Wi-Fi uses WPA2 or WPA3 encryption and a passphrase rotated in the past 12 months.
  13. A vendor security review process exists for any third party with access to your systems or data.
  14. A written incident response plan exists and at least two staff members know their role in it.
  15. Cyber liability insurance has been reviewed in the past 24 months and covers ransomware and social engineering.

“Most nonprofits we assess have strong intentions and weak documentation,” says Josh Bass, Cybersecurity Consultant at Scottship Solutions. “The checklist items that fail most often are offboarding, backup testing, and the incident response plan. Those three are where attackers find the open door.”

Tools nonprofits use for cybersecurity

The table below covers the tools that appear most often in nonprofit cybersecurity environments. Several carry nonprofit pricing for 501(c)(3) organizations.

Tool: Microsoft 365 Backup
  Category: Data protection
  Nonprofit access: Included with M365 Business Premium; nonprofit pricing through Microsoft
  Best for: Backing up Exchange, SharePoint, and OneDrive automatically

Tool: KnowBe4
  Category: Security awareness training
  Nonprofit access: Nonprofit pricing available on request
  Best for: Phishing simulations and compliance training for all staff

Tool: Malwarebytes for Teams
  Category: Endpoint protection
  Nonprofit access: Standard pricing; free tier for very small orgs
  Best for: Lightweight antimalware for mixed device environments

Tool: Microsoft Defender for Business
  Category: Endpoint detection and response
  Nonprofit access: Included with M365 Business Premium
  Best for: EDR-level protection for staff devices without a dedicated security team

Tool: Huntress
  Category: Managed detection and response
  Nonprofit access: Standard pricing; often bundled by MSPs serving nonprofits
  Best for: 24/7 threat monitoring for organizations without in-house security staff

Microsoft 365 Business Premium is the single most impactful license upgrade available to nonprofits currently on M365 Basic or Business Standard. It adds Microsoft Defender for Business, Microsoft Purview (data loss prevention), and Intune (device management) to the same tenant. Microsoft offers M365 Business Premium at nonprofit pricing to eligible 501(c)(3) organizations. See our post on protecting nonprofit donor data from breaches for specifics on the M365 data protection configuration.

How to protect nonprofit donor data

Donor data is your most sensitive asset and your greatest liability. It typically includes names, addresses, email addresses, giving history, and payment card or bank account information. A breach of this data triggers legal notification requirements in most US states, potential PCI DSS penalties if card data is involved, and reputational damage that directly affects fundraising.

Know what you are holding

Start by documenting where donor data lives: your CRM, payment processor, email marketing platform, spreadsheets on shared drives, and any third-party databases. Data you cannot see, you cannot protect. Most nonprofits discover during an audit that donor records exist in more places than leadership knew, including old spreadsheet exports in shared folders and email inboxes with full contact lists.

Limit who can reach it

Your CRM and donor database should have role-based access controls enforced. Development staff need read and write access to donor records. Program staff typically need name and contact information only. Finance needs giving totals and payment records. Board members should not have direct database access. Export permissions should be restricted to named individuals and logged.

Do not store payment card data

Your organization should never store full payment card numbers, CVV codes, or magnetic stripe data on any system you control. Use a PCI-compliant payment processor (Stripe, Authorize.net, PayPal, or a nonprofit-specific option) and let them handle card storage. If you receive card data via paper forms or phone, use a tokenization workflow and destroy the original record after processing.

Encrypt and back up

Donor databases should be encrypted at rest and in transit. Backups must be encrypted before storage and kept in a location separate from your primary system. Test restoration at least quarterly. A backup you have never restored is not a backup you can rely on.

Have a breach notification plan

If donor data is compromised, most US states require notification to affected individuals within 30 to 90 days, depending on jurisdiction. Some states require notification to the state attorney general as well. Know your obligations before an incident, not after. See our post on nonprofit cybersecurity compliance for a state-by-state notification overview.

Affordable cybersecurity for nonprofits

A common barrier to nonprofit cybersecurity investment is the assumption that meaningful protection requires enterprise-level spending. It does not. The highest-return investments for most nonprofits cost less than $50 per employee per year, and several are available free or at steep discount through nonprofit programs.

Start with what you already have

If your organization uses Microsoft 365, your current license already includes tools most nonprofits are not using. Microsoft Secure Score in the Microsoft 365 admin center shows exactly which security settings are configured and which are not. Enabling MFA, configuring safe links, and turning on audit logging costs nothing beyond what you already pay.

Check for nonprofit pricing directly

Most major security vendors offer nonprofit pricing to registered 501(c)(3) organizations. Microsoft’s nonprofit program provides M365 Business Premium, which includes Defender for Business, Intune, and Purview, at significant savings over commercial rates. KnowBe4 offers nonprofit pricing on request. Before purchasing any security software at commercial pricing, contact the vendor directly and ask for their nonprofit rate.

Prioritize by risk, not cost

The three highest-risk gaps for nonprofits are consistently: no MFA on email, no offboarding process, and no tested backup. These are also among the least expensive to fix. MFA is included in most email platforms. An offboarding checklist costs nothing. Backup software through Microsoft 365 costs less than $5 per user per month. Address these before investing in more advanced tools.

Consider a managed security provider

Nonprofits without in-house IT staff can engage a managed security service provider (MSSP) or a managed IT provider with security capabilities. Providers like Huntress offer 24/7 threat monitoring that most nonprofits cannot replicate internally. When evaluating providers, ask specifically about their nonprofit client base, their documented incident response process, and whether they carry cyber liability insurance of their own.

What a nonprofit cybersecurity audit covers

A cybersecurity audit is a structured, independent review of your organization’s security controls, policies, and practices measured against a recognized framework. It is not a software scan. It is an assessment of people, process, and technology together.

The two frameworks most commonly applied to nonprofits are:

  • NIST Cybersecurity Framework 2.0 (NIST CSF): A flexible, risk-based framework developed by the National Institute of Standards and Technology. Organized around six functions: Govern, Identify, Protect, Detect, Respond, Recover. Widely used across sectors and well-suited to organizations of any size.
  • CIS Controls v8: A prioritized set of 18 security controls developed by the Center for Internet Security. Organized into Implementation Groups (IG1, IG2, IG3), with IG1 representing the essential baseline appropriate for most small nonprofits. Highly actionable and specific.

A nonprofit cybersecurity audit conducted by Scottship Solutions includes an access control review (who has access to what and whether it is appropriate), an assessment of your existing policies and procedures, endpoint security verification, email security configuration review, backup and recovery testing, and a scored findings report with a prioritized remediation plan.

The output is a plain-language report that identifies your highest-risk gaps, explains what each gap means in practical terms, and gives you a sequenced action plan you can execute internally or with a technology provider. Scottship Solutions does not sell software or earn commissions on tool recommendations, so the remediation plan reflects what your organization needs, not what carries the highest margin.

Frequently Asked Questions

What cybersecurity measures should a nonprofit have as a minimum?

At minimum, every nonprofit should have multi-factor authentication on all email accounts, role-based access controls on donor and financial data, automated encrypted backups tested quarterly, phishing awareness training for all staff and volunteers, and a written incident response plan with named contacts. These five controls address the most common attack vectors nonprofits face without requiring enterprise-level spending.

How much does a nonprofit cybersecurity audit cost?

A nonprofit cybersecurity audit from an independent provider typically ranges from $2,500 to $10,000, depending on the scope, the size of your organization, and the depth of the assessment. Audits scoped to a specific framework such as CIS Controls IG1 or NIST CSF tend to cost less than broad-scope assessments. Scottship Solutions offers nonprofit-specific cybersecurity assessments with a fixed-scope, plain-language report. Contact us for a transparent estimate based on your organization’s size and environment.

How do nonprofits protect donor data from a breach?

The most effective donor data protections are: storing data only in access-controlled systems (not open shared drives), enabling MFA on your CRM and payment platforms, using a PCI-compliant payment processor so card data never touches your systems, encrypting and backing up your donor database, and having a written breach notification plan that identifies your state’s legal requirements before an incident occurs.

What is the NIST Cybersecurity Framework and does it apply to nonprofits?

The NIST Cybersecurity Framework (CSF) is a voluntary risk-management framework published by the National Institute of Standards and Technology. It applies to organizations of any size and sector. Version 2.0, released in 2024, added a Govern function that covers organizational roles, risk appetite, and policy. For nonprofits, the framework provides a structured way to identify gaps and prioritize fixes without prescribing specific tools or vendors.

Are there free or low-cost cybersecurity tools for nonprofits?

Yes. Microsoft 365 Business Premium (available at nonprofit pricing through Microsoft for eligible 501(c)(3) organizations) includes Microsoft Defender for Business, endpoint management via Intune, and data loss prevention tools. KnowBe4 security awareness training is available at reduced nonprofit rates. Malwarebytes offers a free tier for very small organizations. Many of the most impactful controls, including MFA, audit logging, and DMARC configuration, are included in tools nonprofits already pay for but have not fully configured.

How often should a nonprofit conduct a cybersecurity review?

A full cybersecurity assessment should be conducted every one to two years, or after a significant change such as a staff leadership transition, a major system migration, a merger, or a security incident. An annual internal self-assessment using a checklist is appropriate between formal assessments. Nonprofits that process credit card data or handle health information may face more frequent review requirements under PCI DSS or HIPAA.

Your Next Steps

  1. Run through the 15-point checklist above and mark each item as in place, partial, or missing. This gives you a gap list before any outside assessment begins.
  2. Check your Microsoft 365 Secure Score in the admin center. It identifies specific misconfigurations and prioritizes them by impact with no additional cost.
  3. Review your cyber liability insurance coverage. Confirm it explicitly covers ransomware, social engineering, and business email compromise. Many nonprofit policies have gaps in these areas that surface only after a claim.
  4. Review your state’s breach notification law so your incident response plan references the correct timelines and notification contacts before an incident occurs.
  5. Schedule a call with Scottship Solutions to discuss a nonprofit cybersecurity assessment scoped to your organization’s size, systems, and risk profile.

Work With Scottship Solutions

Scottship Solutions works exclusively with nonprofits and small businesses. Our cybersecurity assessments are scoped against NIST CSF 2.0 and CIS Controls v8, delivered as a plain-language report with a prioritized remediation plan, and designed to give your leadership team a clear picture of where your risk is highest and what to do first. We do not sell software or earn commissions on tool recommendations. Learn more about our cybersecurity services for nonprofits or schedule a call to discuss your organization’s needs.

Sources

  • Verizon — 2024 Data Breach Investigations Report — verizon.com/business/resources/reports/dbir/
  • IBM Security — Cost of a Data Breach Report 2024 — ibm.com/reports/data-breach
  • National Institute of Standards and Technology — Cybersecurity Framework 2.0 — nist.gov/cyberframework
  • Center for Internet Security — CIS Controls v8 — cisecurity.org/controls/
  • Microsoft — Microsoft 365 for Nonprofits — microsoft.com/en-us/nonprofits
  • Payment Card Industry Security Standards Council — PCI DSS v4.0 — pcisecuritystandards.org

Written by

Josh Bass

Cybersecurity Consultant at Scottship Solutions

Josh leads security assessments and compliance audits for mission-driven organizations. He helps nonprofits build defensible security postures, meet HIPAA and state privacy requirements, and respond to threats before they become incidents.

Certifications

CompTIA Security+ Certified

Industries Served

Healthcare & Community Health (HIPAA), Human Services, Child Advocacy, Foundations & Grantmakers