What You’ll Learn
- Why Nonprofits Are Prime Targets
- The 5 Biggest Cybersecurity Threats to Nonprofits
- Essential Protections Every Nonprofit Needs
- The Nonprofit Cybersecurity Checklist
- Building a Security-First Culture
- Tools and Costs
- Recommended Solutions by Category
- Pros and Cons of Outsourcing Cybersecurity
- Frequently Asked Questions
- Your Next Steps
Why Nonprofits Are Prime Cybersecurity Targets
A development director opens a phishing email that looks like it came from a major donor. Within 30 minutes, an attacker has access to the donor database , 15,000 names, addresses, and payment methods. The organization does not discover the breach for three weeks. By then, the damage to donor trust is irreversible.
This is not hypothetical. According to BDO, 60% of nonprofits have reported experiencing a cyberattack in the last two years. Nonprofits were the second-most targeted sector, and Cloudflare’s Project Galileo documented a 241% increase in cyberattacks against nonprofits between 2024 and 2025.
Why are nonprofits targeted? Attackers look for organizations that hold sensitive data but lack the resources to protect it. Nonprofits fit that profile: they store donor financial information, client case files, employee records, and grant data , often with minimal security infrastructure and no dedicated cybersecurity staff.
At Scottship Solutions, we help nonprofits close these gaps without the overhead of a full security team. The protections in this guide are practical, affordable, and sized for organizations that need to protect their data without diverting resources from their mission.
The 5 Biggest Cybersecurity Threats to Nonprofits
| Threat | How It Works | Nonprofit Impact |
|---|---|---|
| Phishing | Fake emails trick staff into clicking links or sharing credentials | Leading cause of breaches (16% of all incidents in 2025) |
| Ransomware | Malware encrypts files and demands payment to unlock them | Accounts for 44% of breaches; demands averaging $1M+ |
| Credential theft | Stolen or reused passwords give attackers access to systems | 80-85% of people reuse passwords across accounts |
| Business email compromise | Attacker impersonates a CEO or vendor to redirect payments | Average loss: $125,000 per incident |
| AI-powered attacks | Attackers use AI to create convincing phishing and deepfakes | 16% of breaches now involve malicious AI use |
In 2024, 68% of breaches involved a human element , someone clicking a bad link, reusing a password, or falling for a social engineering attack. The most effective cybersecurity investments for nonprofits focus on reducing this human risk through training, policies, and basic technical controls.
Essential Protections Every Nonprofit Needs
1. Multi-Factor Authentication (MFA)
MFA requires a second form of verification , like a code from your phone , in addition to your password. It is the single most effective security measure any organization can implement.
- Enable MFA on every account that supports it: email, CRM, financial systems, cloud storage, social media
- Use authenticator apps (Microsoft Authenticator, Google Authenticator) rather than SMS codes
- Require MFA for all staff, board members, and volunteers with system access
- Cost: Free , built into Google Workspace, Microsoft 365, and most cloud platforms
2. Password Management
Deploy a password manager across your entire organization. This eliminates password reuse and makes strong, unique passwords the default.
- 1Password, Bitwarden, and LastPass all offer nonprofit pricing or free plans
- Require passwords of 14+ characters (length matters more than complexity)
- Ban password sharing via email, Slack, or sticky notes
3. Security Awareness Training
Your staff is your first line of defense , and your biggest vulnerability. Regular training reduces the likelihood of successful phishing attacks by up to 75%.
- Run phishing simulations quarterly using tools like KnowBe4 (nonprofit pricing available)
- Train all new staff during onboarding
- Keep sessions short: 15-20 minutes, focused on real examples
- Celebrate staff who report suspicious emails , build a culture where reporting is rewarded
4. Endpoint Protection
Every device that connects to your systems needs protection. Use a centrally managed antivirus and anti-malware solution.
- Microsoft Defender for Business is available through nonprofit licensing at no additional cost
- Ensure all devices receive automatic security updates
- Maintain an inventory of every device accessing organizational data
5. Data Backup and Recovery
If ransomware hits, your backup is your lifeline. Follow the 3-2-1 rule: three copies of your data, on two different media types, with one copy off-site.
- Automate daily backups of all critical data
- Test restores monthly , a backup you have never tested is not a backup
- Keep backup credentials separate from your main network so ransomware cannot encrypt your backups too
- See our backup and disaster recovery resources for a complete guide
6. Incident Response Plan
68% of nonprofits lack a documented plan for responding to cyberattacks. When an incident occurs, you do not have time to figure out who to call.
- Document: who to notify, in what order, through what channel
- Include legal counsel, insurance provider, IT partner, and communications lead
- Define when and how to notify affected donors or clients
- Run a tabletop exercise annually , walk through a scenario as a team
The Nonprofit Cybersecurity Checklist
| Priority | Action | Cost | Timeline |
|---|---|---|---|
| Critical | Enable MFA on all accounts | Free | This week |
| Critical | Deploy password manager to all staff | Free-$5/user/mo | This week |
| Critical | Verify backups are running and test a restore | $0-$50 | This week |
| High | Install endpoint protection on all devices | Free (Defender) | This month |
| High | Run first security awareness training | Free-$500 | This month |
| High | Create offboarding checklist for departing staff | Free | This month |
| Medium | Write an incident response plan | Free | This quarter |
| Medium | Conduct a security risk assessment | $2,000-$10,000 | This quarter |
| Medium | Set up quarterly phishing simulations | $500-$2,000/yr | This quarter |
| Ongoing | Review access permissions quarterly | Free | Every 90 days |
Building a Security-First Culture
Technology alone cannot protect your nonprofit. The strongest firewall in the world does nothing if a staff member shares their password with a vendor over email. Security is a culture issue, not just a technology issue.
What Security Culture Looks Like
- Staff report suspicious emails without fear. Create a simple “report phishing” button in your email client and thank people who use it.
- Leadership models good behavior. If the executive director skips MFA, staff will too. Security starts at the top.
- Training is ongoing, not annual. A single yearly training session has minimal impact. Short, quarterly touchpoints keep security top of mind.
- Policies exist and are enforced. Written policies on acceptable use, password management, and data handling set clear expectations.
“Nonprofits must educate staff, volunteers, and board members on recognizing threats and maintaining security hygiene. Cybersecurity is not just an IT responsibility , it is an organizational responsibility.”
KahnLitwin, What Nonprofit Board Members Need to Know About Cybersecurity (2025)
Tools and Costs for Nonprofit Cybersecurity
| Tool | Purpose | Nonprofit Cost |
|---|---|---|
| Microsoft Defender for Business | Endpoint protection (antivirus, anti-malware) | Free with M365 nonprofit licensing |
| 1Password / Bitwarden | Password management | Free-$5/user/month |
| KnowBe4 | Security awareness training + phishing simulation | Nonprofit pricing available |
| Google Workspace / Microsoft 365 | Built-in MFA, email filtering, admin controls | Free for nonprofits via TechSoup |
| Backblaze / Carbonite | Cloud backup | $6-$9/month per device |
| Cisco Umbrella / DNSFilter | Web filtering and DNS security | $2-$5/user/month |
A 25-person nonprofit can implement the critical and high-priority items on the checklist above for under $2,000 per year. The cost of not doing it , a data breach costs nonprofits up to $2 million according to BDO , is orders of magnitude higher.
Recommended Solutions by Category
| Category | Recommended Tool | Nonprofit Discount Available |
|---|---|---|
| Endpoint protection | Microsoft Defender, Malwarebytes for Teams | Yes — free with M365 nonprofit |
| Email security | Microsoft Defender for Office 365, Proofpoint Essentials | Yes — included in M365 Business Premium nonprofit |
| Multi-factor authentication | Microsoft Authenticator, Duo Security | Free (Authenticator); nonprofit pricing (Duo) |
| Staff phishing training | KnowBe4, Proofpoint Security Awareness | Yes — nonprofit pricing available |
| Backup & recovery | Veeam, Acronis Cyber Protect Cloud | Yes — TechSoup licensing available |
| Password management | Bitwarden (free tier), 1Password Teams | Free tier available; nonprofit pricing (1Password) |
Pros and Cons of Outsourcing Cybersecurity
| Pros of Outsourcing | Cons of Outsourcing |
|---|---|
| Access to specialized security expertise | Ongoing monthly cost |
| 24/7 monitoring without hiring shifts | Less direct control over security decisions |
| Stay current on evolving threats | Requires trust in an external partner |
| Faster incident response | Quality varies by provider |
| Compliance expertise built in | Staff still need training regardless |
For most nonprofits, outsourcing cybersecurity to a trusted IT support partner is the practical choice. Few organizations can justify a dedicated security hire, but every organization needs security expertise.
Frequently Asked Questions
The most effective cybersecurity stack for a small nonprofit includes endpoint protection (Microsoft Defender or Malwarebytes), email security with phishing filtering (Proofpoint Essentials or Microsoft Defender for Office 365), multi-factor authentication on all accounts, and annual staff phishing awareness training. Most of these tools are available free or at significant discount through TechSoup or Microsoft’s nonprofit program. Scottship Solutions can help you assess which tools are missing from your current setup.
Basic cybersecurity tools — endpoint protection, MFA, and email filtering — can cost as little as $0–$10/user/month when using nonprofit discounts through TechSoup or Microsoft. A managed cybersecurity layer (monitoring, incident response, vulnerability scanning) typically runs $30–$80/user/month through a managed security services provider. For a 25-person nonprofit, a solid foundational security program can be implemented for $500–$1,500/month depending on scope.
Nonprofits are most frequently targeted through phishing emails (attempting to steal credentials or deploy ransomware), business email compromise (BEC) attacks targeting finance staff, and ransomware. A 2023 report from Proofpoint found that nonprofits are 2x more likely to be targeted by phishing than average organizations, largely because of their public donor lists and often under-resourced IT environments. Staff training is consistently the highest-ROI cybersecurity investment for small nonprofits.
Yes — and many funders and board members now require it. Cyber liability insurance covers breach notification costs, legal fees, and remediation expenses if donor or staff data is compromised. Premiums for small nonprofits typically run $1,000–$3,000/year. Insurers increasingly require documented security practices (MFA enabled, endpoint protection active, staff training completed) before issuing coverage — making basic cybersecurity hygiene both a security and insurance requirement.
Microsoft Defender (included with Microsoft 365 Business Premium) provides strong baseline protection — endpoint detection, email filtering, and identity protection. For most nonprofits under 50 staff using Microsoft 365, it covers the majority of attack vectors when properly configured. What Defender alone does not provide: security monitoring, incident response, vulnerability scanning, or staff training. A managed security layer from a provider like Scottship Solutions fills those gaps.
Enable multi-factor authentication (MFA) on all staff accounts — email, cloud storage, and any donor management or finance tools. MFA blocks over 99% of automated credential attacks (Microsoft, 2023) and costs nothing on most platforms. After MFA, the highest-impact next steps are deploying endpoint protection on all devices and completing a phishing simulation to assess staff awareness. Scottship Solutions offers a free cybersecurity assessment to help nonprofits identify their most urgent gaps.
Your Next Steps
- Enable MFA today. Start with email (Google Workspace or Microsoft 365 both support it at no cost) and your CRM. This is the single highest-impact action you can take.
- Deploy a password manager this week. Apply for 1Password’s nonprofit plan through TechSoup or set up Bitwarden for your team.
- Verify your backups. Check that your critical data is being backed up daily. Test a restore right now to confirm it works.
- Schedule security training. Run a 20-minute all-staff session covering phishing awareness. Use real phishing examples from your own inbox.
- Write a basic incident response plan. Even a 2-page document is better than nothing. Define who to call and in what order.
- Get a security assessment: Schedule a consultation with Scottship Solutions. We will assess your current security posture and build a prioritized improvement plan sized for your budget.
I’m Josh Bass, Cybersecurity Consultant at Scottship Solutions. I lead security assessments and compliance reviews for nonprofits — helping organizations identify their gaps, implement the right tools, and build defensible security postures that fit nonprofit budgets. The stats and tool recommendations in this guide reflect what I see in real engagements with nonprofits of all sizes.
Related Reading
- Nonprofit IT Policy Guide , the acceptable use and password policies that support your security program
- Disaster Recovery vs Data Backup , what happens when your security measures fail
- Disaster Recovery Planning Steps , build the recovery plan referenced in the incident response section
- Common IT Infrastructure Problems , weak security is one of the seven problems we see most
Sources
- BDO , The Crucial Role of Cybersecurity for Nonprofit Organizations in 2025 (60% attack rate, $2M breach cost)
- The Modern Nonprofit , Nonprofits Are Prime Targets for Cyberattacks (241% increase, 68% lack response plans)
- KahnLitwin , What Nonprofit Board Members Need to Know About Cybersecurity (2025)
- Tardigrade Technology , Key Nonprofit Cybersecurity Statistics in 2025
- Trust Consulting , Cybersecurity Best Practices 2025 for Nonprofits
- NetHope , 2025 State of Humanitarian and Development Cybersecurity Report
At Scottship Solutions, we help nonprofits protect their data, their donors, and their mission. From managed IT support with built-in security monitoring to fractional CIO services that include cybersecurity oversight, we build practical security programs that fit nonprofit budgets. Start with a tech stack audit to identify your gaps, then explore our IT services for ongoing protection. Schedule a consultation today to find out where your organization stands.
Looking for more? Explore our managed IT services for nonprofits hub for guides, case studies, and service details.
Written by
Josh Bass
Cybersecurity Consultant at Scottship Solutions
Josh leads security assessments and compliance audits for mission-driven organizations. He helps nonprofits build defensible security postures, meet HIPAA and state privacy requirements, and respond to threats before they become incidents.
Certifications
CompTIA Security+ Certified
Industries Served
Healthcare & Community Health (HIPAA), Human Services, Child Advocacy, Foundations & Grantmakers