Nonprofits are increasingly targeted by cyberattacks. Ransomware attacks demanding payment to restore access to systems, phishing schemes targeting staff, data breaches exposing donor and client information—these attacks affect nonprofits of all sizes. Many nonprofit leaders feel overwhelmed by cybersecurity, thinking strong security requires expensive IT infrastructure and expertise they can't afford. In reality, most cyberattacks succeed not because security is technically sophisticated, but because organizations skip basic security practices. Strong foundational security protects against the vast majority of threats and doesn't require massive investment.
This article provides a practical cybersecurity checklist focused on what actually matters: the high-impact security practices that stop most attacks. These are the fundamentals that should be in place before you worry about advanced threats or sophisticated security infrastructure. Get these basics right and you'll be more secure than most organizations.
Access and Authentication: Controlling Who Can Access What
The strongest security starts with controlling access. Who can access your systems? Who can access sensitive data? What can they do? Most breaches involve either weak authentication (easy-to-guess passwords or no password at all) or inappropriate access levels (staff having access to data they don't need).
Implement strong passwords or password managers. Staff creating their own passwords often create weak ones. Consider implementing a password manager (like Bitwarden or 1Password) where the organization creates strong passwords and staff access them through the manager. This is easier for users (one master password rather than dozens of weak passwords) and more secure (strong random passwords stored securely). Alternatively, enforce a minimum password standard: at least 12 characters, mixed case, numbers, and symbols.
Implement multi-factor authentication (MFA) everywhere possible. MFA requires a second form of authentication beyond a password, usually a code from an authenticator app or a text message (an authenticator app or a hardware security key is the stronger choice, since SMS codes can be intercepted, but any second factor is far better than none). Even if someone gets your password, they can't access your account without the second factor. Enable MFA for email, cloud services, financial accounts, and any system containing sensitive data. This single practice stops most account takeovers.
Limit access based on job role. Staff shouldn't have access to donor financial information, client health records, or administrative systems unless their job requires it. When staff leave, immediately revoke their access. When staff move roles, update their access. This limits the damage from compromised accounts or insider threats.
Track who has administrative access. Identify all staff with admin-level access to systems. Limit this group to the minimum necessary. Review quarterly. Someone who left should no longer be an admin. Someone who moved roles might no longer need admin access. Regular review prevents access creep and limits privilege abuse.
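The quarterly review described in the last two items can be done mechanically once you have two lists: who holds admin access, and HR's current roster. The following is an added example, not from the original article, that flags departed staff, staff whose new role no longer needs admin rights, and admins who have not logged in for 90 days; the accounts, roles and dates are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample data, not real records: an admin list exported from a
# system and the staff roster from HR. Names and roles are hypothetical.
ADMIN_ACCOUNTS = [
    # (account, date of last login)
    ("alice@example.org", date(2024, 3, 1)),
    ("bob@example.org", date(2023, 9, 20)),
    ("carol@example.org", date(2024, 2, 14)),
    ("dave@example.org", date(2023, 11, 1)),
]
STAFF_ROSTER = {
    # account -> (current role, still employed)
    "alice@example.org": ("Operations Director", True),
    "bob@example.org": ("Operations Director", False),  # has left
    "carol@example.org": ("Program Coordinator", True),  # moved roles
    "dave@example.org": ("IT Volunteer", True),
}
ADMIN_ROLES = {"Operations Director", "IT Volunteer"}  # roles that need admin
INACTIVE_AFTER = timedelta(days=90)
REVIEW_DATE = date(2024, 3, 31)  # the day this quarterly review is run


def review_admins(admins, roster, admin_roles, today):
    """Return (account, reason) pairs for admin accounts that should be
    revoked or re-confirmed. Accounts missing from the roster are treated
    as departed, since nobody currently vouches for them."""
    findings = []
    for account, last_login in admins:
        role, employed = roster.get(account, (None, False))
        if not employed:
            findings.append((account, "departed: revoke admin access"))
        elif role not in admin_roles:
            findings.append((account, f"now {role}: admin access no longer needed"))
        elif today - last_login > INACTIVE_AFTER:
            findings.append((account, "no login in 90 days: confirm still needed"))
    return findings


def run_review():
    return review_admins(ADMIN_ACCOUNTS, STAFF_ROSTER, ADMIN_ROLES, REVIEW_DATE)


if __name__ == "__main__":
    for account, reason in run_review():
        print(f"{account}: {reason}")
```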
Updates and Patching: Staying Current With Security Fixes
Most cyberattacks exploit known vulnerabilities that have fixes available. If you're not installing security updates, you're vulnerable to attacks that would be easily stopped by updates. This is one of the highest-impact security practices and costs nothing.
Enable automatic updates on all devices and systems. Computers, phones, servers, routers, software—all of them get security updates regularly. Enable automatic updates so you're always current. Don't delay or skip updates hoping to avoid disruption. Security updates are more important than avoiding brief interruptions. Set updates to happen during off-hours if timing is an issue, but don't skip them.
Maintain an inventory of systems and software. Know what systems and software your organization uses. When vulnerabilities are announced, you need to know whether you're affected. Without an inventory, you don't know what you need to patch. Create a simple spreadsheet: operating systems, cloud services, software, hardware. Update it as things change. Assign someone to maintain it (doesn't need to be IT staff, just someone who keeps track).
Have a patching process. When security updates are released, how does your organization decide whether to install them? Ideally immediately for critical security updates, within weeks for others. Don't have staff deciding individually whether to install updates. Centralize it so it actually happens.
Email and Phishing: Guarding Your Largest Attack Vector
Email is the primary vector for attacks on nonprofits. Phishing emails trick staff into clicking malicious links or downloading malware. Business email compromise tricks staff into transferring funds or sharing sensitive data. Email security and staff awareness are critical.
Use email security filtering. Cloud email providers like Gmail and Microsoft 365 include good phishing filtering. Enable it. Configure strict settings to catch more suspicious emails. This stops the majority of phishing emails automatically. Work with your email provider to understand filtering options and enable the strongest reasonable settings.
Train staff on phishing. Teach staff what phishing looks like: urgent language, requests to verify passwords, links to login pages, urgent requests for money transfers. Train them to check sender addresses carefully (attackers often use addresses that look similar to legitimate ones but aren't). Create a process for reporting suspicious emails rather than punishing people who get tricked. If staff fear reporting phishing, they'll delete it without telling you, and you won't know there's a problem.
Implement email authentication (SPF, DKIM, DMARC). These three standards make it harder for attackers to spoof your organization's email address: SPF lists which servers may send mail for your domain, DKIM signs outgoing messages so receivers can verify they weren't altered, and DMARC tells receiving servers what to do with mail that fails those checks. They are configured as DNS records for your domain; your email provider publishes the exact values to use. With a DMARC policy of quarantine or reject in place, receiving servers can reject messages that forge your nonprofit's domain.
Be cautious with email-based sharing of sensitive data. Email is not end-to-end encrypted by default; messages sit readable in mailboxes and can be forwarded or intercepted. Avoid sending passwords, financial information, or personal data through email when possible. If you must share sensitive data, use encrypted email or a secure file transfer service.
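Publishing SPF and DMARC records is only half the job; a record that ends in +all or a DMARC policy of p=none does not cause receivers to act on forged mail. As an added example (not from the original article), this Python check reads the two TXT record strings and reports whether they are enforcing; the record values are constructed samples, and you would paste in the ones from your own domain.

```python
# Constructed example records, not real DNS data: what a domain's SPF and
# DMARC TXT records typically look like and how to judge their strength.
SPF_RECORD = "v=spf1 include:_spf.google.com ~all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"


def assess_spf(record):
    """Return (enforcing, reason) for an SPF TXT record string."""
    if not record.lower().startswith("v=spf1"):
        return False, "not an SPF record"
    terms = record.split()
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return False, "no 'all' mechanism: unlisted senders are not rejected"
    # The qualifier on 'all' decides what happens to servers not listed;
    # an absent qualifier means '+' (pass), which is the weakest setting.
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    if qualifier == "-":
        return True, "-all: mail from unlisted senders fails"
    if qualifier == "~":
        return True, "~all: unlisted senders soft-fail (fine when DMARC enforces)"
    return False, f"{qualifier}all: forged mail from unlisted senders passes"


def assess_dmarc(record):
    """Return (enforcing, reason) for a DMARC TXT record string."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return False, "not a DMARC record"
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return True, f"p={policy}: receivers act on mail failing SPF/DKIM"
    if policy == "none":
        return False, "p=none: monitoring only, forged mail is still delivered"
    return False, "missing or invalid p= tag"


if __name__ == "__main__":
    print("SPF:  ", *assess_spf(SPF_RECORD))
    print("DMARC:", *assess_dmarc(DMARC_RECORD))
```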
Data Backups and Recovery: Preparing for Loss
Ransomware attacks encrypt your data and demand payment to restore it. The best protection is regular backups stored separately from your primary systems. If your data is backed up securely, ransomware is just an inconvenience. Without backups, ransomware can be devastating.
Implement the 3-2-1 backup rule: three copies of critical data (one primary, two backups), on two different types of media (e.g., cloud and external hard drive), with one copy stored off-site. This ensures data is never lost to single points of failure. For most nonprofits, this looks like: data on your primary systems, automatic daily backups to cloud storage, and periodic backups to external hard drives stored off-site.
Test your backups regularly. Create a backup and then try to restore from it. If you've never restored from backup, you don't know whether it actually works. Test annually at minimum. Document the restoration process so when you need to restore, you know how.
Ensure backups are immutable. Ransomware can delete backups if it has access. Configure backups so they can't be changed or deleted once created. Most backup services support this; make sure it's enabled.
Vendor and Device Security: Protecting Your Connected Systems
Your organization uses external services (email, cloud storage, payment processors) and devices (laptops, phones, servers). All of these are entry points for attacks. You need basic security measures for devices and oversight of vendor security.
Ensure devices have antivirus protection. All computers should have antivirus or anti-malware software installed. Modern operating systems include built-in protection; make sure it's enabled. Avoid free antivirus from unknown sources; use Microsoft Defender (built into Windows), Apple's built-in protection (macOS), or reputable options like Malwarebytes.
Maintain device inventory. Know what devices connect to your network. Ideally, require that only approved devices connect. This prevents staff from connecting personal devices with malware or unknown devices that could compromise your network.
Assess vendor security. Before using a cloud service or software, check their security practices. Ask vendors about encryption, backups, security audits, and incident response plans. Don't use vendors with no security practices or unwillingness to discuss them.
Monitoring and Incident Response: Detecting Problems Early
Security monitoring helps you detect attacks in progress so you can respond before significant damage. You don't need advanced monitoring initially; basic practices are enough. Monitor for suspicious activity: unusual login times or locations, multiple failed password attempts, unusual data access, unexpected account changes.
Review logs regularly. Most systems create logs of activity. Periodically review them for suspicious patterns. You might not catch everything, but you'll catch many problems. For nonprofits without IT expertise, this can be as simple as cloud service security alerts. Pay attention when services warn you about suspicious activity.
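Two of the patterns listed above, a burst of failed password attempts and a login from a place an account has never been seen before, can be picked out of an ordinary sign-in export with a few lines of code. This is an added example, not from the original article; the log lines are constructed samples in a simplified "timestamp user result country" layout, and the threshold and window are assumptions you would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events, not real logs: timestamp user result country
SAMPLE_LOG = """\
2024-03-04T08:02:11 alice SUCCESS US
2024-03-04T08:15:43 bob SUCCESS US
2024-03-04T23:40:02 alice FAILURE RU
2024-03-04T23:40:09 alice FAILURE RU
2024-03-04T23:40:15 alice FAILURE RU
2024-03-04T23:40:22 alice FAILURE RU
2024-03-04T23:40:31 alice FAILURE RU
2024-03-04T23:41:05 alice SUCCESS RU
2024-03-05T09:01:00 bob SUCCESS US
"""

FAILURE_THRESHOLD = 5                   # failed attempts that trigger an alert
FAILURE_WINDOW = timedelta(minutes=10)  # ...within this much time (assumed)


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, result, country = line.split()
        events.append((datetime.fromisoformat(ts), user, result, country))
    return events


def find_alerts(events):
    """Flag a burst of failed logins for one account, and a successful login
    from a country that account has never logged in from before."""
    alerts = []
    failures = defaultdict(list)        # user -> timestamps of recent failures
    seen_countries = defaultdict(set)   # user -> countries of past successes
    for ts, user, result, country in sorted(events):
        if result == "FAILURE":
            recent = [t for t in failures[user] if ts - t <= FAILURE_WINDOW]
            recent.append(ts)
            failures[user] = recent
            if len(recent) == FAILURE_THRESHOLD:
                alerts.append(f"{user}: {FAILURE_THRESHOLD} failed logins in "
                              f"{FAILURE_WINDOW} ending {ts.isoformat()}")
        elif result == "SUCCESS":
            if seen_countries[user] and country not in seen_countries[user]:
                alerts.append(f"{user}: login from new country {country} "
                              f"at {ts.isoformat()}")
            seen_countries[user].add(country)
    return alerts


def run_sample():
    return find_alerts(parse_log(SAMPLE_LOG))
```

On the sample data this reports the failed-login burst against alice and then her successful login from a country she had never used, which is exactly the sequence a password-guessing attack that eventually succeeds would leave behind.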
Develop an incident response plan. If you discover a breach or attack, what do you do? Who do you notify? How do you communicate with affected people? Document this in advance. Create a plan that assigns responsibilities so you're not figuring it out during a crisis. Your plan should address: detecting incidents, containing them, notifying affected parties, recovering systems, and learning from what happened.
Frequently Asked Questions
We don't have an IT person. How do we manage cybersecurity?
Many small nonprofits manage security without dedicated IT staff by using cloud services that include security, implementing practices you can do yourself (password managers, multi-factor authentication, backups), and contracting for specific help when needed (annual security audit, incident response). You don't need IT staff if you outsource security to vendors who provide it and you follow basic practices. Focus on the high-impact items: strong passwords, multi-factor authentication, regular updates, backups, and email security. These are doable without IT expertise.
How much does a strong security program cost?
Most essential security costs nothing or very little. Multi-factor authentication is free from most vendors. Password managers have free versions. Operating system security updates are free. Email security comes with cloud email. Backups to cloud storage cost $10-50/month. A strong foundational security program for a small nonprofit might cost $100-300/month. Major investments in advanced security tools aren't necessary until you're much larger or handling highly sensitive data.
What should we do if we get hacked?
Have a plan in advance covering: immediate response (disconnect affected systems to contain the incident), investigation (what happened, what data was accessed), notification (who needs to be told—affected parties, regulators, law enforcement), recovery (restore systems from backups), and communication (transparent explanation to your community). Contact your cyber insurance provider if you have coverage. Document everything. Don't negotiate with ransomware attackers. Report to law enforcement. Learn from what happened and improve your security.
Do we need cyber insurance?
Cyber insurance can help cover costs of a breach (notification, recovery, legal). For nonprofits handling sensitive data or serving vulnerable populations, it's worth considering. It's not necessary if you're very small and don't handle sensitive data. If you do get cyber insurance, use it as motivation to improve security, not as an excuse to skip security basics. Insurance helps with costs of an incident, but it doesn't prevent incidents. Strong security practices prevent most incidents.