Cybersecurity Challenges and Best Practices for Nonprofits

June 26, 2023

Nonprofits and nongovernmental organizations (NGOs) face significant cyber threats. In fact, 27% of nonprofits worldwide have fallen victim to cyberattacks, according to the 2023 Nonprofit Tech for Good Report. Unfortunately, many of these organizations remain vulnerable due to outdated security protocols.

A report published by the Nonprofit Technology Enterprise Network (NTEN) revealed:

  • 68% of nonprofits do not have documented policies and procedures in place should a cyberattack occur.
  • Less than 50% of nonprofit organizations have internal procedures or policies in place to manage how data is shared with external agencies.
  • 71% of nonprofits allow staff members to use unsecured personal devices to access organizational emails and business files.

Since many nonprofits lack proper security protocols or up-to-date defense measures, they are considered low-hanging fruit for cybercriminals.

Why Are Nonprofits Vulnerable to Cyberattacks?

Nonprofits are particularly vulnerable to cyberattacks due to several key factors. First, these organizations often store personal, financial, or other sensitive information about donors and clients. Additionally, many nonprofits are associated with secondary organizations, such as healthcare or government entities, which possess their own data, services, and vulnerabilities. If a cybercriminal can exploit any weaknesses within these interconnected components, they can gain significant leverage.

Moreover, nonprofits frequently collect information from individuals who are vulnerable and at-risk, like low-income families, children, and the elderly. This also makes their data highly valuable to cybercriminals.

Other vulnerabilities specific to nonprofits include:

  • Limited cybersecurity expertise: Nonprofits often lack dedicated IT departments or cybersecurity professionals due to budget constraints. This lack of expertise and resources can make it challenging to implement and maintain robust security measures.
  • Dependence on volunteers: Nonprofits heavily rely on volunteers who may not have adequate cybersecurity knowledge or training. This reliance introduces an additional layer of vulnerability, as volunteers may unknowingly engage in risky online behaviors or inadvertently expose sensitive information.
  • Third-party service providers: Nonprofits frequently collaborate with third-party vendors or service providers for various functions like fundraising platforms, cloud storage, or website management. These external partnerships can create additional entry points for cyberattacks if proper security protocols are not established and monitored.
  • Lack of awareness and prioritization: Nonprofits may underestimate the severity of cyber threats or believe that they are less likely to be targeted compared to larger organizations. This perception can lead to a lack of awareness and a failure to prioritize cybersecurity, making them more susceptible to attacks.

When cyberattacks specifically target nonprofits, the aim is often to obtain various types of information, such as research surveys, mailing lists, donation forms, meeting records, and donor details.

What Kinds of Cyberattacks Do Nonprofits Commonly Face?

The shift from traditional paper-based systems to digital storage means that personal and financial information is now increasingly vulnerable. It's crucial to recognize that any member of your team could unintentionally provide a "key" to cybercriminals.

Common cyberattacks endured by nonprofits include:

Ransomware:

In a ransomware attack, cybercriminals identify the most valuable data and compromise it until you pay a specific amount, often within a set timeframe. This is carried out by a form of malware that encrypts data on an infected computer or device. Cybercriminals demand payment for the decryption key.

Social engineering:

Cybercriminals employ deceptive tactics, often via email, phone calls, or text messages, to manipulate individuals and gain unauthorized access to organizational systems. Social engineering attacks exploit human error rather than relying solely on technical weaknesses.

Data breaches from third-party vendors:

Nonprofits frequently rely on third-party vendors to store sensitive information, such as donor data, medical records, or personally identifiable information (PII) used for fundraising. If a breach occurs in a vendor’s system, the sensitive data stored there becomes exposed and vulnerable to theft.

Data breaches from employees:

Many data breaches occur due to employee negligence or malicious intent, leading to unauthorized access and theft of sensitive information. This can occur through actions such as mishandling data, sharing credentials, or falling victim to phishing attempts.

Malicious software:

Viruses and other forms of malware can infiltrate computers or mobile devices connected to the nonprofit’s network, putting sensitive information at risk. Malicious software can cause significant disruptions and compromise the integrity of data.

These cyberattacks can lead to serious consequences for nonprofits, including:

  • Exposure of confidential or sensitive information.
  • Inaccessibility of organization, donor, or client data.
  • Disruptions to operations, potentially leading to reputational damage and loss of support. Consider that donors might choose to fund – or not fund – organizations depending on their cybersecurity efforts.
  • Strain on internal resources and management due to the need for data recovery and restoration.
  • Unforeseen costs associated with addressing a compromised environment, such as legal expenses, regulatory fines, and identity protection measures.

Best Practices to Strengthen Your Nonprofit’s Cybersecurity

The last thing you want to do is leave yourself—and your data—out in the open. And the worst time to start thinking about how to respond to a cyberattack is when you’re being breached. Therefore, proactive planning is key. To strengthen your nonprofit’s cybersecurity, it is essential to establish a culture of cybersecurity that is driven and emphasized by leadership. With this in mind, take the following steps to develop an effective cybersecurity program—and culture—at your nonprofit.

Assess and Test

Conduct a thorough audit of your current IT infrastructure to identify weaknesses, potential risks, and areas for improvement. This assessment will provide visibility over what’s happening in your environment and help create a roadmap for enhancing cybersecurity.
