Practical cybersecurity tips for nonprofits
Find useful cybersecurity practices for nonprofits that can help prevent a data breach, hacked passwords, and other organizational harm caused by bad actors online.

Imagine you have to call one of your key donors to explain that their personal information was involved in a data breach at your organization. How comfortable would you be explaining why you had their data, what you were doing to protect it, and whether you had taken reasonable steps to keep only the data you needed and safeguard what you kept?
Asking this last question is a way of applying “reasonableness” to your cybersecurity practices. Did you protect personal data in a manner that a reasonable person would expect?
While cybersecurity can feel opaque, the underlying principles are familiar—much like how organizations reduce fire risk through basic safety protocols and preparedness. Reasonable cybersecurity is built on routine, repeatable practices, not technical complexity. It means keeping only what you need, protecting what you keep, maintaining appropriate detection and response capabilities, and knowing when to call the professionals.
Data breach prevention: Building reasonable safeguards
Don’t hoard data
The most effective control is also the simplest: Don’t hoard data. The value of data to your organization decreases over time, but your liability for protecting it never does. You can’t suffer a data breach if you don’t have data.
Ask two questions of all your data: Why are we collecting this? Why are we keeping this? If you can’t answer both clearly, delete it. That old spreadsheet of social security numbers and personal information from client intake forms, or the intake forms themselves from a shuttered program, is a liability, not an asset. A great action to take is to create a data retention policy and make sure it is not only written down but also practiced.
Fix password problems
When staff reuse passwords across systems, it’s like using one key for your house, car, and office—convenient until someone gets a copy. Password managers create unique, strong passwords for every system. Several offer substantial nonprofit discounts: 1Password offers nonprofit pricing, while Bitwarden starts at just $4 per user monthly with a robust free tier.
Enforce multi-factor authentication (MFA)
Research from Microsoft shows that MFA blocks over 99.9% of account compromise attacks. It’s free and adds a critical layer of protection.
Keep systems up to date
Those too-often postponed or ignored update notifications are frequently fixing security vulnerabilities. Keeping systems current is critical.
Monitor for early warning signs
Cyber monitoring systems occasionally generate false alarms. The goal isn’t eliminating all alerts—it’s noticing unusual activity early enough to respond.
The current information is sobering: the global average time to identify and contain a data breach is 241 days, according to IBM’s 2025 Cost of a Data Breach Report. That’s over seven months before organizations notice uninvited guests in their systems. For breaches involving stolen credentials, it can take even longer—averaging 292 days.
Basic monitoring includes alerts for failed login attempts, access from unexpected locations, or unusual downloads. Many existing systems (including Microsoft 365 and Google Workspace) include built-in monitoring tools.
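The three warning signs named above (repeated failed logins, access from an unexpected location, and unusually large downloads) can be checked with a few lines of logic. The following is an added example run over constructed sample log lines; it is not code from the article or from any vendor product, and the log format, the per-user location baseline and the thresholds are assumptions chosen for illustration.

```python
# Added example: a minimal detector for the warning signs the article names,
# run over constructed sample log lines (not the page's or any vendor's code).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format): timestamp user event location size_mb
SAMPLE_LOG = """\
2025-03-01T09:00:00 alice login_ok US 0
2025-03-01T09:02:00 alice download US 2
2025-03-01T22:10:00 bob login_fail FR 0
2025-03-01T22:10:30 bob login_fail FR 0
2025-03-01T22:11:00 bob login_fail FR 0
2025-03-01T22:11:20 bob login_fail FR 0
2025-03-01T22:11:40 bob login_fail FR 0
2025-03-01T22:12:10 bob login_ok FR 0
2025-03-01T22:15:00 bob download FR 900
2025-03-01T08:30:00 bob login_ok US 0"""

KNOWN_LOCATIONS = {"alice": {"US"}, "bob": {"US"}}   # assumed per-user baseline
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)  # assumed thresholds
DOWNLOAD_MB_LIMIT = 500

def parse(log):
    """Parse the sample format into (time, user, event, location, size_mb), oldest first."""
    events = []
    for line in log.splitlines():
        ts, user, event, loc, size_mb = line.split()
        events.append((datetime.fromisoformat(ts), user, event, loc, int(size_mb)))
    return sorted(events)

def detect(log):
    """Return a list of (alert_type, user, detail) tuples worth a human look."""
    alerts = []
    recent_fails = defaultdict(list)  # user -> timestamps of recent failed logins
    for ts, user, event, loc, size_mb in parse(log):
        if event == "login_fail":
            # Keep only failures inside the window, then add this one.
            window = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            recent_fails[user] = window
            if len(window) == FAIL_THRESHOLD:  # alert once, not on every extra failure
                alerts.append(("repeated_failures", user, ts))
        elif event == "login_ok" and loc not in KNOWN_LOCATIONS.get(user, set()):
            alerts.append(("unexpected_location", user, loc))
        elif event == "download" and size_mb > DOWNLOAD_MB_LIMIT:
            alerts.append(("large_download", user, size_mb))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Alice's routine activity produces nothing, while Bob's burst of failures followed by a login from a new country and a large download yields three alerts; tuning the thresholds to your own baseline is how you keep the false-alarm rate tolerable.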
Know what you can handle and when to escalate
Know the difference between small and big problems
Sometimes you’ll discover a small security incident you can handle internally—perhaps someone clicked on a suspicious link, but you caught it immediately. Your response plan is a critical line of defense: Disconnect the affected system, change relevant passwords, assess potential damage, and document what happened.
The critical skill is distinguishing between incidents you can manage internally and those requiring professional help. A single compromised password is a small problem. A compromise across multiple systems requires calling in the professionals.
Practice your incident response plan
You can discover critical gaps in your response plan while there’s still time to fix them. A tabletop exercise is a simple, structured discussion of a potential scenario—for example, “What would we do if our donor database was compromised?” You can run one in 30 minutes and discover gaps in your response plan when corrective action is still straightforward.
The aim is to clarify roles, contacts, and the information each person needs. This isn’t a technical test; it’s a test of communication and process.
Identify your escalation and support contacts
Cyber insurance providers typically coordinate forensics, legal support, and crisis communications. The good news: policies for small nonprofits often cost less than you’d expect—often just a few thousand dollars per year. Organizations like Coalition and Nonprofits Insurance Alliance specialize in nonprofit coverage.
Document response procedures in a simple one-page plan. Prepare communication templates for different audiences—affected individuals, your board, the media. Having these frameworks ready means you won’t have to make critical decisions under pressure.
Meeting the reasonable standard
The test remains simple: Could you confidently explain your data practices and security measures to someone whose information was affected? If yes, you’re meeting the reasonable standard. If not, you now have the resources to get started.