Nonprofits are increasingly attractive targets for cybercriminals. Not because they're particularly profitable, but because they're often under-defended. Sensitive donor data, client records, and grant funds make them worthwhile targets. A lack of dedicated security staff makes them accessible ones.
After reviewing security programs at dozens of nonprofits in the $5–20M range, I see the same vulnerabilities appearing again and again. Here are the five most common — and what to actually do about them.
Mistake #1: Treating Security as an IT Problem
The most foundational mistake isn't technical — it's organizational. Most nonprofits I work with think about cybersecurity as something that happens in a server room, managed by whoever is responsible for the computers. In reality, the most common attack vector is a person, not a system.
Phishing attacks succeed because a staff member clicked something. Business email compromise works because a finance manager wired money to a fraudster. Ransomware spreads because someone opened an attachment on an unmanaged laptop. In every case a person was the entry point. What decides whether that click costs you money or data is the set of controls around the person: whether the mailbox had MFA, whether the change of bank details was verified by phone, whether the laptop was managed and backed up. Those controls are organizational decisions before they are technical ones.
The fix: Security is a leadership responsibility, not just an IT function. The executive director, COO, and CFO need to understand the threat landscape and make decisions about acceptable risk. Annual security awareness training for all staff — not a checkbox exercise but an engaging, scenario-based program — is foundational, and one of the most cost-effective security investments you can make. Back it with two specific procedures: a written rule that any change to a vendor's or employee's bank details is confirmed by a phone call to a number already on file, never to one supplied in the requesting email; and an easy way for staff to report a suspicious message (a report button in the mail client or a shared mailbox), with thanks rather than blame when they use it.
Mistake #2: Unmanaged Endpoints
Walk into most nonprofits and you'll find a mix of organization-owned laptops, personal devices people use for work, and computers that have been in service since the previous administration. Staff log into cloud services from home networks. Former employees retain access to shared accounts. The IT asset inventory, if it exists at all, is a spreadsheet no one has updated in 18 months.
Unmanaged endpoints are one of the most significant and most overlooked risk factors in the sector. Every device that touches organizational data — email, donor database, shared drives — is a potential entry point.
The fix: Implement Mobile Device Management (MDM) for all organization-owned devices, and have a clear policy on personal device use for work. Tools like Microsoft Intune or Jamf are available at nonprofit pricing and enforce full-disk encryption, screen lock, automatic OS updates, and remote wipe of a lost or stolen device. MDM is management, not detection: pair it with an endpoint detection and response (EDR) agent, and, where your identity provider supports it, a conditional access rule that allows email and file access only from enrolled, compliant devices. That rule is what turns a personal-device policy into something enforced rather than hoped for. This is not as expensive or complicated as it sounds; a good IT partner can have you up and running in a few weeks.
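The quickest way to find the gap the paragraph above describes is to compare what MDM knows about with what your identity provider actually sees signing in. The script below is an added example, not code from the article or from Intune, Jamf or any vendor. Both CSV exports are constructed for illustration (the users, device IDs and dates are made up), and the column names are assumptions: real Intune, Jamf and Entra ID exports use their own headers, so map them before calling `audit_endpoints()`. It flags devices that signed in to organizational data without being enrolled, rated higher when the app holds donor or financial data, plus enrolled devices that are unencrypted or have gone silent.

```python
"""Endpoint audit: devices reaching org data that MDM does not know about,
plus enrolled devices that fail basic compliance.

Added example, not from the article. Both exports are constructed and the
column names (device_id,user,encrypted,last_checkin and
user,device_id,app,timestamp) are assumptions; map real export headers first.
"""
import csv
import io
from datetime import date

# Constructed MDM export: every enrolled device and its last check-in.
MDM_EXPORT = """\
device_id,user,encrypted,last_checkin
LT-0012,sarah@example.org,yes,2024-05-05
LT-0019,tom@example.org,no,2024-05-04
LT-0007,jane@example.org,yes,2024-01-20
"""

# Constructed identity-provider sign-in export (device IDs as the IdP reports them).
SIGNIN_EXPORT = """\
user,device_id,app,timestamp
sarah@example.org,LT-0012,donor-db,2024-05-05T09:12:00
tom@example.org,LT-0019,email,2024-05-05T10:01:00
tom@example.org,PHONE-tom-personal,email,2024-05-05T18:22:00
bob@example.org,UNKNOWN-7f3a,donor-db,2024-05-05T11:40:00
bob@example.org,UNKNOWN-7f3a,donor-db,2024-05-05T14:03:00
"""

CHECKIN_DAYS = 30                         # assumption: silent for 30 days is a problem
SENSITIVE_APPS = {"donor-db", "finance"}  # data that should only be reached from managed devices

def parse(text):
    """Parse an inline CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def audit_endpoints(mdm_rows, signin_rows, today):
    """Return (severity, device_id, user, finding) tuples."""
    managed = {r["device_id"]: r for r in mdm_rows}
    findings = []

    # Unmanaged endpoints: seen signing in, unknown to MDM. Collect the apps each
    # device/user pair touched so a device gets one finding, rated by the worst app.
    unmanaged = {}
    for s in signin_rows:
        if s["device_id"] not in managed:
            unmanaged.setdefault((s["device_id"], s["user"]), set()).add(s["app"])
    for (dev_id, user), apps in unmanaged.items():
        sev = "high" if apps & SENSITIVE_APPS else "medium"
        findings.append((sev, dev_id, user,
                         "unmanaged device signed in to " + ", ".join(sorted(apps))))

    # Enrolled but non-compliant: no disk encryption, or no check-in for CHECKIN_DAYS
    # (a device that stopped reporting is no longer really managed).
    for dev_id, d in managed.items():
        if d["encrypted"].strip().lower() != "yes":
            findings.append(("high", dev_id, d["user"], "disk not encrypted"))
        silent = (today - date.fromisoformat(d["last_checkin"])).days
        if silent > CHECKIN_DAYS:
            findings.append(("medium", dev_id, d["user"], f"no MDM check-in for {silent} days"))
    return findings

def run_example(today=date(2024, 5, 6)):
    """Run the audit over the constructed exports with a fixed 'today'."""
    return audit_endpoints(parse(MDM_EXPORT), parse(SIGNIN_EXPORT), today)

if __name__ == "__main__":
    for sev, dev_id, user, finding in sorted(run_example()):
        print(f"{sev:6} {dev_id:20} {user:20} {finding}")
```

The high-severity hits are the ones to act on first: an unknown device reading the donor database, and an enrolled laptop with no disk encryption. Once a conditional access rule requires a compliant device, the first category stops at sign-in instead of showing up in an audit afterwards.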
Mistake #3: Weak Access Management
Password hygiene at nonprofits is generally poor. Shared passwords are common ("the password for the donor database is on the sticky note by Sarah's desk"). Staff use the same passwords across personal and professional accounts. Multi-factor authentication is inconsistently deployed. And when someone leaves the organization, account deprovisioning is often incomplete or delayed.
These are not edge cases. They're the norm. And each one creates a meaningful door that an attacker can walk through.
The fix: Require MFA on every system that supports it — email, cloud storage, donor management, financial systems, everything — starting with administrator accounts. Prefer phishing-resistant methods (FIDO2 security keys or passkeys), or at least an authenticator app with number matching, over SMS codes and plain push approvals: attackers defeat the weaker methods with push-fatigue prompts and adversary-in-the-middle phishing pages that relay the code in real time. Implement a password manager organization-wide (1Password, Bitwarden, and others have nonprofit pricing) and move every shared credential into a shared vault, so it can be rotated when someone leaves. Create a formal offboarding checklist that covers every system: disable the account on the person's last day, revoke active sessions and tokens, rotate any shared passwords they knew, reassign mailbox and file ownership, and remove them from the donor database and banking portals. Assign a specific person to own that process.
Multi-factor authentication stops over 99% of automated credential attacks such as password spraying and credential stuffing. It is less of a guarantee against a targeted phish aimed at a weak second factor, which is why the method matters. If you do nothing else from this article, enable MFA on your email and financial systems today.
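The access audit behind this fix (and the Month 1 item in the list at the end of the article) is a reconciliation: every account in the identity provider is checked against the HR roster. The script below is an added example, not code from the article or from any identity provider. Both CSV exports are constructed for illustration (the names, dates and role-to-app mapping are made up), and the column names are assumptions; real exports from Entra ID, Google Workspace or Okta use their own headers, so map them before calling `audit()`. It flags accounts still enabled for terminated staff, accounts and shared logins with no owner on the roster, access beyond what the person's role needs, missing MFA (rated higher where the account reaches money or donor data), and accounts nobody has signed in to for months.

```python
"""Access audit: reconcile identity-provider accounts with the HR roster.

Added example, not from the article. The two CSV exports are constructed and
the column names (user,type,mfa,last_login,apps and user,status,role) are
assumptions; map real export headers before calling audit().
"""
import csv
import io
from datetime import date

# Constructed IdP export: one row per account, apps separated by ';'.
IDP_EXPORT = """\
user,type,mfa,last_login,apps
sarah@example.org,user,yes,2024-05-01,email;donor-db;finance
tom@example.org,user,no,2024-04-28,email;shared-drive;finance
donor-db-admin@example.org,shared,no,2024-04-30,donor-db
jane@example.org,user,yes,2023-10-12,email;finance
intern2022@example.org,user,no,2022-08-30,email
"""

# Constructed HR roster: the source of truth for who should have access at all.
HR_ROSTER = """\
user,status,role
sarah@example.org,active,development director
tom@example.org,active,program coordinator
jane@example.org,terminated,finance manager
"""

STALE_DAYS = 90                            # assumption: no sign-in for 90 days means unused
PRIVILEGED_APPS = {"finance", "donor-db"}  # systems holding money or donor data
# Assumed role-to-app mapping; in practice this comes from your own access policy.
ROLE_APPS = {
    "development director": {"email", "donor-db", "finance"},
    "program coordinator": {"email", "shared-drive"},
}

def parse(text):
    """Parse an inline CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def audit(idp_rows, hr_rows, today):
    """Return (severity, user, finding) tuples for every gap found."""
    roster = {r["user"]: r for r in hr_rows}
    findings = []
    for acct in idp_rows:
        user = acct["user"]
        apps = {a for a in acct["apps"].split(";") if a}
        hr = roster.get(user)
        # Offboarding gap: the account is still enabled for someone HR says has left.
        if hr is not None and hr["status"] != "active":
            findings.append(("high", user, "enabled account for terminated staff; revoke all access"))
        # Orphans: no HR record. Shared logins are tolerable only with a named owner.
        elif hr is None and acct["type"] == "shared":
            findings.append(("high", user, "shared account with no named owner"))
        elif hr is None:
            findings.append(("high", user, "account not on HR roster"))
        # Role mismatch: access beyond what the current role needs.
        elif hr["role"] in ROLE_APPS:
            extra = apps - ROLE_APPS[hr["role"]]
            if extra:
                findings.append(("medium", user, "access beyond role: " + ", ".join(sorted(extra))))
        # MFA coverage, rated higher where the account reaches money or donor data.
        if acct["mfa"].strip().lower() != "yes":
            sev = "high" if apps & PRIVILEGED_APPS else "medium"
            findings.append((sev, user, "MFA not enrolled"))
        # Stale accounts: no sign-in for STALE_DAYS, so probably unused; disable them.
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > STALE_DAYS:
            findings.append(("medium", user, f"no sign-in for {idle} days"))
    return findings

def severity_counts(findings):
    """Count findings per severity, for a one-line summary to leadership."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts

def run_example(today=date(2024, 5, 6)):
    """Run the audit over the constructed exports with a fixed 'today'."""
    return audit(parse(IDP_EXPORT), parse(HR_ROSTER), today)

if __name__ == "__main__":
    results = run_example()
    for sev, user, finding in sorted(results):
        print(f"{sev:6} {user:28} {finding}")
    print(severity_counts(results))
```

Run quarterly, the same script doubles as a check on the offboarding process: any "enabled account for terminated staff" finding means the checklist was not completed, and the owner of that process should find out why.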
Mistake #4: No Vendor Security Review
Nonprofits routinely hand sensitive data to third-party vendors — donor management platforms, payroll processors, HR systems, cloud storage providers, program management tools — without asking a single security question. Vendor contracts are signed based on feature lists and pricing. Nobody asks: how do you store our data? What happens in a breach? Can you show us a SOC 2 report?
This matters because your security is only as strong as your weakest vendor. A breach at a software partner can expose your donor data even if your own systems are perfectly secure. And in regulated environments — healthcare, housing, some education contexts — the liability for a vendor-caused breach can fall back on your organization.
The fix: Create a lightweight vendor security questionnaire and make completing it a condition of contract signature. At minimum, ask: Do you have a current SOC 2 Type II report (or an ISO 27001 certificate), and will you share it under NDA? What is your incident notification process, and within what timeframe will you tell us? How is our data encrypted in transit and at rest, and who holds the keys? Which subprocessors (hosting providers, support tools) also see our data? Do you undergo third-party penetration tests? What happens to our data when the contract ends? Most enterprise vendors have answers to these questions readily available. Note that SOC 2 is an auditor's attestation, not a certification or a guarantee: read the exceptions section of the report rather than just checking that one exists. Vendors who can't or won't answer these questions deserve harder scrutiny.
Mistake #5: No Incident Response Plan
Most nonprofits have never thought through what they would do if a security incident actually occurred. If ransomware encrypted your files tonight, who would you call first? Do you have backups that ransomware can't reach (offline, or immutable copies that a compromised admin account can't delete), and have you ever actually restored from them? Would your board need to be notified? Do you have cyber liability insurance, and what does it cover? What are your notification obligations to clients, donors, or regulators?
The absence of answers to these questions isn't just a compliance gap — it's a risk multiplier. Organizations without incident response plans tend to make their worst decisions in the first hours after an incident, when stress is highest and time is shortest.
The fix: Document an incident response plan — it doesn't need to be long, but it needs to exist. At minimum, identify your incident response team (who decides and who communicates), your backup and recovery procedures, your legal notification obligations, your cyber insurance carrier and policy number, and a short list of external resources (legal counsel, a breach response firm) you'd engage in a serious incident. Keep a printed or offline copy with phone numbers, because the plan on the shared drive is no use when the shared drive is encrypted. Check now whether your insurance policy requires you to notify the carrier before engaging outside responders; many policies do, and engaging the wrong firm can affect coverage. Test the plan annually with a tabletop exercise — a structured conversation about what you'd do if a specific scenario occurred. It will surface gaps that the document alone can't catch.
Where to Start
Confronting five security gaps at once can feel paralyzing. If you need to prioritize, start here:
- Week 1: Enable MFA on email and any financial or banking systems, starting with administrator accounts.
- Month 1: Conduct staff security awareness training. Complete an access audit — who has access to what, does it match their current role, and are any former staff or unowned shared accounts still enabled?
- Quarter 1: Inventory your devices, compare the inventory with what is actually signing in to your systems, and implement MDM. Draft an incident response plan.
- Year 1: Implement a vendor security review process. Consider a third-party security assessment to identify gaps you've missed.
None of this requires a six-figure security budget. What it requires is a decision that security is worth the attention — and someone with the knowledge to translate that decision into action.
That's exactly what a fractional CIO is designed to do.