Is Your Nonprofit Prepared for a Cyberattack? Why Boards Should Treat Cybersecurity as a Fiduciary Duty

The New Reality of Cyber Threats for Nonprofits

More Digital, More Risk

When the pandemic pushed galas online and moved staff into hybrid roles, nonprofits accelerated their digital transformation. Virtual events, cloud CRMs, and mobile donations made giving easier, but they also expanded the attack surface. According to BoardEffect, half of nongovernmental organizations reported being targeted by a cyberattack in 2021, and nine in ten admit they do not train staff regularly on cyber hygiene. In short, the sector is more connected than ever, yet still underprepared.

Headlines That Should Alarm Every Board

Community IT’s 2025 Incident Report recorded almost 500 suspected account compromises last year and noted that identity-based attacks are practically guaranteed for small and mid-sized nonprofits. These stories rarely make national news, but the financial fallout hits hard: ransom payments, forensic consultants, legal counsel, and donor trust erosion can exceed the cost of a new program. If the board fails to act, the mission suffers.

Understanding Fiduciary Duty in the Digital Age

Duty of Care Includes Data

Board members must exercise reasonable care when overseeing organizational assets. In 2025, donor databases and beneficiary records are as valuable as endowment funds. Ignoring cyber risk is essentially ignoring asset protection.

Duty of Loyalty Requires Resilience

The duty of loyalty demands decisions that serve the nonprofit’s best interest. Resilience planning, including incident response and business continuity, shows loyalty to staff, donors, and program recipients whose data you hold in trust.

Duty of Obedience and Regulatory Compliance

From state breach-notification laws to GDPR and HIPAA, nonprofits face an expanding web of regulations. Boards that neglect security may inadvertently steer the organization out of compliance, putting tax-exempt status, grants, and partnerships at risk.

Why Cybersecurity Is a Governance Issue

Mission Protection, Reputation, and Donor Trust

A breach that leaks donor credit-card data or patient health information can stall fundraising for months. Every dollar spent on incident remediation is a dollar diverted from programs—no board wants that on its watch.

Financial Stewardship and Risk Management

Cyber liability resembles any other strategic risk. Just as the finance committee reviews investment policies, the board’s audit or risk committee should scrutinize password policies, backup routines, and insurance riders.

Board Accountability and Legal Implications

Lawsuits against corporate boards for lax security are growing, and similar actions are creeping into the nonprofit arena. Failing to implement basic safeguards could be construed as negligence.

Common Vulnerabilities in the Nonprofit Sector

Legacy Systems and Limited Budgets

Old Windows servers that no longer receive patches are still common in resource-strapped environments. Attackers exploit these gaps with off-the-shelf malware in minutes.

Human Error and Social Engineering

Gift card scams and bogus wire transfers often start with a single phishing email. In many nonprofits, one distracted intern can expose the entire network.

Third-Party and Supply-Chain Risks

Payment processors, volunteer portals, and outsourced IT vendors all connect to your data. A breach in any of them can ricochet into your environment, so vendor due diligence is non-negotiable.

Building a Culture of Cyber Readiness

Leadership From the Top

Culture flows from the boardroom. When trustees ask about MFA adoption as readily as they ask about cash flow, staff take notice.

Policies Everyone Understands

Cyber policies should be written in plain language, not tech jargon. Post them on the intranet and revisit them annually.

  • Acceptable Use Policies
    Spell out what staff can and cannot do on organizational devices. Make it clear that personal email on work laptops invites trouble.
  • Data Classification and Retention
    Not every spreadsheet deserves the same protection level. Label data sets as public, internal, confidential, or highly sensitive, then delete records you no longer need.

Cost-Effective Cyber Controls Nonprofits Can Deploy Today

Multi-Factor Authentication

MFA blocks more than 99 percent of account-takeover attempts, yet many nonprofits still rely on passwords alone. Free authenticator apps or physical security keys cost far less than breach cleanup.

Regular Patch Management

Automate operating-system and software updates. Weekend volunteers can help monitor patch dashboards if you lack full-time IT staff.

Email Filtering and Anti-Malware

Cloud mail platforms like Microsoft 365 and Google Workspace include enterprise-grade filtering. Activate advanced threat-protection features and log reports for board review.

Phishing Awareness Training

Short monthly simulations keep staff alert. Community IT saw a 20 percent uptick in nonprofits adopting formal training in 2024, which coincided with fewer confirmed compromises.

Principle of Least Privilege

Staff should access only the data their roles require. Segmenting finance, HR, and program folders limits the blast radius when a single account is compromised.
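As an added illustration that is not part of the original article, the following Python audit models the folder segmentation described above: it resolves each account's group memberships to the shared folders it can reach, compares that against a per-role baseline, and reports the excess, which is the blast radius a compromised account would expose. All folder, group, role and account names are constructed sample data.

```python
"""Least-privilege audit over a small file-share access model.

Constructed example: the folders, groups, roles and accounts below are
sample data, not taken from any real nonprofit's environment.
"""

# Constructed sample: which security groups may open each shared folder.
FOLDER_ACCESS = {
    "Finance":  {"finance-team", "leadership"},
    "HR":       {"hr-team", "leadership"},
    "Programs": {"program-staff", "leadership"},
    "Donors":   {"development", "leadership"},
}

# Constructed sample: the folders each role genuinely needs for its job.
ROLE_BASELINE = {
    "program_coordinator": {"Programs"},
    "bookkeeper": {"Finance"},
    "executive_director": {"Finance", "HR", "Programs", "Donors"},
}

# Constructed sample: account -> (role, group memberships).
# 'bob' kept an HR group from a previous duty; 'intern_shared' is a shared
# login that someone added to the leadership group for convenience.
ACCOUNTS = {
    "alice": ("program_coordinator", {"program-staff"}),
    "bob": ("bookkeeper", {"finance-team", "hr-team"}),
    "intern_shared": ("program_coordinator", {"program-staff", "leadership"}),
}


def reachable_folders(groups):
    """Folders an account can open given its group memberships."""
    return {folder for folder, allowed in FOLDER_ACCESS.items() if groups & allowed}


def blast_radius(account):
    """Everything an attacker holding this account's credentials could read."""
    _role, groups = ACCOUNTS[account]
    return reachable_folders(groups)


def excess_access(account):
    """Folders reachable beyond what the account's role baseline requires."""
    role, groups = ACCOUNTS[account]
    return reachable_folders(groups) - ROLE_BASELINE[role]


def audit():
    """Accounts whose access exceeds their role, for a board-level report."""
    return {name: sorted(excess_access(name)) for name in ACCOUNTS if excess_access(name)}


if __name__ == "__main__":
    for name, extra in audit().items():
        print(f"{name}: over-provisioned for {', '.join(extra)}")
```

Run against a real export of group memberships and share permissions, the same comparison gives the audit or risk committee a concrete list of accounts to trim before the next briefing.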

Cyber Insurance: Safety Net or False Security?

What Policies Cover

Cyber policies can pay for forensic specialists, legal counsel, ransom negotiations, and public-relations campaigns. Some even offer breach coaches.

How Underwriters Assess Nonprofits

Insurers increasingly ask for proof of MFA, offline backups, and incident response plans. Without these, premiums soar or coverage is denied.

Avoiding Common Exclusions

Read the fine print. Some policies exclude social-engineering fraud unless you meet stringent email-control requirements. Align your controls before the renewal date.

Incident Response Planning on a Shoestring

Building the Team

Identify a response leader, legal advisor, communications lead, and IT point person. Small shops can rely on external counsel and managed-service providers.

Communication and Disclosure

Prepare templated messages for donors, regulators, and staff. Timely, transparent updates preserve trust.

Tabletop Exercises

Simulate a ransomware attack once a year. Use a deck of scenario cards, a whiteboard, and pizza. The goal is muscle memory, not perfection.

Steps Boards Should Take Immediately

  • Ask the Right Questions: Which systems hold sensitive data? When was the last penetration test? How quickly can we restore from backup?
  • Allocate Budget Strategically: Prioritize controls that lower the greatest risk, not the flashiest tools.
  • Mandate Regular Reporting: Require quarterly cyber briefings alongside financial statements.

Conclusion

Cybersecurity is now table stakes for mission success. Treating it as an IT line item misses the broader fiduciary picture. When the board embraces its duty of care in the digital realm, the organization safeguards donor trust, protects vulnerable communities, and demonstrates modern governance.

Protect More Than Your Mission: Protect Your Data

Your nonprofit’s reputation, donor trust, and financial health are only as secure as your cybersecurity posture. Treating cyber risk as a governance issue isn’t optional—it’s part of your fiduciary duty.

Learn how we can help you lead with confidence.
Visit baldwincpas.com/non-profit to start a conversation today.
Frequently Asked Questions

How often should our board review cybersecurity policies?

At least annually, with interim updates when new threats or regulations emerge.

Is cyber insurance worth the premium?

Yes, provided you meet underwriting requirements and understand exclusions. Think of it as a financial backstop, not primary defense.

What is the first control we should implement if funds are tight?

Enable multi-factor authentication on every cloud account. It offers the highest risk-reduction per dollar spent.

Do small nonprofits really need an incident response plan?

Absolutely. Even a one-page checklist of contacts, systems, and first steps can cut downtime dramatically.