When the pandemic pushed galas online and moved staff into hybrid roles, nonprofits accelerated their digital transformation. Virtual events, cloud CRMs, and mobile donations made giving easier, but they also expanded the attack surface. According to BoardEffect, half of nongovernmental organizations reported being targeted by a cyberattack in 2021, and nine in ten admit they do not train staff regularly on cyber hygiene. In short, the sector is more connected than ever, yet still underprepared.
Community IT’s 2025 Incident Report recorded almost 500 suspected account compromises last year and noted that identity-based attacks are practically guaranteed for small and mid-sized nonprofits. These stories rarely make national news, but the financial fallout hits hard: ransom payments, forensic consultants, legal counsel, and donor trust erosion can exceed the cost of a new program. If the board fails to act, the mission suffers.
Board members must exercise reasonable care when overseeing organizational assets. In 2025, donor databases and beneficiary records are as valuable as endowment funds. Ignoring cyber risk is essentially ignoring asset protection.
The duty of loyalty demands decisions that serve the nonprofit’s best interest. Resilience planning, including incident response and business continuity, shows loyalty to staff, donors, and program recipients whose data you hold in trust.
From state breach-notification laws to GDPR and HIPAA, nonprofits face an expanding web of regulations. Boards that neglect security may inadvertently steer the organization out of compliance, putting tax-exempt status, grants, and partnerships at risk.
A breach that leaks donor credit-card data or patient health information can stall fundraising for months. Every dollar spent on incident remediation is a dollar diverted from programs—no board wants that on its watch.
Cyber liability resembles any other strategic risk. Just as the finance committee reviews investment policies, the board’s audit or risk committee should scrutinize password policies, backup routines, and insurance riders.
Lawsuits against corporate boards for lax security are growing, and similar actions are creeping into the nonprofit arena. Failing to implement basic safeguards could be construed as negligence.
Old Windows servers that no longer receive security patches are still common in resource-strapped environments. Attackers scan for them and exploit known, unpatched flaws with off-the-shelf malware in minutes.
Gift card scams and bogus wire transfers often start with a single phishing email. In many nonprofits, one distracted intern can expose the entire network.
Payment processors, volunteer portals, and outsourced IT vendors all connect to your data. A breach in any of them can ricochet into your environment, so vendor due diligence is non-negotiable.
Culture flows from the boardroom. When trustees ask about MFA adoption as readily as they ask about cash flow, staff take notice.
Cyber policies should be written in plain language, not tech jargon. Post them on the intranet and revisit them annually.
MFA blocks the overwhelming majority of automated account-takeover attempts (Microsoft's often-cited figure is 99.9 percent), yet many nonprofits still rely on passwords alone. Free authenticator apps or physical security keys cost far less than breach cleanup. Prefer security keys where you can: SMS codes and push prompts can be relayed through a look-alike phishing site or worn down by repeated prompts, whereas a FIDO2 key only answers the genuine site.
Automate operating-system and software updates. Weekend volunteers can help monitor patch dashboards if you lack full-time IT staff.
Cloud mail platforms such as Microsoft 365 and Google Workspace include enterprise-grade filtering, but the stronger protections often sit in a higher licence tier. Turn on the advanced threat-protection features your plan includes (Defender for Office 365, or Google's enhanced phishing and malware protection), and put the platform's threat reports in front of the board.
Short monthly simulations keep staff alert. Community IT saw a 20 percent uptick in nonprofits adopting formal training in 2024, which coincided with fewer confirmed compromises.
Staff should have access only to the data their roles require. Separating finance, HR, and program folders, with access reviewed each quarter, limits the blast radius when a single account is compromised.
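To make the blast-radius point concrete, here is an added example (not from the original article, and not Community IT's or any vendor's tooling) that audits a folder-sharing export against a role matrix and then asks which folders one phished account could reach. The CSV layout, the role matrix, the domain example.org and every account in it are constructed assumptions; it is not the export format of Microsoft 365 or Google Workspace.

```python
"""Least-privilege audit over a folder-sharing export (added example).

Assumes a hypothetical CSV export with columns folder, principal, role, scope.
This is NOT the export format of any real file-sharing product.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

ORG_DOMAIN = "example.org"  # assumption: staff accounts live in this domain

# Hypothetical role-to-area matrix: the roles with a business need for each top-level folder.
ALLOWED_ROLES = {
    "Finance": {"finance"},
    "HR": {"hr"},
    "Programs": {"programs"},
    "Shared": {"finance", "hr", "programs", "intern", "volunteer"},
}

# Link-sharing scopes that grant access without naming a person.
BROAD_SCOPES = {"organization", "anyone_with_link"}

# Constructed sample export. '*' means a sharing link rather than a named account.
SAMPLE_EXPORT = """folder,principal,role,scope
Finance/Payroll,alice@example.org,finance,direct
Finance/Payroll,sam.intern@example.org,intern,direct
HR/Personnel,bob@example.org,hr,direct
HR/Personnel,*,,organization
Programs/Case Notes,cara@example.org,programs,direct
Programs/Case Notes,dev@example.org,finance,direct
Shared/Newsletter,*,,anyone_with_link
"""


@dataclass(frozen=True)
class Finding:
    folder: str
    principal: str
    reason: str


def _rows(export_csv: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(export_csv)))


def _area(folder: str) -> str:
    # Top-level folder name decides which part of the role matrix applies.
    return folder.split("/", 1)[0]


def audit(export_csv: str) -> list[Finding]:
    """Flag grants that exceed the role matrix or expose a restricted area through a link."""
    findings: list[Finding] = []
    for row in _rows(export_csv):
        area = _area(row["folder"])
        allowed = ALLOWED_ROLES.get(area)
        if allowed is None:
            findings.append(Finding(row["folder"], row["principal"], f"area '{area}' is not in the role matrix"))
            continue
        if row["scope"] in BROAD_SCOPES:
            # Links bypass named grants entirely; only the Shared area may use them.
            if area != "Shared":
                findings.append(Finding(row["folder"], row["principal"], f"{row['scope']} link on restricted area '{area}'"))
            continue
        if row["role"] not in allowed:
            findings.append(Finding(row["folder"], row["principal"], f"role '{row['role']}' has no business need for '{area}'"))
    return findings


def blast_radius(export_csv: str, principal: str) -> set[str]:
    """Folders one compromised account can reach: its direct grants plus any link it qualifies for."""
    in_org = principal.endswith("@" + ORG_DOMAIN)
    reachable: set[str] = set()
    for row in _rows(export_csv):
        if row["principal"] == principal:
            reachable.add(row["folder"])
        elif row["scope"] == "anyone_with_link" or (row["scope"] == "organization" and in_org):
            reachable.add(row["folder"])
    return reachable


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f.folder}: {f.principal}: {f.reason}")
    print("If the intern's account is phished:", sorted(blast_radius(SAMPLE_EXPORT, "sam.intern@example.org")))
```

On the sample data the audit reports three findings (an intern granted Payroll, an organization-wide link on HR, and a finance user holding case notes), and a phished intern account would reach three folders. Remove the intern's stray grant and the HR link and the same account reaches only the newsletter folder, which is the reduction in blast radius the paragraph above describes. Run the audit against a real export each quarter and hand the findings, not the spreadsheet, to the risk committee.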
Cyber policies can pay for forensic specialists, legal counsel, ransom negotiations, and public-relations campaigns. Some even offer breach coaches.
Insurers increasingly ask for proof of MFA, offline backups, and incident response plans. Without these, premiums soar or coverage is denied.
Read the fine print. Some policies exclude social-engineering fraud unless you meet stringent email-control requirements, and many require an out-of-band callback before any change to payment details is honored. Align your controls with those conditions before the renewal date.
Identify a response leader, legal advisor, communications lead, and IT point person. Small shops can rely on external counsel and managed-service providers.
Prepare templated messages for donors, regulators, and staff. Timely, transparent updates preserve trust.
Simulate a ransomware attack once a year. Use a deck of scenario cards, a whiteboard, and pizza. The goal is muscle memory, not perfection.
Cybersecurity is now table stakes for mission success. Treating it as an IT line item misses the broader fiduciary picture. When the board embraces its duty of care in the digital realm, the organization safeguards donor trust, protects vulnerable communities, and demonstrates modern governance.
Your nonprofit’s reputation, donor trust, and financial health are only as secure as your cybersecurity posture. Treating cyber risk as a governance issue isn’t optional—it’s part of your fiduciary duty.
Learn how we can help you lead with confidence.
Visit baldwincpas.com/non-profit to start a conversation today.
Review cyber policies at least annually, with interim updates when new threats or regulations emerge.
Cyber insurance is worth carrying, provided you meet the underwriting requirements and understand the exclusions. Think of it as a financial backstop, not a primary defense.
Enable multi-factor authentication on every cloud account. It offers the highest risk-reduction per dollar spent.
Yes, even the smallest nonprofit needs an incident response plan. A one-page checklist of contacts, systems, and first steps can cut downtime dramatically.