An understanding of cybersecurity for nonprofits is crucial to keeping organizations safe – but cybersecurity is complicated and constantly changing. How can nonprofits keep up?

We’re here to help. In this article, we’ll unpack three topics that are essential in understanding cybersecurity risk for nonprofits:

In doing so, we won’t comprehensively cover every area of cybersecurity (that’d be nearly impossible) – but we will lay out a framework for navigating cybersecurity for nonprofits that will benefit your decision-making.

Ready? Here’s how to understand nonprofit cybersecurity risk.

1. Are nonprofits at risk of cyberattacks?

The answer to this question, unfortunately, is that nonprofits certainly are at risk of cyberattacks – and, unfortunately, the level of risk is relatively high.

There are two main factors at play here. First, nonprofits often have access to valuable data: donor credit card data, for example, or personally identifiable information (PII) of individuals being supported. So, there’s incentive for cybercriminals to target nonprofits.

Second, nonprofits are often operating with lower security measures in place than for-profit organizations. This is partly due to budget restraints. Corporations are simply able to afford a cybersecurity focus that nonprofits may not be able to – there’s a gap in tools, personnel, and strategy. According to NTEN, for example, 68% of nonprofits don’t have documented policies and procedures in case of a cyberattack. On top of that, many nonprofits use open source software, meaning that any vulnerabilities quickly become public knowledge.

With these factors taken together, the risk is significant. And that’s borne out by the data; nearly one in five nonprofits is impacted by a cyberattack in a given year.

2. What types of cybersecurity risks do nonprofits face?

We’ve confirmed that nonprofits are at risk. Now, let’s unpack what those risks are.

Admittedly, this is complicated. Cybersecurity is broad, deep, and constantly changing, and new attacks and defense mechanisms are deployed every day. To answer our question, though – what types of cybersecurity risks do nonprofits face? – two lines of classification will be helpful: the outcome of an attack and its method of delivery.

Cyberattack Outcomes

To start, let’s classify the type of cybersecurity risks nonprofits face by the outcomes that cyberattacks are designed to achieve. There are three outcomes that are most common:

Data breach.

A data breach occurs when proprietary or personally identifiable data is accessed without authorization. This can occur through third-party attacks, malicious insider activity, or simple negligence. Breaches happen often, and when they happen to big companies, they make headlines – think the Equifax breach, which exposed the personal data of 143 million people.

Nonprofits rarely operate at the same scale, but the effects of a breach can still be devastating, both in terms of reputation damage and regulatory fees.


Some cyberattacks are simply purposed to bring down systems. Sometimes, this is done with intent to compromise the mission of an organization; there are many nonprofits that have active ideological opponents. Sometimes, attacks aren’t targeted; an employee may accidentally bring a malware-infected device onto the network, for example, which could end up shutting down critical systems.

Regardless of intent, though, downtime can impede essential work.

Ransom demand.

Finally, some cyberattacks are purposed to elicit ransom payments. These are termed ransomware.

Ransomware is meant to shut down an organization’s systems until payment is delivered to the hackers. Once payment is made, hackers will (supposedly) provide access to a key that unlocks functionality. Some organizations simply make the payment and hope the hackers keep their end of the bargain; some (like the city of Baltimore, Maryland, last year) go to any means necessary to get systems online – an approach which often carries huge costs.

Cyberattack Delivery Methods

While most cyberattacks are purposed toward one of the three outcomes listed above, there are a nearly endless variety of delivery methods. Here are a few of the most common:

Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.

These attacks attempt to overwhelm a system’s resources so that it simply can’t respond to requests.

Phishing and spear phishing attacks.

Phishing and spear phishing attacks use content from spoofed trusted sources to attempt to gain personal information. The most common version of this is email phishing – for example, nonprofit HR employees may receive a spoofed email from the “CEO,” requesting the receipt of W2s for a list of employees.

Drive-by attack

Drive-by attacks use insecure websites to affect the machines of visitors. Hackers insert a script on the page that might install malware, for example. This method is particularly challenging to address because it doesn’t on any user activity to enable the attack.

SQL injection attack

Database-driven websites are particularly vulnerable to SQL injection. These attacks use a SQL query to the database to gain unauthorized access to data on the server.

Malware attack

“Malware” is a broad category of cyberattack, but, in general, it refers to software that’s installed in your system without your consent and is then used to cause harm. It may self-propagate (meaning spread to other machines or applications), or it may simply execute its function in a single place.

3. How can nonprofits reduce cybersecurity risk?

To this point, we’ve confirmed that nonprofits are at risk of cyberattacks and have scratched the surface of identifying what those risks are. In other words, we’ve painted a pretty negative picture.

There’s good news, though: nonprofits can reduce cybersecurity risk.

And, while the methods of reducing risk can become complex in application, in principle they’re fairly straightforward. To reduce cybersecurity risk, nonprofits should:

Document protocols.

As research by NTEN and others shows, nonprofits often don’t have documentation in place – but they should. Robust cybersecurity policies can lessen the likelihood of an incident in the first place, and response documentation can give teams quick paths forward to minimize damage in the event of an attack.

Train users.

Nearly 60% of nonprofit organizations don’t provide any sort of regular cybersecurity training to users. Training users on best practices is an impactful way of reducing risk; ignorant user action leads to far too many successful attacks.

Make systems redundant.

Systems should be redundant, meaning that there should be multiple instances of mission-critical data and systems so that if one instance is compromised, recovery is possible. Basically, nonprofits should diligently back things up. This greatly reduces the damage that a cyberattack can cause.

Harden systems.

In addition to backing things up, nonprofits should also take steps to harden systems. Doing this effectively will likely involve a risk assessment. Generally, solutions involve implementing antivirus or other security software, and may include proactive monitoring as well.

And, last, but not least:

Get help.

The best way to counter cybersecurity risk for nonprofits is to work with an expert IT firm that can enact all of these principles in your environment.

Ready to reduce cybersecurity risk for your nonprofit?

At Community IT Innovators, we’ve found that many nonprofit organizations deal with more cybersecurity risks than they should have to after settling for low-cost IT support options they believe will provide them with the right value.

As a result, cyber damages are all too common.

Our process is different. Our techs are nonprofit cybersecurity experts. We constantly research and evaluate new technology solutions to ensure that you get cutting-edge solutions that are tailored to keep your organization secure. And we ensure you get the highest value possible by bringing 25 years of expertise in exclusively serving nonprofits to bear in your environment.

If you’re ready for nonprofit IT support that drastically reduces cybersecurity risk, let’s talk.