Protecting your Nonprofit from Cybersecurity Threats

October 8, 2025

Organizations today face a litany of technological worries when it comes to protecting against cyberattacks. Bad actors can paralyze systems with ransomware, capture sensitive data through phishing schemes, or simply steal data to be sold on the dark web or used for other malicious purposes. While the financial consequences can be devastating to a not-for-profit, the reputational damage and loss of trust in the community can be even more difficult to recover from.

Does your organization conduct e-commerce to process donations or event registrations electronically? Is personally identifiable information collected for donors, patrons, mailing lists, etc.? Do you have other sensitive financial information stored electronically? Not-for-profit organizations can be particularly tempting targets for cybercriminals for all of these reasons. To make matters worse, many organizations have limited resources to hire or contract with IT professionals to help address these risks. This article will highlight five steps that can be taken right now to make your organization more resilient to these ever-growing threats.

1. Arm your employees with knowledge

Employees can unwittingly open the door to cyberattacks by falling victim to phishing e-mail scams or inadvertently downloading malicious software. Phishing e-mails can be very convincing and appear to be from legitimate sources, but in reality they are sent by scammers to trick your employees into divulging sensitive information or login credentials. Everybody in the organization should receive training on how to identify the red flags of such scams. Internal procedures should be established to ensure employees receive training during the onboarding process and a refresher course at least annually. There are many free training videos and tools available online, including at cisa.gov, to help build your team’s awareness of cybersecurity risks and how to avoid falling for the traps.

2. Make use of multifactor authentication tools

When passwords and login credentials fall into the wrong hands, multifactor authentication can prevent unauthorized users from signing in. Also known as two-step verification, it works by prompting users to provide a second factor in order to sign in. A common way this is achieved is by sending a unique PIN to a predetermined phone number or email address. That PIN must then be entered by the user in addition to the password before access is granted. Most financial institutions now offer multifactor authentication as an optional security measure for online banking. This is often a free and very effective tool for preventing account takeovers and other fraud. In addition to banking, many software programs also offer this feature.
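To make the "PIN sent to a phone or email" step concrete, here is an added example (not code from the article) of how the server side of that second step should behave: the PIN is generated with a cryptographic random source, stored only as a hash, expires, is single use, and is invalidated after a few wrong guesses. The class name, the 5-minute window and the 3-attempt limit are assumptions.

```python
# Added example: a minimal server-side model of a one-time PIN second factor.
# OtpStore, the 5-minute validity window and the 3-attempt limit are assumptions.
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6
TTL_SECONDS = 300      # assumed: a PIN is valid for 5 minutes
MAX_ATTEMPTS = 3       # assumed: a PIN is burned after 3 wrong guesses


def _digest(pin: str) -> str:
    # Only the hash is kept, so a leaked store does not expose live PINs.
    return hashlib.sha256(pin.encode()).hexdigest()


class OtpStore:
    """Holds one outstanding PIN per user after the password step succeeded."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # user -> (pin_hash, expires_at, attempts_left)

    def issue(self, user: str) -> str:
        # secrets (a CSPRNG), not random.randint, so the PIN is unpredictable.
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        self._pending[user] = (_digest(pin), self._now() + TTL_SECONDS, MAX_ATTEMPTS)
        return pin  # delivered out of band (SMS/email), never shown in the browser

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                     # nothing outstanding, or already used
        pin_hash, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[user]          # expired: the user must request a new PIN
            return False
        # Constant-time compare so timing does not reveal how many digits matched.
        if hmac.compare_digest(pin_hash, _digest(submitted)):
            del self._pending[user]          # single use: burn the PIN on success
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user]          # too many guesses: invalidate the PIN
        else:
            self._pending[user] = (pin_hash, expires_at, attempts_left)
        return False
```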

3. Enable automatic software updates

Cybercriminals often look for vulnerabilities in software that isn’t up to date as an easy way to break into your network and infect your devices with malicious software or steal data. You can take a major step in preventing this by simply turning on automatic updates for computer operating systems (e.g. Windows or Apple OS) and other software installed on computers, phones and other devices with access to the organization’s network. When automatic updates are not available, organizations should institute policies and procedures for keeping software up to date.

4. Secure your wireless network

Having a wireless network without proper security measures in place can seriously expose your organization. Take these important steps to enhance security:

  • Turn on encryption and firewall protections when setting up your network. Encryption prevents anyone who accesses your network from being able to view the data being transmitted. Firewalls are network security tools that serve as a barrier between your trusted internal networks and untrusted external networks.
  • Many network routers come with default passwords to allow for ease in setup. Always change default passwords to new, stronger passwords that are difficult to guess. Strong passwords typically include upper-case and lower-case characters, numbers, and special characters such as *,!,^,#,$, etc.
  • Set up a separate “guest” account on your wireless network to restrict access. A guest account serves as a separate wireless channel that is isolated from your secure, primary channel. The guest channel should always have a different password than your primary channel.

5. Consider cyber liability insurance

A cyber liability policy is intended to cover losses resulting from data breaches and other cyberattacks. The range of coverage for such policies can vary greatly, from basic services that simply notify affected parties of data breaches to more comprehensive plans that cover lost funds, costs to recover or repair data, and even public relations consultants to help the organization repair reputational damage. It’s important to first understand your organization’s specific risks and liability exposure, and to thoroughly review what is covered when selecting a policy.
