Cybersecurity Checklist for Nonprofits
Nonprofits combine attackers' favorite conditions: donor financial data, grant funds moving by wire, volunteer-heavy access sprawl, and thin IT budgets. A breach costs donor trust — the one asset a nonprofit can't rebuild with a grant. The good news: most nonprofit incidents are preventable with free-to-cheap controls.
The threats that actually hit nonprofits
Donor-data theft
CRMs full of names, addresses, giving history, and stored payment methods are identity-theft kits — and donor notification letters devastate retention.
Grant and payroll wire fraud
Attackers impersonate executive directors or grantors to redirect disbursements; nonprofits' public transparency makes the impersonation easy to research.
Access sprawl from volunteers and turnover
Years of shared logins, departed staff, and volunteer accounts accumulate into an unauditable attack surface.
How many of these boxes can you actually check?
Find out in 3 minutes. CyberGrade grades your security posture A+ through F and shows your top risks — free, no email required to start.
Get Your Free Security Grade
The checklist
1. Turn on MFA everywhere — email, CRM, banking, payroll
Effort: quick win. Most nonprofit breaches start with one phished account; MFA is free and blocks that attack pattern.
2. Claim nonprofit software discounts (security tools included)
Effort: an afternoon. Google, Microsoft, and most security vendors offer free or steeply discounted nonprofit tiers; budget is less of a barrier than awareness.
3. Verify any payment or banking change by phone
Effort: quick win. ED impersonation fraud works by creating urgency over email; a call-back policy, using a number you already have on file rather than one in the email, defuses it.
4. Give every staffer and volunteer their own account, and expire volunteer access
Effort: an afternoon. Shared logins plus turnover equals zero accountability; expiration dates automate the cleanup nobody remembers to do.
5. Limit donor-database exports and track who can run them
Effort: an afternoon. The full-CRM export is the breach; most roles need lookup access, not download access.
6. Back up the CRM and finance systems off-site, and test the restore
Effort: an afternoon. Donor history is the organization's memory; ransomware shouldn't be able to erase it.
7. Train staff and key volunteers on phishing yearly
Effort: ongoing. Volunteer-heavy orgs have wide, rotating human attack surfaces; brief training moves the needle disproportionately.
8. Add cyber questions to your board's annual risk review
Effort: quick win. Boards own risk oversight; ten minutes a year keeps security funded and the ED covered.
Frequently asked questions
Why would hackers attack a charity?
Because charities hold the same data and move the same money as businesses, with fewer defenses. Attackers don't read mission statements — they scan for open doors, and resource-constrained organizations have more of them.
What does a donor-data breach actually cost?
State breach-notification laws apply to nonprofits, so there are legal and notification costs — but the deeper cost is donor trust: donors who receive a breach letter demonstrably reduce future giving. Prevention is donor retention.
We have no IT budget. Where do we start?
The first four items on this checklist cost approximately nothing: MFA is free, call-back verification is a policy, nonprofit software discounts are unclaimed money, and access cleanup is an afternoon. Do those, then run a free assessment to prioritize what's next.