Most nonprofit breaches don't come from sophisticated nation-state hackers. They come from a reused password, a clicked phishing link, an unpatched laptop, or a contractor who still had admin access two years after the project ended. The good news: a small organization can close the vast majority of that risk with a handful of free, well-documented controls. According to CISA, turning on multifactor authentication (MFA) alone makes an account about 99% less likely to be compromised (CISA, as of 2026 — verify).
This page lays out a realistic security baseline for a small nonprofit with little or no in-house IT: MFA everywhere, a password manager, automatic 3-2-1 backups, prompt updates, phishing and ransomware awareness, least-privilege access, encryption, vendor due diligence, and a simple written breach-response plan. We map each piece to free guidance from CISA and the NIST Cybersecurity Framework 2.0 so you can go deeper without paying for a consultant on day one.
What this page is — and isn't
This is a plain-language operational starting point, not legal advice. Data-breach notification duties, donor-privacy obligations, and PCI requirements vary by state, by country, and by the payment tools you use. Confirm your specific obligations with counsel and your payment processor before you rely on anything here.
Why small nonprofits get targeted
Attackers don't skip you because you're small or mission-driven — they often target you because you're small. Nonprofits hold exactly the data criminals want (donor names, emails, payment details, sometimes sensitive client records) while typically running on lean budgets, volunteer-managed systems, and shared logins. That combination makes them efficient targets.
The threats that actually hit small organizations are mostly mundane and automated:
- Phishing and business email compromise (BEC) — a fake invoice, a spoofed "the ED needs gift cards" request, or a login page that harvests your credentials.
- Ransomware — malware that encrypts your files and demands payment. StopRansomware.gov is the U.S. government's central hub for prevention and response resources.
- Credential stuffing — attackers replay passwords leaked from other breaches against your email and donor platform.
- Stale access — former staff, board members, or vendors who still have keys to your accounts.
None of these require a big security budget to defend against. They require a few consistent habits, which is what the rest of this page builds out. If you're standing up operations from scratch, pair this with our broader operations guidance and document retention policy.
Map your work to free CISA & NIST guidance
You don't need to invent a security program. Two free, government-backed resources already organize the work, and your job is mostly to follow them at a small scale.
The NIST Cybersecurity Framework (CSF) 2.0 Small Business Quick-Start Guide organizes everything into six functions. Think of them as the lifecycle of managing risk (NIST, as of 2026 — verify):
| CSF 2.0 function | Plain-language question | Small-nonprofit example |
|---|---|---|
| Govern | Who owns security, and what's our policy? | Name one accountable person; write a one-page acceptable-use policy. |
| Identify | What data and systems do we have? | List your accounts, devices, donor data, and who can access each. |
| Protect | How do we prevent incidents? | MFA, password manager, updates, backups, least privilege. |
| Detect | How would we notice something wrong? | Turn on login alerts; review who accessed donor records. |
| Respond | What do we do when it happens? | A written breach-response plan with names and phone numbers. |
| Recover | How do we get back to normal? | Tested backups and a communications plan. |
CISA's Cyber Guidance for Small Businesses and its MFA Toolkit translate the "Protect" function into concrete steps. Sector-specific help is available too: the NTEN cybersecurity community and TechSoup's Digital Resilience program are built for nonprofit realities and budgets.
The core security baseline
These are the highest-leverage controls. If you do nothing else this quarter, do these — they map directly to the CSF 2.0 Protect function and block the threats described above.
1. Turn on MFA everywhere. Start with email, your donor/CRM platform, your payment processor, cloud file storage, and any admin accounts. CISA reports MFA makes an account roughly 99% less likely to be hacked (CISA, as of 2026 — verify). Prefer an authenticator app or a hardware security key over SMS text codes where you can; CISA recommends moving toward phishing-resistant FIDO/WebAuthn methods over time.
2. Use a password manager. Reused passwords are how one breach becomes five. A manager generates and stores unique passwords so staff only remember one strong passphrase. Bitwarden offers a capable free tier and low-cost team plans.
3. Automate 3-2-1 backups. Keep 3 copies of important data, on 2 different media, with 1 copy offsite or offline. CISA endorses 3-2-1 and recommends backups be encrypted, kept offline or immutable (unchangeable within a retention window), and tested by actually restoring them — an untested backup is a hope, not a control. See the #StopRansomware Guide.
4. Patch and update promptly. Turn on automatic updates for operating systems, browsers, and apps. Most exploited vulnerabilities already have a fix available — the gap is installing it.
5. Train against phishing. Teach the team to slow down on urgent money requests, hover over links, and verify wire/gift-card requests through a second channel (a phone call to a known number). One 20-minute session plus a posted reminder beats no training.
6. Apply least privilege. Give each person the minimum access they need, and review it. When someone leaves — staff, board, or vendor — revoke access the same day. Keep an offboarding step in your volunteer and staff exit process.
7. Encrypt devices. Turn on full-disk encryption (BitLocker on Windows, FileVault on Mac) so a lost laptop isn't a data breach. Ensure your cloud tools use encryption in transit and at rest (most reputable ones do).
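Item 6 (least privilege and same-day offboarding) becomes much easier when the access review is a repeatable check rather than a memory exercise. The script below is an added example, not code from the original page: it assumes a CSV user export from your CRM with email, role and last_login columns, a roster of current staff, board and vendors, and a 90-day dormancy threshold, all constructed here.

```python
import csv
from datetime import date, datetime

# Constructed sample export of a donor CRM's user list (hypothetical data).
ACCOUNTS_CSV = """email,role,last_login
director@example.org,admin,2026-06-10
bookkeeper@example.org,admin,2026-06-12
volunteer.coord@example.org,editor,2026-06-01
oldvendor@consultancy.example,admin,2024-03-18
boardchair@example.org,viewer,2025-11-20
"""

# Constructed roster: everyone who should currently have any access at all.
CURRENT_PEOPLE = {"director@example.org", "bookkeeper@example.org",
                  "volunteer.coord@example.org", "boardchair@example.org"}

STALE_DAYS = 90  # assumption: 90 days without a login means access must be re-justified
REVIEW_DATE = date(2026, 6, 16)  # constructed review date for the sample


def parse_accounts(csv_text):
    """Parse the export, turning last_login into a real date."""
    rows = []
    for row in csv.DictReader(csv_text.strip().splitlines()):
        row["last_login"] = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
        rows.append(row)
    return rows


def review_access(accounts, current_people, today=REVIEW_DATE, stale_days=STALE_DAYS):
    """Return {email: [reasons]}: off-roster -> revoke today; dormant -> re-justify; admin -> high priority."""
    findings = {}
    for acct in accounts:
        reasons = []
        if acct["email"] not in current_people:
            reasons.append("not on current roster: revoke today")
        elif (today - acct["last_login"]).days > stale_days:
            reasons.append(f"no login in over {stale_days} days: confirm still needed")
        # An admin account can reset everyone else, so any finding on it comes first.
        if reasons and acct["role"] == "admin":
            reasons.append("holds admin role: treat as high priority")
        if reasons:
            findings[acct["email"]] = reasons
    return findings


if __name__ == "__main__":
    for email, reasons in review_access(parse_accounts(ACCOUNTS_CSV), CURRENT_PEOPLE).items():
        print(email, "->", "; ".join(reasons))
```

Run it once a quarter against a fresh export; any account that appears in the output gets revoked or re-justified the same day.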
If you only have one hour this week
- Turn on MFA for the email account that can reset every other password.
- Confirm your donor data is backing up automatically — and restore one test file.
- Remove access for one person who no longer needs it.
Donor data, privacy & PCI basics
Trust is a nonprofit's core asset, and donor data is where security and privacy meet. A few principles keep you out of trouble.
Collect less, keep it shorter. The safest data is the data you never stored. Don't capture sensitive information you don't need, and set retention limits so old records are purged — align this with your document retention policy. Less data means a smaller blast radius if you're breached.
Never store raw card numbers. This is the heart of PCI DSS (the Payment Card Industry Data Security Standard). The simplest path for a small nonprofit is to not handle card data directly at all: use a reputable processor (such as Stripe, PayPal, or a donation platform) so card numbers go straight to them and never touch your systems. That dramatically shrinks your PCI scope. Ask your processor which PCI Self-Assessment Questionnaire (SAQ) applies to you (as of 2026 — verify with your processor).
Do vendor and data due diligence. Every CRM, email tool, and form builder that touches donor data is part of your security perimeter. Before you sign up, check: Do they offer MFA? Do they encrypt data? Do they publish a security/privacy page and a breach-notification commitment? Is there a data processing agreement? Limit how many tools touch your donor list in the first place.
Write a short privacy notice. Tell donors what you collect, why, and that you don't sell their data. It builds trust and is increasingly expected. See our website essentials guide for where this lives on your site.
Know your breach-notification duties in advance
If donor or client personal data is exposed, you may be legally required to notify affected individuals — and sometimes regulators — within specific timeframes that vary by state and country. Don't research this during a crisis. The FTC's Data Breach Response guide includes a model notification letter; confirm your specific obligations with counsel now (as of 2026 — verify).
Your 12-point security baseline checklist
Print this, assign an owner to each line, and put a review date on the calendar (quarterly is reasonable for most small orgs). Each item maps to the CISA/NIST guidance above.
Small-Nonprofit Security Baseline
- MFA on email + admin accounts — start with the account that can reset all others.
- MFA on donor/CRM + payment platforms — protect the data and the money.
- Password manager rolled out — unique passwords for every account.
- 3-2-1 backups running automatically — three copies, two media, one offsite/offline.
- Backup restore tested — you've actually recovered a file this quarter.
- Automatic updates on — OS, browsers, and apps patch themselves.
- Full-disk encryption enabled — every laptop and phone with org data.
- Least-privilege access reviewed — each person has only what they need.
- Same-day offboarding — departing people and vendors lose access immediately.
- Phishing awareness done — team trained to verify money requests by phone.
- Vendor due diligence — every tool touching donor data offers MFA + encryption.
- Written breach-response plan — names, numbers, and first steps, stored offline.
Want a fillable version and other operations templates? See the templates library.
Build a simple breach-response plan
A breach-response plan is just a short, pre-written answer to the question: "What do we do in the first 24 hours?" Decisions made calmly in advance are far better than ones made in a panic. Keep your plan to one or two pages, store a copy offline (so ransomware can't lock you out of your own plan), and base it on the three steps in the FTC's Data Breach Response: A Guide for Business:
- Secure operations. Assemble your response team, take affected systems offline to stop the bleeding — but don't power machines off if forensic evidence may matter — and change compromised passwords.
- Fix the vulnerability. Find how they got in (a phished password? an unpatched server?) and close it before restoring service, so you're not breached again the same way.
- Notify the right people. Consult counsel on legal notification duties, then notify affected individuals, and where required, regulators, payment networks, and law enforcement. The FTC guide provides a model notification letter.
Your one-page plan should name: who leads, who decides on notification, your IT/forensics contact, your cyber-insurance contact (if you have a policy), your payment processor's fraud line, and your legal contact — all with phone numbers. This is the Respond and Recover half of the NIST framework made concrete.
Worked example: a small nonprofit phishing breach
Here's how the plan plays out in practice. Riverside Family Resource Center (4 staff, ~600 donors) discovers that its program director's email was phished — an attacker got the password and was reading messages, and sent a fake "update our banking details" email to two grant funders.
Timeline using the FTC's three steps:
| When | Step | Action taken |
|---|---|---|
| Hour 0 | Detect | A funder calls to confirm the "new bank account" — Riverside realizes the account is compromised. |
| Hour 0–1 | Secure | Reset the director's password from a clean device; revoke all active sessions; turn on MFA (it had been skipped on this account). |
| Hour 1–3 | Secure | Check email rules for hidden forwarding/auto-delete rules the attacker set; remove them. Review sent items for other fraudulent messages. |
| Hour 3–6 | Fix | Confirm no other accounts shared that password (the password manager shows they didn't). Enforce MFA org-wide. Run a phishing refresher. |
| Day 1 | Notify | Call both funders' real numbers to warn them the banking email is fraudulent. Consult counsel: because no donor financial data left the system, formal breach notification may not be triggered — but they confirm with a lawyer (as of 2026 — verify). |
| Day 1–2 | Recover | Document the incident, the timeline, and the fix in their records. Add "MFA on every account, no exceptions" to the baseline checklist. |
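The Hour 1–3 step (hunting for hidden forwarding or auto-delete rules) written as detection logic. This is an added example, not part of the original page: it assumes a hypothetical JSON export of the mailbox's inbox rules (constructed below) and that example.org is the organization's own mail domain.

```python
import json

ORG_DOMAIN = "example.org"  # assumption: the organization's own mail domain

# Constructed inbox-rule export in a hypothetical format (name, conditions, actions).
RULES_JSON = """[
  {"name": "Newsletter filing", "conditions": {"from_contains": "news@"},
   "actions": {"move_to_folder": "Newsletters"}},
  {"name": ".", "conditions": {"subject_contains": ["bank", "invoice", "payment"]},
   "actions": {"forward_to": ["collector@attacker-mail.example"], "delete": true}},
  {"name": "Board copy", "conditions": {"from_contains": "boardchair@example.org"},
   "actions": {"forward_to": ["director@example.org"]}},
  {"name": "RSS Feeds", "conditions": {},
   "actions": {"move_to_folder": "RSS Feeds", "mark_read": true}}
]"""

# Subjects an intruder typically wants to keep away from the real mailbox owner.
SENSITIVE_WORDS = {"bank", "invoice", "payment", "wire", "password", "mfa", "verify"}


def load_rules(text):
    return json.loads(text)


def audit_rules(rules, org_domain=ORG_DOMAIN):
    """Return {rule_name: [reasons]} for rules that look like attacker persistence."""
    findings = {}
    for rule in rules:
        reasons = []
        conds = rule.get("conditions", {})
        actions = rule.get("actions", {})
        # 1. Any forwarding to an address outside the org.
        for addr in actions.get("forward_to", []):
            if not addr.lower().endswith("@" + org_domain):
                reasons.append(f"forwards mail outside the org to {addr}")
        # 2. Deleting or filing away mail about money, passwords or verification.
        subjects = conds.get("subject_contains", [])
        subjects = [subjects] if isinstance(subjects, str) else subjects
        hits = SENSITIVE_WORDS & {s.lower() for s in subjects}
        if hits and (actions.get("delete") or actions.get("move_to_folder")):
            reasons.append("hides messages mentioning " + ", ".join(sorted(hits)))
        # 3. A rule with no conditions that moves everything out of the inbox.
        if not conds and actions.get("move_to_folder"):
            reasons.append("matches every message and moves it out of the inbox")
        if reasons:
            findings[rule["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(load_rules(RULES_JSON)).items():
        print(repr(name), "->", "; ".join(reasons))
```

Legitimate rules (filing newsletters, an internal copy to the director) pass; the two rules that hide or exfiltrate mail are the ones to delete, and their presence is also a sign that sent items and login history need a closer look.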
What made the difference
Three things contained this: a password manager proved the password wasn't reused elsewhere, a written plan meant nobody wasted the first hour debating, and verifying by phone caught the fraud before money moved. The one gap — MFA skipped on a single account — is exactly the kind of exception this baseline is designed to eliminate.
Fund your security upgrades without another grant deadline
Tools, backups, and training cost money small nonprofits rarely budget for. Good Circles gives you recurring, unrestricted income to cover exactly these gaps. A supporter picks your cause once, then a share of their everyday local spending funds you automatically — an estimated $72 per active supporter per year, or roughly $36,000 a year from 500 supporters. It's recurring, unrestricted, and free for nonprofits.
Sources & tools
Free first
- CISA Multifactor Authentication (MFA) Toolkit + StopRansomware.gov — Government toolkit for rolling out MFA, plus the central U.S. hub for ransomware prevention and response resources.
- NIST Cybersecurity Framework 2.0: Small Business Quick-Start Guide — Organizes security into six plain-language functions (Govern, Identify, Protect, Detect, Respond, Recover) sized for small organizations.
- FTC Data Breach Response: A Guide for Business — The three-step playbook for responding to a breach, including a model notification letter you can adapt in advance.
- NTEN Cybersecurity community — Nonprofit-specific cybersecurity guidance, training, and peer community built for mission-driven teams.
- TechSoup Digital Resilience — Nonprofit-focused security assessments, learning, and discounted tools to build digital resilience on a budget.
- Bitwarden (free password manager) — Open-source password manager with a capable free tier and low-cost team plans for generating and storing unique passwords.
Paid — optional labor-savers
- Managed IT / MSSP provider — An outsourced IT or managed security services provider that handles patching, monitoring, backups, and incident response for you. Worth it once you have paid staff, meaningful donor or client data, and no in-house IT person to own the baseline.
Last verified 2026-06-16. Figures and rules change — verify at the source before you act.
FAQ
What is the single most important cybersecurity step for a small nonprofit?
Turn on multifactor authentication (MFA), starting with the email account that can reset every other password, then your donor and payment platforms. CISA reports MFA makes an account roughly 99% less likely to be compromised (as of 2026 — verify). It is free on most platforms and blocks the most common attacks, like phishing and stolen passwords.
What does the 3-2-1 backup rule mean?
Keep three copies of your important data, on two different types of media, with one copy stored offsite or offline. CISA endorses 3-2-1 as a defense against ransomware and recommends backups be encrypted and immutable. Critically, you should test a restore regularly, because an untested backup is a hope rather than a control.
Do we have to worry about PCI compliance if we accept donations online?
Usually you can keep it simple by never touching card data directly. If you use a reputable processor or donation platform, card numbers go straight to them and never enter your systems, which dramatically shrinks your PCI DSS scope. Ask your processor which Self-Assessment Questionnaire applies to you, and never store raw card numbers yourself (as of 2026 — verify with your processor).
What should be in our breach-response plan?
Keep it to one or two pages, stored offline, following the FTC's three steps: secure operations (take affected systems offline and reset passwords), fix the vulnerability (close how they got in), and notify the right people (consult counsel, then tell affected individuals and any required regulators). List your response leader, IT or forensics contact, insurance and legal contacts, and your payment processor's fraud line, all with phone numbers.