The Blackbaud Breach Should Have Been a Wake-Up Call

In May 2020, a ransomware attack hit Blackbaud — one of the largest cloud computing providers serving nonprofits, hospitals, and universities. The breach exposed donor records, financial data, and Social Security numbers belonging to millions of people across hundreds of organizations. Blackbaud paid the ransom, then waited two months to tell its clients. The FTC took action, and the fallout continues into 2022.

If your nonprofit used Blackbaud, your donors' data was likely compromised — and you may not have had any say in it. That single incident captures everything wrong with the state of cybersecurity for nonprofits: dependency on third-party vendors, limited internal security resources, massive stores of sensitive personal data, and a cultural reluctance to invest in defense until something breaks.

This guide is built for nonprofit leaders, IT managers, and board members who know the threat is real but aren't sure where to start. I've spent years working with organizations that operate on tight budgets, and I'll walk you through the specific, practical steps that actually reduce risk — without requiring a Fortune 500 security budget.

Why Threat Actors Target Nonprofits Specifically

There's a dangerous myth that cybercriminals only go after big corporations. The reality is the opposite. According to the Verizon 2021 Data Breach Investigations Report, small organizations — those with fewer than 1,000 employees — accounted for a substantial share of confirmed data breaches. Nonprofits fit squarely in that category.

Here's why threat actors love targeting nonprofits:

  • Rich data, thin defenses. Nonprofits collect donor names, addresses, credit card numbers, health information, and sometimes immigration status. That data commands a premium on dark web markets.
  • Understaffed IT. Many nonprofits have one part-time IT person — or none at all. Security awareness training is often nonexistent.
  • Trust-based culture. Nonprofit employees are trained to be helpful and responsive. That makes them prime targets for social engineering and phishing attacks.
  • Outdated infrastructure. Donated hardware and software, unpatched systems, and legacy applications create wide-open attack surfaces.

I've seen nonprofits running donor management databases on machines that hadn't been patched in three years. That's not an edge case. It's the norm.

The $4.24M Question: Can Your Nonprofit Survive a Breach?

IBM's 2021 Cost of a Data Breach report pegged the global average cost of a data breach at $4.24 million — the highest in 17 years. Nonprofits won't hit that average, but they don't need to. A $50,000 incident response bill can shut down a small nonprofit permanently.

Beyond direct costs, there's donor trust. A 2021 survey by the Nonprofit Technology Enterprise Network (NTEN) found that many nonprofits experienced increased cyberattacks during the shift to remote work, yet most lacked incident response plans. When donors learn their personal and financial information was stolen, they don't come back. The reputational damage compounds the financial hit.

The FBI's Internet Crime Complaint Center (IC3) received nearly 850,000 complaints in 2021, with reported losses exceeding $6.9 billion. Business email compromise — the kind of attack where someone impersonates your executive director to request a wire transfer — accounted for a massive chunk of those losses. Nonprofits are especially vulnerable to this because staff are conditioned to respond quickly to leadership requests.

What Is Cybersecurity for Nonprofits?

Cybersecurity for nonprofits is the set of policies, technologies, and training practices that protect a nonprofit's digital assets — donor databases, financial systems, email accounts, websites, and internal communications — from unauthorized access, theft, or disruption. It differs from corporate cybersecurity primarily in scope and budget, not in urgency.

Effective nonprofit cybersecurity focuses on three pillars: people, process, and technology. You can buy the best firewall on the market, but if your development associate clicks a phishing link, none of it matters.

The 8 Steps That Actually Reduce Risk

1. Train Every Person Who Touches a Keyboard

Security awareness training isn't optional. It's the single highest-ROI investment any nonprofit can make. Your staff and volunteers need to recognize phishing emails, understand social engineering tactics, and know what to do when something looks suspicious.

Start with a comprehensive cybersecurity awareness training program that covers the fundamentals — password hygiene, device security, recognizing suspicious links, and reporting procedures. Make it part of onboarding for every new employee and volunteer.

Then go deeper. Run regular phishing awareness training with simulated phishing campaigns to test whether the lessons are sticking. In my experience, the first phishing simulation catches 25-35% of staff. After three rounds of training and simulation, that number typically drops below 5%.

2. Enable Multi-Factor Authentication Everywhere

Multi-factor authentication (MFA) stops the vast majority of credential theft attacks. If a staff member's password gets compromised in a phishing attack, MFA prevents the attacker from accessing the account.

Enable MFA on every account that supports it: email, donor management systems, cloud storage, social media accounts, banking platforms. Microsoft reported that MFA blocks 99.9% of automated attacks. There is no excuse not to use it.

3. Adopt Zero Trust Principles

Zero trust means you verify every user and device before granting access to any system, regardless of whether they're inside your office network. For nonprofits with remote staff, volunteers accessing systems from personal devices, and cloud-based applications, zero trust isn't a luxury — it's a necessity.

Start simple: limit access to sensitive data on a need-to-know basis. Your communications intern doesn't need access to donor financial records. Your event coordinator doesn't need admin rights to your CRM.

4. Patch Everything, Starting Now

Unpatched software is one of the most common entry points for attackers. The CISA Known Exploited Vulnerabilities Catalog maintains a running list of vulnerabilities that attackers are actively using. Many of them target software that nonprofits rely on daily — Microsoft Exchange, WordPress, Adobe products.

Set up automatic updates on every endpoint. If you're running software that's no longer supported by the vendor, replace it. Running Windows 7 or an unsupported version of a CMS in 2022 is an open invitation.

5. Back Up Donor Data — And Test Your Backups

Ransomware attacks encrypt your data and demand payment for the decryption key. If you have clean, recent backups stored offline or in an isolated cloud environment, you can recover without paying.

Follow the 3-2-1 rule: three copies of your data, on two different media types, with one stored offsite. Then — and this is where most organizations fail — actually test your backups quarterly. A backup you can't restore from is not a backup.
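The quarterly restore test above is easy to skip because nobody knows what "passed" looks like. The script below is an added example written for this guide, not a feature of any backup product: it records a SHA-256 manifest of the live data, restores a copy into a scratch directory, and reports every file that is missing, altered, or unexpected. The donor export and plan file it uses are constructed sample data; a real drill would restore from the offsite copy into the scratch location first. A small helper also checks a list of copy descriptions against the 3-2-1 rule.

```python
"""Restore-test helper: build a SHA-256 manifest of a source tree and
verify that a restored copy matches it byte for byte.

Added example for this guide; not from any backup product. It assumes
plain directories on local disk; in a real drill the restored tree comes
from the offsite or cloud copy, not from the live data.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_restore(restored: Path, manifest: dict) -> list:
    """Return a list of problems found in the restored tree; empty means pass.

    Flags files that are missing, whose content changed (corrupt), and
    files present in the restore that were never in the manifest.
    """
    problems = []
    actual = build_manifest(restored)
    for rel, expected in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != expected:
            problems.append(f"corrupt: {rel}")
    for rel in actual:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def satisfies_3_2_1(copies: list) -> bool:
    """copies: list of {"media": str, "offsite": bool} describing each copy.

    Three copies, on at least two media types, with one offsite.
    """
    return (
        len(copies) >= 3
        and len({c["media"] for c in copies}) >= 2
        and any(c["offsite"] for c in copies)
    )


def run_restore_drill() -> tuple:
    """Simulate a restore test on constructed sample data.

    Returns (problems_with_good_restore, problems_with_bad_restore).
    """
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "exports").mkdir(parents=True)
        # Constructed sample data; not real donor records.
        (live / "exports" / "donors.csv").write_text("id,name,amount\n1,A. Donor,250\n")
        (live / "policy.txt").write_text("incident response plan v1\n")
        manifest = build_manifest(live)

        # A clean restore: every file comes back unchanged.
        good = Path(tmp, "restore_good")
        shutil.copytree(live, good)
        good_problems = verify_restore(good, manifest)

        # A broken restore: one file truncated, one file lost.
        bad = Path(tmp, "restore_bad")
        shutil.copytree(live, bad)
        (bad / "exports" / "donors.csv").write_text("id,name,amount\n")
        (bad / "policy.txt").unlink()
        bad_problems = verify_restore(bad, manifest)
    return good_problems, bad_problems


if __name__ == "__main__":
    ok, broken = run_restore_drill()
    print("clean restore problems:", ok)
    print("broken restore problems:", broken)
    print("3-2-1 satisfied:", satisfies_3_2_1([
        {"media": "disk", "offsite": False},
        {"media": "disk", "offsite": False},
        {"media": "cloud", "offsite": True},
    ]))
```

Store the manifest with the backup itself, and treat any non-empty problem list as a failed drill that gets written up and fixed before the next quarter.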

6. Create an Incident Response Plan

When a breach happens — not if — your team needs to know exactly what to do. Who do you call? Who notifies donors? Who contacts law enforcement? How do you contain the damage?

Write a one-page incident response plan. Include names, phone numbers, and specific steps. Print it out and keep physical copies accessible. During a ransomware attack, your email and shared drives might be encrypted. A plan you can only access on a locked-down server is useless.

7. Secure Your Email Like Your Organization Depends on It

It does. Email is the number-one attack vector for nonprofits. Business email compromise, phishing, and malicious attachments all arrive through the inbox.

Configure SPF, DKIM, and DMARC records on your email domain. These authentication protocols make it much harder for attackers to spoof your organization's email address. If you don't know what those acronyms mean, your IT support should. If they don't, find someone who does.
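Publishing the records is only half the job; a record with the wrong qualifier or a monitoring-only policy gives no protection. The checker below is an added example written for this guide, not a tool from any vendor: it lints the text of an SPF record and a DMARC record for the weak settings receivers ignore or that authorize anyone. The records are constructed for an assumed domain, example.org, and the code works on record text only (pull your real TXT records from your DNS provider's console first).

```python
"""Lint SPF and DMARC TXT records for settings that leave a domain
spoofable. Added example for this guide; the sample records are
constructed for an assumed domain, example.org.
"""

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism(term: str) -> str:
    """Strip the qualifier and any argument: '+include:x' -> 'include'."""
    t = term.lstrip("+-~?").lower()
    for sep in (":", "/", "="):
        t = t.split(sep, 1)[0]
    return t


def lint_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means no weak settings."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    body = terms[1:]
    # The 'all' mechanism decides what happens to senders not listed.
    all_terms = [t for t in body if _mechanism(t) == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders get no verdict")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorizes every sender on the internet")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral; receivers treat it like no policy")
    if any(_mechanism(t) == "ptr" for t in body):
        findings.append("SPF: 'ptr' mechanism is deprecated and unreliable")
    lookups = sum(1 for t in body if _mechanism(t) in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10; receivers return permerror")
    return findings


def lint_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means no weak settings."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p' tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address; you will not receive aggregate reports")
    return findings


# Constructed records for the assumed domain example.org.
WEAK_SPF = "v=spf1 include:_spf.google.com ptr +all"
HARDENED_SPF = "v=spf1 include:_spf.google.com -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org; pct=100"


if __name__ == "__main__":
    for label, record, lint in (
        ("weak SPF", WEAK_SPF, lint_spf),
        ("hardened SPF", HARDENED_SPF, lint_spf),
        ("weak DMARC", WEAK_DMARC, lint_dmarc),
        ("hardened DMARC", HARDENED_DMARC, lint_dmarc),
    ):
        print(f"{label}: {lint(record) or 'OK'}")
```

Move to p=reject only after the aggregate reports delivered to the rua address show that every legitimate sender (your mail platform, donation processor, newsletter tool) is passing SPF or DKIM; p=quarantine is a reasonable intermediate step and is not flagged by the checker.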

8. Vet Your Vendors

The Blackbaud breach proved that your data is only as secure as your weakest vendor. Before you hand donor data to any third party, ask them specific questions: Do they encrypt data at rest and in transit? How do they handle incident notification? Have they completed a SOC 2 audit?

If a vendor can't answer these questions clearly, that's your answer. Walk away.

Board-Level Responsibility: Cybersecurity Is Governance

I've spoken with too many nonprofit boards that treat cybersecurity as "an IT thing." It's not. It's a fiduciary responsibility. If your board oversees financial controls and compliance, cybersecurity belongs in the same conversation.

Every nonprofit board should:

  • Receive a cybersecurity briefing at least annually
  • Approve an information security policy
  • Ensure cyber insurance coverage is adequate and current
  • Ask leadership directly: "What is our biggest cyber risk, and what are we doing about it?"

State attorneys general have started scrutinizing nonprofits that fail to protect donor data. The legal landscape is shifting, and boards that ignore cyber risk are exposing themselves to personal liability.

Budget Reality: What You Can Do With Almost Nothing

I hear the objection constantly: "We don't have the budget for cybersecurity." Here's what I tell every nonprofit executive director who says that.

You don't have the budget for a breach either.

The good news is that the highest-impact steps cost little or nothing:

  • MFA: Built into most platforms you already use (Google Workspace, Microsoft 365).
  • Patching: Turn on automatic updates. Zero cost.
  • Security awareness training: Accessible programs like the cybersecurity awareness training at computersecurity.us exist specifically for organizations operating on limited budgets.
  • Phishing simulation: Tools like the phishing simulation platform at phishing.computersecurity.us let you test your team's readiness with realistic scenarios.
  • Backups: Cloud backup solutions are affordable at nonprofit scale.
  • Incident response planning: A few hours of staff time to create a document that could save your organization.

Prioritize people over products. A trained employee who spots a phishing email before clicking is worth more than a $50,000 security appliance.

The Remote Work Problem Isn't Going Away

The pandemic pushed nonprofits into remote work almost overnight. Two years later, hybrid and remote arrangements are permanent for many organizations. That means staff are accessing donor databases from home Wi-Fi networks, personal laptops, and shared family devices.

If you haven't already, establish a remote work security policy that covers:

  • Required use of VPNs for accessing internal systems
  • Mandatory device encryption on any machine that accesses organizational data
  • Prohibition of storing donor data on personal devices
  • Minimum security requirements for home networks (updated router firmware, strong Wi-Fi passwords)

Remote work expanded your attack surface dramatically. Your security policies need to catch up.

Compliance Isn't Just for Corporations

Depending on what data you collect and where your donors live, your nonprofit may be subject to data protection regulations you don't even know about. PCI DSS applies if you process credit card donations. HIPAA applies if you handle health information. State breach notification laws apply in all 50 states.

The FTC's privacy and security guidance provides a solid baseline for any organization handling personal data. Start there and work outward based on your specific data types and donor locations.

Start Today, Not After the Breach

Every nonprofit leader I've worked with who experienced a breach says the same thing: "I wish we'd started six months earlier." The threat actors targeting your organization right now don't care about your mission, your budget constraints, or your staffing challenges. They see data, and they want it.

Cybersecurity for nonprofits isn't about perfection. It's about making your organization a harder target than the one next door. Enable MFA this week. Schedule your first phishing simulation this month. Brief your board this quarter. Each step moves you from "easy target" to "not worth the effort" in an attacker's calculus.

Your donors trusted you with their information. That trust is worth protecting.