In July 2023, a ransomware attack crippled the nonprofit hospital chain CommonSpirit Health, ultimately affecting over 600,000 patients and costing the organization an estimated $160 million. That's not a Fortune 500 company. That's a mission-driven organization built to serve communities — brought to its knees because a threat actor found a way in.

Cybersecurity for nonprofits isn't an optional line item anymore. If your organization collects donor data, processes credit cards, stores medical records, or maintains any personally identifiable information, you're a target. This post breaks down exactly why nonprofits are getting hit, what the real threats look like, and the practical steps you can take — even with a razor-thin budget — to protect your mission.

Why Threat Actors Target Nonprofits Specifically

There's a dangerous myth floating around nonprofit boardrooms: "We're too small to be a target." The data says otherwise. According to the 2023 Verizon Data Breach Investigations Report (DBIR), 74% of all breaches involved a human element — social engineering, errors, or misuse. Nonprofit staff, often undertrained and overworked, are exactly the kind of targets attackers love.

Here's what makes nonprofits uniquely vulnerable:

  • Lean IT budgets. Most nonprofits spend less than 3% of their operating budget on technology, let alone security.
  • High staff turnover and volunteers. Rotating personnel means inconsistent security practices and credentials that don't get deactivated.
  • Rich data stores. Donor databases, beneficiary records, health information, financial data — it's all valuable on the dark web.
  • Trust-based culture. Nonprofits are built on trust. That makes employees less suspicious of unusual requests — and more susceptible to social engineering.

Attackers aren't picking targets based on revenue. They're picking targets based on ease of entry. And right now, nonprofits are some of the easiest doors to open.

The $4.88M Lesson Most Nonprofits Learn Too Late

IBM's 2023 Cost of a Data Breach report pegged the global average cost of a data breach at $4.45 million. But here's what keeps me up at night for nonprofits: even a breach costing a fraction of that — say $50,000 — can be existential for an organization running on grants and donations.

I've seen it happen. A small human services nonprofit gets hit with credential theft through a phishing email. The attacker gains access to the donor management system, exfiltrates 15,000 records, and the organization now faces notification costs, legal fees, and — worst of all — a total collapse of donor trust. Donations dry up. The mission stalls. The organization closes.

That's not hypothetical. That's the pattern I've watched play out repeatedly in the nonprofit sector.

The Three Attacks Hitting Nonprofits the Hardest

1. Phishing and Spear Phishing

Phishing remains the number one attack vector across every sector, and nonprofits are no exception. But what makes nonprofit phishing particularly dangerous is the specificity. Attackers research your organization's leadership, your grant cycles, your partners. They craft emails that look like they're from your executive director, a foundation officer, or a government agency.

One common scheme: a spoofed email from the "ED" asking the finance manager to wire funds for an urgent program expense. The finance manager, used to working quickly under pressure, complies. The money vanishes.

Running regular phishing awareness training for your organization isn't a nice-to-have. It's the single highest-ROI security investment a nonprofit can make.

2. Ransomware

Ransomware attacks against nonprofits surged in 2023. Healthcare nonprofits, educational institutions, and social service agencies have all been hit hard. The FBI's Internet Crime Complaint Center (IC3) reported that ransomware complaints continued to climb, with critical infrastructure sectors — including healthcare and education — disproportionately targeted.

The playbook is almost always the same: an employee clicks a malicious link or opens a weaponized attachment. Malware deploys. Data gets encrypted. A ransom note appears demanding cryptocurrency. For a nonprofit without robust backups, paying feels like the only option — and even paying doesn't guarantee recovery.

3. Business Email Compromise (BEC)

BEC attacks cost organizations over $2.7 billion in 2022 according to the FBI IC3's annual report. Nonprofits are prime targets because their org charts are often publicly available, their staff are accessible, and their financial controls tend to be weaker than those of for-profit companies.

A BEC attack against a nonprofit typically involves compromising or spoofing the email of a senior leader, then using that access to redirect payments, steal W-2 data, or authorize fraudulent wire transfers.

What Does Cybersecurity for Nonprofits Actually Look Like?

This is the question I get most often from executive directors and board members. They know they need to do something. They just don't know where to start — especially without a dedicated IT team.

Here's the honest answer: cybersecurity for nonprofits starts with people, not products. You don't need a six-figure security operations center. You need trained staff, basic technical hygiene, and a plan for when things go wrong.

Step 1: Train Every Person Who Touches a Keyboard

Security awareness training is the foundation of everything. Every employee, every volunteer, every board member who accesses organizational systems needs to understand the basics: how to spot a phishing email, why they should never reuse passwords, what to do when something looks suspicious.

If you haven't started yet, our cybersecurity awareness training program was built with exactly this scenario in mind — organizations that need real training without enterprise-level budgets.

Step 2: Enable Multi-Factor Authentication Everywhere

Multi-factor authentication (MFA) stops the vast majority of credential theft attacks dead in their tracks. If an attacker phishes a password but can't provide the second factor, they're locked out. Microsoft has stated that MFA blocks 99.9% of automated account compromise attacks.

Enable it on email, donor databases, financial systems, cloud storage — everything. No exceptions for the executive director. No exceptions for the board chair. Everyone.

Step 3: Adopt a Zero Trust Mindset

Zero trust isn't just a buzzword for Fortune 500 companies. The core principle — never trust, always verify — is especially relevant for nonprofits with distributed teams, remote workers, and volunteers using personal devices.

In practice, this means:

  • Verify every access request regardless of where it comes from.
  • Grant least-privilege access — people should only access what they need for their specific role.
  • Segment your network so a compromised volunteer laptop can't reach your donor database.
  • Continuously monitor for unusual activity, even from "trusted" internal accounts.

You don't need expensive tools to start. You need policies and discipline.

Step 4: Back Up Everything — And Test Your Restores

Backups are your last line of defense against ransomware. Follow the 3-2-1 rule: three copies of your data, on two different media types, with one stored offsite (or in the cloud). And here's the part most organizations skip — actually test restoring from those backups. A backup you can't restore from is just a false sense of security.
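To make "test your restores" concrete, here is an added example (not code from the original post) that backs up a folder, records a hash manifest, restores the archive into a scratch directory and checks every file; the folder names and sample files are constructed for the demo.

```python
"""Added example, not code from the original post: back up a folder, keep a
hash manifest, restore into a scratch directory and verify every file.
Folder names and sample files are constructed for the demo."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

def hash_tree(root: Path) -> dict:
    """Map each file under root (by relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source: Path, archive: Path) -> dict:
    """Write a .tar.gz of source; return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(source), arcname=".")
    return hash_tree(source)

def verify_restore(archive: Path, manifest: dict) -> list:
    """Really restore, then compare with the manifest; an empty list means restorable."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # use the safe extraction filter where this Python version has it
                kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kw)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"restore failed: {exc}"]
        restored = hash_tree(Path(scratch))
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs after restore: {rel}")
    return problems

def demo() -> tuple:
    """Constructed donor-export files: verify a healthy backup, then a truncated one."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "donor_exports"
        (src / "2023").mkdir(parents=True)
        (src / "2023" / "donors.csv").write_text("id,name,amount\n1,Sample Donor,250\n")
        archive = Path(work) / "donor_exports.tar.gz"
        manifest = make_backup(src, archive)
        healthy = verify_restore(archive, manifest)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])  # simulate a damaged backup
        return healthy, verify_restore(archive, manifest)
```

Run the same verify step against a copy of each of the three 3-2-1 copies on a schedule; a backup that fails this check is the one you find out about before the ransom note, not after.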

Step 5: Create an Incident Response Plan

When — not if — something happens, your team needs to know exactly what to do. Who do you call first? How do you contain the breach? Who communicates with donors and the media? What are your legal notification obligations?

Write it down. Print it out. (Your digital plan won't help if ransomware has encrypted your systems.) Run a tabletop exercise at least once a year. CISA offers excellent tabletop exercise resources that are designed for organizations of all sizes.

How Can Nonprofits Afford Cybersecurity?

This is the featured question — and it deserves a direct answer.

Nonprofits can afford cybersecurity by prioritizing training and basic hygiene over expensive tools. The majority of breaches exploit human error, not sophisticated zero-day vulnerabilities. Training your staff through programs like our phishing simulation and awareness training costs a fraction of what a single breach would. Enabling MFA is typically included in your existing email and cloud platform at no additional cost. Writing an incident response plan takes time, not money. And many cybersecurity frameworks, including NIST's Cybersecurity Framework, are publicly available and designed to scale to any organization size.

Start with the fundamentals. Layer on more advanced controls as your budget allows. The worst strategy is doing nothing because you can't do everything.

The Board's Role in Nonprofit Cybersecurity

If you're a nonprofit board member reading this, cybersecurity is a fiduciary responsibility. You wouldn't let the organization operate without financial controls. You shouldn't let it operate without security controls either.

Here's what I recommend every nonprofit board do in the next 90 days:

  • Add cybersecurity to the board agenda. Make it a standing item, not a once-a-year afterthought.
  • Ask for a risk assessment. Even an informal one. Where is your data? Who has access? What would happen if your systems went down for a week?
  • Fund security awareness training. This is the single most cost-effective investment your organization can make. Our cybersecurity awareness training is built for exactly this purpose.
  • Require cyber liability insurance. Policies are available for nonprofits and can cover breach response costs, legal fees, and notification expenses.
  • Demand an incident response plan. And make sure it's been tested.

Volunteers: The Security Gap Nobody Talks About

I've audited nonprofit environments where volunteers had full access to CRM systems containing tens of thousands of donor records — from their personal laptops, with no endpoint protection, and no MFA. That's not a security posture. That's an open door with a welcome mat.

Volunteers are essential to your mission. They're also a massive security risk if not properly managed. Every volunteer who accesses your systems should go through the same security awareness training as paid staff. Their access should be time-limited and role-based. And when their volunteer engagement ends, their credentials should be deactivated immediately — not three months later when someone remembers.
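The access rules in the zero trust list above and in this volunteer section (role-based least privilege, time-limited access, deactivation when the engagement ends, MFA everywhere) as one added example; this is not code from the original post, and the roles, systems and accounts are constructed sample data.

```python
"""Added example, not code from the original post: least-privilege checks by role,
time-limited volunteer access, and an audit for accounts that should already have
been deactivated. Roles, systems and accounts below are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed role-to-system grants: each role reaches only what its job needs.
ROLE_ACCESS = {
    "finance": {"email", "accounting", "donor_crm"},
    "program_staff": {"email", "case_management"},
    "volunteer": {"email", "event_signup"},
}

@dataclass
class Account:
    user: str
    role: str
    active: bool
    mfa_enrolled: bool
    access_ends: Optional[date] = None  # None: no fixed end date (paid staff)

def may_access(acct: Account, system: str, today: date) -> Tuple[bool, str]:
    """Check every request the same way, whoever and wherever it comes from."""
    if not acct.active:
        return False, "account deactivated"
    if acct.access_ends is not None and today > acct.access_ends:
        return False, "engagement ended; access expired"
    if not acct.mfa_enrolled:
        return False, "MFA not enrolled"
    if system not in ROLE_ACCESS.get(acct.role, set()):
        return False, f"role '{acct.role}' is not granted '{system}'"
    return True, "ok"

def stale_accounts(accounts: List[Account], today: date) -> List[str]:
    """Audit: still-active accounts whose engagement ended (never deactivated)."""
    return [a.user for a in accounts
            if a.active and a.access_ends is not None and today > a.access_ends]

TODAY = date(2023, 11, 1)  # constructed reference date
SAMPLE_ACCOUNTS = [
    Account("finance.lead", "finance", True, True),
    Account("gala.volunteer", "volunteer", True, True, date(2023, 12, 15)),
    Account("summer.intern", "volunteer", True, False, date(2023, 8, 31)),
]

def audit() -> dict:
    """Run the checks the post asks for against the sample accounts."""
    return {"stale": stale_accounts(SAMPLE_ACCOUNTS, TODAY),
            "volunteer_to_crm": may_access(SAMPLE_ACCOUNTS[1], "donor_crm", TODAY)}
```

The `stale_accounts` audit is the one to run monthly: it lists exactly the credentials that "someone remembers three months later", and the expiry check in `may_access` closes the door even before that list is acted on.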

Stop Thinking Like a Small Target

The nonprofits that survive cyber incidents in 2023 and beyond are the ones that stop believing they're too small to be attacked. You're not too small. You're just right — right-sized data, right-sized vulnerabilities, right-sized lack of defenses. Threat actors know this.

Cybersecurity for nonprofits doesn't require a massive budget. It requires intention. Train your people. Lock down your accounts. Plan for the worst. And start today — because the attackers already have.

Take the first step by enrolling your team in phishing awareness training and building a security culture that protects the mission your donors trust you to deliver.