Definitive Guide

The Complete Nonprofit Cybersecurity Guide

Nonprofits are increasingly targeted by cybercriminals seeking donor data, payment information, and organizational funds. This guide covers donor data protection, PCI DSS compliance for donations, and how to build an effective security program on a limited budget.


Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

Donor Data Protection: The Nonprofit Trust Imperative

Nonprofits collect and store deeply sensitive information about their donors: names, addresses, email addresses, phone numbers, payment card details, bank account information for recurring gifts, employer names for matching-gift programs, and, for some organizations, health information, immigration status, political affiliations, or religious beliefs. A breach of this data doesn't just trigger legal liability; it shatters the trust relationship that is the foundation of charitable giving.

The reputational impact of a data breach is disproportionately devastating for nonprofits. A for-profit company can recover customer trust through discounts and improved service. A nonprofit that exposes donor data faces a dual crisis: donors who feel their personal information was mishandled will stop giving, and media coverage of the breach can deter prospective donors. Studies show that 60% of donors would stop contributing to a nonprofit that suffered a data breach, and recovery of donor trust can take years.

Donor data protection starts with data minimization: collecting only the information you need and retaining it only as long as necessary. Many nonprofits retain years of transaction history, correspondence, and personal details without a clear retention policy, expanding their exposure unnecessarily. Implement a data-retention policy that defines what data is collected, why, how long it is kept, and how it is securely disposed of when no longer needed.

Access controls are equally critical. Not every staff member and volunteer needs access to the donor database. Implement role-based access in your CRM (Salesforce, Bloomerang, Little Green Light, Network for Good) so that event volunteers can see attendee lists but not donation amounts, program staff can access relevant contact information but not payment details, and only authorized development team members can access full donor records.

PCI DSS Compliance for Online Donations

If your nonprofit accepts credit card donations, online, by phone, or in person, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS applies to any organization that processes, stores, or transmits cardholder data, regardless of size, transaction volume, or nonprofit status. There is no exemption for charitable organizations.

Most nonprofits fall into merchant Level 4 (fewer than 20,000 e-commerce transactions a year) and validate compliance by completing an annual Self-Assessment Questionnaire (SAQ). Which SAQ applies depends on how your own systems touch cardholder data:

SAQ A applies if payment processing is fully outsourced to a PCI DSS-compliant third party (Stripe, PayPal, or Classy, for example) and every element of the payment form the donor sees is delivered by that provider, either through a redirect to its hosted page or through an iframe it serves.

SAQ A-EP applies if your website never receives cardholder data but does control how it reaches the processor: a form on your own page that posts card data straight to the processor, or processor JavaScript that you load to build the card form inside your page.

SAQ D applies if cardholder data is processed, transmitted, or stored on your own systems.

The simplest path is to use a PCI DSS-compliant processor and ensure your organization never directly handles cardholder data. Use the redirect- or iframe-based donation form your processor provides; do not build a custom payment form that touches card numbers. This keeps you in SAQ A, which has by far the fewest questions (a few dozen, depending on the PCI DSS version, versus several hundred for SAQ D).

Even with fully outsourced processing, SAQ A still leaves you with obligations: no vendor default passwords on in-scope systems, unique IDs and strong authentication for anyone with access to those systems, secure handling of any paper records that contain card data, written agreements with (and annual monitoring of) your payment processor and other service providers, an incident response plan, and an information-security policy. Firewall configuration, prompt vendor security patches, need-to-know access restriction, and TLS 1.2+ for cardholder data in transit become your responsibility in full once your own systems handle cardholder data (SAQ A-EP or SAQ D).

Whatever your SAQ, serve the page that embeds or links to the donation form over TLS 1.2+ with HSTS, and keep unreviewed third-party scripts off it: an attacker who can modify that page can swap the processor's iframe for a form of their own. That attack is why PCI DSS v4.0 added requirements 6.4.3 (inventory, authorize, and integrity-check scripts on payment pages) and 11.6.1 (detect unauthorized changes to payment-page headers and content); check the current SAQ A eligibility criteria for how they apply to an iframe- or redirect-based page. Cyber Defense Agent verifies TLS configuration, security headers, and external vulnerabilities on your donation pages, the technical controls that matter for any internet-facing payment surface.
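A page-level scope check for the SAQ distinction above, added here as an example; it is not code from this page or from Cyber Defense Agent. It parses a donation page's own HTML (the contents of a processor iframe are the processor's, not yours, so they are out of view), flags card fields that post to your own server (SAQ D territory), card fields that post straight to a third party (SAQ A-EP), and third-party or inline scripts on an iframe-based page that would need to be on your 6.4.3 script inventory. The site origin, the processor origins, and the three sample pages are constructed assumptions, and the result is a heuristic to triage with, not a substitute for the SAQ's own eligibility criteria.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (not from the page): your donation site's origin and the origins
# your PCI DSS-compliant processor serves payment forms and scripts from.
SITE_ORIGIN = "https://donate.example.org"
PROCESSOR_ORIGINS = {"https://js.stripe.com", "https://checkout.stripe.com"}
# Attribute values suggesting an <input> collects card data (autocomplete tokens, common names).
CARD_HINTS = ("cc-number", "cc-exp", "cc-csc", "cardnumber", "card_number", "cvv", "cvc")


def origin_of(url, base=SITE_ORIGIN):
    """scheme://host of an absolute URL; relative or empty URLs resolve to the site itself."""
    p = urlparse(url or "")
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else base


class PaymentPageScanner(HTMLParser):
    """Inventory the scripts, iframes and card-collecting forms in a page's own HTML."""

    def __init__(self):
        super().__init__()
        self.script_origins, self.iframe_origins, self.forms = [], [], []
        self.inline_scripts = 0
        self._form = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            if a.get("src"):
                self.script_origins.append(origin_of(a["src"]))
            else:
                self.inline_scripts += 1
        elif tag == "iframe" and a.get("src"):
            self.iframe_origins.append(origin_of(a["src"]))
        elif tag == "form":
            self._form = {"action": origin_of(a.get("action")), "card_fields": False}
        elif tag == "input" and self._form is not None:
            blob = " ".join(a.values()).lower()
            if any(h in blob for h in CARD_HINTS):
                self._form["card_fields"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def triage(page_url, html):
    """Classify the likely SAQ and list scope findings for one donation page."""
    s = PaymentPageScanner()
    s.feed(html)
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append("page not served over HTTPS: the embed itself can be tampered with in transit")
    card_forms = [f for f in s.forms if f["card_fields"]]
    if any(f["action"] == SITE_ORIGIN for f in card_forms):
        saq = "D"   # card data reaches your own server
        findings.append("card fields post to your own origin: your server handles cardholder data")
    elif card_forms:
        saq = "A-EP"  # your page collects card data and posts it directly to a third party
        findings.append("card fields on your page post directly to a third party: your page controls delivery")
    else:
        saq = "A"   # no card collection in your HTML; iframe or redirect pattern
    foreign = sorted({o for o in s.script_origins if o not in PROCESSOR_ORIGINS and o != SITE_ORIGIN})
    for o in foreign:
        findings.append(f"third-party script from {o} on the payment page: inventory and authorize it (6.4.3)")
    if s.inline_scripts:
        findings.append(f"{s.inline_scripts} inline script(s): any script on this page can read or replace the embedded form")
    if saq == "A" and not (set(s.iframe_origins) | set(s.script_origins)) & PROCESSOR_ORIGINS:
        findings.append("no processor iframe or script found: confirm donors are redirected to the hosted page")
    return {"saq": saq, "script_origins": s.script_origins,
            "iframe_origins": s.iframe_origins, "findings": findings}


# Constructed sample pages (not taken from any real site).
CUSTOM_FORM = """<form action="/donate" method="post">
<input name="card_number"><input name="cvv"><button>Give</button></form>"""
DIRECT_POST = """<form action="https://pay.example-processor.com/post" method="post">
<input autocomplete="cc-number"><input autocomplete="cc-csc"></form>"""
IFRAME_EMBED = """<script src="https://js.stripe.com/v3/"></script>
<script src="https://cdn.analytics.example.net/tag.js"></script>
<iframe src="https://checkout.stripe.com/embed"></iframe>"""

if __name__ == "__main__":
    for name, page in (("custom form", CUSTOM_FORM), ("direct post", DIRECT_POST), ("iframe embed", IFRAME_EMBED)):
        r = triage("https://donate.example.org/give", page)
        print(f"{name}: likely SAQ {r['saq']}")
        for f in r["findings"]:
            print("  -", f)
```

Run it against a saved copy of your live donation page (curl the page to a file and feed it to triage) after every site change; a new marketing tag or chat widget landing on the donation page is exactly the kind of change that should show up as a 6.4.3 finding before an attacker uses it.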

Building an Effective Security Program on a Limited Budget

Nonprofits face a unique cybersecurity challenge: they hold sensitive data that demands protection, but their missions rightly prioritize program spending over administrative overhead. The good news is that effective cybersecurity does not require a massive budget. The controls that prevent the vast majority of attacks are low-cost or free; they require discipline and process, not expensive tools. Start with the five most impactful controls for any nonprofit:

1. Enforce MFA everywhere. Enable and enforce multi-factor authentication on email (Microsoft 365, Google Workspace), your CRM, financial systems, and any system containing donor data. MFA is included at no extra cost in Microsoft 365 and Google Workspace, and Microsoft reports that it blocks more than 99% of automated account-compromise attacks.

2. Use a password manager. Deploy a team password manager (Bitwarden, for example, has a free tier and nonprofit pricing) and eliminate password reuse, shared credentials, and sticky-note passwords.

3. Patch promptly. Enable automatic updates on all workstations, servers, and applications. Most exploited vulnerabilities have patches available before they are attacked. Delayed patching is a choice, not a necessity.

4. Train your team. Conduct quarterly security-awareness training covering phishing recognition, safe browsing, and incident reporting. Free resources are available from CISA (Cybersecurity and Infrastructure Security Agency) and the Center for Internet Security.

5. Back up your data. Follow the 3-2-1 rule (three copies, on two different media, one off-site) and test restoration quarterly. Microsoft 365 and Google Workspace data should be backed up independently using a third-party backup tool.

Beyond these basics, take advantage of nonprofit technology discounts. Microsoft offers Microsoft 365 Business Premium (which includes Defender for Office 365 phishing protection and Defender for Business endpoint protection) to eligible nonprofits at significant discounts through TechSoup. Google offers similar discounts on Google Workspace security features.
Cyber Defense Agent provides affordable external scanning that gives nonprofits the same visibility into their attack surface that enterprise organizations have — without the enterprise price tag.

Key Takeaways

TL;DR

A donor data breach is disproportionately devastating for nonprofits — 60% of donors would stop giving after a breach, and trust recovery takes years.

PCI DSS compliance is mandatory for any nonprofit that accepts credit card donations, with no exemption for charitable status or small size.

Outsourcing payment processing to a PCI-certified provider (Stripe, PayPal, Classy) dramatically simplifies PCI compliance by qualifying for SAQ A.

The five most impactful security controls (MFA, password manager, patching, training, backups) are low-cost or free.

Nonprofit technology discounts from Microsoft, Google, and TechSoup make enterprise-grade security tools accessible on limited budgets.

FAQ

Frequently asked questions

Does PCI DSS apply to nonprofits that only accept donations online?

Yes. PCI DSS applies to any organization that processes, stores, or transmits credit card data, regardless of the channel (online, phone, mail, in-person). If you accept credit card donations through any method, you must comply. The simplest compliance path for online-only donation acceptance is to use a PCI DSS-compliant processor (Stripe, PayPal) with an iframe- or redirect-based payment form, qualifying you for the SAQ A self-assessment, the shortest questionnaire (a few dozen questions, depending on the PCI DSS version).

What cybersecurity insurance do nonprofits need?

Nonprofits should carry a cyber liability insurance policy that covers: data breach notification costs, credit monitoring for affected donors, regulatory fines and penalties, legal defense costs, business interruption (including inability to process donations), and ransomware response. Premiums for nonprofits typically range from $1,000 to $5,000 annually depending on revenue, data volume, and existing security controls. A strong Cyber Defense Score can help negotiate better premiums.

How can a small nonprofit with no IT staff improve cybersecurity?

Focus on the highest-impact, lowest-cost actions: (1) enable MFA on all cloud accounts (free in Microsoft 365 and Google Workspace), (2) deploy a free password manager like Bitwarden, (3) enable automatic updates on all devices, (4) use CISA's free security-awareness training resources, and (5) ensure your donation platform is PCI-certified and you never directly handle card data. For ongoing monitoring, Cyber Defense Agent provides affordable external scanning that identifies vulnerabilities without requiring internal IT expertise.

Get your Cyber Defense Score™ in 60 seconds.

100 tools. No installation. No credit card. Real evidence.