
Cybersecurity for Nonprofits: Protect Donor Data on a Limited Budget

Posted to Cybersecurity.


Nonprofit organizations handle some of the most sensitive data in any sector: donor names, addresses, payment information, volunteer records, client case files, and in many cases protected health information or details about vulnerable populations. Despite this, nonprofits consistently rank among the least-prepared organizations when it comes to cybersecurity. A 2025 NTEN survey found that 59 percent of nonprofits have no cybersecurity plan, and nearly 70 percent have never conducted a security assessment of any kind.

The assumption driving this gap is that cybercriminals target large, wealthy organizations and ignore nonprofits. That assumption is dangerously wrong. Attackers target vulnerable systems, not valuable ones. A nonprofit running an unpatched donor management system with no multi-factor authentication and no security monitoring is a far easier target than a Fortune 500 company with a dedicated security operations center. The data is equally monetizable on dark web markets regardless of whether it was stolen from a corporation or a food bank.

Petronella Technology Group has worked with nonprofits across North Carolina for over 23 years, and we understand the budget constraints that make security feel impossible. This guide provides a practical, prioritized approach to protecting your organization without requiring enterprise-level spending.

Why Nonprofits Are Targets

Several factors combine to make nonprofits attractive to attackers. Understanding these factors helps explain why investing in even basic security measures produces outsized returns for organizations in this sector.

Valuable data with weak defenses. Nonprofits collect donor payment information, Social Security numbers for grant applications, health records for service delivery, and personal details about vulnerable populations. This data has real market value. Credit card numbers sell for $10 to $50 each on dark web forums. Complete identity packages including SSN, date of birth, and address fetch $30 to $100. A donor database containing thousands of records represents a significant payday for an attacker who faces minimal resistance getting in.

Limited IT staff and expertise. Most nonprofits operate without dedicated IT staff. Technology management falls to whoever is most comfortable with computers, typically someone whose actual job is program management, fundraising, or administration. Security configurations are left at defaults. Updates are deferred because nobody wants to risk breaking something before a grant deadline. The result is an environment where known vulnerabilities persist for months or years.

Trust-based culture. Nonprofits thrive on trust and collaboration, which creates a culture that is inherently less suspicious of unexpected emails, unusual requests, and social engineering tactics. Staff members are accustomed to working with diverse partners and responding to requests from unfamiliar contacts. This openness, while essential to the mission, creates vulnerability to phishing and pretexting attacks.

High-profile events create phishing opportunities. Fundraising campaigns, disaster response efforts, and public awareness events generate increased email volume and website traffic. Attackers exploit these events by creating convincing phishing emails that mimic donation confirmations, event registrations, or partner communications.

Building a Budget-Friendly Security Stack

Effective cybersecurity for nonprofits does not require a six-figure budget. It requires prioritizing the controls that address the most likely threats and implementing them consistently. Here is where to start, ordered by impact relative to cost.

Multi-Factor Authentication

If your nonprofit does nothing else, enable multi-factor authentication on every account that supports it: email, donor management systems, cloud storage, banking portals, social media accounts, and any administrative interfaces. MFA blocks over 99 percent of automated credential attacks. Microsoft and Google both offer free MFA through their authenticator apps. The implementation cost is zero. The time investment is a few hours to set up and a brief training session for staff. The security improvement is enormous.

Email Security

Email is the primary attack vector for nonprofits. Phishing emails that impersonate board members, donors, or partner organizations are the most common way attackers gain initial access. Configure SPF, DKIM, and DMARC records for your domain to prevent attackers from spoofing your organization's email address. Enable the built-in phishing protections in Microsoft 365 or Google Workspace. Both platforms include AI-powered threat detection in their nonprofit-discounted plans.
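As an added example (not code from the original post), here is a small Python checker for the SPF and DMARC settings that most often leave a domain spoofable even after the records exist: a permissive `+all` or `?all` in SPF, and a DMARC policy of `p=none` that only monitors. The TXT records below are constructed sample values; `example.org` and `203.0.113.10` are placeholders, not any organization's real DNS.

```python
import re

# Constructed sample records (assumptions, not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.10 +all"
GOOD_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.10 -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org"

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|redirect=|exists:)")


def check_spf(txt: str) -> list[str]:
    """Return findings for an SPF TXT record; an empty list means it looks sane."""
    if not txt.startswith("v=spf1"):
        return ["not an SPF record (must start with v=spf1)"]
    terms = txt.split()[1:]
    findings = []
    if "+all" in terms or "all" in terms:
        findings.append("'+all' lets any server send as this domain")
    elif "?all" in terms:
        findings.append("'?all' is neutral; use '~all' or '-all'")
    elif not any(t in ("~all", "-all") for t in terms):
        findings.append("no 'all' mechanism; receivers will not fail unknown senders")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceeds the limit of 10 (permerror)")
    return findings


def check_dmarc(txt: str) -> list[str]:
    """Return findings for a _dmarc TXT record; an empty list means it enforces."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'} only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    return findings


if __name__ == "__main__":
    for label, rec, fn in [("weak SPF", WEAK_SPF, check_spf), ("good SPF", GOOD_SPF, check_spf),
                           ("weak DMARC", WEAK_DMARC, check_dmarc), ("good DMARC", GOOD_DMARC, check_dmarc)]:
        print(label, "->", fn(rec) or "OK")
```

To check a live domain, feed the strings returned by `dig TXT yourdomain.org` and `dig TXT _dmarc.yourdomain.org` into the two functions.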

Microsoft 365 Business Basic is available to nonprofits for free through the Microsoft Nonprofits program. Google Workspace offers similar discounts through Google for Nonprofits. These plans include email, cloud storage, and basic security features that significantly upgrade the security posture of organizations still running consumer-grade email services.

Endpoint Protection

Every computer and mobile device that accesses organizational data needs endpoint protection. Windows Defender, included free with every Windows license, provides capable antivirus and anti-malware protection. Ensure it is enabled and configured to update automatically on all devices. For organizations that can allocate modest budget, solutions like Microsoft Defender for Business (available at nonprofit pricing through the Microsoft 365 Business Premium plan at approximately $5.50 per user per month) add advanced threat protection, device management, and automated investigation capabilities.

Automatic Updates

Unpatched software is one of the most exploited vulnerability categories. Configure automatic updates for operating systems, web browsers, and productivity software on all organizational devices. For donor management systems and other specialized applications, establish a monthly update schedule and assign someone the responsibility of verifying updates are applied. The majority of successful attacks exploit vulnerabilities for which patches have been available for months.

Backups

Ransomware attacks against nonprofits increased 40 percent between 2024 and 2025. A reliable backup strategy is your primary defense against ransomware and your recovery path after any data loss event. Follow the 3-2-1 rule: maintain three copies of important data, on two different types of storage media, with one copy stored offsite or in the cloud. Cloud backup services designed for small organizations start at $5 to $10 per month and can protect your donor database, financial records, and operational documents.

Free and Low-Cost Security Tools

Several tools and resources are available specifically for nonprofits at no cost or deeply discounted rates.

Cloudflare Project Galileo provides free DDoS protection and web application firewall services to nonprofits and civil society organizations. If your nonprofit operates a website that could be targeted by denial-of-service attacks, this program provides enterprise-grade protection at no cost.

1Password for Nonprofits offers free team password management, eliminating the practice of sharing passwords via email or spreadsheets. Password reuse across accounts is one of the most common security failures in nonprofit environments, and a password manager addresses it directly.

CISA Cybersecurity Resources from the Cybersecurity and Infrastructure Security Agency provide free vulnerability scanning, security assessments, and training resources. Their Cyber Hygiene Services program will scan your public-facing systems for known vulnerabilities and provide remediation guidance at no cost.

TechSoup serves as a clearinghouse for discounted technology products and services for nonprofits. Through TechSoup, organizations can access significant discounts on security software, cloud services, and hardware from vendors including Microsoft, Google, Symantec, and others.

Security Awareness Training for Staff and Volunteers

Technical controls are only effective when the people using your systems understand basic security practices. Security awareness training for nonprofit staff and volunteers should cover recognizing phishing emails, creating strong unique passwords, handling sensitive donor and client data, reporting suspicious activity, and understanding the consequences of a breach for the organization and the people it serves.

Training does not need to be expensive or time-consuming. KnowBe4 offers free security awareness training resources through their nonprofit program. Google and Microsoft both provide free training modules within their platforms. The most effective approach combines brief, regular training sessions with simulated phishing tests that give staff practice identifying threats in a safe environment.

Volunteers present a unique challenge because they may use personal devices to access organizational systems, may have limited technical skills, and may cycle through the organization frequently. Establish a brief security orientation for new volunteers that covers the essentials: do not share passwords, do not click unexpected links, and report anything suspicious. Keep it simple, make it part of the standard onboarding process, and reinforce it regularly.

Grant-Funded IT Security

Many nonprofits overlook the fact that technology and security costs are legitimate expenses that can be included in grant budgets. Federal grants from agencies like HHS and DOJ increasingly expect grantees to demonstrate adequate data protection practices. Including line items for security software, staff training, and IT assessments in grant proposals is not only acceptable but increasingly expected by funders who understand that data breaches can undermine program outcomes.

Several foundations specifically fund technology capacity building for nonprofits. The Technology Association of Grantmakers maintains a directory of technology-focused funders. State and local community foundations often have technology improvement grants. When writing grant proposals that include security spending, frame the investment in terms of mission protection: securing donor data protects donor trust, which protects fundraising capacity, which protects the programs that serve your community.

Compliance Requirements for Nonprofits

Nonprofits face several compliance obligations that directly involve cybersecurity, even though many organizations are unaware of them.

PCI DSS for donation processing. If your nonprofit accepts credit card donations, whether online, by phone, or in person, you are subject to the Payment Card Industry Data Security Standard. PCI DSS requirements include maintaining a firewall, encrypting cardholder data, restricting access to payment information, and regularly testing security systems. Smaller organizations can often satisfy requirements through self-assessment questionnaires, but the requirements still apply and non-compliance can result in fines and the loss of the ability to process card payments.

State data breach notification laws. Every U.S. state has a data breach notification law that requires organizations, including nonprofits, to notify affected individuals when their personal information is compromised. North Carolina's Identity Theft Protection Act requires notification without unreasonable delay. Failure to comply can result in penalties and litigation.

HIPAA for health-related nonprofits. Nonprofits that provide healthcare services, substance abuse treatment, mental health counseling, or other health-related programs may be covered entities or business associates under HIPAA. HIPAA's Security Rule requires specific administrative, physical, and technical safeguards for protected health information. Violations carry penalties up to $2.13 million per violation category per year.

Our CEO Craig Petronella has written extensively about compliance for organizations with limited resources across his 15 published books on cybersecurity. The consistent finding is that compliance does not require large budgets. It requires understanding your obligations, implementing the controls that address the highest risks, and documenting what you have done. PTG's ComplianceArmor platform helps organizations of all sizes track their compliance posture across multiple frameworks, making it practical for nonprofits to demonstrate due diligence to funders, regulators, and the communities they serve.

Managed Services for Nonprofits

For nonprofits that cannot justify a full-time IT hire, managed IT services provide access to professional security expertise on a predictable monthly budget. A managed service provider handles firewall management, endpoint protection, patching, backup monitoring, and security incident response so your staff can focus on the mission rather than troubleshooting technology problems.

When evaluating managed service providers, look for experience with nonprofit organizations, willingness to work within nonprofit budgets, and the ability to help with compliance requirements relevant to your sector. Ask about their incident response capabilities, their approach to security monitoring, and whether they provide regular reporting on the health and security of your environment.

PTG has supported nonprofits in the Raleigh-Durham region and beyond since our founding, and we structure our engagements to fit the financial realities of mission-driven organizations. Security-first thinking has been part of our approach since day one because we understand that the organizations most in need of protection are often the ones least equipped to provide it on their own.

Taking the First Steps

You do not need to implement everything in this guide at once. Start with the highest-impact, lowest-cost measures: enable MFA everywhere, configure email security, ensure automatic updates are running, and establish a backup routine. Then work through the remaining recommendations as budget and capacity allow. Even incremental improvements dramatically reduce your risk profile.

If you need help assessing your current security posture or building a practical security plan that fits a nonprofit budget, contact our team. We will help you identify the gaps that matter most and build a path forward that protects your mission without straining your resources.

Craig Petronella
CEO & Founder, Petronella Technology Group | CMMC Registered Practitioner

Craig Petronella is a cybersecurity expert with over 24 years of experience protecting businesses from cyber threats. As founder of Petronella Technology Group, he has helped over 2,500 organizations strengthen their security posture, achieve compliance, and respond to incidents.
