Nonprofit IT & Cybersecurity

Your donor database is the most valuable digital asset your nonprofit owns. It contains names, addresses, email addresses, phone numbers, giving histories, wealth screening data, and often credit card or bank account information. A breach of this data would devastate donor trust and potentially end major gift relationships permanently.

CRM Security Services

• Salesforce Nonprofit / Bloomerang / DonorPerfect security: Configuration review and hardening of your donor management platform including access controls, field-level security, sharing rules, and API permissions
• Access control enforcement: Role-based access ensuring development staff see donor records appropriate to their role, program staff access only their program data, and volunteers and interns have strictly limited access
• Data export controls: Preventing unauthorized bulk exports of donor data that could be used for identity theft or shared with competitors. Alerting on unusual export patterns
• Online donation security: Ensuring your donation processing meets PCI DSS requirements, protecting donor payment information from skimming, interception, and unauthorized access
• Backup and recovery: Regular backups of donor databases with tested recovery procedures, ensuring you can restore donor records if data is corrupted, deleted, or encrypted by ransomware

Most nonprofits cannot justify a full-time IT staff person, let alone a security team. Our managed IT services give your organization access to a complete IT department at a fraction of the cost of a single hire.

Managed IT Services Include

• Helpdesk support: Phone, email, and remote support for staff technology issues — email problems, software questions, printer issues, VPN connectivity, and password resets
• Cloud workspace management: Administration of Microsoft 365 or Google Workspace including user provisioning, security configuration, email management, and Teams/Meet administration
• Device management: Setup, configuration, patching, and monitoring of staff laptops, desktops, and mobile devices with centralized security policies and remote management
• Network management: Office network setup, Wi-Fi security, guest network isolation, firewall management, and VPN for remote workers and branch offices
• Technology planning: Annual technology assessments and budget recommendations so you can plan technology spending in your grant proposals and annual budgets, not react to emergencies

Federal grants, state contracts, and private foundations increasingly require nonprofits to demonstrate adequate cybersecurity and data protection practices. Failing to meet these requirements can cost you grant funding or create audit findings that jeopardize future awards.

Grant Compliance Support

• Federal grant cybersecurity requirements: Implementation of NIST 800-171 or similar controls required by HHS, DOJ, DOE, and other federal agencies for grant recipients handling sensitive data
• OMB Uniform Guidance (2 CFR 200): Technology controls satisfying the administrative requirements for federal awards, including data protection, access controls, and audit trail requirements
• Foundation due diligence: Documentation and evidence that your organization meets the cybersecurity requirements specified in foundation grant agreements and RFPs
• Client data protection: Security controls for beneficiary data in case management systems, health records, housing records, and other program databases that contain protected personal information
• Audit preparation: Organizing technology evidence for A-133 single audits, funder site visits, and compliance reviews

Nonprofits have the most complex access management challenge of any organization type. Paid staff, board members, committee volunteers, event volunteers, interns, AmeriCorps members, consultants, and pro bono professionals all need varying levels of system access — and turnover in several of these categories is very high.

• Tiered access framework: Defined access levels for each role type — staff, board, volunteer, intern, consultant — with pre-configured permission sets that can be assigned and revoked quickly
• Automated onboarding/offboarding: Streamlined processes to grant access when someone joins and revoke it completely when they leave, including email accounts, file shares, CRM access, and building systems
• Board member access: Secure access to board documents and financials through controlled portals rather than emailing sensitive documents to personal email accounts
• Shared credential elimination: Replacing shared login credentials (a common nonprofit practice) with individual accounts that provide accountability and can be revoked independently
• Multi-factor authentication: MFA enforcement for all users accessing organizational systems, with user-friendly methods that do not create barriers for less technically experienced volunteers

Nonprofit cultures built on trust, openness, and collaboration are exactly the qualities that social engineers exploit. Training must acknowledge this tension — teaching security vigilance without undermining the culture that makes your organization effective.

• Nonprofit-specific phishing simulations: Realistic phishing tests using lures that target nonprofits — fake grant notifications, donor impersonation, event registration fraud, and board member impersonation emails
• Short, practical training: Monthly micro-training modules (5-10 minutes) that fit into busy nonprofit schedules without consuming time that should be spent on program delivery
• Board member training: Annual security briefings for board members covering their fiduciary responsibility for data protection, current threats targeting nonprofits, and how to recognize social engineering
• Incident reporting culture: Building a blame-free reporting culture where staff feel comfortable reporting suspicious emails, accidental clicks, or potential security incidents immediately