Cybersecurity for Small Nonprofits: Protecting Donor Data on a Limited Budget
Nonprofits Are Targeted More Than Most Organizations Realize
Small nonprofits often assume they are not interesting enough to target — their budgets are modest, their profiles low, and their assets seemingly limited. Attackers do not see it that way. Nonprofits hold valuable donor databases with credit card information and personal financial data, handle significant donation payment flows, and frequently have limited IT resources and security awareness. This combination of valuable data and limited defenses makes nonprofits disproportionately attractive targets, particularly for business email compromise and donation fraud schemes.
The good news: several major technology vendors offer significantly discounted or free software for qualifying nonprofits — making strong security achievable at costs far below what comparable commercial organizations pay.
Nonprofit-Specific Cybersecurity Threats
Donation Fraud and Payment Diversion
Attackers impersonate executive directors or board members via email, requesting changes to donation processing accounts or diverting major donor wire transfers to fraudulent accounts. The pattern mirrors business email compromise in commercial settings — the high emotional stakes of nonprofit missions and the deference employees show to leadership create conditions where fraudulent requests are acted on without adequate verification.
Defense: Establish a verbal verification requirement for any change to banking or payment processing information. Any email requesting changes to where donations are deposited — regardless of the apparent sender — requires a phone call to a verified number before action is taken.
Donor Database Breaches
Nonprofit donor databases contain names, addresses, email addresses, donation histories, and frequently credit card or bank account information for recurring donors. A breach of this database violates donor trust, triggers state breach notification obligations, and can result in loss of major donors who no longer feel their data is protected.
Defense: Use a cloud-based CRM platform (Salesforce Nonprofit, Bloomerang, Little Green Light) that handles data security at the platform level, with strong access controls and encryption. Minimize local storage of donor data — if it lives in the cloud platform rather than Excel files on local computers, the breach surface is dramatically smaller.
Phishing Targeting Grant and Program Staff
Program staff and grant writers frequently communicate with government agencies, foundations, and corporate donors — creating a communication environment that sophisticated phishing emails can convincingly imitate. Fake grant notifications, government agency impersonation, and foundation portal credential-harvesting attacks specifically target nonprofit staff.
Free and Discounted Security Resources for Nonprofits
The most significant advantage nonprofits have in cybersecurity is access to deeply discounted technology:
- Microsoft 365 Business Premium through TechSoup: Qualifying nonprofits can access Microsoft 365 Business Premium — which includes Defender for Business EDR, Intune MDM, Defender for Office 365, and the full productivity suite — for approximately $3 to $5 per user per month versus the commercial rate of $22/user/month. This is the single most impactful technology discount available to nonprofits. Apply through techsoup.org.
- Google Workspace for Nonprofits: Qualifying nonprofits receive Google Workspace Business Standard free of charge through Google for Nonprofits. Apply at google.com/nonprofits.
- Cloudflare for Nonprofits: Free Cloudflare Pro plan for qualifying nonprofits — includes WAF, DDoS protection, and CDN for the nonprofit website.
- Cisco Meraki for nonprofits: Deep discounts on Meraki networking equipment through TechSoup for qualifying organizations.
- CrowdStrike for Good: Significant EDR discounts for nonprofits meeting program criteria.
Practical Security Priorities for Small Nonprofits
With limited IT staff and budgets, nonprofits should focus security resources on the highest-risk areas:
- MFA on all accounts — especially email: A compromised executive director email account used to request fraudulent wire transfers is one of the most damaging scenarios for nonprofits. MFA on every account prevents this regardless of password strength.
- Donation processing through a PCI-compliant processor: Stripe, PayPal, Clover — ensure donation processing uses a validated payment processor that handles card data security. Donor card data should never sit on nonprofit-managed systems.
- Payment diversion prevention protocol: The verbal verification requirement for banking changes costs nothing and prevents the most financially damaging attack type facing nonprofits.
- Donor database access controls: Only staff who need access to the full donor database for their role should have it. Restrict download and export capabilities to senior leadership.
- Cyber insurance: Many nonprofit insurance policies can be extended to include cyber liability coverage at modest cost. Given the breach notification costs that follow donor data exposure, cyber insurance is worth evaluating as part of the organization’s overall insurance program.
Volunteer and Board Member Security
Nonprofits involve volunteers and board members who access organizational systems from personal devices with varying security postures. Key controls:
- Board members with access to financial systems or sensitive donor data should be enrolled in the organization’s MFA requirements regardless of volunteer status
- Provide board members with access to the organization’s password manager for any credentials they hold
- Create a simple device use policy for volunteers who access nonprofit systems — minimum screen lock and current OS version requirements
- Revoke board and volunteer access promptly when terms end or relationships change
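The "MFA on all accounts" priority above and the board-member enrollment control in this list both come down to one recurring check: which enabled accounts, staff or guest, still have no second factor or only an SMS fallback. The script below is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in admin can consent to the two read-only scopes it requests.

```powershell
# Added example (not from the article): audit Microsoft 365 accounts for MFA coverage.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in admin
# can consent to User.Read.All and UserAuthenticationMethod.Read.All.

# Classify a user's registered authentication methods (the '@odata.type' values
# Graph returns) as Strong, Weak, or None. "Strong" = authenticator app, FIDO2 key,
# Windows Hello, or OATH token; "Weak" = only SMS/voice or email; "None" = password only.
function Get-MfaStrength {
    param([string[]]$MethodTypes)
    $strong = @(
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
        '#microsoft.graph.fido2AuthenticationMethod',
        '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
        '#microsoft.graph.softwareOathAuthenticationMethod'
    )
    $weak = @(
        '#microsoft.graph.phoneAuthenticationMethod',
        '#microsoft.graph.emailAuthenticationMethod'
    )
    if ($MethodTypes | Where-Object { $strong -contains $_ }) { return 'Strong' }
    if ($MethodTypes | Where-Object { $weak -contains $_ })   { return 'Weak' }
    return 'None'
}

Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome

# Enabled accounts only. Guest accounts are how board members and volunteers
# invited from personal email addresses usually appear, so they are included.
$users = Get-MgUser -All -Filter 'accountEnabled eq true' `
    -Property Id,UserPrincipalName,UserType

$report = foreach ($u in $users) {
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    $types = @($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] })
    [pscustomobject]@{
        User     = $u.UserPrincipalName
        Type     = $u.UserType            # Member or Guest
        Strength = Get-MfaStrength -MethodTypes $types
    }
}

# Accounts with no second factor are protected by a password alone; list them
# first, then the SMS/email-only accounts that should move to an authenticator app.
$report | Where-Object Strength -ne 'Strong' |
    Sort-Object Strength, Type, User | Format-Table -AutoSize
```

Run it again after each board turnover or volunteer onboarding; any account the report lists that is no longer needed is a candidate for the access-revocation step above rather than for MFA enrollment.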
Bottom Line
Small nonprofits face real cybersecurity risks — particularly donation fraud and donor data breaches — but have access to discounted and free technology resources that significantly reduce the cost of strong security. TechSoup-discounted Microsoft 365 Business Premium provides enterprise-grade security at a fraction of commercial cost. Payment diversion prevention, MFA on all accounts, and PCI-compliant donation processing address the highest-risk exposures. Cybersecurity does not have to compete with mission spending when the right discounted tools are used strategically.