If you work for a nonprofit organization, you’re likely using digital tools in your workflow. While digital tools help you do your job more efficiently, they can leave you vulnerable to cyber attacks. Even everyday tasks have risks, like emailing donors and accessing volunteer data from your volunteer management software.
Nonprofits are particularly attractive targets for cybercriminals, and the fallout of a cyberattack could be catastrophic for an organization. The reality is that many nonprofits aren’t equipped to deal with cybersecurity breaches.
It’s important to take these threats seriously and take the necessary steps to protect your organization’s database (including information about volunteers, donors, and community members). In this article, we’ll dive into cybersecurity, explain the risks your organization could face, and detail the steps you can take to protect your data.
- What is Nonprofit Cyber Security?
- State of Nonprofit Cyber Security in 2022
- Do I Need Better Cyber Security at My Nonprofit?
- 4 Tips to Protect Nonprofit Data
- Additional Cyber Security Resources
What is Nonprofit Cyber Security?
You probably know that you should have cyber security protocols to protect your organization’s supporter database, website, or internal processes and communications. But perhaps you don’t know where to begin with the specifics of nonprofit cybersecurity. Let’s get started.
Cybersecurity is the collection of IT systems, controls, and practices used to prevent hackers from accessing and exploiting your data. In a cyber attack, a malicious entity attempts to access your data in order to corrupt it, steal it, or put it to other nefarious uses. Often, cyber theft is financially motivated.
According to Steve Morgan, the founder of Cybersecurity Ventures, “cybercrime [damages include] destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.”
State of Nonprofit Cyber Security in 2022: The Impact of COVID
The COVID pandemic saw an unprecedented number of nonprofit employees and volunteers move their work online. Meetings and fundraisers went digital or hybrid, and more supporters than ever before accessed their favored organizations through personal devices and Wi-Fi routers. While the flexibility of working from home has benefited some individuals, remote work has also created an abundance of new opportunities for cybercriminals.
In 2022, cyber threats are ubiquitous; organizations of all types and sizes have found themselves at increased risk. Ransomware and phishing are some of the biggest threats faced by nonprofits.
Ransomware is particularly effective at extracting financial payouts. The Institute for Critical Infrastructure Technology states that 50% of nonprofits have experienced a ransomware attack.
What Is Ransomware?
Ransomware is malware that uses encryption to capture the victim’s data and hold it for ransom. The organization’s files, applications, or donor data are held captive until the organization pays the demanded sum. According to McAfee, ransomware can quickly freeze an entire organization. This type of cyber security threat funnels billions of dollars to cybercriminals every year.
What Is Phishing?
Phishing is another common scam that affects nonprofit employees and volunteers. Phishing emails are fraudulent messages that require some sort of action on the part of the reader, for example clicking on a link or downloading an attachment. They lure an unsuspecting victim into providing the attacker with sensitive data, and they are often used to steal passwords, install ransomware, and spread viruses in a variety of misleading ways.
Do I Need Better Cyber Security at My Nonprofit?
Most nonprofits are lagging behind in security measures when compared to for-profit organizations. According to a cybersecurity survey commissioned by Microsoft, most nonprofits do not have important cybersecurity measures in place.
The survey specifically found:
- 60% of surveyed nonprofit respondents did not know of or did not have a digital data policy that details how their organization would handle cybersecurity risks or protection of sensitive data.
- 74% of respondents did not use multifactor authentication to access their organizational email account or other business related accounts.
- 92% of nonprofit staff said they use personal devices to log in to organizational email and business accounts. The other 8% reported that even though they did not permit staff to use personal devices, staff did so anyway.
When organizations store and collect data on individual donors, corporate partners, charities, etc., they must put robust safety measures in place. Not only could stolen or hacked data disrupt operations, but it could also trigger the distrust of your donors.
The Council for Nonprofits suggests you develop a solid cyber security plan if you engage in any of the following activities:
- Accepting website donations. If you’re conducting e-commerce of any kind, like accepting donations or selling t-shirts, you need to take extra security measures.
- Providing virtual work or volunteer opportunities. Since the pandemic, many meetings and volunteer opportunities have gone hybrid or completely online. The digital tools we’ve used to stay in touch (here’s to you, Zoom) can also make us vulnerable to cyberattacks.
- Collecting and storing personal data. This includes any “personally identifiable information” from your volunteers or donors. Sensitive information might be driver’s license or social security numbers, employee records, home addresses, telephone numbers, etc.
- Building volunteer or donor profiles. When you are collecting information on the preferences of volunteers and/or donors, you need to take extra measures to protect the data.
- Raising money or providing services to citizens in the European Union. If a US nonprofit provides services to EU citizens AND collects data about those citizens, it must comply with the EU’s General Data Protection Regulation (GDPR).
4 Tips to Protect Nonprofit Data
Nonprofits are often unaware of cybersecurity best practices because of the ever-evolving nature of today’s digital landscape. Even when nonprofits have measures in place, it’s often hard to get team-wide adoption and buy-in. As we’ve learned, nonprofits face significant challenges in maintaining a cybersecurity plan, which is crucial in protecting and securing organizational assets.
Here are 4 quick, cost-effective tips you can follow to protect your nonprofit against cyberattacks:
1. Enable Multi-Factor Authentication
Nonprofits can protect themselves by activating multi-factor authentication. This is a security measure that requires the user to provide two means of verifying their identity: typically the correct username and password, coupled with a second factor such as a code sent to a smartphone, a photo of an ID card, etc.
2. Do Not Reuse Passwords Across Devices
While it’s easier to remember a single password, using the same one across devices is a big security no-no. If you or your organization’s devices get hacked, this mistake makes it easy for cybercriminals to access your other accounts. Nonprofit Tech for Good recommends using a password manager like LastPass. While this will give you a quick boost in security, only 30% of nonprofits report using a secure password manager on their work computers.
3. Make Sure Your Team Has Received Phishing Prevention Training
Did you know that 93% of all cybersecurity incidents are the result of a phishing scam? Even the most sophisticated spam filters are unable to prevent every phishing email from reaching nonprofit employees’ inboxes. The best way to protect yourself and your nonprofit data is to regularly hold phishing prevention training for your staff and volunteers.
With nearly 60% of nonprofits not providing cybersecurity training for their staff, it is no wonder that this scam is so successful. By investing time and energy into training your team to recognize nefarious emails, you can collectively keep your volunteer data more secure and prevent an organization-wide data breach.
4. Look for a SOC 2 Compliant Volunteer Management Software Provider
What is SOC 2 Compliance?
SOC 2 compliance ultimately aims to strengthen the privacy protections around customer data. SOC 2 is a sort of stamp of approval that an organization has specific security policies that are documented and followed. Auditors can and often do ask to review a company’s compliance. SOC 2 measures extend to cloud-based data storage, confidentiality, processing integrity, and the overall security of your data.
Those most concerned with SOC 2 compliance are SaaS companies or those who store customer information in the cloud.
SOC 2 is an exceedingly common security requirement that tech companies must meet today. Surprisingly, though, most volunteer management software companies are not SOC 2 compliant. This leaves your volunteer data at risk.
SOC 2 Compliant Volunteer Management Software
As a volunteer manager, take the extra step to confirm whether your volunteer management software is SOC 2 compliant. You can do so by contacting the company’s Chief Information Officer and asking for a copy of its most recent SOC 2 audit report.
Get Connected volunteer management software is an early adopter of SOC 2 compliance. As a best-in-class volunteer management software provider, Get Connected saw the need for nonprofit organizations to have an added layer of protection when it comes to sensitive volunteer data. With volunteer management software that covers the necessary security, you’re empowered to spend time on more pressing needs within your community.
By making a concerted effort to improve volunteer data privacy and security, volunteer managers can better protect their volunteers and organization against growing digital threats in 2022 and beyond.
Additional Cyber Security Resources
- Volunteer Management Software: 25+ Top Tools for Nonprofits
- Nonprofit Guidelines for Cybersecurity and Privacy
- U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework