How nonprofits can improve their cybersecurity fundamentals
Improving digital security in most nonprofit organizations means doing more with less. Here’s how to make the most of inexpensive tools and create practices that enhance cyber awareness at every level.
Key takeaways
- Opportunistic cybercriminals will attempt to exploit any organization for profit. But nonprofits must also defend against disruption of operations, mission compromise and attempts to manipulate their donor base.
- Cybersecurity must become part of your nonprofit’s culture, with everyone — both in the office and in the field — invested in protecting the organization.
- Security is not an all-or-nothing objective. Even incremental improvements will immediately benefit your organization’s security profile.
Opportunistic cybercriminals present a financial threat to organizations of all sizes and in all industries. Nonprofits are often particularly enticing targets because they store donor profiles that often include financial information. Nonprofits might also be targeted by malicious actors whose primary motivation is to damage these organizations’ missions and outreach.
Additionally, the challenge of paying competitive salaries is one of the main reasons nonprofits are sometimes unable to hire professional staff.1
In the face of a global shortage of skilled cybersecurity employees (over four million in 2024),2 nonprofits need to do more with less. These organizations must find cost-effective methods to improve cybersecurity around their digital payments, data storage, internal and external communications and networks.
Fortunately, even incremental improvements are worthwhile. The more an organization creates a culture of cybersecurity awareness, the better prepared it will be to avoid many incidents and mitigate their impact when they occur.
No matter how modest the operational budget and cybersecurity know-how may be in your organization, the guidelines below can raise awareness and tighten controls. Here’s how you can start:
61%: Percentage of nonprofits reporting an increase in their cyber-risk over the past year3
Create and continually update your cyber response plan
Like natural disasters, cyber incidents present a measurable risk to your organization and should be met with an intentional response. A cyber response plan that identifies key stakeholders, establishes communications protocols and outlines data backup and recovery processes for employees, volunteers and leadership is essential to understanding and managing cyber-risk. The plan should reflect the risk associated with the work your nonprofit does and the amount of sensitive information it stores. The organization should update the plan to reflect significant changes in its operations or functions.
Educate your organization on the current threat landscape
Cybercriminals still rely on many well-known tactics, including fake donor scams, phishing, business email compromise, ransomware and social engineering, to gain access to all types of organizations, including nonprofits. Ensure that all employees and volunteers receive information regarding these threats.
20%: Percentage of nonprofits with no dedicated cybersecurity program4
Deploy low-cost protections
Nonprofits are becoming more proactive about implementing cyber-defense fundamentals, but many are only covering the basics. Making use of password managers, multifactor authentication, biometrics and other tools that protect account access does not eliminate cyber-risk, but when implemented and used regularly, it can reduce it. Other basic IT functions, such as regular system backups, antivirus scans, software updates and network traffic filtering, can provide an additional layer of protection.
Inventory and manage employee devices
One study found that only 16% of nonprofits have a device management plan in place.6 Your organization should regularly account for all internet-connected devices that access its network or systems and ensure they’re outfitted with the latest software and security controls.
If your organization relies on volunteers and employees who use personal devices for work, raise awareness of the risks such devices pose to the organization. Educate them about personal security and how to secure devices when they use them for work. Additionally, provide ongoing awareness training that keeps your organization current about scams and indicators of device compromise (e.g., rapid battery drain, overheating and spikes in data consumption).
Creating an effective security framework
There are many models for developing a security-focused culture in businesses; most are useful guides rather than strict plans. The zero trust model, for instance, provides a framework for operations and is based on the principle that trust and access should be granted only on an as-needed basis. The National Institute of Standards and Technology describes zero trust in terms of "guiding principles," such as:
- Prevent unauthorized access to data and services.
- Minimize "implicit trust zones."
- Secure all communication, regardless of network location.
- Consider all data and computing services to be valued resources.
- Enforce dynamic authorization protocols, including multifactor authentication.
- Update security via ongoing collection of data and insights related to enforcement.
Think of cybersecurity as part of your mission
Cyber awareness must be consistent throughout your organization, including advisory boards, leadership and every type of employee and volunteer. Leadership can set an example by undertaking regular trainings to help them stay alert to potential threats and explaining the value of training across the organization. Internal messaging can emphasize that prioritizing cybersecurity hygiene provides direct support for the nonprofit’s mandates and core objectives.
Make cybersecurity a priority for working relationships
Nonprofits can reduce the threat of cyber incidents that originate with third parties by prioritizing shared security. Be ready to ask service providers and other partners about their own security methods and encourage the sharing of information on emerging threats and solutions. Work with financial institutions that can help your organization protect donations and other transactions and keep donors’ payment information safe.
5.2%: Percentage of U.S. GDP generated by nonprofit organizations in 20235
Limit data access and permissions
Many data breaches begin when hackers steal an authorized user’s credentials and use them to access sensitive files and data. A simple, cost-effective way your organization can hedge against this risk is by restricting employee access to only the data they need to do their jobs. By the same principle, only designated IT personnel should have permission to install software and applications on company devices.
Contact your Bank of America nonprofits representative to discuss this topic or other ways we can help.
1 The Center for Effective Philanthropy, “State of Nonprofits 2024: What Funders Need to Know.”
2 World Economic Forum, “Bridging the Cyber Skills Gap,” 2025.
3 NetHope, “2024 State of Humanitarian and Development Cybersecurity Report.”
4 Ibid.
5 Independent Sector, “Health of the U.S. Nonprofit Sector, Annual Review 2024.”
6 NetHope, “2024 State of Humanitarian and Development Cybersecurity Report.”