How Nonprofits Handle Donor Cybersecurity

In the nonprofit world, trust is currency. Donors give not only their money but also their personal information, including their names, emails, payment details, and sometimes even Social Security numbers for tax purposes. Yet many small and midsize nonprofits operate without the robust cybersecurity frameworks that protect corporate or government systems. This investigative look examines how nonprofits handle donor cybersecurity and where they fall short.

When a Maryland utility-assistance organization suffered a suspected phishing attack in 2020, staff discovered how thin their cyber defenses really were.

“We relied on goodwill and basic antivirus software,” admits one former employee. “Once a donor reported suspicious emails, we realized how vulnerable we were.”

Their experience is far from unique. According to the Nonprofit Technology Network (NTEN), nearly 60% of nonprofits lack a dedicated IT security budget.

The problem often begins with underfunding. Nonprofits prioritize program delivery over digital infrastructure. But with donor data becoming a target for cybercriminals, experts warn that ignorance is no longer an excuse.

“Hackers see nonprofits as soft targets,” says a cybersecurity researcher at the University of Maryland. “They hold valuable financial and personal data, but lack resources to defend it.”

Some nonprofits are taking proactive steps. Organizations like the Red Cross and Save the Children have invested in threat monitoring and zero-trust architecture. Smaller groups, however, rely on cloud-based CRMs and third-party vendors like Salesforce, Raiser’s Edge, or Classy, and assume that these vendors handle all security needs. But this creates blind spots: misconfigured databases, weak passwords, and untrained staff can still lead to data leaks, regardless of how well the vendor secures its own platform.

A 2024 report by CyberPeace Institute found that nonprofits experienced a 30% year-over-year increase in weekly cyberattacks in 2024.

“Human error remains the number one threat,” suggests a donor with a background in data privacy. “You can’t secure data if your staff doesn’t know how to recognize a phishing email.”

Experts recommend that nonprofits adopt the NIST Cybersecurity Framework, require multi-factor authentication, and provide annual security training for staff. Donors, meanwhile, can take their own precautions by verifying website legitimacy, donating through secure gateways, and asking how their data will be used and stored.

As cyber threats evolve, the nonprofit sector faces a crossroads: treat donor data as a sacred trust, or risk reputational damage and financial loss. In an era where giving depends on confidence, cybersecurity is no longer just a technical issue; it is a moral one.

Anne Woappi
Independent Author & Investigative Journalist
