
ASU Lodestar Center Blog

Minimizing cybersecurity risks in nonprofits


As nonprofits use more technology, they face increased risk from cybersecurity attacks that organizational leaders must be prepared to address. While all businesses face these threats, the nonprofit sector is often more vulnerable to attacks due to outdated information systems and equipment. Complicating these concerns is the increased number of remote employees using various internet connections and equipment. With the types and frequency of cyberattacks increasing, the impact of cyberattacks can be financially and operationally devastating unless nonprofits adequately and proactively prepare.

A cyberattack can occur in multiple ways by accessing computers, mobile phones, and network systems. In 2020, 330 million people were victims of cybercrime, and the FBI has estimated that cyberattacks have increased by 300% over the past three years. The costs to businesses are also escalating, and recent information shows that nonprofit organizations are more vulnerable to cyberattacks than for-profit businesses. To manage this vulnerability, nonprofit leaders must address cyber risk through strategic planning to ensure their organizations are adequately prepared for a cybersecurity attack.

Create a steering committee

The first step a nonprofit organization should take is to create an IT steering committee responsible for developing strategic and tactical cybersecurity plans. Cybersecurity is not just an IT function but involves all aspects of the organization. Therefore, the committee should include representation from the organization's departments and, at a minimum, include IT, human resources, finance, and operations. As the cybersecurity plan is implemented, the committee ensures that processes are developed, followed, and consistent with the mission and values of the agency.

Assess the current system

Fundamental to any cybersecurity plan is completing a comprehensive cybersecurity assessment. This assessment evaluates the organization's physical security, equipment, software, network, and personnel access. As issues are identified, processes are developed and monitored to address security gaps. The assessment should be conducted regularly to ensure that the organization follows industry best practices and that any new cyber threats are addressed.

As cyber threats constantly evolve, adopting security platforms that identify and protect against threats is essential. Preventing a cyberattack is critical, and it begins by maintaining and upgrading the organization's hardware and software. Nonprofits should have dedicated roles that ensure that computer systems are up to date, security patches are applied, and backup procedures are in place.

Train employees

The most important aspect of prevention is educating employees on cybersecurity. Social engineering attacks are the hardest to prevent as they involve employees unknowingly allowing cybercriminals access to the organization's IT systems. Therefore, nonprofit leaders should ensure employees receive regular and ongoing education to increase awareness, recognition, and reporting of socially engineered cyberattacks. Additionally, nonprofits should adopt multifactor authentication (MFA) for all employees. MFA has been shown to reduce the risk of successful cyberattacks.

Have a response plan

Finally, nonprofit organizations should have a plan for when a cybersecurity attack is successful. With cybersecurity attacks increasing, a response plan should cover containing a breach, assessing its impact, and communicating necessary information to the organization's employees and stakeholders. Once the breach is addressed, a comprehensive assessment should be conducted to determine the type of attack, why it was successful, what was accessed, and to what degree. This assessment will help identify the areas to address to prevent future attacks.

As nonprofits continue to use more technology, their risk of cyberattacks increases. However, by taking a strategic approach, nonprofits can help protect their assets that enable them to meet their missions.

Greg Wellems is a 2023 graduate of the Master of Nonprofit Leadership and Management Program at Arizona State University. With over 30 years of management and leadership experience, he serves as the Vice President of Operations for Keystone Human Services, overseeing Intellectual Disability Services in Pennsylvania, Delaware, and Partnerships for People in New Jersey.

Illustration by Lillian Finley


Greg Wellems

