Protecting Donor Trust: The Simple Security Steps Every Nonprofit Should Take

If you run a nonprofit, trust is everything.

People give you their time.
Their money.
Their heart.

The least we can do is protect their information.

This isn’t a technical post. It’s a practical one. These are straightforward things every nonprofit should be thinking about right now — especially as cyberattacks increasingly target smaller organizations.

Let’s keep it simple.

Have a Clear Data Protection Policy

If you collect donations, event registrations, volunteer signups, or newsletter subscriptions — you’re collecting personal information.

That means you need a written policy that answers a few basic questions:

  • What information do we collect?
  • Why do we collect it?
  • Who can access it?
  • How long do we keep it?
  • Do we share it with anyone?

This doesn’t have to be complicated. It needs to be clear. Your donors should never have to guess what happens to their information.

Depending on where you operate or who donates to you, privacy laws (like GDPR or state-level regulations) may apply. I’m not your attorney — so make sure you check with legal counsel — but having a documented, thoughtful policy in place is step one.

Strong policy = donor confidence.

Keep Your Systems Updated (This Is Bigger Than You Think)

Most cyberattacks don’t happen because someone outsmarted you. They happen because something wasn’t updated.

Hackers actively look for outdated systems and software. When updates come out, they fix known vulnerabilities. If you delay those patches, you’re leaving the door open.

At a minimum, nonprofits should:

  • Keep Windows or Mac systems updated
  • Update Microsoft 365 or Google Workspace apps
  • Update server software (if you have one)
  • Update PDF readers, browsers, and productivity tools

Many updates can be automated. But someone still needs to own it. Reputation damage from a breach is far more expensive than staying current.

Be Careful What You Collect (And Where You Put It)

Here’s a hard truth: the safest data is the data you don’t collect. Ask yourself: Do we really need this information? If it’s optional, make it optional.

Also consider how long you’re keeping donor data. If someone gave once in 2014 and never again, does your organization still need that record?

Now let’s talk about storage. If donor information lives in:

  • Multiple Excel spreadsheets
  • Email attachments
  • Files on someone’s desktop

That’s a problem. Spreadsheets aren’t built for security, tracking access, or compliance. And email is not secure file transfer — especially when sensitive information is involved. If budget allows, a donor management system or CRM is far safer and far easier to manage long term.

And if you must use spreadsheets?

  • Store them in secure cloud storage (Microsoft 365, OneDrive, etc.)
  • Restrict access
  • Never email them as attachments

Limiting access also matters. The fewer people with access to donor data, the lower the risk.

Lock Down Staff and Volunteer Accounts

Technology is important, but people are your biggest risk — and your biggest defense. Start with the basics:

Strong Passwords

Longer is better.
Don’t reuse passwords.
Use a password manager.

Multi-Factor Authentication (MFA)

This is huge. If you do only one thing after reading this blog, turn on MFA. That extra code sent to your phone or authenticator app makes it dramatically harder for someone to break in — even if they steal a password.

Remove Access When People Leave

Volunteers rotate. Staff transitions happen. Make sure accounts are immediately disabled when someone is no longer affiliated with your organization. Lingering accounts are an easy entry point for attackers.

Why This Matters More for Nonprofits

Cybercriminals often assume nonprofits:

  • Don’t have IT staff
  • Don’t have strong protections
  • Won’t prioritize security

That makes nonprofits attractive targets. And a breach doesn’t just cost money. It damages donor confidence, creates embarrassment, and pulls focus away from your mission. And your mission is too important for that.

Security doesn’t have to be complicated. It just has to be intentional. At ATCOM, we work with nonprofits across North Carolina who are doing incredible work in their communities. Our job is to help protect the foundation that allows you to focus on that work.

If you’d like a no-pressure conversation about your current setup, we’re happy to offer guidance.