4 Cybersecurity Best Practices for Community Nonprofits

Cybersecurity is a stressor for many nonprofits and community organizations. Make sure you’re doing your part to keep data safe with these best practices.

By Jay Love

In an increasingly digital world, it is important for nonprofits to ensure that employees and donors have the tools to operate safely and effectively online. With over 33 years in the mission-driven sector, Co-founder and Chief Relationship Officer at Bloomerang Jay Love offers the following advice for organizations.

During 2020, both for-profit and nonprofit employees began working from home to ensure safe practices during the COVID-19 pandemic. While remote work has its benefits, this desire to keep everyone safe and healthy was also accompanied by other risks, particularly when it came to cybersecurity. 

According to this resource, in 2020 alone, 330 million individuals across 10 countries fell victim to cybercrime. Plus, in the remote work environment, 73% of Americans say they’re spending more time online than ever before, 59% say they’re worried about cybercrime, and 56% find it difficult to distinguish credible versus non-credible sources. 

Nonprofits aren’t exempt from these concerns. Cybersecurity is necessary to keep your data, your donor information, and your finances safe. When you experience a breach, you run the risk of losing your supporter’s faith for a long time, potentially ruining your organization’s reputation.

In this guide, we’ll cover four best practices community-based organizations that might not have extensive experience in the security sector can implement today. This is the first step to keeping your organization safe. We’ll cover the following strategies: 

  1. Ensure Secure Password Policies
  2. Pay Attention to Security News
  3. Update Your Apps Frequently
  4. Educate Your Staff Members

These tips are all taken from Bloomerang’s comprehensive nonprofit cybersecurity guide. After you’ve implemented these four foundational best practices to get your feet wet in the cybersecurity world, we recommend revisiting the complete guide to determine additional protocols you can implement to keep your organization safe. 

1. Ensure Secure Password Policies

Do you use the same passwords for all of your logins? Is your password your pet’s name, spouse’s name, or a birthday? These are a few of the most common passwords that individuals use to “secure” their systems. The problem is that using the same password for everything and/or creating passwords based on personal information makes your system weaker and more vulnerable to attack. 

Therefore, one of the best things you can do to protect your system is for your staff members to use modern password protocols. Ask your staff members to create a unique password for each separate login they have with your organization. You might even encourage them to use a secure password manager like LastPass or Dashlane to store these passwords and make logins faster.

Encourage staff members to use password best practices such as: 

  • Create a long password, at least a minimum of 8 characters.
  • Use a mix of letters, numbers, and symbols. 
  • Avoid the common password types (pet names, significant dates, child’s name, partner’s name, etc.).
  • Avoid keyboard pathways, like “qwerty.” 
  • Use either complete passphrases or a randomized mix of letters and numbers for passwords.

In addition to asking staff members to follow these password guidelines, your organization should also be sure to configure your system and adjust permissions so staff members only have access to the information they need.

Let’s say you’ve configured your nonprofit CRM so everyone has full access to everything. You did this because you trust everyone at your organization and don’t see the purpose in trying to hide anything from them. This would mean everyone has access to all data in your donor profiles, including addresses, contact information, and even payment information. 

Let’s say someone at your organization uses the incredibly insecure password, “qwerty123.” Their system gets hacked. Now that hacker also has easy access to all of this sensitive information in your system. Investing in a system that offers secure permissions, configures those permissions properly, and allows team members to only see the information they need, depending on their positions, is one more defense you have against external penetration. 

2. Pay Attention to Security News

When major hacks happen, there are usually a number of patches and immediate fixes that are released to the public. Learning about these fixes right away can help your organization identify potential threats before they become irreparable.

For example, consider the recent cyber attack on the Microsoft Exchange server. Companies were hacked using empty web shells in their systems and their information was held at ransom for upwards of $50,000. 

Microsoft offered a one-click mitigation tool that companies could use to find potential vulnerabilities in their own systems. 

If organizations didn’t pay attention to security news and didn’t know about the hack or mitigation tool, they wouldn’t be able to take action immediately to address the issue. 

During the Microsoft hack, the software company also offered patches to address four of the critical vulnerabilities from the attack. Therefore, organizations that updated their systems right away experienced more immediate protection from these cybersecurity threats. 

3. Update Your Apps Frequently 

When you first invest in any software, vendor, plugins, or apps that your nonprofit uses, you likely do a lot of research to make sure you’re picking the right solution. You might look at guides like this one to determine the features that are most important for your organization, budget, and more. 

But after your initial investment (so long as you’ve made a good choice in software), you probably don’t think a whole lot about how your tools are changing unless you’ve outgrown it or something drastically changes. However, updating your apps as frequently as possible is one of the best ways to make sure you’re keeping your system safe. 

Consider, for example, your nonprofit’s website. When was the last time you saw a notification on the back end of the site that said you had an update available? What went through your head? Chances are, you thought something like this: “Ugh, I just wanted to post to the blog. I’m sure the update can wait until I’m finished.” Then, you probably didn’t go back and install the update. 

When software solutions come out with updates, they usually contain new protocols to create a more secure system. For instance, they might offer updates such as: 

  • Bug fixes or removal
  • Security patches
  • Add new features
  • Remove outdated features

If you’re curious about what types of updates are rolled out with each update of your software, revisit the solution website and look for a changelog. Changelogs explain what the different updates have completed over the years and how those changes have impacted the system. 

Then, be sure you update your software as soon as you see that notification pop up, even if it might take a couple of extra minutes. Your cybersafety is worth it. 

4. Educate Your Staff Members

Finally, as a community-based nonprofit, each of your staff members probably wears several hats at the organization. Undoubtedly, a multi-functional team like this has its advantages. It means your staff members are probably aware of the various activities going on at your organization and how each of those activities helps you meet your ultimate goals. 

This type of organizational structure also usually means your staff members have some level of experience with using the different software solutions available at your organization. They might even use most or all of your software tools daily. For example, a web designer at your organization may also serve as a marketing specialist, meaning they’ll be working with your website and databases. Therefore, they need to prioritize security in every aspect of their role. 

To make sure your staff members are being as safe as possible with your organization’s sensitive data, roll out staff training opportunities to help them learn more about cybersecurity. 

Start by looking through guides like this Nonprofit Courses resource list to see if there are any immediately available security options that you can encourage your team to engage with. 

Then, come together as a group to reflect on the various lessons you learned and apply them to the organization. For instance, your staff members might learn skills like: 

  • The importance of creating strong passwords and tips for doing so.
  • How to recognize phishing scams. 
  • What their responsibilities are when it comes to security. 

When your staff members are well informed about common security risks and threats, they’ll be more likely to take the necessary steps to protect themselves and the organization. You can even take additional security measures like sending regular phishing tests to your staff members to keep them on their toes and reinforce what they’ve learned during cybersecurity courses. 


The shift to remote work and increased use of online networks has led to growing concerns about cybersecurity. Your organization can stay ahead of the game by taking some immediate next steps to keep your system more secure. Having a strategic approach to the most vulnerable aspects of your organization such as password protocols and software updates will help you create a better security procedure. 

Make sure you also take cybersecurity education seriously. Explaining to staff members the importance of safe online procedures will help them implement best practices at your organization and in their personal lives.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s