4 Cybersecurity Best Practices for Community Nonprofits

Cybersecurity is a stressor for many nonprofits and community organizations. Make sure you’re doing your part to keep data safe with these best practices.

By Jay Love

In an increasingly digital world, it is important for nonprofits to ensure that employees and donors have the tools to operate safely and effectively online. With over 33 years in the mission-driven sector, Jay Love, Co-founder and Chief Relationship Officer at Bloomerang, offers the following advice for organizations.

During 2020, both for-profit and nonprofit employees began working from home to ensure safe practices during the COVID-19 pandemic. While remote work has its benefits, this desire to keep everyone safe and healthy was also accompanied by other risks, particularly when it came to cybersecurity. 

According to this resource, in 2020 alone, 330 million individuals across 10 countries fell victim to cybercrime. Plus, in the remote work environment, 73% of Americans say they’re spending more time online than ever before, 59% say they’re worried about cybercrime, and 56% find it difficult to distinguish credible versus non-credible sources. 

Nonprofits aren’t exempt from these concerns. Cybersecurity is necessary to keep your data, your donor information, and your finances safe. When you experience a breach, you run the risk of losing your supporters’ faith for a long time, potentially ruining your organization’s reputation.

In this guide, we’ll cover four best practices that community-based organizations, even those without extensive experience in the security sector, can implement today. This is the first step to keeping your organization safe. We’ll cover the following strategies:

  1. Ensure Secure Password Policies
  2. Pay Attention to Security News
  3. Update Your Apps Frequently
  4. Educate Your Staff Members

These tips are all taken from Bloomerang’s comprehensive nonprofit cybersecurity guide. After you’ve implemented these four foundational best practices to get your feet wet in the cybersecurity world, we recommend revisiting the complete guide to determine additional protocols you can implement to keep your organization safe. 

1. Ensure Secure Password Policies

Do you use the same passwords for all of your logins? Is your password your pet’s name, spouse’s name, or a birthday? These are a few of the most common passwords that individuals use to “secure” their systems. The problem is that using the same password for everything and/or creating passwords based on personal information makes your system weaker and more vulnerable to attack. 

Therefore, one of the best things you can do to protect your system is for your staff members to use modern password protocols. Ask your staff members to create a unique password for each separate login they have with your organization. You might even encourage them to use a secure password manager like LastPass or Dashlane to store these passwords and make logins faster.

Encourage staff members to use password best practices such as: 

  • Create a long password of at least 8 characters.
  • Use a mix of letters, numbers, and symbols. 
  • Avoid the common password types (pet names, significant dates, child’s name, partner’s name, etc.).
  • Avoid keyboard pathways, like “qwerty.” 
  • Use either complete passphrases or a randomized mix of letters and numbers for passwords.
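
The checklist above can be enforced automatically when staff choose a password. The following is an added example, not code from Bloomerang's guide; the four-key threshold for a keyboard pathway, the four-word definition of a passphrase, and the sample personal terms are assumptions made for illustration.

```python
import re

# Keyboard rows used to detect "keyboard pathways" such as "qwerty".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
WALK_LEN = 4          # assumption: 4+ adjacent keys counts as a pathway
MIN_LENGTH = 8        # minimum length stated in the list above
PASSPHRASE_WORDS = 4  # assumption: 4+ separated words counts as a passphrase


def has_keyboard_walk(password):
    """True if the password contains WALK_LEN adjacent keys from one row."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):  # left-to-right and right-to-left
            for i in range(len(seq) - WALK_LEN + 1):
                if seq[i:i + WALK_LEN] in lowered:
                    return True
    return False


def is_passphrase(password):
    """True for several alphabetic words separated by spaces or hyphens."""
    words = [w for w in re.split(r"[ \-]+", password) if w.isalpha()]
    return len(words) >= PASSPHRASE_WORDS


def check_password(password, personal_terms=()):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not is_passphrase(password):
        classes = [
            re.search(r"[A-Za-z]", password),
            re.search(r"[0-9]", password),
            re.search(r"[^A-Za-z0-9\s]", password),
        ]
        if not all(classes):
            problems.append("needs letters, numbers and symbols")
    # Compare with separators stripped so "B-e-l-l-a" still matches "bella".
    squashed = re.sub(r"[^a-z0-9]", "", password.lower())
    for term in personal_terms:
        key = re.sub(r"[^a-z0-9]", "", term.lower())
        if key and key in squashed:
            problems.append("contains personal information")
            break
    if has_keyboard_walk(password):
        problems.append("contains a keyboard pathway")
    return problems


if __name__ == "__main__":
    # Constructed sample: a staff member's pet name and a birthday (MMDD).
    personal = ["Bella", "0614"]
    for candidate in ["qwerty123", "Bella0614!", "maple-orbit-tunnel-crisp"]:
        print(candidate, "->", check_password(candidate, personal) or "OK")
```
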

In addition to asking staff members to follow these password guidelines, your organization should also be sure to configure your system and adjust permissions so staff members only have access to the information they need.

Let’s say you’ve configured your nonprofit CRM so everyone has full access to everything. You did this because you trust everyone at your organization and don’t see the purpose in trying to hide anything from them. This would mean everyone has access to all data in your donor profiles, including addresses, contact information, and even payment information. 

Let’s say someone at your organization uses the incredibly insecure password “qwerty123.” Their system gets hacked. Now that hacker also has easy access to all of this sensitive information in your system. Investing in a system that offers secure permissions, configuring those permissions properly, and allowing team members to see only the information they need for their positions gives you one more defense against external penetration.
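
To make the CRM scenario concrete, the sketch below compares what a single compromised login exposes under "everyone sees everything" with what it exposes under role-scoped, deny-by-default permissions. It is an added example, not taken from any particular CRM; the role names, field names, and donor record are hypothetical and constructed for illustration.

```python
# Field-level permissions for a donor record, deny by default.
SENSITIVE_FIELDS = {"address", "phone", "payment_token"}  # constructed labels

# Hypothetical roles; "*" reproduces the "everyone sees everything" setup.
ROLE_FIELDS = {
    "flat_access": {"*"},
    "communications": {"name", "email"},
    "gift_processing": {"name", "email", "address", "payment_token"},
}


def allowed_fields(role, record):
    """Fields of `record` a role may read; unknown roles get nothing."""
    granted = ROLE_FIELDS.get(role, set())
    if "*" in granted:
        return set(record)
    return granted & set(record)


def view_record(record, role):
    """Return only the fields the role is allowed to see."""
    visible = allowed_fields(role, record)
    return {k: v for k, v in record.items() if k in visible}


def exposure_if_compromised(accounts, record):
    """Map each account to the sensitive fields its login would expose."""
    return {
        user: sorted(allowed_fields(role, record) & SENSITIVE_FIELDS)
        for user, role in accounts.items()
    }


# Constructed donor record and staff accounts.
DONOR = {
    "name": "Sample Donor",
    "email": "donor@example.org",
    "address": "1 Example Street",
    "phone": "555-0100",
    "payment_token": "tok_placeholder",
}
FLAT = {"web_editor": "flat_access", "bookkeeper": "flat_access"}
SCOPED = {"web_editor": "communications", "bookkeeper": "gift_processing"}

if __name__ == "__main__":
    print("flat:  ", exposure_if_compromised(FLAT, DONOR))
    print("scoped:", exposure_if_compromised(SCOPED, DONOR))
```

With scoped roles, a stolen web editor password exposes no sensitive donor fields, while the flat configuration exposes all of them from any account.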

2. Pay Attention to Security News

When major hacks happen, there are usually a number of patches and immediate fixes that are released to the public. Learning about these fixes right away can help your organization identify potential threats before they become irreparable.

For example, consider the recent cyberattack on the Microsoft Exchange server. Companies were hacked using empty web shells in their systems, and their information was held for ransom for upwards of $50,000.

Microsoft offered a one-click mitigation tool that companies could use to find potential vulnerabilities in their own systems. 

If organizations didn’t pay attention to security news and didn’t know about the hack or mitigation tool, they wouldn’t be able to take action immediately to address the issue. 

During the Microsoft hack, the software company also offered patches to address four of the critical vulnerabilities from the attack. Therefore, organizations that updated their systems right away experienced more immediate protection from these cybersecurity threats. 

3. Update Your Apps Frequently 

When you first invest in any software, vendor, plugins, or apps that your nonprofit uses, you likely do a lot of research to make sure you’re picking the right solution. You might look at guides like this one to determine the features that are most important for your organization, budget, and more. 

But after your initial investment (so long as you’ve made a good choice in software), you probably don’t think a whole lot about how your tools are changing unless you’ve outgrown them or something drastically changes. However, updating your apps as frequently as possible is one of the best ways to make sure you’re keeping your system safe.

Consider, for example, your nonprofit’s website. When was the last time you saw a notification on the back end of the site that said you had an update available? What went through your head? Chances are, you thought something like this: “Ugh, I just wanted to post to the blog. I’m sure the update can wait until I’m finished.” Then, you probably didn’t go back and install the update. 

When software solutions come out with updates, they usually contain new protocols to create a more secure system. For instance, they might offer updates such as: 

  • Bug fixes or removal
  • Security patches
  • New features
  • Removal of outdated features

If you’re curious about what types of changes are rolled out with each update of your software, revisit the solution’s website and look for a changelog. Changelogs explain what the different updates have changed over the years and how those changes have impacted the system.

Then, be sure you update your software as soon as you see that notification pop up, even if it might take a couple of extra minutes. Your cybersafety is worth it. 

4. Educate Your Staff Members

Finally, as a community-based nonprofit, each of your staff members probably wears several hats at the organization. Undoubtedly, a multi-functional team like this has its advantages. It means your staff members are probably aware of the various activities going on at your organization and how each of those activities helps you meet your ultimate goals. 

This type of organizational structure also usually means your staff members have some level of experience with using the different software solutions available at your organization. They might even use most or all of your software tools daily. For example, a web designer at your organization may also serve as a marketing specialist, meaning they’ll be working with your website and databases. Therefore, they need to prioritize security in every aspect of their role. 

To make sure your staff members are being as safe as possible with your organization’s sensitive data, roll out staff training opportunities to help them learn more about cybersecurity. 

Start by looking through guides like this Nonprofit Courses resource list to see if there are any immediately available security options that you can encourage your team to engage with. 

Then, come together as a group to reflect on the various lessons you learned and apply them to the organization. For instance, your staff members might learn skills like: 

  • The importance of creating strong passwords and tips for doing so.
  • How to recognize phishing scams. 
  • What their responsibilities are when it comes to security. 

When your staff members are well informed about common security risks and threats, they’ll be more likely to take the necessary steps to protect themselves and the organization. You can even take additional security measures like sending regular phishing tests to your staff members to keep them on their toes and reinforce what they’ve learned during cybersecurity courses. 


The shift to remote work and increased use of online networks has led to growing concerns about cybersecurity. Your organization can stay ahead of the game by taking some immediate next steps to keep your system more secure. Having a strategic approach to the most vulnerable aspects of your organization such as password protocols and software updates will help you create a better security procedure. 

Make sure you also take cybersecurity education seriously. Explaining to staff members the importance of safe online procedures will help them implement best practices at your organization and in their personal lives.

5 Training Tips for Multi-Functional Nonprofit Teams

Nonprofit training is the key to running a successful organization. Learn how to incorporate these tips into your training to make the most of your resources.

By Matt Hugg

Training your nonprofit team is more important than ever. Methods and operations are changing daily, whether that’s for accounting and tax-filing, fundraising, program delivery, or any of the dozens of other functions in your organization. 

Then there’s the issue of liability. What if you make a mistake because you or your team members weren’t fully trained? Not to mention, learning the latest in whatever you do can be a lot cheaper than continuing on in the old, inefficient way. 

So, yes, you have no choice. You, your staff, and volunteers need to keep up. 

What are some great ways to keep multi-functional teams up to speed? Here are five powerful tips from experienced nonprofit training professionals:

1. Implement cross-training.

Cross-training isn’t new. You learn someone else’s job, and they learn yours. Then, if something happens, you’re both covered.

The problem is that a lot of people feel threatened by cross-training. They interpret it as the first step to replacing them, or at least making them more vulnerable to layoffs. “After all,” the rationale goes, “if someone else can do my job, why do they need me?”

The way someone takes to cross-training speaks more to the culture of the workplace than the value of the practice. There’s no doubt that understanding someone else’s job is valuable. 

Just imagine—and unfortunately, this is more than theoretical these days—your colleague comes down with an unexpected illness. They could be out for weeks. You can’t just stop providing your services because one person isn’t there. Given the state of today’s world, we’re probably in the best position to make a non-threatening case for cross-training. 

So how do you begin? Effective cross-training doesn’t start when you show up at someone’s desk and say, “show me how.” Instead, it starts with something everyone should be doing: documenting their work processes. 

Creating a “how-to” manual for your job may seem like busywork, but it’s an effective way to learn your job in the best way possible while reflecting the brand and values of your nonprofit. It can also be valuable for performance evaluations and if someone needs to step into your role in an emergency.

With your manual in hand (or more likely, on a screen or tablet), you’re ready to start cross-training. 

First, pair off your staff. It might seem logical to match people with similar or equivalent positions, especially when specific skills or licensures are involved, for example, matching a social worker who cares for children with one who cares for the elderly. However, you can reap even greater benefits (and provide greater insights) by connecting people with entirely different roles, like a manager with a coordinator or a person from one department with someone from another.

To get the job done faster and with some measure of enthusiasm, institute an incentive system. Consider rewarding the team (with money, a day off, a gift card, etc.) when the trainee can successfully show competence in the work they’re learning.

2. Incorporate multi-channel learning.

It shouldn’t come as any surprise that humans are wired in a variety of ways in how they best receive information. Some of us learn best by reading. Others love video. Others still get the most out of podcasts. And let’s not forget the ones who need a live classroom, whether online or in-person. Everyone has their favorite.

When it comes to training your staff, there’s good news and bad news in this. The good news is that if you pick the right one, your team’s ability to receive and process information will skyrocket, and you’ll have a more effective staff as a result. The bad news is that producing training in so many ways is time-consuming and costly. Plus, the same person who can write a training manual may be the wrong person to present that information in a video or podcast and vice versa. 

It would be disingenuous to suggest that you can take a middle ground on this. No matter what method you select, if you stick with a single channel, you’ll get mixed results at best. Some will suck up the information, and others will check out in the first few minutes. So, it’s a good idea to go with two or more channels to better accommodate your learners and ensure that they do the best learning they can.

3. Incentivize education.

What’s disappointing as an educator is knowing that at some time in nearly everyone’s life, they had a bad learning experience—and that’s usually the experience they remember the most. Perhaps they were bored, they had test anxiety, or they even associate education with the physical and emotional pain that was inflicted by bullies or terrible teachers. So, when you say “we’re having a training session on that,” you can almost see the flashbacks on their faces as they return to whatever bad experience they recall.

Since you can’t guarantee that someone will joyfully, or at least with an open mind, show up at your training, your best bet is to incentivize them. 

Incentivizing isn’t just a reward at the end of successful completion of your training—although it can be. It starts before the training begins, with a promise that what you’re presenting will be engaging—and yes, even fun. Creating expectations is critical to successful training. You need to market the benefits of attendance, even if it’s required. Training is more effective, and easier to carry out, if the trainees want to be there.

Then, of course, you need to carry out that promise. If you do, recruiting attendees for your next training will be much easier. If you don’t, you shouldn’t be surprised when there are a lot of empty seats in front of you next time.

4. Prioritize ongoing learning.

“Show me your budget and I’ll show you your priorities.” More than likely, you’ve heard this saying before.

So, what’s your budget for staff and volunteer education and training? What does it tell us?

You’re going to pay for education one way or another. If it’s not in your budget, many of your staff and volunteers won’t take the initiative and expense on themselves. You’ll “pay” in using outdated processes, high staff and volunteer turnover, and maybe even a lawsuit that hits when someone makes a costly mistake because they’re not properly trained for their function. That means organizational training is actually one of the smartest investments you can make!

But paying for education may not mean paying for someone to take a class or go to a conference. There are a lot of free resources out there. For a low-cost training initiative, you could equip someone to organize a certification program that takes staff or volunteers through specific videos, documents, or podcasts with a test you devise at the end. 

Or, you could set up your own training programs using in-house staff. It’s been shown that if you need to teach someone else, you learn that subject better yourself, as well. Assigning someone on your staff to teach fellow team members can be a growth experience for them and an excellent learning experience for others.

5. Keep it short and focused. 

The human brain is a funny thing. It’s much more powerful than the fastest computer we can build, but it works best when data is input in short, measured flows. 

Think of a funnel and a hose. If you turn the hose on full blast, it’s easy to overwhelm the funnel and spill water all over the ground. If you regulate the flow, you get full value from the water when it all goes down the tube. It’s the same with the human brain.

In professional development, this means keeping your subject matter focused and presenting it in short bursts of time, like 20 minutes or less.

This doesn’t mean you have to schedule 60 minutes of training over three days. It means scheduling strategic breaks and processing time into your training. For example, watch a short video (less than 20 minutes), then complete a review questionnaire, interact with other learners about the subject, or take a coffee break. Just make sure you’re giving time for your material to sink in before pushing more down the funnel.


Education and training are too valuable to your nonprofit to leave them to chance. You can’t waste your organization’s resources on ineffective training, and you can’t afford not to train, either. Your staff, volunteers, and most importantly, those you serve, deserve it. Good luck!

Matt Hugg is an author and instructor in nonprofit management in the US and abroad. He is president and founder of Nonprofit.Courses, an on-demand, eLearning educational resource for nonprofit leaders, staff, board members, and volunteers, with thousands of courses in nearly every aspect of nonprofit work.  

He’s the author of The Guide to Nonprofit Consulting, and Philanders Family Values, Fun Scenarios for Practical Fundraising Education for Boards, Staff, and Volunteers, and a contributing author to The Healthcare Nonprofit: Keys to Effective Management.

Matt teaches fundraising, philanthropy, and marketing in graduate programs at Eastern University, the University of Pennsylvania, Juniata College, and Thomas Edison State University via the web, and in-person in the United States, Africa, Asia, and Europe. He is also a popular conference speaker