
Strengthen Your Nonprofit’s Privacy and Security Operations

Protect the information of your members, donors, and users.


Analyst Perspective

Security and privacy are part of the mission

Don’t neglect data security and privacy in favor of mission-focused tasks. It’s crucial to remember that if privacy and security fall short, it may become impossible to carry out tasks and initiatives that fulfill your mission. The stakes for nonprofits are much higher than for for-profit businesses. Data breaches can put your members, donors, and users at risk, disrupt nonprofit operations, expose liability, and ruin the reputation (and revenue) nonprofits have built.

Nonprofits are starting to pay attention, yet they are slow to act because capital and human resources remain the major obstacles on the path to maturity and consistency.

This report is designed to encourage nonprofits in starting or continuing a security- and privacy-focused path by identifying key data protection challenges and outlining steps nonprofits can take to strengthen their operations, provide consistent protection, and overcome capital and human resource constraints.


Monica Pagtalunan
Research Analyst, Industry Practice
Info-Tech Research Group

Executive Summary

Your Challenge

Security and privacy simply aren’t part of the mission description and only become a priority when painful, reactive incidents move them forward.

Donor/member data is on the line. Proper stakeholder stewardship is essential, and the consequences of cyber risks will impact their support of your movement and, further, your revenue.

Cyber breaches have significant operational impact. Expect costly organizational interruptions, service delays, and potential fines and penalties.

Common Obstacles

Financial resources, staff, and skills to run security and privacy efforts efficiently are limited.

Mission-focused budget initiatives will always win over operational ones. The industry uniquely faces more budget constraints than time constraints.

The foundations of cybersecurity and privacy have not been defined, with the assumption that security and privacy are one and the same.

Cyber insurance is wrongly viewed as a substitute for the security standards the organization lacks.

Info-Tech’s Approach

Articulate the importance of robust cybersecurity and privacy programs to key stakeholders by speaking the language the organization understands.

Understand measures to mitigate the leak or loss of donor/member data by evaluating the intersection of privacy and security and their separately defined Info-Tech frameworks.

Take the first step by assessing your privacy and security gaps.

Info-Tech Insight
A nonprofit organization’s fiduciary obligation and mission promise to prioritize the interests of the stakeholders it serves must be interpreted to include its obligation to protect IT assets that hold personal data through privacy and cybersecurity protocols.

Every nonprofit is different but similar

Nonprofit organizations have different primary purposes…

The nonprofit sector covers a wide range of organization types, each with their own complexity and uniqueness.

…but overall have similar objectives…

Each nonprofit’s mission is central to its purpose. Every decision the board makes focuses on the mission, vision, and values of the organization.

…and sources of funding.

Funding comes from operations, donations from generous stakeholders, grants, membership fees, philanthropic efforts, sponsorship, and government support.

Purpose of Nonprofit Organizations

Info-Tech Insight
Any impact to your generous stakeholders’ satisfaction and perception of the organization will impact their generosity and support of the mission.

Cyber risk is heightened

Diagram of Asset Security and Cybersecurity

Physical asset security is still valid for some nonprofit organizations, especially where paper-based manual processes are prominent. This component includes ensuring that physical devices cannot be easily carried away from the office, locking wall-to-wall filing cabinets, installing physical alarm systems, and storing external hard-drive backups in secure locations.

Data, security, and privacy are the foundations of digital transformation. For the most part, nonprofit organizations are shifting toward digital, with tools such as public-facing websites, social media, online donation forms, and cloud-based platforms.

Members, donors, and users are increasingly using smart devices to access information, engage with the organization, and make donations. Social media remains an important connection tool to promote events, share information, and build a community.

This shift heightens cybersecurity risk. Protecting against it starts with the basics: enabling automatic software updates, enabling firewalls, using long, unique passwords kept in a password manager (changed when compromise is suspected rather than on a fixed schedule), turning on multifactor authentication, and setting individual screen locks on digital devices.

Cyber incidents are on the rise

[Chart: cyber incidents reported among Community IT Innovators' nonprofit clients; values not reproduced here.]

Note: Community IT Innovators exclusively serve nonprofit IT teams from around the world. This report encompasses cyber incidents that have occurred among their clients alone. Therefore, these numbers are not representative of the entire nonprofit industry.

Source: Community IT Innovators, 2022.

The most concerning exposure for nonprofits is the leak of information

It’s not just an IT problem; the organization will be impacted.

Your external stakeholders’ data at risk:
  • Traditional PII
  • Personal data
  • Sensitive personal data

Where it is exposed:
  • Data collection
  • Processing donations
  • Processing event registrations
  • Transferring data, e.g. to the cloud
  • Storing data, e.g. in enterprise systems

Impacts:
  • Exposed confidential/sensitive information
  • Inaccessible data and a compromised environment
  • Reputational damage and loss of support and revenue
  • Legal/regulatory fines and investigations
  • Organization interruption

Nonprofits are attractive as “low-hanging fruit”

"You don't want to become the headline. Our organization relies on people's generosity. If there's a massive breach, people will not donate. With that type of reputational damage, the organization's future would be in jeopardy."
– Ramadji Doumnande, Director of IT Operations and Security at National Parks Conservation Association

Cybercriminals want what nonprofits have – data. The most concerning data breach is the leak of sensitive donor/member information. Donors/members are important external stakeholders that nonprofits heavily rely on for their support, and the exposure of donor/member data can impact their trust and confidence in your organization. Consider the following pieces of personal data that your organization collects:

Traditional PII (personal identifiable information):
  • Full name (if not common)
  • Home address
  • Date of birth
  • Social security number
  • Banking information
  • Passport number
  • Etc.

Personal data (any information relating to an identified or identifiable person):
  • First, middle, and last names
  • IP address
  • Email address or other online identifier
  • Social media post
  • Location data
  • Photograph
  • Etc.

Sensitive personal data (special categories of personal data; some regulations, like GDPR, expand their scope to include these):
  • Biometric data: retinal scans, voice signatures, facial coding, or neuroscience data
  • Health information: patient identification number or health records
  • Political opinions
  • Trade union membership
  • Sexual orientation and/or gender identity
  • Religious and/or philosophical beliefs
  • Ethnic origin and/or race

Source: Qostodian Recon, 2021

Data is an invaluable asset – ensure it’s protected

Industry Case Studies

People Inc

The data of up to 1,000 clients was exposed after an attacker got into an employee’s email account that was protected by a weak password. The accounts involved contained personal, sensitive information including names, addresses, social security numbers, financial data, medical information, health insurance details, and government IDs.
ZDNET, 2019.

American Dental Association

Hackers claimed to have leaked 9 gigabytes of the American Dental Association’s data, and security researchers confirmed that the leak included tax forms (i.e. W-2s), financial spreadsheets, and information about private practices. The ransomware also forced certain critical systems offline, including web-based chat, email, and telephone services.
Forbes, 2022.

International Committee of the Red Cross (ICRC)

The ICRC breach was found and disclosed on January 18, 2022, but the actual intrusion took place the previous year, on November 9, 2021. The attackers exploited an unpatched authentication-bypass vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService Plus, a password-management and single sign-on tool, to place web shells and compromise administrator credentials. The details of more than 515,000 people are believed to have been taken, including names, locations, and contact information.
The Record, 2022.

Trust is required from an external perspective

“Without trust, nonprofits lack a key ‘currency’ that allows them to operate smoothly."
– Jeffrey Moore, Chief Strategy Officer at Independent Sector

Source: The Chronicle of Philanthropy, 2022.

Trust is the currency of the industry. High levels of trust allow nonprofits to raise more money for the mission and build strong working relationships with their supporters and the communities they serve.

Security and privacy breed trust. Protecting financial and personal information of those who contribute is critical to the nonprofit organization’s ability to earn and maintain trust and funding. Forward-thinking organizations understand how important security is to fostering trust, and they often prioritize security at the highest leadership levels (executives and the board) to emphasize its importance.

Strengthen your most valuable asset. To build trust, nonprofit organizations need to pay diligent attention to security and privacy fundamentals and foundations. Organizations can still secure the environment while concentrating on mission-based initiatives.

[Chart: decline in trust of nonprofits; values not reproduced here.]

Source: “Trust in Civil Society,” Independent Sector, 2022.

Human and capital resources constraints are obstacles to privacy and security operations


IT staffing and budget constraints

75% of nonprofit organizations see IT budget as a barrier

82% of nonprofit organizations see staff time as a barrier

Source: nten, 2022.


Effects of cybersecurity skills gap

Nonprofit organizations are not confident in performing basic cybersecurity tasks.

Source: Ipsos, 2022.


Lack of security culture within the organization (executives and/or end-users)

59% of nonprofit organizations do not have cybersecurity training for staff.

Source: nten, 2018.

Constraints have impacted security and privacy maturity levels

Do not give in to the “low pay, make do, and do without” culture.

  • 60% of nonprofits do not have, or do not know of, policies around cybersecurity, equipment usage, and data privacy.
  • 92% of nonprofits state they could access organizational email and files using personal devices.
  • 74% of nonprofits do not have policies that identify personal data among the other data they collect.
  • 64% of nonprofits do not have policies for educating beneficiaries or donors on how their data is used and stored.
Source: Microsoft, 2017

Human and capital resource budget constraints have impacted the quality of security and privacy operations. Organizations are struggling with cyber and privacy basics, increasing the likelihood of cyber incidents.

Under-funding and under-resourcing can have disastrous effects. A data leak is not just a cyber risk; it’s an operational risk. The organization will feel effects related to finances, reputation, operations, and regulations.

Capacity building is critical to the infrastructure and health of a nonprofit organization. IT staffing, budget, skills, and security culture are forces that have fuelled the nonprofit industry’s underinvestment in security and privacy. However, there is opportunity to achieve effectiveness. Strengthening security and privacy is indeed possible, but organizations still believe in the inaccurate assumption that a lack of capital and human resources is an unsolvable problem.

Cyber insurance should not be a band-aid solution intended to cure all cybersecurity concerns

Insurers are raising premiums to keep up with the increase in cyberattacks. The costs of lawsuits, ransomware payouts, and other remediation have driven this increase, and insurers are unwilling to keep absorbing those losses, so policies are getting more expensive.

Organizations with poor cyber hygiene will be rejected or quoted a high premium. It is now harder to qualify for cyber insurance: you will have to attest to the strength of your security controls through a self-assessment, and misstatements on that attestation can be grounds for denying a later claim.

Cyber insurance is not a mitigation plan. Some organizations treat it as a way around improving their security: if losses from an attack are covered, why take extra steps to prevent a breach? Insurance pays some of the cost after the fact; it does not stop the breach, recover data that has already been leaked, or restore stakeholder trust.

It’s one more tool in the toolkit. On top of your security and privacy program, cyber insurance is an extra layer of protection for your supporters’ data. The controls insurers ask about, such as multifactor authentication and tested backups, are the same basics that reduce your risk, so putting them in place serves both purposes.

Cyber insurance premium increase percentage in 2021
Source: Fitch Ratings, 2022

Increase in claim frequency among nonprofits for first half of 2022
Source: Coalition, 2022

Mature your privacy operations

Privacy should not be viewed strictly through a compliance lens

Bring your stakeholders into the picture

By offering stakeholders transparency and control over their personal information, a good privacy program and its policies can shield nonprofit organizations from the financial and reputational harm posed by a data breach, while a flawed policy can exacerbate the problems caused by a breach.

Although regulators focus on the enforcement of these eight areas, understand the impacts on your organization and stakeholders:

Area: impact on stakeholders
  • Privacy impact assessment: Use it to identify and mitigate privacy risks that affect your stakeholders before a new system or process goes live.
  • Privacy notice: Promote transparency and give stakeholders more control over the way their data is collected and used.
  • Data classification: Know which of the data you hold is personal or sensitive so that protection, storage, and retention effort goes where it matters instead of being spread across vast hoards of data.
  • Data retention: Build stakeholder trust by capturing less information to begin with and deleting it when it is no longer needed. Data you do not hold cannot be stolen.
  • Third-party risk management: Do not entrust data protection solely to a vendor. Their poor cybersecurity practices and conduct reflect on you, and you remain accountable to your stakeholders.
  • Cross-border transfer: Know which jurisdictions your stakeholders’ data is stored in and transferred to (cloud and SaaS providers in particular) and which legal mechanism covers each transfer.
  • Data subject request handling: Give your stakeholders a working way to obtain a copy of the personal data your organization holds about them, and to correct or delete it where the law provides for it.
  • Data breach handling: Mitigate damage efficiently to reduce the time it takes to rebuild trust and confidence with impacted stakeholders.

Establish your compliance requirements for alignment

Federal/national privacy regulation:
  • GDPR (EU): cross-border data transfer safety and the data privacy rights of citizens
  • CCPA, as amended by the CPRA (California): consumer rights and consent to personal data use
  • PIPEDA (Canada): privacy rights for private-sector organizations

Industry privacy regulation:
  • HIPAA: national standard for the privacy governance of health-specific documentation
  • PCI DSS: enforces the security and protection of credit card data provided by cardholders and transmitted through card processing transactions

Information security privacy frameworks:
  • NIST Privacy Framework 1.0: privacy framework mapped across five functional areas that encourages proactive privacy planning
  • ISO/IEC 27701: privacy information management extension to ISO/IEC 27001/27002, with operational controls mapped against GDPR articles to support organizations’ specific compliance requirements

Info-Tech Insight
PIPEDA formally applies to the collection, use, and disclosure of personal information in the course of commercial activities, which leaves many nonprofit activities outside its scope. Nonprofits should follow standards like PIPEDA as best practice anyway: keeping your organization and stakeholders protected should be top of mind.

Security and privacy are not the same but are intertwined

A common assumption is that security and privacy are one and the same...

Security’s role is to protect and secure assets, of which confidential data – especially personal data – is a large focus. The consequences of a personal data breach can be severe, including potential regulatory consequences and the loss of customer trust. As a result, we often think of how we use security to protect data.

Information security common functions include:

  • Risk management
  • Vulnerability management
  • Identity and access management
  • Strategy and governance
  • Data protection
  • Incident response

…but security is not equivalent to privacy.

Privacy must be thought of as a separate function. While privacy will always have ties to security in the ways security protects data, privacy starts and ends with the focus on personal data. Beyond protection, privacy extends to understanding why personal data is being collected, what the lawful uses are, how long it can be retained, and who has access to it.

Privacy common functions (the principles set out in GDPR Article 5) include:

  • Lawfulness, fairness, and transparency
  • Integrity and confidentiality
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Accountability
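The data minimization, storage limitation, and data classification points above become concrete when applied to an actual export. The following Python script is an added example, not code from the Info-Tech research or from any organization named on this page: it labels each column of a donor export by the personal-data categories listed earlier, searches columns that are not on the allowlists for PII that has leaked into free text, and lists records held past the retention period. The column names, the seven-year retention period, the regular expressions, and the two sample rows are assumptions constructed for the illustration.

```python
"""Added example (not from the Info-Tech deck): audit a donor export for
personal-data categories, PII leaking into free-text fields, and records
held past their retention period. Column names, the retention period,
the patterns and the sample rows are constructed assumptions."""
import csv
import io
import re
from datetime import date

# Assumed column names, grouped by the categories used in the deck.
TRADITIONAL_PII = {"ssn", "passport_number", "bank_account", "home_address", "date_of_birth"}
PERSONAL_DATA = {"full_name", "email", "ip_address", "location"}
SENSITIVE_DATA = {"health_condition", "religion", "political_opinion"}

# Content patterns for PII that tends to leak into "notes"-style columns.
PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

RETENTION_DAYS = 7 * 365  # assumption: donation records are kept for 7 years


def classify_columns(fieldnames):
    """Map each column to a category; anything not on the allowlists is 'unclassified'."""
    categories = {}
    for name in fieldnames:
        key = name.strip().lower()
        if key in SENSITIVE_DATA:
            categories[name] = "sensitive"
        elif key in TRADITIONAL_PII:
            categories[name] = "traditional_pii"
        elif key in PERSONAL_DATA:
            categories[name] = "personal"
        else:
            categories[name] = "unclassified"
    return categories


def scan_free_text(rows, columns):
    """Return (row_index, column, pattern_name) for PII found in columns not meant to hold it."""
    findings = []
    for i, row in enumerate(rows):
        for col in columns:
            value = row.get(col) or ""
            for pname, pattern in PATTERNS.items():
                if pattern.search(value):
                    findings.append((i, col, pname))
    return findings


def overdue_rows(rows, date_column, today, retention_days=RETENTION_DAYS):
    """Indices of rows whose last activity is older than the retention period."""
    return [i for i, row in enumerate(rows)
            if (today - date.fromisoformat(row[date_column])).days > retention_days]


def audit_export(csv_text, today_iso):
    """Run all three checks over a CSV export; today_iso is the audit date (YYYY-MM-DD)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    categories = classify_columns(reader.fieldnames or [])
    unclassified = [c for c, cat in categories.items() if cat == "unclassified"]
    return {
        "categories": categories,
        # Sensitive categories need a documented purpose or should not be collected at all.
        "collects_sensitive": [c for c, cat in categories.items() if cat == "sensitive"],
        # PII hiding in unclassified columns escapes the controls applied to classified ones.
        "leaks_in_free_text": scan_free_text(rows, unclassified),
        "overdue": overdue_rows(rows, "last_donation", date.fromisoformat(today_iso)),
    }


# Constructed sample export with fictional people; not real donor data.
SAMPLE_CSV = """full_name,email,ssn,religion,last_donation,notes
Ada Example,ada@example.org,123-45-6789,,2024-02-10,Prefers email
Ben Sample,ben@example.org,,Buddhist,2015-06-01,Called from 203.0.113.7; SSN 987-65-4321 on file
"""

if __name__ == "__main__":
    for key, value in audit_export(SAMPLE_CSV, "2024-06-01").items():
        print(f"{key}: {value}")
```

Run against the sample, the audit reports that a sensitive category (religion) is being collected, that the free-text notes column contains a social security number and an IP address that no control on the classified columns will ever see, and that one record is past its retention period. Each of those is a question for the data owner, not an automatic fix; the point is that the questions surface before a breach does.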

Integrate security operations into your privacy operations

Do common things uncommonly well

Even the cybersecurity basics help nonprofit organizations secure the environment and protect data in the face of cyber risks:

  • Create security policies, including bring your own device (BYOD) and device security policies.
  • Improve endpoint and vulnerability management so you know which devices connect to systems that hold data and which entry points they expose.
  • Enable multifactor authentication, starting with email, remote access, and administrator accounts.
  • Ensure vendors meet the requirements necessary for protecting access to the personal identifiable information of customers/donors.
  • Implement a robust data backup process and redundancy policy, with at least one copy kept offline or otherwise out of an attacker’s reach and restores tested regularly.
  • Improve identity management by limiting access to sensitive data and implementing least-privilege access.
  • Encrypt sensitive and important data at rest and in transit so that stolen or exposed copies are unusable. Encryption does not stop ransomware, so pair it with the tested backups above for recovery.
  • Require long, unique passwords (a password manager makes this practical) and change a password when there is reason to believe it has been compromised rather than on a fixed schedule; forced periodic rotation tends to produce weaker, predictable passwords.
  • Patch systems promptly to close the vulnerabilities that ransomware operators exploit.
  • Conduct phishing tests and use anti-phishing tactics.
  • Test networks and systems regularly (vulnerability scans and penetration tests).
  • Audit systems regularly to identify potential risks.
  • Understand a threat’s scale and scope before acting. Contextualize: What sort of threat is this? What systems or resources is it targeting? Where did it come from? How many other devices has it been able to infect? Which resources in other areas of my network are vulnerable?
  • Define and uphold post-incident record-keeping requirements in the event of a breach.
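The triage questions above (where did it come from, what is it targeting, how far has it spread) can be answered mechanically from authentication logs, which is the first thing to do after a weak-password mailbox compromise of the kind in the People Inc case. The following Python script is an added example, not part of the Info-Tech deck or any named organization’s tooling: given one confirmed-compromised account, it lists the unfamiliar source addresses that account logged in from, every host those addresses reached, every other account they authenticated as, and their failed attempts. The log format, host names, user names, the "known" office range, and the sample lines are assumptions constructed for the illustration (addresses come from the RFC 5737 documentation ranges).

```python
"""Added example (not from the Info-Tech deck): scope an account-compromise
incident from authentication logs. Log format, hosts, users, IP ranges and
sample lines are constructed for the illustration."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed one-event-per-line format: "<timestamp> host=<h> user=<u> src=<ip> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

# Assumed office/VPN range; a login from anywhere else counts as unusual.
KNOWN_RANGES = [ip_network("192.0.2.0/24")]


def parse_line(line):
    """Return the event fields, or None for lines that are not auth events."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_known_source(src):
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_RANGES)


def scope_incident(lines, compromised_user):
    events = [e for e in (parse_line(l) for l in lines) if e]
    # Where did it come from? Successful logins by the victim from unknown sources.
    attacker_ips = sorted({
        e["src"] for e in events
        if e["user"] == compromised_user and e["result"] == "success"
        and not is_known_source(e["src"])
    })
    # What is it targeting and how far has it spread? Every host those sources reached.
    hosts = defaultdict(set)
    # Which other accounts did those sources use (lateral movement or password spraying)?
    other_users = defaultdict(set)
    failed = defaultdict(int)
    for e in events:
        if e["src"] not in attacker_ips:
            continue
        if e["result"] == "success":
            hosts[e["src"]].add(e["host"])
            if e["user"] != compromised_user:
                other_users[e["src"]].add(e["user"])
        else:
            failed[e["src"]] += 1
    return {
        "attacker_ips": attacker_ips,
        "hosts": {ip: sorted(h) for ip, h in hosts.items()},
        "other_users": {ip: sorted(u) for ip, u in other_users.items()},
        "failed_attempts": dict(failed),
    }


# Constructed sample log: jdoe's mailbox is known to be compromised.
SAMPLE_LOG = """\
2024-05-02T08:01:12Z host=mail01 user=jdoe src=192.0.2.15 result=success
2024-05-02T23:47:03Z host=mail01 user=jdoe src=198.51.100.23 result=success
2024-05-02T23:49:40Z host=donorcrm user=jdoe src=198.51.100.23 result=success
2024-05-02T23:52:01Z host=donorcrm user=finance src=198.51.100.23 result=failure
2024-05-02T23:52:09Z host=donorcrm user=finance src=198.51.100.23 result=failure
2024-05-02T23:55:30Z host=fileshare user=asmith src=198.51.100.23 result=success
2024-05-03T07:10:00Z host=mail01 user=asmith src=192.0.2.40 result=success
# not an auth event
"""

if __name__ == "__main__":
    import json
    print(json.dumps(scope_incident(SAMPLE_LOG.splitlines(), "jdoe"), indent=2))
```

On the sample, the compromised account was used from one unfamiliar address, that address reached the mail server, the donor CRM, and a file share, it also authenticated successfully as a second user (so that account needs a reset too) and failed twice against a finance account. The output is a containment list, not a conclusion: every host and account in it should be treated as in scope until the post-incident records required above show otherwise.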


Every nonprofit organization can strengthen its security and privacy operations

Leverage Info-Tech’s security research library regardless of your maturity level

Starting point (assess and evaluate to understand gaps): gauge your current security and privacy posture.
  • Privacy operations: Conduct a Privacy Gap Analysis; Establish Compliance Requirements
  • Security operations: Conduct an Information Security Gap Analysis
  • Security and privacy oversight: Develop Your Security Outsourcing Strategy

Build the fundamentals (establish your cybersecurity and privacy functions): establish your security and privacy program.
  • Privacy operations: Build Your Data Privacy Program
  • Security operations: Build Your Information Security Strategy
  • Security and privacy oversight: Embed Privacy and Security Culture Within Your Organization

Take a risk-based approach (place focus on the highest-risk areas): mature your security and privacy program.
  • Privacy operations: Mature Your Privacy Operations
  • Security operations: Leverage Info-Tech’s Security Research Center
  • Security and privacy oversight: Develop a Security Awareness and Training Program That Empowers End Users

Your data privacy and security journey starts with gap assessments

Assess for three reasons:

1. Make the case to executives for security and privacy investment buy-in.

Justify IT budget changes. Following a systematic investigation of all security functions and understanding of program gaps, security leaders can effectively estimate their necessary security budget or shine a light on areas where intolerable risks will persist without budgetary relief.

2. Develop an actionable security and privacy roadmap.

Highlight functions that were previously overlooked. A systematic approach lays a foundation across all areas of information security to build a complete program on. Instead of pursuing new projects in an ad hoc nature, you can use our systematic methodology to build a comprehensive security program today and enable ongoing management of inevitable changes to the initial program.

3. Improve your cyber hygiene to qualify for cyber insurance.

Reduce premiums and gain approval for cyber insurance by identifying and evaluating your weaknesses. Insurers typically ask about the following:

  • Firewalls and antivirus
  • User training
  • Secure connections
  • Technology configurations
  • Organizational policies and procedures that aim to prevent breaches and dictate responses to violations

Improve security and privacy oversight

Embed awareness, skills, and resources

Develop Your Security Outsourcing Strategy
Outsource what you can; you can’t do it all by yourself.
Security operations is a 24/7 business. Organizations must devote appropriate resources for oversight and supervision of security and privacy operations, regardless of the cybersecurity skills gap or IT staffing/budget constraint. If hiring an in-house IT team is not possible, outsourcing must be considered.

Embed Privacy and Security Culture Within Your Organization
Effectively communicate the impact and value to the organization.
Executive buy-in enables the IT resources and budget needed to mature your security and privacy operations. To truly take hold, privacy and security engagement must be supported by senior leadership, aligned with business objectives, and embedded within each of the organization’s operating groups and teams.

Develop a Security Awareness and Training Program That Empowers End Users
Your least-prepared staff member is the weakest link.
Educate and train all staff on security awareness, incident response and handling, and general data security risks. Security education should be at the forefront of users’ minds. Constantly refresh their memories so they are continuously watchful for risks such as phishing emails.


Contributors

  • Craig Bradley, YMCA of Greater Toronto
  • Pew Research Center
  • Alan Tang, Principal Research Director, Info-Tech Research Group
  • Bob Wilson, Research Director, Info-Tech Research Group


“2022 Nonprofit Cybersecurity Incident Report.” Community IT Innovators, 2022.

“2022 Cyber Claims Report.” Coalition, 2022.

“2023 Nonprofit Trends Report.” Cerini & Associates, 2023.

“4 Key Thoughts on Cyber Insurance for SMEs.” IT Force, n.d.

“Cyber security skills in the UK labour market 2022 Findings report.” Ipsos, 2022.

“Cybersecurity within Nonprofits.” Eide Bailly, n.d.

“Health of the U.S. Nonprofit Sector.” Independent Sector, 2022.

“How Data Breaches Happen.” Kaspersky, n.d.

“Managing Nonprofit Tech Change 2022 Report.” nten, 2022.

“Nonprofit Cybersecurity: Balancing Best Practices, Budget, and Team Productivity.” Build Consulting, 2022.

“Nonprofit Guidelines for Cybersecurity and Privacy.” Microsoft, 2017.

“NPCA Achieves PCI Compliance in the Cloud.” Qostodian Recon, 2021.

“Privacy and Cyber Security Emphasizing privacy protection in cyber security activities.” Office of the Privacy Commissioner of Canada, 2014.

“Privacy vs. Security: Understanding the Difference.” Audit Board, 2022.

“The changing role of the board on cybersecurity.” Deloitte, 2021.

“Trust in Civil Society: Understanding the factors driving trust in nonprofits and philanthropy.” Independent Sector, 2022.

“US Cyber Insurance Sees Rapid Premium Growth, Declining Loss Ratios.” Fitch Ratings, 2022.

Chimwanda, Elastos. “Essentials for an Effective Cybersecurity Audit.” ISACA, 2022.

Cimpanu, Catalin. “Red Cross blames hack on Zoho vulnerability, suspects APT attack.” The Record, 2022.

Daniels, Alex. “Trust in Nonprofits and Philanthropy Continues to Be Higher Than in Government and the News Media.” The Chronicle of Philanthropy, 2022.

De Vries, Jennie. “What drives cyber security investment? Organizational factors and perspectives from decision-makers.” Technical University Delft, 2017.

Hill, Michael. “Altruism under attack: why cybersecurity has become essential to humanitarian nonprofits.” CSO, 2022.

Holland, Jake. “Cyber Insurance Policies Grow Pricey Amid Rising Hacks, Lawsuits.” Bloomberg Law, 2022.

Hulshof-Schmidt, Robert. “State of Nonprofit Cybersecurity.” nten, 2018.

Jesenik, Jessica. “Is your nonprofit organization headed for a data breach?” Software One, 2021.

Köller, Joe. “Is Cyber Insurance Worth It? Advantages, Coverage & Requirements Explained.” Tenfold, 2021.

Maddison, John. “Managing Risks with Limited Resources.” CSO, 2019.

Martin, Carolyn. “Protecting Privacy: A Nonprofit’s Guide to Data Privacy Breaches.” Lutzker & Lutzker, 2021.

Martin, Kelly. “Research: A Strong Privacy Policy Can Save Your Company Millions.” Harvard Business Review, 2018.

Mathews, Lee. “Ransomware Criminals Strike American Dental Association.” Forbes, 2022.

Medwick, Jennifer. “Nonprofit Organizations and Data Security Incidents – How to Manage and Respond.” JDSupra, 2022.

Osborne, Charlie. “One of New York’s largest nonprofits suffers data breach.” ZDNET, 2019.

Osmond, Chad. “What’s Changing in the Cybersecurity Insurance Market?” Smarter IT Services, 2023.

Price, Nick. “How the Board Structures of For-Profit and Not-for-Profit Organizations Differ.” Board Effect, 2018.

Raghavan, Kamala. “Cybersecurity in Small Businesses and Nonprofit Organizations.” Today’s CPA, 2016.

Shainblum, Esther. “Online Privacy and Cybersecurity Issues for Charities and NFPs.” Carters, 2022.

Townley, Pam. “Cyber-Liability Insurance 101 for Nonprofits.” Associations Now, 2017.




Monica Pagtalunan


  • Craig Bradley, SVP of IT, YMCA of Greater Toronto
  • 2 anonymous contributors