When the Call Comes... Why Every Nonprofit Needs a Cybersecurity Plan Yesterday

Cybercriminals are targeting nonprofits at rates 40% higher than other organizations—and in 2025's political climate, the stakes have never been higher. Discover why your biggest security vulnerabilities aren't technical, and what you need to do right now to protect the people you serve.

By Bridget Leigh Snell, President & Founder, Fractionals for Impact

10/23/2025, 5 min read

Picture this: You’re reviewing quarterly reports when an email lands in your inbox from your Volunteer Management vendor. Subject line: 'URGENT: Suspicious Activity Detected on Your Account.' Your heart rate spikes as you read further: unusual login attempts from unfamiliar IP addresses, bulk data downloads at 3 AM, access patterns that don’t match your organization’s normal operations.

Or maybe it happens differently: Your accountant notices duplicate wire transfer requests that no one authorized. Your fundraising database starts behaving strangely. A staff member receives an email that looks like it’s from you, asking for sensitive donor information, except you never sent it.

For nonprofit leaders in 2025, these scenarios aren’t hypothetical. They’re becoming terrifyingly common.

Nonprofit organizations, our leaders, constituents, and allies are facing unprecedented threats to our physical and data security. Cybercriminals are targeting nonprofit institutions at rates 40% higher than other organizations. And it’s not just about financial theft anymore. In our current political climate, both in the US and abroad, government surveillance and AI are increasingly targeting the activists and constituents we serve.

The question isn’t if your organization will face a cybersecurity threat. It is when, and whether you’ll be ready.

The False Comfort of Preparation

Here is what keeps me up at night: I’ve watched well-prepared organizations crumble under the pressure of an actual cyber incident. Organizations with policies, protocols, and incident response plans sitting in neat binders that no one follows when chaos hits.

Why? Because having a plan on paper is fundamentally different from having a culture of security. And when the crisis arrives, when you discover that sensitive data on the people you serve may have been stolen, when a PR crisis team is making decisions about technology responses, when fear overtakes protocol, that’s when you learn the difference.

Throughout my career working with nonprofit technology leadership, I’ve seen this pattern repeat: Organizations invest in detection software and compliance frameworks, but they forget the most critical element: people.

The Real Vulnerabilities Aren’t Technical. They’re Human

Let me be blunt: Your biggest cybersecurity threats aren’t sophisticated hackers breaking through your firewalls. They are:

  • Your staff clicking on a phishing email because they’re rushing between meetings and the message looks legitimate.

  • Your vendors who have access to your systems but haven’t been properly vetted or monitored.

  • Your culture that treats security as IT’s problem rather than everyone’s responsibility.

  • Your leadership who don’t understand that crisis response requires including, not sidelining, your technical and cybersecurity experts.

This is where most nonprofits get it catastrophically wrong. They buy expensive 24/7 monitoring services while ignoring the unlocked side door that their people inadvertently leave open every single day.

What Actual Information and Data Security Looks Like

If you're serious about protecting your organization, your constituents, and your mission, you need to shift from compliance theater to genuine resilience. Here's the framework that actually works:

Security Leadership That Reports to the Top

You need a Chief Information Security Officer (CISO) or equivalent, permanent or fractional. And this person must not be buried three layers down in your org chart; they should report directly to executive leadership and have a seat at the table during crisis decisions.

Why? Because when a breach happens, technology expertise must inform legal and communications responses, not the other way around. Lawyers protect the organization; CISOs protect the data and the people it represents. Both perspectives are essential in a response.

People-Centered Security Culture

Your strongest defense isn’t software. It’s trained, aware staff who understand their role in security.

Annual Training for Everyone - Not just clicking through a compliance module, but engaging education that includes understanding rights (under GDPR and your local data privacy laws) and recognizing evolving threats.

Security Mindset from Day One - Onboarding processes that build security awareness into new staff orientation, not as an afterthought.

Regular Drills - Simulated phishing attacks that help staff build the muscle memory to pause, verify, and report suspicious activity without shame or blame.

Active Incident Response Exercises - Practice scenarios where your team actually walks through what happens when systems are compromised. The time to figure out who does what is not during an actual breach.

Vendor Risk Management - Third-party vendors represent one of your most significant vulnerabilities. If they have access to your systems or data, they're part of your security perimeter, whether you've acknowledged it or not.

Implement rigorous vendor security assessments. Require proof of their security practices. Monitor their access. Build contractual obligations around data protection. And be prepared to walk away from vendors who can't meet your security standards, no matter how convenient or low-cost their services might be.

Plans That People Actually Follow

Having an Incident Response Plan is table stakes. But it is worthless if:

  • Senior leaders don't understand or respect it

  • Staff don't know it exists or how to activate it

  • It hasn't been tested through realistic simulations

  • It gets overridden by panic or politics when something actually happens

Your plan must be living documentation that informs muscle memory, not a binder that collects dust.

The 2025 Imperative

Here is why this matters more urgently than ever. We are not just protecting operational data anymore. We are protecting activists, organizers, and vulnerable populations: people whose information, in the wrong hands or exposed to government surveillance, could lead to real harm.

The political climate has shifted and AI-powered surveillance capabilities have expanded. The consequences of data breaches aren’t just reputational or financial; they’re potentially life-altering for the people we serve.

If you're leading a nonprofit working in:

  • Immigration and refugee services

  • Reproductive health and rights

  • LGBTQ+ advocacy

  • Civil rights and racial justice

  • Environmental activism

  • Any work that challenges power structures

...your data security is a moral imperative, not just a technical requirement.

The Leadership You Need Right Now

Effective cybersecurity in 2025 requires leaders with both current technical knowledge and regulatory expertise. The threat landscape evolves constantly. Compliance frameworks update regularly. The tactics criminals and hostile actors use change by the month.

You cannot rely on outdated expertise or general IT knowledge. You need specialized security leadership that understands:

  • Current threat vectors and attack patterns

  • Regulatory requirements (GDPR, CCPA, HIPAA where relevant)

  • Incident response coordination across technical, legal, and communications teams

  • How to build security culture, not just implement security tools

  • The specific vulnerabilities nonprofit organizations face

This is precisely why fractional CISO arrangements have become invaluable for small to mid-sized nonprofits. You get enterprise-level security expertise without enterprise-level overhead, and critically, you get someone whose entire focus is keeping your people and data safe.

When the Call Comes

I started this piece with a scenario: the call that every nonprofit leader dreads. When that call comes, and increasingly it will, your organization’s response will be determined by the investments you made beforehand.

Not primarily investments in expensive software (though good tools matter). Investments in:

  • Security leadership with a real voice in organizational decisions

  • Staff awareness and training that builds reflexive good practices

  • Vendor management that treats third parties as part of your security perimeter

  • Incident response planning that's been tested and internalized

  • A culture where security is everyone's responsibility

The organizations that weather cyber incidents well aren't necessarily those with the biggest IT budgets. They're the ones who recognized that security is fundamentally about people: protecting them, empowering them, and ensuring they know their role in collective safety.

The call is coming. Will you be ready?

Need to assess your organization's cybersecurity readiness? Fractionals for Impact helps nonprofits build resilient security cultures and implement practical protections that match their resources and risk profiles. Reach out for a free 30-minute consultation to discuss where your vulnerabilities lie and how to address them, before the crisis hits.