How nonprofits can make smarter cybersecurity decisions with limited staff

By Rick Wilhelm, CTO, Public Interest Registry

Every nonprofit is already making cybersecurity decisions – whether they realize it or not.

Cybersecurity can feel overwhelming or out of reach, especially if your nonprofit does not have a dedicated IT team or legal expertise in house. But even small teams are making decisions every day about tools, vendors, systems, and risk.

These decisions don’t just affect systems; they shape how your organization protects its data, its people, and the trust it has built with its community.

The goal is not perfection. It is making informed, practical choices that help protect your organization and the communities you serve.

Here are some approaches to cybersecurity that are realistic and effective.

1. Recognize that there is not always one right answer

When evaluating a new tool, there is often a tradeoff between innovation and safety. And in many cases, there is no one-size-fits-all answer.

What matters most is understanding the full set of short-term and long-term risks and benefits. Decisions on risk versus reward should be made at the right level in the organization, with the appropriate transparency.

Good security decisions aren’t about eliminating risk entirely; they’re about managing it thoughtfully.

2. Don’t be afraid to bring in outside expertise

You may not have a cybersecurity expert on staff, and that’s okay.

Many nonprofits tap into expertise through:

  • Board members with relevant experience
  • Short-term consultants
  • Trusted partners like auditors or legal advisors

This can be especially useful when evaluating software vendors or partners. A small investment in expert guidance can prevent much larger risks down the line.

3. Evaluate “free” tools carefully

The landscape for free or low-cost security tools shifts quickly. Team-based features are typically not part of free offerings, and free versions often only include entry-level capabilities.

This matters most when evaluating tools like password managers.

It’s worth doing your homework. In many cases, spending a little more on a reliable tool can significantly reduce your risk and may decrease operational complexity. Compared to the cost of a breach, these investments are often minimal.

4. Focus on practical, high-impact protections

Password management is only one part of the picture. There are several practical steps you can take to strengthen your organization’s security without overcomplicating things.

  • Use cloud-based file storage: This can be safer than storing important data locally on laptops or individual devices.
  • Set up cloud-based backups: Well-managed backups can help reduce the impact of ransomware or other data loss.
  • Strengthen email protection: Spam filtering and related protections can help reduce exposure to phishing emails and malicious links.
  • Use single sign-on where appropriate: This can help centralize application logins and make access management easier across your organization.
  • Reinforce basic account habits across your team: Strong, unique passwords, multi-factor authentication, careful handling of shared accounts, and caution around suspicious links and attachments can all reduce risk.

These steps may not solve every problem, but they can lower risk in very practical ways and help your team build a stronger foundation over time.

5. Choose systems your team can realistically manage

The most secure system is one your team can actually maintain. When choosing a CRM or major platform, ask:

  • Do we understand how to use and manage this securely?
  • Do we have the capacity to maintain it over time?
  • Is the vendor actively updating and supporting the system?

In many cases, simpler systems are more secure because they are easier to manage well.

6. Plan for response, not just prevention

Even with strong safeguards, incidents can still happen. If your organization experiences a data breach, the exact communications strategy will depend on the circumstances. But in general, your response should prioritize the following:

  • Speed: Respond quickly so stakeholders are not left in the dark while the situation unfolds.
  • Transparency: Share what you know as clearly and honestly as possible, even if the full picture is still developing.
  • Clarity: Communicate in a way that is straightforward and easy to understand so people know what happened, what it means, and what comes next.

A data breach can be complicated by both the technology involved and the amount of time required for investigation. Even so, how your organization communicates at that moment matters.

Moving forward

Cyber threats are evolving, becoming cheaper, faster to deploy, and harder to detect. That makes it even more important for nonprofits to invest in improved processes, reliable tools, and informed decision making.

You don’t need a large team to make smart cybersecurity choices, but you do need a clear approach and a commitment to prioritize what matters most.

For organizations looking for additional support, the Global Cyber Alliance Cybersecurity Toolkit for Mission-Based Organizations is helpful to continue building knowledge and practical next steps.

© 2026 PIR. ALL RIGHTS RESERVED