
Cybersecurity Essentials: Keeping Donor Data Safe in 2026

  • Writer: Nonprofit Learning Lab
  • 2 days ago
  • 4 min read

This is a guest blog.


Stewardship comes in many different forms. While you may typically think of stewardship in terms of thank-you messages and appreciation strategies, it also encompasses cybersecurity.


Think about it. Would you trust your hard-earned funds with an organization that neglects to protect your sensitive information? Cybersecurity is key to risk management, but it also lays the foundation for strong donor relationships.


This guide will explore strategies your organization can implement to keep donor data safe and maintain trust with supporters.


1. Use multi-factor authentication.

Instead of simply entering a password, multi-factor authentication requires you to enter your password and a separate code to verify your identity before logging into any of your accounts. This extra layer of security blocks attacks, including automated ones, in which hackers who have obtained your password log into your accounts, where they can intercept wire transfers, download donor data, and perform other malicious activities.


While you may already use multi-factor authentication on your own accounts, enforce it for everyone who interacts with your organization’s systems, including your:


Check the multi-factor authentication options within your nonprofit CRM. For best results, use authenticator apps like Google Authenticator, Microsoft Authenticator, or 1Password to generate codes instead of text messages, as SMS codes can be vulnerable to SIM swapping. SIM swapping occurs when hackers trick your mobile phone carrier into transferring your phone number to their own SIM card, preventing you from receiving your own phone calls and text messages and granting them access to the authentication codes you receive.


2. Run phishing tests.

Phishing emails are becoming harder to spot, as hackers now use AI to generate more realistic messages that include accurate information about your organization and may fool your staff. Instead of simply including security training in your onboarding process and following up once a year, implement ongoing micro-training.


Use tools like KnowBe4 or Gophish to send simulated phishing emails to your staff each month. That way, you can continuously test your staff’s instincts and keep them on high alert. For instance, you may send a simulated phishing email that asks staff members to wire $5,000 to your executive director right away. You can direct users who click through the email to a page explaining that the email is fake, identifying the warning signs they missed to keep in mind for the future, and inviting them to complete an additional training course.


3. Audit user roles for your donor database.

Nonprofit work is typically collaborative, as it requires the input of many different people and perspectives to make a mission possible. However, that doesn’t mean that every person involved in your organization needs the same access to your precious donor data.


Audit the user roles within your donor management system, and adjust the permissions as needed. For example, you may:


  • Alter volunteer permissions so they can only see the information needed for their shifts.

  • Revoke access for junior staff to export or delete any donor data.

  • Limit full administrative access to a few key decision-makers.
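As an added illustration of the three adjustments above (this is example code, not from the original post or any CRM vendor), the script below audits a constructed user export against those rules and strips the volunteer and junior-staff over-permissions; the role names, permission names and sample users are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed permission names; a real CRM will name these differently.
SENSITIVE = {"export_donors", "delete_donors"}   # rule 2: not for junior staff
ADMIN = "admin"                                   # rule 3: only a few admins
MAX_ADMINS = 3                                    # "a few key decision-makers"
# Rule 1: the only permissions a volunteer needs for a shift (assumed names).
VOLUNTEER_ALLOWED = {"view_shift_schedule", "view_checkin_list"}

@dataclass
class User:
    name: str
    role: str                                     # "volunteer", "junior_staff", ...
    permissions: set = field(default_factory=set)

def audit_roles(users, max_admins=MAX_ADMINS):
    """Check a CRM user export against the three rules; return readable findings."""
    findings = []
    for u in users:
        if u.role == "volunteer" and (extra := u.permissions - VOLUNTEER_ALLOWED):
            findings.append(f"{u.name}: volunteer has non-shift permissions {sorted(extra)}")
        if u.role == "junior_staff" and (risky := u.permissions & SENSITIVE):
            findings.append(f"{u.name}: junior staff can {sorted(risky)}")
    admins = sorted(u.name for u in users if ADMIN in u.permissions)
    if len(admins) > max_admins:
        findings.append(f"{len(admins)} admins ({', '.join(admins)}) exceeds limit of {max_admins}")
    return findings

def apply_least_privilege(users):
    """Strip rule 1 and rule 2 violations; rule 3 (which admins stay) is a judgement call."""
    fixed = []
    for u in users:
        perms = set(u.permissions)
        if u.role == "volunteer":
            perms &= VOLUNTEER_ALLOWED                # keep only shift permissions
        elif u.role == "junior_staff":
            perms -= SENSITIVE                        # remove export/delete rights
        fixed.append(User(u.name, u.role, perms))
    return fixed

# Constructed sample of a donor-database user export (not real data).
SAMPLE_USERS = [
    User("ana", "volunteer", {"view_shift_schedule", "view_checkin_list"}),
    User("ben", "volunteer", {"view_shift_schedule", "view_donor_history"}),
    User("cara", "junior_staff", {"view_donors", "export_donors"}),
    User("eve", "director", {ADMIN}),
    User("finn", "director", {ADMIN}),
    User("gia", "manager", {ADMIN, "view_donors"}),
    User("hal", "board", {ADMIN}),
]
```

Running `audit_roles(SAMPLE_USERS)` reports ben, cara and the four admins; after `apply_least_privilege` only the admin-count finding remains, since deciding which administrators to keep is a leadership decision rather than a mechanical one.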


While some team members may see this changing of permissions as a sign of a lack of trust, explain that you’re actually protecting them from accidentally causing a breach. Stakeholders who only need limited access to your data should feel confident knowing they are less likely to cause security risks for your organization. If any stakeholders need additional access later on, you can always revisit the permissions you set.


4. Verify your vendors’ security measures.

Most of your data likely lives in the cloud. You’re trusting vendors like your event management software, donor database, and payment solution providers to protect your donor data.


Instill confidence in your staff and donors by verifying your vendors’ security measures. For example, Bloomerang’s nonprofit credit card processing guide recommends seeking out security protocols like:


  • PCI compliance. The Payment Card Industry Security Standards Council sets the requirements (the PCI Data Security Standard) that payment tool providers must follow to remain compliant. These requirements include installing a firewall, encrypting data, and protecting against malware.

  • Fraud monitoring tools. The top payment processing tools actively attempt to catch and evaluate suspicious activity to prevent fraud. For example, they may use machine learning algorithms to scan for unusual patterns, or verification tools that match the donor’s CVV code and billing address against the information their bank holds.

  • Regular software updates. When your payment processing solution performs regular security updates, that’s a sign they’re committed to protecting donor data for the long haul. Investigate the change log for any solutions you’re considering to see how often they update their software.


To help evaluate new vendors, compile a list of questions to ask that will give you insight into their security measures. For instance, you may ask questions like, “Is your platform SOC 2 Type II compliant?” and “How do you encrypt data?”


5. Create an incident response plan.

When a security breach occurs, it’s normal to feel panicked, but with a plan in place ahead of time, you can proceed rationally. Create a one-pager that your team can reference in case of a cybersecurity emergency, with information like:


  • Immediate first steps. What should the person who first notices the breach do upon discovering it? A common first step is disconnecting the affected device from the internet.

  • Chain of command. Who is accountable for making important decisions regarding the breach, such as shutting down the server, notifying your insurance company, or calling your lawyer? This may be a senior staff member or someone designated as a cybersecurity lead.

  • Communications plan. How will you communicate this breach to stakeholders? Draft a statement template that you can easily fill out with the relevant details.


Share your incident response plan widely across your team so that everyone knows what to do in the event of an emergency. If an incident does occur, evaluate how your procedures worked and update this document accordingly.



As hackers become increasingly sophisticated, nonprofit organizations must become even more savvy to protect their donor data. Stay up to date with the latest cybersecurity news, and inform your team of any important updates or new protocols so everyone can play their part in maintaining supporter trust.


