
Hackers Don't Care You're a Non-Profit

You may think hackers only go after banks, tech giants, and multinational corporations. But the truth is non-profits and charities are prime targets for cybercrime, and the risks are growing.

Even though non-profits and charities hold valuable assets like donor data, beneficiary information, payment details, and possibly health records, they usually don’t have a team of cybersecurity specialists guarding the gates.

Savvy directors know that cybersecurity and cyber resilience aren’t just IT issues. They’re governance issues that go right to the heart of your fiduciary duty to protect the organization’s mission and assets.

 

The Risk Landscape for Non-Profits

“It's important for not-for-profits to truly understand that they are under threat. It's not a matter of ‘if,’ it's a matter of ‘when’ you’re going to have a breach.” - Scott Peyton, Grant Thornton Risk Advisory Partner

Non-profits are particularly tempting targets for cybercrime because they collect and store valuable data, such as personal details, payment information, and health records. Cyber criminals assume a non-profit’s defenses are weaker than those of a large corporation because they often rely on outdated systems and volunteer IT support.

Plus, there’s a threat that non-profits face but most regular businesses don’t: ideological targeting, where individuals, groups, or even nation-states that oppose the non-profit’s mission and values launch cyberattacks to disrupt its operations and damage its reputation.

Cyberthreats come in many shapes and sizes, but these are the most common.

  • Phishing. Emails, texts, or phone calls that trick people into giving away credentials or sensitive information, or into taking harmful actions such as approving a payment or opening a malicious attachment.
  • Ransomware. Malicious software that encrypts files to prevent access, followed by a demand for payment. Many ransomware groups now also copy the data out first and threaten to publish it, so restoring from backup does not by itself end the incident.
  • Data Breach. Unauthorized access to personal or financial information. It can happen through an outside intrusion, poorly secured network devices such as printers, lost or stolen devices, or an email accidentally sent to the wrong person.
  • Business Email Compromise. Fake invoices, changed payment instructions, or wire transfer requests sent from a hijacked or look-alike email account, usually impersonating an executive, a supplier, or a funder.
  • Distributed Denial of Service. Flooding a website or online service with an overwhelming amount of traffic, causing it to slow down significantly or crash.

 

The Real-Life Impact

Cyberattacks can be devastating to a non-profit’s finances, operations, and reputation. Here’s what’s at stake:

  • Financial Losses. Direct costs include ransom payments, forensic investigations, legal fees, and system recovery. Indirect costs include lost donations, reduced grant eligibility, and increased insurance premiums.
  • Damage to Reputation. Donors expect their information to be protected. A breach can erode trust and lead to donor attrition.
  • Operational Disruption. Cyberattacks can halt mission-critical services for days or even weeks. This can mean real harm to vulnerable populations.
  • Legal and Compliance Risks. Breaches can trigger investigations under privacy laws. Non-compliance can result in fines and legal action.

Looking for real-life examples? They’re easy to find. Recent Canadian targets include non-profits of every kind, including Hamilton Community Foundation, The Calgary Urban Project Society, Toronto Public Library, Cowichan Valley School District, four CEGEPs (community colleges) in Quebec, and five Southwestern Ontario hospitals.

Outside Canada, examples include the International Committee of the Red Cross, Water for People, and Philabundance.

 

Barriers Non-Profits Face

For many non-profits, cybersecurity is a “someday” project until an incident forces it onto the board agenda. Non-profits tend to share common barriers such as:

  • Limited budgets. Every dollar spent on IT security is a dollar not spent on programs.
  • Lack of expertise. Reliance on generalist staff or volunteers for tech support.
  • Low levels of cyber awareness. Directors may not know what to ask or how to evaluate cyber readiness.
  • Mission-first mindset. Passion for the cause can overshadow cyber risks.
  • The “too small to be a target” myth. Small non-profits may think they’re unlikely targets, but in reality the existence of valuable data is all the motivation an attacker needs.

 

The Board’s Role in Cybersecurity and Cyber Resilience

When it comes to protecting the organization from cybercrime, the board and management are accountable to regulators, donors, and the public. Management informs the board about the protections in place, and the board is responsible for ensuring that resources are allocated so that management has the tools and staff they need.

A strong governance approach addresses both cybersecurity and cyber resilience.

  • Cybersecurity is about reducing the likelihood of an incident. It focuses on preventing attacks and protecting systems from unauthorized access or damage.
  • Cyber resilience is about reducing the impact when an incident occurs. It focuses on preparing for, withstanding, responding to, and recovering from cyber incidents.

Directors don’t have to be experts, but they’re expected to provide oversight, ask the right questions, and ensure the organization is managing cyber risk appropriately. As a director, your oversight responsibility requires you to:

  • Understand the risk. Improve your knowledge of cybersecurity and cyber resilience as you would any other strategic risk.
  • Ask the right questions. Your role is to probe. Leave the execution to management.
  • Set the tone at the top. Be a role model. Treat cybersecurity seriously in the way you use your devices and handle confidential information.
  • Be aware of the legal obligations. Be aware of the applicable laws and regulations and make sure management has a plan to comply.

 

Practical Steps You Can Take

The board’s role is to ensure management is building strength in both cybersecurity and cyber resilience.

  1. Risk Management and Business Continuity Planning. Ensure that key cyber risks are identified and assessed and that mitigation and recovery plans are in place.
  2. Regular Board Reporting. Ask for key metrics such as phishing-test click rates, how quickly critical vulnerabilities are patched, multi-factor authentication coverage, the date of the last successful backup restore test, and training participation. Counts of incidents blocked are less useful on their own, because a high number can mean either strong defences or heavy targeting. If an incident occurs, ask about lessons learned.
  3. Appropriate Policies. Ask about policies on password management and multi-factor authentication, data handling and retention, access rights (who can see donor and beneficiary records), and acceptable use.
  4. Staff Training. Ask about training for employees and volunteers to help mitigate risk. Be aware that insurers often require at least basic cybersecurity training.
  5. Incident Response Plan. Make sure there’s a plan that includes threat identification and containment, communications, and business continuity, and that it’s tested regularly.
  6. Third-Party and Vendor Risks. A compromised supplier, such as a donor-management platform, payment processor, or outsourced IT provider, is a frequent route into an organization. Ask whether vendor contracts require them to meet security standards and to notify you promptly of breaches.
  7. Cyber Insurance. Some risks can be mitigated through insurance, but be aware that not all risks are insurable. Ensure the policy is understood and it fits the organization’s risk profile. Policies vary widely, so watch out for limitations, gaps in coverage, and maximum insurable amounts.

 

After a Breach

Assume that an incident will occur eventually. Your organization’s response can make the difference between a manageable incident and a crisis that damages its mission and reputation. A well-handled breach can even strengthen stakeholder trust by demonstrating competence, transparency, and resilience.

When an incident occurs, management should inform the board immediately. The board’s role is to ensure the incident response plan is executed, the right expertise is engaged, legal requirements are met, and lessons are applied. At each step of the process, the board should look for certain assurances.

  • Identify and Contain the Incident. Confirm that management knows the containment steps and that responsibilities are clearly assigned.
  • Engage Experts. Ensure the organization has pre-arranged relationships with cyber, legal, and communications experts.
  • Assess Scope and Impact. Ask for regular updates and ensure the assessment is thorough before making public statements.
  • Notify Regulators Where Required. Verify that notification obligations, including any deadlines, are understood and met on time.
  • Communicate with Affected Parties. Ensure communications with donors, beneficiaries, partners, and the public are clear, factual, and empathetic. Saying too little, or saying something that later proves wrong, does more damage to trust than the breach itself.
  • Recover and Restore Operations. Confirm that recovery priorities align with the mission’s most essential activities.
  • Conduct Post-Incident Review. Hold management accountable for implementing improvements. Track progress over time.

 

But We Don’t Have the Resources

Cybersecurity isn’t an all-or-nothing game. It’s about making smart, risk-based choices with the resources you have. The key is to start somewhere. Even small steps can dramatically reduce the risk. Here are a few ways to make meaningful progress without breaking the bank:

  • Start with the crown jewels. Focus first on protecting your most valuable and sensitive information: donor databases, financial systems, and beneficiary records.
  • Use free and low-cost tools. Many reputable organizations offer free cyber training, phishing simulations, and basic security software. Email security and anti-malware software may be available free or at a discount from major providers, and multi-factor authentication is built into most email and cloud platforms at no extra cost and stops the majority of account takeovers.
  • Leverage partnerships. Corporate sponsors, tech companies, and universities may offer pro bono IT security assessments or discounted services.
  • Join forces with peers. Pool resources with other non-profits through sector associations to share training, policies, or vendor contracts. In Canada, the Canadian Centre for Nonprofit Digital Resilience is a good place to start. Look for similar resources in your own jurisdiction.
  • Phase your improvements. You don’t have to fix everything at once. Create a simple cyber roadmap and tackle the highest risks first.

 

Questions for Savvy Directors

Asking the right questions signals to management that cybersecurity and cyber resilience matter. Here are questions non-profit board members should ask, not just once, but on a recurring basis.

  • What are our most critical digital assets? How are we protecting them?
  • Do we have a cybersecurity policy, and when was it last reviewed?
  • How are we training staff and volunteers on cybersecurity?
  • Do we have cyber insurance, and what does it cover? Are the limits adequate for our risk profile?
  • What’s our plan if we experience an incident? Have we tested it?
  • What are our legal and regulatory obligations in the event of a breach?
  • How do we back up critical data, have we tested restoring it, and are the backups kept somewhere an attacker inside our network can’t delete or encrypt them?
  • What cybersecurity risks do our vendors and partners pose? How do we manage them?
  • When was our last cybersecurity risk assessment? What were the key findings and did we close the loop?
  • What indicators or metrics do we track to measure our cybersecurity posture?
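Directors are not expected to run this themselves, but it helps to know what a credible answer to “have we tested restoring it?” looks like. The script below is an added illustration, not part of the original post or any DirectorPrep tool: it backs up a small set of constructed sample files (the file names and contents are invented for the example), records a SHA-256 fingerprint of each, restores the archive into a clean location, and then checks that nothing is missing, extra, or altered. A “restore test” that skips that last comparison only proves the archive opens, not that the data came back intact.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for a non-profit's "crown jewels".
# File names and contents are assumptions for this example, not real records.
SAMPLE_FILES = {
    "donors/donors.csv": "id,name,email\n1,Alice Example,alice@example.org\n",
    "finance/ledger-2024.csv": "date,amount,memo\n2024-03-01,500.00,Gala donation\n",
    "beneficiaries/intake.json": '{"records": 2}\n',
}


def sha256_file(path: Path) -> str:
    """Fingerprint a file so any change after backup is detectable."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source` and write a manifest of their hashes.
    The manifest is what turns a later restore into a verifiable test."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(archive: Path, target: Path) -> None:
    """Extract into `target`, refusing any archive member that would escape it
    (a tampered archive could otherwise overwrite files elsewhere on disk)."""
    root = target.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            dest = (target / member.name).resolve()
            if not member.isfile() or not dest.is_relative_to(root):
                raise ValueError(f"refusing unsafe archive member: {member.name}")
            dest.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src:
                dest.write_bytes(src.read())


def verify(archive: Path, target: Path) -> dict:
    """Compare the restored tree against the manifest written at backup time."""
    manifest = json.loads(manifest_path(archive).read_text())
    restored = {p.relative_to(target).as_posix(): sha256_file(p)
                for p in target.rglob("*") if p.is_file()}
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupted = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    return {"ok": not (missing or extra or corrupted), "files": len(restored),
            "missing": missing, "extra": extra, "corrupted": corrupted}


def run_restore_test(simulate_corruption: bool = False) -> dict:
    """End-to-end: create sample data, back it up, restore it, verify it.
    With simulate_corruption=True one restored file is truncated, to show
    that the check catches a restore that "succeeded" but lost data."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "live"
        for rel, text in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_text(text)
        archive = tmp / "backup.tar.gz"
        make_backup(source, archive)
        target = tmp / "restore"
        target.mkdir()
        restore(archive, target)
        if simulate_corruption:
            (target / "donors/donors.csv").write_text("id,name,email\n")
        return verify(archive, target)


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
    print(json.dumps(run_restore_test(simulate_corruption=True), indent=2))
```

A real restore test goes further than this toy: it restores onto separate hardware or a separate cloud account (not the same systems an attacker may already control), records how long the restore took so the board knows whether the recovery time is acceptable, and is repeated on a schedule rather than once.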

 

Protect Your Mission

When a cyber incident shuts down your systems, freezes your funds, or leaks sensitive data, it’s not an IT problem, it’s a mission problem. You can’t serve your community, support your beneficiaries, or maintain donor trust if your operations are crippled.

Cyber belongs to everyone. The board has a role to play, and that is safeguarding the organization’s ability to do what it was created to do by making cybersecurity a core part of its governance responsibilities. A cyber-aware board keeps the topic on the agenda, ensures that directors model the desired behaviour, and encourages board members to increase their knowledge of the subject.

When the board demonstrates that cybersecurity matters, that attitude flows down through the entire organization.

 

Your takeaways:

  • Non-profits and charities are increasingly vulnerable to cybercrime. A breach can have devastating impact on the organization’s finances, operations, and reputation.
  • Cybersecurity and cyber resilience aren’t just IT issues, they’re governance issues.
  • Directors don’t have to be experts, but they need to know enough to fulfill their responsibilities.
  • Even in the face of limited resources, there are practical steps that a non-profit or charity can take to improve its cybersecurity posture.

 

Resources:

Note: This Savvy Director blog post was drafted with the assistance of ChatDPQ, DirectorPrep's AI-powered tool designed specifically for board directors.

 

Thank you.

Scott

Scott Baldwin is a certified corporate director (ICD.D) and co-founder of DirectorPrep.com – an online membership with practical tools for board directors who choose a learning and growth mindset.
