The 3 Biggest Cybersecurity Risks for Nonprofits

Turns out your biggest threats aren’t hackers in hoodies – they’re normal humans doing normal human things.

Most nonprofits and mission-driven orgs assume they’re too small or too niche to be targeted. “Why would anyone want our stuff?” they ask, clutching their 2014 laptop like a security blanket. The truth is: attackers love small organizations like yours precisely because you’re small. Limited staff, shared passwords, aging computers, and a heroic belief in “we’ll get to that someday” make you surprisingly appealing.

Here are the three risks that cause the most trouble – and the easiest ways to defuse them.

1. Account Compromise (AKA: The Password Reuse Olympics)

Most attacks start with a single staff member clicking a link they promise “looked really legitimate.” Or with a shared Gmail password written on a sticky note under the keyboard. Once an attacker gets into email, they can reset passwords, steal donor data, impersonate staff, or—worst of all—email your accountant.

What helps:
Use multi-factor authentication (MFA). Use a password manager. Retire shared accounts like it’s 1999.

2. Backups That Don’t Actually Back Anything Up

Many organizations swear they have backups… right until the moment they need them. Then it turns out the backup drive hasn’t worked since before the last presidential administration.

What helps:
Automated, isolated backups with version history—not “external hard drive we plug in when we remember.”

3. Unmanaged Devices (AKA: “I think my kid’s Minecraft laptop also has donor data on it.”)

If staff access work email or documents on personal devices with no security controls, it’s basically an open house for attackers.

What helps:
Basic device expectations, software updates, and light-touch protection. No need for heavy-handed policies; just enough structure to avoid catastrophe.

Words of Wisdom:
Most cybersecurity problems come down to a small handful of patterns repeated endlessly. Fix the patterns, and everything else gets much quieter.