Require Multi-Factor Authentication (MFA) Everywhere
MFA is the single most effective control against account takeover. Enable it on email, cloud apps, remote access, and administrative accounts, especially for leadership and finance staff.
Train Staff to Spot Phishing
Most breaches start with an attack on a person, not with a hacker breaking through technical defenses. Provide simple, recurring training on phishing emails, fake links, QR code scams, and urgent “CEO” requests.
Protect Email First (It’s the #1 Attack Vector)
Use modern email security features: spam filtering, phishing detection, attachment scanning, and link protection. Email is where ransomware, fraud, and data theft usually begin.
Back Up Critical Data — and Test Restores
Follow the 3-2-1 rule: 3 copies of data, 2 different storage types, and 1 copy offline or immutable. Backups don’t matter unless you can restore them quickly after an attack.
Keep Systems Patched and Updated
Unpatched systems are low-hanging fruit for attackers. Ensure operating systems, browsers, firewalls, and software automatically update—or are patched monthly at minimum.
Use Strong Passwords (and a Password Manager)
Restrict password reuse. Encourage long passphrases and provide a password manager so staff don’t resort to sticky notes or spreadsheets.
Limit Access Using “Least Privilege”
Staff should only have access to what they need to do their job—nothing more. Especially restrict: financial systems, donor databases, HR and payroll, and administrative accounts. This dramatically limits the damage if an account is compromised. If you use MS 365, do not give your executives’ accounts administrator rights as well.
Secure Laptops and Mobile Devices
Encrypt devices, enable screen locks, and allow remote wipe for lost or stolen equipment. Many nonprofit data breaches happen because a laptop was lost, not hacked. Use built-in encryption such as BitLocker for Windows and FileVault for Mac.
Monitor for Suspicious Activity
You don’t need a 24/7 security operations center (SOC), but you do need visibility. Basic logging and alerting can identify unusual logins, impossible travel, multiple failed login attempts, and malware detections. Early detection prevents small incidents from becoming disasters.
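To make "basic logging and alerting" concrete, here is an added example (not part of the original checklist and not any vendor's product) that runs three of the checks named above over constructed sign-in records: a burst of failed logins, a first login from a never-before-seen country, and impossible travel between two successful logins. The log format, thresholds and sample rows are assumptions chosen for illustration.

```python
# Added example: simple alert logic over constructed sign-in records.
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample log; fields: time user result country lat lon
SAMPLE_LOG = """2024-05-01T08:00:00 alice ok US 40.71 -74.01
2024-05-01T08:30:00 alice ok NG 6.52 3.38
2024-05-01T09:00:00 bob fail US 41.88 -87.63
2024-05-01T09:01:00 bob fail US 41.88 -87.63
2024-05-01T09:02:00 bob fail US 41.88 -87.63
2024-05-01T09:03:00 bob fail US 41.88 -87.63
2024-05-01T09:04:00 bob fail US 41.88 -87.63
2024-05-01T10:00:00 carol ok US 34.05 -118.24
2024-05-02T10:00:00 carol ok DE 52.52 13.41"""

MAX_SPEED_KMH = 900            # faster than an airliner -> impossible travel
FAIL_THRESHOLD, FAIL_WINDOW_MIN = 5, 10   # assumed thresholds

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def parse(log):
    """Turn the whitespace-separated records into sorted tuples."""
    rows = []
    for line in log.strip().splitlines():
        t, user, result, country, lat, lon = line.split()
        rows.append((datetime.fromisoformat(t), user, result, country, float(lat), float(lon)))
    return sorted(rows)

def detect(log):
    """Return (user, alert_type) tuples, in the order the events occur."""
    alerts = []
    last_ok = {}                        # user -> (time, lat, lon) of last success
    seen_countries = defaultdict(set)   # user -> countries seen in successful logins
    failures = defaultdict(list)        # user -> times of recent failed logins
    for t, user, result, country, lat, lon in parse(log):
        if result != "ok":
            window = [f for f in failures[user] if (t - f).total_seconds() <= FAIL_WINDOW_MIN * 60]
            failures[user] = window + [t]
            if len(failures[user]) == FAIL_THRESHOLD:
                alerts.append((user, "multiple_failed_logins"))
            continue
        if seen_countries[user] and country not in seen_countries[user]:
            alerts.append((user, "unusual_login"))     # first login from a new country
        seen_countries[user].add(country)
        if user in last_ok:
            pt, plat, plon = last_ok[user]
            hours = (t - pt).total_seconds() / 3600
            if hours > 0 and distance_km(plat, plon, lat, lon) / hours > MAX_SPEED_KMH:
                alerts.append((user, "impossible_travel"))
        last_ok[user] = (t, lat, lon)
    return alerts
```

In a real deployment the same logic would run over your cloud provider's sign-in export, with the thresholds tuned so that legitimate travel and occasional mistyped passwords do not page anyone.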
Have an Incident Response Plan (Even a Simple One)
Know who to call, what to shut down, and how to communicate before an incident happens. A one-page plan is infinitely better than panic during a breach. Here is a sample plan.