Protecting your mission, your donors, and the people you serve

Section 1: Nonprofit-Specific Risk Assessment
| Risk | Likelihood for AZ Nonprofits | Potential Impact | Priority |
|---|---|---|---|
| Ransomware encrypting donor DB and client records | HIGH — small orgs are targeted | Mission disruption + donor trust breach + potential grant clawback | CRITICAL |
| BEC targeting executive wire transfer authority | HIGH — thin approval controls | Direct financial loss; avg $50K–$150K | CRITICAL |
| Donor payment data breach | MEDIUM-HIGH — depends on payment processor | Legal liability + donor relationship damage + reputational harm | HIGH |
| Volunteer/board account compromise | HIGH — minimal onboarding security | Entry point for broader compromise | HIGH |
| Client/beneficiary data exposure | MEDIUM — depends on population served | Direct harm to vulnerable individuals + legal/regulatory exposure | HIGH (if applicable) |
| Grant documentation loss | MEDIUM — ransomware side effect | Funding clawback + disqualification | HIGH |
| Staff offboarding failures | HIGH — high turnover in sector | Access retention by departed staff | MEDIUM |
| Phishing / credential theft | HIGH — sector has low training | Account compromise + BEC entry point | MEDIUM |
Section 2: The Foundational Controls Checklist
IDENTITY AND ACCESS — ADDRESS FIRST
☐ MFA enabled and enforced on ALL organizational accounts: email, donor management, financial, cloud storage
☐ Every person (staff, volunteer, board) has their own individual account — no shared credentials
☐ Access is role-based: staff see only what they need for their role
☐ Offboarding checklist exists and is followed: access revoked same day as departure
☐ Quarterly access review: confirm active accounts match current staff and volunteers
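The quarterly access review above is a reconciliation: every active account in the identity provider should map to a current person on the staff/volunteer roster, have MFA, and show recent use. The script below is an added example of that reconciliation, not code from the page or from any vendor; the two CSV exports, their column names (`mfa_enrolled`, `last_login`, `status`, `end_date`) and the people in them are constructed, and the 90-day dormancy threshold is an assumption. Its output is the to-do list for the review, with departed-but-active accounts (the offboarding failure from Section 1) at the top.

```python
"""Quarterly access review: reconcile an identity-provider export against the
staff/volunteer roster. Added example for this checklist; the CSV exports and
their column names are constructed/hypothetical, not from any real product."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import date

# Constructed sample: account export from the organization's identity provider.
# Column names (mfa_enrolled, last_login, status) are hypothetical.
ACCOUNTS_CSV = """email,display_name,mfa_enrolled,last_login,status
director@example.org,Dana Director,true,2024-03-28,active
finance@example.org,Frank Finance,false,2024-03-27,active
volunteer.pat@example.org,Pat Volunteer,true,2023-09-02,active
former.staff@example.org,Sam Former,true,2024-03-01,active
board.lee@example.org,Lee Board,true,2024-02-15,active
frontdesk@example.org,Front Desk,false,2024-03-28,active
intern.old@example.org,Old Intern,true,2023-06-10,disabled
"""

# Constructed sample: current roster from HR / the volunteer coordinator.
# An end_date in the past means the person has departed.
ROSTER_CSV = """email,role,end_date
director@example.org,staff,
finance@example.org,staff,
volunteer.pat@example.org,volunteer,
former.staff@example.org,staff,2024-02-29
board.lee@example.org,board,
"""

REVIEW_DATE = date(2024, 4, 1)   # date the quarterly review is run (constructed)
STALE_DAYS = 90                  # no login in this many days => confirm or disable (assumption)


@dataclass
class Findings:
    no_mfa: list[str] = field(default_factory=list)                 # checklist: MFA on ALL accounts
    departed_still_active: list[str] = field(default_factory=list)  # offboarding failure
    not_on_roster: list[str] = field(default_factory=list)          # unknown owner or shared login
    stale: list[str] = field(default_factory=list)                  # dormant accounts


def _parse_date(value: str) -> date | None:
    return date.fromisoformat(value) if value.strip() else None


def review_access(accounts_csv: str, roster_csv: str, today: date,
                  stale_days: int = STALE_DAYS) -> Findings:
    """Compare active accounts with the roster and return the gaps a reviewer must act on."""
    roster = {row["email"].strip().lower(): row
              for row in csv.DictReader(io.StringIO(roster_csv))}
    findings = Findings()
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["status"].strip().lower() != "active":
            continue  # already disabled: nothing left to revoke
        email = acct["email"].strip().lower()
        if acct["mfa_enrolled"].strip().lower() != "true":
            findings.no_mfa.append(email)
        person = roster.get(email)
        if person is None:
            findings.not_on_roster.append(email)   # nobody owns it, or it is a shared login
        else:
            end = _parse_date(person["end_date"])
            if end is not None and end < today:
                findings.departed_still_active.append(email)
        last_login = _parse_date(acct["last_login"])
        if last_login is None or (today - last_login).days > stale_days:
            findings.stale.append(email)
    return findings


def action_items(findings: Findings) -> list[str]:
    """Turn findings into the ordered to-do list for the review, most urgent first."""
    items = [f"REVOKE TODAY (departed): {e}" for e in findings.departed_still_active]
    items += [f"IDENTIFY OWNER OR DISABLE (not on roster): {e}" for e in findings.not_on_roster]
    items += [f"ENFORCE MFA: {e}" for e in findings.no_mfa]
    items += [f"CONFIRM STILL NEEDED (no login in {STALE_DAYS} days): {e}" for e in findings.stale]
    return items


def run_review() -> Findings:
    """Run the review over the constructed samples."""
    return review_access(ACCOUNTS_CSV, ROSTER_CSV, REVIEW_DATE)


if __name__ == "__main__":
    for line in action_items(run_review()):
        print(line)
```

In practice the two inputs come from the identity provider's user export and whatever the organization uses as its roster; the point of keeping the comparison in a script rather than a glance at the admin console is that it is repeatable each quarter and the resulting list can be filed as evidence that the review happened.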
DATA PROTECTION
☐ Donor payment data is handled through a PCI-compliant payment processor — never stored in spreadsheets or email
☐ Client/beneficiary records are stored in an access-controlled system — not on shared drives
☐ Sensitive documents (SSNs, financial data, client case files) are not transmitted by email unencrypted
☐ Data retention and disposal policy exists: old records are securely deleted, not just moved to trash
☐ Personally identifiable information is inventoried: we know what we have and where it lives
BACKUP AND RECOVERY
☐ Automated backup of donor database, client records, financial records, and grant documentation
☐ Backup is stored off-site or in a separate cloud tenant — not on the same network as production systems
☐ Backup restoration has been tested in the last 12 months — we know it works
☐ Recovery time estimate exists: if we lost everything tonight, how long to restore?
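"Tested" restoration means more than the backup job reporting success: the restored files have to be checked against what was backed up, and the restore has to be timed so the recovery estimate is a measured number. The script below is an added example of such a drill, not code from the page or from any backup product; it builds constructed sample data inside a temporary directory, records a SHA-256 manifest at backup time, restores, and reports missing, corrupted or unexpected files plus the elapsed restore time. The `simulate_damage` flag shows what a failed restore looks like in the report.

```python
"""Backup restore drill with integrity verification. Added example for this
checklist; all data, paths and file names are constructed inside a temporary
directory and are not from the page or any real backup product."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """SHA-256 of every file under root, keyed by path relative to root."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict:
    """Compare restored files against the manifest captured at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    unexpected = sorted(set(restored) - set(manifest))
    return {"ok": not missing and not corrupted,
            "missing": missing, "corrupted": corrupted, "unexpected": unexpected}


def run_restore_drill(simulate_damage: bool) -> dict:
    """End-to-end drill in a temp dir: create constructed 'production' data, back it up
    with a manifest, restore it (optionally with simulated damage), verify and time it."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp, "production")
        backup = Path(tmp, "backup")
        restored = Path(tmp, "restored")
        manifest_path = Path(tmp, "backup.manifest.json")  # kept beside, not inside, the backup

        # Constructed sample records standing in for the systems the checklist names.
        (prod / "donors").mkdir(parents=True)
        (prod / "donors" / "donors.csv").write_text("id,name,last_gift\n1,Sample Donor,2024-03-01\n")
        (prod / "clients").mkdir()
        (prod / "clients" / "cases.db").write_bytes(bytes(range(256)) * 4)
        (prod / "grants").mkdir()
        (prod / "grants" / "award_2024.pdf").write_bytes(b"%PDF-1.4 constructed placeholder\n")

        # Backup step: copy the data and record the manifest at the same moment.
        shutil.copytree(prod, backup)
        manifest_path.write_text(json.dumps(build_manifest(prod), indent=2))

        # Restore step, timed: this is the number the recovery-time estimate needs.
        started = time.monotonic()
        shutil.copytree(backup, restored)
        if simulate_damage:
            (restored / "grants" / "award_2024.pdf").unlink()                   # file never restored
            (restored / "clients" / "cases.db").write_bytes(bytes(range(128)))  # truncated restore
        elapsed = time.monotonic() - started

        report = verify_restore(json.loads(manifest_path.read_text()), restored)
        report["restore_seconds"] = round(elapsed, 3)
        return report


if __name__ == "__main__":
    print(json.dumps(run_restore_drill(simulate_damage=False), indent=2))
    print(json.dumps(run_restore_drill(simulate_damage=True), indent=2))
```

The manifest is deliberately stored separately from the backup it describes, so that a restore which silently drops or truncates files cannot also drop the record used to catch it. Run against a real backup, the same comparison answers both checklist questions at once: whether the backup works, and how long restoring it actually took.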
SECURITY AWARENESS
☐ All staff have received security awareness training in the last 12 months
☐ Board members have received at least a brief security orientation
☐ Volunteers with system access have received basic security training before access is granted
☐ Staff know who to call and what to do if they suspect a phishing attack or incident
☐ BEC prevention: staff know to verify any unusual payment request by phone before acting
INCIDENT PREPAREDNESS
☐ Written incident response plan exists — even a one-page version is better than none
☐ IT contact has 24/7 emergency availability — or we have a plan for after-hours incidents
☐ Cyber insurance policy is in place and has been reviewed in the last 12 months
☐ Arizona breach notification obligations (ARS § 18-552) are understood
☐ Key contacts are documented: legal counsel, insurance carrier, IT provider, board chair
Section 3: Protecting Donor Trust
Donors give because they trust your organization to deploy their gifts responsibly. Cybersecurity is part of that stewardship. Here's how to frame it internally and externally.
What to Tell Your Donors (When Asked)
"We protect your information with the same care we give to the people we serve. We use encrypted storage for your payment and personal information, multi-factor authentication on all accounts that can access donor data, and a cyber insurance policy that protects us and you in the event of an incident. Your trust matters to us — in every dimension of how we operate."
What to Include in Your Donor Privacy Policy
• What personal and financial information you collect
• How it is stored and protected
• Who has access to it and under what conditions
• How long you retain it
• How you would notify donors in the event of a breach
• Contact information for questions
Section 4: Board Governance Checklist
Boards are responsible for fiduciary oversight of organizational assets. Cybersecurity is a board governance issue. These questions should be on the annual board agenda.
☐ Has the organization completed a security assessment in the last 24 months?
☐ Does the organization have a written security policy?
☐ Is cyber insurance in place with appropriate coverage limits?
☐ Does the organization have a documented incident response plan?
☐ Has the executive director or CFO briefed the board on the top cybersecurity risks?
☐ Does the organization have a named person responsible for technology security?
☐ Are there dual controls on financial transactions above a defined threshold?
☐ Is donor and client data inventoried and access-controlled?
☐ Has the organization experienced any security incidents in the past year? Were they reported to the board?
Section 5: Low-Cost and Free Security Tools for Nonprofits
| Tool | What It Does | Cost for Nonprofits |
|---|---|---|
| Microsoft 365 Business Premium (via TechSoup) | Full security stack: Defender, Intune, Conditional Access, Exchange | Significant nonprofit discount via TechSoup / Microsoft Nonprofit Program |
| Google Workspace for Nonprofits | Email, Drive, admin security controls | Free for eligible nonprofits |
| Bitwarden (Password Manager) | Secure credential management for teams | Free tier available; Teams from $3/user/month |
| Cloudflare Gateway (DNS filtering) | Blocks malicious sites and phishing domains | Free for teams under 50 |
| Have I Been Pwned (domain monitoring) | Alerts when org email accounts appear in breaches | Free for nonprofits |
| CISA Free Cybersecurity Services | Vulnerability scanning, phishing assessment, training | Free for eligible organizations |
AEGITz offers nonprofit-specific pricing for Phoenix-area 501(c)(3) organizations. We believe protecting your mission is the right thing to do — and we price accordingly. Schedule a no-obligation discovery call at aegitz.com.