Key Takeaways
- Nonprofits hold donor financial data, beneficiary health and social service records, grant compliance documentation, and personnel files — often across four or more disconnected systems, with no formal data governance policy that specifies how each is accessed, retained, or disposed of.
- According to Okta’s 2025 Nonprofits at Work report, nonprofits were the second-most targeted sector by cybercriminals, and Microsoft’s Digital Defense Report 2024 identifies them as the fourth-most targeted by nation-state actors — despite being among the least-resourced organizations for security response.
- The human element remains the dominant breach vector: Verizon’s 2024 Data Breach Investigations Report found that 68% of breaches across all sectors involved a human element, including phishing, credential misuse, and social engineering. Nonprofits, which routinely conduct business through volunteer board members, remote staff, and third-party vendors, carry above-average exposure in all three categories.
- Fragmented data systems — CRM, fund accounting software, case management platforms, and grant portals that do not integrate — create data silos that pose both operational liabilities and security gaps. Data that exists in multiple places, in inconsistent formats, and without access controls cannot be protected.
- Bottom line: Nonprofit data management is not an IT department problem. It is a financial risk, a compliance obligation, and a donor-trust issue that belongs on the CFO’s agenda as much as on the IT manager’s.
The average nonprofit manages more sensitive data than most of its leadership team realizes. Donor payment details and giving histories. Beneficiary records that may include health status, immigration information, housing instability, or involvement with the justice system. Personnel files. Grant compliance documentation is subject to federal audit. Vendor contracts. Board communications.
That data lives across a collection of systems that were typically purchased one at a time to solve one problem at a time, integrated incompletely or not at all, and administered by staff who received no formal data governance training. The security posture surrounding it rarely matches the sensitivity of its contents.
The Nonprofit Data Environment Is More Complex Than It Looks
A mid-sized nonprofit managing three program areas typically runs at a minimum: a constituent relationship management system for donors, a fund accounting platform, a case management system for beneficiaries, a grant management portal for funder reporting, and shared drives or cloud storage for documents. Many also manage a separate HR system, event management software, and donor payment processing through a third-party platform.
Each of these systems holds a different category of data. Each has its own user access controls, or lacks them. Each creates a different export format when data needs to move between them. And in the absence of a formal data governance policy, decisions about who can access what, how long records are retained, and what happens when a staff member departs are made informally, inconsistently, and usually only after something goes wrong.
The operational consequence is fragmented, unreliable data that development teams cannot use for donor analysis and program teams cannot use for outcome reporting. The security consequence is a larger-than-necessary attack surface, populated by accounts that were never deactivated and data that was never deleted.
Designated Systems of Record
One foundational governance decision that most nonprofits have not made explicitly: which system is authoritative for each data domain. The CRM holds donor records, but so does the accounting system, the event platform, and three years of exported spreadsheets sitting in shared drives. When these records conflict — and they do — staff make ad hoc decisions about which version to trust.
Designating a system of record for each data category (donor engagement data in the CRM, financial data in the accounting platform, beneficiary outcomes in the case management system) and designing all integrations and exports around those designations is the foundational step that makes both data quality and data security manageable.
The Threat Environment Nonprofits Actually Face
The threat landscape is not theoretical. According to Okta’s 2025 Nonprofits at Work report, nonprofits were the second-most targeted sector by cybercriminals in 2024. Cloudflare’s Project Galileo data, cited in NetHope’s 2025 State of Humanitarian and Development Cybersecurity Report, documents a 241% increase in cyberattacks on civil society organizations between 2024 and 2025.
The reasons are structural. Nonprofits hold valuable data — donor financial information, beneficiary personal records, and sometimes federally regulated program data — while typically operating with smaller IT budgets, less technical staff, and more permissive access controls than comparable private-sector organizations. They also conduct significant business through channels that expand their exposure: volunteer board members using personal devices and personal email, remote program staff on unmanaged networks, and third-party vendors with access to core systems.
Business email compromise, which involves impersonating an executive or trusted vendor to redirect a payment or authorize a wire transfer, is among the most financially damaging attack types affecting nonprofits. These attacks succeed not because of technical vulnerabilities but because of process gaps — specifically, the absence of dual-authorization requirements and verbal verification protocols for financial transactions initiated by email.
Regulatory Compliance Adds Its Own Layer
Depending on the program area, nonprofit data environments may be subject to specific regulatory frameworks beyond general data privacy obligations. Nonprofits operating health programs may hold data subject to HIPAA. Those working with youth education programs may hold records subject to FERPA. Organizations receiving federal funding are subject to data management and record retention requirements under 2 CFR Part 200. State-level data privacy laws, which have proliferated significantly since 2020, may also apply based on where an organization operates and where its donors or beneficiaries reside.
These are not IT compliance checkboxes. They are legal obligations that carry financial penalties and, in the case of a breach, reporting requirements to regulators, affected individuals, and, in some cases, funders. IT managers and CFOs need a shared understanding of which regulatory frameworks apply to their organization’s data before a breach makes that question urgent.
Practical Security Controls That Match Nonprofit Operational Reality
The security controls most likely to reduce nonprofit breach risk are not sophisticated — they are consistently applied fundamentals that many organizations have not implemented.
Multi-factor authentication on all systems handling financial data, donor records, and beneficiary information is the single highest-return control available. It does not require a significant budget. Its absence is responsible for a disproportionate share of credential-based breaches across all sectors.
Role-based access controls limit user permissions to the data each role actually requires. A program coordinator does not need access to donor financial records. A development officer does not need access to beneficiary case files. Access controls that have never been formally defined, or that were defined once and never updated as staff roles changed, provide no meaningful protection.
Off-boarding procedures that immediately deactivate accounts when staff or volunteers depart are a control most nonprofits recognize as important, and few execute consistently. Every active account belonging to a departed employee is an unmonitored access point.
Vendor due diligence, applied to any third-party system that accesses or stores organizational data, should include review of the vendor’s data security practices, breach notification procedures, and applicable certifications. Nonprofit organizations frequently share data with partners, fiscal sponsors, referral organizations, and grant portals without formal data-sharing agreements governing how that data is handled on the receiving end.
Building the CFO-IT Partnership That Data Governance Requires
Data management decisions in nonprofits are rarely made jointly by finance and technology leadership. The accounting platform was chosen by the CFO. The CRM was chosen by development. The case management system was chosen by program staff. The result is an architecture that reflects departmental priorities rather than organizational data strategy.
The CFO’s stake in data governance is direct: grant compliance documentation must be audit-ready, financial records must be accurate and attributable, and donor data must be handled in ways that support the organization’s legal and reputational obligations. The IT manager’s stake is equally direct: the systems must be secured, integrated, and maintained within a typically insufficient budget.
Neither can solve the problem independently. The organizations that manage their data environments effectively have made data governance a shared leadership responsibility — with formal policies, assigned ownership, and board-level awareness of the risk posture.
Wiss works with nonprofit organizations on the technology advisory and financial systems work required by data governance: accounting platform selection and implementation, internal controls assessment, audit readiness, and advisory support that helps finance and technology leadership align on the systems and policies their data environment needs. If your organization’s data management practices have grown without a plan, that’s a solvable problem. Contact the Wiss nonprofit practice to discuss your organization’s specific situation.
Previous
Share
