Article Read Time

Last winter, a nonprofit food pantry director in a town of about 6,000 people called me after what could have been a very bad week. Someone had impersonated her board chair in an email and asked the bookkeeper to transfer $4,200 to a new account. The bookkeeper, who works two jobs and answers emails between them, almost sent it. She caught it because the chair never signs off with only his first initial. That small habit saved real money that would have bought real groceries.
I tell that story because it captures the spot most nonprofits sit in. You hold sensitive information, and you move money, but you run lean, and cyber security rarely makes the budget. In 2026, that gap is what attackers count on. Here is what I think every nonprofit director should keep in mind this year.
A Nonprofit is a target because of what you hold, not how big you are
A common belief is that criminals only chase banks and hospitals. They do not. Nonprofits keep donor names, credit card details, and sometimes deeply private records about the people you serve: health histories, immigration status, addresses of families fleeing harm. That information has value, and your defenses are often thinner than a corporation’s. Attackers know this. They do not see a small charity. They see an unlocked door.
So the question is not whether you are worth attacking. It is whether you have made yourself an easy hit.
The most common attack still arrives by email
Most of the trouble I see does not involve clever code. It involves a convincing message. This is called phishing, which means a fake email or text message designed to trick someone into clicking a malicious link or handing over a password. In 2026, these messages are sharper than ever because attackers now use AI tools to write clean, personal notes with no clumsy spelling to give them away.
The fix is mostly human. Teach your staff and volunteers to slow down on any message that asks for money, login details, or a change to payment instructions. Build a simple rule: any payment change gets confirmed by a phone call to a known number, never the number in the email. The food pantry’s near miss came down to one person who paused. Pausing is a skill you can teach.
Turn on the second lock
If you do only one technical thing this year, do this. Turn on multifactor authentication, which adds a second step beyond your password, such as a code sent to your phone. It is the closest thing to a free, strong lock that exists in cyber security. Most email and donation platforms offer it at no cost. A stolen password alone cannot open an account that has it switched on.
I know the worry. Staff turnover is high, and volunteers come and go, and you fear the second step will slow everyone down. It adds a few seconds. A breach can cost you weeks and the trust of every donor you have.
Plan for the day your data is held hostage
Ransomware, which is malware that locks your files until you pay, has not gone away. For a nonprofit, the damage is not only the ransom. It is the program that stops because the client list is locked, or the event that collapses because the registration system is dark.
Two habits protect you. First, keep backups of your important files, and keep one copy somewhere that the rest of your network cannot reach. Think of it as a spare set of keys kept at your sister’s house, not under the same doormat. Second, write down a short plan for who you call and what you do first if systems go down. A plan scribbled on one page beats a perfect plan that lives only in your head.
Mind the tools you did not vet
Nonprofits run on donated software, free trials, and the personal accounts of busy volunteers. Each one is a door. A volunteer’s home laptop with no updates can carry trouble straight into your donor database. You do not need to ban these tools. You need to know they exist, keep them updated, and remove access the day someone leaves.
A Nonprofit does not have to do this alone
Here is the part the industry rarely tells you. A great deal of solid protection costs nothing. The federal Cybersecurity and Infrastructure Security Agency, known as CISA, offers free guides and even free scans for organizations like yours. The FBI’s Internet Crime Complaint Center, IC3, is where you report fraud and help others avoid it. Your state emergency management office and local InfraGard chapter can point you to people who help for the love of the mission.
We help nonprofits across the Commonwealth, too, and when we do, we start by telling you what you can fix for free before we ever talk about anything else. If you want a plain conversation about where your organization stands, call us at 502-234-5554. No pressure, no pitch, just a look at your front door together.
The families you serve trust you with more than a meal or a bed. They trust you with their information. Guarding it well is part of the same promise you already made.
At Commonwealth Sentinel, we stay focused on cyber security so you can focus on other things!
