Nonprofit Cyber Security Statistics

Hackers have moved beyond focusing their efforts mostly on corporations and government agencies in recent years, expanding their operations to take advantage of weak cyber security across a variety of organization types. Nonprofits, small and medium-sized businesses, healthcare, and other groups are increasingly targeted. Attackers seek sensitive data, ransom payments, and jumping-off points for committing additional attacks.

With this shift in attacker interest, it is critical that nonprofits understand the risk that they face so that they can be better prepared to detect and respond to attacks. This post provides statistics that can empower you and your organization to learn more about cyber risks and take proactive steps to improve your resilience against attacks.

68% of nonprofits do not have documented policies and procedures in case of a cyber attack

Without documented policies and procedures, the pathway from discovering that the organization has been hacked to fully recovering from the attack is significantly longer and fraught with difficulties. With a set of robust cyber incident response and recovery procedures in place, the organization can fully understand the impact of the attack and rapidly reduce the time it takes to get back to business-as-usual.

43% of nonprofits do not have policies that clearly define what data is considered personally identifiable information (PII)

A lack of policies that define what data is considered sensitive, including PII, puts the organization at great risk for data loss, mishandling, and fraud. A well-defined policy for handling sensitive data should give staff members guidance on how to store, process, destroy, and share sensitive data.

71% of nonprofits have policies and procedures for backing up data, hardware, and software

This is certainly an encouraging statistic. Modern operating systems and devices often make it easier for users to back up their data. Having a good policy in place, along with the right backup and restoration tools to enable that policy, goes a long way toward helping nonprofits get back to business following an incident. Just make sure that your backups really do contain all of your critical data and that the data can be restored in a timely manner in the case of an incident.

59% of nonprofits have no cyber security training for their staff

One of the most common attack vectors used by hackers is taking advantage of a user's trust or actions. Without the proper cyber security awareness training, staff members do not have the tools they need to identify the types of attacks that target them. A cyber security awareness course as well as periodic refresher sessions are a great way to reduce the organization's risk of attack and to help quickly identify potential attacks.

55% of nonprofits do not require multi-factor authentication (MFA) to log into online accounts

One of the best ways to rapidly and inexpensively improve your organization's security is to enable multi-factor authentication (MFA). Most online services as well as common desktop-based applications can now leverage MFA for free, through the use of an app.

42% of nonprofits do not monitor their IT environment for security events

Without the necessary technical capabilities or cyber security expertise, nonprofits are unable to identify attacks that have occurred against their organizations. A well-tailored security monitoring capability can prevent attackers from gaining initial access and limit the impact of a cyber security incident.

Learn More

Want to learn more about how to avoid being a negative cyber security statistic? Send us a message here to set up a free consultation with our security experts. During the consultation, we'll discuss your security goals, current security strategies, and how our team can support your organization in becoming more secure.


  1. NTEN, State of Nonprofit Cybersecurity