The Nonprofit Security Priority Matrix: What to Do First (And What to Skip)
Not all security measures are created equal. This matrix helps you focus on what actually protects your organization instead of what just looks impressive.
QUADRANT 1: DO FIRST (High Impact, Reasonable Effort)
These are your non-negotiables. Start here.
1. Multi-Factor Authentication (MFA) on Critical Accounts
Why it matters: 99% of automated attacks are stopped by MFA. One compromised email account can expose your entire donor database, financial records, and confidential client information.
What it costs: Free for most services. 2-3 hours to set up across your organization.
How to implement:
- Start with email accounts (Microsoft 365, Google Workspace)
- Add financial systems (banking, payroll, accounting software)
- Enable on your CRM and database systems
- Set up authenticator apps (Microsoft Authenticator, Google Authenticator) instead of SMS when possible
- Create backup codes and store them securely
Common objection: "It's too annoying for staff."
Reality: Staff check their phones constantly anyway. The 3 seconds it takes to approve a login is nothing compared to the weeks of cleanup after a breach.
2. Automated Backups
How to implement:
- Identify what data is critical (financial records, donor data, program files)
- Choose a cloud backup service (Backblaze, Acronis, or your cloud provider's backup tools)
- Set automated daily backups
- Test restoration monthly (set a calendar reminder)
- Keep one backup offsite and offline (external drive stored at someone's home)
Common objection: "We already save files to the cloud."
Reality: Cloud storage isn't the same as backup. If ransomware encrypts your files, it syncs that encryption to the cloud. You need versioning and separate backup.
Timeframe: 1 week to implement, ongoing 30 minutes/month to verify
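The "test restoration monthly" step is the one most organizations skip because nobody knows what "tested" means. As an added example (not code from the original article), the script below records a SHA-256 manifest of the files at backup time, then checks a restored copy against that manifest and confirms the backup is no older than a day. The folder layout, file names and contents are constructed for the demonstration; the `verify_restore` function returns a list of problems, so an empty list is a passed restore test.

```python
"""Backup restore-test helper (added example, not part of the original article).

Workflow: build_manifest() runs when the backup is taken; verify_restore()
runs after you restore that backup somewhere and tells you whether every
file came back intact and whether the backup is fresh enough."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_SECONDS = 24 * 3600  # daily backups: anything older is stale


def sha256_of(path):
    """Hash a file in chunks so large files don't have to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source):
    """Record relative path -> sha256 for every file under `source`, plus a timestamp."""
    source = Path(source)
    files = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            files[p.relative_to(source).as_posix()] = sha256_of(p)
    return {"created": time.time(), "files": files}


def verify_restore(manifest, restored, now=None):
    """Return a list of problems; an empty list means the restore test passed."""
    restored = Path(restored)
    now = time.time() if now is None else now
    problems = []
    if now - manifest["created"] > MAX_BACKUP_AGE_SECONDS:
        problems.append("backup is older than 24 hours")
    for rel, expected in manifest["files"].items():
        target = restored / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(target) != expected:
            problems.append(f"content mismatch: {rel}")
    return problems


def demo():
    """Constructed scenario: one clean restore and one where files were lost or truncated."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (src / "donors.csv").write_text("name,email\nA. Donor,a@example.org\n")
        manifest = build_manifest(src)

        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)
        ok = verify_restore(manifest, good)

        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "donors.csv").write_text("name,email\n")   # truncated during restore
        (bad / "finance" / "ledger.csv").unlink()          # never restored
        broken = verify_restore(manifest, bad)
        return ok, broken


if __name__ == "__main__":
    passed, failed = demo()
    print("clean restore problems:", passed)
    print("damaged restore problems:", failed)
```

Keep the manifest with the backup (or better, in a second location), because a restore that "looks complete" but has a truncated donor file is exactly the failure a monthly test exists to catch. The age check is what turns "we have backups" into "we have a backup from last night".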
3. Password Manager for the Entire Organization
Why it matters: Weak passwords and password reuse are the #1 way attackers get in. A password manager makes strong, unique passwords effortless.
What it costs: $3-8/user/month for nonprofit plans. 1-2 days to roll out.
How to implement:
- Choose a business password manager (1Password, Bitwarden, Dashlane)
- Set up shared vaults for organizational accounts
- Train staff in a 30-minute group session
- Migrate passwords gradually, starting with most critical accounts
- Enable MFA on the password manager itself
Common objection: "People will never use it."
Reality: Once staff realize they only need to remember one password instead of 47, adoption skyrockets. The browser extensions make it seamless.
Timeframe: 2-3 weeks for full adoption
4. Basic Security Awareness Training (Monthly, Not Annually)
Why it matters: Most breaches start with someone clicking a phishing link. Your staff are your first line of defense.
What it costs: Free to $5/user/month. 15 minutes per month.
How to implement:
- Send one practical tip per month via email or Slack
- Forward real phishing attempts you receive (with clear "THIS IS FAKE" warnings) to show what to watch for
- Practice "hover before you click" in team meetings
- Create a no-shame reporting culture for suspected phishing
- Use free phishing simulations quarterly (KnowBe4 has free options)
Common objection: "We already did security training."
Reality: One annual training session doesn't work. Security awareness needs to be ongoing, like fire drills.
Timeframe: Ongoing, 2 hours/month to manage
5. Software Update Schedule
Why it matters: Unpatched software is the second-most-common breach vector. Most ransomware exploits known vulnerabilities that have already been patched.
What it costs: Free. 2-4 hours per month.
How to implement:
- Enable automatic updates on all computers and mobile devices
- Create a monthly "patch day" for servers and critical systems
- Test updates on one device before deploying to everyone
- Document which systems need manual updates
- Set calendar reminders for quarterly reviews of outdated software
Common objection: "Updates break things."
Reality: Sometimes they do. But unpatched systems get breached. Test first, update fast.
Timeframe: 1 day to set up, ongoing 3-4 hours/month
6. Email Security Rules and Spam Filtering
Why it matters: Email is the primary attack vector. Better filtering stops most threats before they reach staff.
What it costs: Often included free with Microsoft 365/Google Workspace. Enhanced filtering: $2-5/user/month.
How to implement:
- Enable built-in security features in your email platform
- Create rules to flag external emails (add "EXTERNAL" to subject lines)
- Block executable and archive file attachments (.exe, .zip, .scr)
- Enable link protection that scans URLs before allowing clicks
- Set up DMARC, SPF, and DKIM records (work with your email provider)
Common objection: "We need to receive attachments from partners."
Reality: Block dangerous file types. PDFs and documents can still come through. Anything else can go through secure file sharing.
Timeframe: 1 week to configure properly
7. Admin Account Controls
Why it matters: Admin privileges let attackers move freely through your systems. Limiting admin rights contains damage.
What it costs: Free. 3-4 hours to implement.
How to implement:
- Remove admin rights from all standard user accounts
- Create separate admin accounts for when elevated access is needed
- Use standard accounts for daily work, admin accounts only when necessary
- Document who has admin access and why
- Review admin accounts quarterly
Common objection: "People need admin rights to install software."
Reality: No, they don't. You can install software for them, or use tools that allow limited installation without full admin rights.
Timeframe: 1-2 days to implement
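"Document who has admin access and why" and "review admin accounts quarterly" are easy to say and easy to let slide. As an added example (not from the original article), the script below reads an exported account list and flags every admin account that lacks MFA, lacks a documented reason, has not been reviewed in 90 days, or belongs to someone with no separate standard account (a sign the admin account is being used for daily work). The CSV columns and the rows in `SAMPLE_EXPORT` are constructed assumptions, not the export format of any particular product; adjust the column names to match what your identity platform gives you.

```python
"""Quarterly admin-account review over a CSV export (added example, not the
article's own code). Column names are an assumption; rows are constructed."""
import csv
import io
from datetime import date

REVIEW_INTERVAL_DAYS = 90  # "review admin accounts quarterly"

# Constructed sample export. Jane has a standard account and a separate,
# documented admin account; Sam works from an admin account with no MFA.
SAMPLE_EXPORT = """account,owner,role,mfa,justification,last_reviewed
jane@example.org,Jane,standard,yes,,2024-03-01
jane-admin@example.org,Jane,admin,yes,Microsoft 365 global admin (primary),2024-03-01
ops@example.org,Sam,admin,no,,2023-09-15
pat@example.org,Pat,standard,yes,,2024-03-01
"""


def review_admin_accounts(csv_text, as_of):
    """Return {account: [issues]} for admin accounts that need attention.

    `as_of` is the review date, as a datetime.date or 'YYYY-MM-DD' string."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    owners_with_standard = {r["owner"] for r in rows if r["role"].strip().lower() == "standard"}
    findings = {}
    for r in rows:
        if r["role"].strip().lower() != "admin":
            continue
        issues = []
        if r["mfa"].strip().lower() != "yes":
            issues.append("MFA not enabled")
        if not r["justification"].strip():
            issues.append("no documented reason for admin access")
        reviewed = r["last_reviewed"].strip()
        if not reviewed:
            issues.append("never reviewed")
        else:
            age = (as_of - date.fromisoformat(reviewed)).days
            if age > REVIEW_INTERVAL_DAYS:
                issues.append(f"last reviewed {age} days ago (limit {REVIEW_INTERVAL_DAYS})")
        if r["owner"] not in owners_with_standard:
            issues.append("owner has no separate standard account; admin account likely used for daily work")
        if issues:
            findings[r["account"]] = issues
    return findings


if __name__ == "__main__":
    for account, issues in review_admin_accounts(SAMPLE_EXPORT, "2024-04-01").items():
        print(account)
        for issue in issues:
            print("  -", issue)
```

The output is the agenda for the quarterly review: each flagged line is either a fix (turn on MFA, create a standard account) or a documentation task (write down why the access exists, or remove it).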
Your Security Foundation: Do This First
Stop trying to do everything. Start with what actually protects you.
These 7 actions provide real protection without breaking your budget:
Multi-Factor Authentication - Blocks 99% of automated attacks
Automated Backups - Your ransomware insurance policy
Password Manager - Strong passwords without the headache
Email Security Rules - Stop threats before they reach staff
Software Updates - Close the holes attackers exploit
Security Awareness - Monthly tips, not annual training
Admin Controls - Contain damage when something goes wrong
Timeline: 1-3 months to complete all seven
QUADRANT 2: DO SMART (High Impact, High Effort)
Plan for these after Quadrant 1 is solid. These need budget and time.
1. Email Security Platform Upgrade
Why it's worth it: Built-in email filtering misses sophisticated phishing. Advanced platforms catch more threats and provide better threat intelligence.
Realistic cost: $3-10/user/month ($500-1,500/year for small nonprofits)
When to tackle: After MFA and basic filtering are in place. Typically 3-6 months into your security work.
How to phase it in: Start with a 30-day trial. Compare blocked threats to your current filtering. Calculate ROI based on time saved dealing with phishing reports.
What to look for: Real-time link scanning, attachment sandboxing, impersonation protection, easy reporting for users. Mimecast, Proofpoint, and Barracuda all have nonprofit programs. If you have an MSP, they can often resell you licenses at a better cost than going directly through the companies.
2. Endpoint Detection and Response (EDR)
Why it's worth it: Traditional antivirus catches known threats. EDR catches unknown threats by watching for suspicious behavior.
Realistic cost: $5-15/device/month ($1,000-3,000/year for 10-20 devices)
When to tackle: After you've secured accounts with MFA and established backup routines. Usually 6-12 months in.
How to phase it in: Deploy to executive team and finance staff first (highest-risk users). Expand to everyone else once stable.
What to look for: Easy management for non-experts, automated threat response, 24/7 monitoring included. SentinelOne, CrowdStrike, and Microsoft Defender for Endpoint have nonprofit options.
3. Security Policy Documentation
Why it's worth it: Policies create accountability and consistency. They're also required for most grants and partnerships.
Realistic cost: 20-40 hours of your time, or $2,000-5,000 for a consultant to draft.
When to tackle: After you've implemented basic controls and know what your actual practices are. Don't document aspirational policies you can't enforce.
How to phase it in: Start with acceptable use policy. Add data handling guidelines. Build incident response procedures. Tackle compliance requirements last.
What to look for: Templates from NTEN, TechSoup, NGO-ISAC, or the Technology Association of Grantmakers. Adapt existing policies rather than starting from scratch. Keep language simple and enforceable.
4. Incident Response Plan
Why it's worth it: When something goes wrong, panic makes everything worse. A plan means you know exactly what to do.
Realistic cost: 15-25 hours to create, free to maintain.
When to tackle: After your technical controls are in place. You need to know what systems you're protecting before you can plan how to respond.
How to phase it in: Create a one-page emergency contact list first. Add decision trees for common incidents. Run a tabletop exercise annually.
What to look for: Clear roles and responsibilities, communication templates, vendor contact information, legal and PR guidance. CISA has free templates.
5. Vendor Security Reviews
Why it's worth it: Third-party breaches are increasingly common. Your security is only as strong as your vendors'.
Realistic cost: 2-3 hours per vendor review, ongoing.
When to tackle: After your internal security is solid. Start with vendors who handle your most sensitive data.
How to phase it in: Create a simple vendor questionnaire. Review during contract renewals. Prioritize financial, HR, and donor management systems.
What to look for: SOC 2 reports, security certifications, incident history, data handling practices. Don't expect perfection. Look for transparency and reasonable controls.
Build Deeper Protection: Plan for These Next
These need budget and time, but they're worth doing right.
Tackle after Quadrant 1 is solid:
Advanced Email Security - Catch sophisticated phishing ($500-1,500/year)
Endpoint Detection - Stop unknown threats ($1,000-3,000/year)
Security Policies - Create accountability and meet requirements
Incident Response Plan - Know what to do when things go wrong
Vendor Reviews - Your security depends on theirs too
Timeline: 6-18 months, phased implementation
QUADRANT 3: QUICK WINS (Low Impact, Low Effort)
Do these when you have 30 minutes and want to show progress.
1. Security Awareness Posters/Reminders
Why it's low priority: Posters don't stop attacks, but they keep security top of mind.
When to do this: While waiting for software to install or during downtime between bigger projects. Ask for 5 minutes during all-staff meetings for the top tips and reminders.
How to implement: Download free posters from CISA or NIST. Print and post near workstations or send via Slack. Rotate monthly. Takes 15 minutes.
2. Basic Device Inventory
Why it's low priority: Knowing what you have is useful, but doesn't directly stop threats.
When to do this: Good first project when you inherit a role. Helps you understand the landscape.
How to implement: Create a simple spreadsheet. List every computer, phone, tablet, and printer. Include purchase date, user, and operating system. Takes 2-3 hours.
3. Guest WiFi Network Separation
Why it's low priority: Separating guest traffic from your network prevents casual snooping, but sophisticated attackers bypass this easily.
When to do this: If your router supports it and setup takes under an hour. Otherwise, skip it until you need new hardware.
How to implement: Check if your router has guest network capability. Enable it, use a different password, restrict access to internal resources. Takes 30-60 minutes.
4. Screen Lock Enforcement
Why it's low priority: Prevents physical access breaches, which are uncommon for most nonprofits.
When to do this: Easy to enable via group policy or mobile device management if you already have those tools. Otherwise, not urgent.
How to implement: Set computers to lock after 10-15 minutes of inactivity. Configure via Windows Group Policy or Mac profile. Takes 1-2 hours to deploy.
5. Security Newsletter Subscription
Why it's low priority: Staying informed is good. Acting on information matters more.
When to do this: When you want to feel proactive but don't have time for real work.
How to implement: Subscribe to Krebs on Security, CISA alerts, NGO-ISAC or your email security vendor's newsletter. Skim weekly. Takes 15 minutes to set up, 10 minutes per week to read.
Quick Credibility Builders: Do These Between Big Projects
Easy wins that show progress without moving the needle much.
Good for when you have 30 minutes:
Security Reminders - Keep awareness visible
Device Inventory - Know what you have
Guest WiFi - Separate visitor traffic
Screen Locks - Prevent casual snooping
Security Newsletter - Stay informed on threats
Timeline: 15 minutes to 3 hours each
QUADRANT 4: SECURITY THEATER (Low Impact, High Effort)
Things that look impressive but waste your limited resources.
1. Penetration Testing (Before You've Done the Basics)
Why vendors push this: High-margin service that sounds critical. Makes them look sophisticated.
Why it doesn't make sense: A pentest will tell you that you need MFA, backups, and patching. You already know that. Spending $10,000-25,000 to confirm it wastes money you could spend fixing those issues.
What to do instead: Implement Quadrant 1 completely. Then consider a focused assessment of specific systems if you have budget left over.
When it makes sense: If you're subject to regulatory requirements (HIPAA, PCI-DSS) or handle extremely sensitive data and have already implemented strong baseline security. For most small nonprofits: never.
2. Complex Compliance Frameworks You Don't Need
Why vendors push this: ISO 27001, NIST CSF, and similar frameworks create ongoing consulting revenue.
Why it doesn't make sense: These frameworks are designed for large organizations with dedicated security teams. The overhead of documentation and auditing consumes resources better spent on actual security.
What to do instead: Follow the CIS Controls or Essential Eight Framework by the Australian Government. These are practical, prioritized, and don't require certification theater.
When it makes sense: If a major funder or partner requires specific compliance. Even then, look for the lightest-touch approach that meets requirements.
3. Enterprise-Grade Solutions for 10-Person Nonprofits
Why vendors push this: They have one product. They want to sell it to everyone regardless of fit.
Why it doesn't make sense: Enterprise tools assume dedicated IT staff, substantial budgets, and complex environments. You'll spend more time managing the tool than it saves you.
What to do instead: Look for SMB (small-medium business) versions of security tools. They're simpler, cheaper, and designed for organizations without IT departments.
When it makes sense: Rarely. If you're managing 100+ devices or have specific regulatory requirements, you might need enterprise features. Otherwise, mid-market solutions work fine.
4. Security Awareness Training That's Just Compliance Theater
Why vendors push this: Annual training modules create recurring revenue and check compliance boxes.
Why it doesn't make sense: Research shows one-and-done training has minimal impact. People forget 90% within a month. Yet these programs cost $20-50/user annually.
What to do instead: Monthly micro-training takes 10 minutes, costs nothing, and has better retention. Save the budget for technical controls.
When it makes sense: If cyber insurance or a specific contract requires documented training. Even then, look for the cheapest option that meets requirements. KnowBe4 and Microsoft have great ongoing training that you can set up.
5. Expensive Security Information and Event Management (SIEM) Systems
Why vendors push this: Every enterprise has one, so they pitch them to everyone.
Why it doesn't make sense: SIEMs collect and analyze logs from all your systems. They require a security analyst to interpret the data. If you don't have an analyst, the SIEM just generates alerts you can't act on.
What to do instead: Use built-in logging in your cloud platforms. For specific monitoring needs, use focused tools rather than enterprise SIEM platforms.
When it makes sense: If you have 200+ users, handle regulated data, and can afford a part-time security analyst. Otherwise, the complexity outweighs the benefit.
Skip the Security Theater: Don't Waste Resources Here
These look impressive but don't make sense for most nonprofits.
Save your money and skip:
Penetration Testing - Before you've done the basics
Complex Compliance - Frameworks you don't actually need
Enterprise Solutions - For 10-person organizations
Annual Training Theater - That nobody remembers
Expensive SIEM Systems - Without analysts to interpret them
Reality check: Most small nonprofits never need these
How to Use This Matrix
Step 1: Assess where you are now
Go through Quadrant 1. Check off what you've already done. Be honest. If something is "partially done," it's not done.
Step 2: Choose one thing to start
Not three things. Not five things. One. Pick the Quadrant 1 item that scares you most or that your leadership keeps asking about.
Step 3: Set a realistic timeline
Most Quadrant 1 items take 1-4 weeks to implement fully. Block time on your calendar. Treat it like any other project deadline.
Step 4: Communicate progress
Tell your ED what you're doing and why. Brief updates build support for future security investments. "We implemented MFA this month, which blocks 99% of automated attacks" gets attention.
Step 5: Don't get stuck in analysis paralysis
You will never have perfect information. You will never have unlimited time. Done is better than perfect. Implement something imperfect this week instead of researching the perfect solution for three months.