Nonprofit Cybersecurity Incident Response: A Practical Guide
How small organizations with limited IT resources can prepare for, detect, and respond to a cyber incident.
Nonprofits Are Targeted — and Under-Prepared
Nonprofits hold valuable data: donor payment information, client records, employee files, and in many cases health or legal information. Attackers don't discriminate by budget. Phishing campaigns, ransomware deployments, and credential theft hit small organizations at the same rate as large ones — often more successfully, because defenses are lighter.
The gap is not awareness. Most nonprofit leaders understand the risk. The gap is a lack of affordable, practical tools to address it. Enterprise cybersecurity solutions are designed for organizations with dedicated IT departments and five-figure consulting budgets. Most nonprofits have neither.
What Cyber Incidents Look Like at a Nonprofit
Phishing and business email compromise
A staff member receives a convincing email appearing to come from a known contact — a board member, funder, or vendor. They click a link, enter credentials, or authorize a wire transfer. This is the most common entry point for nonprofit breaches.
Ransomware
Malicious software encrypts your files and demands payment to restore access. Nonprofits are targeted specifically because they often lack backups and can't sustain operational downtime.
Credential theft
Attackers obtain staff usernames and passwords — often through phishing or data breaches at third-party services — and use them to access email, donor databases, or cloud storage.
Vendor and third-party incidents
A platform your organization uses (CRM, payment processor, cloud storage) experiences a breach that exposes your data.
Brand and domain impersonation
Someone creates a fake version of your website or email domain to solicit donations or conduct fraud under your name.
How a Documented Response Works — Step by Step
1. Detection
Someone notices something is wrong — an unexpected login alert, a staff member reports a suspicious email, a vendor notifies you of a breach. Without a documented plan, this moment is chaotic. With one, there's a defined reporting path.
2. Containment
The immediate goal is to stop the spread. Isolate affected systems. Revoke compromised credentials. Suspend suspicious accounts. Your plan specifies who has the authority and technical access to do this.
3. Eradication
Once contained, the threat is removed. Malware is cleaned. Phishing infrastructure is reported and blocked. Vulnerabilities are patched.
4. Recovery
Systems and access are restored safely. Operations resume. Donor-facing systems come back online only after verification.
5. Notification
State breach notification laws require timely notification to affected individuals and regulators. Your plan documents the timelines and contact information before you need them under pressure.
6. Post-incident review
What happened? What worked? What needs to change? The review cycle closes the loop and strengthens your next response.
IRPForge generates a planning document based on CIS Controls v8 and the NIST Cybersecurity Framework. It does not monitor your systems or provide active incident response services.
How IRPForge Addresses Each Phase
The IRPForge intake form collects your organization's structure, data types, team contacts, IT setup, and state. The system maps your inputs to the appropriate framework sections and assembles three documents:
Master IRP
Full incident response plan covering all six lifecycle phases, customized to your organization's size, data types, and jurisdiction.
Incident Report Form
A structured form for recording what happened during a live incident — timestamps, actions taken, systems affected, personnel involved.
Emergency Contact One-Pager
Every critical contact and escalation path on a single page. Designed to be printed and used when digital systems are unavailable.
IRPForge is built on CIS Controls v8 and the NIST Cybersecurity Framework, which are publicly available standards. IRPForge is not certified or endorsed by NIST or CIS.