Nonprofit cybersecurity readiness checklist.

Use this to find the next practical security fixes.

Mark each item as done, not sure, or needs work. For funders, boards, insurers, and partners, the most useful answer is usually evidence that the control exists or a clear plan to fix the gap.

Identity and access

• MFA is enabled for staff email, file storage, finance, donor, HR, cloud, and admin accounts.
• Admin accounts are named, limited, reviewed, and not shared between staff members.
• Offboarding removes access from email, files, password manager, vendors, shared inboxes, and devices.
• Staff use a password manager and do not reuse passwords across sensitive systems.

Data, backups, and recovery

• Sensitive donor, beneficiary, legal, staff, and operational data is mapped to systems, vendors, and owners.
• Retention expectations are known for donor records, client files, program data, source material, and financial records.
• Critical data has backups with retention, access control, monitoring, and recovery expectations.
• At least one important restore has been tested and documented in the last 12 months.

Incident readiness

• A primary responder and decision maker are named for account compromise, data exposure, ransomware, and lost-device scenarios.
• External IT, security, legal, insurance, hosting, and platform support contacts are recorded with after-hours paths where available.
• Draft internal, funder, customer, and affected-person communication templates exist for common incidents.
• The team has walked through at least one likely incident scenario and recorded follow-up fixes.

Remediation worksheet