Nonprofit Security

Security for Nonprofits

Donor trust is your most valuable asset. A data breach destroys it.

Sherlock Forensics provides affordable cybersecurity audits for nonprofits and charities covering donor data protection, phishing defence, grant compliance, volunteer management system security and website security. Quick security audits for nonprofits start at $1,500 CAD. Phishing awareness campaigns start at $250 CAD per campaign or $3/user/month for unlimited campaigns.

Nonprofits collect sensitive data from donors, volunteers, beneficiaries and grant organizations. Limited budgets often mean that security is deprioritized, but attackers do not give discounts to charities. Phishing attacks target nonprofit staff to steal email credentials and redirect donations. Donor databases with payment card information are valuable targets. Grant fund diversion through business email compromise can threaten your organization's financial viability. We provide security assessments sized and priced for nonprofit budgets.

Threat Landscape

Why Nonprofits Are Vulnerable

01 - Donors

Donor Data Breaches

Donor databases contain names, addresses, email addresses, phone numbers, payment card details, donation amounts, employer information and giving histories. A breach of this data triggers mandatory notification under PIPEDA, generates negative media coverage and causes donor attrition that can take years to recover from. We assess your donor management platform security, access controls, encryption practices and data retention policies to identify exposure risks before an attacker does.

02 - Phishing

Phishing Targeting Staff

Nonprofit staff are prime phishing targets because they frequently communicate with external parties including donors, grant organizations, government agencies and partner organizations. Attackers craft phishing emails that impersonate donors, board members or grant administrators. Compromised staff email accounts are used to redirect donations, steal contact lists, impersonate the organization or access financial systems. We test your staff's phishing resistance and provide targeted awareness training.

03 - Grants

Grant Fund Diversion

Business email compromise targeting nonprofits can redirect grant payments, vendor payments or program funds to attacker-controlled accounts. An attacker who compromises the email account of a finance director or executive director can issue fraudulent payment instructions that bypass normal approval processes. We assess your financial controls, email security and payment authorization procedures to prevent fund diversion.

04 - Volunteers

Volunteer PII Exposure

Volunteer management systems store personal information including names, addresses, phone numbers, email addresses, emergency contacts and in some cases background check results and social insurance numbers for tax receipt purposes. Many nonprofits use spreadsheets, shared drives or free-tier software with minimal access controls to manage this data. We assess your volunteer data handling practices and recommend practical improvements that fit nonprofit technology budgets.

Our Approach

How We Help Nonprofits

Donor Platform Security

We assess the security of your donor management platform whether it is Salesforce, Bloomerang, Little Green Light, Kindful or a custom solution. We test access controls, API security, payment processing integration, data export controls and administrator account security. Our assessment identifies the paths an attacker would use to access or exfiltrate donor data.

Email and Phishing Defence

We assess your email security configuration, run simulated phishing campaigns that mimic nonprofit-specific attack scenarios and provide staff awareness training. Phishing campaigns start at $250 CAD per campaign. Unlimited campaigns are available at $3/user/month. We track click rates over time so you can measure improvement and demonstrate security awareness to grant funders.

Website Security

Your website is your public face and your donation collection point. We assess your website for vulnerabilities including cross-site scripting, SQL injection, payment form security, plugin vulnerabilities, SSL configuration and content management system security. A compromised donation page can capture donor payment data or redirect donations to an attacker.

Compliance Assessment

We assess your organization's compliance posture against PIPEDA, BC PIPA and grant-specific security requirements. Many funders now require evidence of data protection practices as a condition of funding. Our assessment provides a clear compliance status report that you can include in grant applications and board reporting.

Compliance

Privacy Obligations for Nonprofits

Regulation - Relevance to Nonprofits
PIPEDA - Applies to nonprofits engaged in commercial activities, including payment processing for donations and merchandise sales
BC PIPA - Applies to BC organizations collecting personal information, regardless of commercial activity
CRA Requirements - Registered charities must maintain adequate books and records, including donor information
Grant Funder Requirements - An increasing number of funders require evidence of data protection and cybersecurity practices

From the Field

Nonprofit Security in Practice

A BC-based nonprofit with approximately 15,000 donors engaged us for a quick security audit after their board raised concerns about data protection. Our assessment revealed three critical issues: their donor database was accessible with a single shared password used by eight staff members; their website donation form was transmitting card data through an outdated plugin with known vulnerabilities; and their volunteer spreadsheets containing social insurance numbers were stored on an unencrypted shared Google Drive with no access logging. We provided a prioritized remediation plan that addressed the most critical issues first. The organization implemented individual logins with MFA, migrated to a current payment plugin, moved sensitive volunteer data to an encrypted platform with access controls and established a data retention policy. Total remediation cost was under $3,000 in addition to the audit fee.

Pricing

Nonprofit Security Engagements

Quick Security Audit - $1,500 CAD
Focused security review covering donor database security, email security, website vulnerabilities, volunteer data protection and basic compliance assessment. Delivered in 3-5 business days with prioritized recommendations and estimated remediation costs. Designed for nonprofit budgets.
Phishing Campaign - $250 CAD
Simulated phishing campaign using nonprofit-specific attack scenarios. Measures click rates and provides immediate training for staff who click. Track improvement over time. Unlimited campaigns available at $3/user/month.
Standard Penetration Test - $5,000 CAD
Full penetration test for larger nonprofits with complex technology environments. Covers donor management platforms, website infrastructure, email security, cloud systems, internal network and compliance gap analysis.

Frequently Asked Questions

Nonprofit Security FAQs

Can a nonprofit afford a security audit?
Yes. Our quick security audit starts at $1,500 CAD, which is accessible for most nonprofit operating budgets. Many organizations include security assessment costs in technology or operational budget lines. Some grant funders will fund security assessments as part of capacity-building grants. The cost of a security audit is a fraction of the cost of a donor data breach, which includes notification expenses, legal costs, reputational damage and donor attrition.
What data do nonprofits need to protect?
Donor names, addresses, email addresses, phone numbers, payment card details, donation histories and employer matching information. Volunteer personal information including emergency contacts and potentially social insurance numbers. Client or beneficiary data, which may include vulnerable populations. Grant documentation with organizational financial details. Staff employment records. All of this data is subject to privacy legislation and valuable to attackers.
Do nonprofits need to comply with PIPEDA?
PIPEDA applies to nonprofits engaged in commercial activities, which includes processing credit card donations, selling merchandise and operating fee-for-service programs. Even where PIPEDA does not directly apply, BC PIPA imposes privacy obligations on organizations collecting personal information. A breach of donor payment data would likely trigger mandatory notification under PIPEDA regardless of the organization's charitable status.

Get Started

Protect your donors, your volunteers and your mission.

Quick audits from $1,500 CAD. Phishing campaigns from $250 CAD. Sized for nonprofit budgets.

Secure Your Nonprofit

We understand nonprofit budgets and priorities. Let us assess your security posture and provide practical recommendations that fit your resources.

Phone: 604.229.1994
Burnaby Office: Burnaby, BC, Canada
Coquitlam Office: Coquitlam, BC, Canada