
Your Complete Guide to Nonprofit Digital Security

Written by Gabrielė Bernotaitė | December 18, 2025

You're doing incredible work for animals, but you also need to protect that work. Whether you're handling sensitive undercover footage or coordinating campaigns, a security breach could disrupt your operations, compromise your strategy, or damage your organization's reputation.

Over the years, many organizations have come to us facing security problems that could have been prevented. In almost every case, we've found at least one critical issue that could have put the organization, its data, or its people at risk. Recently, our Executive Director James Morgan led a cybersecurity workshop for ProVeg's Kickstarting For Good 2025 cohort to address exactly these vulnerabilities.

We've distilled the workshop into 8 essential practices you can start with today – practices that are easy to implement, yet extremely effective. Let's get into it.

[Image: small mouse representing digital security threats]
Digital security vulnerabilities can expose nonprofit organizations to various cyber threats

8 Cybersecurity Essentials for Nonprofits

These eight practices form the foundation of your organization's digital security. Implement these first, and you'll be better protected than most.

1. Set Up a Password Manager

Stop reusing passwords across multiple accounts. A password manager generates and stores a unique, complex password for every account, so each account is protected by a secure password without you having to remember it. You only need to remember one master password; everything else is stored in the vault.

If you currently have passwords stored in a Google Doc, spreadsheet, or notes app, move them to a vault and delete them from other apps immediately. These are not secure storage methods, and they're one of the most common vulnerabilities we find in consultations.

Bonus feature: Password managers won't autofill your credentials on fake phishing sites. If your password manager doesn't recognize a login page, that's often your first warning that something's wrong.

Recommended options:

  • Bitwarden (free tier available, open-source and trustworthy)

  • 1Password (nonprofit discounts available)

2. Enable Two-Factor Authentication (2FA) Everywhere

2FA adds a crucial second layer of security that blocks 99% of automated attacks. Even if someone steals your password, they still can't access your accounts without the second factor. Yet in our security audits, missing 2FA remains one of the most common vulnerabilities we find.

Enable 2FA on all critical accounts: email, social media, banking, cloud storage, and your website admin panel.

Critical rule: Never share your 2FA codes with anyone under any circumstances, even if they claim to be a support agent for that service (for example, someone claiming to be from Google support asking for your Google 2FA code). Legitimate companies will never ask for these codes.

Recommended options:

Do not use SMS for 2FA since it is less secure.

[Image: caterpillar with defensive hairs]
Enabling 2FA adds another layer of protection – much like this caterpillar's irritating (or perhaps even toxic) hairs

3. Protect Your Email

Your email is often the gateway to all your other accounts, making it a prime target. Here’s how you can protect it:

Secure the account and monitor activity:

  • Use strong, unique passwords with 2FA enabled

  • Regularly review connected apps and revoke access for unused services

  • Consider encrypting sensitive emails (e.g. using FlowCrypt with Gmail)

  • For extra privacy, use ProtonMail or Tuta

Train your team to spot phishing.

Since over 90% of data breaches start with phishing, learning to recognize these attempts is critical in protecting your organization. Watch out for:

  • Suspicious sender addresses (watch for subtle misspellings)

  • Urgent requests for credentials or financial information

  • Links that don't match their supposed destinations (hover over the link to see the actual address the link goes to – it should show up at the bottom of your screen)

  • Requests to verify accounts or update payment information

Common scam targeting new hires: Attackers know new team members are eager to impress and less likely to question authority. A common scam involves someone posing as a director and emailing a new staff member saying, "I'm in a meeting, can you quickly grab some gift cards for donors?" It sounds silly, but it works because it feels urgent and helpful.

During onboarding, tell every new person clearly: "You will never be asked by your manager to buy gift cards, transfer money, or share passwords over email, ever."

When in doubt, verify requests through a separate communication channel.
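The indicators above can be checked mechanically before a message reaches a busy inbox. The following is an added example (not code from the original post or from Vegan Hacktivists) that flags lookalike sender domains, link text that does not match its real destination, and urgent credential or payment wording on a constructed sample email modelled on the gift-card scam; `ORG_DOMAIN` and the sample message are assumptions.

```python
import re
from urllib.parse import urlparse

ORG_DOMAIN = "example.org"  # assumption: the organization's real email domain
URGENT_WORDS = ("urgent", "verify your account", "update payment", "gift card")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 edits away from ORG_DOMAIN means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(sender: str, subject: str, html_body: str) -> list[str]:
    """Return one warning per checklist indicator the email trips."""
    warnings = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        warnings.append(f"sender domain {domain!r} is a lookalike of {ORG_DOMAIN!r}")
    for href, text in ANCHOR_RE.findall(html_body):
        real_host = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(text.lower())  # the site the visible text claims
        if shown and shown.group(0) != real_host:
            warnings.append(f"link text {text.strip()!r} actually goes to {real_host!r}")
    hits = [w for w in URGENT_WORDS if w in (subject + " " + html_body).lower()]
    if hits:
        warnings.append("urgent credential/payment wording: " + ", ".join(hits))
    return warnings


# Constructed sample modelled on the gift-card scam described above (not a real email).
SAMPLE = {
    "sender": "director@examp1e.org",
    "subject": "Urgent: can you quickly grab some gift cards for donors?",
    "html_body": 'I am in a meeting. Please <a href="http://login.examp1e.org/verify">'
                 "https://drive.google.com/share</a> to verify your account.",
}


def check_sample() -> list[str]:
    """Run the checks on the constructed sample; expect three warnings."""
    return phishing_indicators(**SAMPLE)
```

A clean internal message from the real domain with no links and routine wording produces no warnings, so the checks can run on every inbound mail without flagging normal traffic.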

Check if your email has been compromised: Visit Have I Been Pwned and enter your email address to see if it's appeared in any known data breaches. If it has, change your password immediately.

[Image: disguised threats in email security]
Some phishing attacks are more disguised than others. Watch out for misspelled names or odd destinations – hover over the link before you click! (Psst... did anyone notice this is a shark and not a leopard?)

4. Audit Your Browser Extensions

Browser plugins (or extensions) are those little add-ons that block ads, save passwords, or help you take screenshots. They seem harmless, but every plugin you install can see what you see in your browser: your emails, your passwords, even your payment details.

Sometimes good plugins get sold to shady companies or updated later with hidden tracking or malware. This is why auditing your extensions regularly is essential.

How to stay safe:

  • Review your extensions every year (or more often)

  • Open your extensions list in your browser settings

  • Delete anything you don't use or don't fully trust

  • Keep only the essentials from well-known developers with recent updates

The rule of thumb: fewer plugins = fewer risks. Aim to have no more than four plugins. This one small habit can reduce your chance of a breach significantly.

5. Enable Automatic Updates

Scammers actively exploit known security flaws in outdated software. Updates patch these vulnerabilities before they can be used against you. This is one of the simplest yet most effective security measures.

Update automatically:

  • Operating systems (Windows, macOS, Linux)

  • Applications and browsers

  • Mobile apps

  • Website platforms and plugins

For your website specifically:

  • WordPress sites need regular core, theme, and plugin updates

  • Platforms like Squarespace handle all updates automatically (this is one reason we choose Squarespace when building websites for other organizations)

  • Monitor for suspicious login attempts or unauthorized changes

[Image: nonprofit website security monitoring]
Regularly monitor your nonprofit website for suspicious login attempts and security threats. Jo-Anne McArthur / We Animals

6. Be Mindful with Sharing & Storing Files

Setting proper sharing permissions goes a long way toward keeping your files safe.

When setting sharing permissions, follow these principles:

  • Grant minimum necessary access

  • Use view-only permissions when editing isn't needed

  • Remove access immediately when team members leave

Important: contractor and external partner access

Make sure your organization, not the contractor, owns your key accounts: your website domain, your hosting, your fundraising tools, your email system. Contractors should have delegated access, never ownership. When a contract ends, make removing their access part of the offboarding routine.

If you’re concerned about privacy: Google Drive is fine for general use, but just know that it’s not private from Google itself – so keep sensitive information elsewhere.

Recommended options:

[Image: secure data storage for nonprofits]
Implement secure file storage practices to protect your nonprofit's sensitive data and donor information

7. Establish Onboarding/Offboarding Processes

Create a security checklist for new hires and departing employees – the risk of security breaches increases during staff transitions. This can also apply to volunteers.

Onboarding new team members:

  • Provide organization password manager access

  • Set up work email with 2FA

  • Grant minimum necessary system access (not the entire Google Drive or CRM)

  • Review security policies and provide training

  • Train new hires about common phishing scams

  • Document all accounts and access granted

  • Keep a simple checklist of what accounts to add and who's responsible

Offboarding team members:

  • Disable all system access immediately (same day they leave)

  • Remove from shared password manager

  • Change any shared passwords they knew

  • Revoke access to cloud storage and collaboration tools

  • Update social media account access (if applicable)

  • Collect any organizational devices

We can't tell you how many organizations still have former volunteers with full admin rights years later. A simple five-minute checklist can save you enormous risk.

8. Encrypt and Protect Devices + Safe Payments

If your laptop or phone is stolen, encryption keeps your data safe. While it might sound intimidating, it’s usually just a click or two away!

Encrypt all devices that contain organizational data:

  • Mac: FileVault is built in, just turn it on

  • Windows: Use BitLocker (Windows Pro)

  • Mobile devices: Usually enabled by default with screen locks

Follow basic device protection:

  • Use strong screen locks, not just swipe patterns

  • Add a lock screen PIN on every device (simple but powerful if a device is lost or stolen)

  • Don't store passwords in easily accessible locations

  • Use privacy screens when working in public

  • Don't leave devices unattended

Pay safely:

  • Use credit cards or virtual cards instead of debit cards when buying tools or tech online

  • Credit cards offer stronger fraud protection, and virtual cards can be cancelled instantly if something looks suspicious

  • These principles of paying safely are especially relevant when traveling abroad

[Image: protecting laptops and phones from theft]
Never leave organizational devices unattended in public spaces to prevent data breaches

Understanding Free Tools: When Free is Good and When It's Dangerous

You've probably heard the saying "If the product is free, you are the product." This is often true with social media or free VPNs, where your data, location, or behavior is what's being sold.

Never use free VPNs. They need to make money somehow, and if you're not paying, it's often through tracking, data harvesting, or ads. There have been cases of free VPNs recording users' screens on mobile devices and collecting bank login details.

However, there's another category: mission-driven or open-source tools like Signal, Bitwarden, Authy, and FlowCrypt. These aren't free because they sell you out. They're free because they're built by nonprofits or funded by donations, transparency, or paid business tiers.

Instead of thinking "free = bad," think "free = check who's paying for it." If the answer is open-source, grants, or premium versions, you're probably fine.

Advanced Cybersecurity for High-Risk Advocacy Organizations

  • When handling sensitive communication – use Signal (a secure messaging platform with end-to-end encryption); avoid WhatsApp, Twitter, and SMS

  • When using public networks – use a reputable VPN (we recommend Mullvad or NordVPN). These are paid, privacy-respecting providers. You're often better off with no VPN at all than a free one.

  • When traveling – consider using a separate travel device with minimal organizational data, log out of sensitive accounts, turn off fingerprint unlock

  • When purchasing tech – choose trusted, well-supported companies or retailers, avoid outdated tech and anything that no longer gets security updates

  • When protecting yourself against potential incidents:

    • Appoint one person to be in charge of security

    • Write down what to do in a data breach:

      • Change passwords

      • Remove suspicious access

      • Notify affected people

      • Get expert help if needed

  • Review and practice your 1-page cyber action plan yearly

  • Consider free training resources like the UK Government's cyber training

  • Empower your team to speak up immediately if they suspect they've been compromised or clicked something suspicious – many people stay silent out of embarrassment, which only makes things worse.

    • Make it clear they can reach out to leadership or directly to us for confidential support.

[Image: encrypted communication for nonprofits]
Use encrypted messaging platforms like Signal for confidential nonprofit communications

Feeling overwhelmed? Start with these 5 quick wins

  • Install Bitwarden on your phone and laptop browser

  • Turn on 2FA for your most important accounts (email, banking, file storage)

  • Delete any Google Docs or spreadsheets storing passwords

  • Add a lock screen PIN on every device

  • Audit your browser extensions and remove anything unused

Five steps, 30 minutes of work, and you've just addressed most of the major risks nonprofits face online.

[Image: incremental security improvements]
Start small to avoid overwhelm. Molly Condit / LEAP / We Animals

Reach out to us for support

If you’re looking for additional help with strengthening your organization’s security, we’re your best allies. We've spent years helping animal advocacy nonprofits build stronger, more secure digital foundations, while also supporting organizations in the face of crisis.

We offer free, confidential security consultations where our team can help you:

  • Discuss and review your organization's digital security

  • Prioritize the most important improvements

  • Help implement security tools and policies

  • Train your team on security best practices

  • Develop incident response plans tailored to your work

Ready to strengthen your digital security?

Reach out to us for a confidential consultation

[Image: free nonprofit cybersecurity consultation and support]
If you’re feeling unsure and would like guidance on digital security, we’re here to help – all at no cost. Gabriela Penela / We Animals

About the Author
Gabrielė Bernotaitė

Gabrielė is the voice behind the content at Vegan Hacktivists and Violet Studios. In addition to creating content for the two sister organizations, she helps other animal advocates craft impactful messaging to drive change for animals around the world. In her spare time, Gabrielė is either learning to DJ, hitting the gym, or perfecting her matcha latte technique.