Cybersecurity Best Practices for Nonprofits | Aprio Insights
ARTICLE | January 19, 2026
Authored by Aprio, LLP
Summary: As a nonprofit auditor, I often encounter organizations that believe they are too small to be targeted by cyberattacks. Yet the Louvre was robbed in 2025 after disregarding a 2014 security audit that identified critical vulnerabilities, including a video surveillance server whose password was simply "LOUVRE." If such basic oversights can compromise a leading institution, nonprofits with limited resources that manage sensitive donor and client data face even greater risk. What cybersecurity best practices can nonprofit leaders take back to their organizations and boards?
As a nonprofit auditor, I have reviewed the financials and operations of many organizations, from small community groups to large advocacy organizations, and have encountered a range of risks. Few events highlight the importance of cybersecurity as clearly as the 2025 heist at the Louvre. In October of that year, thieves disguised as construction workers stole part of the French Crown Jewels collection, valued at approximately €88 million (over $100 million USD), in a daylight operation that lasted less than eight minutes.
What really grinds my gears as an auditor? A 2014 security audit revealed severe vulnerabilities in the museum's systems, including the use of "LOUVRE" as the password for the video surveillance server! While the heist itself was physical, the audit had warned that weak cyber defenses could let attackers override cameras, alarms, or access controls remotely. The Louvre's experience illustrates a risk many nonprofits share: complacency, combined with limited resources and a great deal of sensitive data.
If a world-class institution like the Louvre can be breached, similar risks exist for other organizations. In this article, I will share cybersecurity best practices that nonprofit leaders can implement.
Why Nonprofits Are Prime Targets (And Why It Matters More Than You Think)
Many nonprofits assume they are not targets for cyberattacks, but this is a risky misconception. In my audits of organizations in education, healthcare, and social services, I have found that attackers often seek out groups with valuable data and limited defenses. Donor lists, volunteer records, and financial information are prime targets for identity theft and ransomware.
As an auditor, I have encountered executives who dismiss these risks, believing their organizations are too small to be targeted. However, motivation, not size, drives cyberattacks. Attackers may hijack your systems to send phishing campaigns under your name, or single you out for politically motivated attacks related to your mission. For CFOs, the financial impact is significant: a breach costs a nonprofit in recovery, legal fees, notification obligations, and lost donations.
The Louvre’s experience highlights the consequences of systemic neglect, not just a single weak password. Protect your nonprofit by establishing strong foundational cybersecurity practices and building on them over time. Investing in cybersecurity protects resources that could otherwise support your programs.
Start With the Foundation: Strong Passwords and Multi-Factor Authentication
If the Louvre taught us anything, it's that a simple password like "password123" or your organization's own name is among the first things an attacker will guess. Employees often reuse passwords or share logins to save time, which is understandable given nonprofit workloads, but reused passwords let one breached website unlock your accounts, and shared logins make it impossible to tell from the audit trail who actually did what.
First, implement a strong password policy. Require passwords of at least 12 characters (longer passphrases are better), and screen new passwords against lists of common and previously breached passwords and against your organization's own name, as the Louvre example shows. Current NIST guidance (SP 800-63B) favors length and this kind of screening over forcing a mix of uppercase, lowercase, numbers, and symbols, which mostly produces predictable substitutions. Password managers such as Bitwarden or LastPass generate and securely store a unique password for every site, and single sign-on through an identity provider such as Okta reduces the number of passwords staff must manage at all; many of these vendors offer nonprofit discounts. I have recommended these solutions to clients, resulting in fewer forgotten passwords.
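The policy above is easy to automate at the point where staff choose a password. The following Python is an added example written for this article, not code from Aprio or from any password manager; it keeps the 12-character minimum stated above, replaces composition rules with the NIST-style screening described (common-password list, organization name, degenerate patterns), and shows how a password manager generates a passphrase from a CSPRNG. The COMMON_PASSWORDS set and WORDLIST are constructed for illustration and are far too small for real use.

```python
from __future__ import annotations

import math
import re
import secrets

# Constructed blocklist for illustration. In production, screen against a
# breached-password corpus (for example the Have I Been Pwned range API)
# rather than a hand-written set.
COMMON_PASSWORDS = {
    "password", "password123", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "changeme", "iloveyou",
}

# Constructed word list for the generator; a real diceware list has 7,776 words.
WORDLIST = (
    "museum", "ledger", "donor", "grant", "audit", "vault", "harbor", "pencil",
    "maple", "canvas", "orbit", "signal", "quartz", "meadow", "lantern", "copper",
)


def check_password(password: str, org_names: tuple = ()) -> list:
    """Return the policy violations for `password`; an empty list means it passes.

    The 12-character minimum is the article's rule. The remaining checks follow
    NIST SP 800-63B: reject known-bad and context-specific values (the
    organization's own name, as with "LOUVRE") instead of demanding
    character classes.
    """
    problems = []
    lowered = password.lower()
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    # Strip digits and symbols so "Password123!" is still caught as "password".
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    for name in org_names:
        if name.lower() in lowered:
            problems.append(f"contains organization name '{name}'")
    if len(set(lowered)) <= 3:
        problems.append("too few distinct characters")
    if re.search(r"(.)\1{3,}", lowered):
        problems.append("contains a run of four or more identical characters")
    return problems


def generate_passphrase(words: int = 4, wordlist: tuple = WORDLIST, sep: str = "-") -> str:
    """Build a random passphrase the way a password manager does: each word is
    drawn with the `secrets` module (a CSPRNG), never with `random`."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a list of
    `wordlist_size` words: words * log2(size)."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for candidate in ("LOUVRE", "Password123!", "correct-horse-battery-staple"):
        print(f"{candidate!r}: {check_password(candidate, ('Louvre',)) or 'OK'}")
    phrase = generate_passphrase()
    print("generated:", phrase, "->", check_password(phrase, ("Louvre",)) or "OK")
    print("4 diceware words: %.1f bits" % passphrase_entropy_bits(4, 7776))
```

Note that "Password123!" satisfies every classic composition rule (uppercase, lowercase, digit, symbol, 12 characters) and still fails, because stripping the decoration leaves a word on the blocklist; that is the point of screening over composition. Four words from a full diceware list give roughly 52 bits of entropy, which is why password managers default to passphrases of that length or longer.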
Along with strong passwords, enable multi-factor authentication (MFA) as a second layer of security. MFA requires an extra verification step beyond the password, such as a code from an authenticator app, a push prompt, or a hardware security key. A code sent by text message is better than nothing, but SMS is the weakest option because messages can be intercepted or redirected; an authenticator app or push prompt is a solid default, and a FIDO2 security key or passkey is the only form that cannot be phished through a fake login page. Google Workspace and Microsoft 365, commonly used by nonprofits, make MFA easy to enforce for every account rather than leaving it optional. A compromised email account can be used to send fraudulent messages to your donor list or to reset the passwords of your other systems; MFA stops the large majority of password-only account takeovers.
Roll out MFA across your organization, prioritizing executives, finance staff, and anyone with administrator rights. For CFOs, integrate these security measures with your financial controls. Limit administrative access to accounting software such as QuickBooks or Sage, similar to how you segregate check-signing duties. Additionally, conduct regular, preferably quarterly, access reviews to ensure users have only the access they require and that accounts for departed staff and volunteers have been disabled.
Train Your Team: Human Error Is the Weakest Link
Technology is essential, but most breaches begin with a human mistake. Many attacks start when someone clicks a link or opens an attachment in a phishing email, or acts on an urgent-sounding request that appears to come from the executive director. Nonprofits are at particular risk because the names and email addresses of staff, volunteers, and board members are usually public, which makes convincing phishing easy to craft.
Therefore, ongoing training is essential. Cost-effective resources like the CISA toolkit or KnowBe4’s nonprofit-priced simulations can help. These tools send simulated phishing emails to test your team and provide targeted education based on their responses.
Ask your team to report suspicious emails without fear of blame, and praise people who take action. Leaders should remind everyone that keeping data secure protects the organization’s mission and the privacy of donors and those you serve.
If the budget is limited, start with free resources like webinars and instructional videos, and include remote and hybrid workers in the training. For staff working from home, a VPN protects traffic in transit, but the device matters more: require automatic updates, disk encryption, and MFA on every laptop that handles organizational data, whether or not it is on the office network.
Secure Your Data: Backups, Encryption, and Access Controls
Nonprofits manage sensitive data, including donor payment details and grant proposals, which is why data security is essential. The Louvre's reported use of outdated systems such as Windows 2000, which stopped receiving security updates in 2010, highlights the risk of neglecting updates: an unpatched, end-of-life system is an open door that no password policy can close.
Here are a few things to consider. Use the "3-2-1 rule": keep three copies of your data, on two different types of media, with one copy stored offsite. Cloud services like Google Drive or Dropbox for Business can automate part of this and scale with your team, but a sync folder alone is not a backup: if ransomware encrypts the files on a laptop, the encrypted versions sync to the cloud too. Turn on file versioning, keep at least one copy that is offline or otherwise cannot be altered by an account that has been compromised, and test a restore at least once a year. CFOs could save thousands by recovering from a tested backup instead of paying a ransom.
Encryption adds protection by making data unreadable without a key, so a lost or stolen laptop does not become a data breach. I recommend enabling full-disk encryption on every laptop and encrypting emails that carry sensitive information. Microsoft's BitLocker and macOS FileVault are built into current versions of Windows and macOS; make sure recovery keys are escrowed in your device-management or identity platform rather than kept on a sticky note.
Auditors regularly review access controls, and the findings are often tied to password management issues such as shared logins. Nonprofits should use role-based access: volunteers get email only, business office staff and the CFO can reach financial applications, and nobody holds administrator rights they do not use day to day. Audit logs in your applications record who did what and when, which helps spot anomalies such as a volunteer exporting vendor records or a payment approved in the middle of the night. In my work, inspecting audit logs is regarded as a great detective control for spotting where access needs to be updated.
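The quarterly access review recommended earlier and the audit-log inspection described here can be run as one script against exports from your identity provider and accounting system. The following Python is an added example written for this article, not Aprio's own tooling or any vendor's API; the role matrix, user export, and audit log lines are all constructed, and the CSV-style log format and UTC business hours are assumptions you would replace with your application's real export format and office hours.

```python
from __future__ import annotations

from datetime import datetime, timedelta

# Constructed role matrix: the applications each role is entitled to.
ROLE_APPS = {
    "volunteer": {"email"},
    "program_staff": {"email", "crm"},
    "business_office": {"email", "crm", "quickbooks"},
    "cfo": {"email", "crm", "quickbooks", "banking"},
}

# Constructed user export, as you might pull from an identity provider.
USERS = [
    {"user": "alice", "role": "cfo", "apps": {"email", "crm", "quickbooks", "banking"}, "last_login": "2026-01-15"},
    {"user": "bob", "role": "volunteer", "apps": {"email", "quickbooks"}, "last_login": "2026-01-12"},
    {"user": "carol", "role": "business_office", "apps": {"email", "quickbooks"}, "last_login": "2025-08-30"},
    {"user": "dan", "role": "program_staff", "apps": {"email", "crm"}, "last_login": "2026-01-14"},
]

# Constructed application audit log: timestamp (UTC), user, application, action.
AUDIT_LOG = """\
2026-01-14T10:02:11Z,alice,quickbooks,approve_payment
2026-01-14T10:40:03Z,bob,quickbooks,export_vendor_list
2026-01-15T02:17:45Z,alice,quickbooks,add_vendor
2026-01-15T09:05:00Z,dan,crm,update_contact
2026-01-15T09:06:30Z,mallory,quickbooks,approve_payment
"""

FINANCE_APPS = {"quickbooks", "banking"}


def find_excess_access(users, role_apps=ROLE_APPS):
    """Least-privilege check: users holding applications their role does not allow."""
    findings = []
    for u in users:
        extra = u["apps"] - role_apps.get(u["role"], set())
        if extra:
            findings.append((u["user"], sorted(extra)))
    return findings


def find_dormant(users, as_of: str, max_idle_days: int = 90):
    """Accounts with no sign-in for more than max_idle_days as of the given date."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=max_idle_days)
    return [u["user"] for u in users
            if datetime.strptime(u["last_login"], "%Y-%m-%d") < cutoff]


def flag_log_anomalies(log_text, users, role_apps=ROLE_APPS, business_hours=(8, 18)):
    """Detective control over the audit log. Flags events from unknown accounts,
    use of an application outside the user's role, and finance-system activity
    outside business hours (hours are UTC here; adjust to your office timezone)."""
    by_name = {u["user"]: u for u in users}
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, app, _action = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        u = by_name.get(user)
        if u is None:
            alerts.append((line, "unknown account"))
            continue
        if app not in role_apps.get(u["role"], set()):
            alerts.append((line, f"role '{u['role']}' is not entitled to {app}"))
        if app in FINANCE_APPS and not (business_hours[0] <= when.hour < business_hours[1]):
            alerts.append((line, "finance activity outside business hours"))
    return alerts


def quarterly_access_review(users=USERS, log_text=AUDIT_LOG, as_of="2026-01-19"):
    """Bundle the three checks into one report for the quarterly review."""
    return {
        "excess_access": find_excess_access(users),
        "dormant": find_dormant(users, as_of),
        "log_alerts": flag_log_anomalies(log_text, users),
    }


if __name__ == "__main__":
    report = quarterly_access_review()
    for section, items in report.items():
        print(f"== {section} ==")
        for item in items:
            print("  ", item)
```

On the constructed data the report flags bob, a volunteer who has been granted QuickBooks (an access-review finding), carol, who has not signed in for over 90 days (a candidate for disabling), and three log events: the volunteer's vendor export, the CFO's 2 a.m. vendor addition, and activity from an account that does not appear in the user export at all. Each of those is a question for a human to answer, not proof of wrongdoing, which is exactly what a detective control is for.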
Many nonprofits now rely on cloud-based tools. Turn on automatic updates wherever the vendor allows it, keep an inventory of the software and services you use, and subscribe to each vendor's security notices so you hear about vulnerabilities that require action on your side.
Vendor Management: Don’t Let Third Parties Be Your Downfall
Nonprofits frequently outsource to payment processors such as Stripe or CRM systems like Salesforce. However, security issues with third parties can also create risks for your organization.
It's important to analyze vendor contracts carefully. Ask for evidence of security controls; a SOC 2 Type II report is the standard for service organizations, and reading it closely reveals much: note any exceptions the auditor found, and pay attention to the "complementary user entity controls," which are the things the vendor expects you to do on your side, such as enforcing MFA for your own users. Include breach notification timelines and data ownership clauses in your agreements whenever possible.
Best practice: Conduct annual vendor risk assessments. Rate each vendor on security posture and have a fallback if one fails. Always keep controls of your own in place to complement the work of third parties. Engage your board in this process to provide oversight and ensure cybersecurity remains a governance priority.
Prepare for the Worst: Incident Response Plans
Even with best practices, breaches may still occur. The Louvre received warnings but did not have an action plan for unexpected incidents. Your nonprofit should develop a written incident response plan by answering questions such as: Who do we contact (IT, legal, insurer, PR, and law enforcement if needed)? How do we contain the damage, for example by disabling compromised accounts and isolating affected machines? What evidence must we preserve before we start rebuilding? Whom are we legally required to notify, and within what timeframe? What are the first steps toward recovery, and where are the backups? Walk through the plan as a tabletop exercise with leadership once a year, so that the first time you read it is not during a breach.
Also, consider the importance of cyber insurance. As the saying goes, "you won't know you needed it until you need it." Be aware that insurers increasingly require MFA, tested backups, and other basics described here as a condition of coverage, so these practices protect your policy as well as your data.
Final Thoughts: Why The Louvre Incident is a Cybersecurity Lesson Learned
The Louvre didn't just lose jewels in the heist; the incident shook the confidence many had in a historic institution. Nonprofits are trusted with lives, causes, and communities. Don't let weak cybersecurity undermine that.
I spend most of my time with nonprofit practitioners, so I know change feels overwhelming. Remember, you can start small: replace weak and reused passwords, enable MFA as soon as possible, and make training a regular occurrence. Resources abound; NTEN, TechSoup, and CISA are great places to start. As executive directors and CFOs, you're stewards of more than finances; you're guardians of impact.
If you’re reading this and thinking about your own setup, reach out to an auditor like me or a cybersecurity consultant. Better safe than sorry—your mission depends on it.
This article was written by Aprio and originally appeared on 2026-01-19. Reprinted with permission from Aprio LLP.
© 2026 Aprio LLP. All rights reserved. https://www.aprio.com/insights-events/what-are-the-cybersecurity-lessons-from-the-louvre-incident-ins-article-np/
“Aprio” is the brand name under which Aprio, LLP, and Aprio Advisory Group, LLC (and its subsidiaries), provide professional services. LLP and Advisory (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. LLP is a licensed independent CPA firm that provides attest services, and Advisory and its subsidiaries provide tax and business consulting services. Advisory and its subsidiaries are not licensed CPA firms.
This publication does not, and is not intended to, provide audit, tax, accounting, financial, investment, or legal advice. Readers should consult a qualified professional advisor before taking any action based on the information herein.