Nonprofits thrive on trust. Whether you’re helping families in crisis, advocating for justice, or running community programs, your mission depends on people believing you can protect their information and their dignity.
That trust doesn’t just come from your work in the community. It also depends on how safely you handle the data behind that work: the names, stories, and records that make your programs possible.
Every nonprofit keeps sensitive information. It might be client case files, donor lists, or volunteer records. And while this data helps you operate, it also makes you a target. Many nonprofits have limited staff, outdated systems, and tight budgets, which can make security a challenge. Unfortunately, bad actors know that too.
The New Landscape of Risk
In the last three years, more than two-thirds of nonprofits have experienced a data breach. Each one affected an average of 19,000 people. Email-based attacks are also climbing fast — up 35 percent over the past year.
The trend is clear: nonprofits are in the crosshairs. And the more personal the work, the more sensitive the data.
The stakes are especially high for organizations serving people whose privacy is essential to their safety and dignity, including refugees, survivors of violence, LGBTQ+ people, neurodivergent individuals, and others who may face heightened risks or discrimination.
The Red Cross Breach (2022)
In 2022, hackers broke into servers belonging to the International Committee of the Red Cross. They stole the personal information of more than half a million people, including detainees and families separated by war or disaster.
The impact was immediate. The Red Cross had to shut down the Restoring Family Links program, which helps reunite people separated by conflict. Staff couldn’t access critical systems or contact families safely. For weeks, operations were frozen while the organization tried to confirm what had been stolen and how it happened.
The victims of the breach weren’t donors or staff. They were people who had already lost nearly everything, and now their trust in a global humanitarian organization was shaken.
The USAID and DOGE Data Infiltration (2025)
In early 2025, members of the Department of Government Efficiency (DOGE) gained unauthorized access to systems belonging to the U.S. Agency for International Development. A whistleblower from the National Labor Relations Board later revealed similar data exfiltration activity there, showing that large amounts of government data had been copied or removed, potentially by foreign actors. To this day, no one is certain who has that information or where it is being stored.
This kind of event highlights how fragile data control can be. Once information leaves your network, you may never know who has it or how it might be used. For nonprofits that partner with government agencies or share data with outside organizations, that uncertainty carries serious risk.
The Human and Organizational Cost of Data Exposure
When a breach happens, the fallout is often personal.
- Clients may be outed, retraumatized, or put in danger. For some, this kind of exposure can mean stigma or discrimination.
- Donors may suffer financial loss or identity theft. Their confidence in your organization may take years to rebuild.
- Staff and volunteers often feel the weight of recovery, spending long hours trying to rebuild systems and repair relationships.
Even after operations resume, the loss of trust can linger. People may hesitate to share their stories or their support.
Five Practical Steps Every Nonprofit Can Take
Even small improvements can make a big difference. Here are five steps every organization can start with:
- Know where your data lives.
  List every place your data is stored: your CRM, cloud storage, spreadsheets, and email accounts. Include personal devices and partner systems too.
- Classify and prioritize sensitivity.
  Identify what’s public, what’s internal, and what’s confidential. Client notes, health data, and donor financials should always receive the strongest protection.
- Restrict access and review it often.
  Give each person access only to the information they need. Check permissions regularly and close old accounts when people leave.
- Create policies and train your team.
  Write down how your organization handles data. Make sure everyone, including volunteers, knows what information can and cannot be shared.
- Clean up what you keep.
  Delete data that no longer serves a purpose, and have a data retention policy to back it. If you need to keep information for reports or compliance, remove personal details so the data can’t be traced back to individuals. Pruning and de-identifying records greatly reduce the risk of harm if a breach ever occurs.
Leadership as Stewardship
Good data protection starts with leadership. Executive directors and boards set the tone for how seriously privacy and security are taken. They decide whether policies are living documents or forgotten files. Strong data governance should be a standing leadership conversation, just like budgets or fundraising. Review your retention policies, vendor agreements, and training programs regularly. Make sure your staff have the time and tools they need to handle data safely.
The line between digital safety and human safety is thin. One mistake can interrupt essential programs and compromise the very people you aim to protect. Safeguarding data is an act of care. It preserves trust, dignity, and the ability to do your work effectively.
If it has been a while since your organization reviewed its data practices, start simple. Map where your data lives, decide who truly needs access, and set clear retention rules. Build training into your annual calendar, and revisit these choices as your programs evolve. Every nonprofit, no matter the size, can take meaningful steps toward better protection. The key is to start now and stay consistent. Trust isn’t automatic. It’s earned through small, steady choices, the same kind of care that defines every part of your mission.
Need Help Getting Started?
If this sounds like a lot to take on, you don’t have to do it alone. Fenix Cyber works with nonprofits to build clear, manageable systems that protect data and strengthen trust without adding unnecessary complexity or cost.
We offer a free nonprofit risk assessment to help you understand your current data landscape and identify simple, high-impact steps to improve security.
You can learn more or request your free assessment at https://fenixcyber.com/benchmark