Cybersecurity Without the Panic: What Actually Matters and Why
Summary:
Cybersecurity doesn't have to be overwhelming. Most attacks are run like a business—you can consistently protect yourself by doing the basics. If you're collecting data or expanding your visibility online, this is the moment to get ahead of it.
What’s in it for you:
You want to: protect your team, your data, and your org—without spiraling every time a headline hits.
You’re struggling to: figure out what’s real, what matters, and what you actually need to do.
You need to: feel like you’ve got this covered—without having to become an expert.
You’re looking for: steps that are doable, grounded, and won’t make your head explode.
Helia’s Perspective
Okay, let's be real about cybersecurity. It feels both really far away (it'll never happen to me!) and also terrifyingly close (it could happen any second!).
When a family member’s company got hacked, what struck me most was how business-like the whole thing was. Basically: "We're holding all your stuff hostage for $X by X time - just pay up and you're good!" It's an oddly effective business model - and one that caused WILD amounts of stress.
Then at Think of Us, I remember that moment when the money we raised through Audacious was about to be announced and I realized how much responsibility we had, given how many folks’ data we held - and what a target we might suddenly be. I was SO grateful we had a senior tech leader to manage it all - and realized that most orgs our size didn’t have that luxury!
Cybersecurity = a reality in our world. So when you find folks like Jonathan and Giuseppe (who cofounded New Harbor) that really care about it, make it make sense, and don't require twenty steps just to log in (and Marina Nitze recommends them - I've learned to just do anything Marina suggests!), I wanted to share. This is something worth paying attention to, and I promise it doesn't have to be overwhelming.
Jonathan hiking The Inca Trail to Machu Picchu
The Story
When I asked Giuseppe and Jonathan what most people get wrong about cybersecurity, they immediately smiled.
"Most people think it's all shadowy hackers in hoodies," Giuseppe told me. "But the reality? It's run like a business."
Giuseppe genuinely LOVES this stuff - he's the friend who actually reads privacy policies for fun and gets excited explaining how attacks work. He told me about attack groups with Slack channels, customer service teams, and even holiday schedules. They develop sophisticated scams - like those fake invoice emails that look like they're coming from your actual vendors or personalized messages referencing your latest LinkedIn post.
Jonathan nodded, sharing a recent example where attackers created an entire fabricated email exchange between a fictitious legal services firm and a nonprofit's CEO. The fake CEO "approved" the invoice and asked for it to be sent to accounting. It looked completely legitimate.
Their message was reassuring, though: you don't need perfect security. You usually just need to be difficult enough that attackers move on to easier targets. A few consistent habits (see their Top Things to Do list below) make you significantly less vulnerable - and that's a very good use of your time.
What this Looks Like in Practice
- **You don't need to be un-hackable.** You just need to make it not worth the effort. Most attacks are crimes of opportunity—bots scanning for open doors.
  If you're using multi-factor authentication (MFA), strong and unique passwords, running software updates regularly, and basic staff training, you've already raised the bar. A hacker might look at 1,000 places an hour—but if your systems are locked down, they'll move on. For resource-constrained social sector organizations, these basics give you the most protection for the least effort.
- **If something does happen—take a breath.** Seriously. Most incidents aren't catastrophic. What matters is how you respond. Do you have someone to call? Do you know what data may have been accessed? Do you have a plan?
  The best time to prepare is before something goes wrong. But the second-best time? As soon as it does. Stay calm. Ask for help. You'll likely be okay.
- **You're probably holding more sensitive data than you should.** Nonprofits collect a lot of sensitive info—names, addresses, financials, SSNs, health notes, program data—and often keep it long past when it's needed. That's a huge risk, especially when it's stored in inboxes or shared drives. This is especially true for organizations working with vulnerable populations or collecting sensitive information as part of their mission.
  Ask yourself: if someone got in today, how much would they find? Not to panic—but to remind ourselves of the responsibility that comes with trust.
*Noting “perfect security” = a mythical state!
Secret Sauce & Takeaways
If there's one thing you should do, it's: Turn on MFA across everything you use. Then, stop holding on to sensitive data you don't actually need.
Common Pitfalls to Avoid:
Thinking you're too small or not "important" enough to be targeted
Holding onto sensitive information just in case
Only acting when something breaks or a funder sends a checklist
What Makes This Work Well:
Start with what’s MOST important: identify your most sensitive data first, and work outward from there
Building muscle memory—it's not about a perfect system, it's about small habits over time. Pro tip - set a cybersecurity rhythm. Monthly check-ins to review security are (shockingly!) more effective than annual panics!
Make sure to include reviewing your user accounts and removing them when folks leave - this saves you money(!) AND is foundational for security (e.g., it prevents abandoned accounts from being taken over by bad actors, and protects against disgruntled former employees)
Talking about it in plain language, regularly (especially during onboarding and offboarding)
Having someone—internal or external—who's really keeping an eye on things and can step in when needed
Giuseppe hiking in Olympic National Park in the Pacific Northwest
Questions to Ask Yourself
Are we holding on to data we don’t need—and if so, why?
What would we do if something went wrong tomorrow?
Are our basic systems in place—like onboarding, offboarding, and knowing who owns what?
How confident am I that my team knows what to do if they spot something suspicious?
What systems or processes do we rely on most heavily, and how would we operate if they were unavailable?
Want to Try This?
Templates & Guides:
Not sure where to start? New Harbor’s Top Things to Do to Protect Yourself = a resource you very very very much want. And, for just ONE thing, pick ONE system and set up multi-factor authentication (MFA). Here’s what this looks like for Google Workspace:
Have team members run a Google Security Checkup
Enforce multi-factor authentication for your organization (you will need admin access). We recommend a 1-week grace period. Here’s a guide.
Consider enrolling in Google’s Advanced Protection Program for extra protection against targeted online attacks.
EFF’s Online Privacy for Nonprofits: A Guide to Better Practices lists out practical, nonprofit-friendly steps to take right now.
Want to minimize your data footprint? Try TechSoup’s “Is Our Data Ours Anymore”
Recommended Reads:
Cybersecurity: Nonprofit Best Practices (our “Cybersecurity 101”), which shares ways that nonprofits can strengthen and protect their systems and data, and Online Harassment Protection & Response, which shares practical tips and policy recommendations to help nonprofits protect against and address online harassment.
Tactical Tech’s Data Detox Kit: Great for getting clear on what data you collect, how it’s stored, and what you can let go of (and a straightforward Data Retention Policy Template from New Harbor)
Connections:
If you’re looking for help with security, New Harbor is a security company with nonprofit roots that has helped a number of nonprofits get secure. Sign up for their free office hours at securityforgood.org OR sign up for their services (and get 10% off) at New Harbor.
This article comes from a coffee chat with New Harbor in March 2025 (our FIRST Helia Library interview!). We've learned the most from doing and from talking with other doers willing to share their wisdom. We share these stories in the Helia Library because we don't need to start from blank pages or do it all alone.
As always, take what's helpful, leave what's not, and make it your own.