Minimum Cybersecurity Controls for Nonprofits (A Practical Baseline)



If your legal aid intake queue is exploding and a funder report is due, nonprofit cybersecurity can feel like a “later” problem. Until an account takeover locks you out of email, a ransomware note freezes a shared drive, or a data leak puts a client at risk.

Minimum cybersecurity controls for nonprofits means the smallest set of protections that meaningfully reduces likely harm. Not a full compliance program. Not a stack of fancy tools. It’s the seat belts, smoke detectors, and door locks that keep your work moving when something goes wrong.

This baseline is built for small and mid-sized legal aid organizations with limited IT time. The goal is simple: deliver essential digital security to reduce the most common damage quickly, with steps leadership can track and verify to protect access to justice.

Image: leaders and staff reviewing a simple security checklist together to confirm they meet the minimum cybersecurity controls for nonprofits (AI-generated illustration).

Key takeaways for legal aid technology: the practical baseline in plain English for legal aid intake

  • Turn on multi-factor authentication (MFA) for email, the online intake system, and other key systems
  • Apply software updates by patching devices, apps, and the self-service portal on a set schedule
  • Back up data to ensure data protection, then test restores so you know they work
  • Train staff to spot phishing attacks and report them fast
  • Limit access (least privilege) for eligibility screening; don’t give everyone the keys
  • Tighten email settings to block common tricks
  • Write a simple incident response plan and practice it once a year
  • Keep a basic inventory of devices, apps, and vendors

What “minimum” cybersecurity controls means for nonprofits (and how to set your baseline)

In nonprofit cybersecurity, “minimum” doesn’t mean “barely try.” It means high-impact, low-cost controls that stop common attacks like phishing, password reuse, and ransomware while requiring minimal staff time. If you look at mainstream guidance like the CIS Critical Security Controls for cybersecurity compliance and legal aid intake triage best practices, the fundamentals repeat for a reason.

Your baseline should cover three things: people, process, and tools. Even if your tools are simple, your process can’t be vague.

Scope it to what runs the mission, identified through a risk assessment: email, file storage, case management system, finance, donor data, staff devices, and key vendors. Many of the common technology challenges facing legal nonprofits and legal services programs also create security risk, because workarounds become invisible pathways for mistakes.

Nonprofit board oversight matters here. For legal aid organizations, leaders should ask for proof, not promises (screenshots, reports, and a short monthly dashboard).

Start with the outcomes that matter: protect accounts, protect data, recover fast

Think in outcomes for digital security, not jargon, especially for your triage process:

  • Protect accounts so one stolen password doesn’t become a full takeover (MFA, password manager, phishing training, zero trust model).
  • Protect data so a mistake doesn’t expose everything (least privilege, safer sharing rules).
  • Recover fast so ransomware becomes a disruption, not a shutdown (backups, restore tests, incident plan).

A simple scoping checklist for leaders (systems, data, and vendors)

In a 30-minute meeting, confirm you can name:

  • Top apps: email, file storage, case management, accounting
  • Top devices: staff laptops, staff phones, shared computers
  • Sensitive data: client, donor information, HR, payment-related data, eligibility screening
  • Critical vendors, managing third-party risk: IT support, case system vendor, payroll, fundraising tools

If the answer is “we don’t know,” that’s normal. Inventory is a control.

Minimum Cybersecurity Controls for Nonprofits, a Practical 10-Control Baseline

Below is a pragmatic baseline for legal aid intake and other nonprofit operations, aligned to common threats (phishing, credential theft, ransomware). It’s also close to what you’ll see in sources like SANS guidance on the CIS Controls, without turning your week into a framework project.

Identity and access controls (stop account takeovers fast)

  1. MFA for email and key apps
  • What: A second factor for sign-in (app prompt or hardware key).
  • Why: Stops most password-only takeovers.
  • Done looks like: MFA on all staff email and all admins, with a monthly MFA coverage check.
  2. Password management
  • What: Unique passwords stored in a manager, not spreadsheets.
  • Why: Password reuse is an open door.
  • Done looks like: Shared passwords eliminated; new accounts (for example, matter management logins) are created through the manager.
  3. Least privilege (role-based access)
  • What: People get only what they need for their role, supporting automated triage processes.
  • Why: Limits the blast radius of a mistake or takeover, enhancing network security.
  • Done looks like: Finance, HR, and case data have tighter groups than “all staff.”
  4. Offboarding that removes access fast
  • What: A repeatable checklist for when staff or volunteers leave.
  • Why: Old accounts are easy targets.
  • Done looks like: Accounts disabled the same day, access removed from shared drives and vendors.
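As an added example (not part of the article or any vendor tool), the script below turns an account export from an identity provider into the monthly check the “done looks like” lines above call for: MFA coverage, admins without MFA, shared accounts that should have named users, and leavers whose accounts are still enabled. The CSV columns and the sample rows are constructed assumptions; a real export would come from your email or identity platform.

```python
"""Monthly identity-control check over a constructed account export."""
import csv
import io
from datetime import date

# Constructed sample export (not real data); column names are an assumption.
SAMPLE_EXPORT = """\
user,role,account_type,is_admin,mfa_enabled,account_enabled,employment_status,last_login
ana@example.org,attorney,named,no,yes,yes,active,2024-05-30
ben@example.org,finance,named,no,no,yes,active,2024-05-29
cruz@example.org,it,named,yes,yes,yes,active,2024-05-31
dee@example.org,ops,named,yes,no,yes,active,2024-05-31
intake-shared@example.org,intake,shared,no,no,yes,active,2024-05-31
former@example.org,paralegal,named,no,yes,yes,terminated,2024-02-01
"""


def parse_accounts(text):
    """Parse the CSV export, turning yes/no flags into booleans and dates into date objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        for col in ("is_admin", "mfa_enabled", "account_enabled"):
            r[col] = r[col].strip().lower() == "yes"
        r["last_login"] = date.fromisoformat(r["last_login"].strip())
    return rows


def monthly_identity_report(accounts, today_iso, stale_days=90):
    """Build the evidence a leadership dashboard needs from the parsed accounts.

    Only enabled accounts count: a disabled account cannot be taken over,
    so it neither helps nor hurts MFA coverage.
    """
    today = date.fromisoformat(today_iso)
    enabled = [a for a in accounts if a["account_enabled"]]
    with_mfa = [a for a in enabled if a["mfa_enabled"]]
    return {
        # Percentage of enabled accounts protected by MFA (100 if there are none).
        "mfa_coverage_pct": round(100 * len(with_mfa) / len(enabled)) if enabled else 100,
        # Admin accounts are the highest-value targets, so list them by name.
        "admins_without_mfa": sorted(a["user"] for a in enabled if a["is_admin"] and not a["mfa_enabled"]),
        # Shared logins should be replaced with named users (control 2).
        "shared_accounts": sorted(a["user"] for a in enabled if a["account_type"] == "shared"),
        # Offboarding gap: employment ended but the login still works (control 4).
        "leavers_still_enabled": sorted(a["user"] for a in enabled if a["employment_status"] == "terminated"),
        # Accounts nobody has used in stale_days are candidates for review or disablement.
        "stale_accounts": sorted(a["user"] for a in enabled if (today - a["last_login"]).days > stale_days),
    }


if __name__ == "__main__":
    for key, value in monthly_identity_report(parse_accounts(SAMPLE_EXPORT), "2024-06-01").items():
        print(f"{key}: {value}")
```

Run it against the real export each month and attach the output to the leadership summary; an empty `admins_without_mfa` and `leavers_still_enabled` list is the proof the controls are working.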

Device, email, and patching controls (reduce everyday exposure)

  5. Automatic updates and patching
  • What: OS, browsers, and key apps update automatically.
  • Why: Many attacks use known, unpatched flaws, and timely patches boost workflow efficiency.
  • Done looks like: Auto-update on, weekly spot checks with vulnerability scanning, a short monthly patch status report.
  6. Basic endpoint protection and disk encryption
  • What: Built-in protection is fine, plus full-disk encryption on laptops.
  • Why: Protects against common malware and lost-device exposure.
  • Done looks like: Encryption verified on all laptops; devices require a passcode.
  7. Email security settings and safer defaults
  • What: Strong email filtering for spam and malware scanning, plus reduced risky features to block common tricks.
  • Why: Email is where most nonprofits get hit first.
  • Done looks like: Auto-forwarding restricted, legacy sign-in methods blocked where possible, alerts routed to IT/ops.

Ownership tip: assign a named owner (ops lead or IT vendor) and a cadence (weekly checks, monthly leadership summary).

Data protection and resilience controls (limit damage and recover)

  8. Backup solutions that are separate, plus restore testing
  • What: Backup solutions that can’t be erased by the same stolen account.
  • Why: Backup solutions are your exit route from ransomware attacks.
  • Done looks like: Quarterly restore test notes (what was restored from the case management system, how long it took, what broke).
  9. Basic data classification and secure sharing rules
  • What: Clear rules for sensitive data (client, HR, donor), including categorization and routing.
  • Why: Most “breaches” start as simple mishandling.
  • Done looks like: As at any legal aid society, staff know what can’t be emailed and when to use secure links.

Stop doing this: don’t email sensitive documents as attachments “just this once.” It becomes a habit.

  10. A simple incident response plan, practiced yearly

  • What: A one-to-two page plan for who does what in the first 24 hours.
  • Why: Confusion burns time when stakes are high.
  • Done looks like: One tabletop exercise per year, updated contact list, decisions documented. A practical starter is the incident response plan maker for vendors.

If you need help choosing right-sized security tools or managed support, start with options that fit your operations, not a sales pitch (see CTO Input nonprofit technology services).

How to implement the baseline without overwhelming staff (a 30-60-90 day plan)

You don’t need a budget miracle. You need ownership, sequence, and proof. For turning this baseline into a longer plan, a step-by-step tech plan for justice organizations helps connect controls to real work like legal aid intake.

First 30 days, lock down logins and reduce the biggest risk

  • Turn on MFA for email, admin accounts, and legal front door
  • Remove shared accounts, assign named users
  • Roll out a password manager to leadership and finance first
  • Enable auto-updates on laptops and browsers
  • Confirm backups exist and identify where they live
  • Pick a simple cybersecurity awareness training method and start it
  • Name one incident point of contact (primary and backup)

Days 31 to 90, prove recovery and tighten access and data handling

  • Review least privilege for shared drives and finance folders
  • Use an offboarding checklist every time
  • Run a restore test from a simulated data breach and set a time-to-recover goal to cut client wait times
  • Tighten key email security settings (forwarding, legacy sign-in)
  • Build a basic inventory for device management (laptops, online applications, donor information, admin accounts, vendors)
  • List vendor security contacts and renewal dates
  • Run a tabletop incident drill with leadership

Evidence leadership should ask for to guide resource allocation and build cyber resilience: MFA status screenshots, a short access review sign-off, restore test notes, and training completion rates.

FAQs about minimum cybersecurity controls for nonprofits

Is MFA enough?
MFA is the fastest way to cut account takeovers, but it won’t stop ransomware from a bad download or prevent sensitive trauma-informed client data from being shared the wrong way. Pair MFA with patching and backups.

What if we use Google Workspace or Microsoft 365?
That’s fine; many nonprofits do. The baseline is still on you: MFA, safer email settings, access reviews, a hosted phone system for remote operations, and tested backups (cloud data still needs recovery planning). Just watch out for legacy systems with older software integrations, which can introduce risks.

Do we need cyber liability insurance first?
Cyber liability insurance can help after an incident, but it doesn’t replace controls. Many insurers also require basics like MFA and backups, so you’ll end up doing the work anyway.

How much should this cost?
Often less than leaders fear, because several controls use built-in features like legal resource finder and better habits. The real cost is staff time and clear ownership. For larger organizations with scarce internal resources, Compliance as a Service might be an option.

What’s the minimum documentation to keep?
An asset list, a cybersecurity policy, an offboarding checklist for information-gathering, backup and restore notes including tools like A2J Author, and a one-to-two page incident plan. Short, current, and easy to find beats long and ignored.

Conclusion

A baseline isn’t about perfection. It’s about reducing harm from threats like social engineering fast, protecting trust, and keeping services like legal aid intake and eviction prevention available when something goes wrong. Pick a few metrics you can track monthly: MFA coverage, patching compliance, backup restore success, training completion, triage process effectiveness, and “incident plan exists and was practiced.”

If you want a calm, nonprofit board-ready view with data-driven insights of where you stand and what to fix first, book a nonprofit cybersecurity baseline clarity call. Which single chokepoint, like outdated standardized forms, if fixed this quarter, would unlock the most capacity and trust through human-AI partnership for your team?
