How To Make A Robust Justice Nonprofit Security Plan: 10 controls you can put in place in 90 days

It’s 4:45 p.m. on a Friday. Intake is still piling up. A partner email comes in with a spreadsheet attached, full of names, birthdates, and case notes. Someone forwards it to “whoever can help.” On Monday, a funder report is due, and the numbers don’t match. Meanwhile, you’re thinking a quieter thought you don’t love saying out loud: If we had a breach, would we even know where the sensitive data is?

A justice nonprofit security plan doesn’t have to start as a big policy overhaul or a new tool purchase. For justice nonprofits, “minimum viable” should mean something else: fewer harmful workarounds, fewer access mistakes, and fewer ways for a single phishing email to derail client trust.

Key takeaways (what to do first):

  • Pick 10 controls that reduce real risk in the work, not a long wish list.
  • Assign decision rights now; security work dies in ambiguity.
  • Reduce data sprawl before you buy anything new.
  • Build around people and workflows, not “IT projects.”
  • Track a small set of measures for 90 days so you can prove progress.

What “minimum viable” means when the stakes are client trust

[Image: Leaders and staff align on a practical 90-day security plan during a working session (created with AI).]

In justice work, the risk is rarely abstract. A lost device can expose a survivor’s location. A shared folder can reveal immigration status. A compromised inbox can break a court deadline.

Minimum viable means you can look a board member in the eye and say: “We know our top risks, we’ve reduced them, and we can show it.” A good baseline can map to public guidance like CISA’s Cybersecurity Performance Goals and the CISA guidance for civil society with limited resources, without turning your team into full-time security staff.

It also fits the justice gap reality. You can’t lawyer your way out of scale limits. You need capacity multipliers, and security is part of that. If your systems are fragile, people spend time on cleanup, rework, and panic. This is the same operational pain described in common tech challenges facing legal nonprofits, just with higher stakes.

The 10 controls you can implement this quarter (without breaking operations)

[Image: Staff put simple, high-impact security controls into place during routine operations (created with AI).]

  1. Name an owner and backup (decision rights, in writing).
     Pick one security owner (often ops or IT) and one backup. Write down who can approve changes like MFA enforcement, access removals, and vendor risk decisions.
  2. Turn on phishing-resistant MFA for priority accounts.
     Start with email, file storage, and finance systems. If you can’t do phishing-resistant methods everywhere, still enforce strong MFA broadly and lock down admins first.
  3. Standardize access with roles, then clean up exceptions.
     “Everyone has access” is a habit, not a need. Define 5 to 8 roles that match the work (intake, supervising attorney, finance, partner liaison) and remove one-off access grants.
  4. Centralize passwords in a manager and stop sharing logins.
     Shared credentials erase accountability. Move to a password manager, require unique passwords, and rotate any shared accounts you discover during cleanup.
  5. Patch the basics and remove local admin rights.
     Patch operating systems and browsers weekly. Remove local admin rights from staff devices unless there’s a documented reason. This blocks a lot of common malware paths.
  6. Back up critical data with a simple restore test.
     Identify the few systems that would stop services if lost (email, shared drives, case docs, finance). Back them up, then run a restore test on one sample set.
  7. Create a “sensitive data map” for your top three workflows.
     Pick intake, referrals, and case documents (or your equivalent). Document where data enters, where it’s stored, who can see it, and where it leaves (partners, courts, pro bono).
  8. Lock down email forwarding and risky sharing settings.
     Block auto-forward to outside addresses where possible, tighten external sharing defaults, and require expiration dates for links when feasible.
  9. Adopt a short incident playbook and run one tabletop.
     One page is enough to start: how to report, who decides, what systems to shut off, when to notify partners. Run a 45-minute tabletop with leadership.
  10. Train for the real moments, not generic “security awareness.”
     Teach staff how to handle partner spreadsheets, suspicious court-looking emails, and urgent wire requests. Practical beats preachy. The NYLPI data protection best practices for nonprofits is a useful reference point for shaping this around client safety.

A 90-day plan that fits justice nonprofit constraints

[Image: Leaders review progress and agree on next actions using a small set of security measures (created with AI).]

Timebox       | Focus                                   | Outputs you can show                                               | Measure
------------- | --------------------------------------- | ------------------------------------------------------------------ | -------------------------------
Days 1 to 14  | Ownership, identity, quick locks        | Owner named, MFA on priority systems, admin accounts reduced       | % of priority accounts with MFA
Days 15 to 45 | Access cleanup, device hardening, backups | Role-based access started, patch rhythm set, restore test completed | # of stale accounts removed
Days 46 to 90 | Data map, incident readiness, training  | Sensitive data map, one tabletop, staff micro-training             | Time to offboard access

If you want a planning pattern that doesn’t burn people out, borrow from NIST’s small business security fundamentals: reduce what you must protect, control who can access it, and practice what you’ll do when something goes wrong.

What to stop doing (to get capacity back)

Stop treating sensitive data like “just another attachment.”

No more client lists in email threads. No more intake docs living in a shared drive folder where “anyone with the link” can open it. No more approving exceptions because someone is in a hurry. The hurry is real, but the fallout is worse.

Pick one habit to retire this quarter, and replace it with a supported workflow.

What to measure so the numbers move (and trust follows)

A minimum program still needs proof. Keep it small:

  • Coverage: MFA on priority systems, backup coverage for critical data.
  • Exposure: number of shared accounts, number of stale users, number of public links.
  • Response: time to disable a compromised account, time to remove access on departure.
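As an added example (not code from the post or from CTO Input), this Python script computes the measures listed here and in the 90-day table from a constructed account inventory; every name, system, and date in it is made up.

```python
# Computes the post's coverage, exposure and response measures from a
# constructed account inventory (hypothetical data, not a real organisation).
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    name: str
    system: str               # e.g. "email", "files", "finance", "crm"
    priority: bool            # email, file storage and finance are priority systems
    mfa: bool
    shared: bool              # one login used by several people
    last_login: date
    departed: Optional[date] = None        # day the staff member left, if any
    access_removed: Optional[date] = None  # day their access was actually disabled

# Constructed sample inventory; names, systems and dates are invented.
INVENTORY = [
    Account("intake-desk", "email", True, False, True, date(2024, 5, 2)),
    Account("a.rivera", "email", True, True, False, date(2024, 5, 3)),
    Account("b.okafor", "files", True, True, False, date(2024, 1, 10)),
    Account("c.lee", "finance", True, True, False, date(2024, 4, 30),
            departed=date(2024, 4, 30), access_removed=date(2024, 5, 12)),
    Account("d.patel", "crm", False, False, False, date(2023, 12, 1)),
]
AS_OF = date(2024, 5, 15)  # the day the measures are taken (constructed)

def mfa_coverage(accts):
    """Coverage measure: percent of priority accounts with MFA enabled."""
    pool = [a for a in accts if a.priority]
    return 100.0 * sum(a.mfa for a in pool) / len(pool)

def stale_accounts(accts, today, max_idle_days=90):
    """Exposure measure: accounts with no login in the last 90 days."""
    return [a.name for a in accts
            if (today - a.last_login).days > max_idle_days]

def shared_accounts(accts):
    """Exposure measure: logins shared by more than one person."""
    return [a.name for a in accts if a.shared]

def offboarding_lag(accts):
    """Response measure: days from departure to access removal per departed
    user; None means the person still has access and needs action now."""
    lag = {}
    for a in accts:
        if a.departed is not None:
            lag[a.name] = (None if a.access_removed is None
                           else (a.access_removed - a.departed).days)
    return lag
```

Run the four functions against `INVENTORY` with `AS_OF` as today; on this sample they report 75% MFA coverage on priority accounts, two stale users, one shared login, and a 12-day offboarding lag.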

If you want deeper research on why nonprofits struggle here (and what tends to work), see this systematic literature review on nonprofit cybersecurity readiness.

FAQs for justice nonprofits building a minimum viable security program

Do we need a full-time CISO to do this?
No. You need clear ownership, a short list of controls, and the discipline to stick to them for 90 days.

Will MFA and access controls slow staff down?
They can, if rolled out without support. Start with the highest-risk systems, give staff a clear “why,” and fix edge cases fast.

What if our work depends on partners who send data unsafely?
Treat partner handoffs as a workflow problem, not a scolding problem. Offer a safe default (secure upload, restricted sharing link, agreed template) and make it easy.

How do we handle courts and compliance pressures?
Map the data flows that touch court filings, deadlines, and required records. Then set controls around those flows first; courts are not “downstream,” they shape the work.

How CTO Input helps you implement this in 90 days

The hardest part isn’t picking controls. It’s making them real in messy, human workflows. CTO Input helps justice organizations map how work actually happens, assign decision rights, and put a realistic sequence behind the plan. That usually starts with clarifying your constraints and risks, then building a paced roadmap teams can absorb, like the approach described in technology roadmaps for legal nonprofits.

If you need support scoping the right work (and not buying your way into new chaos), see CTO Input’s nonprofit tech products and services and examples in these legal nonprofit technology case studies.

To take the next step: set up a 30-minute working session with your ops lead, program lead, and whoever owns identity and devices. Bring your top three workflows and your top three “we can’t lose trust here” fears. Start small, move with discipline.

Learn more at https://www.ctoinput.com and keep reading practical field notes at https://blog.ctoinput.com.

You don’t have to fix everything this quarter. You do have to choose. Which single chokepoint, if fixed, would unlock the most capacity and trust in the next 90 days?
