What Is a Cybersecurity Risk Assessment — and Why Every Nonprofit Needs One
A few years ago, a San Francisco nonprofit got hit with ransomware. Their team lost access to years of client records overnight. Case files. Donor information. Program data staff had spent months building. They had to notify hundreds of families that their personal information may have been compromised.
They didn't have an incident response plan or secure backups. They had no idea how exposed they were until it was too late.
This happens more than most nonprofit leaders realize. 60% of nonprofits have reported experiencing a cyberattack in the last two years. Cloudflare's Project Galileo reports a 241% increase in cyberattacks between 2024 and 2025, with human rights and civil society organizations ranking as the second most impacted sector.
Most nonprofits are still operating without a clear picture of where they're vulnerable.
A cybersecurity risk assessment changes that. It is not a technical exercise reserved for large corporations. It is one of the most practical things a nonprofit leader can do to protect their organization, their donors, and the people they serve.
What is a Cybersecurity Risk Assessment?
A cybersecurity risk assessment is a structured review of your organization's technology environment. It looks at where sensitive data lives, who has access to it, and where the gaps in your current security are.
It is less like an audit and more like finally sitting down with someone who can tell you what you're actually dealing with. It provides a clear picture of what exists, what's missing, and what needs attention.
For a nonprofit, that means looking at everything from your email system and donor database to how staff access files remotely and whether your organization has any compliance requirements tied to your funding sources.
Why Nonprofits Are Specifically Targeted
Many nonprofit leaders assume their organization isn't worth targeting. They're not a bank. They don't process credit cards. Who would want to attack a food bank or a housing organization?
Cybercriminals target nonprofits specifically because of what they hold and what they typically lack in defense.
Consider what your organization collects: donor names, addresses, and payment information. Client records that may include health history, housing status, immigration status, or financial circumstances. Employee and volunteer data. Grant records.
For organizations serving vulnerable populations, that information is sensitive in ways that go far beyond its technical value.
70% of nonprofits lack formal cybersecurity policies. 68% have no documented procedures for responding to a cyberattack.
Valuable data, limited defenses, and staff who haven't been trained on what to watch for. That combination is exactly what attackers look for.
What a Risk Assessment Covers
A proper assessment is not a checklist someone completes in an afternoon. It is a comprehensive look at the systems, policies, and day-to-day behaviors that shape your security.
Here is what it should cover:
Devices and Infrastructure
Which devices are in use, who uses them, and are they managed by the organization? 71% of nonprofits allow staff to use unsecured personal devices to access organizational emails and files. Each of those devices is a potential entry point for an attacker.
Access Controls
Who can access what, and why? A volunteer shouldn't be able to export your full donor list. A program coordinator shouldn't have administrative access to financial systems. A risk assessment maps where access is broader than it needs to be.
Email Security
Email remains the most common way attackers get in. The assessment looks at whether your email environment has the right protections in place and whether staff could recognize a convincing phishing attempt.
Backup and Recovery
Where does your data live? Is it backed up? If ransomware encrypted everything on your network tomorrow, how long would recovery take — and is it actually possible? Many organizations believe they have backups until they need to use them.
Compliance Obligations
Depending on your funding sources and the populations you serve, you may have data security requirements tied to government contracts, health information, or specific federal funders. A risk assessment identifies any gaps before they surface as a compliance problem.
Incident Response
What does your team do in the first hour after a breach? Most organizations don't have an answer. That gap significantly increases the damage when something goes wrong.
What Happens When Organizations Skip It
The consequences of a cybersecurity incident are not purely technical. For a nonprofit, they reach directly into the mission.
According to IBM's Security Report, the average data breach costs nonprofits $200,000, which is money that could have gone directly toward their mission. For an organization running on a tight budget, that is not just a financial hit. It can end programs. It can end the organization.
When donor data is compromised, donors lose confidence. When client records are exposed, the people your organization serves face additional harm — people who are often already in vulnerable positions. When a funder learns that a grantee experienced a preventable breach, the questions that follow are hard to answer.
The organizations that weather incidents best are the ones that knew where they stood before something went wrong.
Signs Your Organization Needs a Risk Assessment
You do not need to be a technology expert to know whether a risk assessment makes sense. A few honest questions get you most of the way there.
1. Do you know what sensitive data your organization holds and exactly where it's stored?
If the answer is something like "on the server somewhere" — that's a gap.
2. Could you say with confidence that your staff would recognize a convincing phishing email?
Not a poorly written one. A good one, from what looks like a familiar sender, with a plausible request.
3. If your most critical data disappeared tomorrow, how long would recovery take?
Do you have a current, tested backup?
4. Do you have written policies for how data is handled, who has access to what, and what to do when something goes wrong?
If any of those questions made you uncomfortable, a risk assessment is a reasonable next step. Most organizations in this position haven't had the time or resources to address these things systematically. That's not a failure. It's just where a lot of nonprofits are.
Where Cyber Insurance Fits In
A cybersecurity risk assessment and cyber insurance are not the same thing, but they work together.
Insurance covers the financial cost of an incident after it happens. An assessment helps prevent incidents from happening in the first place, and it directly affects your ability to get coverage and what you pay for it.
Most cyber insurance providers now require evidence of basic security controls before issuing a policy: multifactor authentication, regular software updates, an incident response plan, and documented policies. Without those in place, insurers may decline your application or exclude key coverage.
A risk assessment shows you where those gaps are so you can close them — whether you are applying for coverage for the first time or preparing for renewal.
How PCS Works With Nonprofits on Risk Assessments
PCS Technology has worked with nonprofit organizations across the Bay Area for over 35 years. We understand that nonprofit leaders are not IT professionals, and they should not have to be.
Our risk assessment process is designed for mission-driven organizations. We look at your environment, explain what we find in plain language, and help you prioritize what needs attention based on your budget and how your organization actually operates.
The output isn't a 40-page technical report. It's a practical conversation about where things stand and what a realistic path forward looks like.
If your organization hasn't had a formal assessment, or if it's been more than a year since your last one, we're here to help. You can schedule a call to get started.