
Why IT and Cybersecurity Matter for Nonprofits

As a nonprofit organization, you might think that IT and cybersecurity are not your top priorities. After all, you have a noble mission to pursue, a limited budget to manage, and many other challenges to overcome. Why should you spend your precious resources on something that seems so technical and distant from your core values?

Well, the answer is simple: because IT and cybersecurity are essential for your success and survival in the digital age. Without them, you risk losing your data, your reputation, your donors, your partners, and your impact. And that’s not an exaggeration.

According to a recent report by the Nonprofit Technology Enterprise Network (NTEN), 71% of nonprofits experienced at least one cybersecurity incident in 2022. According to IBM, the average cost of a data breach is $3.86 million, which can be devastating for an organization that relies on donations and grants. And the damage is not only financial but also reputational and operational. Imagine losing the trust of your supporters, the confidence of your beneficiaries, and the ability to deliver your services.

That’s why IT and cybersecurity are not optional, but essential for your nonprofit. They are not just technical tools or obstacles to overcome, but strategic assets that enable you to fulfill your mission and vision. They are not just expenses, but investments that pay off in the long run.

How Much Should You Spend on IT and Cybersecurity?

Now that you understand the importance of IT and cybersecurity for your nonprofit, you might wonder how much you should spend on them. There is no one-size-fits-all answer to this question, as it depends on various factors, such as your size, your sector, your goals, your risks, and your resources. However, there are some general guidelines and best practices that can help you make an informed decision.

First, you should look at your IT and cybersecurity budget as a percentage of your overall operating budget. According to NTEN, the average IT budget for nonprofits in 2017 was 5.7% of the total operating budget. Since the 2020 pandemic, cybersecurity and remote access needs have gone up substantially as well. While these numbers vary by specific sector and size, they can give you a baseline to compare your current spending with. An annual spend of at least 6-7% of your overall operating budget for technology and cybersecurity is a reasonable starting point for small to medium-sized nonprofit organizations.

Second, you should assess your IT and cybersecurity needs and priorities. What are the main challenges and opportunities that you face in your digital environment? What are the goals and objectives that you want to achieve with your IT and cybersecurity strategy? What are the risks and threats that you need to mitigate and prevent? What are the gaps and weaknesses that you need to address and improve? These questions can help you identify the areas that require more attention and investment, and the areas that can be optimized and streamlined.

Third, you should benchmark your IT and cybersecurity spending against your peers and competitors. How do you compare with other nonprofits of your size and in your sector? Are you getting the best value for your money? Are you leveraging the latest technologies and best practices? Are you meeting your compliance requirements? These questions can help you evaluate your performance and position in the market, and identify the opportunities you need to capitalize on and the threats you need to avoid.

How to Spend Wisely on IT and Cybersecurity

Once you have determined how much you should spend on IT and cybersecurity, you need to make sure that you spend it wisely. This means that you need to allocate your budget in a way that maximizes your return on investment, minimizes your risks, and aligns with your mission and vision. Here are some tips on how to do that:

  • Focus on the essentials. You don’t need to have the most advanced or expensive IT and cybersecurity solutions, but you do need to have the ones that are most relevant and effective for your nonprofit. This means that you should prioritize the basics, such as data backups, protection against hackers and malware for your cloud environment and user devices, firewalls, encryption, password management, and user education/security awareness training. These are the foundations of a robust and resilient IT and cybersecurity infrastructure, and they can prevent or mitigate most of the common cyberattacks.
  • Be proactive, not reactive. You don’t want to wait until a cyberattack happens to take action; you want to prevent it from happening in the first place. This means that you should invest in proactive measures, such as risk assessments, vulnerability scanning, penetration testing, incident response planning, and threat intelligence. These are the tools that can help you identify and address your vulnerabilities, detect and respond to cyberattacks, and recover and learn from them.
  • Be strategic, not tactical. You don’t want to spend your IT and cybersecurity budget on random or isolated initiatives; you want to spend it on a coherent and comprehensive strategy. This means that you should align your IT and cybersecurity goals with your organizational goals and integrate your IT and cybersecurity plans with your overall strategic plan. This way, you can ensure that your IT and cybersecurity spending supports and enhances your mission and vision and that you can measure and demonstrate your impact and value.


IT and cybersecurity are not luxuries, but necessities for nonprofits in the digital age. They are not costs, but investments that can help you achieve your mission and vision. They are not problems, but solutions that can help you overcome your challenges and seize your opportunities.

However, you need to spend wisely on IT and cybersecurity, not just blindly or sparingly. You need to spend smartly to maximize your return on investment, but not wastefully or recklessly. You need to spend strategically to align with your mission and vision, but not tactically or randomly.

By following these guidelines and best practices, you can ensure that your IT and cybersecurity spending is not a burden, but a benefit for your nonprofit.

If our team at Connect Cause can help you in any way, please reach out and let us know.