Our Approach to Online Security: Best Practices for Nonprofits

By Nicholas Longtin | December 2021

Best Practices for Nonprofit Online Security

These days nonprofits leverage the web for a huge variety of mission-critical activities, from fundraising to engaging with program participants. While a lot of opportunities exist online to further a nonprofit's mission, the modern internet landscape can be a very dangerous place. Bots scanning for website vulnerabilities, hackers attempting to steal data, and malicious programs all threaten to harm nonprofits' online assets. Keep reading to learn our best practices for online security and how ArcStone keeps our clients safe from online threats.

How to Approach Online Security

Having great online security requires policies, procedures, and tools that cover a wide range of a nonprofit's operations. Security is also a highly technical subject that many nonprofits struggle with due to the lack of technical staff and know-how. For our clients, we offer advice, tools, and support to help safeguard their online presence, but security is also a human endeavor requiring discipline around daily practices.

The Human Factor

Even one careless individual can cause great harm to a nonprofit's online security, so first let's cover what staff need to do to help safeguard your organization's online assets. It's also important to realize that technical knowledge and ability vary greatly from one staff member to the next, so providing training and guidance is critical. Human security concerns usually fall into one of three categories: access control, communications, and vigilance.


Controlling access to systems is really where good online security starts. You don't want the wrong people to have access to critical systems, or security that is too weak to keep nefarious individuals out.

Some critical aspects of good access control are:

  • Limiting who has logins to critical systems
  • Prohibiting the sharing of logins and account information
  • Using fine-grained permissions to only allow the access needed for the role
  • Limiting access by location or device for highly sensitive systems
  • Enforcing strong password policies and two-factor authentication
  • Using a password management system to store and share login information


How your staff communicates and shares critical data is also an important aspect of online security. We already covered how to safeguard access information, but there is a wide variety of data that can be considered highly sensitive, such as donor information or program participants' personal information.

Some critical aspects of good communications and data security are:

  • Use strong encryption in communication tools when available
  • Use encryption on all company devices 
  • Limit the use of personal employee devices or enforce security policies on those devices as well
  • Avoid collecting any personal or sensitive information on your website - use a third-party service 
  • Avoid displaying contact and personal information on your website - put barriers up to make stealing data harder
  • Don't use email file attachments - use Google Drive or another file sharing tool
  • Train staff about email scams, spotting spoofed emails, phishing, and dangerous email attachments


The online security landscape is constantly evolving and new types of threats emerge every year. Staying vigilant and up to date on security issues can be an important aspect of your organization's overall level of security. Hopefully, you have an excellent technology partner or agency which handles the maintenance of most of your platforms.

Important security vigilance steps to keep in mind are:

  • Clearly document and communicate company security policies to staff on a regular basis
  • Research all software programs for security concerns before installing them
  • Keep all software programs up to date and patched - don't use end-of-life software
  • Review all third-party platforms' TOS and security policies
  • Keep an eye out for poor security practices by staff and partners
  • Get a security audit by a reputable company

How ArcStone Keeps Our Clients Safe

We realized long ago that having great online security was a huge burden for nonprofits and often outside of their reach. That's why we decided to bake security into all our processes and offer great security training and tools to all our clients. We aren't usually involved in every aspect of our clients' online security, but it's very common that we will build websites and host them for clients. An organization's website is also often a security focal point, handling a lot of critical areas of their mission.

Building Secure Websites

The first step to having a very secure website is to build it right in the first place. We have chosen to build websites on the WordPress CMS platform, which has both demonstrated a stellar history of security and created an entire ecosystem of enhanced website security tools that can be used if needed.

The first step we always take in building a website is to develop a detailed blueprint of the site. This document helps us build secure websites by outlining critical website functions, determining which third-party tools will be used, and outlining how any critical data will be collected through forms or displayed on the site. 

Critical steps we take in building a secure website are:

  • Creating a detailed blueprint that outlines all website functions and technologies needed
  • Vetting all third-party tools, plugins, and services needed to build the site
  • Advising clients on how to securely collect data online and what not to do
  • Reviewing planned website content for potential abuse and security issues
  • Using secure project management tools throughout the whole process
  • Leveraging a secure source code control management tool to manage all programmers and code development

Secure Website Hosting

Once a new website is built and launched, it's exposed to the entire world and a huge host of possible online threats. Simply existing on the internet makes a website a target. Since we often build and host websites, we have some unique advantages that make your website's security easier, and the technical staff to help support future updates.

Important components of ArcStone's Secure Website Hosting:

  • All websites we host leverage an up-to-date SSL security certificate
  • Logins and access information are all kept in a secure password management system
  • Only necessary staff have access to hosting systems
  • Websites are backed up daily - and our backup system is routinely tested
  • All website code is managed in a secure source code control system
  • Our websites all have a security plugin installed
  • We limit who can have website CMS admin access
  • All CMS code and plugins are kept up to date
  • An intrusion detection system is used to alert us of unauthorized website code updates
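
The last item in the list, alerting on unauthorized website code updates, comes down to comparing file hashes against a known-good baseline. The sketch below is an added example, not ArcStone's tooling; the function names, the `exclude_dirs` parameter and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def build_manifest(web_root, exclude_dirs=()):
    """Return {relative path: SHA-256 hex digest} for every file under web_root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(web_root):
        rel_dir = os.path.relpath(dirpath, web_root)

        def rel(name):
            return os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")

        # Prune directories that change legitimately (e.g. a cache); keep this list short.
        dirnames[:] = [d for d in dirnames if rel(d) not in exclude_dirs]
        for name in filenames:
            digest = hashlib.sha256()
            with open(os.path.join(dirpath, name), "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel(name)] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Classify differences between a trusted baseline and the current state."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    # Constructed sample site in a temporary directory (not a real deployment).
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'home';")
        baseline = build_manifest(root)  # taken right after a known-good deploy
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write(" // unexpected edit")
        with open(os.path.join(root, "extra.php"), "w") as fh:
            fh.write("<?php // file nobody deployed")
        for kind, paths in compare_manifests(baseline, build_manifest(root)).items():
            for path in paths:
                print(f"ALERT {kind}: {path}")
```

Store the baseline somewhere the web server account cannot write to, otherwise whoever changes the code can also refresh the baseline.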

A Continually Evolving Field

Online security never stands still and neither should your strategies for dealing with potential threats. If you want more information about how to create an online security strategy, check out our free on-demand webinar on Online Security for Nonprofits.

If you have any questions or concerns about your organization's online security please reach out and you can speak with one of our security experts.


